Releases: gravitl/netmaker
Version 0.16.2
Important Note: Upgrading to 0.16.2 from a release prior to 0.16.1 requires special upgrade instructions.
See here: https://gist.github.com/abhishek9686/287563a848932f59768989f054025b37
Updating from 0.16.1 only requires updating netmaker/netmaker-ui image tags in your docker-compose and installing updated binaries on your clients
Community
What's New
- Windows GUI connection button (thanks @BracemAbroug @Noexperience-Team)
- Zombie Processing re-enabled
- Mac Client refactor
- Turris OS support (thanks @Xeevis)
What's Fixed
- arm7 images
- windows connection issue
Known Issues
- unable to ping ext clients from windows
- if node is disconnected via cli and then reconnected via netmaker UI -- peers may take some time to be populated
EE
What's New
- Ext client metrics
What's Fixed
- failover deletion
Version 0.16.1
Important Note: Upgrading to 0.16.1 requires special upgrade instructions. See here: https://gist.github.com/abhishek9686/287563a848932f59768989f054025b37
You can also use the automated script here to update your server from 0.16.0 to 0.16.1: https://gist.github.com/abhishek9686/191eaf31c634b00bcc0e9da5dc8e8c5e
Community
What's New
- Dynamic Security Model for MQ: We moved from a certificate-based to a password-based model which is more reliable. In previous versions, users reported connectivity issues with MQ due to certificates. The new model should resolve these issues, however, it requires some changes to setup. See upgrade steps.
What's Fixed
- network jitter due to "local port" frequent updates
- Disabled ipv6 gateways on server to prevent issues with docker
- Fixed relayed egress gateways
- Fixed iptables for server which is both ingress and egress
- Peer check for disconnected nodes
Known Issues
- Userspace docker netclient doesn't work
- Zombie cleanup still disabled
- IsEE does not get updated when downgrading from EE to non-EE
New Contributors
@naofel1 made their first contribution! They fixed an issue with the netclient daemonset for Kubernetes.
EE
What's New
- Automatic Failover Nodes: New Feature which allows you to set nodes as "failover nodes." These nodes will automatically relay connections between any 2 machines where a p2p connection cannot be established (takes about 2 minutes before it takes effect).
- Metrics now send every minute
What's Fixed
Known Issues
Full Changelog: v0.16.0...v0.16.1
v0.16.0
Community
What's New
- View server logs via UI
- Default Node-level ACL; enables 2 use cases:
  1. Allows you to create a network where one or more nodes are unreachable by default
  2. Allows you to create a network where only X number of nodes are reachable / added to peers lists
- User Join: You can now join a network with username/password (rather than token) or SSO sign-in (if OAuth configured). Example:
netclient join -n mynet -s api.mynetmaker.com -u myuser [Basic Auth]
or
netclient join -n mynet -s api.mynetmaker.com [SSO]
What's Fixed
- Several issues with internet gateways resolved
Known Issues
- Server can get into a state where dynamic port is turned on, which will break the network
- Observed postup/postdown not getting set on the server in some edge cases
- If node fails to join via login:
- extra access key created, valid for one use
- a zombie node ID, not visible in UI
New Contributors
@Agraphie made their first contribution! They fixed a bug where PostUp was being set instead of PostDown, good catch!
EE
What's New
- EE is new. EE did not exist before this release.
- Metrics: Nodes collect metrics and display in the UI. Metrics include latency, transfer, and connectivity status. Note: Needs ICMP to work
- Prometheus Exporter + Grafana: Metrics can optionally be exported via a new Prometheus Exporter to a custom Grafana dashboard
- Users: Users can now be created with multiple "access levels:"
0: Network Admin - Works like current network admin
1: Node Access - User is allowed to create and view nodes (up to their limit)
2: Remote Access (ext clients) - User is allowed to create and view ext clients (up to their limit)
3: No Access - User cannot access the network
- When users log in, views will be filtered based on their access level
- Default access levels can be set per network, and adjusted per user
- Default Node/Ext Client limits can be set per network, and adjusted per user
- Groups: Groups can now be created and managed to grant network access
Full Changelog: v0.15.2...v0.16.0
v0.15.2
What's New
- Updated swagger docs to add more detail to operations.
- Improved IPv6 Internet Gateways.
- Network CIDRs are normalized on network and gateway creation.
What's Fixed
- Client connect/disconnect is now working.
- Fixed panic while running commands on machines without wg-quick.
- Fixed problem when local address resolves to IPv6 address.
Known Issues
- Docker userspace netclient is not available.
- Delay before nodes will reconnect after the creation of an Internet gateway.
Full Changelog: v0.15.1...v0.15.2
v0.15.1
Security Notice
A moderate-severity vulnerability was discovered in v0.15.0 (will be disclosed shortly). Please upgrade to v0.15.1 to resolve this issue.
What's New
- [experimental] Client Connect/Disconnect: The netclient can now be temporarily disconnected from a network. This works via the UI. Go to node details, edit, toggle the "Connected" flag, and save. There is also a command line option, "netclient connect" and "netclient disconnect." However, a bug prevents this change from persisting, and any network change (peer or node update) will reset connection status. This will be fixed in v0.15.2.
- IPv6 Internet Gateway: you can now set an IPv6 Internet Gateway using "::/0". Keep in mind, this will not work on the Netmaker server, because ipv6 networking is not enabled in the docker/docker-compose. This will work on other machines that act as egress.
