VyOS Platform Blog

VyOS 1.4.4 released: syslog over TLS, AWS GLB support, and 50+ bug fixes

Written by Daniil Baturin | December 19, 2025 9:22:24 AM Z

Hello, Community!

Customers and holders of contributor subscriptions can now download VyOS 1.4.4 release images and the corresponding source tarball. This release adds TLS support for syslog, support for AWS gateway load balancer tunnel handler (on AWS only), an option to match BGP prefix origin validation extended communities in route maps, and more. It also fixes over fifty bugs. Additionally, there's now a proper validation to prevent manually assigned multicast addresses, which may break some old malformed configs, so pay attention to it. Last but not least, there's a deprecation warning for SSH DSA keys that will stop working in VyOS releases after 1.5 due to changes in OpenSSH, so make sure to update your user accounts to more secure algorithm keys while you still have the time.

Breaking changes

VyOS no longer allows multicast addresses to be manually assigned to interfaces (T8054)

This is unlikely to affect anyone but we still need to mention it. While we were working on a fix for the issue where VyOS mistakenly disallowed all-zero host part IPv6 addresses (T7973), we coincidentally found something that VyOS mistakenly did not prevent from happening — manually-assigned multicast addresses.

Assigning a multicast address to a network interface by hand doesn't do anything useful. Multicast groups must be joined and left using IGMP messages, and a process needs to be handling multicast traffic. But Linux and iproute2 generally allow users to create any configurations whether they make any sense or not, and we didn't have a validator to disallow that in VyOS.

Now attempts to assign multicast addresses by hand will correctly fail. However, that also means that existing configs with such addresses will fail to load now. If you suspect you may have a manually assigned multicast address in your config, take a moment to check and remove it.

Deprecations

SSH DSA keys are now deprecated (T7839

VyOS has supported SSH DSA (ssh-dss) keys from its inception, like most OSes with SSH servers. We re-enabled their support when OpenSSH maintainers declared them deprecated and disabled them in the default configuration, because we believe that the risk that people would be locked out of their systems is unacceptable if we can avoid it.

It's usually a good idea to disable insecure algorithms once implementations of better algorithms are widespread. If someone has an outdated client, they can have difficulties connecting but they still can get into the system once they upgrade the client or find a different machine. Keys are a different story — it's possible for people to have only one account on the system, with password authentication disabled completely. If all users on such a system had ssh-dss keys, the only way back would be to use the password reset function, which requires physical or out-of-band access and a reboot.

That's why we kept ssh-dss support on as long as possible. However, OpenSSH 10.x has removed support for them completely, and Debian Trixie has that version, so once we move past Debian Bookworm, all users of ssh-dss keys will be locked out of their systems.

VyOS 1.4/Sagitta will support them until its EOL, and VyOS 1.5/Circinus is also based on Debian Bookworm so it's not an immediate concern. Still, everyone who still has users with ssh-dss keys needs to start phasing them out. To facilitate that, we added a prominent deprecation warning that VyOS displays every time on login if there are any users with ssh-dss keys.

Salt  integration is now deprecated (T8056)

Integration with Salt (service salt-minion) is now deprecated and is set to be removed in future VyOS versions — interest in that feature from the community and customers has been consistently low so we expect that it will not affect many people. However, we added a deprecation warning to give users time to either migrate to something else or let us know that they still want to use it. There is no set schedule for its removal yet but it's likely that the upcoming VyOS 1.5 will be the last release to support it

If you use Salt and want to keep using VyOS with it, let us know.

Known issues

We found that our SSH server CLI still allows users to enter the cipher name rijndael-cbc@lysator.liu.se that is no longer supported in recent OpenSSH versions and breaks the server config (T8098). We have never seen that name used in the wild and never received any bug reports, so we assume it's not an issue for any real person. However, we will include a migration script for that in subsequent releases.

New features and improvements

  • Support BGP Prefix Origin Validation State Extended Community (RFC 8097): set policy route-map <name> rule <N> match rpki-extcommunity <valid|invalid|notfound> (T1124).
  • Add TLS functionality for rsyslog (T4251).
  • Add AWS gateway load-balancing tunnel handler (AWS instances only) (T5261). Example: 
    
set service aws glb script on-create '/config/scripts/glb-create.sh'
set service aws glb script on-destroy '/config/scripts/glb-destroy.sh'
set service aws glb status format 'simple'
set service aws glb status port '8282'
set service aws glb threads tunnel '4'
set service aws glb threads tunnel-affinity '1-2'
set service aws glb threads udp '4'
set service aws glb threads udp-affinity '0-3'
  • New operational mode command to show all network interfaces in the system: run show interfaces kernel (T7268).
  • Add warning message for unsaved changes in the dialog before initiating an upgrade (T7319).
  • A timeout option for DPD in IKEv2: set vpn ipsec ike-group <name> dead-peer-detection timeout (T7504).
  • An option to set a custom MAC address on dummy interfaces: set interfaces dummy dumN mac <MAC> (T7686).
  • Add operational mode show interfaces kernel statistics command (T7742).
  • Add system login to config-sync (T7905).
  • HAProxy add health check probes to a port other than the one to which normal traffic is sent (T7906).
  • A warning if TACACS or RADIUS source-address is not configured on the system (T8024).
  • An option to always send the server certificate to IKEv2 remote access VPN clients: set vpn ipsec remote-access connection <name> authentication always-send-cert (T8027).
  • Update Linux kernel to 6.6.117 (T8035).

