Releases: DefGuard/defguard
v1.6.5
This is a patch for the major 1.6 release.
It includes fixes for some ACL-related edge-cases:
- fix rule generation for destination aliases in dual-stack scenarios by @wojcik91 in #2189
- fix component alias ranges being ignored by @wojcik91 in #2247
Other Changes
- Added new issue templates by @kchudy in #2145
- don't allow empty keys by @j-chmielewski in #2193
- add gateway config helper command by @wojcik91 in #2291
- Fix e2e tests by @j-chmielewski in #2314
Full Changelog: v1.6.4...v1.6.5
Contributors
Assets 12
v2.0.0-alpha2
🎉 Welcome to Defguard 2.0 Alpha 2 🎉
📖 A comprehensive list of the changes implemented since Alpha 1 is documented in detail here: https://defguard.net/blog/defguard-2-0-release-alpha-2/
🛠️ We also highly recommend reviewing our detailed technical overview of all changes and the comprehensive showcase of all features in this article.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
Detailed changes
- fix acl queries by @filipslezaklab in #2032
- Persist initial setup wizard state by @t-aleksander in #2033
- fix querykey conflict by @filipslezaklab in #2039
- Restore minimal LDAP compose by @t-aleksander in #2043
- Crl by @j-chmielewski in #2041
- New mail templates by @moubctez in #1997
- Check limits when creating users / locations by @filipslezaklab in #2048
- New mail templates part 2 by @moubctez in #2053
- Lack of SMTP configuration information for user by @jakub-tldr in #2054
- Wizard design tweaks by @t-aleksander in #2063
- Fix typos by @moubctez in #2066
- Gateway TLS verification by @j-chmielewski in #2049
- Use binary licence key by @moubctez in #2069
- Deleting a location cascade-deletes gateways by @j-chmielewski in #2075
- Static IP assignment from user list by @t-aleksander in #2077
- update location stats API to reflect new design by @wojcik91 in #2081
- Device IP management for single device by @t-aleksander in #2084
- "Add new device" option for admins by @jakub-tldr in #2079
- fix keepalive interval input by @j-chmielewski in #2099
- add gateway list page by @wojcik91 in #2100
- Add enabled to MailContext by @moubctez in #2107
- add edit gateway page by @wojcik91 in #2108
- Disabled SMTP badge in "Initiate self-enrollment" button by @jakub-tldr in #2114
- Fix welcome page by @moubctez in #2113
- Update ui submodule by @jakub-tldr in #2115
- Use Desktop deep-link for enrolment by @moubctez in #2122
- Block changing network address if devices are present, fix wizard by @t-aleksander in #2119
- add session manager test harness by @wojcik91 in #2128
- Change gateway port input type to number by @j-chmielewski in #2130
- handle public edge component URL in settings by @wojcik91 in #2118
- Cleanup certs by @moubctez in #2134
- use session timeout setting for cookies by @wojcik91 in #2143
- add location type, fwmark, mtu columns to locations table by @j-chmielewski in #2147
- Show business & enterprise features in edit/wizard forms by @jakub-tldr in #2137
- restore restrictions section in ACL create/edit form by @wojcik91 in #2133
- require destination in ACLs by @wojcik91 in #2146
- Gateway/Edge enabled/disabled by @moubctez in #2158
- display pending ACL updates in sidebar by @wojcik91 in #2164
- fix cache invalidation after adding and removing new gateway by @j-chmielewski in #2168
