In T6545#194997, @SrividyaA wrote:
@Viacheslav, for site-to-site or server/client mode, when the cipher option is set to none, the issue is also noticed. When you commit, it gives this warning:
vyos@vyos# set int openvpn vtun1 encryption cipher none
[edit]
vyos@vyos# commit
Warning: "encryption none" was specified! No encryption will be performed and data is transmitted in plain text over the network!
Logs:
Jul 10 14:51:39 openvpn-vtun1[12357]: Cipher NONE not supported
Jul 11 2024
Jul 9 2024
Jul 9 2024
Any idea for CLI?
Jul 8 2024
Viacheslav changed the subtype of T6562: VRF support for config-sync from "Task" to "Feature Request".
Jul 5 2024
Viacheslav added a comment to T4600: Closing IPV6CP by client closes PPPoE link completely, even if IPv6 is optional.
Add a PR on the accel-ppp repo, or a patch in vyos-build via PR https://github.com/vyos/vyos-build/tree/current/packages/linux-kernel/patches/accel-ppp
There are no other options for review.
Jul 4 2024
@SrividyaA Does it work for site-to-site ciphers option?
Jul 3 2024
Viacheslav closed T5570: PAM config RADIUS ignore for default and success, a subtask of T5577: Optimize PAM configs for RADIUS/TACACS+, as Resolved.
Viacheslav changed the status of T6541: Add circinus branch to labeler workflow from Open to In progress.
Viacheslav moved T6538: Allow adding a geneve interface to the vrf. from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav added a comment to T4600: Closing IPV6CP by client closes PPPoE link completely, even if IPv6 is optional.
@marekm Can you add the PR to the accel-ppp repo? I guess it will be better to fix it in upstream.
https://github.com/accel-ppp/accel-ppp
Jul 2 2024
Viacheslav added a comment to T6526: hardware flowtables not working on supposedly supported hardware.
Some info
To make hardware offloading work, the NIC should be programmable to load forwarding rules like flowtables, and this is what switchdev does.
Viacheslav changed the status of T6523: Error: "nft table ip vyos_filter not found" when commiting prometheus-client from In progress to Needs testing.
@SamLue It will be available in the next rolling release; can you check it when it becomes available?
There are some nuances with it: until we have a route from the default VRF to the peer, it won't work.
set vrf bind-to-all
set vrf name first table '123'
Viacheslav changed the status of T6538: Allow adding a geneve interface to the vrf. from Open to In progress.
Viacheslav changed the status of T6523: Error: "nft table ip vyos_filter not found" when commiting prometheus-client from Open to In progress.
Viacheslav changed the status of T4025: OpenVPN server with TAP interface, client didn’t see network from Open to Needs testing.
Jul 2 2024, 6:55 AM · Bugs, VyOS 1.5 Circinus, VyOS 1.4 Sagitta (1.4.1), Restricted Project, openvpn
We are not going to implement it.
Viacheslav added a comment to T6379: "generate openvpn" uses "comp-lzo no", which leads to problems on Android-Clients.
Should fix it https://github.com/vyos/vyos-1x/pull/3747
Viacheslav added a comment to T6486: Generate openvpn client-config ignores configured protocol type.
PR https://github.com/vyos/vyos-1x/pull/3747
Also it should fix T6379
Viacheslav changed the status of T5487: OPENVPN -DEPRECATED OPTION: --cipher from Resolved to Unknown Status.
Viacheslav moved T5487: OPENVPN -DEPRECATED OPTION: --cipher from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.1) board.
Viacheslav moved T6477: Adding Loki plugin to Telegraf from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.1) board.
Viacheslav changed the status of T6486: Generate openvpn client-config ignores configured protocol type from Open to In progress.
Viacheslav changed the status of T6535: NAT66 Prefix Translation not working anymore from Resolved to Invalid.
Jul 1 2024
Viacheslav changed the status of T6535: NAT66 Prefix Translation not working anymore from Open to Needs reporter action.
We do not use iptables, we use nftables.
Check the rules with sudo nft list ruleset
What exactly does not work?
Viacheslav added a comment to T6486: Generate openvpn client-config ignores configured protocol type.
@adestis Can you add an example of the expected configuration if use-lzo-compression is configured and not configured?
https://github.com/vyos/vyos-1x/blob/e270712f7ebd76e4e1be598766d999cef4f05e26/src/op_mode/generate_ovpn_client_file.py#L57
Jun 28 2024
The correct way to pass options is without ":
set interfaces openvpn vtun20 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun20 hash 'sha512'
set interfaces openvpn vtun20 mode 'server'
set interfaces openvpn vtun20 openvpn-option 'push keepalive 1 10'
set interfaces openvpn vtun20 server subnet '10.10.2.0/24'
set interfaces openvpn vtun20 server topology 'subnet'
set interfaces openvpn vtun20 tls ca-certificate 'ca'
set interfaces openvpn vtun20 tls certificate 'cert'
set interfaces openvpn vtun20 tls dh-params 'dh'
Viacheslav changed the status of T6522: OpenVPN-options does not pass the quotes anymore from Open to In progress.
Viacheslav added a comment to T6360: CGNAT add the ability to exclude (bypass) the translations for specific destinations.