Bug fixes

  • Static routes with dhcp-interface are flaky (T3680).
  • Ability to set host part IPv6 address via interface IP token (T4627).
  • BGP large-community-list regex validation is incomplete (T5069).
  • MSS Clamping Not Applied to VRF Interface from MPLS Cloud (T5797).
  • Add/Improve support for CLI config scripts that change the underlying actual configuration and make them work with vyos-configd (T6489).
  • login: user vyos can not be deleted under vyos-configd (T6504).
  • inject missing env vars in configd to support configfs util (T6633).
  • [vyos-1x] unlimited _noteworthy in vyos.airbag cause memory leak (T6704).
  • Operational mode command "show bridge vni" is broken (T6770).
  • Unable to remove DHCP client from interface when dynamic IPv6 address is configured (T7016).
  • FRR 9.1.x 10.2.x does not redistribute OSPF kernel table x routes (T7297).
  • Container network loses VRF on container restart (T7305).
  • container: cannot remove image when used by more then one tag (T7403).
  • command tech-support archive upload - Not working under certain conditions (T7440).
  • DHCPv6 does not work on PPPoE interfaces (T7485).
  • Fix the output command "show vpn ipsec connection" for passthrough tunnels (T7489).
  • FRR does not redistribute BGP table x routes (T7495).
  • The aws-gwlbtun service cannot start (T7524).
  • Trying to create a VRF named "vni" leads to an unhandled exception (T7544).
  • Command 'show vpn debug peer ' does not work correctly (T7545).
  • Command 'set vpn ipsec disable-uniqreqids' does nothing (T7562).
  • Inconsistent MAC address behaviour on bond interfaces (T7571).
  • IPsec service fails after upgrading from 1.3.8 to 1.4.2 if protocol all is configured (T7581).
  • Fix uuidgen warning if DMI doesn't have product_serial or it empty (T7587).
  • IPSec traffic-selectors without prefixes are rendered incorrectly in the swanctl.conf (T7593).
  • certbot: when using acme certificate, error received "name 'add_cli_node' is not defined" (T7642).

  • Fixed KeyError: 'reverse-proxy' when updating ACME chain (T8102).

  • IPv6 default route disappears after upgrade (T7646).
  • Op-mode command show system memory cache does not work (T7657).
  • QAT support is not detected on Intel C62x virtual function devices (T7662).
  • Smoke test cli/test_vpn_ipsec.py typo makes DPD check always pass (T7667).
  • Move AWS GLB CLI configuration to a separate package (T7671).
  • Incorrect sla-len in DHCPv6 client prefix delegation (T7682).
  • "show nat source/destination rules" proto column is inaccurate (T7696).
  • Commit fails to apply configuration: /run/nftables-ct.conf on conntrack timeout rule removal (T7700).
  • BGP config fails when route-reflector-client is configured and peer-group is not used (T7708).
  • "show interfaces l2tpv3" does not show any interface information (T7721).
  • Backup next-hop is not installed in IS-IS LFA as expected (T7722).
  • Improper OpenVPN certificates migration from 1.3 to 1.4 (T7738).
  • ssh: re-generating server key causes PermissionError (T7751).
  • Syslog: format option to include timezone in message is not working in 1.4.3 (T7788).
  • Invalid order of interface/sub interface removal greatly decreases commit performance (T7813).
  • 'add system image' error if we choose not to copy an active config (T7818).
  • vyos-1x is missing an explicit package dependency on net-tools (T7847).
  • op-cmd: "reset ip arp table" is not working (T7868).
  • dhcp6c fails to restart after interface down & up when using only PD (T7882).
  • pki: configuration issues on reboot when ACME is used together with listen-address (T7885).
  • Incorrect column name in "show dhcp client leases" (T7895).
  • certbot: renewal ineffective due to wrong config location (T7908).
  • Removing PPPoE interface in smoketests and throw a PermissionError (T7919).
  • vrf: dhcp does not work when VRF name contains a hyphen (T7941).
  • Unable to delete container image in 1.4 nightly build "Error: `podman ps` takes no arguments" (T7957).
  • dhcpv6: migrator fix for non VIF interfaces for default routes (T7967).
  • veth: removing virtual-ethernet pairs will purge the peer interface form the kernel (T7990).
  • Remove references to OPAM in skel/.bashrc (T7992).
  • bond: missing validation of member interface MTU (T8023).
  • Use a smarter file comparison in boolean test unsaved_commits() (T8031).
  • snmp: trap target broken with SNMPv3 (T8039).
  • VyOS doesn't allow all-zero host part IPv6 addresses (T7973).
  • VyOS allows multicast addresses to be assigned to interfaces (T8054).

Other resolved issues

  • Improve the smoke test platform (T6510).
  • Addition and deletion of allowed-vlans on a bridge member is slow (T7322).
  • Cleanup unused Python3 imports (T7355).
  • Pass credentials to download commands in environment variables (T7420).
  • Set up a linter check to check complete files for syntax errors and missing imports (T7648).
  • Broken pipe error in "show firewall summary" (T7677).
  • Make "unused-import" check mandatory (T7787).
  • ifconfig: Suppress unnecessary syslog noise from missing nftables rules (T7814).
  • Add a deprecation warning for ssh-dss keys (T7839).
  • Consistent naming of "memory" in op-mode (T7942).
  • Mark Salt minion deprecated (T8056).
  • BP not work "Login: issue warning if TACACS or RADIUS source-address is not configured on the system" (T8063).
View full post