Feed All Stories

Sep 12 2019

runar triaged T1655: equuleus: buster: arm: vyos-accel-ppp build failes because of filename hardcoded as x86_64 in debian/rules as Normal priority.
Sep 12 2019, 7:56 AM · VyOS 1.3 Equuleus (1.3.0)
c-po added a parent task for T1466: Add EAPOL login support: T1637: Rewrite ethernet interface in new style XML syntax.
Sep 12 2019, 6:44 AM · VyOS 1.3 Equuleus (1.3.0)
c-po added a subtask for T1637: Rewrite ethernet interface in new style XML syntax: T1466: Add EAPOL login support.
Sep 12 2019, 6:44 AM · VyOS 1.3 Equuleus (1.3.0)
mario added a comment to T534: VPN/IPSEC/BGP/DPD - unknown bug, tunnel and interfaces up, but no traffic.

No, we don't use vyos in production any more, so I can't tell.

Sep 12 2019, 6:34 AM · Rejected
MarcSim closed T1545: IPSEC vti issue as Resolved.

We have opened a ticket on VyOS support, and they have found the solution.
We had to add this configuration:

Sep 12 2019, 5:37 AM · VyOS 1.3 Equuleus (1.3.0)
syncer triaged T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration as Low priority.
Sep 12 2019, 4:31 AM · VyOS 1.3 Equuleus (1.3.0)
syncer moved T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.4) board.
Sep 12 2019, 4:30 AM · VyOS 1.3 Equuleus (1.3.0)
syncer moved T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration from Need Triage to In Progress on the VyOS 1.3 Equuleus board.
Sep 12 2019, 4:30 AM · VyOS 1.3 Equuleus (1.3.0)
syncer edited projects for T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration, added: VyOS 1.3 Equuleus, VyOS 1.2 Crux (VyOS 1.2.4); removed VyOS 1.2 Crux.
Sep 12 2019, 4:28 AM · VyOS 1.3 Equuleus (1.3.0)

Sep 11 2019

dmbaturin renamed T1460: "show firewall ...." doesn't support counters with more than eight digits from "show firewall ...." does not show information correctly in specific cases to "show firewall ...." doesn't support counters with more than eight digits.
Sep 11 2019, 10:34 PM · VyOS 1.2 Crux (VyOS 1.2.3)
dmbaturin renamed T1362: Incorrect handling of special characters in VRRP passwords from VRRP Auth Password Is Not Sanitized - to Incorrect handling of special characters in VRRP passwords.
Sep 11 2019, 10:31 PM · VyOS 1.2 Crux (VyOS 1.2.3)
hagbard added a comment to T1040: rc.local is executed too early.

@rcit Is that still a relevant issue?

Sep 11 2019, 10:29 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
hagbard closed T1652: vyos-xe-guestutilities sync upstream as Wontfix.

nothing added we would need.

Sep 11 2019, 10:27 PM · VyOS 1.3 Equuleus (1.3.0)
dmbaturin changed the status of T1642: BGP configuration error when using remove-private-as from Open to Needs testing.
Sep 11 2019, 10:11 PM · VyOS 1.2 Crux (VyOS 1.2.3)
drac added a comment to T834: New L2TP server implementation based on accel-ppp.

I have been trying this new feature out.

  1. I had configured an MTU value and I had some sessions connected. I realised I had set it incorrectly, so I modified it to the correct value. On commit I received an error (sorry I don't have it at present) but to the extent that accel-pppd was not running on localhost:2004.

I had to reboot the router to get it working again.

Sep 11 2019, 9:35 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
hagbard changed the status of T770: Bonded interfaces get updated with incorrect hw-id in config. from Confirmed to In progress.
Sep 11 2019, 5:16 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
isithran awarded T31: Add VRF support a Like token.
Sep 11 2019, 4:34 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
Unknown Object (User) added a comment to T1545: IPSEC vti issue.

