Releases: NHAS/wag
v8.0.0-beta9 Clustering
This release fixes a potential security vulnerability when clients roam between different cluster members.
In brief, an attacker who exploits a race condition after stealing a WireGuard configuration may be able to piggyback on a valid authorization session if they are balanced to a different cluster node than the legitimate user.
Bug Fix:
- All devices now have an additional field that associates them with the cluster member they last connected to
v8.0.0-beta8 Clustering
Continuing to close off a bunch of small bugs that have crept in while doing the clustering work.
Changes:
- Add UI for defining deny rules in the admin UI
- Add validation to general and login settings page
- Strip spaces from text fields in settings page
Bug Fix:
- Fix IP selection potentially being able to assign the server IP address
- Fix ip address selection deadlock when all addresses are exhausted in subnet
- Fix registration issue where devices would not be removed if the registration failed at a later step
v8.0.0-beta7 Clustering
Added an additional debug tool to test the xdp firewall
Features:
- Firewall Checker now allows you to test specific protocols/ports/addresses from different user devices to inspect the firewall state better
v8.0.0-beta6 Clustering
Fixes issues with the OIDC authentication provider which prevented users from getting new ACLs.
Features:
- A new diagnostic tool has been added, now you can enter a username and see what ACLs are produced for said user
Bug Fix:
- User ACLs are now correctly updated on group membership change
v8.0.0-beta5 Clustering
This fixes a security issue found in the beta release
Bug Fix:
- After resetting MFA on a device, wag would not de-authenticate all active sessions due to a failure in populating the userspace user-to-address map
v8.0.0-beta4 Clustering
A small change to improve OIDC interop
Features:
- Admin users can now specify which OIDC claim maps to the wag username instead of always defaulting to the OIDC preferred_username, which is most likely an email address
Bug Fixes:
- Remove extra println that reveals more information about MFA than required #100
v8.0.0-beta3 Clustering
This release closes off a small number of issues.
Bug Fixes:
- Inability for a user to log out #103
- OIDC and PAM login settings should be able to be set #106
- One failing MFA method no longer disables all other MFA methods #102
Changes:
- Cluster error events should give their context as a string rather than a collection of bytes #104
v8.0.0-beta2 Clustering
A small patch to fix an important feature.
Bug Fix:
- #99 server failed to correctly append wireguard port
v8.0.0-beta Clustering
This is a huge release that contains a number of fundamental changes to the inner workings of Wag to allow for high availability and clustering.
Additionally it also includes changes to the eBPF interactions which drastically increase the speed of changing firewall rules (#84).
Due to the large number of changes in this release it is highly likely that there are bugs, broken functionality and other issues. So until this release has been tested it is released as a beta release.
Wag has moved from using sqlite3 and a config.json file to using etcd as the backend for storing users and managing rules. This allows multiple Wag instances to be deployed and managed as one unit.
This release will attempt to perform a migration from sqlite3 into etcd on first run.
Features:
- The wireguard peer diagnostics page now shows number of bytes sent/received #94
- Webauthn keys will hopefully no longer prompt for pin code #89
- Add clustering admin UI page for adding wag nodes to cluster #24
- wag start now supports the -join flag for taking a cluster join token
- ServerPersistentKeepAlive now configures the keep alives set by the server to the client, to resolve #64
- Wag now has a notifications system for the admin UI that will report node failures, policy apply failures and updates
Changes:
- Improved new wireguard device IP address selection
- Admin UI now has Debug mode available in config for development
Bug Fixes:
- Fix gen-config returning null for a number of values #97
- Rules with a domain name will be skipped if they are unresolvable rather than causing rule parsing to fail #86
- Fix performance issues with moderate number of clients #84
- Fix issue where custom templates/js could not be loaded due to bad path #76
- Fix rendering issue on change password page #79
Security Fixes:
- X-Forwarded-For is now correctly parsed
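As an added illustration (not wag's own code) of what correct X-Forwarded-For handling means for a service that sits behind a reverse proxy: the header is only honoured when the TCP peer is a trusted proxy, and the chain is read from the right so that client-supplied entries cannot override the address the proxy appended. The trustedProxies list and all addresses below are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed example value: only these reverse proxies may set X-Forwarded-For.
var trustedProxies = []net.IPNet{
	{IP: net.IPv4(127, 0, 0, 1), Mask: net.CIDRMask(32, 32)},
	{IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)},
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address a request should be attributed to. The header is
// ignored unless the TCP peer is a trusted proxy; the chain is then walked from
// the right, skipping trusted hops, so the result is the first address a trusted
// proxy appended rather than whatever the client placed on the left.
func ClientIP(r *http.Request) (net.IP, error) {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets host:port
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, fmt.Errorf("unparseable RemoteAddr %q", r.RemoteAddr)
	}
	xff := strings.TrimSpace(r.Header.Get("X-Forwarded-For"))
	if !isTrustedProxy(peer) || xff == "" {
		return peer, nil // direct client, or nothing forwarded: the peer is the client
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return nil, fmt.Errorf("malformed X-Forwarded-For entry %q", hops[i])
		}
		if !isTrustedProxy(ip) {
			return ip, nil
		}
	}
	return peer, nil // every hop was a trusted proxy
}
```

Any address that is not in the trusted list must be treated as client input; the leftmost entry in particular is whatever the client chose to send.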
v7.3.2
A round up release that covers off a number of small improvements and bug fixes.
Features:
- MFATemplatesDirectory option now also looks for CSS and JS for changing the appearance of the MFA page
- http to https redirection automatically takes place if the port for MFA is on 443 (and has a valid certificate)
- ExposePorts can now take a port range, thanks to @marulitua
Changes:
- Add error message when webauthn is selected as an authentication mechanism but HTTPS isn't enabled
- Visiting the management UI path / now redirects to /dashboard rather than giving a 404
- Improve CSRF protections
- Remove persistent keepalive from server side, as it should be client-side only (thanks #64)
- Improve logging on all management UI endpoints
Bug Fixes:
- Fix duplicate routes in generated wireguard config (only occurs if the DNS server also has routes applied to it, #72)