I took a look, but was unable to figure out how to finagle VyOS to fix it.

The config generator would need to be adopted https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/interface-openvpn.py and the wrapper script added. I have no time before tomorrow, sorry

And may be change nobody:nogroup to openvpn:openvpn? It's more clear, i think...

How can I help you to fix it? In this article https://community.openvpn.net/openvpn/wiki/UnprivilegedUser looks like it's not so hard...

That will be a complete rewrite, since the interface name is now readable via VYOS_TAGNODE_VALUE, that affects get_config() quite a lot and will reduce the number of code line significantly. The flip side of the coin is, that the current code was running pretty reliable, so I will release small updates while adopting to see if I break anything configure outside of my test environment.

Please test with latest rolling and not a custom build.

When the site looses connection and thus a SIGUSR21 is sent to OpenVPN to restart internally the priviledges have dropped and yes, /sbin/ip can't be called again.

Duplicate: T1628

Or may be you could tell me where I can include this commands? Also I need to setup correct owners for /config/user-data/zabbix/ dir, there is zabbix-proxy DB...

how could I show it to you? Which version have you try to update? I think simple chown in update script could fix it!
Also i think it could be compare with changing of list of users and thous IDs:
Old system list:

Hello @Merijn, do you have possibility provide logs while this issue appear and client try connect to l2tp server?
As example show log tail 100 | strip-private

Here's the sanitized dhcp-server config.

Should be fixed in next rolling release by: https://github.com/vyos/vyatta-cfg/commit/710728ee8eb6def82f9a142468960f6985dcf4e8

On my routers they are definitely missing from /config/dhcpd.leases. I have some static host mappings in the config too. I also confirmed the "on commit set shared-networkname" line is in dhcpd.conf.

Hello @hexes, do you have D-NAT rules for destination port 9786 on external ip? Can you give me advanced info how I can reproduce this?
Also you can masking config with command show ... | strip-private . I need all firewall and nat rules.
ps:/ In my test lab I can't reproduce this issue.

Hello, @jjakob . I cannot reproduce this issue on VyOS 1.2-rolling-201908311322. Can you give more details and configuration commands?
Did you use for ipv4 show dhcp server leases and for ipv6 run show dhcpv6 server leases ?

As a stopgap measure that allows old config to load, I've made the script cap it at 100:

@hagbard not a problem. Looks like we now go the "our own lib" way as pyroute2 has some flaws. DHCP is already fix and I continue improve the script and remove redundant code before it will be extended to support VLAN/bonding.

@c-po sorry was camping in a remote area without cell coverage. What's the way we go then? I'll look tomorrow, eventually Tuesday next week into the dhcp stuff.

Cherry-picked into crux.

@zsdc please follow up on this

@zsdc can you follow up on this

Thanks!!!! I'll test it once it's pulled...

@rgrant I've cherry-picked it into Crux, will be in the 1.2.3 release soon.