Thanks, I got it working now.
- Feed Queries
- All Stories
- Search
- Feed Search
- Transactions
- Transaction Logs
Feed All Stories
All Stories
All Stories
Sep 9 2021
Sep 9 2021
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
c-po moved T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Need Triage to 1.3.0-epa1 on the VyOS 1.3 Equuleus board.
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
c-po moved T3814: wireguard: commit error showing incorrect peer name from the configured name from Open to In Progress on the VyOS 1.4 Sagitta board.
Your problem is that this is not a CA certificate, it's the servers certificate.
Sep 8 2021
Sep 8 2021
Can you share your CAs public cert for testing?
Hello, Sorry, but I tried this I get "Invalid certificate on CA certificate "test"
c-po added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
A new ISO 1.4-rolling-202109081242 is currently build - you may check in 30 minutes and try if this works for you - it did in my example config.
That would only work if accept_local will be added as proper CLI node on the tunnel interface, or use set system sysctl parameter net.ipv4.conf.default.accept_local value '1'
c-po moved T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Open to Finished on the VyOS 1.4 Sagitta board.
c-po changed the status of T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Confirmed to Needs testing.
c-po changed the status of T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface from Open to Confirmed.
Viacheslav updated the task description for T3813: Some custom sysctl parameters can't be applied bug.
Viacheslav moved T3786: GRE tunnel source address 0.0.0.0 error from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
amxj9 added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Certainly, here it is:
openvpn vtun0 {
authentication {
password ******
username ******
}
encryption {
cipher aes256
}
hash sha512
mode client
openvpn-option fast-io
openvpn-option "remote-cert-tls server"
openvpn-option "resolv-retry infinite"
openvpn-option "pull-filter ignore redirect-gateway"
openvpn-option "tun-mtu 1500"
openvpn-option "tun-mtu-extra 32"
openvpn-option "mssfix 1450"
openvpn-option "comp-lzo no"
openvpn-option "ping-restart 0"
openvpn-option ping-timer-rem
openvpn-option "ping 15"
openvpn-option "reneg-sec 0"
persistent-tunnel
protocol udp
remote-host xxx.xxx.xx.xxx
remote-port 1194
tls {
auth-key ****************
ca-certificate ***************
tls-version-min 1.2
}
}Sep 7 2021
Sep 7 2021
c-po edited projects for T3796: Wireguard interfaces are not shown in op-mode, added: VyOS 1.2 Crux (VyOS 1.2.9); removed VyOS 1.2 Crux.
@absolutesantaja this is definately a bug in the 1.2.9 op-mode commands
c-po added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Can you please share a version of your anonymized client configuration?
Are you saying "show interfaces wireguard" is being back-ported to crux 1.2.9 or something? If not then the crux documentation is still wrong.
Note also that nothing here has been backported to 1.3 yet.
The operational command "show interfaces <interface-type> " has been fixed in the latest rolling and equuleus release.
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
Viacheslav updated the task description for T3810: webproxy squidguard rules don't work properly after rewriting to python. .
amxj9 added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.
Unfortunately not. I reverted my changes and then added:
cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write @openvpn
to /etc/security/capability.conf but got the same errors as before (I rebooted to make sure).
dmbaturin added a project to T3808: ipsec is mistakenly restarted after delete: VyOS 1.2 Crux (VyOS 1.2.9).
c-po edited a custom field on T3807: Op Command "show interfaces wireguard" does not show the output.
c-po moved T3807: Op Command "show interfaces wireguard" does not show the output from Open to Finished on the VyOS 1.4 Sagitta board.
c-po moved T3807: Op Command "show interfaces wireguard" does not show the output from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T3807: Op Command "show interfaces wireguard" does not show the output from Need Triage to 1.3.0-epa1 on the VyOS 1.3 Equuleus board.
@mbailey Can you check it in 1.3.0-rc6?
Same happens to other op-mode commands:
Viacheslav moved T1894: FRR config not loaded after daemons segfault or restart from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Viacheslav closed T1894: FRR config not loaded after daemons segfault or restart, a subtask of T3217: Save FRR configuration on each commit, as Resolved.
Fixed in T3217
Viacheslav moved T3217: Save FRR configuration on each commit from Need Triage to Finished on the VyOS 1.3 Equuleus board.
Viacheslav moved T3217: Save FRR configuration on each commit from In Progress to Finished on the VyOS 1.4 Sagitta board.
please refer to the PKI documentation at https://docs.vyos.io/en/latest/configuration/pki/index.html or https://blog.vyos.io/pki-and-ipsec-ikev2-remote-access-vpn about how the PKI feature is used.
c-po committed rVYOSONEXd9f20383323a: login: T971 allow quoting in public-keys options (authored by plett).
You don't need line like "begin|end"
For example
set pki ca openvpn_vtun10 certificate 'MIIDSzCCAjOgAwIBAgIUEtkjCVKmZCwUeYLenoznpkxMeZswQ=='
I tested it on ESXi
May I ask whether the vulnerability report should be made public here or submitted to which mailbox? Will a PGP public key be provided to encrypt sensitive information?
Sep 6 2021
Sep 6 2021
It seems some bug in KVM.
I still see this bug
VyOS 1.3.0-rc6 config
vyos@r4-1.3# run show conf com | match mac set interfaces macsec macsec1 address '10.0.0.2/30' set interfaces macsec macsec1 security cipher 'gcm-aes-128' set interfaces macsec macsec1 security encrypt set interfaces macsec macsec1 security mka cak 'f42e15acecc0c1634582bdd32429efdf' set interfaces macsec macsec1 security mka ckn '0ef5ebf77ba031e45ad270e9f80c804d500a2649789db1c87b751114f329e032' set interfaces macsec macsec1 source-interface 'eth1'
Viacheslav closed T2920: Commit crash when adding the second mGRE tunnel with the same key as Resolved.
jestabro moved T3808: ipsec is mistakenly restarted after delete from Need Triage to In Progress on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
GitHub <noreply@github.com> committed rVYOSONEXe1422069475d: Merge pull request #999 from sever-sever/T2920-equ (authored by c-po).
jestabro changed the status of T3808: ipsec is mistakenly restarted after delete from Open to Confirmed.
Works as designed. Note that the MACSec interface will only change its state to u/u after a successful key-exchange.
c-po moved T3800: DHCPv6 client get incorrect mask /128 from Open to In Progress on the VyOS 1.4 Sagitta board.
c-po moved T3803: Add source-address option to the ping CLI from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T3803: Add source-address option to the ping CLI from Open to Finished on the VyOS 1.4 Sagitta board.
c-po moved T3806: Don't set link local ipv6 address if MTU less then 1280 from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po moved T3806: Don't set link local ipv6 address if MTU less then 1280 from Open to Finished on the VyOS 1.4 Sagitta board.
@kroy Did you get it with any other rc versions?
c-po changed the status of T3806: Don't set link local ipv6 address if MTU less then 1280 from Open to In progress.