Releases: DefGuard/defguard
v1.1.1
Quick fix release
- Fix enterprise settings sometimes not taking effect immediately, log gateway's token rejection reason by @t-aleksander in #865
🎉 1.1.x: All Enterprise features are free! 🎉
All Enterprise features (within certain limits) are now free and do not require a license.
Limits should be more than sufficient for home, small business, and student use. More details here.
Further improvements:
🔐 Ability to use external OIDC for secure remote enrollment and Desktop client configuration
🔏 External OIDC now supports code authorization flow - extending Custom OIDC support to Okta, JumpCloud, Zitadel and others..
🛜 Fixed IPv6 configuration in the Location settings
Please consider buying the enterprise license to support us!
The whole defguard team thanks you! 🫡
Detailed changes
- Fix ipv6 input and database adminid constraints by @t-aleksander in #851
- Enable enterprise features when within certain limits by @t-aleksander in #852
- OpenID via Proxy by @moubctez in #845
- Add external oidc tests by @t-aleksander in #855
- Remove web3 functionality from frontend, update docs links by @t-aleksander in #857
New Contributors
- @eltociear made their first contribution in #848
Full Changelog: v1.0.0...v1.1.0
v1.1.0
🎉 All Enterprise features are free! 🎉
All Enterprise features (within certain limits) are now free and do not require a license.
Limits should be more than sufficient for home, small business, and student use. More details here.
Further improvements:
🔐 Ability to use external OIDC for secure remote enrollment and Desktop client configuration
🔏 External OIDC now supports code authorization flow - extending Custom OIDC support to Okta, JumpCloud, Zitadel and others..
🛜 Fixed IPv6 configuration in the Location settings
Please consider buying the enterprise license to support us!
The whole defguard team thanks you! 🫡
Detailed changes
- Fix ipv6 input and database adminid constraints by @t-aleksander in #851
- Enable enterprise features when within certain limits by @t-aleksander in #852
- OpenID via Proxy by @moubctez in #845
- Add external oidc tests by @t-aleksander in #855
- Remove web3 functionality from frontend, update docs links by @t-aleksander in #857
New Contributors
- @eltociear made their first contribution in #848
Full Changelog: v1.0.0...v1.1.0
v1.0.0
🎉 Now you can support our development efforts! 🎉
We are introducing Enterprise License with unique features not available in the Open Source Open Core:
🔐 Ability to use external OIDC (Google/Microsoft/Custom) to login or create a defguard account.
💥 Real time sync for client configurations! First WireGuard client to support this feature!
🛑 Ability to disable users to manage their devices (just admins will have this possibility).
✖︎ Ability to disable users to configure WireGuard clients other than defguard desktop client.
🚦Ability to disable All traffic in the desktop client - just predefined traffic.
🔜 …More features will come soon!
Please consider buying the enterprise license to support us!
The whole defguard team thanks you! 🫡
🔥 New features (Open Source Open Core & Enterprise) 🔥
- core & proxy have now HTTP & gRPC healthchecks
- new MFA email messages to easily copy the code
- Multiple DNS servers support & search domain support
- Proxy and Gateway have better gRPC connection handling when a disconnect occurs
- New Kubernetes HELM charts (thanks to Prusa3D Research team ❤️
… and **a lot of 🐛 bugfixes! **
Desktop Client Major Upgrade
- Rewrite of the whole routing stack (on all platforms) with IPv6 support
- Tray menu for quick connect/disconnect
- Multiple DNS servers support
- Search domain support
- Settings menu has a new section displaying all log messages
- All log messages have been rewritten for better support and knowledge of what’s going on
📖 Upgrade notes
Please remember to read the upgrade notes before doing the upgrade!
v1.0.0-alpha1
🛑 Warning this is a ALPHA PRE-RELESE only working with alpha proxy&gateway&client! 🛑
👇👇👇For official release see below.👇👇👇
This is the first release of the new Open Source Open Core & Enterprise features like: external OpenID (Google/Microsoft/Custom), real time client sync and more!
All currently available enterprise features are in enterprise documentation section as well as information about upcoming enterprise license.
This release also includes the latest Open Source functionaries.
v0.11.0
We have focused on stability, business logs improvements and bug squashing in these release - but also have done some features:
New Features
Account disabling/enabling ⭐
Now you can disable or enable a user account (by @t-aleksander in #640)
Important: LDAP support for this feature is not implemented yet. See #660 for status.
Core & Proxy DEB & RPM packages
Upon a lot of requests we have added (besides docker/kubernetes) a pure package distribution of core & proxy (gateway already had it done for some time).
