Page MenuHomeVyOS Platform

lucasec (Lucas Christian)
User

Projects

User does not belong to any projects.

User Details

User Since
Apr 2 2019, 2:39 AM (275 w, 5 d)

Recent Activity

Sun, Jul 7

lucasec added a comment to T921: Encrypted DNS.

There are two possible places where encrypted DNS support might be desired in a standard setup where VyOS is hosting a local resolver/recursor:

Sun, Jul 7, 3:11 AM · VyOS 1.4 Sagitta (1.4.0-GA)

Apr 15 2024

lucasec added a comment to T6241: Updating CRL in "pki" config does not update OpenVPN.

I even commented on that issue…
It would seem my memory ages out after 3 years 🤣

Apr 15 2024, 7:41 AM · VyOS 1.4 Sagitta (1.4.0-epa3)

Apr 14 2024

lucasec created T6241: Updating CRL in "pki" config does not update OpenVPN.
Apr 14 2024, 11:55 PM · VyOS 1.4 Sagitta (1.4.0-epa3)
lucasec renamed T6177: Intel QAT causes CPU runaway/stall with ipsec VPN from CPU runaway/stall possibly related to Strongswan to Intel QAT causes CPU runaway/stall with ipsec VPN.
Apr 14 2024, 11:36 PM · VyOS 1.5 Circinus
lucasec added a comment to T6177: Intel QAT causes CPU runaway/stall with ipsec VPN.

My system finally crashed again today. I found a workload that generates enough traffic over the VPN to reliably re-produce.

Apr 14 2024, 7:20 PM · VyOS 1.5 Circinus

Apr 7 2024

lucasec added a comment to T5873: ipsec remote access VPN: support VTI interfaces.

Hi -- this works. The VTI interface is just another interface so you can add it to a firewall zone just as you would an Ethernet interface. This can be done with existing site-to-site ipsec VTIs today. I also do it with OpenVPN interfaces for remote access on some of my installations.

Apr 7 2024, 1:57 AM · VyOS 1.5 Circinus

Mar 28 2024

lucasec closed T5872: ipsec remote access VPN: support dhcp-interface as Resolved.
Mar 28 2024, 6:28 PM · VyOS 1.4 Sagitta (1.4.0-epa3)

Mar 27 2024

lucasec created T6177: Intel QAT causes CPU runaway/stall with ipsec VPN.
Mar 27 2024, 4:45 PM · VyOS 1.5 Circinus

Mar 12 2024

lucasec closed T6114: dhcpv6-server migration script 4-to-5 errors out as Resolved.
Mar 12 2024, 4:44 PM

Mar 11 2024

lucasec created T6114: dhcpv6-server migration script 4-to-5 errors out.
Mar 11 2024, 6:23 AM

Dec 29 2023

lucasec created T5874: ipsec site-to-site: Support binding multiple tunnels to one VTI, customizing local and remote traffic selectors.
Dec 29 2023, 6:24 AM · VyOS 1.5 Circinus
lucasec updated the task description for T5873: ipsec remote access VPN: support VTI interfaces.
Dec 29 2023, 6:05 AM · VyOS 1.5 Circinus
lucasec created T5873: ipsec remote access VPN: support VTI interfaces.
Dec 29 2023, 6:03 AM · VyOS 1.5 Circinus
lucasec renamed T5872: ipsec remote access VPN: support dhcp-interface from ipsec remote access VPN: support dhcp to ipsec remote access VPN: support dhcp-interface.
Dec 29 2023, 6:00 AM · VyOS 1.4 Sagitta (1.4.0-epa3)
lucasec created T5872: ipsec remote access VPN: support dhcp-interface.
Dec 29 2023, 6:00 AM · VyOS 1.4 Sagitta (1.4.0-epa3)
lucasec created T5871: ipsec remote access VPN: specify "cacerts" to disambiguate mulitple remote access configurations.
Dec 29 2023, 5:59 AM · VyOS 1.4 Sagitta (1.4.0-epa3)
lucasec created T5870: ipsec remote access VPN: add x509 ("pubkey") authentication.
Dec 29 2023, 5:55 AM · VyOS 1.4 Sagitta (1.4.0-epa2)

Jan 23 2023

lucasec added a comment to T2486: DNS records set via 'system static-host-mapping' return NXDOMAIN from 'service dns forwarding' after a request to a forwarded zone.

For completeness let me link this back to discussion here: https://github.com/vyos/vyos-1x/pull/1024#issuecomment-1399908479
TL;DR I do not believe this bug needs to be re-opened, what was likely identified is a different, unrelated, limitation of pdns-recursor that affects the newer authoritative DNS functionality.

Jan 23 2023, 7:36 AM · VyOS 1.3 Equuleus (1.3.0)

Apr 5 2022

lucasec created T4345: New firewall code does not accept "rate/time interval" syntax used in old config.
Apr 5 2022, 10:36 PM · VyOS 1.4 Sagitta

Oct 12 2021

lucasec added a comment to T562: PDNS: Add support for authoritative dns server.

