Releases: NHAS/wag
v9.0.0
After several months' work, wag version 9 is being released.
This release has a number of massive changes and improvements. As this is a major version change, it may contain breaking changes. Best effort has been made to port over data from 8.0.1, but as the internal structure for how groups are managed has changed, this may break.
New Features:
- Completely redesigned administrative and user MFA pages to use a more modern and reactive framework (and it looks good!)
- ACME
  - Support on all TLS enabled endpoints (management, registration and tunnel).
  - Support for DNS-01 challenge via Cloudflare token
- MFA portal
  - Uses websockets to update the user in real time on whether their account/device is locked
  - Notifications are now built in, a user can allow notifications to be prompted to re-authorise
  - Authorisation page now shows allowed/mfa routes and wag version
- IPv6 has been partially enabled, routes now support IPv6
- Cluster errors now give notifications on the administrative page
- OIDC can now take custom scopes thanks to @mohgho
- Registration tokens can now define a static IP to assign to a device rather than dynamically determining a new IP address
Changes:
- Fonts are now included locally within the application as per #128
- eBPF and specific kernel versions are no longer required as this has been moved entirely into golang userspace (bye ebpf 😢 )
- Using GitHub's container registry, the unstable branch is now available to administrators
- The reload command has been removed as it is redundant per #143
- Devices will now reauth automatically if a user moves quickly then supplies a challenge (fixes some roaming issues users have)
- TLSManagerListenURL is no longer a required field, but not supplying it will mean setting up a cluster is not possible
- SQLite compatibility has now been removed entirely
Breaking changes:
- OIDC callback has been changed from /authorise/oidc to /api/oidc/authorise/callback due to API redesign
- /status on the tunnel has now been moved to /api/status
- /routes on the tunnel has now been moved to /api/routes, this may be temporarily reverted as per #185 targeting 9.0.1
Security Fixes:
- A number of third party libraries have been updated to remediate issues picked up by dependabot
- OIDC now correctly associates the subject rather than the user email address as per #117
Full Changelog: v8.0.1...v9.0.0
v8.0.1
Adds a fix presented by softScheck for their PAM module.
Due to a copy and paste mistake, retrieving the PAM details was not possible. Now it is!
v8.0.0 Clustering
This release finalises the clustering work that has been ongoing since Nov 7th 2023 and rolls up the beta versions into an actual release.
To summarise the changes:
Wag can now be deployed in a cluster using etcd as an event management system to deploy changes across multiple wag instances.
Features:
- The WireGuard peer diagnostics page now shows number of bytes sent/received #94
- WebAuthn keys will hopefully no longer prompt for PIN code #89
- Add clustering admin UI page for adding wag nodes to cluster #24
- wag start now supports the -join flag for taking a cluster join token
- ServerPersistentKeepAlive now configures the keep-alives set by the server to the client to resolve #64
- Wag now has a notifications system for the admin UI that will now note errors, policy application failures and updates
- Adds new diagnostic tools to the admin user interface to check ACLs that are applied to a username and test firewall policy decision
v8.0.0-beta17 Clustering
Fix a bug that would cause 100% CPU consumption on websocket disconnection
v8.0.0-beta16 Clustering
Fixed a small issue with OIDC that prevented the websocket liveness check from working properly.
v8.0.0-beta15 Clustering
Fix an issue where the secure cookie handler was getting an invalid AES key size (breaks OIDC)
v8.0.0-beta14 Clustering
Bunch of improvements and changes.
Features:
- Member nodes now show version in membership page
Bug Fixes:
- Weaken node association requirements due to pain and suffering
- Add websocket liveness check to keep session alive #108
v8.0.0-beta13 Clustering
Small bug fix for an issue that resulted in unusable OIDC users.
v8.0.0-beta12 Clustering
This is a bug fix release for the upcoming v8.0.0 release. It fixes a rather serious issue where deny rules were not being inserted into the firewall, because they were not being added in the function which compiles ACLs. It also improves the wag API.
Bug Fixes:
- Remove iptables port 80 rule that was being left hanging on wag restarts thanks #75
- Fix Deny rules not being added during user ACL determination
- Fix ACLs having duplicates
Changes:
- The wag unix socket api is now more complete, and contains most functionality found in the admin UI in case someone wants to create another one
- Improves deauthentication messages with reason for deauth
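The two ACL fixes in this release (missing deny rules and duplicate entries) belong to a class of bug that a small regression test catches. The following is an added example, not wag's own code: the Policy type, CompileACL, mergeUnique and the sample data are hypothetical names and constructed values used only to illustrate merging per-user and per-group policies.

```go
package main

import "fmt"

// Policy holds the three rule lists of one ACL entry (shape assumed for this example).
type Policy struct {
	Mfa, Allow, Deny []string
}

// mergeUnique appends rules to dst, skipping any rule already recorded in seen.
func mergeUnique(dst []string, seen map[string]bool, rules []string) []string {
	for _, r := range rules {
		if !seen[r] {
			seen[r] = true
			dst = append(dst, r)
		}
	}
	return dst
}

// CompileACL folds the wildcard, user and group policies into one effective policy.
func CompileACL(policies map[string]Policy, user string, groups []string) Policy {
	var out Policy
	seenMfa, seenAllow, seenDeny := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, key := range append([]string{"*", user}, groups...) {
		p := policies[key] // a missing key yields an empty Policy
		out.Mfa = mergeUnique(out.Mfa, seenMfa, p.Mfa)
		out.Allow = mergeUnique(out.Allow, seenAllow, p.Allow)
		// Dropping this line reproduces the class of bug described above:
		// the compiled ACL silently loses every deny rule.
		out.Deny = mergeUnique(out.Deny, seenDeny, p.Deny)
	}
	return out
}

// samplePolicies returns constructed test data, not a real wag configuration.
func samplePolicies() map[string]Policy {
	return map[string]Policy{
		"*":            {Allow: []string{"10.0.0.1/32"}},
		"alice":        {Allow: []string{"10.0.1.1/32"}, Deny: []string{"10.0.0.5/32"}},
		"group:admins": {Mfa: []string{"10.0.0.0/24"}, Allow: []string{"10.0.0.1/32"}, Deny: []string{"10.0.0.5/32"}},
	}
}

func main() {
	acl := CompileACL(samplePolicies(), "alice", []string{"group:admins"})
	fmt.Printf("mfa=%v allow=%v deny=%v\n", acl.Mfa, acl.Allow, acl.Deny)
}
```

Asserting on the compiled deny list, and not only on the allow and MFA lists, is what turns a silently permissive firewall into a failing test.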
v8.0.0-beta11 Clustering
Continuing the cleanup from the etcd work, this release closes a tiny issue that may affect users who have no membership information, which can cause issues editing existing user groups.
Bug Fix:
- In certain situations a user may not have populated the wag-membership-username key, causing group modifications to fail