VyOS Networks Blog

Building an open source network OS for the people, together.

VyOS Stream 1.5-2025-Q2 is available for download

Daniil Baturin
Posted 11 Jul, 2025

Hello, Community!

VyOS Stream 1.5-2025-Q2 and its corresponding source tarball are now available for download. This is the second VyOS Stream release on the way to the upcoming VyOS 1.5 LTS, and it includes multiple bug fixes and improvements, among them the new implementation of WAN load balancing, a general mechanism for allowing conntrack-unfriendly protocols in transparent bridge firewalls, a fix for CVE-2025-30095 (active MitM in console server SSH connections) that was already delivered in VyOS 1.4.2, and more.

Highlights

Console server SSH key reuse vulnerability (CVE-2025-30095)

The vulnerability that Morgan Jones of Viasat reported was already fixed in VyOS 1.4.2, but now the fix is included in 1.5 Stream as well. That vulnerability was caused by an unintended interaction between live-build (the ISO image build tool) and the Dropbear packaging that caused all systems deployed from the same image to have the same private key and thus made console server connections (but not system SSH connections) vulnerable to active man-in-the-middle attacks.
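A shared host key is easy to audit for after the fact: collect the host key each device presents on its console server endpoint (for example with ssh-keyscan), compute OpenSSH-style SHA256 fingerprints, and report any fingerprint that appears on more than one host. The script below is an added example written for this post, not VyOS code; the hostnames and the key blobs are constructed (the blobs are fixed bytes wrapped in a valid ssh-ed25519 encoding), and two hosts deliberately share one blob so the check has something to find.

```python
import base64
import hashlib
from collections import defaultdict


def _fake_ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from fixed bytes.
    Constructed test data only; this is not key material from any real device."""
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + (seed * 32)[:32]
    return base64.b64encode(raw).decode()


# Constructed ssh-keyscan style inventory: "<host> <key-type> <base64-blob>".
# console-a and console-c deliberately present the same key; hostnames are placeholders.
SAMPLE_KEYSCAN = "\n".join([
    "# constructed inventory of console server host keys",
    "console-a.example.net ssh-ed25519 " + _fake_ed25519_blob(b"A"),
    "console-b.example.net ssh-ed25519 " + _fake_ed25519_blob(b"B"),
    "console-c.example.net ssh-ed25519 " + _fake_ed25519_blob(b"A"),
    "",
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, key_type, blob) from keyscan-style output, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"unexpected keyscan line: {line!r}")
        yield fields[0], fields[1], fields[2]


def find_shared_keys(text: str) -> dict:
    """Return {fingerprint: [hosts...]} for every host key presented by more than one
    host. A non-empty result is the condition the advisory describes: several systems
    deployed from one image all presenting the same private key's public half."""
    hosts_by_fp = defaultdict(set)
    for host, _key_type, blob in parse_keyscan(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by: {', '.join(hosts)}")
```

Feed the concatenated keyscan output of a fleet to find_shared_keys; any fingerprint it returns identifies systems that still present a key baked into a shared image and should be upgraded and have that key replaced.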

“Invalid” connections on bridge firewalls

VyOS supports transparent traffic filtering on bridge interfaces, which you can enable with set firewall global-options apply-to-bridged-traffic. One tricky aspect of that feature is the interaction with Linux connection tracking: many protocols do not constitute valid “connections” from conntrack's point of view, so their packets are assigned the “invalid” state, which is usually filtered out. To deal with that problem, we first started adding hardcoded exceptions for known protocols under the catch-all option invalid-connections. The list kept growing, and people kept reporting new protocols, so we decided that the right approach was to make that protocol list configurable. Now you can specify protocols to unconditionally accept in bridged traffic:

set firewall global-options apply-to-bridged-traffic accept-invalid ethernet-type dhcp
set firewall global-options apply-to-bridged-traffic accept-invalid ethernet-type arp
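To see why the exception list is needed, here is a small Python model of a conntrack-backed bridge filter. It is an added illustration for this post, not VyOS's nftables ruleset: non-IP frames (ARP, PPPoE discovery, Wake-on-LAN) give conntrack nothing to track and come out as “invalid”, and an unconditional ethertype accept list evaluated before the conntrack check is what keeps them flowing. The ethertype numbers are the IEEE assignments; the short names, the Frame type and the sample flows are the example's own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# IEEE-assigned ethertype values; the short names are this example's own labels.
ETHERTYPE = {
    "ipv4": 0x0800,
    "arp": 0x0806,
    "wake-on-lan": 0x0842,
    "ipv6": 0x86DD,
    "pppoe-discovery": 0x8863,
}
IP_ETHERTYPES = {ETHERTYPE["ipv4"], ETHERTYPE["ipv6"]}


@dataclass
class Frame:
    ethertype: int
    # (src, dst, l4 protocol) for IP frames; conntrack has nothing to track otherwise
    flow: Optional[Tuple[str, str, str]] = None
    tcp_syn: bool = False


class BridgeFilter:
    """Toy model of a conntrack-backed transparent bridge filter.

    The ethertype accept list is evaluated before conntrack state, which is the
    shape of the fix: listed protocols never reach the 'ct state invalid' drop.
    """

    def __init__(self, accept_invalid_ethertypes=()):
        self.accept_invalid = set(accept_invalid_ethertypes)
        self.table = set()  # flows conntrack currently knows about

    def ct_state(self, frame: Frame) -> str:
        if frame.ethertype not in IP_ETHERTYPES or frame.flow is None:
            return "invalid"  # ARP, PPPoE discovery, WoL: no flow to track
        if frame.flow in self.table:
            return "established"
        if frame.flow[2] == "tcp" and not frame.tcp_syn:
            return "invalid"  # mid-stream TCP segment with no known flow
        self.table.add(frame.flow)
        return "new"

    def verdict(self, frame: Frame) -> str:
        if frame.ethertype in self.accept_invalid:
            return "accept"  # unconditional, before conntrack is consulted
        if self.ct_state(frame) == "invalid":
            return "drop"
        return "accept"  # new/established traffic continues to the rule set


def demo() -> dict:
    """Run the same constructed frames through a filter with and without the exception list."""
    frames = {
        "arp": Frame(ETHERTYPE["arp"]),
        "pppoe-discovery": Frame(ETHERTYPE["pppoe-discovery"]),
        "tcp-syn": Frame(ETHERTYPE["ipv4"], ("192.0.2.10", "192.0.2.20", "tcp"), tcp_syn=True),
        "tcp-ack-unknown": Frame(ETHERTYPE["ipv4"], ("192.0.2.99", "192.0.2.20", "tcp")),
    }
    strict = BridgeFilter()
    relaxed = BridgeFilter({ETHERTYPE["arp"], ETHERTYPE["pppoe-discovery"]})
    return {
        "without-accept-invalid": {n: strict.verdict(f) for n, f in frames.items()},
        "with-accept-invalid": {n: relaxed.verdict(f) for n, f in frames.items()},
    }


if __name__ == "__main__":
    for scenario, verdicts in demo().items():
        print(scenario, verdicts)
```

The model keeps the invalid-state drop for IP traffic: a TCP segment that belongs to no known flow is still dropped in both scenarios, so the exception list widens the filter only for the protocols you name.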

New WAN load balancing implementation

WAN load balancing remained one of the few legacy components from the Vyatta Core days. We had multiple bug reports and feature requests that we simply could not implement because the legacy code was flawed and difficult to modify or extend, so we had to rewrite it from scratch. We have had our own implementation in rolling release for a while, and we plan to include it in VyOS 1.5, so now it is available in the Q2 Stream. Its internals are completely different, but the CLI remains mostly compatible with the original. For a simple example:

set load-balancing wan interface-health eth0 nexthop 'dhcp'
set load-balancing wan interface-health eth1 nexthop 'dhcp'
set load-balancing wan rule 1 inbound-interface 'eth2'
set load-balancing wan rule 1 interface eth0
set load-balancing wan rule 1 interface eth1

Please check out the documentation, try it out, and let us know if you find any issues!

VyOS now requires at least 2GB of free space for image updates

VyOS previously did not check if there was enough space on the system partition to perform an image upgrade with add system image. That was fine for most systems, but if the system was really short of space, such an upgrade could break the system completely (T6144). Now, VyOS will refuse to attempt an upgrade if there is less than 2GB of space available, to prevent that.

If your system becomes impossible to upgrade due to this behavior change, add more drive space or remove some old images.

Changelog

Configuration syntax changes (automatically migrated)

  • Rewrite load-balancing WAN to XML/Python (T4470).
  • Make REST API and GraphQL API configuration options distinct nodes (T6736).
  • Separate interface and VRF options in firewall zone configuration (T6841).
  • Add a configuration command for ethertypes that bridge firewalls should always accept (T6951).

New features and improvements

  • Make an API endpoint for anonymous host info retrieval (e.g. by a login page) (T4406).
  • Rewrite load-balancing WAN to XML/Python (T4470).
  • Add capability to use local and external dynamic-lists for firewall rules but also for various policies such as access-list, route-maps etc. (T5493).
  • Add GeoIP matching support for policy route (T5636).
  • Add CLI and configuration scripts for stunnel (T5735).
  • HTTPS API ability to import PKI certificates (T5743).
  • Add support for SSH certificate configuration (T6013).
  • Allow larger table IDs in policy route (T6430).
  • Allow creation of wireguard interfaces without requiring peers (T6490).
  • dhcpv6-server: common-options does not support all DHCP options (T6648).
  • Add support for NAT66 destination groups (T6679).
  • Machine-readable operational mode support for traceroute (T6695).
  • Separate interface and VRF options in firewall zone configuration (T6841).
  • Add op mode command "show dhcpv6 server statistics" (T6852).
  • Allow setting name server for containers (T6927).
  • blackbox_exporter for probing endpoints (T6949).
  • Add a configuration command for ethertypes that bridge firewalls should always accept (T6951).
  • node_exporter textfile collector option (T6994).
  • Improve firewall remote-group op-mode output with details from nftables (T7314).
  • VPN IPsec add the ability to exclude IPv6 traffic selectors for VTI interfaces (T7343).
  • Add FRR ip import-table x feature to import routes from non-main kernel table (T7349).
  • Image update: confirm image name is available before accepting (T7359).
  • containers: Allow privileged option (T7412).
  • Add root-guard and bpdu-guard option to bridge interfaces (T7430).
  • Extend HTTP API load/merge request to allow passing config in body (T7498).
  • Add FRR no-ipv6-auto-ra option (T7531).

Bug fixes

  • WAN load-balancing exclude rules break PBR (T4452).
  • Ability to set host part IPv6 address via interface ip token (T4627).
  • PKI import OpenVPN shared key includes unexpected BEGIN and END (T5744).
  • static-route option breaks DHCP server (T6031).
  • dhcp6c@pppoe0.service cannot stop gracefully when VyOS shutdowns (T6113).
  • Update system image without enough space for the files can break the system (T6144).
  • no-default-route not being honoured (T6253).
  • Specific error is not returned via the HTTP API during a configuration failure. (T6326).
  • Missing completion for `show firewall <ipv4|ipv6> name <name> rule` commands (T6581).
  • configd should report exceptions uncaught by conf_mode scripts as commit error (T6608).
  • System CA Not Updated with Configuration (T6809).
  • PPPoE traffic is classified as invalid (T6918).
  • DHCP records out of sync with vyos hostd state after system restart (T6948).
  • Issue with Configuration Migration from VyOS 1.3.8 to 1.4.1 (T6968).
  • Allow configuring IPoE servers without a client IP pool if DHCP relay is used (T6997).
  • show dhcp server leases index out of range error (T7041).
  • Boot Failure After Installation of VyOS Nightly Build on raid (vyos-1.5-rolling-202501060800-generic-amd64) (T7049).
  • OpenVPN error : Unable to bind the tunnel interface to bridge if misconfigured first (T7056).
  • vyos-netplug-dhcp-client requires Config instead of ConfigTreeQuery (T7182).
  • WLB configuration not migrated from 1.5-rolling-202408210022 (T7196).
  • NAT checking translation address is an expensive operation (T7237).
  • syslog: typos in rsyslog.conf (T7270).
  • op-mode: not all groups are displayed correctly with `show firewall groups` (T7282).
  • VPN Openconnect does not check dictionary key server with authentication mode RADIUS (T7287).
  • syslog: duplicate kernel log entries (T7311).
  • Need commit validation for interfaces when mtu configured below 1280 (T7316).
  • kea_get_domain_from_subnet_id returning incorrect domain name (T7324).
  • wifi: mac80211_hwsim kernel module no longer supports VLAN interfaces in smoketests (T7325).
  • grub: "system option kernel" options are not honored after image upgrade (T7327).
  • FQDN resolver uses IPv4 cache for failed IPv6 resolution (T7333).
  • Haproxy mistake URL instead of the PATH in the description redirect-location (T7335).
  • netplug: PermissionError on fast interface changes (T7346).
  • Do not allow deleting interfaces referenced in flowtables (T7350).
  • netplug: behavior change 1.3.8 -> 1.4 when interface with DHCP address loses carrier (T7353).
  • netplug: DHCPv6 address is not cleared when interface is going to operational down (T7360).
  • Route reflector client check not working for peer-group (T7364).
  • syslog: ensure rsyslog is registered as default systemd syslog service (T7367).
  • IPv6 assigned address using SLAAC is not cleared when SLAAC is deconfigured (T7375).
  • Invalid sysctl configuration during startup causes IPv6 default route to be installed for DHCPv6 only interface (T7379).
  • Router advertisement duplicate prefix safeguard (T7389).
  • Image upgrade fails when the "system option kernel" subtree is empty (T7394).
  • smoketest: fix unbound variable issue when checking for VXLAN remote and group error (T7400).
  • smoketest: TypeError: VyOSUnitTestSHIM.TestCase.getFRRconfig() got an unexpected keyword argument 'substring' (T7401).
  • QoS match TCP ACK not working (T7415).
  • reboot/shutdown: unable to log in during the 5 minutes prior to a planned reboot/shutdown time (T7443).
  • CoA is not applied to Accel-PPP services (T7463).
  • Bonding interface mode allows malformed variations of 802.3ad (T7466).
  • IPoE: Add stricter validation for giaddr if dhcp-relay is configured (T7472).
  • 'show/monitor log container' fails when 'log-driver journald' enabled (T7473).
  • Modem connection code doesn't work (T7492).
  • Remove unnecessary PAT for docker image rebuild (T7501).
  • Table 254 is a default table and must not be used for VRF (T7506).
  • OSPF NSSA translation error (T7510).
  • Unable to apply OpenConnect RADIUS accounting settings (T7511).
  • Zone-based firewalls fails on VLAN aware bridges (T7512).
  • Smoketest QoS limiter fails (T7514).
  • PPPoE Discovery and Wake-on-LAN Traffic marked invalid on bridge interfaces (T7523).
  • Container sysctl parameters with values containing spaces cause error (T7532).
  • wwan: extend smoketests to cover WWAN driver option and hwsim (T7539).
  • WAN load balancing information is not shown immediately after startup (T7567).
  • pki: TypeError: argument of type 'NoneType' is not iterable when HAProxy is not in use (T7573).
  • Trying to create a VRF named "vni" leads to an unhandled exception (T7544).
  • Fix uuidgen warning if DMI doesn't have product_serial or it is empty (T7587).
  • "show wan-load-balance" command is broken (T7622).

Other resolved issues

  • Upgrade Kea to 2.4.x (T5840).
  • Use a single style for all Python code (T6583).
  • Add a distinct exception for unconfigured objects to vyos.opmode (T6586).
  • Allow using list_nodes on paths that do not exist (T6620).
  • Make REST API and GraphQL API distinct nodes (T6736).
  • Drop requirement of importing script in build time test test_configd_inspect.py (T7042).
  • Refactor kea dhcp op-mode functions to helper functions in vyos.kea (T7052).
  • Display the non-production banner depending on the build type (T7159).
  • Addition and deletion of allowed-vlans on a bridge member is slow (T7322).
  • Stop ANSI bold on tty when booting the system (T7356).
  • Change the completion helper for CoA port configuration (T7471).
  • Delete the "run show login level" command (T7538).
  • Remove copyright years from source files (T7591).