- Automated adoption wizard by @t-aleksander in #2165
- ACL form restrictions section fix by @wojcik91 in #2171
- Update dependencies by @moubctez in #2178
- Optimize IP's reassignement & tests by @jakub-tldr in #2160
- Deploy Edge component step in initial wizard by @jakub-tldr in #2184
- Allow entering empty secret in webhook config by @jakub-tldr in #2186
- Trim Gateways and Edges on licence expiration by @moubctez in #2169
- Delete Yubikey provision trigger event on webhook by @jakub-tldr in #2201
- Add migration wizard by @filipslezaklab in #2194
- Fix empty expand in table when removing last item by @filipslezaklab in #2205
- Fix OpenID label & Change LDAP labels by @jakub-tldr in #2206
- block used alias/destination delete by @wojcik91 in #2204
- LDAP case insensitive by @moubctez in #2195
- User-friendly settings by @j-chmielewski in #2210
- Periodiacally refresh Gateway status by @moubctez in #2212
- License check by @moubctez in #2230
- Fix stale gateway/edge connected status by @t-aleksander in #2232
- Hide "Device IP settings" option for non-admin users by @jakub-tldr in #2234
- Network devices UI fixes by @jakub-tldr in #2235
- Fix network device edit modal by @jakub-tldr in #2237
- Adoption core logs by @j-chmielewski in #2188
- Migrate locations by @filipslezaklab in #2245
- Network readdress by @moubctez in #2260
- Add more logs to automatic component adoption process by @t-aleksander in #2274
- share edge deploy wizard step component by @filipslezaklab in #2275
- use table edit cell by @filipslezaklab in #2276
- ACL UI fixes by @wojcik91 in #2222
- Fix MFA mail by @moubctez in #2281
- Tweak settings UI by @j-chmielewski in #2282
- update openid table page by @filipslezaklab in #2285
- Prepare for Alpha Two by @moubctez in #2284
- Default MFA option only for logged in user by @moubctez in #2286
- fix logout not removing cookies by @filipslezaklab in #2287
- Redirect to user profile page on 403 status code by @moubctez in #2288
- Add snackbars to all settings pages, fix form state in client behavio… by @j-chmielewski in #2290
Full Changelog: v2.0.0-alpha1...v2.0.0-alpha2
Contributors
Assets 8
v1.6.4
This is a security patch for the major 1.6 release.
It includes dependency updates to resolve the following CVEs:
- CVE-2026-25537
- GHSA-7587-4wv6-m68m
- GHSA-8h58-w33p-wq3g
- GHSA-c7ph-f7jm-xv4w
- CVE-2026-25727
- CVE-2026-25639
- CVE-2026-2391
What's Changed
Other Changes
- Filter MFA locations on network devices list by @jakub-tldr in #1996
- Bump dependencies to address security issues by @moubctez in #2065
Full Changelog: v1.6.3...v1.6.4
Contributors
Assets 12
v2.0.0-alpha1
wojcik91
Maciek
🎉 Welcome to Defguard 2.0 Alpha 1 🎉
First of all, this is an actual alpha, not meant for production, but a technology preview of what’s to come, hopefully in a month, when the stable release should be ready.
2.0 is a major overhaul, featuring a completely redesigned UI/UX, secure reverse Core-to-Gateway communication with a built-in SSL certificate authority, automated deployment and session management, and initial high-availability support, laying a solid foundation for easier, safer, and more manageable on-premise deployments.
🛠️ We highly recommend that you get familiar with a detailed technical overview of all changes and a comprehensive showcase of all features in this blog post.
