VyOS Platform Blog

VyOS Project August 2024 Update

Written by Daniil Baturin | August 27, 2024 12:12:32 AM Z

Hello, Community!

This month's development news covers many bug fixes and features, including remote access IPsec using VTI interfaces, support for WPA enterprise clients, and machine-readable tech support reports.

Deprecated options

  • OpenVPN server net30 topology is deprecated and will be removed in future VyOS releases due to the issues it causes for Windows clients (T6591).

Configuration syntax changes

  • OpenVPN ncp-ciphers option is now data-ciphers (T6571).

New features and improvements

  • It's now possible to use routing table numbers up to 65535 in set policy route ... (T6430).
  • Conntrack logging was significantly improved and unblocks a path to better CGNAT logging (T6362).
  • It's now possible to match GRE flags in firewall rules: set firewall ... rule <num> gre flags ... (T4694).
  • It's now possible to match IPsec traffic in firewall rules as well: set firewall ... rule ipsec <match-ipsec-in|match-ipsec-out|...> (T4694).
  • Added missing command run restart ntp (T6575).
  • monitor bandwidth is no longer limited to a single interface and can be called without an interface name to show information for all interfaces (T6566).
  • Reverse proxy has multiple new logging options now (T6539).
  • Added support for VXLAN VNI to VLAN mapping, e.g.: set interfaces vxlan vxlan1 vlan-to-vni 2-4094 vni 10002-14094 (T6505).
  • Reboot and shutdown prompts now include the host name for extra safety (T6537).
  • GENEVE interfaces can be added to VRFs now (T6538).
  • SSH public key algorithm list is now configurable: set service ssh pubkey-accepted-algorithm <name> (T5878).
  • New ESP group option disable-rekey to disable rekey initiation and fixes for rekey behavior (T6599).
  • VyOS can now produce machine-readable tech support reports in JSON: use run generate tech-support archive to get a gzip'ed JSON file or run show tech-support machine-readable to display it (T6498).
  • Added support for WPA enterprise clients (T6496):
set interfaces wireless wlan0 security bssid <bssid>
set interfaces wireless wlan0 security wpa enterprise_username <username>
set interfaces wireless wlan0 security wpa enterprise_passphrase <password>
  • Remote access IPsec server can work with VTI interfaces now (T5873). Example configuration:
interfaces {
    ethernet eth0 {
        ...
    }
    vti vti1 {
        address 10.23.58.1/24
        address fdcc:2200:a8ee:2358::1/64
        description "Client VPN"
        mtu 1436
    }
}
vpn {
    ipsec {
        esp-group ClientVPN-Client {
            lifetime 3600
            pfs enable
            proposal 1 {
                encryption aes256gcm128
                hash sha256
            }
        }
        ike-group ClientVPN-Client {
            key-exchange ikev2
            lifetime 7200
            proposal 1 {
                dh-group 21
                encryption aes256gcm128
                hash sha256
            }
        }
        options {
            disable-route-autoinstall
        }
        remote-access {
            connection ClientVPN {
                authentication {
                    client-mode x509
                    local-id <local id>
                    server-mode x509
                    x509 {
                        ca-certificate <ca cert name>
                        certificate <cert name>
                    }
                }
                bind vti1
                dhcp-interface eth0
                esp-group ClientVPN-Client
                ike-group ClientVPN-Client
                pool Client-Pool-v4
                pool Client-Pool-v6
            }
            pool Client-Pool-v4 {
                name-server 10.23.58.1
                range {
                    start 10.23.58.2
                    stop 10.23.58.254
                }
            }
            pool Client-Pool-v6 {
                name-server fdcc:2200:a8ee:2358::1
                range {
                    start fdcc:2200:a8ee:2358::2
                    stop fdcc:2200:a8ee:2358::ffff
                }
            }
        }
    }
}
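As an added example (not VyOS project code), the following Python script parses the bracket-style configuration shown above and checks two things a reviewer would verify on a VTI-bound remote-access connection: that the referenced ike-group uses IKEv2, and that options disable-route-autoinstall is present, as in the example. The parser and the audit function are my own, and the embedded config is a constructed, abbreviated excerpt of the example above.

```python
import shlex

# Constructed, abbreviated excerpt of the remote-access example in this post.
SAMPLE = """\
vpn {
    ipsec {
        ike-group ClientVPN-Client {
            key-exchange ikev2
        }
        options {
            disable-route-autoinstall
        }
        remote-access {
            connection ClientVPN {
                bind vti1
                esp-group ClientVPN-Client
                ike-group ClientVPN-Client
            }
        }
    }
}
"""

def parse(text):
    """Parse VyOS bracket config into nested dicts; a leaf holds its list of values."""
    root = cur = {}
    stack = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            cur = stack.pop()                       # close the current node
        elif line.endswith("{"):
            stack.append(cur)
            for word in shlex.split(line[:-1]):     # "ike-group NAME {" nests twice
                cur = cur.setdefault(word, {})
        else:
            key, *values = shlex.split(line)        # valueless leaf -> []
            cur.setdefault(key, []).extend(values)  # repeated leaf keeps every value
    return root

def audit(cfg, name):
    """Return findings for remote-access connection `name`; [] means no issues."""
    ipsec = cfg["vpn"]["ipsec"]
    conn = ipsec["remote-access"]["connection"][name]
    findings = []
    if ipsec["ike-group"][conn["ike-group"][0]].get("key-exchange") != ["ikev2"]:
        findings.append("ike-group does not use IKEv2")
    if "bind" in conn and "disable-route-autoinstall" not in ipsec.get("options", {}):
        findings.append("VTI-bound connection without options disable-route-autoinstall")
    return findings
```

Feed it the output of show configuration (the same bracket syntax) to audit a live box; a quoted value such as description "Client VPN" is handled by shlex.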

Bug fixes

  • run generate openvpn client-config no longer ignores the protocol option (T6486).
  • Changing the serial console speed no longer causes a session drop if you make a commit from the affected console (T3334).
  • Fixed logic errors in generate ipsec profile windows-remote-access (T6617, T6618).
  • run reset vpn ipsec ipsec-peer now correctly resets CAs that were down (T6148).
  • Smaller nftables configs for interface matching (T6603).
  • Importing pre-shared OpenVPN keys now correctly removes key headers (T5744).
  • release dhcp interface ... works correctly again (T6593).
  • connect interface pppoeN and disconnect interface pppoeN work correctly again (T6596).
  • VRF names are now correctly validated on interfaces of all types (T6602).
  • set system options performance throughput no longer enables IPv6 forwarding if it's disabled in the config (T5552).
  • Moving an interface to a different VRF no longer causes an error (T6592).
  • SNMP extension script paths relative to /config/user-data work correctly again (T6525).
  • Fixed an unhandled exception in "show openconnect-server sessions" (T6578).
  • Fixed missing completion for show firewall <ipv4|ipv6> name <name> rule commands (T6581).
  • run show nat source rules now renders port ranges correctly (T6371).
  • set interfaces wireless <interface> country-code <cc> works correctly again (T4287).

Internal changes

  • New argument in list_nodes(): vyos.configtree.list_nodes(path, path_must_exist=False) returns an empty list if the path doesn't exist (handy for migration scripts).
  • There's now initial support for op mode command unit testing, which will (hopefully) help us make our op mode scripts more robust.
  • We have added a GitHub action that checks for unused imports in Python scripts, and we have already removed many unused imports.
  • There's now a new exception vyos.opmode.UnconfiguredObject for cases when a subsystem is configured but a particular entity isn't.

VyOS Stream

You may remember that we promised to implement a VyOS Stream release line to bridge the gap between the ever-changing rolling release and LTS releases, which can only receive the most stable and compatible backports and aren't available publicly. We are using that as a chance to revamp our CI systems, and we expect to publish the first images in late September/early October.

Image build service that will allow customers to create custom flavors and build them via a web UI will be addressed after

That's all for now, but stay tuned for updates!