Releases: NHAS/wag

v8.0.0-beta9 Clustering

15 May 02:25
Pre-release

This release fixes a potential security vulnerability when clients roam between different cluster members.

In brief, an attacker who exploits a race condition after stealing a WireGuard configuration may be able to piggyback on a valid authorization session if balanced to a different cluster node than the valid user.

Bug Fix:

  • All devices now have an additional field that associates them with the cluster member they last connected to

v8.0.0-beta8 Clustering

13 May 09:15
Pre-release

Continuing to close off a bunch of small bugs that have crept in while doing the clustering work.

Changes:

  • Add UI for defining deny rules in the admin UI
  • Add validation to general and login settings page
  • Strip spaces from text fields in settings page

Bug Fix:

  • Fix IP selection potentially being able to assign the server IP address
  • Fix IP address selection deadlock when all addresses in the subnet are exhausted
  • Fix registration issue where devices would not be removed if the registration failed at a later step

v8.0.0-beta7 Clustering

08 May 22:27
Pre-release

Added an additional debug tool to test the XDP firewall.

Features:

  • Firewall Checker now allows you to test specific protocols/ports/addresses from different user devices to inspect the firewall state better

v8.0.0-beta6 Clustering

08 May 08:20
Pre-release

Fixes issues with the OIDC authentication provider which prevented users from getting new ACLs.

Features:

  • A new diagnostic tool has been added: you can now enter a username and see what ACLs are produced for that user

Bug Fix:

  • User ACLs are now correctly updated on group membership change

v8.0.0-beta5 Clustering

07 May 23:39
Pre-release

This fixes a security issue found in the beta release.

Bug Fix:

  • After resetting MFA on a device, wag would not de-authenticate all active sessions due to a failure in populating the userspace user-to-address map

v8.0.0-beta4 Clustering

07 May 22:06
Pre-release

A small change to improve OIDC interop.

Features:

  • Admin users can now specify which OIDC claim maps to the wag username instead of just defaulting to the OIDC preferred_username, which is most likely an email address

Bug Fixes:

  • Remove extra println that reveals more information about MFA than required #100

v8.0.0-beta3 Clustering

07 May 06:00
Pre-release

This release closes off a small number of issues.

Bug Fixes:

  • Inability for a user to log out #103
  • OIDC and PAM login settings should be able to be set #106
  • One failing MFA method no longer disables all other MFA methods #102

Changes:

  • Cluster error events should give their context as a string rather than a collection of bytes #104

v8.0.0-beta2 Clustering

06 May 09:51
Pre-release

A small patch to fix an important feature.

Bug Fix:

  • #99 server failed to correctly append WireGuard port

v8.0.0-beta Clustering

03 May 00:09
Pre-release

This is a huge release that contains a number of fundamental changes to the inner workings of Wag to allow for high availability and clustering.
It also includes changes to the eBPF interactions which drastically increase the speed of changing firewall rules (#84).

Due to the large number of changes this release contains, it is highly likely that there are bugs, broken functionality and other issues. So until this release has been tested, it is released as a beta release.

Wag has moved from using sqlite3 and a config.json file to using etcd as the backend for storing users and managing rules. This allows multiple Wag instances to be deployed and managed as one unit.

This release will attempt to perform a migration from sqlite3 into etcd on first run.

Features:

  • The WireGuard peer diagnostics page now shows number of bytes sent/received #94
  • WebAuthn keys will hopefully no longer prompt for a PIN code #89
  • Add clustering admin UI page for adding wag nodes to cluster #24
  • wag start now supports the -join flag for taking a cluster join token
  • ServerPersistentKeepAlive now configures the keep alives set by the server to the client to resolve #64
  • Wag now has a notifications system for the admin UI that reports node failures, policy apply failures and updates

Changes:

  • Improved new WireGuard device IP address selection
  • Admin UI now has Debug mode available in config for development

Bug Fixes:

  • Fix gen-config returning null for a number of values #97
  • Rules with a domain name will be skipped if they are unresolvable rather than causing rule parsing to fail #86
  • Fix performance issues with moderate number of clients #84
  • Fix issue where custom templates/js could not be loaded due to bad path #76
  • Fix rendering issue on change password page #79

Security Fixes:

  • X-Forwarded-For is now correctly parsed

v7.3.2

06 Nov 22:03

A round-up release that covers a number of small improvements and bug fixes.

Features:

  • MFATemplatesDirectory option now also looks for CSS and JS for changing the appearance of the MFA page
  • HTTP to HTTPS redirection automatically takes place if the port for MFA is on 443 (and has a valid certificate)
  • ExposePorts can now take a port range thanks to @marulitua

Changes:

  • Add error message when webauth is selected as an authentication mechanism, but HTTPS isn't enabled
  • Visiting the management UI path / now redirects to /dashboard rather than giving a 404
  • Improve CSRF protections
  • Remove persistent keepalive from server side, as it should be client-side only (thanks #64)
  • Improve logging on all management UI endpoints

Bug Fixes:

  • Duplicate routes in generated WireGuard config (only occurs if the DNS server also has routes applied to it #72)