v0.30.2

What's Changed

• [relay, client] Relay/fix/wg roaming by @pappz in #2691
• [management] Refactor getAccountIDWithAuthorizationClaims by @mlsmaycon in #2715
• [client] Add table filter rules using iptables by @lixmal in #2727
• [relay-server] Move the handshake logic to a separated struct by @pappz in #2648
• [management] Add session expire functionality based on inactivity by @ctrl-zzz in #2326
• [client] Add universal bin build and update sign workflow version by @mlsmaycon in #2738
• [client] Exclude loopback from NAT by @lixmal in #2747
• [misc] Update Zitadel version on quickstart script by @eoksum in #2744
• [management] Fix JSON function compatibility for SQLite and PostgreSQL by @bcmmbaga in #2746

New Contributors

• @eoksum made their first contribution in #2744

Full Changelog: v0.30.1...v0.30.2

v0.30.1

This release fixes a few issues with the network route access controls and a bug with Signal service.

What's Changed

• [management] Remove admin check on getAccountByID by @pascal-fischer in #2699
• [management] Validate peer ownership during login by @bcmmbaga in #2704
• [client] Limit P2P attempts and restart on specific events by @lixmal in #2657
• [management] Propagate error in store errors by @pascal-fischer in #2709
• [misc] Add Link to the Lawrence Systems video by @braginini in #2711
• [management] Make max open db conns configurable by @pascal-fischer in #2713
• [management] Add support to envsub go management configurations by @mlsmaycon in #2708
• [management] Move testdata to sql files by @pascal-fischer in #2693
• [client] Improve route acl by @lixmal in #2705
• [signal] new signal dispatcher version by @pascal-fischer in #2722

Full Changelog: v0.30.0...v0.30.1

v0.30.0

Release Notes for v0.30.0

What's New

Access Control for Network Routes

Starting with version 0.30.0, users can assign access control groups to network routes, offering improved security and traffic restrictions. Route access is now unidirectional, ensuring traffic complies with the specified policies before authorization. This feature enhances the flexibility of network management.

To configure this, follow the documentation: Configuring routes with access control.

Improvements

• Add Access Control for Network Routes: [management, client] Add access control support to network routes #2100
• Remove Redundant Account Token Calls: [management] Remove redundant get account calls in GetAccountFromToken #2615
• Refactor User JWT Group Synchronization: [management] Refactor User JWT group sync #2690

Bug Fixes

• Anonymize Relay Address in Peers View: [client] Anonymize relay address in status peers view #2640
• Check WireGuard Interface Instead of Engine Context: [client] Check wginterface instead of engine ctx #2676
• Close Remote Connection in Proxy: [client] Close the remote conn in proxy #2626
• Fix eBPF Close Function: [client] Fix ebpf close function #2672
• Fix Relay Disconnection Handling: [client] Fix Relay disconnection handling #2680
• Restrict Peer Access for Non-Admins: [management] Restrict accessible peers to user-owned peers for non-admins #2618

Other Changes

• Adjust Relay Worker Log Levels: [client] Adjust relay worker log level and message #2683
• Improve Error Count Formatting: [client] Fix error count formatting #2641
• Refactor Interface Package: [client] Refactor/iface pkg #2646
• Remove Custom Localhost Dialer: [client] Remove usage of custom dialer for localhost #2639
• Add Account Existence Check to AccountManager: [management] Add AccountExists to AccountManager #2694
• Add DB Retrieval Method: [management] Add get DB method to store #2650
• Fix Account Manager Mock Implementation: [management] Fix account manager mock #2695
• Propagate Management Metrics: [management] Propagate metrics #2667
• Remove File Store in Management: [management] Remove file store #2689
• Update Management Docker Image: [management] Update management base docker image #2687
• Improve ZITADEL IDP Error Handling: [management] improve zitadel idp error response detail #2634
• Add Log Setting to Caddy Container: [misc] Add log setting to Caddy container #2684
• Fix IP Range Posture Check Example: [misc] Fix ip range posture check example in API doc #2628
• Update to Goreleaser Version 2: [misc] Specify goreleaser version and update to 2 #2673
• Use Packages to Fetch Latest Version: [misc] Use the pkgs to get the latest version #2682
• Move Signal Message Handling into Dispatcher: [signal] Move dummy signal message handling into dispatcher #2686
• Propagate Signal Metrics: [signal] Propagate metrics #2668
• Add Context to Signal Dispatcher: [signal] add context to signal-dispatcher #2662

New Contributors

• @adasauce made their first contribution in #2634
• @simen64 made their first contribution in #2678

Full Changelog: v0.29.4...v0.30.0

v0.29.4

What's Changed

• Do not block the msg receiving if the wg proxy does not operate by @pappz in #2617
• Exit from processConnResults after all tries by @pappz in #2621

