VyOS Platform Blog

VyOS Project November 2025 Update

Written by Daniil Baturin | December 8, 2025 1:03:37 PM Z

Hello, Community!

The update for November is here! There are two big features, TLS support for syslog and IPFIX support in VPP, along with good progress in replacing the old configuration backend and multiple bug fixes.

Removed features

  • Operational mode commands show ip route cache and show ipv6 route cache are removed because there's no concept of a route cache in Linux anymore (T7998).

Deprecated features

Integration with Salt (service salt-minion) is now deprecated and is set to be removed in future VyOS versions — interest in that feature from the community and customers has been consistently low so we expect that it will not affect many people. We will soon add a deprecation warning to give everyone a chance to prepare. There is no set schedule for its removal yet.

New features and improvements

  • It's now possible to configure TLS for remote syslog servers (T4251).
  • There's now IPFIX support in VPP (T7556).
  • It's now possible to force the remote access IPsec server to always send the server certificate, even if the client does not request it: set vpn ipsec remote-access connection <name> authentication always-send-cert (T8027).
  • set system option reboot-on-panic now enables much earlier reboot (T8003).
  • add system image now checks for unsaved commits and shows a warning if there are any (T7319).

VyConf progress

We are making good progress with VyConf, the new configuration backend. In particular, it is now capable of reloading the active config on daemon restart. The old backend keeps its entire state in files and has no daemon, so it avoids that problem at the cost of performance issues, but VyConf is a daemon, so it must be able to save and recover its state. Apart from that, the session handling mechanism now supports almost all operations of the original, including session edit level.

The end goal of all that, if you are new to this area, is to eventually support commit dry-run, fully atomic commits, and other things that are impossible in the old backend due to its design shortcomings.

Bug fixes

  • WAN load balancing service now correctly restores default routes after interface disconnects and reconnects (T7966).
  • WAN load balancing now correctly handles more than two interfaces in the same rule (T7977).
  • VPP now supports children of bonding interfaces (e.g., bond0.10) in NAT (T7949).
  • VPP no longer gets stuck when rx-queue-size is used with XDP (T7872).
  • VPP now uses the Systemd notify mechanism which makes its startup much faster (T7970).
  • VPP NAT44 rule deletion no longer causes commit errors (T8036).
  • VPP ACL commands now correctly disallow symbolic port names (T8016).
  • VPP now correctly runs driver compatibility checks on changes when a NIC was already added to VPP (T8030).
  • Fixed incorrect permissions for the VPP socket (T8012).
  • Deletion of sub-interfaces in VPP CGNAT is now correctly reflected in command outputs (T7950).
  • Container networks no longer lose VRFs upon restart (T7305).
  • Removing virtual ethernet interfaces now also correctly removes DHCP clients associated with them (T7990).
  • DHCPv6 client now correctly works on PPPoE interfaces (T7485).
  • Dynamic interfaces no longer cause errors on attempts to add them to firewall zones (T7849).
  • Setting the default action of a firewall zone to drop no longer causes errors (T7112).
  • set interfaces bridge brX member interface <intf> isolated no longer disappears after reboot (T6775).
  • Static ARP entries are now correctly preserved on interface status changes (T7731).
  • Deleting routing protocols under VRF no longer causes errors (T7255).
  • install image correctly detects previous installations again (T7994).
  • run generate pki wireguard key-pair install works correctly again (T8000).
  • virtual-ethernet interfaces now show a proper error message when the peer option is missing (T8017).
  • DHCP server ping-check option works correctly again (T7913).
  • Unconfigured TACACS+ or RADIUS source address now causes a warning (T8024).
  • Bonding interfaces now correctly validate member interface MTUs (T8023).
  • Fixed an error when deleting VRFs with static routes (T8034).
  • SNMP trap targets are now generated correctly (T8039).
  • Fixed an error on deletion of VTI interfaces (T8001).