slackhq/nebula v1.5.0

Release v1.5.0

on GitHub

Added

• SSH print-cert has a new -raw flag to get the PEM representation of a certificate. (#483)

• New build architecture: Linux riscv64. (#542)

• New experimental config option remote_allow_ranges. (#540)

• New config option pki.disconnect_invalid that will tear down tunnels when they become invalid (through expiry or
  removal of root trust). Default is false. Note, this will not currently recognize if a remote has changed
  certificates since the last handshake. (#370)

• New config option unsafe_routes.<route>.metric will set a metric for a specific unsafe route. It's useful if you have
  more than one identical route and want to prefer one against the other. (#353)

Changed

• Build against go 1.17. (#553)

• Build with CGO_ENABLED=0 set, to create more portable binaries. This could
  have an effect on DNS resolution if you rely on anything non-standard. (#421)

• Windows now uses the wintun driver which does not require installation. This driver
  is a large improvement over the TAP driver that was used in previous versions. If you had a previous version
  of nebula running, you will want to disable the tap driver in Control Panel, or uninstall the tap0901 driver
  before running this version. (#289)

• Darwin binaries are now universal (works on both amd64 and arm64), signed, and shipped in a notarized zip file.
  nebula-darwin.zip will be the only darwin release artifact. (#571)

• Darwin uses syscalls and AF_ROUTE to configure the routing table, instead of
  using /sbin/route. Setting tun.dev is now allowed on Darwin as well, it
  must be in the format utun[0-9]+ or it will be ignored. (#163)

Deprecated

• The preferred_ranges option has been supported as a replacement for
  local_range since v1.0.0. It has now been documented and local_range
  has been officially deprecated. (#541)

Fixed

• Valid recv_error packets were incorrectly marked as "spoofing" and ignored. (#482)

• SSH server handles single exec requests correctly. (#483)

• Signing a certificate with nebula-cert sign now verifies that the supplied
  ca-key matches the ca-crt. (#503)

• If preferred_ranges (or the deprecated local_range) is configured, we
  will immediately switch to a preferred remote address after the reception of
  a handshake packet (instead of waiting until 1,000 packets have been sent).
  (#532)

• A race condition when punchy.respond is enabled and ensures the correct
  vpn ip is sent a punch back response in highly queried node. (#566)

• Fix a rare crash during handshake due to a race condition. (#535)