v0.36.7

What's Changed

• [client] Fix priority handling by @pappz in #3313
• [client] Use GPO DNS Policy Config to configure DNS if present by @lixmal in #3319

Full Changelog: v0.36.6...v0.36.7

v0.36.6

What's Changed

• Bump golang.org/x/net from 0.30.0 to 0.33.0 by @dependabot in #3218
• [client, server] Cleanup magiconair usage from repo by @pappz in #3276
• Management REST Client Code by @mohamed-essam in #3278
• [client] use embedded root CA if system certpool is empty by @hakansa in #3272
• [misc] Replace Wiretrustee with Netbird by @lixmal in #3267
• [client] Fix acl empty port range detection by @lixmal in #3285
• [relay] Use new upstream for nhooyr.io/websocket package by @paralin in #3287
• [client] Fix grouping of peer ACLs with different port ranges by @lixmal in #3289
• [client] Fix nil pointer exception when load empty list and try to cast it by @pappz in #3282
• [management] Check groups when counting peers on networks list by @pascal-fischer in #3284
• [management] add logs for grpc API by @pascal-fischer in #3298
• [client] Add experimental support for userspace routing by @lixmal in #3134
• [signal] Fix context propagation in signal server by @4thel00z in #3251
• [client, relay] Fix/wg watch by @pappz in #3261
• [client] Support dns upstream failover for nameserver groups with same match domain by @lixmal in #3178
• [client] Fix dns handler chain test by @lixmal in #3307
• [client] Check for fwmark support and use fallback routing if not supported by @lixmal in #3220
• [client] Enable userspace forwarder conditionally by @lixmal in #3309
• fix integration tests by @pnmcosta in #3311

New Contributors

• @hakansa made their first contribution in #3272
• @paralin made their first contribution in #3287
• @4thel00z made their first contribution in #3251
• @pnmcosta made their first contribution in #3311

Full Changelog: v0.36.5...v0.36.6

v0.36.5

What's Changed

• [client] Replace engine probes with direct calls by @lixmal in #3195
• Update sign pipeline version by @mlsmaycon in #3246
• [client] Add missing peer ACL flush by @lixmal in #3247

Full Changelog: v0.36.4...v0.36.5

v0.36.4

What's Changed

• [client] Allow freebsd to build netbird-ui by @lixmal in #3212
• [management] Refactor peers to use store methods by @bcmmbaga in #2893
• [misc] Fix: typo in test output by @JinxCappa in #3216
• [management] remove peer from group on delete by @pascal-fischer in #3223
• [management] disable prepareStmt for sqlite by @pascal-fischer in #3228
• [client] Fix freebsd default routes by @lixmal in #3230
• [client] Use correct stdout/stderr log paths for debug bundle on macOS by @lixmal in #3231
• [client] Back up corrupted state files and present them in the debug bundle by @lixmal in #3227
• [client] Match more specific dns handler first by @lixmal in #3226
• [client] Mark redirected traffic early to match input filters on pre-DNAT ports by @lixmal in #3205
• [management] use account request buffer on sync by @pascal-fischer in #3229
• [management/signal/relay] add metrics descriptions by @pascal-fischer in #3233
• [client] Support port ranges in peer ACLs by @lixmal in #3232
• [client] Use dynamic dns route resolution on iOS by @lixmal in #3243
• [management] copy source and destination resource on policyRule copy by @pascal-fischer in #3235

New Contributors

• @JinxCappa made their first contribution in #3216

Full Changelog: v0.36.3...v0.36.4

v0.36.3

What's Changed

• [client] Close ice agent only if not nil by @mlsmaycon in #3210

Full Changelog: v0.36.2...v0.36.3

v0.36.2

What's Changed

• [relay] Don't start relay quic listener on invalid TLS config by @lixmal in #3202
• [management] Fix network migration issue in Postgres by @bcmmbaga in #3198
• [management] add duration logs to Sync by @pascal-fischer in #3203

Full Changelog: v0.36.1...v0.36.2

v0.36.1

What's Changed

• [client] Fix windows info out of bounds panic by @lixmal in #3196

Full Changelog: v0.36.0...v0.36.1

v0.36.0

Release notes

This release introduces initial support to QUIC as a protocol for relay servers, MySQL support for store, and rootless container support for the client running Netstack mode. We also added support for disabling system flags in the client, and optional ZITADEL PAT configuration in the management service among other enhancements and bug fixes.

New features

QUIC Protocol Support

Added initial support for the QUIC protocol in the client and relay server, improving connection reliability and performance. For self-hosted admins that want to try this out, you should ensure that the relay server has TLS certificates configured and that the main listening port is available in both, TCP and UDP.

Rootless Container Support

Implemented rootless container support for the client running in Netstack mode, enabling secure and compatible operation without requiring privileged permissions or Linux capabilities.

