VyOS Platform Blog

VyOS 1.3.3 LTS release

Written by Daniil Baturin | June 22, 2023 4:33:28 PM Z

Hello, Community!

VyOS 1.3.3 (Equuleus) LTS release is now available for download to subscribers and contributors. The interval between 1.3.2 (released in the past September) and 1.3.3 was unusually long.  Still, it's finally out, with significant feature backports, multiple minor improvements, and of course, bug fixes — read on for details!

The most prominent feature backports - a new event handler and full support for running containers on VyOS.

For a refresher: we removed the old event handling service because its implementation (in Perl) was prone to memory leaks because Perl's GC is terrible at its job. However, it also had multiple design problems: it supported looking for patterns in custom files and outputs of external processes. Still, it had unsolved and likely unsolvable problems with handling situations when those files or processes would become unavailable.

The new event handler only supports looking for patterns in the system log. However, it correctly prevents event loops (when an event handling script's log messages may trigger the same event) and provides more script options.

Here's a configuration example:

set service event-handler event INTERFACE_STATE_DOWN filter pattern '.*eth0.*,RUNNING,.*->.*'
set service event-handler event INTERFACE_STATE_DOWN filter syslog-identifier 'netplugd'
set service event-handler event INTERFACE_STATE_DOWN script environment interface_action value 'down'
set service event-handler event INTERFACE_STATE_DOWN script environment interface_name value 'eth2'
set service event-handler event INTERFACE_STATE_DOWN script path '/config/scripts/eventhandler.py'

New features and improvements

  • New command to enable RPS (Receive Packet Steering): set interfaces ethernet $name offload rps (T3171).
  • Dynamic DNS client supports IPv6 now: set service dns dynamic interface $intf ipv6-enable (T4743).

  • Add IPv6-only dhcp option support (RFC 8925):set service dhcp-server shared-network-name LAN6 subnet 192.168.64.0/24 ipv6-only-preferred 0 (T4832).

  • New op mode command for displaying all configured IPsec connections: show vpn ipsec connections (T4812).
  • Dummy interfaces support setting the MTU now (T4898).
  • Host-unique option for the PPPoE server: set interfaces pppoe pppoeN host-uniq $intf (T4948).
  • PPPoE server minimum MTU is now 1280 (T2603).
  • New shaper commands for PPPoE server (T1993).
  • generate public-key-command now supports multiple keys in a single file (T5033).
  • PPTP server supports RADIUS rate limit options now (T4727).
  • It's now possible to set the VRF for syslog (T2769).
  • Linux kernel has been updated to 5.4.234.

Bug fixes

  • Correct logic for OpenVPN IPv6 remote/local address checking (T4679)
  • Correct logic for disabling WireGuard interfaces (T4702).
  • Firewall rules for TCP MSS clamping work correctly again (T4709).
  • Fixed an error in conntrack sync config generation that could prevent it from working (T4730).
  • Fixed an error that prevented Telegraf's Prometheus client from working with IPv6 addresses (T4680).
  • Telegraf now correctly accepts IP addresses in URLs (T4312).
  • SNMP communities now support a wider range of allowed characters (T4785).
  • The strip-private filter now correctly removes monitoring CLI secrets (T4177).
  • Fixed an error that sometimes prevented VRRP configs from loading correctly (T4526).
  • Fixed an error with PowerDNS configs not being correctly reloaded (T4799).
  • Fixes for DNS server option issues in PPPoE (T4815).
  • Fixes in the IPv6 RA source address option (T4809).
  • SquidGuard rules works correctly again (T3810).
  • Web proxy is now reloaded on commits without dropping connections (T4927).
  • Fixes in the output of show interfaces commands (T4918).
  • Fixed incorrect outputs in IPsec op mode (T4906).
  • Fixed a problem that could break CLI for users on power loss events (T4975).
  • The command for restarting the DHCP relay agent works correctly again (T5009).
  • Tunnel interface multicast setting works again (T5007).
  • Fixed an eror when setting GRE tunnel keys (T5066).
  • Virtual Ethernet interfaces are now correctly excluded from speed and duplex checks (T2516).
  • Show interfaces commands now correctly reflect cleared counters (T5097).
  • Fixed an issue with VRRP preemption (T4939).

What's next?

VyOS 1.3.3 is just one in the series of VyOS 1.3.x/Equuleus releases. We are committed to supporting it at least until 2025, although feature backports will become increasingly rare. But VyOS 1.4.0/Saggitta is on its way to becoming the new LTS the following year,  with a lot more new features and potentially even longer lifespan due to Debian 12 Bookwarm used for its base system, so there will not be reasons to miss 1.3.

Deprecation of OpenVPN site-to-site mode with pre-shared keys

One significant change for the upcoming 1.3.4 release that we need to mention is that OpenVPN site-to-site mode with pre-shared keys will be deprecated. The reason is that OpenVPN itself will remove that mode from its future 2.7 release. We certainly have reservations about that mode that doesn't use TLS and thus provides no forward secrecy (that is, an adversary who manages to guess the session key can decrypt all future traffic). However, if OpenVPN maintainers don't plan to keep it, there's nothing we can do about it. We certainly don't plan to fork OpenVPN to keep a feature that offers a lot of conveniences but has serious security tradeoffs.

Luckily, new features in OpenVPN allow setting up site-to-site connections with TLS almost as quickly as with pre-shared keys. Thanks to support for ECDH (Elliptic Curve-based Diffie-Hellman key exchange protocol), OpenVPN doesn't require a DH prime file anymore, and there's now support for checking certificate fingerprints so that self-signed certificates can be used safely.

We plan to upgrade OpenVPN to 2.6 and add support for ECDH and certificate fingerprint options to 1.3.4, then add a warning message to tell the users about that deprecation and the new way to set up site-to-site connections.

VyOS 1.3.x will certainly support OpenVPN pre-shared keys throughout its lifespan. VyOS 1.4.0 is likely to support it as well, although it's not certain, so we'll encourage people to adjust their configs as soon as possible.

Stay tuned for updates!

P.S. I would like to express my gratitude to all those who contributed to this release and the overall project. Thank you very much!

 
View full post