Releases: NHAS/wag

v1.4.0-pre-release

18 Oct 07:42

Upgrades the wag database to handle a new 'endpoint' field to resolve #12

Bug Fixes:

  • After a hot upgrade, the wireguard endpoint watcher no longer automatically de-authenticates all users, as wireguard device creation sets device endpoints to their previous value

Changes:

  • Make the upgrade message a bit clearer, to differentiate when a binary needs to be manually copied from when it is automatically copied
  • Wag now stores the last user device endpoint in the SQLite3 database
  • Wag can now automatically upgrade its own database

v1.3.2-pre-release

15 Oct 23:07

This release is incompatible with previous versions of wag.

It is recommended that the systemd service file is updated to the current version in the repository.

Major Changes:

  • WgDevName has been moved into a new configuration structure Wireguard and is now called DevName
  • Wag will now create and populate a wireguard device using netlink, when the device specified by DevName is not present
  • Wag no longer relies on wg-quick configuration for peers

Features:

  • Netlink interoperability allows wag to set up/tear down a wireguard device
  • Hot upgrading: the VPN no longer needs to be fully stopped in order to upgrade the golang components of wag; this is added with the ./wag upgrade command
  • Improved control package, now every action can be done using it

Changes:

  • When a user exceeds the lockout number of attempts the error message they now get is "account locked"
  • Wag's XDP component is now more obviously labeled as wag in tools such as bpftool
  • The wag socket now allows whatever process group wag is in to read/write (allows for better integrations)
  • No longer use the default http mux for the control mux just in case it becomes exposed
  • Once a TOTP code is used, it cannot be reused

Bug Fixes:

  • Fix firewall list command not outputting data
  • -config is no longer required for every cli command
  • Add a minimum time to registration request completion to stop timing attacks (now will take ~1 second)

v1.1.1

27 Sep 08:54

Features:

  • Command line now supports checking version with ./wag version

Bug Fixes:

  • Fixes users being reported as authorized despite being outside of sliding window timeout

Changes:

  • Added license

v1.1.0

15 Sep 10:07

Major Changes:

  • SessionTimeoutMinutes has been replaced by MaxSessionLifetimeMinutes to make room for sliding window sessions, which require MFA after a period of time without activity.

Features:

  • SessionInactivityTimeoutMinutes, a new option in the JSON file, which will de-authenticate/sign out users after a period of time without any network activity.
  • Unit testing of eBPF program

Bug Fixes:

  • Fix multiple issues that occurred when SessionInactivityTimeoutMinutes or MaxSessionLifetimeMinutes were disabled (set to -1)

Changes:

  • Config parsing will now fail if an unknown json field is present
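The session semantics described in this release, as an added example that is not wag's own code: strict JSON parsing that fails on unknown fields, plus an authorization check that applies both the hard session cap and the sliding inactivity window, treating -1 as disabled. SessionConfig, ParseStrict and Authorized are hypothetical names; only the two option names come from the notes above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"time"
)

// SessionConfig holds only the two options named in the v1.1.0 notes;
// wag's real configuration has more fields and is not reproduced here.
type SessionConfig struct {
	MaxSessionLifetimeMinutes       int
	SessionInactivityTimeoutMinutes int
}

// ParseStrict rejects any JSON key that is not a field of SessionConfig.
func ParseStrict(raw []byte) (SessionConfig, error) {
	var c SessionConfig
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	err := dec.Decode(&c)
	return c, err
}

// Authorized applies both limits; a value of -1 disables that limit.
func Authorized(c SessionConfig, authedAt, lastPacket, now time.Time) bool {
	life := time.Duration(c.MaxSessionLifetimeMinutes) * time.Minute
	idle := time.Duration(c.SessionInactivityTimeoutMinutes) * time.Minute
	if c.MaxSessionLifetimeMinutes != -1 && now.Sub(authedAt) > life {
		return false // hard cap, regardless of activity
	}
	if c.SessionInactivityTimeoutMinutes != -1 && now.Sub(lastPacket) > idle {
		return false // sliding window: no traffic for too long
	}
	return true
}

func main() {
	// Constructed sample: the replaced key name is now an unknown field.
	_, err := ParseStrict([]byte(`{"SessionTimeoutMinutes": 30}`))
	fmt.Println("old key rejected:", err != nil)
	c, _ := ParseStrict([]byte(`{"MaxSessionLifetimeMinutes": 480, "SessionInactivityTimeoutMinutes": 15}`))
	t0 := time.Date(2022, 9, 15, 10, 0, 0, 0, time.UTC)
	fmt.Println("idle 20m:", Authorized(c, t0, t0.Add(40*time.Minute), t0.Add(time.Hour)))
}
```

Failing on unknown fields means a stale or misspelled key stops startup instead of being silently ignored and leaving a timeout at an unintended value.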

v1.0.6

14 Sep 03:37

Features:

  • MFA session timeout can now be disabled by setting SessionTimeoutMinutes to -1 (this will not affect lockouts that occur due to network change)
  • Add DNS option to configuration file; this automatically allows DNS addresses and will generate wg0.conf's with the DNS= option

Changes:

  • Log output is now easier to parse for SIEM ingestion

Bug Fixes:

  • Specifying a route as public after it has been declared as MFA now has no effect. MFA check takes precedence.

v1.0.4

08 Sep 19:41

Fix multiple reloads failing due to configuration file path becoming blank

v1.0.3

08 Sep 11:01

Fix bug that would cause -config argument to be ignored on all commands.
Fix text of webserver errors to more accurately reflect which listener failed
Fix double printing of errors

v1.0.2

07 Sep 02:21

Fix numerous bugs

  • Allow clients to ping tunnel address
  • Fix minor text bug in reload help text
  • Fix empty private key issue if public key is supplied during registration process
  • Use ParseKey instead of NewKey for base64 encoded key during registration
  • URL-decode registration parameters
  • Fix use of nil map in config

v1.0.1

02 Sep 05:08

Adds domain name compatibility to ACLs

e.g.

    "Policies": {
        "*": {
            "Allow": [
                "10.7.7.7",
                "google.com"
            ]
        },
        "username": {
            "Allow": [
                "10.0.0.1/32"
            ]
        },
        "group:nerds": {
            "Mfa": [
                "192.168.3.4/32"
            ],
            "Allow": [
                "192.168.3.5/32"
            ]
        }
    }

v1.0.0

02 Sep 03:07

This is the first release of WAG, a Wireguard companion which uses eBPF and XDP to provide TOTP 2FA.

Notable features:

  • ACLs for specific users
  • Web based device enrollment
  • Public non-2FA routes, in combination with 2FA-only routes