In testing this I found that ocserv validates its config on startup and using radius accounting without radius authentication fails to validate and the service will not start. As a result i'm not treating OpenConnect accounting as dependant on the radius as the authentication mode.

migration script modified in current; lower task priority to test error reporting from libvyoconfig.

Yeah, in my case as well, NPTv6 is mostly only useful if it it works with a dynamic (from DHCPv6-PD) prefix, since that's how my ISP provides addresses (AFAIK I'd have to pay for a business connection to get a static prefix, though I haven't actually called and asked myself). I'm tempted to play with hacking something together by building from source myself with some tweaks to auto-update the nat rules when it gets a new PD prefix.

I've created a pull request which add support for this, and yes, it does use raw command.
I know that here we want to avoid "raw options" but I think this is one of the most needed feature and I don't see any other way else to do this. Until a better option is found, I think my PR should do just fine.

Tested in a server/client setup:

I can confirm that with VyOS 1.4-rolling-202301250317 the issue is gone.
At least based on my setup and configuration
Thx for fixing quickly

Please test with latest rolling

There is also a service called "pppd-dns.service" that references "/etc/ppp/ip-down.d/0000usepeerdns", this service is enabled by default and fails on new installs.
It should be disabled and optionally, the file removed too.

PR https://github.com/vyos/vyos-build/pull/298