VyOS
VyOS is an open-source network operating system based on Debian GNU/Linux, designed as a versatile platform for routing, firewalling, VPN services, and network automation across bare metal, cloud, and edge environments.[1][2] It competes with commercial networking products by offering enterprise-grade features without per-device licensing fees, running on commodity x86-64 hardware with modest memory requirements (32-bit i586 images were also offered in the 1.1 era, and ARM64 builds have existed as experimental ports). Official LTS binary images are available only to subscribers and contributors, a model in place since the 1.2 release, while the source code and rolling-release images are freely available.[2][3]

The project originated in late 2013 as a community-driven fork of Vyatta Core 6.6R1, following Brocade's acquisition of Vyatta in 2012 and the subsequent discontinuation of its open-source edition.[4] Vyatta itself had launched in 2006 as a Debian-based router OS with free and proprietary variants; after Brocade closed the community resources, developers preserved and advanced the GPL-licensed codebase under OSI-approved licenses, primarily GPLv2 and LGPLv2.[4] The first major release, codenamed Hydrogen (1.0), arrived on December 22, 2013, addressing bugs inherited from Vyatta and introducing scripting enhancements.[4] Subsequent releases expanded capabilities: Helium (1.1) in 2014 added L2TPv3 and VXLAN support; Crux (1.2) in 2019 moved to Debian Jessie with a modular build system, became the first long-term support (LTS) release, and began the constellation naming scheme; Equuleus (1.3) in 2021 added SSTP VPN and virtual routing and forwarding (VRF) and was supported until 2025; Sagitta (1.4), released in 2024, is the current LTS release, supported at least until 2026.[4][5][6] VyOS maintains rolling releases for testing and LTS branches for stability, with development funded through community contributions and commercial support from VyOS Networks (formerly Sentrium SL, founded in 2014).[4][2][7]

Key features include dynamic routing protocols such as BGP, OSPF, RIP, IS-IS, and MPLS with LDP; VPN options including IPsec, OpenVPN, and WireGuard; stateful and zone-based firewalls with NAT; and automation tooling including an HTTP API (REST and GraphQL), cloud-init integration, and Ansible compatibility.[2] High availability is supported via VRRP and ECMP, making it suitable for enterprise, service provider, and edge computing scenarios.[2] As of 2025, VyOS is deployed by over 1,000 businesses worldwide, including Fujitsu and Google, with the project emphasizing transparency, auditability, and cost-effectiveness.[2]

Overview
Introduction
VyOS is an open-source network operating system based on Debian GNU/Linux, serving as a routing platform for firewalls, routers, and VPN appliances. Its LTS branches receive extended security maintenance, and the project emphasizes flexibility and transparency in networking deployments.[2] VyOS targets the x86-64 architecture and runs on bare-metal hardware, on hypervisors such as KVM and VMware, and on major cloud providers including AWS, Azure, and GCP, so the same image and configuration syntax can be used across on-premises, virtualized, and cloud infrastructure without vendor-specific constraints.[2]

At its core, VyOS delivers enterprise-grade networking in an open-source package, positioning it as a cost-effective alternative to proprietary systems such as Cisco IOS and Juniper Junos. Its command-line interface (CLI) uses a unified syntax across operational and configuration modes, modelled on Junos-style commands, which eases administration and automation for engineers familiar with that style.[4][8] For enterprise users, VyOS offers optional subscription-based support covering LTS images, software updates, maintenance, and professional assistance for production use.[3]

Technical Architecture
VyOS is built on Debian GNU/Linux, which provides a stable and minimal base for network operations. The resulting installation footprint is small: 1 GB of RAM is the documented minimum and 2 GB is recommended for typical deployments.[1][2][9]

Packet processing relies on the Linux kernel and its Netfilter framework. Firewalling is implemented with nftables in 1.4 and later (iptables in earlier releases), giving direct access to kernel-level packet filtering for stateful inspection and rule-based traffic control. Although the kernel also supports eBPF for programmable filtering, VyOS relies primarily on Netfilter hooks, so the data plane runs on the stock kernel without custom modules for filtering.[10][11]

Dynamic routing is provided by FRRouting (FRR), an open-source suite that acts as the control plane for BGP, OSPF, IS-IS and other protocols. FRR programs its results into the kernel forwarding table, allowing VyOS to manage complex routing tables and policy-based forwarding while remaining interoperable with standards-based equipment.[12][13]

A VyOS-specific component is the configuration management layer (the vyos-1x Python backend together with the configuration daemon inherited from Vyatta), which parses the CLI into a configuration tree and renders backend configuration for the individual services. The active configuration is stored as a single tree in /config/config.boot, so the entire system state has one hierarchical representation that supports atomic commits, revision comparison, and rollback. This layer unifies otherwise separate components, such as firewall rules and routing, under one interface and abstracts the details of each backend.[14][15][16]

VyOS has a modular design: it draws on Debian's package ecosystem, so upstream and custom packages can be managed with dpkg and added without rebuilding the core image. Container support is integrated natively through the container configuration tree, which runs OCI images with Podman alongside the routing functions.[17][15][18] The boot process uses the GRUB bootloader to select an image, supporting ISO files for live testing, USB drives for portable installation, or pre-built AMIs for cloud environments such as AWS. Persistence is achieved with an overlay filesystem layered over a read-only squashfs root, so user configuration and customizations survive reboots and image upgrades while the image itself stays intact.[19][20][21]

History
Origins and Fork
VyOS originated as a community-driven fork of Vyatta Core version 6.6R1, started in September 2013 after Vyatta's acquisition by Brocade Communications Systems in 2012 and the subsequent discontinuation of the open-source edition.[4] Brocade prioritized the proprietary Vyatta Subscription Edition (later renamed Brocade vRouter) and shut down community resources such as the forums and bug tracker, leaving the free version stagnant.[4] A group of developers led by Daniil Baturin therefore forked the GPL-licensed portions of Vyatta Core to preserve its open-source nature and continue development under free software principles.[22]

The initial fork required significant codebase cleanup to make the project independent of Vyatta's ecosystem, including removal of proprietary components that had been integrated into the original.[4] Built on Debian Squeeze (version 6), the early VyOS codebase focused on stabilizing core routing functions while keeping Vyatta's command-line interface (CLI) compatible.[4] Developers preserved the familiar Vyatta syntax to ease migration for existing users, with plans to move to newer Debian releases such as Wheezy in later iterations.[22] The project was publicly announced on October 9, 2013, through mailing lists and forums, with the complete source fork hosted on GitHub and a commitment to ongoing community contributions.[4] A follow-up blog post on October 13 described the fork's structure, including branches for building bootable ISOs and updated submodules to simplify development.[23]

Early development had to deal with legacy defects in Vyatta 6.6, such as broken behaviour in routing protocols and network address translation (NAT). Pre-release builds fixed these, including IPv4 BGP peer groups and NAT rule processing, to restore functionality and prevent peering disruptions.[4] These efforts culminated in the first stable release, Hydrogen 1.0, on December 22, 2013, which established the project as an independent open-source router platform.[4]

Company Evolution
In 2014, VyOS maintainers established Sentrium S.L. in Spain as a commercial entity to fund ongoing development through support services, consulting, and prebuilt long-term support (LTS) images.[4] Under Sentrium's stewardship, VyOS 1.2 (Crux) was released on January 28, 2019, the first release built with the new modular build system on Debian Jessie, which stabilized the platform for broader adoption.[24][4] To sustain development while keeping the core open source, Sentrium introduced subscription-based access to LTS images in late 2018, with pre-orders ahead of the 1.2 rollout and formal availability in early 2019; subscribers receive verified binaries and extended support, while community builds remain free.[25] On October 9, 2024, Sentrium S.L. was renamed VyOS Networks Iberia S.L. and became a subsidiary of the U.S.-based VyOS Networks Corporation, consolidating global operations while keeping an engineering presence in Spain.[26][7] In 2024 the project also restricted easy reproduction of LTS images from its GitHub build repositories, a change intended to curb misuse and encourage contributions; the restriction prompted community forks of the build tooling.[27] Source availability was subsequently addressed through published source tarballs: the VyOS Stream channel, announced in June 2024 with its first quarterly images in early 2025, serves as a technology preview of the next LTS and ships with downloadable source so that builds can be verified independently.[28][29]

Features
Networking and Routing
VyOS provides robust networking and routing capabilities as a Linux-based network operating system, enabling it to function as a versatile router for enterprise and service provider environments.[9] At its core, VyOS uses the FRRouting (FRR) suite for dynamic routing, supporting a range of protocols for scalable path selection in complex networks.[12] Administrators configure interior and exterior gateway protocols under the protocols tree in configuration mode and inspect their state with operational show commands, keeping the workflow consistent with standard networking practice.[30]

For dynamic routing, VyOS supports BGP for inter-domain routing, including full-table peering at internet exchange points and in large-scale deployments on appropriately equipped hardware.[9] It also includes OSPFv2 and OSPFv3 for link-state routing within autonomous systems, RIP and RIPng for simple distance-vector updates in small networks, and IS-IS for fast-converging topologies often used in service provider backbones.[31] MPLS with LDP enables label distribution for traffic engineering and VPN services, building label-switched paths that forward on labels rather than on the IP routing table.[32] Static routing offers manual route configuration for predictable path control, where administrators define next-hop addresses and administrative distances to override dynamic decisions.[33] Policy-based routing (PBR) extends this with route maps and prefix lists that match traffic on source or destination criteria, enabling traffic engineering such as load balancing across multiple uplinks or selective path selection for specific flows.[34]

Interface management covers Layer 2 and Layer 3 features. VLANs compliant with IEEE 802.1Q allow trunking and sub-interface segmentation on Ethernet ports, with both single and double tagging (QinQ) for service provider scenarios.[35] Bridges forward frames by MAC address, and bonding with LACP aggregates multiple physical links into a resilient, high-bandwidth logical interface.[36][37] VRF instances isolate routing tables for multi-tenant environments, and GENEVE tunnels support overlay networks for virtualization by encapsulating Ethernet frames over UDP for data center interconnects.[38][39] Packet forwarding scales to 100 Gbps-class throughput on multi-core hardware, benefiting from Linux kernel features such as multi-queue NIC drivers and receive-side scaling.[9] In later versions, integration with the Vector Packet Processing (VPP) dataplane and DPDK adds kernel-bypass acceleration that reduces latency and approaches wire speed on supported NICs such as the Intel E810 or Mellanox ConnectX series.[40]

IPv6 is natively supported with dual-stack operation, so IPv4 and IPv6 addressing coexist on interfaces.[41] Neighbor Discovery (ND) handles address resolution and duplicate address detection, while Router Advertisements (RA) provide prefix and host configuration on LAN segments.[42] OSPFv3 extends link-state routing to IPv6, transition mechanisms such as 6to4 tunnels (implemented with SIT encapsulation) carry IPv6 over IPv4 networks, and NAT64 provides stateful translation between the address families.[31][43][44]

Quality of Service (QoS) uses the Linux traffic control (tc) subsystem for granular traffic management. Shaping limits outbound rates to prevent congestion, policing enforces ingress bandwidth caps by dropping excess packets, and classification rules based on protocols, ports, or ACLs prioritize flows within hierarchical queues.[45] These capabilities support reliable performance for voice, video, and critical applications in bandwidth-constrained environments.[46]

Security and VPN
VyOS provides a stateful firewall built on nftables since version 1.4 (iptables in earlier versions). Connection tracking covers IPv4 and IPv6, so rulesets can match packet state (new, established, related, invalid) to enforce policy. Zone-based firewalling groups interfaces into logical security zones and applies policies between zones, avoiding per-interface rule duplication.[10][47][48] A practical point when moving from 1.3 to 1.4 is that the firewall syntax changed with the nftables backend (rulesets now live under firewall ipv4 and firewall ipv6), so configurations are migrated by the upgrade scripts rather than copied verbatim.

For intrusion detection and prevention, VyOS integrates Suricata, an open-source IDS/IPS that analyses packets in real time to identify and block suspicious activity; it supports protocol analysis, file extraction, and logging for forensic use, and can run inline for active prevention. MACsec (IEEE 802.1AE) provides link-layer encryption with confidentiality, authenticity, and integrity using the GCM-AES-128 or GCM-AES-256 cipher suites on supported Ethernet interfaces.[49][50]

VyOS supports multiple VPN protocols for site-to-site and remote-access connectivity. OpenVPN runs as server or client over a single TCP or UDP connection, traverses NAT reliably, and can use Data Channel Offload (DCO) for better throughput. WireGuard, available since version 1.2, provides a simple, high-speed VPN with modern cryptography for peer-to-peer tunnels. IPsec, implemented with strongSwan, supports both policy-based and route-based (Virtual Tunnel Interface, VTI) site-to-site VPNs as well as remote-access setups authenticated with pre-shared keys, certificates, or EAP methods. SSTP, introduced in version 1.3, tunnels PPP over TLS on the standard HTTPS port, which helps it pass through restrictive networks.[51][52][53][54]

DDoS mitigation includes firewall rate limiting to cap packet flows, kernel SYN cookies against SYN floods, and strict reverse path forwarding (RFC 3704) against source-address spoofing. Certificate management is handled by the PKI subsystem, which can obtain and renew certificates automatically via the ACME protocol with providers such as Let's Encrypt for services like VPN endpoints and the web interface.[55][56][57] Local user logins, including SSH, can require a one-time password (OTP) as a second factor; this protects interactive logins only, so HTTP API keys, SNMP credentials, and VPN secrets still need their own protection. Audit logging records configuration changes and system events through syslog, which can be sent to local files, the console, or remote servers for compliance and monitoring.[58][59]

Management and Configuration
VyOS employs a hierarchical command-line interface (CLI) with separate operational and configuration modes. In operational mode, administrators run monitoring and troubleshooting commands such as show interfaces to display interface status or show ip route to view the routing table.[14] The configure command enters configuration mode, where changes are made with set and delete and applied with commit; for instance, set interfaces ethernet eth0 address dhcp assigns a DHCP address to an interface, but nothing takes effect until commit, and commit is atomic for the whole set of pending changes.[14] The tree-based structure is navigated with edit, up, top, and exit, giving context-aware editing similar to other network operating systems.[14]
Configuration persistence relies on a single file, /config/config.boot, which stores the active configuration as a brace-delimited tree. Management utilities include load to import from local or remote sources (e.g., SCP or FTP), save to write to /config/config.boot or an external URI, compare to diff the working configuration against the active one or two saved revisions against each other (compare N M for revisions N and M), and show system commit diff <number> to review the changes of a past commit.[14] Because config.boot holds password hashes, VPN pre-shared keys, and API keys in the clear, copies taken for backup or version control need the same protection as the router itself. VyOS also uses Jinja2 templating, both internally to render backend service configuration and in automation tools such as Ansible, where templates define reusable parameter-driven setups for deployment across many devices.[60][61]
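The brace-delimited tree in /config/config.boot, the set-command form used in configuration mode, and the compare operation described above can all be modelled with a small parser. The following script is an added example written for this article, not VyOS project code; the config.boot excerpt inside it is constructed for illustration (1.4-style firewall syntax), and the nested-dict representation is an assumption of this example rather than the internal format of the VyOS backend.

```python
"""Model the VyOS configuration tree: parse config.boot, emit 'set' commands,
and diff two trees the way 'compare' does.  Added example, not VyOS code."""
import shlex

# Constructed config.boot excerpt (1.4-style syntax), not from a real device.
SAMPLE_CONFIG_BOOT = """\
interfaces {
    ethernet eth0 {
        address 192.0.2.1/24
        address 2001:db8::1/64
        description "WAN uplink"
    }
    ethernet eth1 {
        address 10.0.0.1/24
    }
}
firewall {
    ipv4 {
        name WAN-IN {
            default-action drop
            rule 10 {
                action accept
                state established
                state related
            }
        }
    }
}
service {
    ssh {
        disable-password-authentication
        port 22
    }
}
// vyos-config-version: "firewall@15:interfaces@32:ssh@2"
"""

def _insert(tree, path):
    """Create every word of 'path' as a nested key; an empty dict is a leaf."""
    node = tree
    for word in path:
        node = node.setdefault(word, {})

def parse_config_boot(text):
    """Nested dict: a line ending in '{' opens a node, '}' closes, else leaf."""
    tree, stack = {}, []            # stack: the words of each open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//") or line.startswith("/*"):
            continue                # blank lines and the version trailer
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        opens_block = line.endswith("{")
        words = shlex.split(line[:-1] if opens_block else line)
        _insert(tree, [w for block in stack for w in block] + words)
        if opens_block:
            stack.append(words)
    if stack:
        raise ValueError("unterminated block: " + " ".join(stack[-1]))
    return tree

def flatten(tree, prefix=()):
    """Yield each leaf path as a tuple of words, one per 'set' command."""
    if not tree:
        if prefix:
            yield prefix
        return
    for word, child in tree.items():
        yield from flatten(child, prefix + (word,))

def _render(op, path):
    return op + " " + " ".join(shlex.quote(w) for w in path)

def to_set_commands(tree):
    """The 'show configuration commands' view of a tree."""
    return [_render("set", p) for p in flatten(tree)]

def compare(old, new, prefix=()):
    """(deletes, sets) turning 'old' into 'new': one 'delete' at the highest
    node absent from 'new', one 'set' per leaf path present only in 'new'."""
    deletes, sets = [], []
    for word, child in old.items():
        if word not in new:
            deletes.append(_render("delete", prefix + (word,)))
        else:
            sub_del, sub_set = compare(child, new[word], prefix + (word,))
            deletes.extend(sub_del)
            sets.extend(sub_set)
    for word, child in new.items():
        if word not in old:
            sets.extend(_render("set", p) for p in flatten(child, prefix + (word,)))
    return deletes, sets

if __name__ == "__main__":
    active = parse_config_boot(SAMPLE_CONFIG_BOOT)
    print("\n".join(to_set_commands(active)))
    proposed = parse_config_boot(SAMPLE_CONFIG_BOOT.replace("port 22", "port 2222"))
    del proposed["interfaces"]["ethernet"]["eth1"]   # simulate removing an interface
    deletes, sets = compare(active, proposed)
    print("\n".join(deletes + sets))
```

The model deliberately has no schema, so it cannot tell a single-valued leaf (port) from a multi-valued one (address); on a real router a single set of the new port would replace the old value, whereas here the diff emits a delete and a set. Note also that the example treats multi-word values only when they are quoted exactly as at the CLI prompt.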
Monitoring capabilities include built-in support for SNMPv2 and SNMPv3, configurable under service snmp to expose device metrics to network management systems via community strings or user-based authentication with encryption.[62] Real-time system insights are available through show log for viewing syslog entries and monitor traffic interface <name> for packet capture on specific interfaces, leveraging tcpdump for detailed traffic analysis.[63] While NetFlow and sFlow export via pmacct is available for flow-based monitoring, primary emphasis is on these native CLI tools for operational diagnostics.[64]
Upgrades are image based: the add system image command installs a new release alongside the existing ones in /boot, so several releases coexist on the same system.[21] Rollback is achieved by choosing a default boot image with set system image default-boot <image-name> and rebooting, or by selecting an image from the GRUB menu; the running configuration is copied into the new image at install time, so each image carries its own configuration state.[21] The configuration can be exported as JSON with show configuration json (available in 1.4), which eases integration with external tools; the CLI itself is defined by XML interface definitions, which is what allows the configuration tree to be handled programmatically.[65][14]
The HTTP API, introduced in VyOS 1.3, gives programmatic access to operational commands, image management, and configuration changes through endpoints such as /configure for set and delete operations, /retrieve for reading the configuration, /config-file for save and load, and /image for adding images.[66][67] Requests are authenticated with API keys configured under service https api keys and sent as a form field with each request, so the listener should be reachable only from management networks and clients must verify the router's TLS certificate rather than disabling verification. The API integrates with orchestration platforms such as Ansible and SaltStack or with custom scripts for automated workflows.[68]
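A minimal client for the endpoints above, written as an added example for this article rather than taken from VyOS or its documentation. The endpoint names and the JSON operation shape (data carrying {"op": ..., "path": [...]} plus a key field) follow the documented API; the router address, API key, command list, and CA file in the main block are constructed placeholders, and the helper that turns CLI strings into operations is this example's own convention.

```python
"""Build and send VyOS HTTP API requests.  Added example for this article, not
VyOS project code.  Host, key, CA file and command list are placeholders."""
import json
import shlex
import ssl
import urllib.parse
import urllib.request

CONFIGURE_OPS = {"set", "delete", "comment"}   # operations /configure accepts


def build_operations(commands):
    """Turn CLI-style 'set ...'/'delete ...' strings into /configure operations.

    Every word becomes one path element, so multi-word values must be quoted
    exactly as they would be at the CLI prompt.
    """
    ops = []
    for cmd in commands:
        words = shlex.split(cmd)
        if len(words) < 2 or words[0] not in CONFIGURE_OPS:
            raise ValueError("not a configure command: %r" % cmd)
        ops.append({"op": words[0], "path": words[1:]})
    return ops


def encode_form(payload, key):
    """Form body for the API: 'data' carries the JSON, 'key' the API key."""
    return urllib.parse.urlencode({"data": json.dumps(payload), "key": key}).encode()


def decode_form(body):
    """Inverse of encode_form, handy for checking what would go on the wire."""
    fields = dict(urllib.parse.parse_qsl(body.decode()))
    return json.loads(fields["data"]), fields["key"]


def check_response(text):
    """Raise if the API reported failure; otherwise return its 'data' field."""
    reply = json.loads(text)
    if not reply.get("success"):
        raise RuntimeError("API error: %s" % reply.get("error"))
    return reply.get("data")


def call(base_url, endpoint, payload, key, cafile):
    """POST one request.  TLS is verified against 'cafile' (the CA that issued
    the router's certificate).  Do not disable verification to accept a
    self-signed certificate: the API key travels in the request body."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(base_url + endpoint, data=encode_form(payload, key))
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return check_response(resp.read().decode())


def apply_commands(base_url, commands, key, cafile, verify_path):
    """Send a batch to /configure (one commit for the whole list), then read
    back the subtree at 'verify_path' from /retrieve to confirm the result."""
    call(base_url, "/configure", build_operations(commands), key, cafile)
    return call(base_url, "/retrieve", {"op": "showConfig", "path": verify_path}, key, cafile)


if __name__ == "__main__":
    # Placeholders: the router address, a key created with
    # 'set service https api keys id <name> key <key>', and the CA bundle
    # that issued the router's certificate.
    print(apply_commands("https://router.example.net", [
        "set service ssh port 2222",
        "delete service ssh disable-password-authentication",
    ], "REPLACE-WITH-API-KEY", "/etc/ssl/certs/router-ca.pem", ["service", "ssh"]))
```

Batching several operations in one /configure call matters operationally: the router commits them together, so a partially applied change set cannot leave the device in an inconsistent state between requests.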
For high availability, VyOS implements VRRP through the keepalived daemon, enabling failover clustering across routers sharing a virtual IP. Configuration occurs under high-availability vrrp group <name>, specifying interface, VRID (1-255), virtual address, and priority (default 100, higher wins election); preemption is enabled by default but can be delayed or disabled.[69] Status verification uses show vrrp, displaying states like MASTER or BACKUP, with multicast keepalives ensuring segment-limited synchronization.[69]
Releases
Major Versions
VyOS major versions are a series of stable long-term support (LTS) releases, each building on the previous with advances in networking capabilities, security, and system architecture. The first two releases were codenamed after chemical elements (Hydrogen, Helium); from 1.2 onward the codenames are constellations, reflecting the project's progression from its origins as a Vyatta Core fork. Each version updates the underlying Debian base and introduces features for routing, firewalling, and VPN.

The 1.0.x series, codenamed Hydrogen, was released on December 22, 2013, on Debian 6 (Squeeze). It stabilized the fork from Vyatta Core by fixing critical issues in the routing protocols, including BGP and OSPF, with specific fixes for IPv4 BGP peer groups and the DHCPv6 relay.[4] Version 1.1.x, Helium, arrived on October 9, 2014, still on Debian 6, with IPv6 improvements such as better event handling, experimental L2TPv3 and VXLAN support, and stability fixes.[4] The 1.2.x series, Crux, followed on January 28, 2019, on Debian 8 (Jessie). It was the first LTS release and introduced OpenVPN enhancements (multiple local and remote addresses), WireGuard, an mDNS repeater, unicast VRRP, and the modular build system.[24][4] Released on December 21, 2021, the 1.3.x series (Equuleus) moved to Debian 10 (Buster) and added SSTP VPN, virtual routing and forwarding (VRF), an IPoE server, OpenConnect VPN, IS-IS routing, and MPLS/LDP; it reached end of life in 2025.[70][71][4][72] The latest major version, 1.4.x (Sagitta), launched on February 22, 2024, on Debian 12 (Bookworm). It migrated the firewall to nftables, added MACsec link-layer encryption and IKEv2 road-warrior VPN, and improved cloud-init support for deployment in virtual environments; the most recent update, 1.4.3 LTS, was issued in July 2025.[6][2][73][74] VyOS maintains an end-of-life policy for LTS versions, providing several years of support after release, including security patches.[75][2][72]

Release Channels
VyOS maintains three primary release channels, ranging from stable production branches to experimental development builds. The Long Term Support (LTS) channel provides stable branches, such as the 1.4.x series, recommended for production because of their stability and reliability.[76] These releases undergo extensive testing and receive mostly bug fixes and security patches over an extended support period, for 1.4 until at least 2026 and possibly longer depending on demand.[6] The Rolling Release channel offers nightly builds generated automatically from the current development branch using GitHub Actions, incorporating the latest commits from maintainers and community contributors.[77] Intended for users testing bleeding-edge features, these builds pass automated smoke tests but carry no stability guarantees, and features may change or be removed without notice.[77] They are freely available from the releases of the vyos/vyos-nightly-build GitHub repository; each image is signed with minisign, and the signature should be checked before installation (minisign -Vm <image> -P <public key>, with the public key obtained from the project rather than from the same download location).[78]
Announced on June 27, 2024, the VyOS Stream channel serves as a technology preview and quality gate for upcoming LTS releases: each preview is branched and then stabilized so that it starts from a known state rather than tracking every rolling commit.[79] It provides quarterly snapshots, such as 1.5-2025-Q1 and 1.5-2025-Q2, carrying experimental changes like kernel upgrades while keeping configuration changes forward compatible and following a formal deprecation process for removals.[28] In 2025, the 1.5 Circinus previews have emphasized performance work, including a planned improvement to the NetFlow sensor by replacing pmacct with alternatives such as ipt-netflow to cut CPU overhead under high traffic.[80] Images are released roughly every quarter with accompanying source tarballs for verification.[81]
VyOS images across channels, including ISO and OVA formats, are built with GitHub Actions workflows, and the source is available for custom builds: LTS sources for subscribers via the support portal and rolling sources openly.[20] Upgrades within the same major version are performed in place with the add system image command, which installs the new image alongside the old one and carries the configuration across.[82] Major-version upgrades can use the same command, because migration scripts convert the configuration on first boot, but the release notes should be checked for removed or renamed nodes beforehand and a saved copy of the configuration kept, with the previous image left in place for rollback; a clean reinstallation remains the conservative option where the configuration uses features whose syntax changed substantially.[83]