In T5657#162236, @bbabich wrote:

Yep looks fine @Viacheslav
I've been using it like this for a while now but figure it may be useful as part of making 'VRFs' complete...

$ sudo ip vrf exec RCS3 mtr 192.168.222.11

Yep looks fine @Viacheslav
I've been using it like this for a while now but figure it may be useful as part of making 'VRFs' complete...

@fsbof This change was accepted so it should end up in the 1.5 rolling soon. I suspect backporting to 1.4 wouldn't be an issue but that is a question for a more senior dev. But as for 1.3, I am unsure as I have never ran that version and don't know if there are any changes between those releases that would make it a pain to backport.

Once accepted, I will update the documentation for this change as well as the ssh fingerprint change (T5653).

https://github.com/vyos/vyos-1x/pull/2369

In this case we can use the next solution:

PR https://github.com/vyos/vyos-1x/pull/2366

Still fails:

Looks like this issue may actually be resolved now.

cf. T5027: the commit for this task necessarily removed the fix there, leading to failing of the same two tests. A fix is to specify a specific encryption cipher within test_openvpn_options and test_openvpn_site2site_interfaces_tun to avoid openvpn defaulting to bf.

I was also affected by this issue. I could only update to 1.5-rolling-202309280022. Updates to more recent versions had the effect that after login I coudn't manage VyOS as I only had a standard linux bash.

Did you test it in vrf? Is it really works as expected?

@JeffWDH I am happy to download, build and test when you're ready if you point me to the right version(s)/location(s). I'm also very new to this but I managed to Build Equuleus in a docker container which has been working ok. Appreciate your efforts.

I've updated this to default to no ASCII art as I think it's cleaner, but added an option to show it if you want to see it:

Wow - you guys work quickly! 👍

I think it should be included, its often used during generation in Debian among other distros.

Fixed in https://github.com/vyos/vyos-1x/pull/2342

I wonder if we need the ASCII art though or not the plain fingerprints only (first line of the command)

Implementation complete

Implementation complete

Implementation complete

Implementation complete

Implementation complete

Implementation complete

Implementation complete

OpenVPN cannot pass the smoketest

 DEBUG - ======================================================================
DEBUG - FAIL: test_openvpn_options (__main__.TestInterfacesOpenVPN.test_openvpn_options)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 525, in test_openvpn_options
DEBUG -     self.assertNotEqual(cur_pid, new_pid)
DEBUG - AssertionError: None == None
DEBUG - 
DEBUG - ======================================================================
DEBUG - FAIL: test_openvpn_site2site_interfaces_tun (__main__.TestInterfacesOpenVPN.test_openvpn_site2site_interfaces_tun)
DEBUG - ----------------------------------------------------------------------
DEBUG - Traceback (most recent call last):
DEBUG -   File "/usr/libexec/vyos/tests/smoke/cli/test_interfaces_openvpn.py", line 601, in test_openvpn_site2site_interfaces_tun
DEBUG -     self.assertTrue(process_named_running(PROCESS_NAME))
DEBUG - AssertionError: None is not true

I had a similar issue going from 1.5-rolling-202309250022 to 1.5-rolling-202310090023.

Then this task can be set to closed and invalid :-)

PR updated: https://github.com/vyos/vyos-build/pull/435

If you don't use the firewall (statefully at least) then it will go through the FW_CONNTRACK chain and the NAT_CONNTRACK and/or WLB_CONNTRACK chains will be reached, or fall through to the notrack.

But the NAT_CONNTRACK and WLB_CONNTRACK chains are never evaluted because FW_CONNTRACK always set action to accept?

PR: https://github.com/vyos/vyos-1x/pull/2361

This should fix the problem: https://github.com/vyos/vyos-1x/pull/2361

That is how the conntrack enabling system works. FW_CONNTRACK verdict is set to accept when it is determined the firewall needs conntracking (state rules, flowtable etc.), same for NAT_/WLB_ chains. If none require conntrack - all chains will be return and it falls down the chain to the final notrack and conntrack is not enabled.