Nebula v1.5.0 Release Notes

Release Date: 2021-11-11
  • Added

    • SSH print-cert has a new -raw flag to get the PEM representation of a certificate. (#483)

    • New build architecture: Linux riscv64. (#542)

    • New experimental config option remote_allow_ranges. (#540)

    • New config option pki.disconnect_invalid that will tear down tunnels when they become invalid (through expiry or removal of root trust). Default is false. Note, this will not currently recognize if a remote has changed certificates since the last handshake. (#370)

    • New config option unsafe_routes.<route>.metric will set a metric for a specific unsafe route. It's useful if you have more than one identical route and want to prefer one over the other. (#353)

  • Changed

    • Build against Go 1.17. (#553)

    • Build with CGO_ENABLED=0 set, to create more portable binaries. This could have an effect on DNS resolution if you rely on anything non-standard. (#421)

    • Windows now uses the wintun driver which does not require installation. This driver is a large improvement over the TAP driver that was used in previous versions. If you had a previous version of nebula running, you will want to disable the tap driver in Control Panel, or uninstall the tap0901 driver before running this version. (#289)

    • Darwin binaries are now universal (they work on both amd64 and arm64), signed, and shipped in a notarized zip file. nebula-darwin.zip will be the only darwin release artifact. (#571)

    • Darwin uses syscalls and AF_ROUTE to configure the routing table, instead of using /sbin/route. Setting tun.dev is now allowed on Darwin as well; it must be in the format utun[0-9]+ or it will be ignored. (#163)

  • Deprecated

    • The preferred_ranges option has been supported as a replacement for local_range since v1.0.0. It has now been documented and local_range has been officially deprecated. (#541)

  • Fixed

    • Valid recv_error packets were incorrectly marked as "spoofing" and ignored. (#482)

    • SSH server handles single exec requests correctly. (#483)

    • Signing a certificate with nebula-cert sign now verifies that the supplied ca-key matches the ca-crt. (#503)

    • If preferred_ranges (or the deprecated local_range) is configured, we will immediately switch to a preferred remote address after the reception of a handshake packet (instead of waiting until 1,000 packets have been sent). (#532)

    • A race condition when punchy.respond is enabled; the correct VPN IP is now sent a punch back response on highly queried nodes. (#566)

    • Fix a rare crash during handshake due to a race condition. (#535)
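
How the new and deprecated options above look together in a host config, as an added example that is not taken from the Nebula project's own files. The paths, addresses and metric value are constructed, and the placement of disconnect_invalid under pki and of unsafe_routes under tun is assumed from Nebula's example configuration layout.

```yaml
# Constructed example: paths, addresses and the metric are sample values.
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key
  # Default is false, which leaves an established tunnel up after the
  # certificate expires or its root is no longer trusted.
  # true tears such tunnels down. A remote that changed certificates since
  # the last handshake is not currently recognized.
  disconnect_invalid: true

# Deprecated as of v1.5.0:
# local_range: "172.16.0.0/24"
# Replacement, supported since v1.0.0:
preferred_ranges: ["172.16.0.0/24"]

tun:
  # Darwin only: the name must match utun[0-9]+ or the setting is ignored.
  dev: utun7
  unsafe_routes:
    - route: 10.20.0.0/16
      via: 192.168.100.10
      # Sets the metric for this one route, for the case where an identical
      # route exists and one of the two should be preferred.
      metric: 100
```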