You can use the images netbirdio/netbird:rootless-latest or netbirdio/netbird:0.36.0-rootless for this mode.

Learn more about how to enable Netstack mode in the documentation.

MySQL Support

Added MySQL support for the management service, allowing users to store data in a MySQL database. This feature is particularly useful for organizations that prefer MySQL as their database backend.

If you want to start a new deployment with MySQL, you can use the environment variable NETBIRD_STORE_CONFIG_ENGINE=mysql and NETBIRD_STORE_ENGINE_MYSQL_DSN="<username>:<password>@tcp(127.0.0.1:3306)/<database>" in the setup.env file.

We are counting on your feedback and community contributions to improve documentation for this support.

Enhancements

New system flags to disable a few features on the client side

We are introducing a set of new flags that allow users to disable specific features on the client side. This is particularly useful for users who wants more control over their system configurations.

The new flags are available with the netbird up command, see the flags below:

      --disable-client-routes           Disable client routes. If enabled, the client won't process client routes received from the management service.
      --disable-dns                     Disable DNS. If enabled, the client won't configure DNS settings.
      --disable-firewall                Disable firewall configuration. If enabled, the client won't modify firewall rules.
      --disable-server-routes           Disable server routes. If enabled, the client won't act as a router for server routes received from the management service.

Optional ZITADEL PAT Configuration

Enabled optional configuration of a Personal Access Token (PAT) for ZITADEL in the management service, enhancing authentication options for users who want to use ZITADEL as their identity provider.

To configure the ZITADEL PAT, you can use the environment variable NETBIRD_IDP_MGMT_EXTRA_PAT=<secret> in the setup.env file.

What's Changed

• [misc] separate integration and benchmark test workflows #3147
• [misc] remove outdated readme header #3151
• [misc] upgrade go to 1.23 in devcontainer #3160
• [misc] add missing relay to docker-compose.yml.tmpl.traefik #3163
• [misc] Skip docker step when fork PR #3175
• [misc] Fix gvisor.dev/gvisor commit #3179
• [relay] Handle IPv6 addresses in X-Real-IP header on relay service #3085
• [relay] Code cleaning in message marshalling #3074
• [relay] Set InitialPacketSize to the maximum allowable value #3188
• [client] Enable network map persistence by default #3152
• [client] Add rootless container and fix client routes in netstack mode #3150
• [client] Add disable system flags #3153
• [client] Prevent local routes in status from being overridden by updates #3166
• [client] Don't fail on v6 ops when disabled via kernel params #3165
• [client] Update fyne to v2.5.3 #3155
• [client] client: make /var/lib/netbird paths configurable #3084
• [client] Support non-openresolv for DNS on Linux #3176
• [client] Allow ssh server on freebsd #3170
• [client] Disable DNS host manager for netstack mode #3183
• [client] Fix a panic on shutdown if dns host manager failed to initialize #3182
• [client] add serial, product model, product manufacturer for Android #2958
• [client] Add QUIC support #2962
• [client] Remove outbound chains #3157
• [client] Add block lan access flag for routers #3171
• [client] Flush macOS DNS cache after changes #3185
• [client] Report client system flags to management server on login #3187
• [management] Add integration test for the setup-keys API endpoints #2936
• [management] exclude self from network map if self is routing peer #3142
• [management] add users benchmark #3141
• [management] add peers benchmark #3143
• [management] Add MySQL Support #3108
• [management] Add support for disabling resources and routing peers in networks #3154
• [management] Send relay credentials with turn updates #3164
• [Management] Send peer network map when SSH status is toggled #3172
• [management] adjust benchmark #3168
• [Management] Enable new network resources and routers by default #3174
• [management] enable optional zitadel configuration of a PAT #3159
• [management] fix groups delete and resource create and update error response #3189

New Contributors

• @si458 made their first contribution in #3160
• @jameshilliard made their first contribution in #3179

Full Changelog: v0.35.2...v0.36.0

v0.35.2

What's Changed

• [management] Add missing group usage checks for network resources and routes access control by @bcmmbaga in #3117
• [management] remove ids from policy creation api by @pascal-fischer in #2997
• [management] Fix networks net map generation with posture checks by @mlsmaycon in #3124
• [management] add selfhosted metrics for networks by @pascal-fischer in #3118
• [client] Ignore case when matching domains in handler chain by @lixmal in #3133
• [client] Allow inbound rosenpass port by @lixmal in #3109
• [management] Preserve jwt groups when accessing API with PAT by @bcmmbaga in #3128
• [management] remove sorting from network map generation by @pascal-fischer in #3126
• [management] Fix policy tests by @mlsmaycon in #3135

Full Changelog: v0.35.1...v0.35.2

v0.35.1

What's Changed

• [client] Don't fail debug if log file is console by @lixmal in #3103
• [client] Fix inbound tracking in userspace firewall by @lixmal in #3111

Full Changelog: v0.35.0...v0.35.1