Hello, Community! The belated development update for December 2025 and January 2026 is finally here.
We are getting closer to the 1.5 release but there's also quite a bit of work towards the future. In particular, there's good progress towards replacing the old configuration command completion mechanism with a VyConf-based equivalent, which will allow us to get rid of legacy command definition files eventually.
More immediate improvements include certificate-based authentication for OpenConnect, new operational commands for VPP, support for configuring watchdog timers, and multiple bug fixes.
We have recently upgraded to FRR 10.5. It offers many features and fixes, and also removes support for assigning route maps for filtering the import of connected and kernel routes into the RIB (set system ip protocol <connected|kernel|table> route-map <name>).
We consider it unlikely that anyone ever found that functionality useful — in fact, interfering with the import of connected and kernel routes sounds like asking for trouble.
If you used that functionality and have a valid use case for it, let us know!
For the time being, those commands are removed because they are not present in FRR.
ciphers option is now cipher (T8098)
We normally use singular nouns for multi-value nodes like address but the cipher option in SSH was an exception. Now it no longer is.
respond was renamed to trap (T7594)
Previously, IPsec connection mode names were initiate, respond, and none:
# set vpn ipsec site-to-site peer SomePeer connection-type <TAB>
Possible completions:
initiate Bring the connection up immediately
respond Wait for the peer to initiate the connection
none Load the connection only
However, those names were misleading and led many people to create problematic configurations.
Internally, that corresponds to StrongSWAN start_action values: initiate to start, respond to trap, and none to none.
The real behavior of StrongSWAN modes is:
start (initiate in the old VyOS terms) — initiate the IKE dialog with the peer immediately.
none — wait for IKE traffic from the peer or for a user command, do nothing otherwise.
trap (respond in the old VyOS terms) — respond to IKE or initiate the IKE dialog when matching traffic is detected.
The trap mode of StrongSWAN doesn't really fit the definition of respond, since respond implies the system will not do anything until the peer sends any IKE packets. Moreover, it's unnecessary in most cases and can create duplicate SAs or connection loops.
That situation is a bit tricky to rectify because there are two types of people: those who used respond because they knew how it behaves and specifically wanted that behavior, and those who were misled by the unfortunate name and assumed that was what they had to use if they wanted VyOS to passively wait for IKE packets.
The ultimate solution is still up for discussion and your input is welcome!
For now, however, we made the minimal change and renamed respond to trap to make it clearer what it does and to match the StrongSWAN terminology.
If trap is what you want, you don't need to do anything — the migration script will take care of it automatically. However, if you want your system to wait until IKE packets come from a peer, you may want to set the connection type to none instead.
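Before upgrading, it is worth knowing which peers the rename will touch and which of them were really meant to wait passively. The Go program below is an added example written for this post, not a VyOS migration script: it rewrites a constructed `show configuration commands` excerpt for the two renames described above (ciphers to cipher, respond to trap) and lists every peer whose connection-type was respond so the operator can decide whether trap or none is the right target. The node paths `service ssh ciphers` and `vpn ipsec site-to-site peer <name> connection-type` are assumed, as is the sample configuration.

```go
package main

import (
	"fmt"
	"strings"
)

// Review flags a rename that changes what the configuration means, not just what it is called.
type Review struct {
	Peer, Old, New, Reason string
}

// sampleConfig is a constructed excerpt in "show configuration commands" form, not taken from
// any real system; the node paths used here are assumptions for the example.
var sampleConfig = []string{
	"set service ssh ciphers aes256-ctr",
	"set service ssh ciphers chacha20-poly1305@openssh.com",
	"set vpn ipsec site-to-site peer hq connection-type initiate",
	"set vpn ipsec site-to-site peer branch-a connection-type respond",
	"set vpn ipsec site-to-site peer branch-b connection-type none",
}

// hasPrefix reports whether the command's leading words are exactly prefix.
func hasPrefix(words, prefix []string) bool {
	if len(words) < len(prefix) {
		return false
	}
	for i, p := range prefix {
		if words[i] != p {
			return false
		}
	}
	return true
}

// migrate rewrites the two renamed nodes and returns the new command list together with the
// peers whose connection-type changed name but kept the "initiate on matching traffic" behaviour.
func migrate(cmds []string) ([]string, []Review) {
	var out []string
	var reviews []Review
	for _, cmd := range cmds {
		w := strings.Fields(cmd)
		switch {
		case len(w) == 5 && hasPrefix(w, []string{"set", "service", "ssh", "ciphers"}):
			// Cosmetic: the multi-value node takes the singular name, values are unchanged.
			w[3] = "cipher"
		case len(w) == 8 && hasPrefix(w, []string{"set", "vpn", "ipsec", "site-to-site", "peer"}) &&
			w[6] == "connection-type" && w[7] == "respond":
			// Same behaviour under its StrongSWAN name; flag it because the old name misled people.
			w[7] = "trap"
			reviews = append(reviews, Review{Peer: w[5], Old: "respond", New: "trap",
				Reason: "trap initiates IKE when matching traffic appears; use none to wait passively for the peer"})
		}
		out = append(out, strings.Join(w, " "))
	}
	return out, reviews
}

func main() {
	out, reviews := migrate(sampleConfig)
	for _, c := range out {
		fmt.Println(c)
	}
	for _, r := range reviews {
		fmt.Printf("review peer %s: %s -> %s (%s)\n", r.Peer, r.Old, r.New, r.Reason)
	}
}
```

Only branch-a comes back for review: hq and branch-b keep their meaning, and the SSH lines change name only.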
OpenConnect server now supports certificate-based authentication.
An uncommon feature of OpenConnect, compared to other VPN servers, is that it allows you to choose the certificate field that you want to use for identifying users.
That's done with the user-identifier-field option, which has two predefined values (cn and uid) but also accepts any OID you specify.
Example:
set vpn openconnect authentication mode certificate user-identifier-field cn
set vpn openconnect ssl ca-certificate SomeCA
set vpn openconnect ssl certificate SomeServerCert
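What the user-identifier-field choice means for the server is easiest to see in code. The Go program below is an added example written for this post, not VyOS or OpenConnect code: it builds a throw-away CA and client certificates, then extracts the identity the way a server configured with cn, uid or a raw OID would, refusing certificates that do not chain to the configured CA or that carry the chosen attribute zero or several times. The CA name SomeCA is taken from the configuration above; every other name, key and certificate is constructed inside the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// The two predefined field names resolve to these X.500 attribute OIDs; any other OID can be passed directly.
var fields = map[string]asn1.ObjectIdentifier{
	"cn":  {2, 5, 4, 3},                      // commonName
	"uid": {0, 9, 2342, 19200300, 100, 1, 1}, // userID (RFC 4519)
}

// userIdentifier verifies that cert chains to a trusted CA and is valid for client authentication,
// then returns the single value of the selected subject attribute. A missing or repeated attribute is
// rejected: the identifier is only as reliable as the CA's practice of issuing it exactly once per user.
func userIdentifier(cert *x509.Certificate, roots *x509.CertPool, oid asn1.ObjectIdentifier) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted client certificate: %w", err)
	}
	var values []string
	for _, atv := range cert.Subject.Names { // Names holds every parsed attribute, standard or not
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oid) {
			values = append(values, s)
		}
	}
	if len(values) != 1 {
		return "", fmt.Errorf("subject carries attribute %v %d times, need exactly one", oid, len(values))
	}
	return values[0], nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a one-day CA or client-authentication certificate template.
func template(subject pkix.Name, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl with signer and returns the parsed certificate. With parent nil the result is
// self-signed for the signer's own key; otherwise a fresh key pair is certified.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	pub := &signer.PublicKey
	if parent == nil {
		parent = tmpl
	} else {
		pub = &must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)).PublicKey
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// DemoResult records what runDemo observed for each field choice.
type DemoResult struct {
	ByCN, ByUID, ByOID      string
	MissingUIDErr, RogueErr error
}

// runDemo builds a throw-away CA plus client certificates (all constructed here) and shows how the
// identifier depends on the chosen field and how a certificate from an unrelated CA is refused.
func runDemo() DemoResult {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issue(template(pkix.Name{CommonName: "SomeCA"}, 1, true), nil, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	// CN carries the display name, UID the login name.
	alice := pkix.Name{CommonName: "Alice Example",
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: fields["uid"], Value: "alice"}}}
	aliceCert := issue(template(alice, 2, false), ca, caKey)
	bobCert := issue(template(pkix.Name{CommonName: "Bob Example"}, 3, false), ca, caKey) // no UID attribute
	rogueKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rogueCA := issue(template(pkix.Name{CommonName: "Rogue CA"}, 1, true), nil, rogueKey)
	impostor := issue(template(alice, 4, false), rogueCA, rogueKey) // alice's subject, untrusted issuer

	var r DemoResult
	r.ByCN, _ = userIdentifier(aliceCert, roots, fields["cn"])
	r.ByUID, _ = userIdentifier(aliceCert, roots, fields["uid"])
	r.ByOID, _ = userIdentifier(aliceCert, roots, asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 1}) // raw-OID form
	_, r.MissingUIDErr = userIdentifier(bobCert, roots, fields["uid"])
	_, r.RogueErr = userIdentifier(impostor, roots, fields["cn"])
	return r
}

func main() {
	r := runDemo()
	fmt.Printf("cn=%q uid=%q oid=%q\n", r.ByCN, r.ByUID, r.ByOID)
	fmt.Println("bob by uid:", r.MissingUIDErr)
	fmt.Println("impostor by cn:", r.RogueErr)
}
```

The field you pick becomes the username, so the CA behind ssl ca-certificate has to guarantee that the attribute is present exactly once and is unique per user, and the chain check has to come before the attribute is read: an impostor certificate with a copied subject fails on the issuer, never on the name.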
VyOS now offers configuration commands for the Systemd watchdog service. Example:
set system watchdog module softdog
set system watchdog reboot-timeout 60
set system watchdog shutdown-timeout 60
set protocols traffic-engineering admin-group <name> bit-position <num>
set protocols traffic-engineering interface <intf> admin-group <name>
set protocols traffic-engineering interface <intf> max-bandwidth <num>
set protocols traffic-engineering interface <intf> max-reservable-bandwidth <num>
num-rx-desc was increased to 16384 (T7876).
show vpp bridge-domain [<num> [detail]] (T7203).
show vpp lacp [details] (T7954).
run generate tech-support archive now includes NUMA topology information (T7134).
geoip country-code in firewall has a completion helper now (T8089).
set protocols bgp bmp target FIRST monitor <family> local-rib (T8133).
set service router-advert interface eth0 captive-portal <URL> (T8140).
set protocols isis traffic-engineering export (T8046).
data-ciphers-fallback in site-to-site tunnels (T7633).
set service ssh fido <pin-required|touch-required> (T7483).
buffers page-size (T8082).
host:port syntax is always correctly migrated now (T8059).
reset connection command works correctly again (T7810).
run renew dhcpv6 interface <name> now works in all cases when a DHCPv6 client is used on an interface, not only when address dhcpv6 is set (T8078).
cipher rijndael-cbc@lysator.liu.se that is no longer supported by OpenSSH is now correctly migrated to aes256-cbc (T8098).