[email protected]:~$ generate pki wireguard key-pair file test Private key: QG039BeDoy2MXKxQwFRhYYea7B50crYvZ1RUn+N0c3A= Public key: iXVG4GSHc0O7NHgX47DhhNO/WWSTZS83/eF2z4GHYSE= File written to /config/auth/test_public.key File written to /config/auth/test_private.key
- Queries
- All Stories
- Search
- Advanced Search
- Transactions
- Transaction Logs
Feed Advanced Search
Advanced Search
Advanced Search
Sep 9 2021
Sep 9 2021
c-po moved T3817: PKI: add "import" keyword when in "configure" mode from Need Triage to Backlog on the VyOS 1.4 Sagitta board.
c-po added a comment to T3815: pki : the file command 'generate pki wireguard key-pair file' is not working.
amxj9 added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Sorry, I haven;t managed to test yet, due to some configuration migration errors leaving me unable to login. Will comment once I've confirmed though, most likely tomorrow.
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
c-po changed Why the issue appeared? from none to implementation-mistake on T3814: wireguard: commit error showing incorrect peer name from the configured name.
Thanks, I got it working now.
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
c-po moved T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Need Triage to 1.3.0-epa1 on the VyOS 1.3 Equuleus board.
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
c-po moved T3814: wireguard: commit error showing incorrect peer name from the configured name from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
Your problem is that this is not a CA certificate, it's the servers certificate.
Sep 8 2021
Sep 8 2021
Can you share your CAs public cert for testing?
Hello, Sorry, but I tried this I get "Invalid certificate on CA certificate "test"
c-po added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
A new ISO 1.4-rolling-202109081242 is currently build - you may check in 30 minutes and try if this works for you - it did in my example config.
That would only work if accept_local will be added as proper CLI node on the tunnel interface, or use set system sysctl parameter net.ipv4.conf.default.accept_local value '1'
c-po moved T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po changed the status of T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Confirmed to Needs testing.
c-po changed the status of T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Open to Confirmed.
Viacheslav updated the task description for T3813: Some custom sysctl parameters can't be applied bug.
Viacheslav moved T3786: GRE tunnel source address 0.0.0.0 error from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
amxj9 added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Certainly, here it is:
openvpn vtun0 {
authentication {
password ******
username ******
}
encryption {
cipher aes256
}
hash sha512
mode client
openvpn-option fast-io
openvpn-option "remote-cert-tls server"
openvpn-option "resolv-retry infinite"
openvpn-option "pull-filter ignore redirect-gateway"
openvpn-option "tun-mtu 1500"
openvpn-option "tun-mtu-extra 32"
openvpn-option "mssfix 1450"
openvpn-option "comp-lzo no"
openvpn-option "ping-restart 0"
openvpn-option ping-timer-rem
openvpn-option "ping 15"
openvpn-option "reneg-sec 0"
persistent-tunnel
protocol udp
remote-host xxx.xxx.xx.xxx
remote-port 1194
tls {
auth-key ****************
ca-certificate ***************
tls-version-min 1.2
}
}Sep 7 2021
Sep 7 2021
c-po added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Can you please share a version of your anonymized client configuration?
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
amxj9 added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Unfortunately not. I reverted my changes and then added:
cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write @openvpn
to /etc/security/capability.conf but got the same errors as before (I rebooted to make sure).
c-po changed Why the issue appeared? from none to design-mistake on T3807: Op Command "show interfaces wireguard" does not show the output.
c-po moved T3807: Op Command "show interfaces wireguard" does not show the output from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po moved T3807: Op Command "show interfaces wireguard" does not show the output from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T3807: Op Command "show interfaces wireguard" does not show the output from Need Triage to 1.3.0-epa1 on the VyOS 1.3 Equuleus board.
Same happens to other op-mode commands:
Viacheslav moved T1894: FRR config not loaded after daemons segfault or restart from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Viacheslav closed T1894: FRR config not loaded after daemons segfault or restart, a subtask of T3217: Save FRR configuration on each commit, as Resolved.