Hello, @MarcSim. I want to reproduce your issue in the lab. Can you provide your ipsec configuration from the Central VyOS and one of the sites?

show configuration commands | match ipsec | strip-private
Sep 11 2019, 4:09 PM · VyOS 1.3 Equuleus (1.3.0)
zsdc changed the status of T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration from Open to Confirmed.
Sep 11 2019, 4:07 PM · VyOS 1.3 Equuleus (1.3.0)
zsdc created T1654: sFlow: multiple "sflow server" not work, and "disable-imt" could break configuration.
Sep 11 2019, 4:06 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard added a comment to T1600: Convert 'ping' operation from vyatta-op to new syntax.

@alkersan I think you need to create the link via Makefile in vyos-1x. At least I don't know of any possibility doing that within the xml.

Sep 11 2019, 3:24 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard added a comment to T534: VPN/IPSEC/BGP/DPD - unknown bug, tunnel and interfaces up, but no traffic.

Thanks for your response, did you test a newer image already? There was a lot of work done meanwhile.

Sep 11 2019, 2:56 PM · Rejected
mario added a comment to T534: VPN/IPSEC/BGP/DPD - unknown bug, tunnel and interfaces up, but no traffic.

Tried with the first version 1.2, problem was still present. After that, decided to get us a physical router/fw because ipsec would stop without any obvious reason.
It was a long time ago, almost year and a half...

Sep 11 2019, 6:54 AM · Rejected

Sep 10 2019

hagbard triaged T1652: vyos-xe-guestutilities sync upstream as Low priority.
Sep 10 2019, 10:46 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard claimed T1652: vyos-xe-guestutilities sync upstream.
Sep 10 2019, 10:32 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard created T1652: vyos-xe-guestutilities sync upstream.
Sep 10 2019, 10:31 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard moved T1597: /usr/sbin/rsyslogd after deleting "system syslog" from Need Triage to In Progress on the VyOS 1.3 Equuleus board.
Sep 10 2019, 10:12 PM · VyOS 1.2 Crux (VyOS 1.2.4)
hagbard moved T1597: /usr/sbin/rsyslogd after deleting "system syslog" from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.4) board.
Sep 10 2019, 10:12 PM · VyOS 1.2 Crux (VyOS 1.2.4)
hagbard claimed T534: VPN/IPSEC/BGP/DPD - unknown bug, tunnel and interfaces up, but no traffic.

@mario Did you manage to upgrade to 1.2 and if so, do you still have that issue?

Sep 10 2019, 10:05 PM · Rejected
hagbard changed the status of T1597: /usr/sbin/rsyslogd after deleting "system syslog" from Open to Needs testing.

https://github.com/vyos/vyos-1x/commit/d34fd745438951d55c5c4899b2b3c7bfa5d08026

Sep 10 2019, 9:59 PM · VyOS 1.2 Crux (VyOS 1.2.4)
hagbard claimed T1597: /usr/sbin/rsyslogd after deleting "system syslog".
Sep 10 2019, 9:26 PM · VyOS 1.2 Crux (VyOS 1.2.4)
hagbard changed the status of T1395: Improve boot time for instances with a big count of DHCP servers from In progress to On hold.
Sep 10 2019, 9:02 PM · VyOS 1.3 Equuleus (1.3.7)
hagbard added a comment to T1572: Wireguard keyPair per interface.

https://downloads.vyos.io/rolling/current/amd64/vyos-1.2-rolling-201909102147-amd64.iso or later

Sep 10 2019, 8:59 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard closed T1649: feature documentation different keypairs per interface as Resolved.

https://vyos.readthedocs.io/en/latest/vpn/wireguard.html

Sep 10 2019, 7:45 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard closed T1649: feature documentation different keypairs per interface , a subtask of T1572: Wireguard keyPair per interface, as Resolved.
Sep 10 2019, 7:45 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard closed T1650: implement wireguard default key removal, a subtask of T1572: Wireguard keyPair per interface, as Resolved.
Sep 10 2019, 6:44 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard closed T1650: implement wireguard default key removal as Resolved.