- Swagger Docs: Check them out! Will be built out over time https://app.swaggerhub.com/apis-docs/Netmaker/netmaker/0.15.1
- Guidance on Locking down the Netmaker UI: How to make your dashboard inaccessible except from your PC - https://docs.netmaker.org/server-installation.html#security-settings
- External Client Custom Name: Via api call, you can now create an external client with a custom name. Example:
curl -d '{"clientid": "test3"}' -H 'Content-Type: application/json' https://api.netmaker-site.com/api/extclients/{networkname}/{ingressid}
What's Fixed
- restore from backup if config file corrupted
- netclient version will update in the UI when netclient is upgraded
- M1 Mac (brew) package now sets path correctly
Known Issues
- ipv6 gateways do not work on netmaker server
- connect/disconnect will get reset by server (if set via CLI)
New Contributors
@k4s0 made their first contribution! They added the custom ext client controller functionality.
Full Changelog: v0.15.0...v0.15.1
v0.15.0
What's New
- Experimental: Internet Gateway
- You can now set 0.0.0.0/0 on an egress gateway to create an "internet gateway" or standard VPN. This comes with a few caveats
- Will not currently work on Mac
- Does not route DNS requests (though this can be set on ext clients using the "default ext client dns" field on the network)
- Does not route ipv6
- Breaks routing for nodes on the same local network: if two or more
- Most of these issues will be fixed in 0.15.1
- NFTables Support: nftables now supported for egress
- Public IP Check Moved to Server: Clients now check their public IP against the server, which fixes a problem users were having from other countries where IP service websites were blocked.
- Specify IP Service: there is an additional field PUBLIC_IP_SERVICE for the netmaker server which will allow you to specify your own IP checking service for the server and nodes (e.g. PUBLIC_IP_SERVICE=https://ifconfig.me). On netclient this is the flag "-ip-service" (e.g. netclient join -t abc -ip-service https://ifconfig.me)
What's Fixed
- OAuth now works in HA
- OpenWRT script
- Server routing enhanced to match client side routing
- Wiping files on network leave should work better now
Known Issues
- Internet Gateway will break routing for nodes on the same local network
- zombie node functionality disabled: need to manually clean up duplicate nodes in UI
- netclient will flush filter and nat tables for nft on down
New Contributors
Full Changelog: v0.14.6...v0.15.0
Version 0.14.6
What's New
- new toggle to disable NAT for egress gateways
- netclient.exe and MSI are now signed (no longer comes from "Unknown Publisher")
- randomized letsencrypt email for quick installer
- gravitl logo removed from scripts/executables
What's Fixed
- ip6 ranges for systems without wg-quick
- vpn ranges
- lockfile for /etc/hosts -- prevents corruption of /etc/hosts if multiple instances of netclient are accidentally run
Known Issues
- Relayed Ingress gateways
- VPN ranges on iOS
- Client version in UI after upgrade may display old version
v0.14.5
What's New
- OIDC OAuth2 connector: able to connect to Dex, Auth0, Okta, etc.
- Tooltips in UI for network/node editable fields
- Able to connect to Remote MQ broker from server securely (optional to still use local connection)
- Official MacOS installer
- Removed ability to create networks with "." in the name
- Gravitl removed from startup logo
What's Fixed?
- Egress on server functions
- Reduced number of peer updates
- Timeouts on API connections from clients
- Better client message caching
- HA mode should function again
- K8s templates updated
Known Issues
- VPN egress can mess up server routing: If you put in 172.x.x.x as an egress range, as is recommended for creating an "internet" VPN here, the server will be unable to reach MQ over the local network, which breaks the server. For now, we are recommending users not to create "internet" VPNs using the 172 address range, or to remove those ranges from the list.
- MQ behind a load-balancer may cause timeouts
New Contributors
Full Changelog: v0.14.4...release_v0.14.5
Version 0.14.4
What's New
- netclient install command - installs the daemon if not present
- external client ip address displayed on graph details
- table sorting (UI)
What's Fixed?
- ipv6 on macos
- UI tables more mobile friendly
- Point to Site network fixes
Known Issues
- Cannot egress behind a relay server
- HA setup not working
New Contributors
- @calebgasser made their first contribution in #1241
Full Changelog: v0.14.3...v0.14.4
v0.14.3
Advisory
If you are running into connectivity issues after upgrade, run "netclient pull" on your clients. The recommended upgrade process is to first upgrade the server, and then the clients.
If you are experiencing issues on initial setup, check the MQ troubleshooting doc first; MQ is the most common source of problems in a first-time setup. Please reference this Gist before opening an issue: https://gist.github.com/mattkasun/face2a7c1f32031a2126ff7243caad12
What's new?
- Zombie Node Deletion: If a duplicate node is created (zombie), it will be added to a quarantine list. Nodes are listed as zombies if they are not "checking in", and have the same mac address as a functioning node. Zombies are deleted after 10 minutes.
- Sort nodes by address or name in UI
What's fixed?
- Relay logic: several issues with relay addresses were fixed.
- add traffic keys during node update to avoid info getting wiped
- external client cleanup of ingress gateway
Known Issues
- Windows Service: The old netclient Windows Service does not get uninstalled during upgrade. It also does not restart automatically on failure, which is absolutely necessary to function. If you're running an older Windows netclient, you must go to Windows Services, search for netclient, and change the settings so that it will "restart on failure"
- downtime during a relay peer update - takes about 30 seconds for an updated node to become reachable
- sometimes, p2p connection can only be established using a ping
- rarely, node update causes wireguard interface to disappear - workaround: run "netclient pull"
- you can update a node to a duplicate ip address (same as another node)
- sometimes, ping to peer freezes after upgrade - workaround: run "netclient pull"