VyOS Platform Blog

VyOS Stream 2026.02 is available for download

Written by Daniil Baturin | February 25, 2026 12:32:59 PM Z

Hello, Community!

VyOS Stream 2026.02 is available for download now. It features multiple backports from the rolling release, including TLS support for syslog, NAT66 source groups, IPFIX support in VPP, FRR and VPP updates, and over fifty bug fixes. It also makes the VPP configuration subsystem use DPDK as the default driver for NICs that support it and fall back to XDP automatically if needed. There is no longer any need, or any option, to configure the driver by hand.

Breaking changes

Manually-assigned multicast addresses are no longer allowed (T8054)

VyOS no longer allows multicast addresses to be assigned to interfaces. Previously, something like set interfaces ethernet eth0 address 224.0.0.100/24 was a valid configuration command. Now the CLI will reject it, and configs with such addresses will fail to load.

While the Linux kernel and iproute2 allow manually assigning multicast addresses, allowing that in the VyOS CLI was an oversight: such configurations will never work for their intended purposes. For multicast traffic to actually work, hosts need to join multicast groups using IGMP.
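
A pre-upgrade check for this change, as an added example that is not part of the original post or of VyOS itself: it scans "show configuration commands" output for interface addresses that are multicast, since such configs will fail to load. Coverage of IPv6 multicast (ff00::/8), the function name and the sample config are assumptions made for illustration.

```python
import ipaddress
import re

# Address assignments at any interface depth (vif, vif-s, ...). The path may
# not contain a quote, so text inside quoted descriptions is never matched.
ADDRESS_RE = re.compile(
    r"^set interfaces (?P<path>[^']+?) address '?(?P<value>[^'\s]+)'?\s*$"
)

def find_multicast_addresses(config_commands):
    """Return (interface path, address) pairs where the address is multicast."""
    findings = []
    for line in config_commands.splitlines():
        match = ADDRESS_RE.match(line.strip())
        if not match:
            continue
        try:
            iface = ipaddress.ip_interface(match["value"])
        except ValueError:
            continue  # keywords such as dhcp or dhcpv6 are not literal addresses
        if iface.ip.is_multicast:  # 224.0.0.0/4, or ff00::/8 (assumed in scope)
            findings.append((match["path"], match["value"]))
    return findings

# Constructed sample in "show configuration commands" style, not a real router.
SAMPLE_CONFIG = """
set interfaces ethernet eth0 address '192.0.2.1/24'
set interfaces ethernet eth0 address '224.0.0.100/24'
set interfaces ethernet eth1 address 'dhcp'
set interfaces ethernet eth1 vif 10 address 'ff02::1234/64'
set interfaces loopback lo address '2001:db8::1/128'
set interfaces ethernet eth2 description 'old address 239.1.1.1'
"""

if __name__ == "__main__":
    for path, value in find_multicast_addresses(SAMPLE_CONFIG):
        print(f"interfaces {path}: multicast address {value} must be removed")
```

Run it against a saved copy of the configuration before upgrading and remove every reported address first.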

Direct upgrade from VyOS 1.3.x will no longer be supported (T8279)

We recently fixed a long-standing problem that, in some cases, could lead to config data loss if the system was powered down abruptly. Those changes had an unfortunate side effect: they break the process of copying the old configuration from old VyOS versions.

Since VyOS 1.3.x has already reached end of life, we will likely not fix that. Instead, the recommended procedure will be to upgrade to VyOS 1.4 first.

Configuration syntax changes (automatically migrated)

IPsec peer mode respond was renamed to trap (T7594)

Previously, IPsec connection mode names were initiate, respond, and none:

    # set vpn ipsec site-to-site peer SomePeer connection-type <TAB>
    Possible completions:
       initiate             Bring the connection up immediately
       respond              Wait for the peer to initiate the connection
       none                 Load the connection only

However, those names were misleading and led many people to create problematic configurations.

Internally, those names correspond to strongSwan start_action values: initiate maps to start, respond to trap, and none to none.

The real behavior of the strongSwan modes is:

  • start (initiate in the old VyOS terms) — initiate the IKE dialog with the peer immediately.
  • none — wait for IKE traffic from the peer or for a user command, do nothing otherwise.
  • trap (respond in the old VyOS terms) — respond to IKE or initiate the IKE dialog when matching traffic is detected.

The trap mode of strongSwan doesn't really fit the definition of respond, since respond implies the system will not do anything until the peer sends IKE packets. Moreover, it's unnecessary in most cases and can create duplicate SAs or connection loops.

That situation is a bit tricky to rectify because there are two types of people: those who used respond because they knew how it behaves and specifically wanted that behavior, and those who were misled by the unfortunate name and assumed that was what they had to use if they wanted VyOS to passively wait for IKE packets.

The ultimate solution is still up for discussion and your input is welcome!

For now, however, we made the minimal change and renamed respond to trap to make it clearer what it does and to match the strongSwan terminology.

If trap is what you want, you don't need to do anything — the migration script will take care of it automatically. However, if you want your system to wait until IKE packets come from a peer, you may want to set the connection type to none instead.
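
One way to audit peers before relying on the automatic migration (added example, not VyOS or strongSwan code): it maps each peer's connection-type to the start_action described above and emits the command for peers that you decide must only wait for IKE. The function name, the passive_peers parameter and the peer names are hypothetical.

```python
import re

# VyOS connection-type -> strongSwan start_action, as listed in the text above.
# "trap" is the post-upgrade name for what used to be called "respond".
START_ACTION = {"initiate": "start", "respond": "trap", "trap": "trap", "none": "none"}

PEER_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (?P<peer>\S+) "
    r"connection-type '?(?P<mode>[\w-]+)'?\s*$"
)

def audit_ipsec_peers(config_commands, passive_peers=()):
    """Return ({peer: start_action}, [commands for peers that must stay passive])."""
    report, fixes = {}, []
    for line in config_commands.splitlines():
        match = PEER_RE.match(line.strip())
        if not match:
            continue
        peer, mode = match["peer"], match["mode"]
        action = START_ACTION.get(mode, "unknown")
        report[peer] = action
        # trap also initiates IKE when matching traffic is detected, so a peer
        # that must only wait for the remote side needs "none" instead.
        if peer in passive_peers and action != "none":
            fixes.append(
                f"set vpn ipsec site-to-site peer {peer} connection-type none"
            )
    return report, fixes

# Constructed sample in "show configuration commands" style; peer names are made up.
SAMPLE_CONFIG = """
set vpn ipsec site-to-site peer BranchA connection-type 'respond'
set vpn ipsec site-to-site peer BranchA remote-address '203.0.113.10'
set vpn ipsec site-to-site peer BranchB connection-type 'initiate'
set vpn ipsec site-to-site peer BranchC connection-type 'none'
"""

if __name__ == "__main__":
    report, fixes = audit_ipsec_peers(SAMPLE_CONFIG, passive_peers={"BranchA"})
    for peer, action in report.items():
        print(f"{peer}: start_action={action}")
    print("\n".join(fixes))
```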

XDP support is removed from VPP (T8202)

Originally, users could, and had to, choose the driver for each NIC configured for use with the VPP-based accelerated data plane.

We analyzed user feedback and the situation with feature support and found that if a NIC is supported by both DPDK and XDP, then DPDK is always the better choice: if either of the two drivers has limitations compared to the other, it's always XDP, not DPDK. So at the moment the only important factor is whether a NIC is supported by DPDK or not, and many people found it annoying to always have to specify that decision.

So we removed the option and made the system use DPDK for all NICs that support it.

We may reconsider that decision if XDP develops some features not available in the DPDK driver, or if new drivers appear in the future.

Other changes

  • The outdated name "rijndael-cbc@lysator.liu.se" in SSH is automatically converted to "aes-256-cbc" (T8098).
  • VPP: Improve "nat44 no-forwarding" feature name and description in CLI (T7972).

New features and improvements

  • Adding a new bonding interface no longer causes existing interfaces to be removed and re-added (T2416).
  • Add TLS functionality for rsyslog (T4251).
  • Disable nginx software version reporting (T6734).
  • Add SRv6 locator format option (T6984).
  • Add operational mode commands for bridge spanning tree information (T7254).
  • Add warning message for unsaved changes in the dialog before initiating an upgrade (T7319).
  • SSH FIDO2 Support (T7483).
  • Add VPP IPFIX feature (T7556).
  • Upgrade FRR to 10.5 (T7664).
  • Add interrupt coalescing configuration support for Ethernet interfaces (T7730).
  • VPP: Increase allowed num-rx-desc limit for DPDK (T7876).
  • VPP add op-mode commands to show LACP (T7954).
  • VPP: Improve "nat44 no-forwarding" feature name and description in CLI (T7972).
  • Add capability to start VPP dataplane during system deployment (T7995).
  • Support kernel panic reboot during early boot (T8003).
  • accel-ppp-ng: make a VPP integration a separate plugin (T8010).
  • VPP add correct socket permissions for API (T8012).
  • Add progress indicator/streaming stdout redirect (T8018).
  • login: issue warning if TACACS or RADIUS source-address is not configured on the system (T8024).
  • Expose "send_cert always" swanctl configuration for ipsec vpn road warrior configuration (T8027).
  • Provide CLI for FRR link-params and mpls-te export (T8046).
  • Add support for MaxMind GeoIP database (T8049).
  • login: replace getpwall() based user enumeration to avoid NSS/TACACS timeouts (T8086).
  • Add a completion helper for "geoip country-code" in firewall (T8089).
  • sshd: add support for config test mode (T8090).
  • VPP: Enable ip4-dhcp-client-detect feature if interface address is configured as DHCP (T8125).
  • BGP add loc-rib feature for BMP (T8133).
  • Add support for NAT66 source groups (T8139).
  • Support captive portal identification in IPv6 router advertisements (RFC 8910) (T8140).
  • VPP: Set 'vpp-cp' option automatically if interface is in VPP (T8143).
  • IPv6 autoconfiguration does not work on PPPoE client interfaces (T8153).
  • Adds support for the MTC_S16209x driver ICs to the LCDd templates (T8206).
  • VPP: Enable ip6-icmp-ra-punt feature on interfaces with DHCPv6 address configured (T8207).

Bug fixes

  • Bridge option "isolated" disappears after reboot (T6775).
  • HTTP API upstream task timeout (504 Gateway Timeout) (T7090).
  • Interface parameters are not synchronized correctly in VPP (T7098).
  • Impossible to delete protocols under VRF (T7255).
  • isis: configuration migrator 0 -> 1 broken (T8094).
  • "show firewall" does not include logged global state policy entries (T7369).
  • Return the old scripts to generate tech-support archive (T7396).
  • The "respond" connection-type in IPSec peer settings must be renamed to "trap" (T7594).
  • OpenVPN site-to-site tunnels not working after upgrade from 1.4 due to data-ciphers incompatibility (T7633).
  • Static ARP entries are missing after an interface status change (T7731).
  • Improper OpenVPN certificates migration from 1.3 to 1.4 (T7738).
  • Operational mode command 'reset connection' is broken (T7810).
  • VPP mistakenly tries to override drivers twice (T7819).
  • Impossible to add dynamic interfaces to the firewall zone (T7849).
  • KeyError: 'model name' executing cpu info summary on arm64 (T7866).
  • VPP gets stuck when rx-queue-size is used with XDP (T7872).
  • DHCP server ping check option does not work (T7913).
  • VPP: Unexpected None interface in CGNAT when ethernet subinterface is removed from vif (T7950).
  • VPP cannot start on the first try on some "slow" platforms (T7970).
  • Remove references to OPAM in skel/.bashrc (T7992).
  • Image installer doesn't detect previous installation (T7994).
  • op-mode: "run generate pki wireguard key-pair install" returns error (T8000).
  • Commit fails removing VTI interface in IPsec config (T8001).
  • VPP logs are duplicating in systemd journal (T8011).
  • Incorrect validation of ports in VPP ACLs (T8016).
  • Virtual ethernet interfaces do not correctly check for the missing peer option (T8017).
  • Do not assign dynamic prefix assignment mode to transport-mode IPsec tunnels (T8022).
  • bond: missing validation of member interface MTU (T8023).
  • HTTPS API for /generate not working properly for wireguard interface (T8026).
  • VPP: Verify driver is not executed if vpp already enabled for this nic (T8030).
  • Use a smarter file comparison in boolean test unsaved_commits() (T8031).
  • vrf: deleting one out of two VRFs with static routes throws KeyError (T8034).
  • Commit errors on removing VPP NAT44 rules (T8036).
  • snmp: trap target broken with SNMPv3 (T8039).
  • VyOS allows multicast addresses to be assigned to interfaces (T8054).
  • Syslog remote ports from node names are not migrated to the new syntax correctly (T8059).
  • "renew dhcpv6" does not work with prefix delegation (T8078).
  • VPP: configuration commit fail causes interface state corruption (T8080).
  • VPP fails to start with buffers page-size 1G (T8082).
  • Unhandled exception when setting up bonding interface on AWS (T8084).
  • VPP: Fix op mode commands which use unsupported in circinus (T8137).
  • Modifying firewall groups does not update dependent NAT66 nft rules (T8138).
  • Configuring non-existent Ethernet interface causes an unhandled exception (T8142).
  • LUKS encryption passphrase is visible during input (T8145).
  • Confirm the key when config encryption is configured without TPM (T8146).
  • "monitor traffic" fails with an unhandled exception on Ctrl-C (T8154).
  • ISIS: lsp-refresh-interval does not accept higher value other than default 900 (T8158).
  • vrf: prevent deletion if instance referenced in PBR (T8169).
  • VPP: 'show vpp ipfix' unhandled exception when vpp is not enabled (T8170).
  • VPP: Fix smoke test for sflow for new VPP version 25.10 (T8226).
  • Add missing, explicit runtime dependency on python3-systemd (T8237).

Other resolved issues

  • Refactor and improve geoip handling (T7926).
  • Consolidate container run arguments (T7982).
  • Remove operational mode commands for viewing route cache (T7998).
  • Remove the last remnants of pmacct (T8008).
  • xml: cleanup double CLI properties in NAT (T8038).
  • Remove the legacy Perl script for printing node priority data (T8041).
  • Mark Salt minion deprecated (T8056).
  • BP not work "Login: issue warning if TACACS or RADIUS source-address is not configured on the system" (T8063).
  • Smoketests: reorganize folder structure for embedded config tests (T8087).
  • Normalize operational mode command names that use capital letters (T8096).
  • Add smoketest for Kernel kexec and ARM Marvell CN9130 options (T8108).
  • get_config_dict() whould not always contain an empty pki node (T8124).
  • Make vyos-smoketest more user-friendly (T8171).
  • Remove the option to manually select XDP as VPP driver (T8202).
  • Fix salt-minion smoketest after package rebuild (T8248).

Download

You can also find the links in the download section of the community website.