DefGuard · j-chmielewski · Dec 17, 2025 · Nov 20, 2025 · Nov 21, 2025 · Nov 24, 2025
diff --git a/.fpm b/.fpm
@@ -3,3 +3,4 @@
 --description "Defguard Core service"
 --url "https://defguard.net/"
 --maintainer "Defguard"
+--config-files /etc/defguard/core.conf
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,10 +23,12 @@ jobs:
     uses: ./.github/workflows/build-docker.yml
     with:
       tags: |
-        type=raw,value=latest
         type=semver,pattern={{version}}
         type=semver,pattern={{major}}.{{minor}}
         type=sha
+      # Explicitly disable latest tag. It will be added otherwise.
+      flavor: |
+        latest=false
 
   build-docker-prerelease:
     # Only build tags with -, like v1.0.0-alpha

diff --git a/.github/workflows/test-web.yml b/.github/workflows/test-web.yml
@@ -0,0 +1,39 @@
+on:
+  push:
+    branches:
+      - main
+      - dev
+      - "release/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+  pull_request:
+    branches:
+      - main
+      - dev
+      - "release/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+
+permissions:
+  contents: read
+jobs:
+  test-web:
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: "recursive"
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+      - name: install deps
+        working-directory: ./web
+        run: |
+          npm i -g npm pnpm
+          pnpm i --frozen-lockfile
+      - name: Run tests
+        working-directory: ./web
+        run: pnpm run test
diff --git a/.sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json b/.sqlx/query-160d23b882d0465fbc8c5453b7dba68521649ba86985d45049487ae50d7dfde8.json
diff --git a/.sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json b/.sqlx/query-283e1c3d082f1388fc2b806bdcab715db1c1df67da573b0f132fea265e42b416.json
diff --git a/.sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json b/.sqlx/query-a644507ebcfb9ef04883ad8b07bb3dbb0fc747ae0843baa001e47ea328e49c25.json
diff --git a/.sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json b/.sqlx/query-ccd62ea7526078c9db47812e7f6a5e7829eae217ad9f7f3b0b03aa02f8808dc2.json
diff --git a/crates/defguard_core/build.rs b/crates/defguard_core/build.rs
@@ -9,6 +9,6 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             &["src/enterprise/proto/license.proto"],
             &["src/enterprise/proto"],
         )?;
-    println!("cargo:rerun-if-changed=src/enterprise");
+    println!("cargo:rerun-if-changed=src/enterprise/proto");
     Ok(())
 }
diff --git a/crates/defguard_core/src/auth/mod.rs b/crates/defguard_core/src/auth/mod.rs
@@ -22,7 +22,7 @@ use defguard_common::db::{
 
 use crate::{
     appstate::AppState,
-    enterprise::{db::models::api_tokens::ApiToken, is_enterprise_enabled},
+    enterprise::{db::models::api_tokens::ApiToken, is_business_license_active},
     error::WebError,
     handlers::SESSION_COOKIE_NAME,
 };
@@ -40,7 +40,7 @@ where
         let appstate = AppState::from_ref(state);
 
         // first try to authenticate by API token if one is found in header
-        if is_enterprise_enabled() {
+        if is_business_license_active() {
             let maybe_auth_header: Option<TypedHeader<Authorization<Bearer>>> =
                 <TypedHeader<_> as OptionalFromRequestParts<S>>::from_request_parts(parts, state)
                     .await

diff --git a/crates/defguard_core/src/enterprise/activity_log_stream/activity_log_stream_manager.rs b/crates/defguard_core/src/enterprise/activity_log_stream/activity_log_stream_manager.rs
@@ -10,7 +10,7 @@ use super::ActivityLogStreamReconfigurationNotification;
 use crate::enterprise::{
     activity_log_stream::http_stream::{HttpActivityLogStreamConfig, run_http_stream_task},
     db::models::activity_log_stream::{ActivityLogStream, ActivityLogStreamConfig},
-    is_enterprise_enabled,
+    is_business_license_active,
 };
 