This could be achieved with conntrack ignore
set system conntrack ignore ipv4 rule 10 destination address '100.64.0.0/28'
Viacheslav moved T5359: VyOS user/pass remains in config from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav closed T5359: VyOS user/pass remains in config, a subtask of T5907: cloud-init root task for 1.5 and 1.4 , as Not Applicable.
vyos-vm-images has been archived
Viacheslav changed the status of T5933: Unable to commit BGP config with unnumbered neighbour from Open to Needs reporter action.
Provide the set of commands to reproduce
Still a bug; the original config is at the top of the task.
vyos@r4# run show conf com | match "nat "
set nat source rule 100 destination port '5000-8000'
set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 protocol 'tcp'
set nat source rule 100 source address '10.0.0.0/24'
set nat source rule 100 translation address 'masquerade'
[edit]
vyos@r4#
[edit]
vyos@r4# run show nat source rules
Rule Source Destination Proto Out-Int Translation
------ ----------- ----------------------------- ------- --------- -------------
100 10.0.0.0/24 0.0.0.0/0 IP eth0 masquerade
sport any dport {'range': [5000, 8000]}
[edit]
vyos@r4#
[edit]
vyos@r4#
[edit]
vyos@r4# run show ver
Version: VyOS 1.5-rolling-202406260020
Release train: current
Release flavor: generic
Viacheslav changed the status of T6388: Use OCaml 4.14 for CI builds from Open to Needs reporter action.
We have ENV OCAML_VERSION 4.14.2 for both, @dmbaturin. Can we close it, or will you do an update to 5.0?
Viacheslav moved T6385: interrupting rollback with Ctrl-C displays an exception trace from Open to Finished on the VyOS 1.4 Sagitta board.
Viacheslav moved T6387: Bump conntrack to version 1:1.4.7-1 from Open to Finished on the VyOS 1.5 Circinus board.
Not actual
vyos@r4:~$ show version all | match conntrack
ii  conntrack                      1:1.4.7-1+b2  amd64  Program to modify the conntrack tables
ii  conntrackd                     1:1.4.7-1+b2  amd64  Connection tracking daemon
ii  libnetfilter-conntrack3:amd64  1.0.9-1       amd64  Netfilter netlink-conntrack library
vyos@r4:~$
vyos@r4:~$ show version
Version: VyOS 1.5-rolling-202406260020
Release train: current
Release flavor: generic
Viacheslav added a comment to T6526: hardware flowtables not working on supposedly supported hardware.
Try native nft commands for offload and check what it says.
# cat /tmp/offload.nft
Jun 27 2024
Viacheslav triaged T6523: Error: "nft table ip vyos_filter not found" when commiting prometheus-client as Low priority.
Viacheslav added a comment to T6523: Error: "nft table ip vyos_filter not found" when commiting prometheus-client.
Do you have a firewall?
If not, it is an expected error.
Which config exactly does it generate?
Based on this code, it should work: https://github.com/vyos/vyos-1x/blob/b3b1d59d86af510c454da446f013b514389f5c7f/src/conf_mode/interfaces_openvpn.py#L683
Viacheslav triaged T6520: update vyos-1x workkflow package-smoketest permission for adding comment as Normal priority.
Jun 26 2024
Viacheslav closed T6412: CGNAT allocation calculation may sometimes be incorrect, a subtask of T5169: Add CGNAT Carrier-Grade NAT based on nftables, as Resolved.
Jun 25 2024
Viacheslav triaged T6516: ISIS - advertise-passive-only not install route in the RIB as Normal priority.
PR https://github.com/vyos/vyos-1x/pull/3720
set service monitoring telegraf loki url 'http://localhost'
set service monitoring telegraf loki metric-name-label 'r123'
@Vijayakumar This package is deprecated as per https://vyos.dev/T6507
Jun 24 2024
Viacheslav changed the status of T5735: Add CLI and configuration scripts for stunnel, a subtask of T4783: Add support for stunnel, from Open to Needs testing.
Viacheslav changed the status of T5735: Add CLI and configuration scripts for stunnel from Open to Needs testing.
The no-verify option exists:
vyos@vyos# set load-balancing reverse-proxy backend bk01 ssl
Possible completions:
  ca-certificate    Certificate Authority in PKI configuration
  no-verify         Do not attempt to verify SSL certificates for backend servers
Added in T6242.
Jun 22 2024
Jun 21 2024
Viacheslav changed the status of T6488: Firewall op mode output incomplete from In progress to Needs testing.
Viacheslav added a comment to T6502: Load balancer reverse proxy does not allow forwarding SSH port.
Provide a minimal example of configuration (set commands) to reproduce.
Viacheslav triaged T6506: Add a linting rule for checking executable bits on scripts as Normal priority.
Jun 20 2024
Jun 19 2024
Works fine:
set load-balancing reverse-proxy backend bk01 server srv01 address '192.168.122.16'
set load-balancing reverse-proxy backend bk01 server srv01 port '22'
set load-balancing reverse-proxy service ssh backend 'bk01'
set load-balancing reverse-proxy service ssh mode 'tcp'
set load-balancing reverse-proxy service ssh port '22'
set service ssh disable-host-validation
set service ssh port '2222'
Viacheslav triaged T6502: Load balancer reverse proxy does not allow forwarding SSH port as Normal priority.