Done by @t-aleksander in #649
Other Changes
- feat: add warning when removing a group by @wojcik91 in #628
- feat: add new logo by @t-aleksander in #646
- Add more logging by @t-aleksander in #645
Fixes
- fix: mfa login screen styles by @j-chmielewski in #629
- fix: sync WireGuard locations allowed devices after removing user group by @wojcik91 in #630
- fix: make config structure valid if some fields are missing by @t-aleksander in #637
- fix: add workaround for wrong config file extension on some browsers by @t-aleksander in #638
- fix: verify mfa status during openid authorization by @t-aleksander in #641
- fix: invalidate all user sessions when MFA is enabled by @t-aleksander in #644
- fix: fix frontend linter errors by @t-aleksander in #651
- fix: prevent from adding duplicate public keys by @t-aleksander in #655
- Fix down migrations by @moubctez in #658
- Fix for #661 by @moubctez in #662
v0.10.0
New Features
Groups support ⭐
We now support group management, including:
- Every VPN Location can now be protected by defined group access (previously only: All users || Admins)
- In OpenID Apps - for each app you can also include Group Scope - and when user logs in with defguard to an application, all groups that the user is part of is returned in the OIDC token
SSH & GPG keys management
Now any user can add/delete (manage) their public SSH & GPG keys, which is great for managing access to your servers with SSH keys from defguard. More in docs here: https://defguard.gitbook.io/defguard/admin-and-features/ssh-authentication
New YubiKey provisioning and management
after provisioning a YubiKey - the YK it’s visible in the user profile with serial number as well as GPG & SSH public keys corresponding to the YKs private keys
Also, there is a new look for YubiKey provisioning (in the key management dialog)
A lot of enhancements
-
proxy now has detailed logs with IP addresses and business logs - a lot of users asked for that to implement fail2ban since the proxy is a public service
-
Phone number is now optional during enrollment
Fixes
- MFA disconnecting bug
- email validation when adding a new user
Full Changelog: v0.9.0...v0.10.0
v0.9.0
New Features
Before upgrading please read upgrade notes
WireGuard Multi-Factor Authentication ⭐
We are introducing first of its kind Multi-Factor Authentication for WireGuard with TOTP/Email codes and WireGuard Pre-Shared Session Keys.
This feature requires the new release 0.2 of our desktop client, more details can be found in documentation
New Desktop Client 💻
- Finally a Windows release!
- Supporting any WireGuard server - you can now use one client for defguard instances + any other WireGuard servers you have - just import your current configurations by adding WireGuard Tunnel
- Live Logs, VPN Details, Settings!
- Update, Remove Instance/Tunnel
- Dark Theme! ;-)
WARNING - if you are upgrading from 0.1.x please read upgrade notes
Password Reset
Users can now use the enrollment service to reset their passwords!
This feature requires proxy to be deployed and SMTP server to be configured.
Enterprise Support
As many requested, we have introduced Enterprise Support, hopefully, support can maintain our efforts in building this awesome Open Source project!
Other Changes
- chore: update axum to 0.7 and other dependencies by @moubctez in #465
- fix: enrollment e2e fixes by @blazej-teonite in #472
- feat: groups as roles by @moubctez in #467
- feat: group management API by @moubctez in #479
- fix: allow safe special chars in username and password for users by @filipslezaklab in #493
- feat: update instance & location info in client enrollment by @wojcik91 in #492
- docs: e2e readme by @filipslezaklab in #495
- feat: reverse proxy gRPC service communication by @moubctez in #496
- fix: allow username special chars by @wojcik91 in #505
- fix: update username validation in login form by @wojcik91 in #510
- fix: add missing port to location endpoint in desktop client instance update by @wojcik91 in #514
- fix: return default logo if empty by @filipslezaklab in #519
Full Changelog: v0.8.0...v0.9.0
v0.8.0
New features:
⭐ Desktop Clients 💻 ⭐
We have released the official (and beautiful ❤️) macOS and Linux desktop clients supporting multiple defguard instances and automatically configuring all Locations in the instance.
You can download them from client release page and read here how easy it is to configure the desktop client.
Windows desktop client is in development and will be released soon
Desktop client user enrollment and onboarding
When Remote enrollment is enabled while adding a new user, the user can now choose enrollment via Web Browser or Desktop client.
All instructions are sent to the newly created user via email.
Multi-Factor Authentication via Email codes
A new MFA method has been added, utilizing codes sent via email.
Email notifications about important changes
Defguard now sends email notifications informing about important actions that took place:
Each email has information about the date, IP address, browser, and device that was used to act.
