VyOS Project September 2023 Update
Hello, community!
We're back with an end-of-summer update. We've been quite busy cleaning up legacy code, fixing bugs, and adding remaining features planned for the future 1.4.0 (Sagitta) LTS release that we hope to finish by 2024. Soon, we'll create a sagitta branch in our git repositories to stabilize the codebase that will become the new 1.4.0 LTS release. Rolling release development will continue in the current branch, and the future 1.5 LTS release will be "Circinus". Meanwhile, the minor release 1.3.4 of the Equuleus branch is in its final stages, and we'll soon build and release its images. Here's what's happened in August.
VyOS 1.3 Equuleus
- VyOS 1.3 now supports virtual Ethernet pairs (T4825). They will connect network namespaces together when full support for netns is added.
- Removing GRE tunnel key works as expected again (T5223).
- IPv6 link-local addresses are now added to container interfaces (T5506).
- Support for running scripts on PPPoE session setup, teardown, and RADIUS attribute change (T3546).
- Fixes for low-impact security vulnerabilities, including the speculative execution issue in AMD CPUs.
We'll provide detailed release notes when 1.3.4 images are out, so stay tuned for updates!
VyOS 1.4 Sagitta
- New service: Zabbix agent 2 for real-time monitoring (T5448):
# Example configuration
set service monitoring zabbix-agent directory '/config/zabbix/'
set service monitoring zabbix-agent limits buffer-flush-interval '8'
set service monitoring zabbix-agent limits buffer-size '120'
set service monitoring zabbix-agent log debug-level 'warning'
set service monitoring zabbix-agent log size '1'
set service monitoring zabbix-agent host-name 'foo'
set service monitoring zabbix-agent server '192.0.2.5'
set service monitoring zabbix-agent server-active 192.0.2.5 port '10051'
set service monitoring zabbix-agent server-active 2001:db8::123
- OpenVPN option to validate self-signed certificates through peer fingerprints (T5271):
set interfaces openvpn <name> tls peer-fingerprint <sha256-digest>
- OpenVPN config option tls dh-params is now optional. Omitting it will default to ECDH (T5270).
- New command to display x509 certificate fingerprint (T5273):
show pki certificate <certificate> fingerprint [sha256|sha384|sha512]
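The peer-fingerprint option above pins a peer's certificate by the SHA-256 digest of its DER encoding, in the same colon-separated form that the new show pki certificate fingerprint command prints. The following added example (not VyOS code) computes that fingerprint from a PEM file with only the Python standard library and checks a presented certificate against a configured value; the PEM body is a constructed stand-in, not a real X.509 certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a PEM certificate: the body is base64 of the
# bytes b"abc", not a real X.509 structure, so the result is easy to verify.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Hash the DER encoding and format it as colon-separated upper-case hex,
    the form 'openssl x509 -fingerprint' prints and peer-fingerprint expects."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("unsupported digest: " + algorithm)
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem: str, expected: str, algorithm: str = "sha256") -> bool:
    """Compare a certificate against a configured fingerprint, ignoring case
    and separator differences and using a constant-time comparison."""
    def normalise(s: str) -> str:
        return re.sub(r"[^0-9a-f]", "", s.lower())
    actual = normalise(certificate_fingerprint(pem, algorithm))
    return hmac.compare_digest(actual, normalise(expected))


if __name__ == "__main__":
    fp = certificate_fingerprint(SAMPLE_PEM)
    # Interface name vtun0 is a placeholder for this example.
    print("set interfaces openvpn vtun0 tls peer-fingerprint '%s'" % fp)
    print("match:", fingerprint_matches(SAMPLE_PEM, fp))
```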
- Wireguard traffic monitoring can be set to be processed in dedicated threads for each peer (T5409):
set interfaces wireguard <name> per-client-thread
- The same option can be used for WLAN interfaces as well:
set interfaces wireless <name> per-client-thread
- Per-interface support for IPv6 duplicate address detection (T5464):
set interfaces <interface-type> <interface> ipv6 accept-dad [0|1|2]
- Configuration options for TCP MSS probing (T5449):
set system ip tcp mss base <n>
set system ip tcp mss floor <n>
set system ip tcp mss probing [on-icmp-black-hole|force]
- Support for static MACsec keys with peers (T5447):
set interfaces macsec <interface> address <address>
set interfaces macsec <interface> security encrypt
set interfaces macsec <interface> cipher [gcm-aes-128|gcm-aes-256]
set interfaces macsec <interface> security static key <key>
set interfaces macsec <interface> security static peer <peer> key <key>
set interfaces macsec <interface> security static peer <peer> mac <address>
- Ability to accept or deny wireless traffic based on MAC addresses (T5491):
set interfaces wireless <interface> security station-address mode [accept|deny]
set interfaces wireless <interface> security station-address accept mac <address>
set interfaces wireless <interface> security station-address deny mac <address>
- DNS update timeout can now be manually set (T5445):
set service dns dynamic timeout <seconds>
- Ability to manually wipe the dynamic DNS cache (T2546):
clear dns dynamic cache
- Support for L3VPN label allocation mode (T5466):
set protocols bgp address-family [ipv4|ipv6]-unicast label vpn allocation-mode per-nexthop
- Containers can now publish multiple addresses (T5463):
set container name <container> port <name> source <port>
set container name <container> port <name> destination <port>
set container name <container> port <name> listen-address <address-0>
set container name <container> port <name> listen-address <address-1>
- The port field is now optional when configuring destination NAT redirection. Omitting it will default to the original port (T5472).
- Conntrack is now disabled by default unless explicitly enabled by rules (T5080).
- Serial console server logs can be monitored and displayed:
[monitor|show] log console-server
- show firewall now displays inbound and outbound interfaces as separate columns (T5496).
- Option to set the time display format to 12-hour or 24-hour notation (T5374):
set system option time-format [12-hour|24-hour]
That's all for now, but stay tuned for more updates!