v0.10.0

New Features

Groups support ⭐

We now support group management, including:

• Every VPN Location can now be protected by defined group access (previously only: All users || Admins)
• In OpenID Apps - for each app you can also include Group Scope - and when user logs in with defguard to an application, all groups that the user is part of is returned in the OIDC token

SSH & GPG keys management

Now any user can add/delete (manage) their public SSH & GPG keys, which is great for managing access to your servers with SSH keys from defguard. More in docs here: https://defguard.gitbook.io/defguard/admin-and-features/ssh-authentication

New YubiKey provisioning and management

after provisioning a YubiKey - the YK it’s visible in the user profile with serial number as well as GPG & SSH public keys corresponding to the YKs private keys
Also, there is a new look for YubiKey provisioning (in the key management dialog)

A lot of enhancements

• proxy now has detailed logs with IP addresses and business logs - a lot of users asked for that to implement fail2ban since the proxy is a public service

• Phone number is now optional during enrollment

Fixes

• MFA disconnecting bug
• email validation when adding a new user

Full Changelog: v0.9.0...v0.10.0

v0.9.0

New Features

Before upgrading please read upgrade notes

WireGuard Multi-Factor Authentication ⭐

We are introducing first of its kind Multi-Factor Authentication for WireGuard with TOTP/Email codes and WireGuard Pre-Shared Session Keys.

This feature requires the new release 0.2 of our desktop client, more details can be found in documentation

New Desktop Client 💻

• Finally a Windows release!
• Supporting any WireGuard server - you can now use one client for defguard instances + any other WireGuard servers you have - just import your current configurations by adding WireGuard Tunnel
• Live Logs, VPN Details, Settings!
• Update, Remove Instance/Tunnel
• Dark Theme! ;-)

WARNING - if you are upgrading from 0.1.x please read upgrade notes

Password Reset

Users can now use the enrollment service to reset their passwords!
This feature requires proxy to be deployed and SMTP server to be configured.

Enterprise Support

As many requested, we have introduced Enterprise Support, hopefully, support can maintain our efforts in building this awesome Open Source project!

Other Changes

• chore: update axum to 0.7 and other dependencies by @moubctez in #465
• fix: enrollment e2e fixes by @blazej-teonite in #472
• feat: groups as roles by @moubctez in #467
• feat: group management API by @moubctez in #479
• fix: allow safe special chars in username and password for users by @filipslezaklab in #493
• feat: update instance & location info in client enrollment by @wojcik91 in #492
• docs: e2e readme by @filipslezaklab in #495
• feat: reverse proxy gRPC service communication by @moubctez in #496
• fix: allow username special chars by @wojcik91 in #505
• fix: update username validation in login form by @wojcik91 in #510
• fix: add missing port to location endpoint in desktop client instance update by @wojcik91 in #514
• fix: return default logo if empty by @filipslezaklab in #519

Full Changelog: v0.8.0...v0.9.0

v0.8.0

New features:

⭐ Desktop Clients 💻 ⭐

We have released the official (and beautiful ❤️) macOS and Linux desktop clients supporting multiple defguard instances and automatically configuring all Locations in the instance.

You can download them from client release page and read here how easy it is to configure the desktop client.

Windows desktop client is in development and will be released soon

Desktop client user enrollment and onboarding

When Remote enrollment is enabled while adding a new user, the user can now choose enrollment via Web Browser or Desktop client.

All instructions are sent to the newly created user via email.

Multi-Factor Authentication via Email codes

A new MFA method has been added, utilizing codes sent via email.

Email notifications about important changes

Defguard now sends email notifications informing about important actions that took place:

Each email has information about the date, IP address, browser, and device that was used to act.

SSH authorized keys endpoint

Please read the documentation on how to easily configure your SSH server to access SSH keys, that are stored in Defguard (privision via YubiKey provisioning).

In the next release, the user will be able to manage any SSH keys, not only the ones provisioned via YK provisioning.

