All Versions
Latest Version
Avg Release Cycle
119 days
Latest Release
722 days ago

Changelog History

  • v1.6.0 Changes

    June 30, 2022

    โž• Added

    • ๐Ÿ”ง Experimental: nebula clients can be configured to act as relays for other nebula clients. Primarily useful when stubborn NATs make a direct tunnel impossible. (#678)

    • ๐Ÿ”ง Configuration option to report manually specified ip:ports to lighthouses. (#650)

    • ๐Ÿ Windows arm64 build. (#638)

    • ๐Ÿ‘ punchy and most lighthouse config options now support hot reloading. (#649)

    ๐Ÿ”„ Changed

    • ๐Ÿ— Build against go 1.18. (#656)

    • ๐Ÿ‘ Promoted routines config from experimental to supported feature. (#702)

    • โšก๏ธ Dependencies updated. (#664)

    ๐Ÿ›  Fixed

    • ๐ŸŽ Packets destined for the same host that sent it will be returned on MacOS. This matches the default behavior of other operating systems. (#501)

    • ๐Ÿ unsafe_route configuration will no longer crash on Windows. (#648)

    • A few panics that were introduced in 1.5.x. (#657, #658, #675)

    ๐Ÿ”’ Security

    • You can set listen.send_recv_error to control the conditions in which recv_error messages are sent. Sending these messages can expose the fact that Nebula is running on a host, but it speeds up re-handshaking. (#670)

    โœ‚ Removed

    • ๐Ÿšš x509 config stanza support has been removed. (#685)
  • v1.5.2 Changes

    December 14, 2021

    โž• Added

    • ๐Ÿ”ง Warn when a non lighthouse node does not have lighthouse hosts configured. (#587)

    ๐Ÿ”„ Changed

    • No longer fatals if expired CA certificates are present in, as long as 1 valid CA is present. (#599)

    • nebula-cert will now enforce ipv4 addresses. (#604)

    • ๐ŸŽ Warn on macOS if an unsafe route cannot be created due to a collision with an existing route. (#610)

    • ๐Ÿ‘ Warn if you set a route MTU on platforms where we don't support it. (#611)

    ๐Ÿ›  Fixed

    • Rare race condition when tearing down a tunnel due to recv_error and sending packets on another thread. (#590)

    • ๐Ÿ› Bug in routes and unsafe_routes handling that was introduced in 1.5.0. (#595)

    • โœ… -test mode no longer results in a crash. (#602)

    โœ‚ Removed

    • config alias for (#604)

    ๐Ÿ”’ Security

    • โฌ†๏ธ Upgraded to address an issue which allowed unauthenticated clients to cause a panic in SSH servers. (#603)
  • v1.5.1 Changes

    December 13, 2021

    ๐Ÿš€ (This release was skipped due to discovering #610 and #611 after the tag was created.)

  • v1.5.0 Changes

    November 11, 2021

    โž• Added

    • ๐Ÿ–จ SSH print-cert has a new -raw flag to get the PEM representation of a certificate. (#483)

    • ๐Ÿ†• New build architecture: Linux riscv64. (#542)

    • ๐Ÿ‘ New experimental config option remote_allow_ranges. (#540)

    • ๐Ÿ†• New config option pki.disconnect_invalid that will tear down tunnels when they become invalid (through expiry or removal of root trust). Default is false. Note, this will not currently recognize if a remote has changed certificates since the last handshake. (#370)

    • ๐Ÿ†• New config option unsafe_routes.<route>.metric will set a metric for a specific unsafe route. It's useful if you have more than one identical route and want to prefer one against the other. (#353)

    ๐Ÿ”„ Changed

    • ๐Ÿ— Build against go 1.17. (#553)

    • ๐Ÿ— Build with CGO_ENABLED=0 set, to create more portable binaries. This could have an effect on DNS resolution if you rely on anything non-standard. (#421)

    • ๐Ÿ Windows now uses the wintun driver which does not require installation. This driver is a large improvement over the TAP driver that was used in previous versions. If you had a previous version of nebula running, you will want to disable the tap driver in Control Panel, or uninstall the tap0901 driver before running this version. (#289)

    • Darwin binaries are now universal (works on both amd64 and arm64), signed, and shipped in a notarized zip file. will be the only darwin release artifact. (#571)

    • ๐Ÿ”ง Darwin uses syscalls and AF_ROUTE to configure the routing table, instead of using /sbin/route. Setting is now allowed on Darwin as well, it must be in the format utun[0-9]+ or it will be ignored. (#163)

    ๐Ÿ—„ Deprecated

    • ๐Ÿ‘ The preferred_ranges option has been supported as a replacement for local_range since v1.0.0. It has now been documented and local_range has been officially deprecated. (#541)

    ๐Ÿ›  Fixed

    • Valid recv_error packets were incorrectly marked as "spoofing" and ignored. (#482)

    • SSH server handles single exec requests correctly. (#483)

    • Signing a certificate with nebula-cert sign now verifies that the supplied ca-key matches the ca-crt. (#503)

