v1.5.0

This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.

Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.

📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!

💫Desktop Client now supports External SSO/IdP MFA

🫆 Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!

🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).

🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.

Migration guide

Before updating please make sure to read the migration guide

What's Changed

Other Changes

• Handle admin device management flag by @wojcik91 in #116
• Use configured external OIDC Provider for 2FA in client by @t-aleksander in #119
• Allow binding to a specific address by @t-aleksander in #120
• Merge main -> dev post 1.4 release by @wojcik91 in #123
• add support for per location MFA settings by @wojcik91 in #124
• fix: openid mfa callback page rwd by @filipslezaklab in #126
• UI update by @filipslezaklab in #127
• Fix font files by @filipslezaklab in #129
• update routes on backend by @filipslezaklab in #132
• Add AMI building to the release pipeline by @t-aleksander in #130
• mobile mfa poc by @filipslezaklab in #134
• verify biometry register request data by @filipslezaklab in #135
• Add eu central region by @t-aleksander in #136
• sign Docker images using Cosign by @wojcik91 in #137
• Tonic 14 by @moubctez in #140
• Desktop MFA mobile approve by @filipslezaklab in #138
• Version exchange and logging by @j-chmielewski in #133
• Scan images with Trivy by @moubctez in #142
• add code based mfa setup by @filipslezaklab in #141
• Version check by @j-chmielewski in #143
• handle new enrollment configuration by @filipslezaklab in #145
• Fix version comparison by @j-chmielewski in #146
• Switch AMI base image to debian by @t-aleksander in #144
• Update dependencies by @moubctez in #147
• Update tracing_subscriber by @moubctez in #149
• add deep link to openid enroll by @filipslezaklab in #150
• Return defguard version (proxy, core) in http headers by @t-aleksander in #151
• Fix ami building by @t-aleksander in #152
• Better WebSocket handling and build with newer defguard_version by @moubctez in #154
• update messages in openid callback setup page by @filipslezaklab in #155
• Update defguard-version version by @t-aleksander in #156
• Ignore pre-release in version comparison by @j-chmielewski in #160
• update mobile app apple store link by @filipslezaklab in #161
• Return whether core is connected by @t-aleksander in #163
• chore(CI): update node version in release workflow by @wojcik91 in #165

Full Changelog: v1.4.0...v1.5.0

v1.5.0-rc3

⚠️ This is a pre-release that requires Defguard Core v1.5.0-rc2 - please help us test and stabilize the release 🫡

What's Changed

Other Changes

• Return whether core is connected by @t-aleksander in #163

Full Changelog: v1.5.0-rc2...v1.5.0-rc3

v1.5.0-rc2

⚠️ This is a pre-release that requires Defguard Core v1.5.0-rc2 - please help us test and stabilize the release 🫡

What's Changed

• Handle admin device management flag by @wojcik91 in #116
• Use configured external OIDC Provider for 2FA in client by @t-aleksander in #119
• Allow binding to a specific address by @t-aleksander in #120
• Merge main -> dev post 1.4 release by @wojcik91 in #123
• add support for per location MFA settings by @wojcik91 in #124
• fix: openid mfa callback page rwd by @filipslezaklab in #126
• UI update by @filipslezaklab in #127
• Fix font files by @filipslezaklab in #129
• update routes on backend by @filipslezaklab in #132
• Add AMI building to the release pipeline by @t-aleksander in #130
• mobile mfa poc by @filipslezaklab in #134
• verify biometry register request data by @filipslezaklab in #135
• Add eu central region by @t-aleksander in #136
• sign Docker images using Cosign by @wojcik91 in #137
• Tonic 14 by @moubctez in #140
• Desktop MFA mobile approve by @filipslezaklab in #138
• Version exchange and logging by @j-chmielewski in #133
• Scan images with Trivy by @moubctez in #142
• add code based mfa setup by @filipslezaklab in #141
• Version check by @j-chmielewski in #143
• handle new enrollment configuration by @filipslezaklab in #145
• Fix version comparison by @j-chmielewski in #146
• Switch AMI base image to debian by @t-aleksander in #144
• Update dependencies by @moubctez in #147
• Update tracing_subscriber by @moubctez in #149
• add deep link to openid enroll by @filipslezaklab in #150
• Return defguard version (proxy, core) in http headers by @t-aleksander in #151
• Fix ami building by @t-aleksander in #152
• Better WebSocket handling and build with newer defguard_version by @moubctez in #154
• update messages in openid callback setup page by @filipslezaklab in #155
• Update defguard-version version by @t-aleksander in #156
• Ignore pre-release in version comparison by @j-chmielewski in #160

Full Changelog: v1.4.0...v1.5.0-rc2

v1.5.0-rc1

⚠️ This is a pre-release that requires Defguard Core and Defguard Proxy v1.5.0-alpha5 - please help us test and stabilize the release 🫡

