Releases: NHAS/wag

v6.0.1-pre-release

01 May 04:48
Pre-release

This release contains a significant change to how wag does route restrictions; it is highly likely you will need to review your configurations.

Breaking Changes:

  • Wag now uses the most specific route to determine whether a route is restricted behind MFA or public. For example:

        "Policies": {
            "*": {
                "Mfa": [
                    "10.0.1.0/24"
                ],
                "Allow": [
                    "10.0.1.2/32"
                ]
            }
        }

While this policy has a blanket restriction forcing everything under 10.0.1.0/24 to require MFA, the single route 10.0.1.2/32 is available to any user without authorisation, as it is more specific.
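As an added example of the longest-prefix rule described above (this is not wag's own code), the Go function below classifies a destination against the Mfa and Allow lists and reports which route decided it. The function name and the Mfa-wins-on-tie behaviour are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Classify returns "mfa", "public" or "none" for a destination, plus the
// route that decided it. Across both lists the matching route with the
// longest prefix wins, so a /32 in Allow overrides a /24 in Mfa; a bare
// address means /32. On an equal prefix length Mfa wins here, which is
// this example's fail-closed assumption, not behaviour the note specifies.
func Classify(mfa, allow []string, dst string) (decision, winner string, err error) {
	ip := net.ParseIP(dst)
	if ip == nil {
		return "none", "", fmt.Errorf("invalid address %q", dst)
	}
	decision = "none"
	bestLen := -1
	consider := func(routes []string, label string) error {
		for _, r := range routes {
			cidr := r
			if !strings.Contains(cidr, "/") {
				cidr += "/32"
			}
			_, n, err := net.ParseCIDR(cidr)
			if err != nil {
				return err
			}
			if ones, _ := n.Mask.Size(); n.Contains(ip) && ones > bestLen {
				decision, winner, bestLen = label, r, ones
			}
		}
		return nil
	}
	if err = consider(mfa, "mfa"); err == nil {
		err = consider(allow, "public")
	}
	return decision, winner, err
}

func main() {
	// The policy from the release note: blanket MFA on the /24, one public host.
	mfa, allow := []string{"10.0.1.0/24"}, []string{"10.0.1.2/32"}
	for _, dst := range []string{"10.0.1.2", "10.0.1.7", "10.0.2.1"} {
		d, r, _ := Classify(mfa, allow, dst)
		fmt.Printf("%-9s -> %-6s via %q\n", dst, d, r)
	}
}
```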

Features:

  • The wag management UI will now check GitHub for updates and show a notification if a new version of wag is available. This can be enabled or disabled with CheckUpdates in config.json; it is off by default.

v5.1.3

14 Apr 05:33

Small release to just cover off some issues.

Changes:

  • Startup message has been improved to be more accurate
  • An iptables rule is now added to allow services (internal hosts) to talk to VPN clients, as per #40

Features:

  • NAT'ing can now be turned off.

v5.1.1

10 Mar 07:58

Minor improvements and a bug fix.

Bug Fix:

  • When a wireguard configuration file is generated, the AllowedIps entries no longer contain port numbers (present since v5.0.0)

Changes:

  • Management UI now more clearly shows locked devices and user accounts

v5.1.0 - Security Patch

07 Mar 08:28

A number of security vulnerabilities were found in the wag management UI, thanks to @lachlan2k.

These issues do not impact the functionality of the port filtering or restrictions that wag may place on users. However, they are severe in their own right and should be addressed immediately.

They have been present since v4.1.1 when the management UI was included.

Security Fixes:

  • High Severity Stored XSS in the management console
  • High Severity CSRF in the management console
  • Low severity time based enumeration in the management console

v5.0.0 Port Filtering

05 Mar 08:00

Wag now gives administrators the option to define port filtering restrictions, so that specific users and groups are restricted not just by IP but also by protocol and service.

Features:

  • Extended wag acl syntax to filter ports and services (see below)
  • Add MFA reset to management UI

Bug Fixes:

  • Fix management UI not respecting TLS certificates
  • Fix typo in rules UI

ACL rule syntax (taken from readme)

The Policies section allows you to define what routes, ports and protocols should be both captured by the VPN and allowed through wag respectively.
Currently 3 types of port and protocol rules are supported:

Any

When no other rules are defined, or the any keyword is used, wag will allow all services and port combinations.

Example:

"1.1.1.1": Allows all ports and protocols to 1.1.1.1/32
"1.1.1.1 54/any": Allows port 54 over both tcp and udp to 1.1.1.1/32

Single Service

Example:

192.168.1.1 22/tcp 53/udp: Fairly self-explanatory; allows you to hit 22/tcp and 53/udp on the host
1.1.1.1 icmp: As icmp doesn't really have ports, you don't need to specify one

Ranges

You can also define a range of ports with a protocol. wag requires that the lower port comes first.

Example:

192.168.1.1 22-1024/tcp 23-53/any: Format is lowport-highport/service

v5.0.0-pre-release Port Filtering

04 Mar 22:13
Pre-release

This release brings port restrictions to wag, as per the feature request in #25.
It is a rather large change to the code, so it will likely bring some bugs; hence the pre-release.

Features:

  • Wag ACLs are now able to define port, protocol and port range restrictions.

ACL rule syntax

The Policies section allows you to define what routes, ports and protocols should be both captured by the VPN and allowed through wag respectively.
Currently 3 types of port and protocol rules are supported:

Any

When no other rules are defined, or the any keyword is used, wag will allow all services and port combinations.

Example:

"1.1.1.1": Allows all ports and protocols to 1.1.1.1/32
"1.1.1.1 54/any": Allows port 54 over both tcp and udp to 1.1.1.1/32

Single Service

Example:

192.168.1.1 22/tcp 53/udp: Fairly self-explanatory; allows you to hit 22/tcp and 53/udp on the host
1.1.1.1 icmp: As icmp doesn't really have ports, you don't need to specify one

Ranges

You can also define a range of ports with a protocol. wag requires that the lower port comes first.

Example:

192.168.1.1 22-1024/tcp 23-53/any: Format is lowport-highport/service
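The rule grammar described in both ACL syntax sections above, as an added Go example that is not wag's own parser: it accepts the bare host, port/proto, low-high/proto, icmp and any forms, and rejects a reversed range because wag requires the lower port first. The type and function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Service is one parsed rule element: port/proto, low-high/proto, icmp or any.
type Service struct {
	Proto     string
	Low, High int // both 0 for icmp and any
}

// ParseRule parses one wag ACL rule, e.g. "192.168.1.1 22-1024/tcp 53/udp".
// A bare host, or the any keyword, allows all ports and protocols. wag needs
// the lower port first in a range, so a reversed range such as 53-23/any is
// rejected here rather than silently swapped.
func ParseRule(rule string) (host string, services []Service, err error) {
	fields := strings.Fields(rule)
	if len(fields) == 0 {
		return "", nil, errors.New("empty rule")
	}
	host = fields[0]
	if len(fields) == 1 {
		return host, []Service{{Proto: "any"}}, nil
	}
	for _, f := range fields[1:] {
		if f == "any" || f == "icmp" {
			services = append(services, Service{Proto: f})
			continue
		}
		ports, proto, ok := strings.Cut(f, "/")
		if !ok || (proto != "tcp" && proto != "udp" && proto != "any") {
			return "", nil, fmt.Errorf("bad service %q: want port/tcp, port/udp or port/any", f)
		}
		lo, hi, isRange := strings.Cut(ports, "-")
		if !isRange {
			hi = lo // a single port is the range low..low
		}
		low, err1 := strconv.Atoi(lo)
		high, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || low < 1 || high > 65535 || low > high {
			return "", nil, fmt.Errorf("bad port or reversed range in %q", f)
		}
		services = append(services, Service{Proto: proto, Low: low, High: high})
	}
	return host, services, nil
}
```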

v4.1.3

03 Mar 22:56

Another small release, to remove the requirement for OIDC group claims to have the group: prefix.

Changes:

  • OIDC groups will now have group: added to them automatically, to match wag groups

v4.1.2

02 Mar 22:09

Small release just to fix a DNS bug.

Bug Fixes:

  • Wireguard.DNS values would erroneously have IP address subnets (/32) appended to them when generating the wireguard quick config file on registration

v4.1.1 - Web UI, OIDC and Webauthn

11 Feb 01:17

A huge release which incorporates several months of work. This almost certainly contains breaking changes (and maybe some bugs).

Most notably this release adds:

  • Multiple MFA methods, such as Webauthn and OIDC.
  • A web administration user interface

v4.1.1

Breaking changes:

  • Multiple configuration options have been moved to more appropriate places
  • A new configuration option for specifying which MFA method is selected is now called Authenticators
  • Issuer has been moved to Authenticators.Issuer
  • DNS has been moved under Wireguard.DNS

Features:

  • The ManagementUI field is now a configurable option in the wag config, which allows a user to define the listening address, certificates and whether the UI is enabled
  • wag webadmin is now a subcommand of the wag binary, which allows for all standard user management functionality. Web administration users must be added via the command line only
  • The wagctrl package has more API endpoints for controlling and fetching wag data
  • config.json now allows users to specify ExposePorts, which adds iptables rules to allow said ports to reach the vpn host (useful for proxying); closes #27
  • By default wag will now generate and insert a PresharedKey (thanks to #26)

Bug Fixes:

  • Fixed a bug where the build process was not injecting wag's version correctly
  • Fixed a small bug where, on save, some json fields would be null instead of absent
  • Fixed a bug where adding two users with no MFA would throw a unique column error
  • Fixed an issue where, when wag is behind a reverse proxy, the web proxy port was not exposed to the end user, leaving them unable to complete MFA

v3.2.1-pre-release

Bug Fixes:

  • Fix nil panic on config reload
  • Set default socket selection to the users command submodule
  • Fix registrations failing due to a string not being nullable when pulled from the sqlite db

v3.2.0-pre-release

Breaking changes:

  • The wagctl library client now requires the use of NewControlClient(socketPath string) instead of calling control methods directly

Changes:

  • The /status/ endpoint, rather than /routes/, is now used for getting route and authorisation status
  • Registration now takes an optional -group or -groups argument, which sets a user's groups so that, when used with OIDC, a user can register and get a valid wireguard configuration file without having to be listed by name in config.json
  • Successful authorisation page now has a logout link
  • Wag will no longer remove socket and wireguard device if another wag instance is detected to be managing it

Features:

  • config.json now supports the Socket field, which specifies where wag will put its control socket, so you can run multiple wag instances on one server

Bug Fixes:

  • Two or more users could not have reset MFA methods at the same time; this is now fixed
  • Two or more users can now have the OIDC authentication method

v3.1.0-pre-release

Features:

  • oidc method now available in Authenticators.Methods
  • Authenticators.OIDC contains configuration options for the IdP

Bug Fixes:

  • Server public key and client private key are no longer HTML entity encoded (since v3.0.0-pre-release)

v3.0.0-pre-release

Changes:

  • Content Security Policy now allows script-src: self
  • SIGPIPE is no longer considered an exit condition

Features:

  • The tunnel server now has a /public_key route to return the wireguard public key
  • Device registration can now display configuration as a QR code for mobile devices (use /register_device?type=mobile)
  • Wag now supports both TOTP and Webauthn authorisation methods
  • The configuration file now allows for specification of default authentication method, and enabled methods

Bug Fixes:

  • Denial of service due to an unreleased lock if a user re-uses a valid code within 30 seconds (basically impossible to hit)

v3.2.1-pre-release

10 Jan 07:06
Pre-release

Bug fix release for the previous pre-release.

Bug Fixes:

  • Fix nil panic on config reload
  • Set default socket selection to the users command submodule
  • Fix registrations failing due to a string not being nullable when pulled from the sqlite db