When VyOS CLI isn't enough

Sometimes a particular configuration option is supported by the software that VyOS uses, but the CLI does not expose it. Since VyOS is open source, you can always fix that, but sometimes you need it by tomorrow, and there's simply no time to do it.

In a number of places, we've left an escape hatch for it that allows bypassing the CLI and including a raw snippet into the generated config. Of course, you give up the sanity checks of the CLI and take full responsibility for the correctness of the resulting config, but sometimes it's necessary.

OpenVPN
In OpenVPN, we have an option called "openvpn-option". You can pass arbitrary options to the OpenVPN process with it, but note that in the current versions it has to be in the command-line form rather than the config-file form, i.e. prepended with "--". See this example:

set interfaces openvpn vtun10 openvpn-option "--connect-freq 10 60"

Note that the "push" option is already supported by the CLI, so it doesn't need this. I see OpenVPN configs with openvpn-option overused once in a while: before passing an option this way, make sure what you need to do is really not supported natively.

DHCP server

In the DHCP server, there is not one, but two escape hatches. One is the "subnet-parameters" option under "subnet". The other is "global-parameters", which applies to the whole server configuration rather than to a single subnet.

See an example (192.0.2.0/24 is a placeholder subnet):

set service dhcp-server shared-network-name LAN subnet 192.0.2.0/24 subnet-parameters "ping-timeout 5;"

Since dhcpd.conf syntax is more complex than a flat list of options, it's important to make sure the generated config is valid: the string is inserted into the generated file verbatim, so it needs the terminating semicolon, and a typo there leaves you with a DHCP server that fails to start and some time spent reading the log to see what is wrong. Be careful here, and check the log right after commit rather than discovering the problem when leases start expiring.

Note that these options are not supported by the DHCPv6 server. Does anyone think we should support it?

Dynamic DNS

In dynamic DNS, the escape hatch is the "use-web" option. The list of update protocols is fixed (it's whatever ddclient supports), but the source of the address is not: with "use-web", the address sent to your provider is not taken from the interface but extracted from a web page fetched from the URL you give. That is what you need when the router itself sits behind NAT and the interface address is not the public one.

set service dns dynamic interface eth0 use-web url http://checkip.example.com/

Since no one can possibly anticipate every network setup and every address-detection service out there, I believe it will remain a necessary option forever.

When all else fails: the postconfig script

If something is not supported and doesn't have a handy escape hatch, you can still implement it with the postconfig script. That script is found at /config/scripts/vyatta-postconfig-bootup.script and runs after loading config.boot is complete, so it's particularly suited to manipulating things like raw iptables rules.

VyOS doesn't delete or overwrite anything in the global netfilter tables after boot, so it's safe to put your commands there, for example "/sbin/iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" for global MSS clamping.

You still need to be careful not to conflict with the rules inserted by VyOS though, so always check what exactly VyOS generates (iptables-save is your friend) before relying on the postconfig script. Also keep in mind that the script runs only at boot, so after editing it you have to run it by hand or reboot, and that nothing it does shows up in "show configuration", so document it somewhere your colleagues will find it.
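As an added example (not code from the original post or from VyOS itself), here is what a more careful postconfig script for the MSS clamping rule above might look like. It wraps each rule in a check so that running the script twice, for example by hand after editing it and again at the next boot, doesn't stack duplicate rules, and it refuses to touch netfilter unless it's running as root with the iptables binary present. The ensure_rule and rule_present function names, the error message and the root/binary guard are my additions; the IPTABLES variable is there so the functions can be exercised against a stand-in instead of the real binary.

```bash
#!/bin/bash
# Example contents for /config/scripts/vyatta-postconfig-bootup.script.
# Added example, not the VyOS default script. The function names and the
# IPTABLES override are assumptions made for this example.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# rule_present TABLE CHAIN RULE...
# Returns 0 if exactly this rule already exists in TABLE/CHAIN.
# "iptables -C" reports presence without changing anything.
rule_present() {
    local table=$1 chain=$2
    shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" >/dev/null 2>&1
}

# ensure_rule TABLE CHAIN RULE...
# Inserts the rule at the top of CHAIN unless it is already there, so the
# script is idempotent. Prints "added" or "kept" so a caller can log it.
ensure_rule() {
    local table=$1 chain=$2
    shift 2
    if rule_present "$table" "$chain" "$@"; then
        echo kept
        return 0
    fi
    if "$IPTABLES" -t "$table" -I "$chain" "$@"; then
        echo added
    else
        echo "postconfig: failed to insert $table/$chain rule: $*" >&2
        return 1
    fi
}

# The rules this box needs beyond what the CLI can express.
# -I puts them ahead of the chains VyOS generates, so compare against
# "iptables-save" (or "iptables -S FORWARD") before adding more.
postconfig_main() {
    ensure_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Only touch netfilter when really running as root with iptables available;
# otherwise just define the functions (e.g. when sourced for testing).
if [ "$(id -u)" -eq 0 ] && [ -x "$IPTABLES" ]; then
    postconfig_main
fi
```

The script has to be executable for VyOS to run it at boot. After a reboot, "iptables -S FORWARD" should list the TCPMSS rule exactly once no matter how many times the script has run; if it doesn't, the chain was flushed by something after the script ran, which is worth knowing before you rely on it for anything security-relevant.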

Looking forward

VyOS 1.2.0 brings improvements to the postconfig script execution and adds some more escape hatches — stay tuned for updates.

9 responses
OpenVPN is a great choice for what is not working. If my VPN provider only supports connecting with user + pass auth. with a server certificate, I can not connect to my provider, because I always need a client certificate with a key. And so there I can never connect to my VPN provider.
Nicholas, VyOS 1.1.8 supports user/password authentication.
set interfaces openvpn vtun0 authentication username jrandomhacker
set interfaces openvpn vtun0 authentication password letmein
Dear Daniil Baturin, I have tested it and I wish that it would work, but I can confirm that it does not. I have tried this workaround: "https://forum.vyos.io/t/openvpn-client-with-use..." And now it's working, without the check. The problem now is that I couldn't update without changing this in the new image. And that workaround only works with the old config backend. VyOS is great and the only open source software in that category which really deserves the name "router". But thanks for your help. NicholasRush
Nicholas, we've tested it with a few providers and it worked for us. I don't argue that if it works for those we've tested it works for all, but to fix the issue we'll need to know what your provider's suggested config is, what your VyOS config for OpenVPN was, and how exactly it failed. Please create a bug report in https://phabricator.vyos.net, or point me to the task if you've created one already.
OK, I will test it again with a vanilla VyOS 1.1.8 install. If it does not work as expected, I will create a bug report.
I have to apologize for my hasty comments, because I should have previously updated to the current image. VyOS is still a great project and I think it's great that you get the work done and the OS evolves. At the moment I only use VyOS privately, but I will take it into the field of consulting for future commercial projects. Thanks again for your help, Daniil Baturin.