Trying to upgrade from 202010280217 to 202012060217 I get a config migration error related to the protocol udp4 line on the OpenVPN config.
Here are my OpenVPN config commands:
set interfaces openvpn vtun10 encryption cipher 'aes256gcm'
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes128gcm'
set interfaces openvpn vtun10 hash 'sha256'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 openvpn-option '--persist-key'
set interfaces openvpn vtun10 openvpn-option '--passtos'
set interfaces openvpn vtun10 openvpn-option '--key-direction 1'
set interfaces openvpn vtun10 openvpn-option '--resolv-retry infinite'
set interfaces openvpn vtun10 openvpn-option '--proto udp4'
set interfaces openvpn vtun10 openvpn-option '--pull-filter ignore redirect-gateway'
set interfaces openvpn vtun10 openvpn-option '--route 10.0.0.0 255.255.0.0'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp4'
set interfaces openvpn vtun10 remote-host 'vpnserver.example.com'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls auth-file '/config/auth/my-tls.key'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/my-ca.pem'
set interfaces openvpn vtun10 tls cert-file '/config/auth/my-cert.pem'
set interfaces openvpn vtun10 tls key-file '/config/auth/my-key.pem'
The error is the following:
Traceback (most recent call last):
  File "/usr/libexec/vyos/vyos-boot-config-loader.py", line 143, in <module>
    commit_out = session.commit()
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 164, in commit
    out = self.__run_command([COMMIT])
  File "/usr/lib/python3/dist-packages/vyos/configsession.py", line 136, in __run_command
    raise ConfigSessionError(output)
vyos.configsession.ConfigSessionError: [ interfaces openvpn vtun10 protocol udp4 ]
Invalid value
[[interfaces openvpn vtun10]] failed
Commit failed
set interfaces openvpn vtun10 protocol 'udp4' was accepted as valid on 202010280217 but it's not on 202012060217.
After removing the protocol line (I already have that config within the "openvpn-option"), the config is migrated successfully, but it is not working.
Checking the openvpn logs I see an error related to the ncp-ciphers parameter:
Unsupported cipher in --ncp-ciphers: aes128gcm
set interfaces openvpn vtun10 encryption ncp-ciphers 'aes128gcm' is still valid on 202012060217 but isn't actually working.
Removing set interfaces openvpn vtun10 encryption ncp-ciphers 'aes128gcm' from the config allows the connection to be established (but at the cost of losing the ncp-ciphers specification).