
Releases: NHAS/wag

v9.1.12

24 Jun 00:02


This release closes a couple of bugs that were discovered.

Fixes:

  • Wag did not validate the DNS option the same way as wg-quick, meaning that users could not add a search domain. Wag now accepts any domain in the DNS entry; such entries are no longer resolved to an IP address and added to the routing table. #266
  • On logout from an OIDC session the user is now prompted to click a button to log in #227
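To make the DNS fix concrete, the following added example (written for this page, not wag's own code) parses a DNS value the way wg-quick(8) documents it: IP literals become nameservers and any non-IP entry becomes a search domain. Only the nameserver addresses are candidates for host routes; search domains are checked for hostname syntax but are never resolved. The type and function names are this example's own.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// DNSConfig holds what wg-quick derives from an [Interface] DNS = line:
// IP addresses are nameservers, everything else is a search domain.
type DNSConfig struct {
	Nameservers   []netip.Addr
	SearchDomains []string
}

// ParseDNSEntry splits a comma-separated DNS value into nameserver addresses
// and search domains. Search domains are validated syntactically only; they
// are never resolved, so they can never leak into the routing table.
func ParseDNSEntry(entry string) (DNSConfig, error) {
	var cfg DNSConfig
	for _, raw := range strings.Split(entry, ",") {
		field := strings.TrimSpace(raw)
		if field == "" {
			continue
		}
		if addr, err := netip.ParseAddr(field); err == nil {
			cfg.Nameservers = append(cfg.Nameservers, addr)
			continue
		}
		if !validSearchDomain(field) {
			return DNSConfig{}, fmt.Errorf("invalid DNS entry %q", field)
		}
		cfg.SearchDomains = append(cfg.SearchDomains,
			strings.ToLower(strings.TrimSuffix(field, ".")))
	}
	return cfg, nil
}

// validSearchDomain is a conservative RFC 1123 hostname check so that junk
// such as "8.8.8.8/24" or "bad domain" is rejected instead of silently
// becoming a search domain.
func validSearchDomain(s string) bool {
	s = strings.TrimSuffix(s, ".")
	if len(s) == 0 || len(s) > 253 {
		return false
	}
	for _, label := range strings.Split(s, ".") {
		if len(label) == 0 || len(label) > 63 {
			return false
		}
		for i, c := range label {
			alnum := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
			hyphenInside := c == '-' && i != 0 && i != len(label)-1
			if !alnum && !hyphenInside {
				return false
			}
		}
	}
	return true
}

// RouteTargets returns the only addresses a tunnel should add to the routing
// table for this DNS configuration: the nameservers, as host routes.
func RouteTargets(cfg DNSConfig) []netip.Prefix {
	routes := make([]netip.Prefix, 0, len(cfg.Nameservers))
	for _, ns := range cfg.Nameservers {
		routes = append(routes, netip.PrefixFrom(ns, ns.BitLen()))
	}
	return routes
}

func main() {
	// Constructed input: two nameservers and two search domains.
	cfg, err := ParseDNSEntry("10.0.0.53, 2001:db8::53, corp.example, lab.corp.example.")
	if err != nil {
		panic(err)
	}
	fmt.Println("nameservers:", cfg.Nameservers)   // [10.0.0.53 2001:db8::53]
	fmt.Println("search:", cfg.SearchDomains)      // [corp.example lab.corp.example]
	fmt.Println("routes:", RouteTargets(cfg))      // [10.0.0.53/32 2001:db8::53/128]
}
```

Rejecting malformed non-IP entries rather than passing them through is the one place this example is stricter than wg-quick; it keeps a typo in the DNS field from turning into an unintended search domain.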

Features:

  • Client MTU can now be set when creating a registration token #265

v9.1.10

17 Jun 23:50
ba8e6fa


This release fixes a UI bug in the webhooks/automation dialog which prevented choosing JSON object attributes to use. #263

v9.1.7

12 Jan 03:33


This release fixes a bug which prevented administrative users from uploading custom certificates to anything but the management interface, and a bug where WebAuthn would fail behind reverse proxies.

Fixes:

  • Certificate upload inputs are now correctly assigned to their respective servers, fixes #238
  • WebAuthn, when used behind a reverse proxy (on the VPN tunnel), now uses the correct origin. The origin wag checks has to be the public-facing one the browser records in clientDataJSON, not the address the proxy forwards to.

Changes:

  • Docker build is now faster

v9.1.7-beta

06 Jan 23:20


Pre-release

This is a pre-release and is not formally marked as stable, though it probably is.

Fixes:

  • WebAuthn should now work behind a reverse proxy
  • Adding custom certificates to the various HTTP servers should now work correctly

v9.1.6

30 Nov 05:29


This release brings some bug fixes.

Fixes:

  • ACME TLS certificate provisioning is now more stable and no longer reports errors
  • The OIDC provider no longer appends two ports to the callback domain
  • Tests for URL determination and certmagic TLS object storage now run properly

v9.1.4

10 Oct 07:39


This release fixes a number of small bugs discovered by @ilsaloving-gander.

Fixes:

  • Wag no longer crashes on startup if two listening addresses both use port 80/tcp #208
  • The config -put command now works properly to push values into the database #210
  • Static certificates will now be properly loaded and set as "in use" on first run if defined #212

Thanks to @ilsaloving-gander for the help!

v9.1.2

11 Sep 09:48


This release improves auto-provisioned TLS, reduces MFA portal lag when a large number of rules are displayed, and fixes a broken migration that occurs in v9.1.0.

Features:

  • DevMode now enables a pprof handler for remote profiling of wag (the profiling endpoint exposes runtime internals, so leave DevMode off in production)
  • The user UI can now download the /api/status output for easier help desk support

Fixes:

  • In clustered setups sessions are now always marked inactive after the inactivity timeout has expired
  • Clients roaming from one node to another no longer have their session randomly expired by the inactivity timer
  • Cluster node management is now displayed when not using an external etcd cluster
  • ACME HTTP-01 now always starts an 80/tcp listener, except when the user has configured one of their webservers on 80/tcp
  • In v9.0.1 groups may not have had their index created when migrating from older versions of wag; v9.1.1 now migrates the groups properly

v9.1.0

10 Sep 03:59


This release adds automation webhooks, and cleans up a bunch of old and deprecated features.
Additionally there has been a closer focus on testing and correctness to ensure safety. As such there are now more unit tests and the wag unix API has been expanded.

Features:

  • Wireguard.LogLevel can now be used to enable debug mode for WireGuard, since we have moved from the kernel implementation to the wireguard-go project.
  • Webhook automation #178: it is now possible for wag to ingest webhooks to automate the creation of registration tokens and the deletion of users and devices
  • Wag can now use an external etcd cluster #116

Removals:

  • The MFATemplatesDirectory configuration option is no longer valid. It has not been replaced, now that there is a dedicated wag webapp
  • DatabaseLocation has been superseded by Clustering.DatabaseLocation, as sqlite3 migration has now been dropped.
  • Proxied has been replaced by NumberOfProxies, as a single boolean is not enough information to parse X-Forwarded-For: the server has to know how many trailing entries of the header were written by trusted proxies before it can tell which entry is the client
  • wag cleanup has been removed as it is no longer required
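An added example, not wag's code, of why the proxy count matters when reading X-Forwarded-For. Each trusted proxy appends the peer address it accepted the connection from, so with NumberOfProxies set to N the real client is the N-th entry from the right and everything to its left is untrusted input. The function names, the scenario addresses (RFC 5737 documentation ranges) and the Proxied-style lookup shown for contrast are constructions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// parseIP accepts only a bare IP literal.
func parseIP(s string) (net.IP, error) {
	ip := net.ParseIP(strings.TrimSpace(s))
	if ip == nil {
		return nil, fmt.Errorf("not an IP address: %q", s)
	}
	return ip, nil
}

// forwardedHops flattens every X-Forwarded-For header on the request into the
// ordered list it carries: leftmost is whatever the client claimed, rightmost
// is the address the last proxy actually saw.
func forwardedHops(r *http.Request) []string {
	var hops []string
	for _, h := range r.Header.Values("X-Forwarded-For") {
		for _, v := range strings.Split(h, ",") {
			if v = strings.TrimSpace(v); v != "" {
				hops = append(hops, v)
			}
		}
	}
	return hops
}

// ClientIP returns the client address for a request that passed through
// exactly numberOfProxies trusted reverse proxies. The TCP peer is proxy N
// (absent from the header); proxies 1..N-1 wrote the last N-1 header
// entries; the client is the entry just before those. With zero proxies the
// header is ignored and the TCP peer is the client.
func ClientIP(r *http.Request, numberOfProxies int) (net.IP, error) {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return nil, err
	}
	if numberOfProxies <= 0 {
		return parseIP(peer)
	}
	hops := forwardedHops(r)
	if len(hops) < numberOfProxies {
		return nil, errors.New("fewer X-Forwarded-For entries than configured proxies")
	}
	return parseIP(hops[len(hops)-numberOfProxies])
}

// ProxiedClientIP is what a single "Proxied = true" boolean tends to become:
// trust the leftmost entry. Anything the client puts in its own
// X-Forwarded-For header is then accepted verbatim.
func ProxiedClientIP(r *http.Request) (net.IP, error) {
	hops := forwardedHops(r)
	if len(hops) == 0 {
		return nil, errors.New("no X-Forwarded-For header")
	}
	return parseIP(hops[0])
}

// newRequest builds a request as the server sees it after the proxies:
// remote is the TCP peer (the last proxy), xff is the forwarded header.
func newRequest(remote, xff string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://vpn.example/api/status", nil)
	r.RemoteAddr = remote
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	// Constructed scenario: the attacker sends "X-Forwarded-For: 198.51.100.99",
	// proxy 1 (10.0.0.1) appends the real client 192.0.2.10, proxy 2
	// (203.0.113.2) appends proxy 1, and the server accepts the TCP
	// connection from proxy 2.
	r := newRequest("203.0.113.2:4242", "198.51.100.99, 192.0.2.10, 10.0.0.1")
	spoofed, _ := ProxiedClientIP(r)
	actual, _ := ClientIP(r, 2)
	fmt.Println("Proxied=true picks:", spoofed)      // 198.51.100.99 (attacker-chosen)
	fmt.Println("NumberOfProxies=2 picks:", actual)  // 192.0.2.10
}
```

Setting NumberOfProxies higher than the real hop count is also unsafe: the lookup then walks left into attacker-controlled entries, which is why a proxy count should describe the deployment exactly rather than be set generously.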

Fixes:

  • Fixes race condition in shutdown process which could cause dangling firewall rules
  • Firewall rules are now inserted in their own chain for better management

Security fixes:

  • Registration tokens can no longer be used more than their number of uses
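As an added illustration (this is not wag's implementation), the following example shows the property the fix restores: a registration token created with n uses must yield at most n successful registrations even when redemptions race. The read of the remaining count and its decrement happen under one lock, so no two redemptions can both see the last use and both succeed. All names and the sample token are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var (
	ErrUnknownToken   = errors.New("unknown registration token")
	ErrTokenExhausted = errors.New("registration token has no uses remaining")
)

// TokenStore keeps each registration token's remaining use count.
type TokenStore struct {
	mu   sync.Mutex
	uses map[string]int
}

func NewTokenStore() *TokenStore {
	return &TokenStore{uses: make(map[string]int)}
}

// Add registers a token that may be redeemed at most n times.
func (s *TokenStore) Add(token string, n int) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.uses[token] = n
}

// Consume redeems one use of token. Reading the count and decrementing it
// under the same lock is what makes the bound hold: a separate "get, then
// set" would let two concurrent registrations both observe one use left.
func (s *TokenStore) Consume(token string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	left, ok := s.uses[token]
	if !ok {
		return ErrUnknownToken
	}
	if left <= 0 {
		return ErrTokenExhausted
	}
	s.uses[token] = left - 1
	return nil
}

// UsesLeft reports the remaining count (0 for unknown tokens).
func (s *TokenStore) UsesLeft(token string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.uses[token]
}

// RedeemConcurrently launches attempts goroutines that all try to redeem the
// same token at once and returns how many succeeded.
func RedeemConcurrently(s *TokenStore, token string, attempts int) int {
	var wg sync.WaitGroup
	results := make(chan error, attempts)
	for i := 0; i < attempts; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			results <- s.Consume(token)
		}()
	}
	wg.Wait()
	close(results)
	ok := 0
	for err := range results {
		if err == nil {
			ok++
		}
	}
	return ok
}

func main() {
	s := NewTokenStore()
	s.Add("constructed-token", 3)
	fmt.Println("successful registrations:", RedeemConcurrently(s, "constructed-token", 50)) // 3
	fmt.Println("next attempt:", s.Consume("constructed-token"))                               // exhausted
}
```

In a clustered deployment the same rule applies across nodes: the decrement has to be a single atomic operation against the shared store (a compare-and-swap or transaction), not a read on one node followed by a write.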

v9.0.0

15 Jun 22:12


After several months work, wag version 9 is being released.
This release contains a number of major changes and improvements. As this is a major version change it may contain breaking changes; a best effort has been made to port data over from 8.0.1, but as the internal structure for managing groups has changed, this may break.

New Features:

  • Completely redesigned administrative and user MFA pages using a more modern and reactive framework (and it looks good!)
  • ACME
    • Support on all TLS enabled endpoints (management, registration and tunnel).
    • Support for DNS-01 challenge via Cloudflare token
  • MFA portal
    • Uses websockets to realtime update the user whether their account/device is locked
    • Notifications are now built in, a user can allow notifications to be prompted to re-authorise
    • Authorisation page now shows allowed/mfa routes and wag version
  • IPv6 has been partially enabled, routes now support IPv6
  • Cluster errors now give notifications on the administrative page
  • OIDC can now take custom scopes thanks to @mohgho
  • Registration tokens can now define a static IP for the device rather than dynamically assigning a new IP address

Changes:

  • Fonts are now bundled locally within the application, as per #128
  • eBPF and specific kernel versions are no longer required, as this has been moved entirely into Go userspace (bye eBPF 😢)
  • Using GitHub's container registry, the unstable branch is now available to administrators
  • The reload command has been removed as it is redundant per #143
  • Devices now reauthenticate automatically if a user moves quickly and then supplies a challenge (fixes some roaming issues users have)
  • TLSManagerListenURL is no longer a required field, but without it setting up a cluster is not possible
  • SQLite compatibility has now been removed entirely

Breaking changes:

  • OIDC callback has been changed from /authorise/oidc to /api/oidc/authorise/callback due to API redesign
  • /status on the tunnel has now been moved to /api/status
  • /routes on the tunnel has now been moved to /api/routes; this may be temporarily reverted as per #185 targeting 9.0.1

Security Fixes:

  • A number of third party libraries have been updated to remediate issues picked up by dependabot
  • OIDC now correctly associates users by subject rather than by email address, as per #117 (the sub claim is the identifier OIDC guarantees to be unique and stable for an issuer; an email address can change or be reassigned)

Full Changelog: v8.0.1...v9.0.0

v8.0.1

10 Oct 08:52
6389c0f


Adds a fix presented by softScheck for their PAM module.

Due to a copy and paste mistake, retrieving the PAM details was not possible. Now it is!