What's Changed

Other Changes

• Handle admin device management flag by @wojcik91 in #116
• Use configured external OIDC Provider for 2FA in client by @t-aleksander in #119
• Allow binding to a specific address by @t-aleksander in #120
• Merge main -> dev post 1.4 release by @wojcik91 in #123
• add support for per location MFA settings by @wojcik91 in #124
• fix: openid mfa callback page rwd by @filipslezaklab in #126
• UI update by @filipslezaklab in #127
• Fix font files by @filipslezaklab in #129
• update routes on backend by @filipslezaklab in #132
• Add AMI building to the release pipeline by @t-aleksander in #130
• mobile mfa poc by @filipslezaklab in #134
• verify biometry register request data by @filipslezaklab in #135
• Add eu central region by @t-aleksander in #136
• sign Docker images using Cosign by @wojcik91 in #137
• Tonic 14 by @moubctez in #140
• Desktop MFA mobile approve by @filipslezaklab in #138
• Version exchange and logging by @j-chmielewski in #133
• Scan images with Trivy by @moubctez in #142
• add code based mfa setup by @filipslezaklab in #141
• Version check by @j-chmielewski in #143
• handle new enrollment configuration by @filipslezaklab in #145
• Fix version comparison by @j-chmielewski in #146
• Switch AMI base image to debian by @t-aleksander in #144
• Update dependencies by @moubctez in #147
• Update tracing_subscriber by @moubctez in #149
• add deep link to openid enroll by @filipslezaklab in #150
• Return defguard version (proxy, core) in http headers by @t-aleksander in #151
• Fix ami building by @t-aleksander in #152
• Better WebSocket handling and build with newer defguard_version by @moubctez in #154
• update messages in openid callback setup page by @filipslezaklab in #155
• Update defguard-version version by @t-aleksander in #156

Full Changelog: v1.4.0...v1.5.0-rc1

v1.5.0-alpha5

⚠️ This is a pre-release that requires Defguard Core 1.5.0-alpha7 - please help us test and stabilize the release 🫡

What's Changed

Other Changes

• Version check by @j-chmielewski in #143
• handle new enrollment configuration by @filipslezaklab in #145
• Fix version comparison by @j-chmielewski in #146
• Switch AMI base image to debian by @t-aleksander in #144
• Update dependencies by @moubctez in #147
• Update tracing_subscriber by @moubctez in #149
• add deep link to openid enroll by @filipslezaklab in #150
• Return defguard version (proxy, core) in http headers by @t-aleksander in #151
• Fix ami building by @t-aleksander in #152

Full Changelog: v1.5.0-alpha4...v1.5.0-alpha5

v1.5.0-alpha4

⚠️ This is a pre-release that requires core 1.5.0-alpha5 & gateway 1.5.0-alpha3 - please help us test and stabilize the release 🫡

What's Changed

Other Changes

• add code based mfa setup by @filipslezaklab in #141

Full Changelog: v1.5.0-alpha3...v1.5.0-alpha4

v1.5.0-alpha3

⚠️ This is a pre-release that requires core 1.5.0-alpha4 & gateway 1.5.0-alpha3 - please help us test and stabilize the release 🫡

What's Changed

Other Changes

• Add eu central region by @t-aleksander in #136
• sign Docker images using Cosign by @wojcik91 in #137
• Tonic 14 by @moubctez in #140
• Desktop MFA mobile approve by @filipslezaklab in #138
• Version exchange and logging by @j-chmielewski in #133
• Scan images with Trivy by @moubctez in #142

Full Changelog: v1.5.0-alpha2...v1.5.0-alpha3

v1.5.0-alpha2

⚠️ This is a pre-release that requires core&gateway 1.5.0-alpha2 - please help us test and stabilize the release 🫡

🥳 New Features 🎉

📱Mobile Apps 🎉finally! mobile applications with Multi-Factor Authentication for VPNs are here for iOS and Android! 💪Please help us test them!

🫆 Alpha2 adds Mobile Apps Biometry (MFA with Biometry)! Please remove current alpha mobile apps and do a clean install and configuration.

🔑 Multi-Factor Authentication with External OIDC/SSO - now you can configure on each location separately which OIDC secures the MFA process: internal (with MFA configured in the user profile) or external like Google/Okta/Microsoft - please remember that only desktop clients 1.5 and new mobile clients support this feature.

🏁 Possibility for admin users to disable MFA in a user profile

🌐 Possibility to “bind” a user and all their devices with a selected public IP address by SNAT

⚠️ Please remember to upgrade all components to alpha version: core, proxy, gateway and clients ⚠️

Full Changelog: v1.4.0...v1.5.0-alpha2

v1.5.0-alpha1

⚠️ This is a pre-release - please help us test and stabilize the release 🫡

🥳 New Features 🎉

📱Mobile Apps 🎉finally! mobile applications with Multi-Factor Authentication for VPNs are here for iOS and Android! 💪Please help us test them!

🔑 Multi-Factor Authentication with External OIDC/SSO - now you can configure on each location separately which OIDC secures the MFA process: internal (with MFA configured in the user profile) or external like Google/Okta/Microsoft - please remember that only desktop clients 1.5 and new mobile clients support this feature.

🏁 Possibility for admin users to disable MFA in a user profile

🌐 Possibility to “bind” a user and all their devices with a selected public IP address by SNAT

⚠️ Please remember to upgrade all components to alpha version: core, proxy, gateway and clients ⚠️

Full Changelog: v1.4.0...v1.5.0-alpha1

v1.4.0

What's Changed

🥳 New Features 🎉

• Assign multiple IP addresses for end clients (IPv4 & IPv6) #1000

Other Changes

• Setup automated audits on CI by @j-chmielewski in #108, #110, #112, #113
• Make client IP mandatory by @j-chmielewski in #115

Full Changelog: v1.2.0...v1.4.0

Migration guide

Before updating please make sure to read the migration guide