VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Project September 2024 Update

Daniil Baturin
Posted 22 Sep, 2024

Hello, Community!

Summer is over now, and many people are returning to their routines. Check out what we've done in the last month of the summer: a few small config syntax changes, multiple improvements in OpenVPN, an API endpoint for importing PKI objects, and a whole bunch of bug fixes!

Config syntax and behavior changes

In the past month, we made some configuration syntax changes. They are backward-compatible and come with migration scripts, so your old configs will load without any issues.

DHCPv6 shared network options (T6648)

The old command set service dhcpv6-server shared-network-name <name> common-options ... is now set service dhcpv6-server shared-network-name <name> option ... and supports all options previously only available at the subnet level.

IPoE server VLAN auto-creation (T6649)

Originally, IPoE server would always enable VLAN auto-creation when the user configured a VLAN range with a command like set service ipoe-server interface eth1 vlan '5-20'.

However, that behavior is not always desirable. Sometimes administrators only want the server to listen on a range of VLANs, but not create them automatically.

Now VLAN auto-creation is disabled by default and can be enabled with the new vlan-mon option.

set service ipoe-server interface eth1 vlan '5-20'
set service ipoe-server interface eth1 vlan-mon

We used the same option name as in the config of accel-ppp — the backend of our IPoE server and probably the most common implementation of that technology. However, we have a concern that vlan-mon may be a confusing name for people who haven't used accel-ppp before. Let us know if you think the name is misleading and needs to be changed!

New features and improvements

  • New command set service router-advert interface <intf> no-send-advert forces the router to omit the Advertisement Interval option from RA packets as a workaround for clients that cannot process that option correctly (T6681).
  • The new operational mode command show interfaces macsec detail (T6668).
  • New option set firewall global-options apply-for-bridge <ipv4|ipv6> that controls whether L3 firewall rulesets are invoked for bridged traffic (the net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables sysctl options) (T6570).

OpenVPN connection protocol is now configurable (T6183)

The command to set the IP protocol version is set interfaces openvpn <intf> ip-version <auto|ipv4|ipv6|dual-stack>. The meanings are as follows:

  • auto — determine the protocol version from the address family of the local-host and remote-host addresses.
  • ipv4 and ipv6 — use only IPv4 or IPv6, unconditionally.
  • dual-stack — accept client connections over both IPv4 and IPv6 (only supported in server mode).

This change also fixes the issue with OpenVPN failing to start when it's configured in client mode with IPv6 remote-host.

OpenVPN server bridge mode (T6555)

VyOS now supports OpenVPN server bridge mode, in which the server only hands out addresses and settings to clients and otherwise acts as a switch, without trying to route any packets. If you set up OpenVPN in that mode, you can add the interface to a bridge together with physical interfaces so that OpenVPN clients communicate with those physical networks transparently. Keep in mind that clients then sit in the same broadcast domain as those physical interfaces, and that bridged traffic only passes through the L3 firewall rulesets when apply-for-bridge is enabled (see above).

set interfaces bridge br0 member interface eth2
set interfaces bridge br0 member interface vtun10

set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 server bridge gateway '10.10.0.1'
set interfaces openvpn vtun10 server bridge start '10.10.0.100'
set interfaces openvpn vtun10 server bridge stop '10.10.0.200'
set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0'

HTTPS API endpoints for PKI object import (T5743)

There is now an API endpoint, /import-pki, for importing PKI objects such as certificates and keys. The path list mirrors the configuration path of the object, and the passphrase field is for keys that are encrypted. For example, run on the router itself (which is why curl -k against localhost is acceptable here; against a remote router, verify the certificate instead of skipping it):

vyos@vyos# curl -k --location --request POST 'https://localhost/import-pki' \
    --form data='{"op": "import-pki", "path": ["pki", "ca", "test", "key-file", "/config/auth/test.key"], "passphrase": ""}' \
    --form key='my-api-key'
{"success": true, "data": "1 value(s) installed.", "error": null}
[edit]
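A small client for this endpoint, written in Python as an added example (it is not VyOS's own code). It turns a set pki ... command into the path list the API expects, builds the same multipart form that the curl call above sends, verifies the router's certificate instead of skipping verification with -k, and fails loudly when the API reports an error. The router address (192.0.2.1), the CA bundle path and the VYOS_API_KEY environment variable are assumptions, not anything the post states.

```python
"""Client for the VyOS HTTPS API /import-pki endpoint (added example, not
VyOS's own code).

Assumptions not stated on the page: the router is reachable at ROUTER_URL,
the API key is read from the VYOS_API_KEY environment variable, and the CA
that signed the router's HTTPS certificate is in CA_BUNDLE, so the TLS
certificate is verified instead of being skipped with -k.
"""
import json
import os
import shlex
import ssl
import urllib.request
import uuid

ROUTER_URL = "https://192.0.2.1"              # assumption: router address
CA_BUNDLE = "/etc/ssl/certs/vyos-api-ca.pem"  # assumption: CA for the router cert


def cli_to_path(set_command: str) -> list[str]:
    """Turn a 'set pki ...' command into the path list the endpoint expects.

    'set pki ca test key-file /config/auth/test.key'
      -> ['pki', 'ca', 'test', 'key-file', '/config/auth/test.key']
    shlex keeps quoted values containing spaces as single path elements.
    """
    words = shlex.split(set_command)
    if len(words) < 3 or words[0] != "set" or words[1] != "pki":
        raise ValueError("expected a 'set pki ...' command")
    return words[1:]


def build_import_pki_form(path: list[str], api_key: str, passphrase: str = "") -> dict:
    """Form fields for POST /import-pki: 'data' carries the JSON request, 'key' the API key."""
    request = {"op": "import-pki", "path": path, "passphrase": passphrase}
    return {"data": json.dumps(request), "key": api_key}


def encode_multipart(fields: dict, boundary: str = "") -> tuple[bytes, str]:
    """Encode text fields as multipart/form-data, the same shape `curl --form` sends."""
    boundary = boundary or uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{value}\r\n").encode()
    body += f"--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def parse_import_pki_response(body: bytes) -> str:
    """Return the server's message on success; raise with the API error otherwise."""
    reply = json.loads(body)
    if not reply.get("success"):
        raise RuntimeError(f"import-pki failed: {reply.get('error')}")
    return reply.get("data") or ""


def import_pki(set_command: str, api_key: str, passphrase: str = "",
               router_url: str = ROUTER_URL, ca_bundle: str = CA_BUNDLE) -> str:
    """POST the import over verified TLS and return the router's message."""
    form = build_import_pki_form(cli_to_path(set_command), api_key, passphrase)
    body, content_type = encode_multipart(form)
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verify the router cert, never -k
    req = urllib.request.Request(f"{router_url}/import-pki", data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_import_pki_response(resp.read())


if __name__ == "__main__":
    print(import_pki("set pki ca test key-file /config/auth/test.key",
                     os.environ["VYOS_API_KEY"]))
```

The API key is sent as a form field over TLS, so certificate verification is what keeps it from being handed to whoever answers on the router's address; the helpers that build the request and read the reply are kept separate from the network call so they can be exercised without a router.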

Bug fixes

  • DHCP client script now makes multiple attempts to install routes in FRR, fixing a rare race condition in which two or more instances try to install routes simultaneously and may fail to acquire the FRR socket lock (T6667).
  • run show ntp commands now work correctly when the NTP process is running in a VRF (T6561).
  • The set system option ssh-client source-interface command works correctly again and no longer causes an unhandled exception (T6672).
  • run generate pki * commands now correctly enforce the two-character country code length (T3961).
  • Trying to configure Suricata IDS on more than one interface no longer causes it to crash (T6659).
  • Address groups work correctly in Suricata IDS configs (T6624).
  • Firewall flowtable settings on virtual interfaces (such as set firewall flowtable test interface bond0.100) no longer disappear after a reboot (T5794).
  • run show log firewall * commands correctly include logs for default actions again (T6636).
  • VyOS 1.3.x configs with set system conntrack ignore rule <N> protocol 'all' options no longer cause migration errors and load correctly (T6646).
  • IP address ranges in source/destination-address options in firewall rules work correctly again (T6643).
  • set system option performance options no longer overwrite custom sysctl parameters set with set system sysctl custom ... (T3204).
  • We improved config script dependency tracking, which fixes a few priority bugs and opens up a path to many improvements (T6671).

That's all for now, but, as usual, stay tuned for updates regarding VyOS Stream and everything else!
