Releases: DefGuard/gateway
v2.0.0-alpha2
🎉 Welcome to Defguard 2.0 Alpha 2 🎉
📖 A comprehensive list of the changes implemented since Alpha 1 is documented in detail here: https://defguard.net/blog/defguard-2-0-release-alpha-2/
🛠️ We also highly recommend reviewing our detailed technical overview of all changes and the comprehensive showcase of all features in this article.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
Detailed Changes
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- Reverse gRPC communication by @moubctez in #233
- Limit connections to one Core by @moubctez in #241
- Enable use of fwmark by @moubctez in #242
- Disable APT repository signing/upload by @jakub-tldr in #244
- Core certificate authority, part 2: Gateway by @t-aleksander in #250
- Install missing build dependencies by @t-aleksander in #254
- Install missing dependencies, take 2 by @t-aleksander in #255
- MTU and FwMark are not optional by @moubctez in #256
- Gateway wizard by @t-aleksander in #257
- Update OPNsense plugin: add ACL, fix service by @moubctez in #259
- Purge RPC by @j-chmielewski in #268
- Update nftnl and mnl by @moubctez in #273
- Skip stats collection when disconnected by @j-chmielewski in #275
- Proper socket handing for mnl by @moubctez in #279
- Use proper file permissions for certificates by @moubctez in #281
- Prepare Alpha2 by @moubctez in #283
Full Changelog: v1.5.1...v2.0.0-alpha2
Contributors
Assets 10
v1.6.3
This is a security patch for the major 1.6 release.
It includes dependency updates to resolve the following CVEs:
What's Changed
Other Changes
- update dependencies & prepare 1.6.3 release by @wojcik91 in #269
- update boringtun & wireguard-rs by @wojcik91 in #272
Full Changelog: v1.6.2...v1.6.3
Contributors
Assets 14
- 822 KB
2026-03-17T03:26:12Z - 296 KB
2026-03-17T03:26:12Z - 169 KB
2026-03-17T03:26:12Z - 420 KB
2026-03-17T03:26:12Z - 2.94 MB
2026-02-16T13:11:23Z - 3.11 MB
2026-02-16T13:07:51Z - 3.33 MB
2026-02-16T13:07:14Z - 3 MB
2026-02-16T13:07:54Z - 2.12 MB
2026-02-16T13:11:28Z - 3.26 MB
2026-02-16T13:07:17Z -
2026-02-16T13:02:46Z -
2026-02-16T13:02:46Z - Loading
v2.0.0-alpha1
wojcik91
Maciek
🎉 Welcome to Defguard 2.0 Alpha 1 🎉
First of all, this is an actual alpha, not meant for production, but a technology preview of what’s to come, hopefully in a month, when the stable release should be ready.
2.0 is a major overhaul, featuring a completely redesigned UI/UX, secure reverse Core-to-Gateway communication with a built-in SSL certificate authority, automated deployment and session management, and initial high-availability support, laying a solid foundation for easier, safer, and more manageable on-premise deployments.
🛠️ We highly recommend that you get familiar with a detailed technical overview of all changes and a comprehensive showcase of all features in this blog post.
🚀Here you can find a quick tutorial on how to quickly launch 2.0α with Docker Compose.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
What's Changed
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- Reverse gRPC communication by @moubctez in #233
- Limit connections to one Core by @moubctez in #241
- Enable use of fwmark by @moubctez in #242
- Disable APT repository signing/upload by @jakub-tldr in #244
- Core certificate authority, part 2: Gateway by @t-aleksander in #250
- Install missing build dependencies by @t-aleksander in #254
- Install missing dependencies, take 2 by @t-aleksander in #255
- MTU and FwMark are not optional by @moubctez in #256
- Gateway wizard by @t-aleksander in #257
- Update OPNsense plugin: add ACL, fix service by @moubctez in #259
- fix binary build by @wojcik91 in #266
Full Changelog: v1.5.1...v2.0.0-alpha1
Contributors
Assets 10
v1.6.2
This is a patch for the major 1.6 release.
What's Changed
Other Changes
- Remove outdated info by @jakub-tldr in #251
- Update OPNsense plugin: add ACL, fix service by @moubctez in #258
Full Changelog: v1.6.1...v1.6.2
Contributors
Assets 14
v1.6.1
This is a patch for the major 1.6 release.
What's Changed
Other Changes
- Disable latest Docker tag in release workflow by @wojcik91 in #240
- Disable APT repository signing/uploads by @jakub-tldr in #243
- update trivy config by @wojcik91 in #247
- Update APT repository on full release/pre-release by @jakub-tldr in #245
- fix FreeBSD build by @wojcik91 in #249
Full Changelog: v1.6.0...v1.6.1
Contributors
Assets 14
v1.6.0
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and is published in Apple macOS Store officially.
🖥️ All desktop Clients now have a new MTU setting available.
🚦 Introducing Client Traffic Policy Selection. This lets administrators define whether VPN clients can choose their routing mode or are forced to use a specific traffic policy, such as routing all traffic through the VPN or only predefined traffic.
What's Changed
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- Use new wireguard-rs API with BoringTun by @moubctez in #220
- feat(opnsense): enable PID file monitoring for Defguard Gateway service by @jamtur01 in #222
- Remove AMI building by @t-aleksander in #230
- Fix handing ports in PacketFiler rules by @moubctez in #236
- use published wireguard-rs v0.8.0 by @j-chmielewski in #237
New Contributors
- @jakub-tldr made their first contribution in #221
- @jamtur01 made their first contribution in #222
Full Changelog: v1.5.2...v1.6.0
Contributors
Assets 14
v1.6.0-rc1
t-aleksander
Aleksander
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a release candidate which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
Full Changelog: v1.6.0-alpha2...v1.6.0-rc1
Contributors
Assets 10
v1.5.2
What's Changed
This patch for version 1.5 fixes port handing for Packet Filter.
Full Changelog: v1.5.1...v1.5.2
1.5 release is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
Migration guide
Before updating please make sure to read the migration guide
v1.6.0-alpha2
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- feat(opnsense): enable PID file monitoring for Defguard Gateway service by @jamtur01 in #222
- Remove AMI building by @t-aleksander in #230
New Contributors
Full Changelog: v1.5.1...v1.6.0-alpha2
Contributors
Assets 10
v1.6.0-alpha1
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
New Contributors
- @jakub-tldr made their first contribution in #221
Full Changelog: v1.5.1...v1.6.0-alpha1