Releases: NHAS/wag
v7.3.1
v7.3.0
This release adds the ability to set the group ID (GID) of the wag control socket, so that control can be a low-privilege to higher-privilege operation. Additionally, it adds the ability to reuse registration tokens a bounded number of times, as per #50.
Bug Fixes:
- Restrict DNS servers to `53/any` rather than `any/any` as per #49
Features:
- The CLI option `registration` now takes an additional `-uses` option which enables a token to be used multiple times (default 1)
- Web user interface registration token dialog has similar options
v7.2.1
This release adds PAM support to wag.
Features:
- Configuration file now supports the `pam` authentication method
- PAM Authentication service file can be optionally configured with `Authenticators.PAM.ServiceName`
Thanks to @softScheck for adding this feature!
v7.1.1
This release introduces a small fix and merges some work on supporting docker (which isn't so relevant to the binary release, but such is life).
Bug Fixes:
- Removed `math/rand` in favor of `crypto/rand` in the OIDC provider (an autocorrect mistake)
Changes:
- If webadmin is enabled and no administrative user exists, one will now be generated on first usage
v7.0.2
v7.0.1
Tiny release just to add an API endpoint parameter for ease of use.
Adds a `routes` parameter to the `/status/` API endpoint, so that when it is true (`/status/?routes=true`) the endpoint will return a comma-delimited set of routes that may be placed in a WireGuard config file.
Features:
- Add `routes` parameter to `/status/` API route.
v7.0.0
A large wrap-up release which contains heaps of new features and bug fixes, and removes an unused feature.
Most notable:
- Each rule can now have up to 128 port restrictions (e.g. `8080/tcp 8081/udp`)
- MFA routes no longer take precedence over Public routes; preference is now based on route specificity. E.g. if you define a `/32` route, it will be selected over a `/24`.
Breaking Changes:
- Removed `upgrade` option and associated API as I suspect no-one is using live updating, as I'm not, due to the XDP kernel code changing a large amount
Features:
- Add kernel version check
- Add docker image
v6.2.0-pre-release
Features:
- Change the way rules are composed: if a route is defined multiple times, the port restrictions are added to one another rather than the final rule being applied (max of 128 port restrictions per route)
- MFA and Public/Allow rules can exist for the same route
v6.1.2-pre-release
Bug Fixes:
- Fixed rules exhibiting different behavior depending on rule order #43, e.g. `1.1.1.1 8081/tcp icmp` was different to `1.1.1.1 icmp 8081/tcp`
v6.1.1-pre-release
Features:
- Add MFATemplatesDirectory option to allow administrators to define their own templates for MFA pages per request in #36
Changes:
- Removed duplicate rule detection due to poor design
v6.0.1-pre-release
Breaking Changes:
- Wag now uses the most specific route to determine if a route is restricted behind MFA or Public. For example:
```json
"Policies": {
    "*": {
        "Mfa": [
            "10.0.1.0/24"
        ],
        "Allow": [
            "10.0.1.2/32"
        ]
    }
}
```
While this policy has a blanket restriction to force everything under /24 to require MFA, the single route 10.0.1.2/32 is available to any user without authorisation, as it is more specific.
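The most-specific-route rule described above, as an added Go example (not wag's own code): it evaluates the quoted policy with longest-prefix matching and lists Allow routes nested inside a broader Mfa route, which is what to audit in an existing policy when moving to this behaviour. It assumes bare CIDR routes without port restrictions and that an equal-length tie keeps MFA; all function names are hypothetical.

```go
package main

import "fmt"
import "net/netip"

// parse converts bare-CIDR route strings (port restrictions are not handled) to prefixes.
func parse(list []string) (out []netip.Prefix, err error) {
	for _, s := range list {
		pfx, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("bad route %q: %w", s, err)
		}
		out = append(out, pfx.Masked())
	}
	return out, nil
}

// longest returns the length of the most specific route covering dst, or -1 if none does.
func longest(routes []netip.Prefix, dst netip.Addr) int {
	best := -1
	for _, r := range routes {
		if r.Contains(dst) && r.Bits() > best {
			best = r.Bits()
		}
	}
	return best
}

// allowedWithoutMFA: true when an Allow route is the most specific match (assumption: a tie keeps MFA).
func allowedWithoutMFA(mfa, allow []netip.Prefix, dst netip.Addr) bool {
	return longest(allow, dst) > longest(mfa, dst)
}

// holes lists Allow routes nested inside a broader Mfa route, i.e. reachable without MFA.
func holes(mfa, allow []netip.Prefix) (out []string) {
	for _, a := range allow {
		for _, m := range mfa {
			if m.Bits() < a.Bits() && m.Contains(a.Addr()) {
				out = append(out, a.String()+" inside "+m.String())
			}
		}
	}
	return out
}

func main() {
	mfa, _ := parse([]string{"10.0.1.0/24"}) // constructed from the policy quoted above
	allow, _ := parse([]string{"10.0.1.2/32"})
	fmt.Println(holes(mfa, allow), allowedWithoutMFA(mfa, allow, netip.MustParseAddr("10.0.1.7")))
}
```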
Features:
- The wag management UI will now check for updates from GitHub and give a notification if a new version of wag is available. This can be enabled/disabled with `CheckUpdates` in the `config.json`; it is off by default.
v6.2.0-pre-release
This release adds rule composition, and port hiding/unhiding based on authorisation status.
For example:
```json
"*": {
    "Mfa": [
        "10.0.0.0/16",
        "10.0.1.1/32 22/tcp"
    ]
},
"group:users": {
    "Allow": [
        "10.0.1.1/32 443/tcp"
    ]
}
```
Previously (< `v6.1.x`), wag would take the last defined policy for a given route (`10.0.1.1/32`), which would only allow you to define an MFA rule, or a Public/Allow rule.
Now, members of the `group:users` group will be able to access `10.0.1.1/32 22/tcp` without authorisation and `22/tcp` and `443/tcp` with authorisation.
(A maximum of 128 port definitions can be defined per route)
Features:
- Change the way rules are composed: if a route is defined multiple times, the port restrictions are added to one another rather than the final rule being applied
- MFA and Public/Allow rules can exist for the same route
v6.1.2-pre-release
A small release that adds a bug fix as per the discussion in #43
Bug Fixes:
- Fixed rules exhibiting different behavior depending on rule order, e.g. `1.1.1.1 8081/tcp icmp` was different to `1.1.1.1 icmp 8081/tcp`
v6.1.1-pre-release
This release adds the ability to customise the MFA entry/registration templates as per #36
Features:
- Add `MFATemplatesDirectory` option to allow administrators to define their own templates for MFA pages
Changes:
- Removed duplicate rule detection due to poor design