Fixed in T3217
Viacheslav moved T3217: Save FRR configuration on each commit from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Viacheslav moved T3217: Save FRR configuration on each commit from In Progress to Finished on the VyOS 1.4 Sagitta board.
please refer to the PKI documentation at https://docs.vyos.io/en/latest/configuration/pki/index.html or https://blog.vyos.io/pki-and-ipsec-ikev2-remote-access-vpn about how the PKI feature is used.
You don't need line like "begin|end"
For example
set pki ca openvpn_vtun10 certificate 'MIIDSzCCAjOgAwIBAgIUEtkjCVKmZCwUeYLenoznpkxMeZswQ=='
I tested it on ESXi
Sep 6 2021
Sep 6 2021
It seems some bug in KVM.
I still see this bug
VyOS 1.3.0-rc6 config
[email protected]# run show conf com | match mac set interfaces macsec macsec1 address '10.0.0.2/30' set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'f42e15acecc0c1634582bdd32429efdf' set interfaces macsec macsec1 security mka ckn '0ef5ebf77ba031e45ad270e9f80c804d500a2649789db1c87b751114f329e032' set interfaces macsec macsec1 source-interface 'eth1'
Viacheslav closed T2920: Commit crash when adding the second mGRE tunnel with the same key as Resolved.
Works as designed. Note that the MACSec interface will only change its state to u/u after a successful key-exchange.
c-po moved T3800: DHCPv6 client get incorrect mask /128 from Need Triage to In Progress on the VyOS 1.4 Sagitta board.
c-po moved T3803: Add source-address option to the ping CLI from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T3803: Add source-address option to the ping CLI from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po moved T3806: Don't set link local ipv6 address if MTU less then 1280 from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T3806: Don't set link local ipv6 address if MTU less then 1280 from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po changed the status of T3806: Don't set link local ipv6 address if MTU less then 1280 from Open to In progress.
Viacheslav added a comment to T2920: Commit crash when adding the second mGRE tunnel with the same key.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/999
Viacheslav added a project to T3806: Don't set link local ipv6 address if MTU less then 1280: VyOS 1.4 Sagitta.
c-po added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Does it work if you grand the capabilities to the openvpn group in /etc/security/capability.conf?
Required migration script to set commands to proper AFI.
Viacheslav edited projects for T3396: syslog can't be configured with an ipv6 literal destination in 1.2.x, added: VyOS 1.3 Equuleus (1.3.0-epa1); removed VyOS 1.3 Equuleus.
Viacheslav moved T3396: syslog can't be configured with an ipv6 literal destination in 1.2.x from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.
Viacheslav added a comment to T3396: syslog can't be configured with an ipv6 literal destination in 1.2.x.
PR for 1.3 https://github.com/vyos/vyos-1x/pull/998
Viacheslav moved T3431: Show version all bug from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
Viacheslav moved T3431: Show version all bug from Backport Candidates to Finished on the VyOS 1.4 Sagitta board.
Viacheslav edited projects for T3431: Show version all bug, added: VyOS 1.3 Equuleus (1.3.0-epa1); removed VyOS 1.3 Equuleus.
We tested this on 1.4-rolling-202103040218 on our router, unfortunately as this is a production device I couldn't spend long diagnosing this. After upgrading the system image the device didn't come back up (I have layer 2 connectivity to the device via a VLAN on eth1 normally). So I logged in via our serial console and did a show interfaces
Viacheslav moved T3643: show vpn ipsec sa doesn't show tunnels in "down" state from Need Triage to Finished on the VyOS 1.4 Sagitta board.
If to use modified Regex --regex \'^((eth|lan)[0-9]+|(eth)[0-9]v.+|(eno|ens|enp|enx).+)$\'
https://github.com/vyos/vyos-1x/blob/10814c4d3360598262e991e4b20768dfcde91d75/interface-definitions/interfaces-ethernet.xml.in#L17
Sep 5 2021
Sep 5 2021
syncer moved T3790: Does not possible to configure PPTP static ip-address to users from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po moved T1176: FRR - BGP replicating routes from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T2432: dhcpd: Can't create new lease file: Permission denied from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T3601: Error in ssh keys for vmware cloud-init if ssh keys is left empty. from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.