Full Changelog: 0.29.3...v0.29.4

v0.29.3

What's Changed

• [client] Ensure engine is stopped before starting it back by @hurricanehrndz in #2565
• [relay] Change heartbeat timeout by @pappz in #2598
• [client] Fix blocked net.Conn Close call by @pappz in #2600
• [management] Add command flag to set metrics port for signal and relay service, and update management port by @benniekiss in #2599
• [client] Fix get management and signal state race condition by @mlsmaycon in #2570
• [management] fix legacy decrypting of empty values by @bcmmbaga in #2595
• [signal] Fix signal active peers metrics by @pascal-fischer in #2591
• [management] Add transaction to addPeer by @pascal-fischer in #2469
• [client] Fix leaked server connections by @pappz in #2596
• [client] Enforce permissions on Win by @pappz in #2568
• [relay] Add health check attempt threshold by @mlsmaycon in #2609
• [client] Fix race condition while read/write conn status in peer conn by @pappz in #2607
• [client] Cancel the context of wg watcher when the go routine exit by @pappz in #2612

Full Changelog: v0.29.2...v0.29.3

v0.29.2

What's Changed

• [management] Add GCM encryption and migrate legacy encrypted events by @bcmmbaga in #2569
• [misc] Update core github actions by @mlsmaycon in #2584
• Update Go version to 1.23 by @mlsmaycon in #2588
• [management] Add accessible peers endpoint by @bcmmbaga in #2579
• [client] fix: install.sh: avoid call of netbird executable after rpm-ostree installation by @M0Rf30 in #2589
• [client] Fix wg handshake checking by @pappz in #2590
• [misc] Support configurable max log size with var NB_LOG_MAX_SIZE_MB by @mlsmaycon in #2592

Full Changelog: v0.29.1...v0.29.2

v0.29.1

This release improves the relay with better authentication messages. To ensure your system is working properly, you should upgrade your relay and management servers before upgrading your clients.

What's Changed

• [client] Don't overwrite allowed IPs when updating the wg peer's endpoint address by @lixmal in #2578
• [relay] Improve relay messages by @lixmal in #2574
• [relay] change log levels by @pappz in #2580
• Remove pre-release step from workflow by @mlsmaycon in #2583
• [client] Update service package version by @mlsmaycon in #2582

Full Changelog: v0.29.0...v0.29.1

v0.29.0

Release Notes for v0.29.0

What's New

Relay Feature Integration

We are moving away from the TURN relay (coturn) to our own relay implementation based on WebSocket. This new system will ensure that all relayed connections utilize a single TCP port instead of allocating one port per connection as before. It enables the client to attempt a P2P connection in the background while using the Relay for a fast connection between nodes during bootstrap.

We've created an open thread to discuss the new implementation. Feel free to reach out here: #2566

Relay change notes:

• The Advanced Infrastructure scripts and Getting Started scripts have been updated to include support for the new relay.
• Your clients need to be running the updated client versions to take full advantage of the new relay, but don’t worry—these new agents are fully compatible with older nodes.
• Cloud support for the new relay feature is coming soon*.
• iOS and Android support are coming soon.

To deploy the new relay on existing installations, you can follow the steps below:

1. Run a backup of your deployment as documented here: Advanced guide - Backup or Quickstart guide - backup
2. Update your docker-compose.yml, by adding the new service as follows:

  # Relay
  relay:
    image: netbirdio/relay:latest
    restart: unless-stopped
    environment:
    - NB_LOG_LEVEL=info
    - NB_LISTEN_ADDRESS=:<PORT>
    - NB_EXPOSED_ADDRESS=<DOMAIN>:<PORT>
    - NB_AUTH_SECRET=<AUTH_SECRET>
    ports:
      - <PORT>:<PORT>
    logging:
      driver: "json-file"
      options:
        max-size: "500m"
        max-file: "2"

Replace PORT and DOMAIN according to your deployment. For AUTH_SECRET we recommend using a unique key, you can use a command like openssl rand -base64 32 | sed 's/=//g' to generate it.

3. Update your management.json with the new configuration below:

    "Relay": {
        "Addresses": ["rel://<DOMAIN>:<PORT>"],
        "CredentialsTTL": "24h",
        "Secret": "<AUTH_SECRET>"
    },

Update PORT, DOMAIN and AUTH_SECRET with the same values configured in your docker-compose.yml file.

4. Update your environment and redeploy:

docker compose pull
docker compose up -d --force-recreate

Improvements

• Auto Update Geolite: Added automatic updates for Geolite data. #2297
  @benniekiss made this amazing contribution that allows the management service to update the geolocation databases when starting up.