PR: https://github.com/vyos/vyos-1x/pull/1024

Oct 12 2021, 7:28 AM · VyOS 1.4 Sagitta

Oct 11 2021

lucasec added a comment to T3885: dhcpv6-pd: randomly generated DUID is not persisted.

Obviously in a perfect world we get "unique" and "stable". I do think giving stability priority makes sense.

Oct 11 2021, 8:05 AM · VyOS 1.3 Equuleus (1.3.0-epa2), VyOS 1.4 Sagitta

Oct 10 2021

lucasec added a comment to T3885: dhcpv6-pd: randomly generated DUID is not persisted.

I surveyed all the hardware I have to see what kind of UUIDs they report:

Oct 10 2021, 11:37 PM · VyOS 1.3 Equuleus (1.3.0-epa2), VyOS 1.4 Sagitta

Oct 5 2021

lucasec added a comment to T3885: dhcpv6-pd: randomly generated DUID is not persisted.

Yeah, that seems reasonable to me. I would prefer not add clutter to the system node if it can be avoided.

Oct 5 2021, 6:21 AM · VyOS 1.3 Equuleus (1.3.0-epa2), VyOS 1.4 Sagitta
lucasec added a comment to T3885: dhcpv6-pd: randomly generated DUID is not persisted.

That seems fair, basically make the DUID generation deterministic. There is some defined structure to the DUID format, I think this would be a "type 3 DUID" per this document: https://www.juniper.net/documentation/en_US/junose15.1/topics/concept/dhcp-unique-id-servers-clients-overview.html.

Oct 5 2021, 5:23 AM · VyOS 1.3 Equuleus (1.3.0-epa2), VyOS 1.4 Sagitta

Oct 3 2021

lucasec created T3885: dhcpv6-pd: randomly generated DUID is not persisted.
Oct 3 2021, 7:20 AM · VyOS 1.3 Equuleus (1.3.0-epa2), VyOS 1.4 Sagitta

Sep 27 2021

lucasec added a comment to T3861: PKI: changing certificates, keys, crls does not "regenerate" the on-disk certificates.

Adding a few notes here:

  • The ideal behavior probably depends on which PKI elements are changed and what services depend on them.
  • E.g. OpenVPN does not require a server restart for a CRL change (see https://openvpn.net/community-resources/controlling-a-running-openvpn-process/), but changing the CA or server cert/key would require a restart.
  • It seems like there are some swanctrl commands that can conditionally reload parts of the config too without taking all tunnels down
  • The former might be useful if you need to renew server certs or something like that and want to do so with the minimal impact
Sep 27 2021, 4:45 AM · VyOS 1.4 Sagitta (1.4.0-GA)

Sep 19 2021

lucasec added a comment to T3840: dns forwarding: Cache size should allow values > 10k.

Pull request: https://github.com/vyos/vyos-1x/pull/1010

Sep 19 2021, 4:50 AM · VyOS 1.3 Equuleus (1.3.0-epa1), VyOS 1.4 Sagitta
lucasec changed Difficulty level from unknown to easy on T3840: dns forwarding: Cache size should allow values > 10k.
Sep 19 2021, 4:29 AM · VyOS 1.3 Equuleus (1.3.0-epa1), VyOS 1.4 Sagitta
lucasec claimed T3840: dns forwarding: Cache size should allow values > 10k.
Sep 19 2021, 4:21 AM · VyOS 1.3 Equuleus (1.3.0-epa1), VyOS 1.4 Sagitta
lucasec created T3840: dns forwarding: Cache size should allow values > 10k.
Sep 19 2021, 4:21 AM · VyOS 1.3 Equuleus (1.3.0-epa1), VyOS 1.4 Sagitta

Sep 17 2021

lucasec added a comment to T3830: ipsec: remote-id no longer included in IKE AUTH if not explicitly specified.

Tested on latest build VyOS 1.4-rolling-202109160217 and confirmed it is adding the remote id attribute by default as expected. Connections establish without issue.

Sep 17 2021, 4:02 AM · VyOS 1.4 Sagitta

Sep 15 2021

lucasec assigned T3830: ipsec: remote-id no longer included in IKE AUTH if not explicitly specified to c-po.
Sep 15 2021, 5:57 AM · VyOS 1.4 Sagitta
lucasec created T3830: ipsec: remote-id no longer included in IKE AUTH if not explicitly specified.
Sep 15 2021, 5:57 AM · VyOS 1.4 Sagitta

Sep 14 2021

lucasec added a comment to T3828: ipsec: Subtle change in "pfs enable" behavior from equuleus -> sagitta.

Booted my host with 1.4-rolling-202109140217 and confirmed pfs enabled is now generating the expected swanctl.conf file to match the old behavior. If I don't report back in exactly an hour from now that my tunnels died, we can assume the fix works.

Sep 14 2021, 5:03 AM · VyOS 1.4 Sagitta

Sep 13 2021

lucasec assigned T3828: ipsec: Subtle change in "pfs enable" behavior from equuleus -> sagitta to c-po.
Sep 13 2021, 7:20 AM · VyOS 1.4 Sagitta
lucasec created T3828: ipsec: Subtle change in "pfs enable" behavior from equuleus -> sagitta.
Sep 13 2021, 7:20 AM · VyOS 1.4 Sagitta
lucasec added a comment to T3827: interfaces migration script fails on AWS hosts.