🚀Here you can find a quick tutorial on how to quickly launch 2.0α with Docker Compose.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
What's Changed
- Release 1.6 alpha merger by @wojcik91 in #1711
- Finialize moving most important DB models to a common crate by @wojcik91 in #1713
- Merge main->dev before 1.6 by @j-chmielewski in #1756
- Implement multiple proxy handling by @j-chmielewski in #1743
- Reverse gateway grpc take two merger by @moubctez in #1767
- Gateway REST by @moubctez in #1775
- Allow domain names location DNS by @moubctez in #1786
- Add MTU and FwMark to WireGuardNetwork by @moubctez in #1788
- Disable APT repository signing/uploads by @jakub-tldr in #1799
- Disable APT repository signing/uploads by @jakub-tldr in #1800
- Core certificate authority, part 1: Proxy by @t-aleksander in #1790
- UI table update by @filipslezaklab in #1808
- Update APT repository on full release/pre-release by @jakub-tldr in #1807
- Merge main -> dev after 1.6.1 release by @wojcik91 in #1844
- PUT for OpenIDProvider by @moubctez in #1801
- Multiproxy private cookies by @j-chmielewski in #1809
- components update 1 by @filipslezaklab in #1848
- OpenID tests by @jakub-tldr in #1852
- Add MTU and FwMark to web interface by @moubctez in #1849
- Core certificate authority, part 2: Gateway by @t-aleksander in #1846
- Extend OpenAPI docs with OpenID providers by @moubctez in #1860
- OpenID provider kind by @moubctez in #1871
- VPN client session manager pt2 by @wojcik91 in #1802
- Activity log streaming page by @jakub-tldr in #1876
- add VPN sessions & stats generator by @wojcik91 in #1885
- send cookie keys via protos by @j-chmielewski in #1881
- Log streaming page tweaks by @jakub-tldr in #1892
- VPN stats generator pt2 by @wojcik91 in #1891
- Destination, part 1 by @moubctez in #1895
- MTU and FwMark are not optional by @moubctez in #1907
- session manager VPN client events by @wojcik91 in #1911
- fix docker build by @wojcik91 in #1914
- Implement proxy wizard by @t-aleksander in #1910
- Implement remote MFA with new, separate RPC message by @j-chmielewski in #1912
- Include component version in support data by @jakub-tldr in #1920
- Gateway wizard by @t-aleksander in #1919
- handle multiple gateways in session manager by @wojcik91 in #1917
- Any for aliases by @moubctez in #1918
- Initiate self-enrolment from users list by @jakub-tldr in #1935
- Separate API for Alias and Destination by @moubctez in #1938
- Use functions for ApiResponse by @moubctez in #1942
- Activity log streaming certificate file upload by @jakub-tldr in #1941
- Edge edit form by @j-chmielewski in #1940
- Support VPN client MFA connect/disconnect process within the session manager by @wojcik91 in #1939
- periodic VPN session & stats purge by @wojcik91 in #1954
- Fetch AclAlias by kind by @moubctez in #1953
- drop legacy stats tables by @wojcik91 in #1957
- Edge delete by @j-chmielewski in #1960
- New instance setup wizard by @t-aleksander in #1961
- VPN sessions handling fixes by @wojcik91 in #1964
- Fix connecting to proxy after completing initial wizard by @t-aleksander in #1971
- Initial wizard fixes by @t-aleksander in #1987
- Fix wizard routing by @t-aleksander in #1991
- change from root guard to route specific guards by @filipslezaklab in #1993
- fix(mfa): preserve preshared key when creating new session by @j-chmielewski in #1995
- Edge list by @j-chmielewski in #1992
- Update ACL -> firewall rule translation to handle new toggles by @wojcik91 in #1994
- Restore init dev env by @t-aleksander in #2010
- Allow admins to delete a specific MFA method for a user by @jakub-tldr in #2012
- Block adding MFA for user as admin by @jakub-tldr in #2013
- pre-alpha ACL UI fixes by @wojcik91 in #2024
Full Changelog: v1.6.1...v2.0.0-alpha1
Contributors
Assets 8
v1.6.3
This is a patch for the major 1.6 release.
What's Changed
Other Changes
Full Changelog: v1.6.2...v1.6.3
Contributors
Assets 12
v1.6.2
This is a patch for the major 1.6 release.
What's Changed
Other Changes
- Disable APT repository signing/uploads by @jakub-tldr in #1799
- Update APT repository on full release/pre-release by @jakub-tldr in #1807
- add gh cli dependency by @jakub-tldr in #1847
- Remove outdated information by @jakub-tldr in #1845
- Add missing character by @jakub-tldr in #1873
- Allow 0.0.0.0/0 to be set as allowed ip by @jakub-tldr in #1874
- Replace OpenLDAP docker image by @jakub-tldr in #1875
- fix ACL to firewall rule translation for IPv4-only or IPv6-only destinations by @wojcik91 in #1896
- force all traffic for legacy clients by @wojcik91 in #1902
Full Changelog: v1.6.1...v1.6.2
Contributors
Assets 12
v1.6.1
This is a patch for the major 1.6 release.
