v0.31.1

What's Changed

• [management] Fix add peer all group network map update by @pascal-fischer in #2830
• [misc] Avoid failing all other matrix tests if one fails by @mlsmaycon in #2839
• [client] Fix cached device flow oauth by @mlsmaycon in #2833
• [management] Fix network map update on peer validation by @pascal-fischer in #2849
• [client] Use the prerouting chain to mark for masquerading to support older systems by @lixmal in #2808
• [relay-server] Use X-Real-IP in case of reverse proxy by @pappz in #2848
• [client] Exclude split default route ip addresses from anonymization by @lixmal in #2853
• [management] Enforce max conn of 1 for sqlite setups by @pascal-fischer in #2855
• [management] Fix potential panic on inactivity expiration log message by @pascal-fischer in #2854
• [management] Add benchmark tests to get account with claims by @mlsmaycon in #2761
• [client] Use offload in WireGuard bind receiver by @pappz in #2815
• [management] Remove context from database calls by @pascal-fischer in #2863
• [management] Add peer lock to grpc server by @pascal-fischer in #2859
• [management] Fix api error message typo peers_group by @lixmal in #2862
• [client] Remove loop after route calculation by @pappz in #2856
• [client] fix/proxy close by @pappz in #2873
• [client] Fix race conditions by @lixmal in #2869

Full Changelog: v0.31.0...v0.31.1

v0.31.0

Release Notes for v0.31.0

Highlights

[management] Setup key improvements #2775

• We added support to setup-key deletion, allowing account cleanup of revoked or expired keys.
• The max expiration time was removed, allowing users to define any date for key expiration.
• Setup-keys are now stored as hashs, improving security for systems.

Because of a database migration where the setup-keys are being hashed, a downgrade is no longer possible without restoring a backup. So, testing and making sure a backup is done before upgrading is highly recommended. See backup docs here: https://docs.netbird.io/selfhosted/selfhosted-guide#backup

Improvements

• [client] Make native firewall init fail firewall creation #2784
• [misc] Update Zitadel from v2.54.10 to v2.64.1 #2793
• [client] allow relay leader on iOS #2795
• [management] remove network map diff calculations #2820
• [management] Add DB access duration to logs for context cancel #2781
• [client] Log windows panics #2829

Bug fixes

• [client] Ignore route rules with no sources instead of erroring out #2786
• [client] Fix multiple peer name filtering in netbird status command #2798
• [client] Fix the broken dependency gvisor.dev/gvisor #2789
• [management] Fix peer meta isEqual #2807
• [client] Nil check on ICE remote conn #2806
• [client] Allocate new buffer for every package #2823
• [client] Fix unused servers cleanup #2826
• [client] Remove legacy forwarding rules in userspace mode #2782

New Contributors

• @Codixer made their first contribution in #2793
• @mgarces made their first contribution in #2798
• @milantracy made their first contribution in #2789

Full Changelog: v0.30.3...v0.31.0

v0.30.3

What's Changed

• [management] Fix domain information is up to date check by @mlsmaycon in #2754
• Fix decompress zip path by @mlsmaycon in #2755
• Update sign workflow version by @mlsmaycon in #2756
• Release global lock on early error by @mlsmaycon in #2760
• Replace suite tests with regular go tests by @mlsmaycon in #2762
• [management] Fix context cancellation with JWT group sync enabled by @bcmmbaga in #2767
• [client] Eliminate UDP proxy in user-space mode by @pappz in #2712
• [management] Optimize network map updates by @bcmmbaga in #2718
• [management] Fix session inactivity response by @pascal-fischer in #2770
• [relay-client] Log exposed address by @pappz in #2771
• [client] Cleanup dns and route states on startup by @lixmal in #2757
• [client] Fix controller re-connection by @pappz in #2758
• [client] Cleanup firewall state on startup by @lixmal in #2768

Full Changelog: v0.30.2...v0.30.3

v0.30.2

What's Changed

• [relay, client] Relay/fix/wg roaming by @pappz in #2691
• [management] Refactor getAccountIDWithAuthorizationClaims by @mlsmaycon in #2715
• [client] Add table filter rules using iptables by @lixmal in #2727
• [relay-server] Move the handshake logic to a separated struct by @pappz in #2648
• [management] Add session expire functionality based on inactivity by @ctrl-zzz in #2326
• [client] Add universal bin build and update sign workflow version by @mlsmaycon in #2738
• [client] Exclude loopback from NAT by @lixmal in #2747
• [misc] Update Zitadel version on quickstart script by @eoksum in #2744
• [management] Fix JSON function compatibility for SQLite and PostgreSQL by @bcmmbaga in #2746

New Contributors

• @eoksum made their first contribution in #2744

Full Changelog: v0.30.1...v0.30.2

v0.30.1

This release fixes a few issues with the network route access controls and a bug with Signal service.

What's Changed

• [management] Remove admin check on getAccountByID by @pascal-fischer in #2699
• [management] Validate peer ownership during login by @bcmmbaga in #2704
• [client] Limit P2P attempts and restart on specific events by @lixmal in #2657
• [management] Propagate error in store errors by @pascal-fischer in #2709
• [misc] Add Link to the Lawrence Systems video by @braginini in #2711
• [management] Make max open db conns configurable by @pascal-fischer in #2713
• [management] Add support to envsub go management configurations by @mlsmaycon in #2708
• [management] Move testdata to sql files by @pascal-fischer in #2693
• [client] Improve route acl by @lixmal in #2705
• [signal] new signal dispatcher version by @pascal-fischer in #2722

Full Changelog: v0.30.0...v0.30.1

v0.30.0

Release Notes for v0.30.0

What's New

Access Control for Network Routes

Starting with version 0.30.0, users can assign access control groups to network routes, offering improved security and traffic restrictions. Route access is now unidirectional, ensuring traffic complies with the specified policies before authorization. This feature enhances the flexibility of network management.

