VyOS Project August 2024 Update
Hello, Community!
This month's development news includes many bug fixes and features, including remote access IPsec using VTI interfaces, support for WPA enterprise clients, and machine-readable tech support reports.
Deprecated options
- OpenVPN server net30 topology is deprecated and will be removed in future VyOS releases due to the issues it causes for Windows clients (T6591).
Configuration syntax changes
- OpenVPN ncp-ciphers option is now data-ciphers (T6571).
New features and improvements
- It's now possible to use routing table numbers up to 65535 in set policy route ... (T6430).
- Conntrack logging was significantly improved and unblocks a path to better CGNAT logging (T6362).
- It's now possible to match GRE flags in firewall rules: set firewall ... rule <num> gre flags ... (T4694).
- It's now possible to match IPsec traffic in firewall rules as well: set firewall ... rule <num> ipsec <match-ipsec-in|match-ipsec-out|...> (T4694).
- Added missing command run restart ntp (T6575).
- monitor bandwidth is no longer limited to a single interface and can be called without an interface name to show information for all interfaces (T6566).
- Reverse proxy has multiple new logging options now (T6539).
- Added support for VXLAN VNI to VLAN mapping, e.g.: set interfaces vxlan vxlan1 vlan-to-vni 2-4094 vni 10002-14094 (T6505).
- Reboot and shutdown prompts now include the host name for extra safety (T6537).
- GENEVE interfaces can be added to VRFs now (T6538).
- SSH public key algorithm list is now configurable: set service ssh pubkey-accepted-algorithm <name> (T5878). This restricts which signature algorithms sshd accepts for user keys, for example to exclude the SHA-1-based ssh-rsa algorithm.
- New ESP group option disable-rekey to disable rekey initiation, and fixes for rekey behavior (T6599).
- VyOS can now produce machine-readable tech support reports in JSON: use run generate tech-support archive to get a gzip'ed JSON file, or run show tech-support machine-readable to display it (T6498).
- Added support for WPA enterprise clients (T6496):
set interfaces wireless wlan0 security bssid <bssid>
set interfaces wireless wlan0 security wpa enterprise_username <username>
set interfaces wireless wlan0 security wpa enterprise_passphrase <password>
- Remote access IPsec server can work with VTI interfaces now (T5873). Example configuration:
interfaces {
    ethernet eth0 {
        ...
    }
    vti vti1 {
        address 10.23.58.1/24
        address fdcc:2200:a8ee:2358::1/64
        description "Client VPN"
        mtu 1436
    }
}
vpn {
    ipsec {
        esp-group ClientVPN-Client {
            lifetime 3600
            pfs enable
            proposal 1 {
                encryption aes256gcm128
                hash sha256
            }
        }
        ike-group ClientVPN-Client {
            key-exchange ikev2
            lifetime 7200
            proposal 1 {
                dh-group 21
                encryption aes256gcm128
                hash sha256
            }
        }
        options {
            disable-route-autoinstall
        }
        remote-access {
            connection ClientVPN {
                authentication {
                    client-mode x509
                    local-id <local id>
                    server-mode x509
                    x509 {
                        ca-certificate <ca cert name>
                        certificate <cert name>
                    }
                }
                bind vti1
                dhcp-interface eth0
                esp-group ClientVPN-Client
                ike-group ClientVPN-Client
                pool Client-Pool-v4
                pool Client-Pool-v6
            }
            pool Client-Pool-v4 {
                name-server 10.23.58.1
                range {
                    start 10.23.58.2
                    stop 10.23.58.254
                }
            }
            pool Client-Pool-v6 {
                name-server fdcc:2200:a8ee:2358::1
                range {
                    start fdcc:2200:a8ee:2358::2
                    stop fdcc:2200:a8ee:2358::ffff
                }
            }
        }
    }
}
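A firewall policy to go with the VTI remote-access setup above, as an added example that is not part of the original post or of the VyOS project's own documentation. It shows the two new rule matchers from T4694 (ipsec match-ipsec-in and gre flags) next to plain interface matching on vti1. Because the client pool 10.23.58.0/24 lives on vti1 itself (that is why route auto-install is disabled in the config above), decrypted client packets arrive on vti1, while the IKE/ESP transport arrives on eth0, the dhcp-interface. The LAN subnet 192.168.1.0/24, the GRE peer 203.0.113.10, the rule numbers, and the exact leaf names (inbound-interface name, state established, gre flags key, protocol tcp_udp) are assumptions about the 1.5 rolling syntax; check them with tab completion before committing, and mirror the rules under firewall ipv6 for the fdcc:2200:a8ee:2358::/64 pool.

```vyos
# Added example; assumes the eth0/vti1 layout and pools from the config above.
set firewall group network-group LAN network 192.168.1.0/24          # assumed LAN
set firewall group network-group VPN-CLIENTS network 10.23.58.0/24   # Client-Pool-v4

# Input chain (traffic to the router). Default drop: add your own management
# rules (SSH etc.) here, they are omitted.
set firewall ipv4 input filter default-action drop
set firewall ipv4 input filter rule 10 action accept
set firewall ipv4 input filter rule 10 state established
set firewall ipv4 input filter rule 10 state related
# IKE and NAT-T on the dhcp-interface
set firewall ipv4 input filter rule 20 action accept
set firewall ipv4 input filter rule 20 inbound-interface name eth0
set firewall ipv4 input filter rule 20 protocol udp
set firewall ipv4 input filter rule 20 destination port 500,4500
# ESP for clients that are not behind NAT
set firewall ipv4 input filter rule 30 action accept
set firewall ipv4 input filter rule 30 inbound-interface name eth0
set firewall ipv4 input filter rule 30 protocol esp
# Clients use 10.23.58.1 (the router on vti1) as DNS resolver, per the pool above
set firewall ipv4 input filter rule 40 action accept
set firewall ipv4 input filter rule 40 inbound-interface name vti1
set firewall ipv4 input filter rule 40 source group network-group VPN-CLIENTS
set firewall ipv4 input filter rule 40 protocol tcp_udp
set firewall ipv4 input filter rule 40 destination port 53
# GRE flags matcher (T4694): only keyed GRE from one assumed peer reaches the
# router; any other GRE is dropped and logged
set firewall ipv4 input filter rule 50 action accept
set firewall ipv4 input filter rule 50 protocol gre
set firewall ipv4 input filter rule 50 source address 203.0.113.10
set firewall ipv4 input filter rule 50 gre flags key
set firewall ipv4 input filter rule 55 action drop
set firewall ipv4 input filter rule 55 protocol gre
set firewall ipv4 input filter rule 55 log

# Forward chain: clients reach the LAN, and only through the tunnel
set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 10 action accept
set firewall ipv4 forward filter rule 10 state established
set firewall ipv4 forward filter rule 10 state related
# Route-based connection (bind vti1, as above): decrypted packets arrive on vti1
set firewall ipv4 forward filter rule 20 action accept
set firewall ipv4 forward filter rule 20 inbound-interface name vti1
set firewall ipv4 forward filter rule 20 source group network-group VPN-CLIENTS
set firewall ipv4 forward filter rule 20 destination group network-group LAN
# Policy-based connection (no bind vti1): decrypted packets surface on eth0, so
# interface matching cannot tell them from forged plaintext; the IPsec matcher
# (T4694) accepts only packets that were actually decapsulated from IPsec.
set firewall ipv4 forward filter rule 30 action accept
set firewall ipv4 forward filter rule 30 ipsec match-ipsec-in
set firewall ipv4 forward filter rule 30 source group network-group VPN-CLIENTS
set firewall ipv4 forward filter rule 30 destination group network-group LAN
# A plaintext packet on eth0 with a 10.23.58.0/24 source matches neither rule 20
# nor rule 30 and would hit the default drop anyway; log such spoofing explicitly
set firewall ipv4 forward filter rule 40 action drop
set firewall ipv4 forward filter rule 40 source group network-group VPN-CLIENTS
set firewall ipv4 forward filter rule 40 log
commit
```

Rules 20 and 30 in the forward chain are deliberately both present: with the VTI bound, rule 20 does the work and rule 30 is inert or redundant; without it, rule 30 is the only thing separating genuine clients from an attacker on the eth0 side who sends packets with a pool source address.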
Bug fixes
- run generate openvpn client-config no longer ignores the protocol option (T6486).
- Changing the serial console speed no longer causes a session drop if you make a commit from the affected console (T3334).
- Fixed logic errors in generate ipsec profile windows-remote-access (T6617, T6618).
- run reset vpn ipsec ipsec-peer now correctly resets peers that were down (T6148).
- Smaller nftables configs for interface matching (T6603).
- Importing pre-shared OpenVPN keys now correctly removes key headers (T5744).
- release dhcp interface ... works correctly again (T6593).
- connect interface pppoeN and disconnect interface pppoeN work correctly again (T6596).
- VRF names are now correctly validated on interfaces of all types (T6602).
- set system options performance throughput no longer enables IPv6 forwarding if it's disabled in the config (T5552).
- Moving an interface to a different VRF no longer causes an error (T6592).
- SNMP extension script paths relative to /config/user-data work correctly again (T6525).
- Fixed an unhandled exception in show openconnect-server sessions (T6578).
- Fixed missing completion for show firewall <ipv4|ipv6> name <name> rule commands (T6581).
- run show nat source rules now renders port ranges correctly (T6371).
- set interfaces wireless <interface> country-code <cc> works correctly again (T4287).
Internal changes
- New argument in list_nodes(): vyos.configtree.list_nodes(path, path_must_exist=False) returns an empty list if the path doesn't exist (handy for migration scripts).
- There's now initial support for op mode command unit testing, which will (hopefully) help us make our op mode scripts more robust.
- We have added a GitHub action that checks for unused imports in Python scripts, and we have already removed many unused imports.
- There's now a new exception, vyos.opmode.UnconfiguredObject, for cases when a subsystem is configured but a particular entity isn't.
VyOS Stream
You may remember that we promised to implement a VyOS Stream release line to bridge the gap between the ever-changing rolling release and LTS releases, which can only receive the most stable and compatible backports and aren't available publicly. We are using that as a chance to revamp our CI systems, and we expect to publish the first images in late September/early October.
The image build service that will allow customers to create custom flavors and build them via a web UI will be addressed after
That's all for now, but stay tuned for updates!