What's Changed
- ACL Destination validator fix + Unit tests by @jakub-tldr in #1768
- Allow domain names in location DNS by @moubctez in #1787
Full Changelog: v1.6.0...v1.6.1
Contributors
Assets 12
v1.6.0
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and is published in Apple macOS Store officially.
🖥️ All desktop Clients now have a new MTU setting available.
🚦 Introducing Client Traffic Policy Selection. This lets administrators define whether VPN clients can choose their routing mode or are forced to use a specific traffic policy, such as routing all traffic through the VPN or only predefined traffic.
What's Changed
- update dev from staging by @filipslezaklab in #1369
- Release 1.5 merger by @wojcik91 in #1577
- Fixes pentest issue DG25-16 from 2025-09-02 by @j-chmielewski in #1546
- Fixes pentest issue DG25-10 from 2025-09-02 by @j-chmielewski in #1579
- Fixes pentest issue DG25-14 from 2025-09-02 by @moubctez in #1580
- Don't send empty strings when phone number is not provided by @j-chmielewski in #1583
- Fixes pentest issue DG25-17 from 2025-09-02 by @j-chmielewski in #1581
- Fixes pentest issue DG25-21 from 2025-09-02 by @j-chmielewski in #1587
- Fixes pentest issue DG25-1 from 2025-09-02 by @j-chmielewski in #1588
- Fixes pentest issue DG25-24 from 2025-09-02 by @moubctez in #1585
- put mail handler into a separate crate by @wojcik91 in #1590
- Cleanup and revive OpenID login test by @moubctez in #1591
- Fixes pentest issue DG25-11 from 2025-09-02 by @wojcik91 in #1593
- Fixes pentest issue DG25-25 and DG25-20 from 2025-09-02 by @t-aleksander in #1574
- Fixes pentest issue DG25-32 from 2025-09-02 by @j-chmielewski in #1597
- fix document links by @wojcik91 in #1599
- Merge main into dev after 1.5.1 release by @j-chmielewski in #1619
- Create SBOM files by @j-chmielewski in #1620
- CI: scan code with trivy by @j-chmielewski in #1622
- Return NotFound to proxy for missing OpenID provider by @moubctez in #1626
- Periodic sbom regeneration by @j-chmielewski in #1627
- Switch to non-Alpine node:24 by @moubctez in #1628
- add missing error logs in proxy request handlers by @wojcik91 in #1616
- verify audit log events in API integration tests by @wojcik91 in #1624
- Upgrade Debian packages to get latest security fixes by @moubctez in #1648
- fix(e2e): update selectors in external OIDC tests by @wojcik91 in #1656
- fix e2e test enroll via external oidc by @filipslezaklab in #1657
- APT uploading/signing workflow by @jakub-tldr in #1655
- List whole directory by @jakub-tldr in #1664
- Validate IP address in Wizard by @jakub-tldr in #1667
- Service locations (Pre-logon, Always-on) by @t-aleksander in #1666
- User enrollment pending by @j-chmielewski in #1675
- Merge main into dev before 1.6 release by @j-chmielewski in #1680
- Basic client version reporting by @t-aleksander in #1688
- add option to pre-fetch OpenID directory users during sync by @wojcik91 in #1689
- add option to configure enrollment token duration by @wojcik91 in #1698
- fix(gRPC): improve handling device pubkey change by @wojcik91 in #1703
- add invalid location address validation by @wojcik91 in #1707
- Attempt to add depends to FreeBSD package by @moubctez in #1709
- Remove AMI building by @t-aleksander in #1710
- Implement "force all traffic" enterprise setting by @j-chmielewski in #1706
- Filter MFA locations on network devices modal, block creating devices without name by @jakub-tldr in #1719
- Fix traffic policy settings styling by @j-chmielewski in #1720
- Fix validator for ipv4 with port by @jakub-tldr in #1723
- Fix ipv4 validator by @j-chmielewski in #1726
- RPM config fix by @jakub-tldr in #1730
- Validator fix, Frontend unit testing by @jakub-tldr in #1733
