VyOS Project May 2026 Update

Hello, Community!

The May development update is here. Despite the fact that we had to deal with a downpour of vulnerabilities such as Copy Fail, Dirty Frag, and others (they are all fixed in rolling and in emergency LTS release updates available to subscription holders now!), the VyOS team and community members still added quite a lot of new features and bug fixes this month.

They include a fix for the long-standing, very annoying bug that led to needless OpenVPN server restarts on config changes that only affected user settings that go to the client config dir, multiple new options for DHCPv4 and DHCPv6 servers, initial support for traffic engineering in segment routing, and more.

New features

• Configurable IPoE server timeout: set service ipoe-server idle-timeout <0-86400> (T8910).
• Options to execute scripts on OpenConnect server user connection events: set vpn openconnect script <connect|disconnect> <script file path> (T7654).
• Option to set the local stratum value for NTP server: service ntp local-stratum <1-15> (T8601).
• BFD strict mode setting for BGP: set protocols bgp neighbor <neigh> bfd strict hold-time <seconds> (T8822).
• Operational mode command to show private keys of certificates stored in files in PEM: show pki certificate <name> private pem (T8877).
• DHCPv6 server now allows multiple addresses/prefixes in static reservations rather than just one (T8862).
• Timezone option support for the DHCP server: set service dhcp[v6]-server shared-network-name <name> option time-zone <TZ name> (T8849)
• There's now log-level option in DHCP servers (T8600).
• Fixed an issue with the validation of le and ge options in prefix lists (T8823).
• It's now possible to match the source BGP peer in route-maps: set policy route-map <name> rule <num> match src-peer <host|addr> (T8588).
• It's now possible to change the FRR watchdog timeout: set system frr watchfrr-timeout <seconds> (T8606).
• There's now initial support for traffic engineering options in segment routing (T6750). Example:

set protocols segment-routing traffic-engineering database-import-protocol isis
set protocols segment-routing traffic-engineering segment-list <name> index value <num> mpls label <num>

• Timeout option for VRRP health checks: set high-availability vrrp group Foo health-check timeout <seconds> (T8293).

Bug fixes

• Making a change to the OpenVPN server that only affects data in the client config directory and doesn't touch server settings is now guaranteed not to cause a service restart (T6478).
• Commit no longer fails in case a wireless modem is not connected at the moment (T8412).
• PPPoE server is now correctly reloaded on RADIUS settings changes (T8883).
• Mediatek MT7916AN wireless cards work correctly now (T8528).
• HAProxy configuration script now correctly checks listen-address for port conflicts with other services (T7928).
• NTP server configuration script now correctly checks whether hardware timestamping is supported on interfaces (T7880).
• Options from set system option performance no longer erroneously override sysctl parameters from firewall (T6933).
• ikev2-reauth now works correctly for site-to-site peers (T7555)
• Fixed an issue that prevented GeoIP data updates from working as expected (T8590).
• set high-availability virtual-server <name> persistence-timeout 0 no longer erroneously causes a validation error, so it's now possible to disable persistent connections (T7059).
• Fixed an issue in vyos-netlinkd that caused high CPU load on route updates (T8781).
• Fixed an issue that caused malformed timezone pcode in the DHCPv4 server (T8848).
• set system console device <name> kernek now correctly rejects device names that aren't ttyS* or ttyAMA* (T8853).
• Fixed an issue in WAN load balancing that could break internal routing (T8480).
• DHCP relay now warns if it's configured to use a non-existent interface (T7879).
• Fixed an issue with migration of OpenVPN configuration from VyOS 1.3.x (T8280).