Releases: slackhq/nebula
Release v1.8.2
Release v1.8.1
Release v1.8.0
Deprecated
- The next minor release of Nebula, 1.9.0, will require at least Windows 10 or
Windows Server 2016. This is because support for earlier versions was removed
in Go 1.21. See https://go.dev/doc/go1.21#windows
Added
- Linux: Notify systemd of service readiness. This should resolve timing issues with services that depend on Nebula being active. For an example of how to enable this, see `examples/service_scripts/nebula.service`. (#929)
- Windows: Use Registered IO (RIO) when possible. Testing on a Windows 11 machine shows ~50x improvement in throughput. (#905)
- FreeBSD: Add support for naming tun devices. (#903)
Changed
- `pki.disconnect_invalid` will now default to true. This means that once a certificate expires, the tunnel will be disconnected. If you use SIGHUP to reload certificates without restarting Nebula, you should ensure all of your clients are on 1.7.0 or newer before you enable this feature. (#859)
- Limit how often a busy tunnel can requery the lighthouse. The new config option `timers.requery_wait_duration` defaults to `60s`. (#940)
- The internal structures for hostmaps were refactored to reduce memory usage and the potential for subtle bugs. (#843, #938, #953, #954, #955)
- Lots of dependency updates.
Fixed
Release v1.7.2
Fixed
- Fix a freeze during config reload if the `static_host_map` config was changed. (#886)
Release v1.7.1
Fixed
- Fix IPv4 addresses returned by `static_host_map` DNS lookup queries being treated as IPv6 addresses. (#877)
Release v1.7.0
Added
- `nebula-cert ca` now supports encrypting the CA's private key with a passphrase. Pass `-encrypt` in order to be prompted for a passphrase. Encryption is performed using AES-256-GCM, with Argon2id as the KDF. KDF parameters default to RFC recommendations, but can be overridden via the CLI flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`. (#386)
- Support for curve P256 and BoringCrypto has been added. See README section "Curve P256 and BoringCrypto" for more details. (#865, #861, #769, #856, #803)
- New firewall rule option `local_cidr`. This can be used to filter destinations when using `unsafe_routes`. (#507)
- Add `unsafe_route` option `install`. This controls whether the route is installed in the system's routing table. (#831)
- Add `tun.use_system_route_table` option. Set to true to manage unsafe routes directly on the system route table with gateway routes instead of in Nebula configuration files. This is only supported on Linux. (#839)
- The metric `certificate.ttl_seconds` is now exposed via stats. (#782)
- Add `punchy.respond_delay` option. This allows you to change the delay before attempting `punchy.respond`. Default is 5 seconds. (#721)
- Added SSH commands to allow the capture of a mutex profile. (#737)
- You can now set `lighthouse.calculated_remotes` to make it possible to do handshakes without a lighthouse in certain configurations. (#759)
- The firewall can be configured to send REJECT replies instead of the default DROP behavior. (#738)
- For macOS, an example launchd configuration file is now provided. (#762)
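The options in the 1.8.0 and 1.7.0 notes are easiest to judge together, so here is a node configuration that exercises them. It is an added example, not a file from the Nebula repository or this changelog: it sets `pki.disconnect_invalid` (the 1.8.0 default) and `timers.requery_wait_duration`, and uses the 1.7.0 `local_cidr` rule option, the `unsafe_routes` `install` flag, `punchy.respond_delay` and the reject firewall action. The file paths, the overlay addresses (10.100.0.0/24), the subnets 192.168.50.0/24 and 192.168.60.0/24, the lighthouse hostname and the group names are assumptions chosen for illustration; the keys themselves are the documented Nebula ones.

```yaml
# Added example config (not from the Nebula project). Paths, addresses,
# hostnames and group names are illustrative assumptions.
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
  # 1.8.0 default. Tear the tunnel down when the peer's certificate expires
  # or its CA is no longer trusted. Peers older than 1.7.0 do not rehandshake
  # after rotating their own certificate via SIGHUP, so this node would keep
  # the old expiry and cut them off: make sure every peer is on 1.7.0+ first.
  disconnect_invalid: true

static_host_map:
  # DNS names here are re-resolved automatically since 1.7.0.
  "10.100.0.1": ["lighthouse.example.net:4242"]

lighthouse:
  am_lighthouse: false
  interval: 60
  hosts:
    - "10.100.0.1"

listen:
  host: 0.0.0.0
  port: 4242

punchy:
  punch: true
  respond: true
  # 1.7.0: wait this long before the punch-back attempt (default 5s).
  respond_delay: 5s

timers:
  # 1.8.0: a busy tunnel may requery the lighthouse at most this often
  # (default 60s).
  requery_wait_duration: 60s

tun:
  dev: nebula1
  unsafe_routes:
    # Reach an off-overlay subnet that sits behind the node 10.100.0.30.
    # With install: false (1.7.0) Nebula accepts traffic for the route but
    # leaves the OS routing table alone, so you decide how packets reach tun.
    - route: 192.168.60.0/24
      via: 10.100.0.30
      install: false

# This node is itself the gateway for 192.168.50.0/24 (other nodes list it
# as `via`); that needs no tun config here, only the firewall rule below.
firewall:
  # 1.7.0: `reject` answers denied TCP with RST and other protocols with
  # ICMP port unreachable instead of the silent `drop` default.
  outbound_action: drop
  inbound_action: reject
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: 22
      proto: tcp
      group: admins
    # 1.7.0: `cidr` matches the remote overlay address, `local_cidr` the
    # destination. Without local_cidr, a rule that lets "netops" in would
    # also let them reach anything else routed through this gateway.
    - port: any
      proto: any
      group: netops
      local_cidr: 192.168.50.0/24
```

`nebula -test -config <file>` validates a file like this and prints the effective configuration without bringing up the tunnel, which is the quick way to confirm that `disconnect_invalid` and the `local_cidr` rule were parsed as intended before rolling it out.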
Changed
- Lighthouses and other `static_host_map` entries that use DNS names will now be automatically refreshed to detect when the IP address changes. (#796)
- Lighthouses send ACK replies back to clients so that clients do not fall into connection testing as often. (#851, #408)
- Allow the `listen.host` option to contain a hostname. (#825)
- When Nebula switches to a new certificate (such as via SIGHUP), we now rehandshake with all existing tunnels. This allows firewall groups to be updated and `pki.disconnect_invalid` to know about the new certificate expiration time. (#838, #857, #842, #840, #835, #828, #820, #807)
Fixed
- Always disconnect blocklisted hosts, even if `pki.disconnect_invalid` is not set. (#858)
- Dependencies updated and go1.20 required. (#780, #824, #855, #854)
- Fix possible race condition with relays. (#827)
- FreeBSD: Fix connection to the localhost's own Nebula IP. (#808)
- Normalize and document some common log field values. (#837, #811)
- Fix crash if you set unlucky values for the firewall timeout configuration options. (#802)
- Make DNS queries case insensitive. (#793)
- Update example systemd configurations to want `nss-lookup`. (#791)
- Errors with SSH commands now go to the SSH tunnel instead of stderr. (#757)
- Fix a hang when shutting down Android. (#772)
Release v1.6.1
Fixed
- Refuse to process underlay packets received from overlay IPs. This prevents confusion on hosts that have unsafe routes configured. (#741)
- The ssh `reload` command did not work on Windows, since it relied on sending a SIGHUP signal internally. This has been fixed. (#725)
- A regression in v1.5.2 that broke unsafe routes on Mobile clients has been fixed. (#729)
Release v1.6.0
Added
- Experimental: nebula clients can be configured to act as relays for other nebula clients. Primarily useful when stubborn NATs make a direct tunnel impossible. (#678)
- Configuration option to report manually specified `ip:port`s to lighthouses. (#650)
- Windows arm64 build. (#638)
- `punchy` and most `lighthouse` config options now support hot reloading. (#649)
Changed
- Build against go 1.18. (#656)
- Promoted `routines` config from experimental to supported feature. (#702)
- Dependencies updated. (#664)
Fixed
- Packets destined for the same host that sent them will be returned on macOS. This matches the default behavior of other operating systems. (#501)
- `unsafe_route` configuration will no longer crash on Windows. (#648)
- A few panics that were introduced in 1.5.x. (#657, #658, #675)
Security
- You can set `listen.send_recv_error` to control the conditions in which `recv_error` messages are sent. Sending these messages can expose the fact that Nebula is running on a host, but it speeds up re-handshaking. (#670)
Removed
- `x509` config stanza support has been removed. (#685)
Release v1.5.2
Added
- Warn when a non-lighthouse node does not have lighthouse hosts configured. (#587)
Changed
- No longer fatals if expired CA certificates are present in `pki.ca`, as long as 1 valid CA is present. (#599)
- `nebula-cert` will now enforce IPv4 addresses. (#604)
- Warn on macOS if an unsafe route cannot be created due to a collision with an existing route. (#610)
- Warn if you set a route MTU on platforms where we don't support it. (#611)
Fixed
- Rare race condition when tearing down a tunnel due to `recv_error` and sending packets on another thread. (#590)
- Bug in `routes` and `unsafe_routes` handling that was introduced in 1.5.0. (#595)
- `-test` mode no longer results in a crash. (#602)
Removed
- `x509.ca` config alias for `pki.ca`. (#604)
Security
- Upgraded `golang.org/x/crypto` to address an issue which allowed unauthenticated clients to cause a panic in SSH servers. (#603)
Release v1.5.0
Added
- SSH `print-cert` has a new `-raw` flag to get the PEM representation of a certificate. (#483)
- New build architecture: Linux `riscv64`. (#542)
- New experimental config option `remote_allow_ranges`. (#540)
- New config option `pki.disconnect_invalid` that will tear down tunnels when they become invalid (through expiry or removal of root trust). Default is `false`. Note, this will not currently recognize if a remote has changed certificates since the last handshake. (#370)
- New config option `unsafe_routes.<route>.metric` will set a metric for a specific unsafe route. It's useful if you have more than one identical route and want to prefer one over the other. (#353)
Changed
- Build against go 1.17. (#553)
- Build with `CGO_ENABLED=0` set, to create more portable binaries. This could have an effect on DNS resolution if you rely on anything non-standard. (#421)
- Windows now uses the wintun driver which does not require installation. This driver is a large improvement over the TAP driver that was used in previous versions. If you had a previous version of `nebula` running, you will want to disable the tap driver in Control Panel, or uninstall the `tap0901` driver before running this version. (#289)
- Darwin binaries are now universal (works on both amd64 and arm64), signed, and shipped in a notarized zip file. `nebula-darwin.zip` will be the only darwin release artifact. (#571)
- Darwin uses syscalls and AF_ROUTE to configure the routing table, instead of using `/sbin/route`. Setting `tun.dev` is now allowed on Darwin as well; it must be in the format `utun[0-9]+` or it will be ignored. (#163)
Deprecated
- The `preferred_ranges` option has been supported as a replacement for `local_range` since v1.0.0. It has now been documented and `local_range` has been officially deprecated. (#541)
Fixed
- Valid `recv_error` packets were incorrectly marked as "spoofing" and ignored. (#482)
- SSH server handles single `exec` requests correctly. (#483)
- Signing a certificate with `nebula-cert sign` now verifies that the supplied ca-key matches the ca-crt. (#503)
- If `preferred_ranges` (or the deprecated `local_range`) is configured, we will immediately switch to a preferred remote address after the reception of a handshake packet (instead of waiting until 1,000 packets have been sent). (#532)
- Fixed a race condition when `punchy.respond` is enabled, and ensured that the correct vpn ip is sent a punch-back response on a highly queried node. (#566)
- Fix a rare crash during handshake due to a race condition. (#535)