To configure this, follow the documentation: Configuring routes with access control.

Improvements

• Add Access Control for Network Routes: [management, client] Add access control support to network routes #2100
• Remove Redundant Account Token Calls: [management] Remove redundant get account calls in GetAccountFromToken #2615
• Refactor User JWT Group Synchronization: [management] Refactor User JWT group sync #2690

Bug Fixes

• Anonymize Relay Address in Peers View: [client] Anonymize relay address in status peers view #2640
• Check WireGuard Interface Instead of Engine Context: [client] Check wginterface instead of engine ctx #2676
• Close Remote Connection in Proxy: [client] Close the remote conn in proxy #2626
• Fix eBPF Close Function: [client] Fix ebpf close function #2672
• Fix Relay Disconnection Handling: [client] Fix Relay disconnection handling #2680
• Restrict Peer Access for Non-Admins: [management] Restrict accessible peers to user-owned peers for non-admins #2618

Other Changes

• Adjust Relay Worker Log Levels: [client] Adjust relay worker log level and message #2683
• Improve Error Count Formatting: [client] Fix error count formatting #2641
• Refactor Interface Package: [client] Refactor/iface pkg #2646
• Remove Custom Localhost Dialer: [client] Remove usage of custom dialer for localhost #2639
• Add Account Existence Check to AccountManager: [management] Add AccountExists to AccountManager #2694
• Add DB Retrieval Method: [management] Add get DB method to store #2650
• Fix Account Manager Mock Implementation: [management] Fix account manager mock #2695
• Propagate Management Metrics: [management] Propagate metrics #2667
• Remove File Store in Management: [management] Remove file store #2689
• Update Management Docker Image: [management] Update management base docker image #2687
• Improve ZITADEL IDP Error Handling: [management] improve zitadel idp error response detail #2634
• Add Log Setting to Caddy Container: [misc] Add log setting to Caddy container #2684
• Fix IP Range Posture Check Example: [misc] Fix ip range posture check example in API doc #2628
• Update to Goreleaser Version 2: [misc] Specify goreleaser version and update to 2 #2673
• Use Packages to Fetch Latest Version: [misc] Use the pkgs to get the latest version #2682
• Move Signal Message Handling into Dispatcher: [signal] Move dummy signal message handling into dispatcher #2686
• Propagate Signal Metrics: [signal] Propagate metrics #2668
• Add Context to Signal Dispatcher: [signal] add context to signal-dispatcher #2662

New Contributors

• @adasauce made their first contribution in #2634
• @simen64 made their first contribution in #2678

Full Changelog: v0.29.4...v0.30.0

v0.29.4

What's Changed

• Do not block the msg receiving if the wg proxy does not operate by @pappz in #2617
• Exit from processConnResults after all tries by @pappz in #2621

Full Changelog: 0.29.3...v0.29.4

v0.29.3

What's Changed

• [client] Ensure engine is stopped before starting it back by @hurricanehrndz in #2565
• [relay] Change heartbeat timeout by @pappz in #2598
• [client] Fix blocked net.Conn Close call by @pappz in #2600
• [management] Add command flag to set metrics port for signal and relay service, and update management port by @benniekiss in #2599
• [client] Fix get management and signal state race condition by @mlsmaycon in #2570
• [management] fix legacy decrypting of empty values by @bcmmbaga in #2595
• [signal] Fix signal active peers metrics by @pascal-fischer in #2591
• [management] Add transaction to addPeer by @pascal-fischer in #2469
• [client] Fix leaked server connections by @pappz in #2596
• [client] Enforce permissions on Win by @pappz in #2568
• [relay] Add health check attempt threshold by @mlsmaycon in #2609
• [client] Fix race condition while read/write conn status in peer conn by @pappz in #2607
• [client] Cancel the context of wg watcher when the go routine exit by @pappz in #2612

Full Changelog: v0.29.2...v0.29.3

v0.29.2

What's Changed

• [management] Add GCM encryption and migrate legacy encrypted events by @bcmmbaga in #2569
• [misc] Update core github actions by @mlsmaycon in #2584
• Update Go version to 1.23 by @mlsmaycon in #2588
• [management] Add accessible peers endpoint by @bcmmbaga in #2579
• [client] fix: install.sh: avoid call of netbird executable after rpm-ostree installation by @M0Rf30 in #2589
• [client] Fix wg handshake checking by @pappz in #2590
• [misc] Support configurable max log size with var NB_LOG_MAX_SIZE_MB by @mlsmaycon in #2592

Full Changelog: v0.29.1...v0.29.2

v0.29.1

This release improves the relay with better authentication messages. To ensure your system is working properly, you should upgrade your relay and management servers before upgrading your clients.

What's Changed

• [client] Don't overwrite allowed IPs when updating the wg peer's endpoint address by @lixmal in #2578
• [relay] Improve relay messages by @lixmal in #2574
• [relay] change log levels by @pappz in #2580
• Remove pre-release step from workflow by @mlsmaycon in #2583
• [client] Update service package version by @mlsmaycon in #2582

Full Changelog: v0.29.0...v0.29.1