Hello, Community!
Summer is over now, and many people are returning to their routines. Check out what we've done in the last month of the summer: that includes a few small config syntax changes, multiple improvements in OpenVPN, an API endpoint for importing PKI objects, and a whole bunch of bug fixes!
In the past month, we made some configuration syntax changes — they are forward-compatible and come with migration scripts, so your old configs will load without any issues.
The old command `set service dhcpv6-server shared-network-name <name> common-options ...` is now `set service dhcpv6-server shared-network-name <name> option ...` and supports all options previously only available at the subnet level.
Originally, the IPoE server would always enable VLAN auto-creation when the user configured a VLAN range with a command like `set service ipoe-server interface eth1 vlan '5-20'`.
However, that behavior is not always desirable. Sometimes administrators only want the server to listen on a range of VLANs, but not create them automatically.
Now VLAN auto-creation is disabled by default and can be enabled with the new `vlan-mon` option.

```
set service ipoe-server interface eth1 vlan '5-20'
set service ipoe-server interface eth1 vlan-mon
```
We used the same option name as in the config of accel-ppp — the backend of our IPoE server and probably the most common implementation of that technology. However, we have a concern that `vlan-mon` may be a confusing name for people who haven't used accel-ppp before. Let us know if you think the name is misleading and needs to be changed!
- `set service router-advert interface <intf> no-send-advert` forces the router to omit the Advertisement Interval option from RA packets as a workaround for clients that cannot process that option correctly (T6681).
- There is now a `show interfaces macsec detail` command (T6668).
- `set firewall global-options apply-for-bridge <ipv4|ipv6>` controls whether L3 firewall rulesets are invoked for bridged traffic (the `net.bridge.bridge-nf-call-iptables` sysctl option) (T6570).

The command to set the OpenVPN IP protocol version is `set interfaces openvpn <intf> ip-version <auto|ipv4|ipv6|dual-stack>`. The meanings are as follows:

- `auto` — determine the protocol version from the `local-host` and `remote-host` address versions.
- `ipv4` and `ipv6` — use only IPv4 or IPv6, unconditionally.
- `dual-stack` — accept client connections over both IPv4 and IPv6 (only supported in server mode).

This change also fixes the issue with OpenVPN failing to start when it's configured in client mode with an IPv6 `remote-host`.
VyOS now supports OpenVPN server bridge mode, in which the server only hands out addresses and settings to clients but otherwise acts like a switch and does not try to route any packets. If you set up OpenVPN in that mode, you can add it to a bridge with some physical interfaces to let OpenVPN clients communicate with those physical networks transparently.

```
set interfaces bridge br0 member interface eth2
set interfaces bridge br0 member interface vtun10
set interfaces openvpn vtun10 mode 'server'
set interfaces openvpn vtun10 server bridge gateway '10.10.0.1'
set interfaces openvpn vtun10 server bridge start '10.10.0.100'
set interfaces openvpn vtun10 server bridge stop '10.10.0.200'
set interfaces openvpn vtun10 server bridge subnet-mask '255.255.255.0'
```
There is now an API endpoint for importing PKI objects such as certificates and keys. For example:
```
vyos@vyos# curl -k --location --request POST 'https://localhost/import-pki' --form data='{"op": "import-pki", "path": ["pki", "ca", "test", "key-file", "/config/auth/test.key"], "passphrase": ""}' --form key='my-api-key'
{"success": true, "data": "1 value(s) installed.", "error": null}
[edit]
```
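The same import-pki call from a script, as an added example that is not part of the post or the VyOS project: it sends the `data` and `key` form fields shown above but verifies the router's TLS certificate instead of using `-k` and takes the API key from the environment. The hostname `vyos.example.net`, the CA bundle path and the `VYOS_API_KEY` variable are assumptions.

```python
"""Import a PKI object through the VyOS HTTP API (added example, not VyOS project code).

Same request as the curl call above, with two deliberate differences: the router's TLS
certificate is verified against a CA bundle instead of skipped with `-k`, and the API key
comes from the environment instead of the command line."""
import json
import os
import ssl
import urllib.request
import uuid

def build_import_pki_request(path, passphrase=""):
    """JSON document for the `data` form field. `path` is the config path of the
    object; the file path inside it refers to the router's own filesystem."""
    return {"op": "import-pki", "path": list(path), "passphrase": passphrase}

def encode_multipart(fields, boundary):
    """Encode text fields as multipart/form-data, as `curl --form` does."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields.items()
    ]
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode()

def parse_api_response(body):
    """Return the `data` string on success; raise on an API-level error so a
    failed import is never silently treated as success."""
    resp = json.loads(body)
    if not resp.get("success"):
        raise RuntimeError(f"import-pki failed: {resp.get('error')}")
    return resp["data"]

def import_pki(base_url, path, api_key, cafile, passphrase=""):
    """POST the import request (fields `data` and `key`) and return the API's data string."""
    boundary = uuid.uuid4().hex
    fields = {"data": json.dumps(build_import_pki_request(path, passphrase)), "key": api_key}
    req = urllib.request.Request(base_url + "/import-pki",
                                 data=encode_multipart(fields, boundary), method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    ctx = ssl.create_default_context(cafile=cafile)  # verify the router's certificate
    with urllib.request.urlopen(req, context=ctx) as r:
        return parse_api_response(r.read().decode())

if __name__ == "__main__":  # hostname, CA bundle path and env var name are assumptions
    print(import_pki("https://vyos.example.net",
                     ["pki", "ca", "test", "key-file", "/config/auth/test.key"],
                     os.environ["VYOS_API_KEY"], "/etc/ssl/certs/vyos-router-ca.pem"))
```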
- `run show ntp` commands now work correctly when the NTP process is running in a VRF (T6561).
- `set system option ssh-client source-interface` commands work correctly again and no longer cause an unhandled exception (T6672).
- `run generate pki *` commands now correctly enforce the two-character country code length (T3961).
- Flowtable entries for VLAN interfaces (such as `set firewall flowtable test interface bond0.100`) no longer disappear after a reboot (T5794).
- `run show log firewall *` commands correctly include logs for default actions again (T6636).
- `set system conntrack ignore rule <N> protocol 'all'` options no longer cause migration errors and load correctly (T6646).
- `source/destination-address` options in firewall rules work correctly again (T6643).
- `set system option performance` options no longer overwrite custom sysctl parameters set with `set system sysctl custom ...` (T3204).

That's all for now, but, as usual, stay tuned for updates regarding VyOS Stream and everything else!