    • ๐Ÿ—„ If preferred_ranges (or the deprecated local_range) is configured, we will immediately switch to a preferred remote address after the reception of a handshake packet (instead of waiting until 1,000 packets have been sent). (#532)

    • A race condition when punchy.respond is enabled and ensures the correct vpn ip is sent a punch back response in highly queried node. (#566)

    • ๐Ÿ›  Fix a rare crash during handshake due to a race condition. (#535)

  • v1.4.0 Changes

    May 11, 2021

    โž• Added

    • ๐Ÿ–จ Ability to output qr code images in print, ca, and sign modes for nebula-cert. This is useful when configuring mobile clients. (#297)

    • Experimental: Nebula can now do work on more than 2 cpu cores in send and receive paths via the new routines config option. (#382, #391, #395)

    • ICMP ping requests can be responded to when the tun.disabled is true. This is useful so that you can "ping" a lighthouse running in this mode. (#342)

    • ๐Ÿณ Run smoke tests via make smoke-docker. (#287)

    • ๐Ÿง More reported stats, udp memory use on linux, build version (when using Prometheus), firewall, handshake, and cached packet stats. (#390, #405, #450, #453)

    • ๐Ÿ‘ IPv6 support for the underlay network. (#369)

    • โœ… End to end testing, run with make e2e. (#425, #427, #428)

    ๐Ÿ”„ Changed

    • ๐ŸŒฒ Darwin will now log stdout/stderr to a file when using -service mode. (#303)

    • ๐Ÿ‘ Example systemd unit file now better arranged startup order when using sshd and other fixes. (#317, #412, #438)

    • โฌ‡๏ธ Reduced memory utilization/garbage collection. (#320, #323, #340)

    • โฌ‡๏ธ Reduced CPU utilization. (#329)

    • ๐Ÿ— Build against go 1.16. (#381)

    • ๐ŸŽ Refactored handshakes to improve performance and correctness. (#401, #402, #404, #416, #451)

    • ๐Ÿ‘Œ Improved roaming support for mobile clients. (#394, #457)

    • ๐ŸŽ Lighthouse performance and correctness improvements. (#406, #418, #429, #433, #437, #442, #449)

    • ๐Ÿ‘ Better ordered startup to enable sshd, stats, and dns subsystems to listen on the nebula interface. (#375)

    ๐Ÿ›  Fixed

    • No longer report handshake packets as lost in stats. (#331)

    • ๐Ÿ“ฆ Error handling in the cert package. (#339, #373)

    • Orphaned pending hostmap entries are cleaned up. (#344)

    • Most known data races are now resolved. (#396, #400, #424)

    • Refuse to run a lighthouse on an ephemeral port. (#399)

    • โœ‚ Removed the global references. (#423, #426, #446)

    • Reloading via ssh command avoids a panic. (#447)

    • Shutdown is now performed in a cleaner way. (#448)

    • ๐Ÿ Logs will now find their way to Windows event viewer when running under -service mode in Windows. (#443)

  • v1.3.0 Changes

    September 22, 2020

    โž• Added

    You can emit statistics about non-message packets by setting the option
    stats.message_metrics. You can similarly emit detailed statistics about
    ๐Ÿ‘€ lighthouse packets by setting the option stats.lighthouse_metrics. See
    the example config for more details. (#230)

    ๐Ÿ‘ We now support freebsd/amd64. This is experimental, please give us feedback.

    ๐Ÿš€ We now release a binary for linux/mips-softfloat which has also been
    ๐Ÿ‘ stripped to reduce filesize and hopefully have a better chance on running on
    small mips devices. (#231)

    You can set tun.disabled to true to run a standalone lighthouse without a
    tun device (and thus, without root). (#269)

    ๐Ÿšš You can set logging.disable_timestamp to remove timestamps from log lines,
    ๐ŸŒฒ which is useful when output is redirected to a logging system that already
    โž• adds timestamps. (#288)

    ๐Ÿ”„ Changed

    Handshakes should now trigger faster, as we try to be proactive with sending
    them instead of waiting for the next timer tick in most cases. (#246, #265)

    Previously, we would drop the conntrack table whenever firewall rules were
    ๐Ÿ”„ changed during a SIGHUP. Now, we will maintain the table and just validate
    that an entry still matches with the new rule set. (#233)

    ๐Ÿ”Š Debug logs for firewall drops now include the reason. (#220, #239)

    ๐Ÿ”Š Logs for handshakes now include the fingerprint of the remote host. (#262)

    Config item pki.blacklist is now pki.blocklist. (#272)

    ๐Ÿ‘ Better support for older Linux kernels. We now only set SO_REUSEPORT if
    0๏ธโƒฃ tun.routines is greater than 1 (default is 1). We also only use the
    0๏ธโƒฃ recvmmsg syscall if listen.batch is greater than 1 (default is 64).

