Hello, Community!
This month's development news includes many bug fixes and features, including remote access IPsec using VTI interfaces, support for WPA enterprise clients, and machine-readable tech support reports.
The net30 topology is deprecated and will be removed in future VyOS releases due to the issues it causes for Windows clients (T6591).
The ncp-ciphers option is now data-ciphers (T6571).
set policy route ... (T6430).
set firewall ... rule <num> gre flags ... (T4694).
set firewall ... rule ipsec <match-ipsec-in|match-ipsec-out|...> (T4694).
run restart ntp (T6575).
monitor bandwidth is no longer limited to a single interface and can be called without an interface name to show information for all interfaces (T6566).
set interfaces vxlan vxlan1 vlan-to-vni 2-4094 vni 10002-14094 (T6505).
set service ssh pubkey-accepted-algorithm <name> (T5878).
disable-rekey to disable rekey initiation, and fixes for rekey behavior (T6599).
run generate tech-support archive to get a gzip'ed JSON file, or run show tech-support machine-readable to display it (T6498).
WPA enterprise client support:
set interfaces wireless wlan0 security bssid <bssid>
set interfaces wireless wlan0 security wpa enterprise_username <username>
set interfaces wireless wlan0 security wpa enterprise_passphrase <password>
Remote access IPsec can now be bound to a VTI interface; an example configuration (the local ID and certificate names are placeholders):

interfaces {
    ethernet eth0 {
        ...
    }
    vti vti1 {
        address 10.23.58.1/24
        address fdcc:2200:a8ee:2358::1/64
        description "Client VPN"
        mtu 1436
    }
}
vpn {
    ipsec {
        esp-group ClientVPN-Client {
            lifetime 3600
            pfs enable
            proposal 1 {
                encryption aes256gcm128
                hash sha256
            }
        }
        ike-group ClientVPN-Client {
            key-exchange ikev2
            lifetime 7200
            proposal 1 {
                dh-group 21
                encryption aes256gcm128
                hash sha256
            }
        }
        options {
            disable-route-autoinstall
        }
        remote-access {
            connection ClientVPN {
                authentication {
                    client-mode x509
                    local-id <local id>
                    server-mode x509
                    x509 {
                        ca-certificate <ca cert name>
                        certificate <cert name>
                    }
                }
                bind vti1
                dhcp-interface eth0
                esp-group ClientVPN-Client
                ike-group ClientVPN-Client
                pool Client-Pool-v4
                pool Client-Pool-v6
            }
            pool Client-Pool-v4 {
                name-server 10.23.58.1
                range {
                    start 10.23.58.2
                    stop 10.23.58.254
                }
            }
            pool Client-Pool-v6 {
                name-server fdcc:2200:a8ee:2358::1
                range {
                    start fdcc:2200:a8ee:2358::2
                    stop fdcc:2200:a8ee:2358::ffff
                }
            }
        }
    }
}
run generate openvpn client-config no longer ignores the protocol option (T6486).
generate ipsec profile windows-remote-access (T6617, T6618).
run reset vpn ipsec ipsec-peer now correctly resets CAs that were down (T6148).
release dhcp interface ... works correctly again (T6593).
connect interface pppoeN and disconnect interface pppoeN work correctly again (T6596).
set system options performance throughput no longer enables IPv6 forwarding if it is disabled in the config (T5552).
show firewall <ipv4|ipv6> name <name> rule commands (T6581).
run show nat source rules now renders port ranges correctly (T6371).
set interfaces wireless <interface> country-code <cc> works correctly again (T4287).
list_nodes(): vyos.configtree.list_nodes(path, path_must_exist=False) returns an empty list if the path doesn't exist (handy for migration scripts).
vyos.opmode.UnconfiguredObject for cases when a subsystem is configured but a particular entity isn't.

You may remember that we promised to implement a VyOS Stream release line to bridge the gap between the ever-changing rolling release and LTS releases, which can only receive the most stable and compatible backports and aren't available publicly. We are using that as a chance to revamp our CI systems, and we expect to publish the first images in late September/early October.
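As an added illustration of the new vyos.opmode.UnconfiguredObject mentioned above (this is example code, not VyOS project code): an op-mode style lookup that raises UnconfiguredSubsystem when nothing is configured at all and UnconfiguredObject when the subsystem exists but the requested entity does not. It assumes vyos.opmode also provides UnconfiguredSubsystem (which this page does not mention); when the vyos module is not importable, stand-in classes with the same names are used so the example runs anywhere. The configured-connections dictionary is constructed sample data, not a real config read.

```python
"""Added example (not VyOS project code): using vyos.opmode.UnconfiguredObject
to tell "subsystem not configured" apart from "this entity not configured".

Assumption: vyos.opmode also exports UnconfiguredSubsystem. The fallback
classes below exist only so the example runs outside VyOS.
"""

try:
    from vyos.opmode import UnconfiguredObject, UnconfiguredSubsystem
except ImportError:  # outside VyOS: stand-in classes with the same names
    class UnconfiguredSubsystem(Exception):
        pass

    class UnconfiguredObject(Exception):
        pass

# Constructed sample: what a hypothetical "show ... connection" op-mode script
# might have read from the running config. An empty dict means the whole
# remote-access subsystem is absent.
SAMPLE_CONFIG = {
    "connections": {
        "ClientVPN": {"bind": "vti1", "ike-group": "ClientVPN-Client"},
    }
}


def get_raw_data(config, connection=None):
    """Return connection data, raising the matching op-mode error.

    - nothing configured at all            -> UnconfiguredSubsystem
    - named connection is not configured   -> UnconfiguredObject
    - no name given                        -> all configured connections
    """
    if not config:
        raise UnconfiguredSubsystem("IPsec remote access is not configured")
    connections = config.get("connections", {})
    if connection is None:
        return connections
    if connection not in connections:
        raise UnconfiguredObject(f"Connection '{connection}' is not configured")
    return {connection: connections[connection]}


def classify(config, connection=None):
    """Map the outcome of get_raw_data() to a status string for callers
    (e.g. a CLI wrapper) that want to report rather than propagate."""
    try:
        data = get_raw_data(config, connection)
    except UnconfiguredSubsystem:
        return "subsystem-unconfigured"
    except UnconfiguredObject:
        return "object-unconfigured"
    return "ok" if data else "empty"


if __name__ == "__main__":
    print(classify(SAMPLE_CONFIG, "ClientVPN"))    # ok
    print(classify(SAMPLE_CONFIG, "Nonexistent"))  # object-unconfigured
    print(classify({}, "ClientVPN"))               # subsystem-unconfigured
```

The split matters for scripts and monitoring that call op-mode commands: "the subsystem is off" and "you asked for a name that does not exist" are different conditions and should not produce the same generic error.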
Image build service that will allow customers to create custom flavors and build them via a web UI will be addressed after
That's all for now, but stay tuned for updates!