Nebula v1.5.0 Release Notes
Release Date: 2021-11-11

Added
- SSH print-cert has a new -raw flag to get the PEM representation of a certificate. (#483)
- New build architecture: Linux riscv64. (#542)
- New experimental config option remote_allow_ranges. (#540)
- New config option pki.disconnect_invalid that will tear down tunnels when they become invalid (through expiry or removal of root trust). Default is false. Note, this will not currently recognize if a remote has changed certificates since the last handshake. (#370)
- New config option unsafe_routes.<route>.metric will set a metric for a specific unsafe route. It's useful if you have more than one identical route and want to prefer one over the other. (#353)

Changed
- Build against go 1.17. (#553)
- Build with CGO_ENABLED=0 set, to create more portable binaries. This could have an effect on DNS resolution if you rely on anything non-standard. (#421)
- Windows now uses the wintun driver which does not require installation. This driver is a large improvement over the TAP driver that was used in previous versions. If you had a previous version of nebula running, you will want to disable the tap driver in Control Panel, or uninstall the tap0901 driver before running this version. (#289)
- Darwin binaries are now universal (they work on both amd64 and arm64), signed, and shipped in a notarized zip file. nebula-darwin.zip will be the only darwin release artifact. (#571)
- Darwin uses syscalls and AF_ROUTE to configure the routing table, instead of using /sbin/route. Setting tun.dev is now allowed on Darwin as well; it must be in the format utun[0-9]+ or it will be ignored. (#163)

Deprecated
- The preferred_ranges option has been supported as a replacement for local_range since v1.0.0. It has now been documented and local_range has been officially deprecated. (#541)

Fixed
- Valid recv_error packets were incorrectly marked as "spoofing" and ignored. (#482)
- SSH server handles single exec requests correctly. (#483)
- Signing a certificate with nebula-cert sign now verifies that the supplied ca-key matches the ca-crt. (#503)
- If preferred_ranges (or the deprecated local_range) is configured, we will immediately switch to a preferred remote address after the reception of a handshake packet (instead of waiting until 1,000 packets have been sent). (#532)
- Fix a race condition when punchy.respond is enabled, ensuring the correct VPN IP is sent a punch back response on a highly queried node. (#566)
- Fix a rare crash during handshake due to a race condition. (#535)