Releases: NHAS/wag

v3.2.0-pre-release

24 Dec 00:46
Pre-release

Improves the OIDC authentication method and contains a number of bug fixes and other quality of life changes.

Breaking changes:

  • the wagctl library client now requires the use of NewControlClient(socketPath string) instead of using control methods directly

Changes:

  • /status/ endpoint replaces the /routes/ endpoint for getting route and authorisation status
  • registration now takes an optional -group or -groups argument which sets a user's groups, so that when used with OIDC a user can register and get a valid wireguard configuration file without having to be listed by name in the config.json file
  • Successful authorisation page now has a logout link
  • Wag will no longer remove the socket and wireguard device if another wag instance is detected to be managing it

Features:

  • config.json now supports the Socket field, which specifies where wag will put its control socket, so you can run multiple wag instances on one server

Bug Fixes:

  • Two or more users could not have their MFA methods reset at the same time; this is now fixed
  • Two or more users can now have the OIDC authentication method

v2.0.3

23 Dec 09:31

Tiny release that adds the /status/ endpoint on the VPN.

WARNING: this REMOVES /routes/, as that information has been rolled into /status/.

Features:

  • /status/ endpoint that returns a JSON object in the following format:

    struct {
        IsAuthorised bool
        Routes       []string
    }

Breaking Changes:

  • /routes/ has been removed as this information is now contained within the /status/ endpoint

v2.0.2

23 Dec 09:15

Small release that moves builds from an Arch Linux host (with a very new glibc) to Debian 11 (glibc 2.31).

Bug Fixes:

  • If no policy is defined, wag will no longer crash on startup

Changes:

  • config generator has been improved

Features:

  • Dockerfile can now build the wag binary for proper release builds (thanks cgo)

v3.1.0-pre-release

21 Dec 08:04
Pre-release

Adds OIDC authentication method.

Devices are still associated by username, so the preferred_username specified by your identity provider (IdP) is checked against the device owner username.

Features:

  • oidc method now available in Authenticators.Methods
  • Authenticators.OIDC contains configuration options for the IdP

Bug Fixes:

  • Server public key and client private key are no longer HTML entity encoded (since v3.0.0-pre-release)

v3.0.0-pre-release

19 Dec 22:48
Pre-release

A large release that adds Webauthn support to wag.

This release adds new options to the configuration file, and (if webauthn is desired) will require users to set the Authenticators.DomainURL variable.

This release also contains a number of small fixes, some of which will be listed here.

Breaking changes:

  • Authenticators.DomainURL is now required if the webauthn method is enabled (which it is by default)

Changes:

  • Content Security Policy now allows script-src: self
  • SIGPIPE is no longer considered an exit condition

Features:

  • The tunnel server now has a /public_key route to return the wireguard public key
  • Device registration can now display configuration as a QR code for mobile devices (use /register_device?type=mobile)
  • Wag now supports both TOTP and Webauthn authorisation methods
  • The configuration file now allows the default authentication method and the enabled methods to be specified

Bug Fixes:

  • Denial of service due to an unreleased lock if a user re-uses a valid code within 30 seconds (basically impossible to hit)

v2.0.0

03 Dec 01:38

This release contains a large number of commits, bug fixes, and breaking changes.
The database is migrated automatically; if this fails, a backup will have been made: restore it on the old version and open an issue.

Notable changes:

  • Users can now have multiple devices
  • Configuration file has slightly changed how the tunnel web server address is denoted

Breaking changes:

  • Webserver.Tunnel.ListenAddress has been replaced by Webserver.Tunnel.Port as a user should not specify any listen address that is outside the tunnel IP address

Changes:

  • registration command now accepts -username to specify an existing user, generating a token that will add a device to that user
  • devices command uses -address to specify individual devices and -username to target multiple devices

Features:

  • Wag now has a users CLI command, which allows management of a user's MFA (resetting it) and locking and unlocking of their associated devices
  • users has -reset-mfa to re-show users their MFA details
  • registration now has an -overwrite directive to replace the public key of an existing user device (rather than having to generate a whole new token)
  • Wag now has a gen-config command to interactively create a configuration file with some sane defaults

Bug Fixes:

  • Remove LastPacketTime entry when device is deleted (minor bug)

v1.4.4 - Security Patch

29 Oct 08:45

This update resolves an inconsistency in the XDP firewall that would have resulted in network hosts being unintentionally exposed with specific configurations.

Patching

This will require a full restart of wag (not just a hot upgrade) as the change is in the XDP firewall itself.

Description

If a public allowed route also matches an MFA route, the public route would be used if the user was not authorized, effectively meaning that the user would always be able to access the host/network.

Example Vulnerable Configuration

In the following configuration, a user would have always had access to the 10.0.0.0/24 network, regardless of MFA status. This is not intended.

    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [
                    "10.0.0.0/24"
                ],
                "Allow": [
                    "0.0.0.0/0"
                ]
            }
        }
    }
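As an added illustration (not part of this release or of wag's own code): a small Go check that flags Allow routes overlapping Mfa routes in a policy shaped like the one above, alongside a model of the two lookup orders. The decide function and its mfaFirst switch are an assumption about the precedence this note describes, not wag's XDP implementation.

```go
package main

import ("fmt"; "net")

type policy struct{ Mfa, Allow []string } // one entry of Acls.Policies from the note above

// overlappingRoutes lists every (Allow, Mfa) pair whose CIDRs overlap; two CIDR
// blocks overlap exactly when one contains the other's network address.
func overlappingRoutes(p policy) (found [][2]string) {
	for _, a := range p.Allow {
		for _, m := range p.Mfa {
			_, an, errA := net.ParseCIDR(a)
			_, mn, errM := net.ParseCIDR(m)
			if errA == nil && errM == nil && (an.Contains(mn.IP) || mn.Contains(an.IP)) {
				found = append(found, [2]string{a, m})
			}
		}
	}
	return found
}

// inAny reports whether ip lies inside any CIDR in the list (malformed entries are skipped).
func inAny(cidrs []string, ip net.IP) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// decide models the lookup order only (an assumption, not wag's XDP code): mfaFirst=false
// lets a public match win outright (the pre-1.4.4 bug); mfaFirst=true checks MFA routes first.
func decide(p policy, dst string, authorised, mfaFirst bool) bool {
	ip := net.ParseIP(dst)
	public, mfa := inAny(p.Allow, ip), inAny(p.Mfa, ip)
	if !mfaFirst && public {
		return true
	}
	if mfa {
		return authorised // MFA route: only an authorised session passes
	}
	return public
}

func main() {
	// Constructed from the vulnerable Acls.Policies["*"] entry shown above.
	p := policy{Mfa: []string{"10.0.0.0/24"}, Allow: []string{"0.0.0.0/0"}}
	fmt.Println("overlaps:", overlappingRoutes(p), "pre-patch:", decide(p, "10.0.0.5", false, false), "patched:", decide(p, "10.0.0.5", false, true))
}
```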

v1.4.3

27 Oct 20:33

Small patch that resolves an issue with the wag/wireguard server not being able to initiate connections to its remote clients.

Bug Fixes:

  • Wag now adds an iptables rule to the filter INPUT chain that uses conntrack to allow connections once they have been established
  • Fixed the -noiptables startup flag

v1.4.2

25 Oct 08:18

Minor bug fix release due to multiple issues in the registration process.

Bug Fixes:

  • Registration no longer looks up values in the no-longer-present Totp table
  • After a hot upgrade, registration no longer causes a panic due to a missing inner ebpf map specification
  • Incrementing peer IP addresses now selects the correct address

v1.4.1

19 Oct 06:34

A large release of wag that changes multiple aspects of the program.

This release changes the configuration file for wag: WgDevName has been moved into a new configuration structure, Wireguard, and is now called DevName.
Please review the example configuration.

Most notably adds:

  • hot upgrades, allowing you to upgrade the golang portions of the VPN without interrupting users
  • wag management of the underlying wireguard device, which removes the dependency on things like wg-quick
  • database migrations

It is important that the systemd service file is updated to the current version in the repository.

(This release's binary has been upgraded to 1.4.2 due to numerous breaking bugs)

Features:

  • Database migrations will first perform a database backup
  • v1.3.2-pre-release Netlink interoperability allows wag to setup/teardown a wireguard device
  • v1.3.2-pre-release Hot upgrading: the VPN no longer needs to be fully stopped in order to upgrade the golang components of wag; this is done with the ./wag upgrade command
  • v1.3.2-pre-release Improved control package, now every action can be done using it
  • v1.3.2-pre-release Registration requests now take a minimum time to complete (~1 second) to stop timing attacks

Bug Fixes:

  • v1.3.2-pre-release Fix firewall list command not outputting data
  • v1.3.2-pre-release -config is now no longer required for every cli command
  • v1.4.0-pre-release After a hot upgrade the wireguard endpoint watcher no longer automatically de-authenticates all users, as wireguard device creation sets device endpoints to their previous value

Changes:

  • v1.3.2-pre-release WgDevName has been moved into a new configuration structure Wireguard and is now called DevName
  • v1.3.2-pre-release wag will now create and populate a wireguard device using netlink, when the device specified by DevName is not present
  • v1.3.2-pre-release wag no longer relies on wg-quick configuration for peers
  • v1.3.2-pre-release When a user exceeds the lockout number of attempts, the error message they now get is "account locked"
  • v1.3.2-pre-release Wag's XDP component is now more obviously labeled as wag in tools such as bpftool
  • v1.3.2-pre-release The wag socket now allows whatever process group wag is in to read/write (allows for better integrations)
  • v1.3.2-pre-release No longer use the default http mux for the control mux just in case it becomes exposed
  • v1.3.2-pre-release Once a TOTP code is used, it cannot be reused within the 30 second time period
  • v1.4.0-pre-release make upgrade message a bit clearer to differentiate when a binary needs to be manually copied or is automatically copied
  • v1.4.0-pre-release wag now stores the last user device endpoint in the SQLite3 database
  • v1.4.0-pre-release wag can now automatically upgrade its own database