 // check if enterprise features are enabled every minute
@@ -27,7 +27,7 @@ pub async fn run_activity_log_stream_manager(
     let mut enterprise_check_timer = interval(Duration::from_secs(ENTERPRISE_CHECK_PERIOD_SECS));
 
     // initialize enterprise features status
-    let mut enterprise_features_enabled = is_enterprise_enabled();
+    let mut enterprise_features_enabled = is_business_license_active();
 
     loop {
         let mut handles = JoinSet::<()>::new();
@@ -94,7 +94,7 @@ pub async fn run_activity_log_stream_manager(
                }
                _ = enterprise_check_timer.tick() => {
                     // check if enterprise features status has changed
-                    let current_enterprise_features_enabled = is_enterprise_enabled();
+                    let current_enterprise_features_enabled = is_business_license_active();
                     if current_enterprise_features_enabled != enterprise_features_enabled {
                         warn!("Activity log stream manager will reload, detected license enterprise features status has changed");
                         enterprise_features_enabled = current_enterprise_features_enabled;

diff --git a/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs b/crates/defguard_core/src/enterprise/db/models/enterprise_settings.rs
@@ -1,16 +1,16 @@
-use sqlx::{PgExecutor, query, query_as};
+use sqlx::{PgExecutor, Type, query, query_as};
 use struct_patch::Patch;
 
-use crate::enterprise::is_enterprise_enabled;
+use crate::enterprise::is_business_license_active;
 
 #[derive(Debug, Deserialize, Patch, Serialize)]
 #[patch(attribute(derive(Deserialize, Serialize)))]
 pub struct EnterpriseSettings {
-    // If true, only admins can manage devices
+    /// If true, only admins can manage devices
     pub admin_device_management: bool,
-    // If true, the option to route all traffic through the vpn is disabled in the client
-    pub disable_all_traffic: bool,
-    // If true, manual WireGuard setup is disabled
+    /// Describes allowed routing options for clients connecting to the instance.
+    pub client_traffic_policy: ClientTrafficPolicy,
+    /// If true, manual WireGuard setup is disabled
     pub only_client_activation: bool,
 }
 
@@ -20,8 +20,8 @@ impl Default for EnterpriseSettings {
     fn default() -> Self {
         Self {
             admin_device_management: false,
-            disable_all_traffic: false,
             only_client_activation: false,
+            client_traffic_policy: ClientTrafficPolicy::default(),
         }
     }
 }
@@ -35,11 +35,12 @@ impl EnterpriseSettings {
     {
         // avoid holding the rwlock across await, makes the future !Send
         // and therefore unusable in axum handlers
-        if is_enterprise_enabled() {
+        if is_business_license_active() {
             let settings = query_as!(
                 Self,
                 "SELECT admin_device_management, \
-                disable_all_traffic, only_client_activation \
+				client_traffic_policy \"client_traffic_policy: ClientTrafficPolicy\", \
+				only_client_activation \
                 FROM \"enterprisesettings\" WHERE id = 1",
             )
             .fetch_optional(executor)
@@ -57,11 +58,11 @@ impl EnterpriseSettings {
         query!(
             "UPDATE \"enterprisesettings\" SET \
             admin_device_management = $1, \
-            disable_all_traffic = $2, \
+			client_traffic_policy = $2, \
             only_client_activation = $3 \
             WHERE id = 1",
             self.admin_device_management,
-            self.disable_all_traffic,
+            self.client_traffic_policy as ClientTrafficPolicy,
             self.only_client_activation,
         )
         .execute(executor)
@@ -70,3 +71,17 @@ impl EnterpriseSettings {
         Ok(())
     }
 }
+
+/// Describes allowed traffic options for clients connecting to the instance.
+#[derive(Clone, Deserialize, Serialize, PartialEq, Eq, Type, Debug, Default, Copy)]
+#[sqlx(type_name = "client_traffic_policy", rename_all = "snake_case")]
+#[serde(rename_all = "snake_case")]
+pub enum ClientTrafficPolicy {
+    /// No restrictions
+    #[default]
+    None,
+    /// Clients are not allowed to route all traffic through the VPN.
+    DisableAllTraffic,
+    /// Clients are forced to route all traffic through the VPN.
+    ForceAllTraffic,
+}
diff --git a/crates/defguard_core/src/enterprise/directory_sync/mod.rs b/crates/defguard_core/src/enterprise/directory_sync/mod.rs
@@ -14,12 +14,12 @@ use sqlx::{PgConnection, PgPool, error::Error as SqlxError};
 use thiserror::Error;
 use tokio::sync::broadcast::Sender;
 