Note: config versions were added to the default configs here https://github.com/vyos/vyos-build/commit/23639568a945f19471af88547dab45b87bbd642d, but the current vyos-build-ami replaces the default file with its own that hasn't been modified to add the versioning comment yet. That can probably be fixed whenever that repo is updated for equuleus (I have my own patched local branch that I could publish if desired).

Sep 13 2021, 12:44 AM · VyOS 1.3 Equuleus (1.3.3), VyOS 1.2 Crux (VyOS 1.2.9), VyOS 1.4 Sagitta
lucasec updated subscribers of T3827: interfaces migration script fails on AWS hosts.

cc: @c-po maybe this was a side effect of unifying the two parsers

Sep 13 2021, 12:20 AM · VyOS 1.3 Equuleus (1.3.3), VyOS 1.2 Crux (VyOS 1.2.9), VyOS 1.4 Sagitta
lucasec created T3827: interfaces migration script fails on AWS hosts.
Sep 13 2021, 12:16 AM · VyOS 1.3 Equuleus (1.3.3), VyOS 1.2 Crux (VyOS 1.2.9), VyOS 1.4 Sagitta

Sep 11 2021

lucasec added a comment to T3805: OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface.

FYI, if your OpenVPN config relies on cert files or anything you uploaded into the config directory, you may need to change the owner to the openvpn user or widen file permissions. Oddly this only seems to affect equuleus, not sagitta (OpenVPN seems fine reading files owned by "root" out of "/config/auth").

Sep 11 2021, 8:58 AM · VyOS 1.3 Equuleus (1.3.0-epa1), VyOS 1.4 Sagitta

Nov 14 2020

lucasec added a comment to T3041: Intel QAT: vyos-1.3-rolling-202011020217-amd64 kernel panic during configure.

Your revert appears to do the trick. Image booted fine with QAT enabled, and "show system acceleration qat status" shows the QAT device came up fine and is running happily.

Nov 14 2020, 6:21 AM · VyOS 1.3 Equuleus (1.3.0)

Nov 12 2020

lucasec added a comment to T3041: Intel QAT: vyos-1.3-rolling-202011020217-amd64 kernel panic during configure.

Sure—if you want to drop me an image I can try it out. I do have a working vyos-build as well, I can also try and produce my own with that change backed out when I get some time towards the end of the week.

Nov 12 2020, 4:23 AM · VyOS 1.3 Equuleus (1.3.0)

Nov 10 2020

lucasec added a comment to T3041: Intel QAT: vyos-1.3-rolling-202011020217-amd64 kernel panic during configure.

I will perform a few additional tests tomorrow with the oldest available rolling releases (looks like October 13th as of writing). Will see if I can binary search my way to when things broke.

Nov 10 2020, 7:27 AM · VyOS 1.3 Equuleus (1.3.0)
lucasec updated the task description for T3041: Intel QAT: vyos-1.3-rolling-202011020217-amd64 kernel panic during configure.
Nov 10 2020, 7:22 AM · VyOS 1.3 Equuleus (1.3.0)
lucasec added a comment to T3041: Intel QAT: vyos-1.3-rolling-202011020217-amd64 kernel panic during configure.

A few updates... the failure still occurs on latest rolling. Similar outcome—the kernel panics and dumps a stacktrace during the initial boot-up configure process. However, this issue goes back further than I expected (and initially expressed in the ticket). I goofed up in my testing of 1.3-rolling-202010260327 by booting with a default config file without the QAT option.

Nov 10 2020, 7:21 AM · VyOS 1.3 Equuleus (1.3.0)

Nov 3 2020

lucasec created T3041: Intel QAT: vyos-1.3-rolling-202011020217-amd64 kernel panic during configure.
Nov 3 2020, 5:11 AM · VyOS 1.3 Equuleus (1.3.0)

Oct 27 2020

lucasec closed T2961: Support "stateless" DHCP-v6 (information-request) clients as Resolved.
Oct 27 2020, 7:01 PM
lucasec closed T2964: pdns_recursor should support explicitly configuring query source address as Resolved.
Oct 27 2020, 7:01 PM

Oct 6 2020

lucasec added a comment to T2964: pdns_recursor should support explicitly configuring query source address.

Pull request https://github.com/vyos/vyos-1x/pull/563

Oct 6 2020, 2:14 AM
lucasec created T2964: pdns_recursor should support explicitly configuring query source address.
Oct 6 2020, 1:54 AM

Oct 4 2020

lucasec added a comment to T2961: Support "stateless" DHCP-v6 (information-request) clients.

Pull request: https://github.com/vyos/vyos-1x/pull/562

Oct 4 2020, 10:59 PM
lucasec created T2961: Support "stateless" DHCP-v6 (information-request) clients.
Oct 4 2020, 10:48 PM