- Fix e2e test by @t-aleksander in #1742
- Add support for license tiers by @wojcik91 in #1746
- don't tag Docker image as latest automatically by @wojcik91 in #1749
- disable default latest tag in docker action by @wojcik91 in #1751
- display license tier on settings page by @wojcik91 in #1754
Full Changelog: v1.5.2...v1.6.0
Contributors
Assets 12
v1.6.0-rc1
t-aleksander
Aleksander
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a release candidate which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- RPM config fix by @jakub-tldr in #1730
- Validator fix, Frontend unit testing by @jakub-tldr in #1733
- Fix e2e test by @t-aleksander in #1742
Full Changelog: v1.6.0-alpha3...v1.6.0-rc1
Contributors
Assets 8
v1.6.0-alpha3
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- update dev from staging by @filipslezaklab in #1369
- Release 1.5 merger by @wojcik91 in #1577
- Fixes pentest issue DG25-16 from 2025-09-02 by @j-chmielewski in #1546
- Fixes pentest issue DG25-10 from 2025-09-02 by @j-chmielewski in #1579
- Fixes pentest issue DG25-14 from 2025-09-02 by @moubctez in #1580
- Don't send empty strings when phone number is not provided by @j-chmielewski in #1583
- Fixes pentest issue DG25-17 from 2025-09-02 by @j-chmielewski in #1581
- Fixes pentest issue DG25-21 from 2025-09-02 by @j-chmielewski in #1587
- Fixes pentest issue DG25-1 from 2025-09-02 by @j-chmielewski in #1588
- Fixes pentest issue DG25-24 from 2025-09-02 by @moubctez in #1585
- put mail handler into a separate crate by @wojcik91 in #1590
- Cleanup and revive OpenID login test by @moubctez in #1591
- Fixes pentest issue DG25-11 from 2025-09-02 by @wojcik91 in #1593
- Fixes pentest issue DG25-25 and DG25-20 from 2025-09-02 by @t-aleksander in #1574
- Fixes pentest issue DG25-32 from 2025-09-02 by @j-chmielewski in #1597
- fix document links by @wojcik91 in #1599
- Merge main into dev after 1.5.1 release by @j-chmielewski in #1619
- Create SBOM files by @j-chmielewski in #1620
- CI: scan code with trivy by @j-chmielewski in #1622
- Return NotFound to proxy for missing OpenID provider by @moubctez in #1626
- Periodic sbom regeneration by @j-chmielewski in #1627
- Switch to non-Alpine node:24 by @moubctez in #1628
- add missing error logs in proxy request handlers by @wojcik91 in #1616
- verify audit log events in API integration tests by @wojcik91 in #1624
- Upgrade Debian packages to get latest security fixes by @moubctez in #1648
- fix(e2e): update selectors in external OIDC tests by @wojcik91 in #1656
- fix e2e test enroll via external oidc by @filipslezaklab in #1657
- APT uploading/signing workflow by @jakub-tldr in #1655
- List whole directory by @jakub-tldr in #1664
- Validate IP address in Wizard by @jakub-tldr in #1667
- Service locations (Pre-logon, Always-on) by @t-aleksander in #1666
- User enrollment pending by @j-chmielewski in #1675
- Merge main into dev before 1.6 release by @j-chmielewski in #1680
- Basic client version reporting by @t-aleksander in #1688
- add option to pre-fetch OpenID directory users during sync by @wojcik91 in #1689
- add option to configure enrollment token duration by @wojcik91 in #1698
- fix(gRPC): improve handling device pubkey change by @wojcik91 in #1703
- add invalid location address validation by @wojcik91 in #1707
- Attempt to add depends to FreeBSD package by @moubctez in #1709
- Remove AMI building by @t-aleksander in #1710
- Implement "force all traffic" enterprise setting by @j-chmielewski in #1706
- Filter MFA locations on network devices modal, block creating devices without name by @jakub-tldr in #1719
- Fix traffic policy settings styling by @j-chmielewski in #1720
Full Changelog: v1.5.2...v1.6.0-alpha3