Maintenance complete

www.vyos.net, bugzilla.vyos.net, and forum.vyos.net were moved to the new server and should work as expected now. If you experience any problems, please let us know.

Maintenance notification: vyos.net, forum.vyos.net, bugzilla.vyos.net at 17:00 UTC

What and how long

www.vyos.net, forum.vyos.net, and bugzilla.vyos.net will be unavailable for up to 3 hours.

When

Jul 09th, 17:00-20:00 UTC

Why

Finishing the migration to new infrastructure.

How

At 17:00 UTC the websites will be put into maintenance mode to maintain data consistency. You will not be able to post new content and may be unable to access existing content.

After that we will move the data to the new server, check the installation, and switch the DNS records, after which website operations will be restored.

The TTL for the records is now set to 15 minutes. If you experience problems with it, try flushing your DNS cache.

Build scripts use development repos by default now

We’ve made a change in the ISO build scripts so they use the development repos, dev.packages.vyos.net, as package source by default. The development repos are automatically populated by the CI server, so you always get the most recent packages.

This change only affects the helium branch; hydrogen stays untouched. We will modify the “--with-release-build” behaviour to use the release repos later. Since helium doesn’t have a release version yet, that’s not a problem.

Note that the release and development repos use different GPG keys, so when you build a development ISO, you will be asked whether you trust the key. The same happens when installing release packages on development builds and vice versa. This is to prevent accidental installation of unstable development packages on production systems.

New nightly builds location and CI server

Thanks to Kim Hagen, we now have a continuous integration server (Jenkins-based): http://ci.vyos.net.

You can track build status there if you want.

Nightly builds are now stored at http://dev.packages.vyos.net/iso

Survey report

The survey is now closed and it’s time to summarize the results. The overall picture didn’t change much from the first days, so I think these data are pretty representative.


CVE-2014-4607

A vulnerability in the LZO implementation was discovered recently.

The only network-accessible VyOS components (to my knowledge) where it’s used are IPsec and OpenVPN, which use it for data compression. Compression is performed before encryption, so this is probably not exploitable by a man in the middle. If you are dealing with an untrusted remote side of the VPN, it is probably better to turn compression off.

We will look into providing a hotfix for it for 1.0.4.

Keeping OpenVPN config and certs/keys in one file

OpenVPN client setup requires multiple files apart from the config: the CA, the client certificate, and the client key, when certificate authentication is used. With login/password authentication it’s not just one file either: you still need a CA.

Having to deal with just one file is obviously more convenient for both the user and the admin. OpenVPN in fact can do that, even though it’s rarely mentioned in HOWTOs for some reason. You just need to include them in the config file enclosed in <ca>, <cert>, and <key> XML-like tags respectively.
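An added example (not code from the original post or from VyOS): a small Python helper that rewrites a client config referencing separate ca, cert, and key files into a single file using the inline tags described above. The file names, the vpn.example.net host, and the helper names are assumptions; because the merged file now contains the private key, the helper writes it with mode 0600.

```python
import os
import shlex
import tempfile
from pathlib import Path

INLINE = ("ca", "cert", "key")  # the directives the post says can be embedded


def inline_config(config_text, base_dir):
    """Replace 'ca|cert|key <file>' lines with <ca>/<cert>/<key> blocks."""
    out = []
    for line in config_text.splitlines():
        try:
            parts = shlex.split(line, comments=True)  # drops '#' comments
        except ValueError:  # unbalanced quote, e.g. inside a ';' comment
            parts = []
        if len(parts) == 2 and parts[0] in INLINE:
            body = (Path(base_dir) / parts[1]).read_text().strip()
            out += [f"<{parts[0]}>", body, f"</{parts[0]}>"]
        else:
            out.append(line)  # every other directive is kept unchanged
    return "\n".join(out) + "\n"


def write_private(path, text):
    """Create the merged file readable by its owner only (it holds the key)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    # Constructed sample: placeholder bodies, not real certificates or keys.
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca.crt", "client.crt", "client.key"):
            Path(d, name).write_text(f"(placeholder PEM data for {name})\n")
        conf = (
            "client\n"
            "remote vpn.example.net 1194\n"
            "ca ca.crt\n"
            "cert client.crt\n"
            "key client.key\n"
        )
        merged = inline_config(conf, d)
        write_private(Path(d, "client.ovpn"), merged)
        print(merged)
```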
