A huge release which incorporates several months of work. This almost certainly contains breaking changes (and maybe some bugs).
Most notably this release adds:
- Multiple MFA methods, such as webauth and oidc.
- A web administration user interface
v4.1.1
Breaking changes:
- Multiple configuration options have been moved to more appropriate places
- A new configuration option for specifying which MFA method is selected is now called `Authenticators`
- `Issuer` has been moved to `Authenticators.Issuer`
- `DNS` has been moved under `Wireguard.DNS`
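The two key moves above are the kind of change that silently breaks a deployment if an old `config.json` is carried forward. The following is an added example, not a tool shipped by wag: a small migration helper that relocates `Issuer` to `Authenticators.Issuer` and `DNS` to `Wireguard.DNS`, refuses to overwrite a differing value already present at the destination, and is safe to run twice. It assumes the pre-v4 keys lived at the top level of the file (the release notes name only the new locations); the sample configuration is constructed for illustration and the other keys in it are not taken from wag's real schema.

```python
import copy
import json

# Constructed sample of a pre-v4 wag config.json (not a real wag config).
# Only `Issuer` and `DNS` matter here; their top-level placement is an
# assumption, as the release notes state only where they moved to.
OLD_CONFIG_JSON = """
{
  "Issuer": "vpn.example.com",
  "DNS": ["10.0.0.1"],
  "Wireguard": {
    "DevName": "wg0",
    "ListenPort": 51820
  },
  "Authenticators": {
    "Methods": ["totp"]
  }
}
"""

# (old path, new path) pairs taken from the v4 breaking-changes list.
MOVES = [
    (("Issuer",), ("Authenticators", "Issuer")),
    (("DNS",), ("Wireguard", "DNS")),
]


def pop_path(obj, path):
    """Remove the value at `path` from a nested dict. Returns (found, value)."""
    cur = obj
    for key in path[:-1]:
        if not isinstance(cur, dict) or key not in cur:
            return False, None
        cur = cur[key]
    if not isinstance(cur, dict) or path[-1] not in cur:
        return False, None
    return True, cur.pop(path[-1])


def set_path(obj, path, value):
    """Store `value` at `path`, creating intermediate objects as needed.

    A differing value already at the destination is an error rather than
    something to clobber: an operator should resolve that by hand.
    """
    cur = obj
    for key in path[:-1]:
        cur = cur.setdefault(key, {})
    if path[-1] in cur and cur[path[-1]] != value:
        raise ValueError(
            "conflict at %s: old value %r vs existing %r"
            % (".".join(path), value, cur[path[-1]])
        )
    cur[path[-1]] = value


def migrate_config(old):
    """Return (migrated copy, list of 'old -> new' moves actually applied)."""
    new = copy.deepcopy(old)
    moved = []
    for old_path, new_path in MOVES:
        found, value = pop_path(new, old_path)
        if found:
            set_path(new, new_path, value)
            moved.append(".".join(old_path) + " -> " + ".".join(new_path))
    return new, moved


def migrate_json_text(text):
    """Convenience wrapper for file contents: JSON text in, JSON text out."""
    new, moved = migrate_config(json.loads(text))
    return json.dumps(new, indent=2), moved


if __name__ == "__main__":
    migrated, applied = migrate_json_text(OLD_CONFIG_JSON)
    for line in applied:
        print("moved:", line)
    print(migrated)
```

Running the migration a second time on its own output applies no moves, so it can be wired into a deploy step without guarding against double application; a config that already carries a different `Authenticators.Issuer` alongside a top-level `Issuer` stops the run with a `ValueError` instead of picking one silently.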
Features:
- The `ManagementUI` field is now a configurable option in wag config which allows a user to define listening address, certificates and if the UI is enabled
- `wag webadmin` is now a subcommand of the wag binary, which allows for all standard user management functionality. Web administration users must be added via command line only
- The `wagctrl` package has more API endpoints for controlling and fetching wag data
- `config.json` now allows users to specify `ExposePorts` which adds iptables rules to allow said ports to access the vpn host (useful for proxying) closes #27
- By default wag will now generate and insert a `PresharedKey` (thanks to #26)
Bug Fixes:
- Fixed bug where the build process was not injecting wag's version correctly
- Fixed small bug where on save some json fields would be null instead of not present
- Fixed a bug where adding two users with no MFA would throw a unique column error
- Fixed an issue where, with wag behind a reverse proxy, the web proxy port would not be exposed to the end user, leaving them unable to MFA
v3.2.1-pre-release
Bug Fixes:
- Fix nil panic on config reload
- Set default socket selection to users command submodule
- Fix registrations failing due to a string not being nullable when pulling from the sqlite db
v3.2.0-pre-release
Breaking changes:
- the wagctl library client now requires the use of `NewControlClient(socketPath string)` instead of using control methods directly
Changes:
- `/status/` endpoint rather than `/routes/` endpoint for getting route and authorisation status
- registration now takes an optional `-group` or `-groups` argument which sets a user's groups, so that when used with the `OIDC` method a user can register and get a valid wireguard configuration file without having to be present within the `config.json` file by name
- Successful authorisation page now has a logout link
- Wag will no longer remove socket and wireguard device if another wag instance is detected to be managing it
Features:
- `config.json` now supports the `Socket` field, which specifies where wag will put its control socket, thus you can run multiple wag instances on one server
Bug Fixes:
- Two or more users could not have reset mfa methods at one time, this is now fixed
- Two or more users can now have the OIDC authentication method
v3.1.0-pre-release
Features:
- oidc method now available in `Authenticators.Methods`
- `Authenticators.OIDC` contains configuration options for the `IdP`
Bug Fixes:
- Server public key and client private key are no longer HTML entity encoded (since v3.0.0-pre-release)
v3.0.0-pre-release
Changes:
- Content Security Policy now allows `script-src: self`
- SIGPIPE is no longer considered an exit condition
Features:
- The tunnel server now has a `/public_key` route to return the wireguard public key
- Device registration can now display configuration as a QR code for mobile devices (use `/register_device?type=mobile`)
- Wag now supports both `TOTP` and `Webauthn` authorisation methods
- The configuration file now allows for specification of default authentication method, and enabled methods
Bug Fixes:
- Denial of service due to unreleased lock if a user re-uses a valid code within 30 seconds. (basically impossible to hit)