https://github.com/vyos/vyos-1x/commit/db07e6fa76d90eaf80a06729753fb89266437674

Sep 10 2019, 6:44 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1650: implement wireguard default key removal, a subtask of T1572: Wireguard keyPair per interface, from Open to In progress.
Sep 10 2019, 6:12 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1650: implement wireguard default key removal from Open to In progress.
Sep 10 2019, 6:12 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard claimed T1650: implement wireguard default key removal.
Sep 10 2019, 5:59 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard created T1650: implement wireguard default key removal.
Sep 10 2019, 5:59 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1649: feature documentation different keypairs per interface , a subtask of T1572: Wireguard keyPair per interface, from Open to In progress.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1649: feature documentation different keypairs per interface from Open to In progress.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard closed T1648: add cli command 'delete wireguard named-key <key>', a subtask of T1572: Wireguard keyPair per interface, as Resolved.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard closed T1648: add cli command 'delete wireguard named-key <key>' as Resolved.
Sep 10 2019, 5:33 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1572: Wireguard keyPair per interface from In progress to Needs testing.

https://github.com/vyos/vyos-1x/commit/1017c8103f12ebd6db4f250d8a154571fff32db1
Will be available in tomorrow's rolling release for testing. Documentation is underway.

Sep 10 2019, 5:32 PM · VyOS 1.3 Equuleus (1.3.0)
c-po added a comment to T1648: add cli command 'delete wireguard named-key <key>'.

Why can I not delete the default key? If I want to drop WireGuard on a device I also want to remove that key.

Sep 10 2019, 5:30 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1648: add cli command 'delete wireguard named-key <key>', a subtask of T1572: Wireguard keyPair per interface, from Open to In progress.
Sep 10 2019, 5:16 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1648: add cli command 'delete wireguard named-key <key>' from Open to In progress.

The default keys can only be overwritten, named-keys can be removed.

Sep 10 2019, 5:16 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard claimed T1649: feature documentation different keypairs per interface .
Sep 10 2019, 4:05 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard created T1649: feature documentation different keypairs per interface .
Sep 10 2019, 4:05 PM · VyOS 1.3 Equuleus (1.3.0)
trystan added a comment to T921: Encrypted DNS.

Just adding a suggestion since cloudflared (argo tunnel) is open source : https://github.com/cloudflare/cloudflared

Sep 10 2019, 3:22 PM · VyOS 1.4 Sagitta
hagbard claimed T1648: add cli command 'delete wireguard named-key <key>'.
Sep 10 2019, 3:13 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard created T1648: add cli command 'delete wireguard named-key <key>'.
Sep 10 2019, 3:13 PM · VyOS 1.3 Equuleus (1.3.0)
Unknown Object (User) triaged T1647: event-handler configurable syslog.pipe level as Wishlist priority.
Sep 10 2019, 11:28 AM · VyOS 1.3 Equuleus (1.3.4), VyOS 1.4 Sagitta, eventwatchd
syncer renamed T1646: - from How do i resolve HP printer driver is unavailable on windows 10 to -.
Sep 10 2019, 9:25 AM · Invalid
Unknown Object (User) created T1646: -.
Sep 10 2019, 9:24 AM · Invalid
Unknown Object (User) added a comment to T1417: IPv6 zone based firewall rules can't be modified.

This behavior is not only for IPv6 and appears after task T484

Sep 10 2019, 9:05 AM
Unknown Object (User) updated the task description for T1645: SPAM.
Sep 10 2019, 4:20 AM · Invalid
Unknown Object (User) created T1645: SPAM.
Sep 10 2019, 4:20 AM · Invalid
hagbard closed T1644: Wireguard listen ports lower than 1024 as Wontfix.

I think encapsulating the udp based traffic into tcp is more than counterproductive and makes it an easy DoS target.

Sep 10 2019, 3:36 AM · Rejected
Asteroza added a comment to T1644: Wireguard listen ports lower than 1024.

Actually somebody made a nifty websocket tunnel named wstunnel (similar to stunnel conceptually, but websockets is more natural for tunneling generic binary protocols thanks to webRTC...) that seems to work alright for Wireguard.

Sep 10 2019, 1:06 AM · Rejected
trystan added a comment to T1644: Wireguard listen ports lower than 1024.

I was thinking some more along the lines of stunnel and wrapping wireguard that way but it would require additional packaging and integration on the vyos side. Luckily whatever outbound filtering is in place for this specific implementation seems to be relatively basic and limited to port blocking/whitelisting.