LDAP configuration via Settings

In defguard settings, a new tab is dedicated to configure and test LDAP server configuration.

wireguard-rs library and crate

Our gateway and desktop client now use a unified Rust library - wireguard-rs providing unified WireGuard interface to native/kernel and userspace implementations.
The crate (besides Wireguard) also supports:

• Peer routing - see WGApi docs.
• Configuring DNS resolver - see WGApi docs.
  ** On FreeBSD network interfaces are managed using ioctl.
  ** On Linux, handle network routing using netlink.
  ** fwmark handling

Fixes

A lot! of fixes

New Contributors

• @blazej-teonite made their first contribution in #402

Full Changelog: v0.7.1...v0.8.0

v0.7.1

New features

One-line install

We've created a one-line install script to simplify your first defguard deployment.
You should now be able to get your own instance running on a private VPS just by setting a couple environment variables and running:

curl --proto '=https' --tlsv1.2 -sSf -L https://raw.githubusercontent.com/DefGuard/deployment/main/docker-compose/setup.sh -O && bash setup.sh

To learn more about prerequisites and available options see our documentation.

Other Changes

• style(ui): update components by @filipslezaklab in #326
• refactor: migrate to Sqlx 0.7 by @moubctez in #327
• feat: add subcommand to initialize first VPN location by @wojcik91 in #329
• fix: add missing libssl dependency in Docker image by @wojcik91 in #331
• fix(ui): yubikeys provisioning by @filipslezaklab in #334
• fix: device avatar ui by @filipslezaklab in #337

Full Changelog: v0.7.0...v0.7.1

v0.7.0

New features:

Remote user enrollment process

The main defguard concept is that the core (with the database) should be deployed securely and not available from the public Internet (accessible only from the internal network or VPN). This approach raised a significant problem with onboarding new remote users: how can users access defguard, set up password, and add their devices to access VPN or change their password if they can't access defguard?

We introduced a public proxy that now enables a secure enrollment process, during which the user can: double-check their data, setup their password, and add their initial device to access VPN as a nice wizard!

In the future we plan to add more functionalities to the public proxy - like password reset for users.

User onboarding after enrollment

Now you can easily share with new users any relevant company information, links to company systems, security guidelines, etc. In the enrollment module, you can write custom messages using markdown that will be shown on the last step of the enrollment process and sent to the user via email:

Email/SMTP support

In Setup -> SMTP tab you can setup and test your SMTP for sending email (for enrollment and onboarding).
SMTP setup is required in order for enrollment & onboarding to work.

Send debug/support information

Now you can go to Settings -> Support and download (or send via email automatically if you have setup SMTP) support data & logs if you need our help/assistance!
Or you can use them when submitting a bug.

UI Library

Our beautiful React UI is now a collection of React components, that can be used in other projects! Get it at: https://github.com/defguard/ui (now used in Core & Proxy - soon desktop clients).

Native FreeBSD Wireguard Kernel support

Our gateway now supports native kernel Wireguard implementation - and we released a FreeBSD package.

OPNSense Plugin

On the gateway release page you will now find OPNSense Plugin package (named: defguard-gateway_0.5.2_x86_64-unknown-opnsense.txz)

Other Changes

• feat: support forward auth for reverse proxies by @wojcik91 in #309
• Do not trigger builds on documentation. by @teon in #268
• Rewrite select macro with conditional by @j-chmielewski in #269
• Fix docker build by @j-chmielewski in #270
• fix: username, first & last name validation by @j-chmielewski in #272
• refactor: switch templating engine from handlebars to tera by @j-chmielewski in #275
• feat: handle SMTP errors on SMTP settings page by @j-chmielewski in #274
• feat: send enrollment success notification to admin by @wojcik91 in #297
• Added test for adding user to admin group by @kchudy in #298
• feat: download debugging/support information and logs or send them via email by @j-chmielewski in #277
• Fix: Mail templates styling by @dzania in #303
• feat: defguard-ui by @filipslezaklab in #304
• 284 e2e test change user password by @kchudy in #302
• fix: overview device card connection time refresh by @filipslezaklab in #267
• fix: select by @filipslezaklab in #311
• style: add user modal by @filipslezaklab in #313
• fix: missing enrollment settings field by @filipslezaklab in #314
• 279 e2e test enrollment process by @dzania in #312
• Fix: Hide sensitive data in support information by @dzania in #315

New Contributors

• @kchudy made their first contribution in #265
• @teon made their first contribution in #268

