VyOS Platform Blog

VyOS Project April 2025 Update

Written by Daniil Baturin | April 30, 2025 10:30:19 AM Z

Hello, Community!

The April update is here — just at the end of April. We've been busy working on the VPP-based accelerated dataplane — you can watch that work in the repository and play with it in rolling release images. However, there are more features and bug fixes, and we are happy to see more active community contributors — there are quite a few community PRs that we merged lately, including DDNS update support for Kea, auto ignore prefixes for SLAAC, and more — read on for details!

Removed and deprecated features

Some older functionality is now removed from rolling release images.

GnuPG signatures are no longer supported (T7301)

VyOS has been using minisign as its primary signature verification method for years. It has much smaller keys that can be just passed as command line arguments, so it's much easier to use by hand.

When we introduced minisign, we kept making GnuPG signatures as well, to ensure that older images could be updated securely. Since there are no still-supported VyOS versions that wouldn't include minisign, the transition period is complete. From the upcoming VyOS Stream 2025-Q2 and 1.4.3 releases, we will no longer produce GnuPG signatures, so if you want to verify downloaded images by hand, follow the documentation on minisign. This change will have no impact on add system image, since it has supported minisign in even in 1.2 and 1.3, which both have reached end of life.

FastNetMon-based service ids ddos-protection is removed from rolling and deprecated in LTS releases (T7241)

For quite a while, we had a CLI for configuring FastNetMon — a DDoS detection daemon. However, that integration was never especially deep, and we do not see a path to significant improvement.

The long-term plan is to move FastNetMon to an addon, once we finalize a mechanism for allowing addons to extend the system CLI. As for built-in components, the approach will be "quality over quantity" — it's better to have a smaller number of integrations that serve a large number of users and play well together, but to provide an option for everyone to install or develop integrations for their own needs.

New features and improvements

  • Improved output for remote groups in run show firewall group (T7314).
  • add system image now asks the user to choose a different name if the proposed name is not available, instead of failing the installation (T7359).
  • New DHCP server option: capwap-controller (T7310).
  • It's now possible to specify flowtables for firewall global state policy: set firewall global-options state-policy offload offload-target <flowtable> (T7358).
  • It's now possible to explicitly specify selectors for VTI traffic in IPsec: set vpn ipsec site-to-site peer P1 vti traffic-selector <local|remote> prefix <IPv4|IPv6> (T7343).
  • New commands for viewing conntrack logs: show log conntrack event <new|update|destroy> (T7370).
  • VyOS now supports interface tokens for SLAAC, e.g.: set interfaces ethernet eth0 ipv6 address interface-identifier 0000:0000:cafe:0001 (T4627).
  • Container log driver is now configurable: set container log-driver <journald|k8s-file> (T7382).
  • DHCP server has full support for RFC-2136 DDNS updates now (T6773).
  • "Auto ignore prefix" support in the IPv6 router advertisment service: set service router-advert interface eth1 auto-ignore-prefix <prefix> (T7380).
  • It's not possible to disable most boot messages using set system option kernel quiet option (T7397).
  • enforce-first-as option for BGP peers is supported again (T7220).

Bug fixes

  • set vpn ipsec log level command works correctly again (T7290).
  • Fixed an issue that caused duplicated kernel log messages (T7311).
  • Changes in VXLAN interfaces no longer reser the FRR config (T7273).
  • Fixed an issue with incorrectly generated domain names for DHCP server subnets (T7324).
  • The FQDN resolver in firewall now correctly uses separate caches for IPv4 and IPv6 (T7333).
  • The allowed-vlans option for bridge interfaces members no longer slows down the commit process (T7322).
  • Fixed an unhandled netplug error that could occur when interface configuration was changed multiple times in quick succession (T7346).
  • The login prompt on the console is no longer mistakenly displayed in bold (T7356).
  • DHCP server supports the ping-check option again (T7281).
  • DHCP-assigned IP addresses are now correctly removed when an interface loses carrier (T7353).
  • system option kernel options are now correctly applied upon the first reboot after image upgrade (T7327).
  • DHCPv6 client processes on PPPoE interfaces are now shut down gracefully on system shutdown (T6113).
  • PPPoE server sessions are now logged correctly (T7367).
  • Interface dhcp-options no-default-route option works as expected now, when the server honors it (T6253).
  • OSPF no longer mistakenly redistributes NHRP routes by default (T7383).
  • CLI completion for run show firewall group now correctly includes all group types (T7282).
  • Removing SLAAC configuration from an interfaces correctly removes SLAAC-configured addresses and routes (T7375).
  • Fixed an invalid sysctl configuration that caused IPv6 default route to be installed for DHCPv6 only interface during startup (T7379).
  • Fixed an upgrade error when the config did not contain system option kernel option (T7394).

That's all for now, but stay tuned for updates, as usual!
View full post