Sep 10 2019, 12:51 AM · Rejected
Asteroza added a comment to T1644: Wireguard listen ports lower than 1024.

As long as the local nginx is not listening on the external interface on udp/443, functionally there should be no limitation to running wireguard on 443 there. A convoluted script to check that the current config has no existing 443 mapping is one solution, but that seems a bit fragile, and wouldn't really tell you where in the config the blocking 443 instance is.

Sep 10 2019, 12:30 AM · Rejected

Sep 9 2019

hagbard added a comment to T1644: Wireguard listen ports lower than 1024.

Why not use ports higher than 1024? Port 80 and 443 are so-called privileged ports, not sure if that is really required. Port udp/80, udp/443 for instance may interfere in the future with QUIC.

Sep 9 2019, 9:49 PM · Rejected
trystan added a comment to T1644: Wireguard listen ports lower than 1024.

Yes, I understand that. The primary request is to be able to set a listen port lower than 1024 without having to create a destination NAT rule to get the same result.

Sep 9 2019, 9:29 PM · Rejected
hagbard added a comment to T1644: Wireguard listen ports lower than 1024.

That is the listen port. Endpoints are peer specific; if you have multiple peers on the same interface, each one has of course its own endpoint if you want to initiate the connections. Otherwise, once the other peer connected to your gateway (assuming the handshake was successful), this information is taken from the header.

Sep 9 2019, 9:24 PM · Rejected
trystan added a comment to T1644: Wireguard listen ports lower than 1024.
set interfaces wireguard wg1 port 443
Sep 9 2019, 9:14 PM · Rejected
hagbard added a comment to T1644: Wireguard listen ports lower than 1024.

@trystan Listen or endpoint? The listen port had been limited to avoid issues with IANA assigned ports.
udp/80 or udp/443 might not be the best option anyway.

Sep 9 2019, 8:57 PM · Rejected
hagbard claimed T1644: Wireguard listen ports lower than 1024.
Sep 9 2019, 8:50 PM · Rejected
trystan created T1644: Wireguard listen ports lower than 1024.
Sep 9 2019, 7:54 PM · Rejected
kroy updated the task description for T1643: Deleting all firewall zones failed and locked out box.
Sep 9 2019, 6:34 PM · VyOS 1.3 Equuleus (1.3.0), test
kroy created T1643: Deleting all firewall zones failed and locked out box.
Sep 9 2019, 6:33 PM · VyOS 1.3 Equuleus (1.3.0), test
hagbard closed T1639: wireguard pubkey change error as Resolved.

https://github.com/vyos/vyos-1x/commit/f7456361b5b94f3c69f8fa0f34f8bff0ef68f9aa

Sep 9 2019, 4:51 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard reopened T1639: wireguard pubkey change error as "Open".
Sep 9 2019, 3:40 PM · VyOS 1.3 Equuleus (1.3.0)
dmbaturin claimed T1642: BGP configuration error when using remove-private-as.
Sep 9 2019, 12:31 PM · VyOS 1.2 Crux (VyOS 1.2.3)
dmbaturin edited projects for T1642: BGP configuration error when using remove-private-as, added: VyOS 1.2 Crux (VyOS 1.2.3); removed VyOS 1.2 Crux.
Sep 9 2019, 12:31 PM · VyOS 1.2 Crux (VyOS 1.2.3)
rcit created T1642: BGP configuration error when using remove-private-as.
Sep 9 2019, 12:16 PM · VyOS 1.2 Crux (VyOS 1.2.3)

Sep 8 2019

Daya added a comment to T1641: VRRP conntrack-sync dropping packets passing through the router.

Thanks for that. What I am suspecting is that once the maximum value is reached the router starts to drop packets, rather than clearing the stale connections.

Sep 8 2019, 11:54 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
Unknown Object (User) added a comment to T1641: VRRP conntrack-sync dropping packets passing through the router.