In case you are running NetBird management in restricted locations like China, you can use add the flag --disable-geolite-update to the management command flags to disable the update.

• Support for ECDSA Public Keys: Added support for ECDSA public keys in management. #2461
  @HarryKodden made their first contribution in this change to support ECDSA public keys.

• RPM-Ostree Support: Added installation script support for rpm-ostree-based distros. #2508
  @M0Rf30 made their first contribution in this change to support installations for rpm-ostree-based distros.

• Signal Dispatcher: Introduced signal dispatcher for better signaling. #2373

• PostgreSQL Store Test: Improved test infrastructure for files generation using PostgreSQL store. #2478

• X-Frame-Options Header: Updated dashboard to use X-Frame-Options with the sameorigin header. #2547

• Retry on TUN Creation for Darwin: Improved client handling by retrying TUN creation for Darwin systems. #2564

• Security Upgrade: Upgraded Alpine version from 3.19 to 3.20 to address security concerns. #2548

Bug Fixes

• Fix Deadlock on Auto Connect: Avoided deadlock in client auto-connect with early exit handling. #2528
• Destroy WG Interface on Timeout: Addressed issue where WireGuard interface wasn't destroyed on down timeout. #2435
• Fix Service Down: Corrected the service-down issue in the client. #2519
• Prevent Client Panic: Fixed client panic when there was no connection. #2541
• Error Handling in OpenConnVia: Improved error handling in the openConnVia function. #2560
• Fix Lock on Down: Fixed a lock issue when the service was brought down. #2546

Documentation

• Route API Docs: Updated route API documentation with a new maximum domain number. #2516

Other Changes

• Test Log Reduction: Reduced test log verbosity. #2550
• Update Slack URL: Updated Slack URL in documentation. #2544
• TestRecreation Test: Added TestRecreation unit test in the client. #2558

New Contributors

• @HarryKodden made their first contribution in #2461
• @M0Rf30 made their first contribution in #2508

Full Changelog: v0.28.9...v0.29.0

v0.28.9

What's Changed

• [management] Rename request buffer and update default interval by @pascal-fischer in #2459
• [client] Add test for SetFlagsFromEnvVars by @mlsmaycon in #2460
• [client] Refactor free port function by @mlsmaycon in #2455
• [misc] Bump github.com/docker/docker from 26.1.4+incompatible to 26.1.5+incompatible by @dependabot in #2426
• [misc] Add support for NETBIRD_STORE_ENGINE_POSTGRES_DSN environment variable in setup.env by @arosberg in #2462
• [management] Refactor HTTP metrics by @bcmmbaga in #2476

New Contributors

• @arosberg made their first contribution in #2462

Full Changelog: v0.28.8...v0.28.9

v0.28.8

What's Changed

• [misc] Use docker compose command by @mlsmaycon in #2382
• [client] change default config location on freebsd by @skillcoder in #2388
• [client] Offer only Device Code Flow on FreeBSD by @skillcoder in #2389
• [client] Fix windows binary version by @mlsmaycon in #2390
• [client] On iOS add error handling for getRouteselector by @pascal-fischer in #2394
• [management] Skip network map check if not regular user by @mlsmaycon in #2402
• [management] Improve mgmt sync performance by @lixmal in #2363
• [client] Update dependencies and switch systray library by @bcmmbaga in #2309
• [management] Add batch delete for groups and users by @bcmmbaga in #2370
• [client] Allow setup keys to be provided in a file by @moosetheory in #2337
• [misc] Update bug-issue-report.md to include netbird debug cmd by @lixmal in #2413
• [client] Parse data from setup key by @mlsmaycon in #2411
• [misc] Update bug-issue-report.md to include anon flag by @lixmal in #2412
• [management] Prevent removal of All group from peers during user groups propagation by @bcmmbaga in #2410
• [client] Upgrade fyne version to fix freezing routes window by @mlsmaycon in #2417
• [client] Mtls support by @Foosec in #2188
• [client] Update PNG systray disconnected icon by @lixmal in #2428
• [misc] Fix linting Issues by @bcmmbaga in #2427
• [misc] Update Slack invite link by @mlsmaycon in #2445
• [management] Split DB calls in peer login by @pascal-fischer in #2439
• [misc] Loading tun module for synology in install.sh by @pascal-fischer in #2423
• [misc] Use clearer wording on issue template by @lixmal in #2443
• [client] Replace windows network monitor implementation by @lixmal in #2450
• [management] Fix logging out peers on deletion by @lixmal in #2453
• [management] Add buffering for getAccount requests during login by @pascal-fischer in #2449

New Contributors

• @moosetheory made their first contribution in #2337
• @Foosec made their first contribution in #2188

Full Changelog: v0.28.7...v0.28.8