Releases: netbirdio/netbird
v0.36.0
Release notes
This release introduces initial support for QUIC as a protocol for relay servers, MySQL support for the store, and rootless container support for the client running in Netstack mode. We also added support for disabling system flags in the client and optional ZITADEL PAT configuration in the management service, among other enhancements and bug fixes.
New features
QUIC Protocol Support
Added initial support for the QUIC protocol in the client and relay server, improving connection reliability and performance. Self-hosted admins who want to try this out should ensure that the relay server has TLS certificates configured and that the main listening port is available on both TCP and UDP.
Rootless Container Support
Implemented rootless container support for the client running in Netstack mode, enabling secure and compatible operation without requiring privileged permissions or Linux capabilities.
You can use the images netbirdio/netbird:rootless-latest or netbirdio/netbird:0.36.0-rootless for this mode.
Learn more about how to enable Netstack mode in the documentation.
MySQL Support
Added MySQL support for the management service, allowing users to store data in a MySQL database. This feature is particularly useful for organizations that prefer MySQL as their database backend.
If you want to start a new deployment with MySQL, you can use the environment variables NETBIRD_STORE_CONFIG_ENGINE=mysql and NETBIRD_STORE_ENGINE_MYSQL_DSN="<username>:<password>@tcp(127.0.0.1:3306)/<database>" in the setup.env file.
We are counting on your feedback and community contributions to improve documentation for this support.
Enhancements
New system flags to disable a few features on the client side
We are introducing a set of new flags that allow users to disable specific features on the client side. This is particularly useful for users who want more control over their system configurations.
The new flags are available with the netbird up command, see the flags below:
--disable-client-routes Disable client routes. If enabled, the client won't process client routes received from the management service.
--disable-dns Disable DNS. If enabled, the client won't configure DNS settings.
--disable-firewall Disable firewall configuration. If enabled, the client won't modify firewall rules.
--disable-server-routes Disable server routes. If enabled, the client won't act as a router for server routes received from the management service.
Optional ZITADEL PAT Configuration
Enabled optional configuration of a Personal Access Token (PAT) for ZITADEL in the management service, enhancing authentication options for users who want to use ZITADEL as their identity provider.
To configure the ZITADEL PAT, you can use the environment variable NETBIRD_IDP_MGMT_EXTRA_PAT=<secret> in the setup.env file.
What's Changed
- [misc] separate integration and benchmark test workflows #3147
- [misc] remove outdated readme header #3151
- [misc] upgrade go to 1.23 in devcontainer #3160
- [misc] add missing relay to docker-compose.yml.tmpl.traefik #3163
- [misc] Skip docker step when fork PR #3175
- [misc] Fix gvisor.dev/gvisor commit #3179
- [relay] Handle IPv6 addresses in X-Real-IP header on relay service #3085
- [relay] Code cleaning in message marshalling #3074
- [relay] Set InitialPacketSize to the maximum allowable value #3188
- [client] Enable network map persistence by default #3152
- [client] Add rootless container and fix client routes in netstack mode #3150
- [client] Add disable system flags #3153
- [client] Prevent local routes in status from being overridden by updates #3166
- [client] Don't fail on v6 ops when disabled via kernel params #3165
- [client] Update fyne to v2.5.3 #3155
- [client] client: make /var/lib/netbird paths configurable #3084
- [client] Support non-openresolv for DNS on Linux #3176
- [client] Allow ssh server on freebsd #3170
- [client] Disable DNS host manager for netstack mode #3183
- [client] Fix a panic on shutdown if dns host manager failed to initialize #3182
- [client] add serial, product model, product manufacturer for Android #2958
- [client] Add QUIC support #2962
- [client] Remove outbound chains #3157
- [client] Add block lan access flag for routers #3171
- [client] Flush macOS DNS cache after changes #3185
- [client] Report client system flags to management server on login #3187
- [management] Add integration test for the setup-keys API endpoints #2936
- [management] exclude self from network map if self is routing peer #3142
- [management] add users benchmark #3141
- [management] add peers benchmark #3143
- [management] Add MySQL Support #3108
- [management] Add support for disabling resources and routing peers in networks #3154
- [management] Send relay credentials with turn updates #3164
- [Management] Send peer network map when SSH status is toggled #3172
- [management] adjust benchmark #3168
- [Management] Enable new network resources and routers by default #3174
- [management] enable optional zitadel configuration of a PAT #3159
- [management] fix groups delete and resource create and update error response #3189
New Contributors
- @si458 made their first contribution in #3160
- @jameshilliard made their first contribution in #3179
Full Changelog: v0.35.2...v0.36.0
v0.35.2
What's Changed
- [management] Add missing group usage checks for network resources and routes access control by @bcmmbaga in #3117
- [management] remove ids from policy creation api by @pascal-fischer in #2997
- [management] Fix networks net map generation with posture checks by @mlsmaycon in #3124
- [management] add selfhosted metrics for networks by @pascal-fischer in #3118
- [client] Ignore case when matching domains in handler chain by @lixmal in #3133
- [client] Allow inbound rosenpass port by @lixmal in #3109
- [management] Preserve jwt groups when accessing API with PAT by @bcmmbaga in #3128
- [management] remove sorting from network map generation by @pascal-fischer in #3126
- [management] Fix policy tests by @mlsmaycon in #3135
Full Changelog: v0.35.1...v0.35.2
v0.35.1
v0.35.0
Release notes
With this release, we are introducing a new concept in NetBird called Networks. This concept improves the administration of routed resources and provides greater visibility into what is shared with peers. Networks are configuration containers that map your on-premise or cloud networks into a logical set of configurations, making it easier to manage and share routes with your peers based on your infrastructure.
Support for Networks will be available for our cloud-hosted systems in the next few days.
You can find out more information about Networks here:
Concept
Routing traffic to multiple IP resources
Accessing restricted website domain resources
Accessing entire domains within networks
Some screenshots:
Unified view of your network resources:
Multiple resource types and new support for wildcard domains:
What's Changed
- [client] Add support for state manager on iOS by @pascal-fischer in #2996
- [client] Add peer conn init limit by @mlsmaycon in #3001
- [management] Remove peer needs login log message by @bcmmbaga in #3005
- [management] restructure api files by @pascal-fischer in #3013
- [Snyk] Security upgrade alpine from 3.20 to 3.21.0 by @mlsmaycon in #3019
- [client] Fix race condition with systray ready by @mohamed-essam in #2993
- [misc] split tests with management and rest by @mlsmaycon in #3051
- [misc] Handle dnf version 5 in install script by @mohamed-essam in #3026
- [client] fix: reformat IPv6 ICE addresses when hole punching by @jclds139 in #3050
- [misc] Upgrade x/crypto package by @mlsmaycon in #3055
- fix client unsupported h2 protocol when only 443 activated by @V-E-O in #3009
- [client] Avoid using iota on mixed const block by @mlsmaycon in #3057
- [client, management] Add new network concept by @lixmal in #3047
- [client] Do not start DNS forwarder on client side by @pappz in #3094
- [management] Fix duplicate resource routes when routing peer is part of the source group by @bcmmbaga in #3095
- [client] Reduce DNS handler chain lock contention by @lixmal in #3099
- [management] Run test sequential by @pascal-fischer in #3101
- [client] Add firewall rules to the debug bundle by @lixmal in #3089
- [client] Add stateful userspace firewall and remove egress filters by @lixmal in #3093
New Contributors
Full Changelog: v0.34.1...v0.35.0
v0.34.1
What's Changed
- [client] Cleanup status resources on engine stop by @mlsmaycon in #2981
- [client] Don't return error in rule removal if protocol is not supported by @lixmal in #2990
- [client] Init route selector early by @lixmal in #2989
- [client] Reduce max wait time to initialize peer connections by @mlsmaycon in #2984
- [management] Update account peers on login on meta change by @mohamed-essam in #2991
- [client] upgrade zcalusic/sysinfo to v1.1.3 (add serial support for ARM arch) by @EdouardVanbelle in #2954
New Contributors
- @mohamed-essam made their first contribution in #2991
Full Changelog: v0.34.0...v0.34.1
v0.34.0
Release notes
This release adds support for persistent network route selection across client restarts and fixes network access control policy rules to account for peers in source groups.
Enhancements:
Persistent network route selection
This feature is handy for users who want to maintain a specific network route selection across client restarts. The client will now remember the network routes selected before the restart and apply them after the restart.
Bug fixes:
Account different policy rules for route firewall rules
The network access control policy rules now account for peers in source groups. This fix ensures that the rules are correctly applied to the network routes.
What's Changed
- [misc] Update Caddyfile and Docker Compose to support HTTP3 #2822
- [client] Refactor initial Relay connection #2800
- [client] Don't return error in userspace mode without firewall when setting legacy #2924
- [client] Test nftables for incompatible iptables rules #2948
- [client] Set up sysctl and routing table name only if routing rules are available #2933
- [client] Allow routing to fallback to exclusion routes if rules are not supported #2909
- [client] Code cleaning in net pkg #2932
- [client] Unspecified address: default NetworkTypeUDP4+NetworkTypeUDP6 #2804
- [client] Add pprof build tag #2964
- [client] Persist route selection #2810
- [client] Add state file to debug bundle #2969
- [client] Fix debug bundle state anonymization test #2976
- [client] Pass IP instead of net to Rosenpass #2975
- [client] Get static system info once #2965
- [client] Add netbird.err and netbird.out to debug bundle #2971
- [client] Add network map to debug bundle #2966
- [client] Don't choke on non-existent interface in route updates #2922
- [client] Add state handling cmdline options #2821
- [management] Refactor posture check to use store methods #2874
- [management] Refactor policy to use store methods #2878
- [management] Refactor DNS settings to use store methods #2883
- [management] Refactor nameserver groups to use store methods #2888
- [management] refactor to use account object instead of separate db calls for peer update #2957
- [management] Add performance test for login and sync calls #2960
- [management] Add guide when signing key is not found #2942
- [management] Account different policy rules for route firewall rules #2939
- [management] Add missing parentheses on iphone hostname generation condition #2977
- [management] merge update account peers in sync call #2978
Big thanks to our new Contributors
- @v1rusnl made their first contribution in #2822
- @victorserbu2709 made their first contribution in #2804
- @jnohlgard made their first contribution in #2977
v0.33.0
What's Changed
- [misc] Introducing NetBird Guru on Gurubase.io by @kursataktas in #2778
- [misc] use google domain for tests by @mlsmaycon in #2902
- [misc] Update signing pipeline version by @mlsmaycon in #2900
- [management] Add transaction metrics and exclude getAccount time from peers update by @pascal-fischer in #2904
- [client] Add NB_SKIP_SOCKET_MARK & fix crash instead of returning an error by @nazarewk in #2899
- [management] Fix process posture check evaluation on Sync by @pascal-fischer in #2911
- [management] Add metric for peer meta update by @pascal-fischer in #2913
- [management] Add activity events to group propagation flow by @pascal-fischer in #2916
- [client] Fix allow netbird rule verdict by @lixmal in #2925
- [management] Fix getSetupKey call by @pascal-fischer in #2927
New Contributors
- @kursataktas made their first contribution in #2778
Full Changelog: v0.32.0...v0.33.0
v0.32.0
Release Notes for v0.32.0
Highlights
This release fixes an issue with the client's state manager that could cause a deadlock on a system with high load or slower system operations like adding routes or configuring network interfaces. This could affect the recovery from sleep, causing unwanted client state.
What's Changed
- [management] Refactor setup key to use store methods by @bcmmbaga in #2861
- [management] Add more logs to the peer update processes by @pascal-fischer in #2881
- [client] Improve state write timeout and abort work early on timeout by @lixmal in #2882
- [relay-server] Always close ws conn when work thread exit by @pappz in #2879
- [client] Update route calculation tests by @mlsmaycon in #2884
- [client] Handle panic on nil wg interface by @lixmal in #2891
- [management] Fix limited peer view groups by @pascal-fischer in #2894
- [client/management] add peer lock to peer meta update and fix isEqual func by @pascal-fischer in #2840
- [management] Limit the setup-key update operation by @pascal-fischer in #2841
- [management] Refactor group to use store methods by @bcmmbaga in #2867
- [management] Fix the Inactivity Expiration problem. by @ismail0234 in #2865
- [client] Fix state manager race conditions by @lixmal in #2890
- [client] Move state updates outside the refcounter by @lixmal in #2897
- [client] Fix error state race on mgmt connection error by @lixmal in #2892
New Contributors
- @ismail0234 made their first contribution in #2865
Full Changelog: v0.31.1...v0.32.0
v0.31.1
What's Changed
- [management] Fix add peer all group network map update by @pascal-fischer in #2830
- [misc] Avoid failing all other matrix tests if one fails by @mlsmaycon in #2839
- [client] Fix cached device flow oauth by @mlsmaycon in #2833
- [management] Fix network map update on peer validation by @pascal-fischer in #2849
- [client] Use the prerouting chain to mark for masquerading to support older systems by @lixmal in #2808
- [relay-server] Use X-Real-IP in case of reverse proxy by @pappz in #2848
- [client] Exclude split default route ip addresses from anonymization by @lixmal in #2853
- [management] Enforce max conn of 1 for sqlite setups by @pascal-fischer in #2855
- [management] Fix potential panic on inactivity expiration log message by @pascal-fischer in #2854
- [management] Add benchmark tests to get account with claims by @mlsmaycon in #2761
- [client] Use offload in WireGuard bind receiver by @pappz in #2815
- [management] Remove context from database calls by @pascal-fischer in #2863
- [management] Add peer lock to grpc server by @pascal-fischer in #2859
- [management] Fix api error message typo peers_group by @lixmal in #2862
- [client] Remove loop after route calculation by @pappz in #2856
- [client] fix/proxy close by @pappz in #2873
- [client] Fix race conditions by @lixmal in #2869
Full Changelog: v0.31.0...v0.31.1
v0.31.0
Release Notes for v0.31.0
Highlights
[management] Setup key improvements #2775
- We added support for setup-key deletion, allowing account cleanup of revoked or expired keys.
- The max expiration time was removed, allowing users to define any date for key expiration.
- Setup-keys are now stored as hashes, improving security for systems.
Because of a database migration where the setup-keys are being hashed, a downgrade is no longer possible without restoring a backup. So, testing and making sure a backup is done before upgrading is highly recommended. See backup docs here: https://docs.netbird.io/selfhosted/selfhosted-guide#backup
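Why the downgrade needs a backup, shown as an added example (not NetBird's code): once each stored key is replaced by its digest, the plaintext exists only with whoever holds the key, and a value read from the database no longer works as a setup key. SHA-256 with base64 encoding and the SetupKey, hashKey, migrate and lookup names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// SetupKey is a hypothetical stored record, not NetBird's schema.
type SetupKey struct {
	ID, Secret string // Secret: plaintext before migration, digest after
	Hashed     bool
}

// hashKey returns base64(SHA-256(key)); the algorithm is an assumption.
func hashKey(plain string) string {
	sum := sha256.Sum256([]byte(plain))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// migrate overwrites each plaintext key with its digest; only a backup undoes it.
func migrate(keys []SetupKey) int {
	changed := 0
	for i := range keys {
		if !keys[i].Hashed { // skip migrated rows: re-hashing would break lookups
			keys[i].Secret, keys[i].Hashed = hashKey(keys[i].Secret), true
			changed++
		}
	}
	return changed
}

// lookup hashes the presented key and compares digests in constant time.
func lookup(keys []SetupKey, presented string) (string, bool) {
	want := []byte(hashKey(presented))
	for _, k := range keys {
		if k.Hashed && subtle.ConstantTimeCompare([]byte(k.Secret), want) == 1 {
			return k.ID, true
		}
	}
	return "", false
}

func main() {
	keys := []SetupKey{{ID: "k1", Secret: "CONSTRUCTED-SETUP-KEY-0001"}} // constructed sample
	fmt.Println(migrate(keys), keys[0].Secret)
	fmt.Println(lookup(keys, "CONSTRUCTED-SETUP-KEY-0001")) // the original key still matches
}
```

A fast hash is a reasonable choice here only because setup keys are long random values; it would not be for human-chosen passwords.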
Improvements
- [client] Make native firewall init fail firewall creation #2784
- [misc] Update Zitadel from v2.54.10 to v2.64.1 #2793
- [client] allow relay leader on iOS #2795
- [management] remove network map diff calculations #2820
- [management] Add DB access duration to logs for context cancel #2781
- [client] Log windows panics #2829
Bug fixes
- [client] Ignore route rules with no sources instead of erroring out #2786
- [client] Fix multiple peer name filtering in netbird status command #2798
- [client] Fix the broken dependency gvisor.dev/gvisor #2789
- [management] Fix peer meta isEqual #2807
- [client] Nil check on ICE remote conn #2806
- [client] Allocate new buffer for every package #2823
- [client] Fix unused servers cleanup #2826
- [client] Remove legacy forwarding rules in userspace mode #2782
New Contributors
- @Codixer made their first contribution in #2793
- @mgarces made their first contribution in #2798
- @milantracy made their first contribution in #2789
Full Changelog: v0.30.3...v0.31.0