Hello @Daya , you can set custom kernel params for nf_conntrack

set system sysctl custom net.netfilter.nf_conntrack_max value 786432
set system sysctl custom net.nf_conntrack_max value 786432
Sep 8 2019, 4:37 PM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
Daya renamed T1641: VRRP conntrack-sync dropping packets passing through the router from VRRP conntrack-sync dropping packet to VRRP conntrack-sync dropping packets passing through the router.
Sep 8 2019, 10:49 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta
Daya created T1641: VRRP conntrack-sync dropping packets passing through the router.
Sep 8 2019, 10:49 AM · VyOS 1.5 Circinus, VyOS 1.4 Sagitta

Sep 7 2019

c-po updated the task description for T1640: Update Linux Kernel to v4.19.70.
Sep 7 2019, 10:21 PM · VyOS 1.3 Equuleus (1.3.0)
c-po closed T1640: Update Linux Kernel to v4.19.70 as Resolved.
Sep 7 2019, 10:19 PM · VyOS 1.3 Equuleus (1.3.0)
c-po created T1640: Update Linux Kernel to v4.19.70.
Sep 7 2019, 10:17 PM · VyOS 1.3 Equuleus (1.3.0)
jjakob added a comment to T1604: equuleus: buster: vbash: tab completion breaks.

It still fails in config mode:

vyos@vyos# ls <TAB>
  Configuration path [-o] is not valid
  Set failed
Sep 7 2019, 9:12 PM · VyOS 1.3 Equuleus (1.3.0)
jjakob added a comment to T1604: equuleus: buster: vbash: tab completion breaks.

This PR fixes it for me: https://github.com/vyos/vyatta-op/pull/29

Sep 7 2019, 8:19 PM · VyOS 1.3 Equuleus (1.3.0)
runar added a comment to T945: Unable to change configuration after changing it from script (vbash + script-template).

As a workaround could this be added as the first lines of the bash script?
This will check the primary group the script executes via and respawn as the vyattacfg group if it's something else before continuing.

if [ $(id -gn) != vyattacfg ]; then
    exec sg vyattacfg "$0 $*"
fi

NB! The if is necessary because the script should not execute the exec when you respawn as the correct group.
You will end up in an exec loop if it's not there .. :)
I've not tested this on VyOS, but it has helped me on other systems.

Sep 7 2019, 7:21 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
jestabro changed the status of T1424: Rewrite the config load script from On hold to In progress.
Sep 7 2019, 3:59 PM · VyOS 1.3 Equuleus (1.3.0)
lluu131 added a comment to T1020: OSPF Stops distributing default route after a while.

Using 1.2.3-eap1 frr version 7.2-dev-10290718, there is still a problem that the default route disappears between 30 minutes and 40 minutes.

Sep 7 2019, 2:33 PM · VyOS 1.2 Crux (VyOS 1.2.5)

Sep 6 2019

hagbard closed T1639: wireguard pubkey change error as Resolved.

https://github.com/vyos/vyos-1x/commit/189ae4f7096abf7ca7100a4a31e038ce9e3e19c2

Sep 6 2019, 9:52 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard claimed T1639: wireguard pubkey change error .
Sep 6 2019, 9:35 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard created T1639: wireguard pubkey change error .
Sep 6 2019, 9:35 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T1572: Wireguard keyPair per interface from On hold to In progress.
Sep 6 2019, 8:24 PM · VyOS 1.3 Equuleus (1.3.0)
hagbard changed the status of T770: Bonded interfaces get updated with incorrect hw-id in config. from In progress to Confirmed.
Sep 6 2019, 7:05 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
hagbard added a project to T770: Bonded interfaces get updated with incorrect hw-id in config.: VyOS 1.2 Crux.
Sep 6 2019, 7:04 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
hagbard changed the status of T770: Bonded interfaces get updated with incorrect hw-id in config. from On hold to In progress.
Sep 6 2019, 7:03 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
hagbard added a comment to T770: Bonded interfaces get updated with incorrect hw-id in config..

Confirmed, same issue in 1.2.2

Sep 6 2019, 6:51 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
hagbard changed the status of T770: Bonded interfaces get updated with incorrect hw-id in config. from In progress to On hold.
Sep 6 2019, 6:44 PM · VyOS 1.3 Equuleus (1.3.0-epa1)
dmbaturin closed T1624: Failed to set up config session as Resolved.

Works in the latest image for me.

Sep 6 2019, 5:40 PM · VyOS 1.3 Equuleus (1.3.0)