-#[cfg(not(test))]
-use super::is_enterprise_enabled;
 use super::{
     db::models::openid_provider::{DirectorySyncTarget, OpenIdProvider},
     ldap::utils::ldap_update_users_state,
 };
+#[cfg(not(test))]
+use crate::enterprise::is_business_license_active;
 use crate::{
     enterprise::{
         db::models::openid_provider::DirectorySyncUserBehavior,
@@ -390,7 +390,7 @@ pub(crate) async fn test_directory_sync_connection(
     pool: &PgPool,
 ) -> Result<(), DirectorySyncError> {
     #[cfg(not(test))]
-    if !is_enterprise_enabled() {
+    if !is_business_license_active() {
         debug!("Enterprise is not enabled, skipping testing directory sync connection");
         return Ok(());
     }
@@ -415,7 +415,7 @@ pub(crate) async fn sync_user_groups_if_configured(
     wg_tx: &Sender<GatewayEvent>,
 ) -> Result<(), DirectorySyncError> {
     #[cfg(not(test))]
-    if !is_enterprise_enabled() {
+    if !is_business_license_active() {
         debug!("Enterprise is not enabled, skipping syncing user groups");
         return Ok(());
     }
@@ -975,7 +975,7 @@ pub(crate) async fn do_directory_sync(
     wireguard_tx: &Sender<GatewayEvent>,
 ) -> Result<(), DirectorySyncError> {
     #[cfg(not(test))]
-    if !is_enterprise_enabled() {
+    if !is_business_license_active() {
         debug!("Enterprise is not enabled, skipping performing directory sync");
         return Ok(());
     }

diff --git a/crates/defguard_core/src/enterprise/firewall/mod.rs b/crates/defguard_core/src/enterprise/firewall/mod.rs
@@ -24,7 +24,7 @@ use super::{
 };
 use crate::enterprise::{
     db::models::{acl::AliasKind, snat::UserSnatBinding},
-    is_enterprise_enabled,
+    is_business_license_active,
 };
 
 #[derive(Debug, thiserror::Error)]
@@ -905,7 +905,7 @@ pub async fn try_get_location_firewall_config(
     conn: &mut PgConnection,
 ) -> Result<Option<FirewallConfig>, FirewallError> {
     // do a license check
-    if !is_enterprise_enabled() {
+    if !is_business_license_active() {
         debug!(
             "Enterprise features are disabled, skipping generating firewall config for \
                 location {location}"

diff --git a/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs b/crates/defguard_core/src/enterprise/grpc/desktop_client_mfa.rs
@@ -6,7 +6,7 @@ use tonic::Status;
 use crate::{
     enterprise::{
         handlers::openid_login::{extract_state_data, user_from_claims},
-        is_enterprise_enabled,
+        is_business_license_active,
     },
     events::{BidiRequestContext, BidiStreamEvent, BidiStreamEventType, DesktopClientMfaEvent},
     grpc::{
@@ -23,7 +23,7 @@ impl ClientMfaServer {
         info: Option<DeviceInfo>,
     ) -> Result<(), Status> {
         debug!("Received OIDC MFA authentication request: {request:?}");
-        if !is_enterprise_enabled() {
+        if !is_business_license_active() {
             error!("OIDC MFA method requires enterprise feature to be enabled");
             return Err(Status::invalid_argument("OIDC MFA method is not supported"));
         }