This release is for desktop only.
Here is a list of all changes since last stable release 2024.8.
Added
- Add a new access method: Encrypted DNS Proxy. Encrypted DNS proxy is a way to reach the API via
proxies. The access method is enabled by default.
macOS
- Detect whether full disk access is enabled in the split tunneling view.
- Add button to restart system service in split tunneling view. This can help mitigate edge-case
issues when enabling full disk access.
Changed
- Replace the draft key encapsulation mechanism Kyber (round 3) with the standardized
ML-KEM (FIPS 203) dito in the handshake for Quantum-resistant tunnels. - Make Smart Routing override multihop if both are enabled. To manually set the entry relay,
explicitly enable the "Direct only" option in the DAITA settings. - Update maybenot from 1.1.3 to 2.0.1.
Windows
- Enable quantum-resistant tunnels by default (when set to
auto).
Fixed
- Handle network switching better when using WG over Shadowsocks.
- Fix multihop entry location list sometimes being shown when multihop is disabled.
macOS
- Fix packets being duplicated on LAN when split tunneling is enabled.
- Fix DNS issues caused by forcibly using a local DNS resolver in all states.
Note that this fix is not present on macOS versions between 14.6 and 15.1.
Security
Windows
- Block WSL/Hyper-V traffic in secured states (except the connected state). The normal firewall
(WFP) filters normally do not apply for VMs. This mitigates the issue by ensuring that it does not
leak (as easily) when the VPN tunnel is up. Previously, WSL would leak while in the blocked or
connecting state, or while lockdown mode was active.