Full Changelog: v0.6.1...v0.7.0

v0.6.2

What's Changed

• fix: username, first & last name validation by @j-chmielewski

Full Changelog: v0.6.1...v0.6.2

v0.6.1

What's Changed

Exciting New Features 🎉

• feat: purge wireguard stats by @wojcik91 in #260

Other Changes

• fix(CLI): fix init_dev_env command by @wojcik91 in #261
• fix(CLI): fix init_dev_env command pt. 2 by @wojcik91 in #262
• feat: card tabs layout component by @filipslezaklab in #263

Full Changelog: v0.6.0...v0.6.1

v0.6.0

What's Changed

Exciting New Features 🎉

• Multiple VPN Locations (networks/sites) - defguard now supports multiple VPN Locations (networks/sites) with possibility to define access to the selected Location/VPN (all users or only for Admin group).
• Multiple Gateway’s for each VPN Location (for high availability/failover) - if you have a cluster of multiple routers/firewalls (Linux/FreeBSD/OPNSense) now you can spawn on each of them Defguard Gateway with each gateway status shown on the Network Overview - see example here

Other Changes

• User phone number is now optional (submited by @alec-hs)
• fix: example yubi-bridge command by @filipslezaklab in #203
• chore(deps): update web deps by @filipslezaklab in #204
• feat(CLI): validate secret key length by @wojcik91 in #207
• fix(gRPC): prevent username enumeration by @wojcik91 in #208
• feat(API): prevent username enumeration by non admins by @wojcik91 in #209
• fix(web): user profile data handling by @filipslezaklab in #220
• feat: gateway name by @wojcik91 in #221
• fix(VPN): fix network stats queries by @wojcik91 in #222
• style: responsive update by @filipslezaklab in #225
• fix(e2e): account for api changes by @filipslezaklab in #226
• feat: redirect message in openid flow by @filipslezaklab in #228
• feat: preload all fonts by @filipslezaklab in #229
• style: navigation rework by @filipslezaklab in #230
• style: updated button component by @filipslezaklab in #231
• feat(VPN): location access filter by @wojcik91 in #224
• fix: overview networks stats chart by @filipslezaklab in #234
• fix: device card ip info by @filipslezaklab in #236
• fix: network chart scaling by @filipslezaklab in #237
• refactor: use hostname to identify gateways by @wojcik91 in #241
• fix(style): overview network cards in viewports below 400 by @filipslezaklab in #243
• fix: overview network selection by @filipslezaklab in #244
• fix: webhooks page query invalidation by @filipslezaklab in #245
• fix(style): floating box z-index by @filipslezaklab in #246
• feat: delete network by @filipslezaklab in #247
• fix: settings updated by @filipslezaklab in #248
• feat: change self password by @filipslezaklab in #250
• test: add integration tests for network allowed groups by @wojcik91 in #252
• fix: prevent unnecessary gateway reconnect by @wojcik91 in #253

Full Changelog: v0.5.4...v0.6.0

v0.5.4

What's Changed

Exciting New Features 🎉

• feat(VPN): support multiple gateways by @wojcik91 in #198

Other Changes

• test(e2e): vpn wizard and add device form by @filipslezaklab in #191
• chore: add more webauthn passkey registration logs by @wojcik91 in #192
• feat: inform user if webauthn key is already registered by @filipslezaklab in #195
• fix: prevent invalid MFA state when removing auth factors by @wojcik91 in #197
• feat: validate if device name already exists on user by @filipslezaklab in #199
• fix: update example command to run gateway by @wojcik91 in #200
• fix(MFA): properly handle adding new wallets for MFA by @wojcik91 in #201
• feat: manage authorized apps in user edit mode by @filipslezaklab in #194
• fix: disable ability to add devices when network is not present by @filipslezaklab in #196

Full Changelog: v0.5.3...v0.5.4

v0.5.3

What's Changed

Other Changes

• test: recovery codes e2e by @filipslezaklab in #188
• fix(VPN): close update streams properly & prevent connecting multiple gateway clients by @wojcik91 in #187
• test: wizard import vpn config by @filipslezaklab in #189

Full Changelog: v0.5.2...v0.5.3