SSH authorized keys endpoint
Please read the documentation on how to easily configure your SSH server to access SSH keys, that are stored in Defguard (privision via YubiKey provisioning).
In the next release, the user will be able to manage any SSH keys, not only the ones provisioned via YK provisioning.
LDAP configuration via Settings
In defguard settings, a new tab is dedicated to configure and test LDAP server configuration.
wireguard-rs library and crate
Our gateway and desktop client now use a unified Rust library - wireguard-rs providing unified WireGuard interface to native/kernel and userspace implementations.
The crate (besides Wireguard) also supports:
- Peer routing - see WGApi docs.
- Configuring DNS resolver - see WGApi docs.
** On FreeBSD network interfaces are managed using ioctl.
** On Linux, handle network routing using netlink.
** fwmark handling
Fixes
A lot! of fixes
New Contributors
- @blazej-teonite made their first contribution in #402
Full Changelog: v0.7.1...v0.8.0
v0.7.1
New features
One-line install
We've created a one-line install script to simplify your first defguard deployment.
You should now be able to get your own instance running on a private VPS just by setting a couple environment variables and running:
curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O && bash setup.sh
To learn more about prerequisites and available options see our documentation.
Other Changes
- style(ui): update components by @filipslezaklab in #326
- refactor: migrate to Sqlx 0.7 by @moubctez in #327
- feat: add subcommand to initialize first VPN location by @wojcik91 in #329
- fix: add missing libssl dependency in Docker image by @wojcik91 in #331
- fix(ui): yubikeys provisioning by @filipslezaklab in #334
- fix: device avatar ui by @filipslezaklab in #337
Full Changelog: v0.7.0...v0.7.1
v0.7.0
New features:
Remote user enrollment process
The main defguard concept is that the core (with the database) should be deployed securely and not available from the public Internet (accessible only from the internal network or VPN). This approach raised a significant problem with onboarding new remote users: how can users access defguard, set up password, and add their devices to access VPN or change their password if they can't access defguard?
We introduced a public proxy that now enables a secure enrollment process, during which the user can: double-check their data, setup their password, and add their initial device to access VPN as a nice wizard!
In the future we plan to add more functionalities to the public proxy - like password reset for users.
User onboarding after enrollment
Now you can easily share with new users any relevant company information, links to company systems, security guidelines, etc. In the enrollment module, you can write custom messages using markdown that will be shown on the last step of the enrollment process and sent to the user via email:
Email/SMTP support
In Setup -> SMTP tab you can setup and test your SMTP for sending email (for enrollment and onboarding).
SMTP setup is required in order for enrollment & onboarding to work.
Send debug/support information
Now you can go to Settings -> Support and download (or send via email automatically if you have setup SMTP) support data & logs if you need our help/assistance!
Or you can use them when submitting a bug.
UI Library
Our beautiful React UI is now a collection of React components, that can be used in other projects! Get it at: https://github.com/defguard/ui (now used in Core & Proxy - soon desktop clients).
Native FreeBSD Wireguard Kernel support
Our gateway now supports native kernel Wireguard implementation - and we released a FreeBSD package.
OPNSense Plugin
On the gateway release page you will now find OPNSense Plugin package (named: defguard-gateway_0.5.2_x86_64-unknown-opnsense.txz)
Other Changes
- feat: support forward auth for reverse proxies by @wojcik91 in #309
- Do not trigger builds on documentation. by @teon in #268
- Rewrite select macro with conditional by @j-chmielewski in #269
- Fix docker build by @j-chmielewski in #270
- fix: username, first & last name validation by @j-chmielewski in #272
- refactor: switch templating engine from handlebars to tera by @j-chmielewski in #275
- feat: handle SMTP errors on SMTP settings page by @j-chmielewski in #274
- feat: send enrollment success notification to admin by @wojcik91 in #297
- Added test for adding user to admin group by @kchudy in #298
- feat: download debugging/support information and logs or send them via email by @j-chmielewski in #277
- Fix: Mail templates styling by @dzania in #303
- feat: defguard-ui by @filipslezaklab in #304
- 284 e2e test change user password by @kchudy in #302
- fix: overview device card connection time refresh by @filipslezaklab in #267
- fix: select by @filipslezaklab in #311
- style: add user modal by @filipslezaklab in #313
- fix: missing enrollment settings field by @filipslezaklab in #314
- 279 e2e test enrollment process by @dzania in #312
- Fix: Hide sensitive data in support information by @dzania in #315
New Contributors
Full Changelog: v0.6.1...v0.7.0