I just rebooted my VyOS 1.3.0 router. On reboot, the entire vpn block in my router config had disappeared. In the commit log, the change appears to have been made by root via vyos-boot-config-loader.
How is this possible? How can simply rebooting result in a change to the device configuration (short of changing images or forgetting to run save, neither of which is the case here)?
tobias@vyos# run show system commit |head -n 2
0 2022-01-13 17:40:58 by root via vyos-boot-config-loader
1 2022-01-13 17:12:55 by tobias via cli
tobias@vyos# compare 1|head -n 2
-vpn {
- ipsec {
The config in question was added and saved weeks ago, and the change I made immediately before the reboot-generated change DID persist across the reboot:
I don’t see anything clearly related in /var/log/messages, but it’s always possible I’m not looking for the right things (commits, references to ipsec or vpn, etc.).
I tried rolling back to the previous config, and again that entire block was wiped.
# rollback 1
Proceed with reboot? [confirm]
… wait for reboot …
tobias@vyos:~$ show system commit|head -n 4
0 2022-01-13 18:07:33 by root via vyos-boot-config-loader
1 2022-01-13 18:03:02 by tobias via other
2 2022-01-13 17:40:58 by root via vyos-boot-config-loader
3 2022-01-13 17:12:55 by tobias via cli
tobias@vyos:~$ show system commit diff 3|head -n 2
[edit protocols static]
+route 0.0.0.0/0 {
tobias@vyos:~$ show system commit diff 2|head -n 2
-vpn {
- ipsec {
tobias@vyos:~$ show system commit diff 1|head -n 2
+vpn {
+ ipsec {
tobias@vyos:~$ show system commit diff 0|head -n 2
-vpn {
- ipsec {
It sounds like you’ve hit a bug. Your config was there, saved, but when it’s been parsed on reboot, it’s been ignored due to a problem.
Do you have a copy of the config file on the device? Look in /config/archive and examine those files.
If you can find your config saved in one of those, it would be worth logging a Phabricator ticket and uploading your config there (sanitized) and explaining in detail what happened.
I worked backwards by recreating the config manually and discovered that this is the problematic line:
set vpn ipsec site-to-site peer w.x.w.z dhcp-interface 'eth0'
When attempting to commit this change manually, VyOS says:
VPN configuration error: The specified interface is not configured for dhcp.
[[vpn]] failed
Commit failed
[edit]
The problem appears to be that VyOS allowed me to switch eth0 from DHCP to static (in a prior commit), but it did not also require me to delete this setting at that time.
Hi @fernando, thanks for reproducing this and making the bug! I tried to create the bug myself, but I’m afraid I am stuck on this screen for a couple days. Do you happen to have permission to approve my account?