Releases: NHAS/wag

v7.3.1

16 Aug 07:52

Tiny release to fix docker container issue.

Bug Fix:

  • The wag docker container will now no longer fail to start due to the unix socket still existing (it will also properly clean up after itself and end faster)

v7.3.0

07 Aug 10:01

This release adds the ability to set the group ID (GID) of the wag control socket, so that control can be a low-privilege to higher-privilege operation. Additionally, it adds the ability to reuse registration tokens a bounded number of times, as per #50.

Bug Fixes:

  • Restrict DNS servers to 53/any rather than any/any as per #49

Features:

  • The CLI option registration now takes an additional -uses option, which enables a token to be used multiple times (default 1)
  • Web user interface registration token dialog has similar options

v7.2.1

27 Jul 20:49

This release adds PAM support to wag.

Features:

  • Configuration file now supports the pam authentication method
  • PAM Authentication service file can be optionally configured with Authenticators.PAM.ServiceName

Thanks to @softScheck for adding this feature!

v7.1.1

25 Jul 05:59

This release introduces a small fix and merges some work on supporting docker (which isn't so relevant to the binary release, but such is life).

Bug Fixes:

  • Removed math/rand in favor of crypto/rand in the oidc provider (an autocorrect mistake)

Changes:

  • If webadmin is enabled and no administrative user exists, one will now be generated on first usage

v7.0.2

13 Jun 07:00

Just a tiny release to simplify my own life.

Features:

  • Re-add /routes/ API path to get the wireguard captured routes

v7.0.1

11 Jun 10:02
Compare
Choose a tag to compare

Tiny release just to add an API endpoint parameter for ease of use.

Adds a routes parameter to the /status/ API endpoint, so that when it is true (/status/?routes=true) the endpoint will return a comma-delimited set of routes that may be placed in a wireguard config file.

Features:

  • Add routes parameter to /status/ api route.

v7.0.0

11 Jun 09:37

A large wrap up release which contains heaps of new features, removes an unused feature and bug fixes.

Most notable:

  • Each rule can now have up to 128 port restrictions (e.g. 8080/tcp 8081/udp)
  • MFA routes no longer take precedence over Public routes; preference is now based on route specificity. E.g. if you define a /32 route, it will be selected over a /24.

Breaking Changes:

  • Removed upgrade option and associated API, as I suspect no-one is using live updating, as I'm not, due to the XDP kernel code changing a large amount

Features:

  • Add kernel version check
  • Add docker image

v6.2.0-pre-release

Features:

  • Change the way rules are composed: if a route is defined multiple times, the port restrictions are added to one another rather than the final rule being applied (max of 128 port restrictions per route)
  • MFA and Public/Allow rules can exist for the same route

v6.1.2-pre-release

Bug Fixes:

  • Fixed rules exhibiting different behavior depending on rule order #43 e.g 1.1.1.1 8081/tcp icmp was different to 1.1.1.1 icmp 8081/tcp

v6.1.1-pre-release

Features:

  • Add MFATemplatesDirectory option to allow administrators to define their own templates for MFA pages per request in #36

Changes:

  • Removed duplicate rule detection due to poor design

v6.0.1-pre-release

Breaking Changes:

  • Wag now uses the most specific route to determine if a route is restricted behind MFA or Public. For example:
"Policies": {
    "*": {
        "Mfa": [
            "10.0.1.0/24"
        ],
        "Allow": [
            "10.0.1.2/32"
        ]
    }
}

While this policy has a blanket restriction to force everything under /24 to require MFA, the single route 10.0.1.2/32 is available to any user without authorisation, as it is more specific.
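
The most-specific-route selection described above, as an added Go example that is not wag's own code: `Policy` and `Decide` are hypothetical names, port restrictions are ignored, and resolving an exact-prefix tie in favour of MFA is an assumption.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Policy mirrors one entry of the "Policies" map (routes without port restrictions).
type Policy struct {
	Mfa, Allow []string
}

// Decide returns "allow", "mfa" or "none" for dst by longest-prefix match.
// Assumption: on an exact tie the MFA rule wins (fail closed).
func Decide(p Policy, dst string) (string, error) {
	addr, err := netip.ParseAddr(dst)
	if err != nil {
		return "", err
	}
	best, verdict := -1, "none"
	for _, set := range []struct {
		kind   string
		routes []string
	}{{"mfa", p.Mfa}, {"allow", p.Allow}} {
		for _, r := range set.routes {
			pfx, err := netip.ParsePrefix(r)
			if err != nil {
				return "", fmt.Errorf("bad route %q: %w", r, err)
			}
			// A longer prefix is more specific and replaces the current verdict.
			if pfx.Contains(addr) && pfx.Bits() > best {
				best, verdict = pfx.Bits(), set.kind
			}
		}
	}
	return verdict, nil
}

func main() {
	// The policy from the release note above.
	p := Policy{Mfa: []string{"10.0.1.0/24"}, Allow: []string{"10.0.1.2/32"}}
	for _, dst := range []string{"10.0.1.2", "10.0.1.3", "192.168.0.1"} {
		v, err := Decide(p, dst)
		fmt.Println(dst, v, err)
	}
}
```

When reviewing a policy after upgrading, any Allow entry that resolves to "allow" inside a broader Mfa range is a host reachable without MFA.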

Features:

  • The wag management UI will now check for updates from GitHub and give a notification if a new version of wag is available. This can be enabled/disabled with CheckUpdates in the config.json, and is off by default.

v6.2.0-pre-release

03 May 04:14

This release adds rule composition, and port hiding/unhiding based on authorisation status.
For example:

"*": {
    "Mfa": [
        "10.0.0.0/16",
        "10.0.1.1/32 22/tcp"
    ]
},
"group:users": {
    "Allow": [
        "10.0.1.1/32 443/tcp"
    ]
}

Previously (< v6.1.x), wag would take the last defined policy for a given route (10.0.1.1/32), which would only allow you to define either an MFA rule or a Public/Allow rule.

Now, members of the group:users group will be able to access 10.0.1.1/32 22/tcp without authorisation and 22/tcp and 443/tcp with authorisation.

(A maximum of 128 port definitions can be defined per route)

Features:

  • Change the way rules are composed: if a route is defined multiple times, the port restrictions are added to one another rather than the final rule being applied
  • MFA and Public/Allow rules can exist for the same route

v6.1.2-pre-release

02 May 05:08

A small release that adds a bug fix as per the discussion in #43

Bug Fixes:

  • Fixed rules exhibiting different behavior depending on rule order e.g 1.1.1.1 8081/tcp icmp was different to 1.1.1.1 icmp 8081/tcp

v6.1.1-pre-release

02 May 01:56

This release adds the ability to customise the MFA entry/registration templates as per #36

Features:

  • Add MFATemplatesDirectory option to allow administrators to define their own templates for MFA pages

Changes:

  • Removed duplicate rule detection due to poor design