    It is possible to run Nebula as a library inside of another process now.
    Note that this is still experimental and the internal APIs around this might
    ๐Ÿš€ change in minor version releases. (#279)

    ๐Ÿ—„ Deprecated

    • ๐Ÿ—„ pki.blacklist is deprecated in favor of pki.blocklist with the same
      ๐Ÿš€ functionality. Existing configs will continue to load for this release to
      ๐Ÿ‘ allow for migrations. (#272)

    ๐Ÿ›  Fixed

    advmss is now set correctly for each route table entry when tun.routes
    ๐Ÿ”ง is configured to have some routes with higher MTU. (#245)

    Packets that arrive on the tun device with an unroutable destination IP are
    now dropped correctly, instead of wasting time making queries to the
    lighthouses for IP (#267)

  • v1.2.0 Changes

    April 08, 2020

    โž• Added

    โž• Add logging.timestamp_format config option. The primary purpose of this
    ๐Ÿ”„ change is to allow logging timestamps with millisecond precision. (#187)

    ๐Ÿ‘Œ Support unsafe_routes on Windows. (#184)

    ๐Ÿ‘ Add lighthouse.remote_allow_list to filter which subnets we will use to
    ๐Ÿ‘€ handshake with other hosts. See the example config for more details. (#217)

    ๐Ÿ‘ Add lighthouse.local_allow_list to filter which local IP addresses and/or
    ๐Ÿ‘€ interfaces we advertise to the lighthouses. See the example config for more
    details. (#217)

    ๐Ÿ”Œ Wireshark dissector plugin. Add this file in dist/wireshark to your
    ๐Ÿ‘€ Wireshark plugins folder to see Nebula packet headers decoded. (#216)

    systemd unit for Arch, so it can be built entirely from this repo. (#216)

    ๐Ÿ”„ Changed

    โž• Added a delay to punching via lighthouse signal to deal with race conditions
    ๐Ÿง in some linux conntrack implementations. (#210)

    ๐Ÿ‘€ See deprecated, this also adds a new punchy.delay option that defaults to 1s.

    Validate all lighthouse.hosts and static_host_map VPN IPs are in the
    subnet defined in our cert. Exit with a fatal error if they are not in our
    ๐Ÿ”ง subnet, as this is an invalid configuration (we will not have the proper
    routes set up to communicate with these hosts). (#170)

    ๐ŸŽ Use absolute paths to system binaries on macOS and Windows. (#191)

    โž• Add configuration options for handshakes. This includes options to tweak
    try_interval, retries and wait_rotation. See example config for
    descriptions. (#179)

    ๐Ÿ‘ Allow -config file to not end in .yaml or yml. Useful when using
    โœ… -test and automated tools like Ansible that create temporary files without
    ๐Ÿ›  suffixes. (#189)

    โœ… The config test mode, -test, is now more thorough and catches more parsing
    issues. (#177)

    ๐Ÿ“š Various documentation and example fixes. (#196)

    ๐Ÿ‘Œ Improved log messages. (#181, #200)

    โšก๏ธ Dependencies updated. (#188)

    ๐Ÿ—„ Deprecated

    ๐Ÿ”ง punchy, punch_back configuration options have been collapsed under the
    now top level punchy config directive. (#210)

    punchy.punch - This is the old punchy option. Should we perform NAT hole
    0๏ธโƒฃ punching (default false)?

    punchy.respond - This is the old punch_back option. Should we respond to
    0๏ธโƒฃ hole punching by hole punching back (default false)?

    ๐Ÿ›  Fixed

    โฌ‡๏ธ Reduce memory allocations when not using unsafe_routes. (#198)

    Ignore packets from self to self. (#192)

    ๐Ÿ›  MTU fixed for unsafe_routes. (#209)

  • v1.1.0 Changes

    January 17, 2020

    โž• Added

    • ๐ŸŽ For macOS and Windows, build a special version of the binary that can install and manage its own service configuration. You can use this with nebula -service. If you are building from source, use make service to build this feature.
    • ๐Ÿ‘Œ Support for mips, mips64, 386 and ppc64le processors on Linux.
    • ๐Ÿ”ง You can now configure the DNS listen host and port with and lighthouse.dns.port.
    • ๐Ÿ‘ Subnet and routing support. You can now add a unsafe_routes section to your config to allow hosts to act as gateways to other subnets. Read the example config for more details. This is supported on Linux and macOS.

    ๐Ÿ”„ Changed

    • Certificates now have more verifications performed, including making sure the certificate lifespan does not exceed the lifespan of the root CA. This could cause issues if you have signed certificates with expirations beyond the expiration of your CA, and you will need to reissue your certificates.
    • โšก๏ธ If lighthouse interval is set to 0, never update the lighthouse (mobile optimization).
    • ๐Ÿ“š Various documentation and example fixes.
    • ๐Ÿ‘Œ Improved error messages.
    • โšก๏ธ Dependencies updated.

    ๐Ÿ›  Fixed

    • If you have a firewall rule with group: ["one-group"], this will now be accepted, with a warning to use group: "one-group" instead.
    • ๐Ÿ”ง The configuration option was previously ignored (the bind host was always This option will now be honored.
    • The ca_sha and ca_name firewall rule options should now work correctly.