VyOS Project April 2026 Update

Hello, Community!

Now that VyOS 1.5.0 is out of the door, it's time to share the news about new developments in VyOS rolling release that happened in March and April that either weren't included in VyOS 1.5.0 and VyOS Stream 2026.03 or didn't get a prominent mention. They include support for BGP link-state address family, post-quantum pre-shared keys in IPsec, and more.

New features

PPK support in IPSec (T8136)

Post-quantum cryptography is a hot topic now, since progress in building quantum computers makes it look like long-predicted attacks on classic algorithms may soon become viable.

Full support for ML-KEM will only come after we upgrade strongSwan to 6.x, but as a first step in that direction, there's now support for Post-quantum Preshared Keys (PPKs).

You can configure them in IPsec authentication settings and use them in either site-to-site or remote access connections:

set vpn ipsec authentication ppk <name> id <value>
set vpn ipsec authentication ppk <name> secret <value>

set vpn ipsec site-to-site peer <name> ppk id <value>
set vpn ipsec site-to-site peer <name> ppk required # optional

set vpn ipsec remote-access connection <name> ppk id <value>
set vpn ipsec remote-access connection <name> ppk required # optional

Support for SNMP traps in VRRP (T8448)

It's now possible to configure SNMP traps for VRRP transition events:

set high-availability vrrp snmp
set service snmp trap-source <addr>
set service snmp trap-target <addr> community <name>

Experimental support for BGP-LS (T8457)

BGP-LS (link state) address family is defined in RFC 9552 and allows routers to exchange link state database and traffic engineering metrics from IGP protocols (OSPF and IS-IS) over BGP.

Example:

set protocols bgp system-as <ASN>
set protocols bgp parameters router-id <addr>
set protocols bgp neighbor <addr> remote-as <ASN>
set protocols bgp neighbor <addr> update-source <addr>
set protocols bgp neighbor <addr> address-family link-state

Other features and improvements

• Option to allow different AS number notation formats in BGP: set protocols bgp parameters as-notation <asdot|asdot+|plain> (T7338).
• New operational mode command to show difference between configs on config-sync pair nodes: show configuration secondary sync [commands] [running | candidate | saved] [<config-node-path>] (T7784).
• It's now possible to specify VRF for commit archive uploads: set system config-management commit-archive vrf <name> (T4732).
• Option to specify the timeout for purging all entries on conntrack sync handover events: set service conntrack-sync purge-timeout (T8189).
• New command to disable MAC address learning on bridges: set interfaces bridge br1 member interface eth1 disable-learning (T8411).
• Support for ttyAMA console devices required for ARM64 (T8375).

Bug fixes

• VPP no longer allows adding a physical interface to more than one bonding or bridge interface (T8342).
• VPP ACLs can now be assigned to VLAN sub-interfaces (T8495).
• Fixed a permissions issue that prevented GeoIP database updates from working correctly (T8326).
• Fixed issues that could prevent DHCP option 67 from working correctly (T8408).
• Fixed an issue that prevented flowtable offload options from working with zone-based firewall (T8446).
• Fixed migration of the weekend option in firewall rules from 1.3.x configs (T8275).
• Fixed migration of firewall names with non-alphanumeric characters from 1.3.x configs (T8282).
• Fixed an issue with support for multi-port USB serial adapters in console server (T8211).
• There's a new implementation of a netlink event handling daemon that fixes memory leaks and other issues of the old netplugd (T8047).
• Invoking run show history from configuration mode works correctly now (T8479).