
MasselGUARD 3.6.0 - Dangerous Donkey


@masselink masselink released this 10 Jun 18:44
24857cb

v3.6.0 — Dangerous Donkey

Settings reorganized — 7 tabs

The settings window has been restructured around clear domains: General → Tunnels → WiFi → Appearance → History → Advanced → About.

| Tab | Now contains |
|---|---|
| General | Language, app mode, Start with Windows, confirm disconnect on exit |
| Tunnels (was Tunnel Groups) | Group management, auto-reconnect mode, kill switch mode, config validation, display options (tunnel count, empty groups, DNS indicator) |
| WiFi (merges WiFi Rules + Default Action) | SSID rules, disable-rules toggle, default action, open network protection, rules display options |
| Appearance | Theme, font, notifications, show activity log |
| Advanced | Maintenance only: import/export, log level, installation, WireGuard client, orphaned services |

The WiFi tab reads top-to-bottom in the same order the app evaluates a network change: rules first, then the default action when no rule matches, plus open network protection.


Companion tunnels — WireGuard app awareness

Tunnels connected or disconnected outside MasselGUARD (WireGuard for Windows app, CLI) are now fully tracked:

  • Activity log — external transitions are logged: Connected: <name> via WireGuard app / Disconnected: <name> via WireGuard app.
  • History & timeline — externally started sessions appear in the connection history and activity timeline (source: WireGuard app); externally dropped sessions are closed properly instead of staying open forever.
  • Deactivating a tunnel in the WireGuard app is recognised as deliberate — MasselGUARD logs it and skips auto-reconnect instead of fighting the WireGuard app over the tunnel. A genuine service crash still reconnects.

Unified dual-variant theme system

The theme architecture has been completely redesigned. Instead of maintaining separate dark and light theme files, every theme is now a single file that contains both colour variants.

New theme format

{
  "name": "My Theme",
  "fontFamily": "Segoe UI",
  "cornerRadius": 6,
  "dark": {
    "colorWindowBg": "#0E1117",
    "colorAccent":   "#58A6FF"
  },
  "light": {
    "colorWindowBg": "#F6F8FA",
    "colorAccent":   "#0969DA"
  }
}

  • Root level holds structural settings only — font, corner radius, window chrome, status bar, background image, logo.
  • "dark" and "light" sections hold the colour fields for each mode.
  • Either section can be omitted. The app auto-generates the missing side at load time using HSL lightness inversion — nothing is written to disk.
  • Any colour field omitted from a section falls back to the Windows system palette for that slot.

What this means for users

  • Theme selection is now a single picker — choose one theme, the app applies the dark or light colours based on Settings → Appearance → System mode (Light / Dark / Auto).
  • Custom themes survive a mode switch automatically.
  • Built-in themes: Grey and High Contrast — plus System (Windows colors), which uses the Windows accent palette and is the default.
  • Custom themes can also live in %APPDATA%\MasselGUARD\themes\ so they survive app updates.

Colour auto-generation

When only one variant is defined, the other is derived at load time:

  • Neutral colours (saturation < 15 %): straight invert, L → 1 − L in HSL
  • Chromatic colours (accents, status, danger): invert L, then clamp to 0.30 – 0.75
  • Background fields: invert L, then clamp to 0.06 – 0.94

Settings — Appearance tab redesigned

  • Single theme picker replaces the separate dark/light ComboBoxes and the "Use custom theme" toggle.
  • System mode pill (Light / Dark / Auto) stays, now controls which colour variant of the selected theme is shown.
  • System (Windows colors) is included in the picker as a first-class option — no separate toggle needed.
  • ▶ Dark / ▶ Light preview buttons — try either colour variant of the selected theme for 10 seconds before saving.

Tunnel connect — reliability improvements

Pre-flight config validation

Config files are now validated before the WireGuard service is created. Catches common mistakes that would cause a silent exit:

| Field | Check |
|---|---|
| PrivateKey / PublicKey / PresharedKey | 44-character base64 (32-byte key) |
| Address / AllowedIPs | Valid CIDRs; IPv6 group count with fix suggestion |
| DNS | Valid IP addresses |
| MTU | 576 – 9000 |
| ListenPort / PersistentKeepalive | 1 – 65535 |
| Endpoint | host:port format |
| Required fields | PrivateKey, Address, PublicKey, Endpoint |

Example fix suggestion: fd00:dead:beef:4/64 → "4 of 8 groups. Did you mean: fd00:dead:beef::4/64?"
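The checks in the table above can be sketched as follows. This is an added example in Python, not MasselGUARD's own code (the app is a .NET program); the function names, the error wording other than the quoted IPv6 hint, and the sample config with its all-zero placeholder key are assumptions constructed for illustration.

```python
import base64, ipaddress, re
REQUIRED = {"Interface": ("PrivateKey", "Address"), "Peer": ("PublicKey", "Endpoint")}
RANGES = {"MTU": (576, 9000), "ListenPort": (1, 65535), "PersistentKeepalive": (1, 65535)}
ENDPOINT = re.compile(r"^(\[[0-9A-Fa-f:]+\]|[^\s:\[\]]+):(\d{1,5})$")  # host:port or [v6]:port

def cidr_problem(value):  # returns None when valid, otherwise a hint for the user
    try:
        ipaddress.ip_interface(value)  # allows host bits, as an Address line needs
    except ValueError:
        addr, _, prefix = value.partition("/")
        groups = addr.split(":")
        if ":" not in addr or "::" in addr or len(groups) >= 8:  # not the short-IPv6 case
            return "not a valid CIDR"
        fixed = ":".join(groups[:-1]) + "::" + groups[-1] + ("/" + prefix if prefix else "")
        return f"{len(groups)} of 8 groups. Did you mean: {fixed}?"

def field_problem(name, value):  # per-field checks from the table; None means passed
    try:
        if name in ("PrivateKey", "PublicKey", "PresharedKey"):
            if len(value) != 44 or len(base64.b64decode(value, validate=True)) != 32:
                return "expected 44-character base64 (32-byte key)"
        elif name in ("Address", "AllowedIPs"):
            return next(filter(None, map(cidr_problem, re.split(r"\s*,\s*", value))), None)
        elif name == "DNS":
            list(map(ipaddress.ip_address, re.split(r"\s*,\s*", value)))
        elif name in RANGES and not RANGES[name][0] <= int(value) <= RANGES[name][1]:
            return "must be %d to %d" % RANGES[name]
        elif name == "Endpoint":
            if not (m := ENDPOINT.match(value)) or not 1 <= int(m.group(2)) <= 65535:
                return "expected host:port"
    except ValueError:  # bad base64, bad IP address, or non-numeric integer
        return "malformed value"

def validate(conf_text):  # list of "Field: problem" strings; empty means the config passed
    errors, section, seen = [], None, set()
    for line in (raw.split("#", 1)[0].strip() for raw in conf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif "=" in line:
            name, _, value = (p.strip() for p in line.partition("="))
            seen.add((section, name))
            if problem := field_problem(name, value):
                errors.append(f"{name}: {problem}")
    return errors + [f"{f}: required field missing" for s, fs in REQUIRED.items()
                     for f in fs if (s, f) not in seen]

KEY = base64.b64encode(bytes(32)).decode()  # constructed all-zero placeholder, not a real key
SAMPLE = (f"[Interface]\nPrivateKey = {KEY}\nAddress = fd00:dead:beef:4/64\nMTU = 9500\n"
          f"[Peer]\nPublicKey = {KEY[:-2]}\nAllowedIPs = 0.0.0.0/0\n")  # constructed input
```

Calling `validate(SAMPLE)` reports the short IPv6 address, the out-of-range MTU, the truncated public key and the missing Endpoint in one pass, before any service would be created.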

Skip-validation options

  • Per-tunnel — "⚠ Skip config validation" toggle in the tunnel Edit and Add dialogs.
  • Global override — Settings → Tunnels → Config validation section.

False-positive connect detection fixed

Previously, a failed tunnel start and a successful one both left the service in Stopped state, making them indistinguishable. After detecting Stopped, the app now waits 300 ms and probes the WireGuard management pipe (\\.\pipe\WireGuard\<name>) and the network adapter. If neither is found the failure is logged clearly with a pointer to the Windows Event Log.

Orphaned service cleanup

When a tunnel fails to start, the WireGuardTunnel$<name> SCM entry is now always cleaned up before throwing, preventing orphaned service entries.

Config source priority fixed

stored.Path (the .conf.dpapi file) is now checked before the legacy inline stored.Config blob. Prevents a stale inline blob from being used when a valid file exists alongside it. Priority order:

  1. stored.Path → .conf.dpapi file (DPAPI decrypt)
  2. stored.Path → plain .conf file
  3. stored.Config → legacy inline DPAPI blob
  4. stored.Config → raw plaintext (very old builds)

BOM handling

  • Temp conf files are written without BOM (UTF-8 NoBOM).
  • StripBom() helper is applied to all decrypted content before writing.
  • Prevents tunnel.dll (Go) from failing to parse a config that starts with a UTF-8 BOM byte sequence.

Diagnostic conf log

After writing the temp conf, a debug line is logged:

[DBG] Conf written: 456 bytes, BOM=False, first line=[Interface]

Auto-reconnect

  • Tunnels that drop unexpectedly (sleep/wake, network blip, service crash) are automatically reconnected.
  • 3 retry attempts with increasing backoff: 5 s, 10 s, 15 s. Gives up cleanly after the third failure.
  • Only fires on unexpected drops — intentional disconnects (user click, WiFi rule, CLI) and clean deactivations via the WireGuard app are never retried.
  • Global mode in Settings → Tunnels:
    • Off — disabled globally.
    • Per tunnel — each tunnel has its own toggle in the Edit dialog.
    • Always — every tunnel reconnects regardless of the per-tunnel toggle (default).
  • When mode is Off, the per-tunnel toggle is hidden in the Edit dialog.
  • When mode is Always, the toggle shows as disabled with (controlled globally).
  • Activity log entries: dropped → reconnecting (attempt N/3) → reconnected ✓ or giving up.
  • Each attempt waits for the connect to actually finish before reporting success or failure.
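The reconnect rules above, modelled as an added example in Python (not MasselGUARD's own code). The drop-reason labels, the function names and the choice to wait the backoff delay before each attempt are assumptions; `connect` stands in for a call that blocks until the tunnel start has actually finished.

```python
import enum

class Mode(enum.Enum):
    OFF = "Off"
    PER_TUNNEL = "Per tunnel"
    ALWAYS = "Always"

BACKOFF_SECONDS = (5, 10, 15)  # three attempts, increasing backoff
# Deliberate disconnects that are never retried (labels are hypothetical).
INTENTIONAL = {"user", "wifi_rule", "cli", "wireguard_app_deactivate"}

def should_reconnect(mode, per_tunnel_enabled, reason):
    """Only unexpected drops qualify, and the global mode wins over the tunnel toggle."""
    if reason in INTENTIONAL or mode is Mode.OFF:
        return False
    return mode is Mode.ALWAYS or per_tunnel_enabled

def reconnect(name, connect, sleep, log):
    """connect(name) must block until the attempt finished and return True or False."""
    log(f"{name}: dropped")
    total = len(BACKOFF_SECONDS)
    for attempt, delay in enumerate(BACKOFF_SECONDS, start=1):
        sleep(delay)
        log(f"{name}: reconnecting (attempt {attempt}/{total})")
        if connect(name):
            log(f"{name}: reconnected ✓")
            return True
    log(f"{name}: giving up")
    return False

def handle_drop(name, mode, per_tunnel_enabled, reason, connect, sleep, log):
    if not should_reconnect(mode, per_tunnel_enabled, reason):
        log(f"{name}: {reason} disconnect, auto-reconnect skipped")
        return False
    return reconnect(name, connect, sleep, log)

def simulate(outcomes, mode=Mode.ALWAYS, per_tunnel=False, reason="service_crash"):
    """Constructed harness: outcomes lists what successive connect calls return."""
    results, slept, lines = iter(outcomes), [], []
    ok = handle_drop("office", mode, per_tunnel, reason,
                     lambda _name: next(results), slept.append, lines.append)
    return ok, slept, lines
```

`simulate([False, False, True])` shows a drop that recovers on the third attempt, while `simulate([True], reason="wireguard_app_deactivate")` never calls `connect` at all.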

Setup wizard expanded

The wizard now covers the most important behaviour settings, so a fresh install is fully configured in one pass:

  • Auto-reconnect mode (Off / Per tunnel / Always)
  • DNS leak indicator and tray notifications
  • Start with Windows and confirm disconnect on exit
  • History capture (connections / WiFi)
  • The WiFi step explains how rules work — WiFi rules, default action, and open network protection, with a typical-use example — since rules themselves are created after the wizard, once tunnels exist
  • A summary page at the end shows every chosen setting before finishing.

Language picker — country flags

The language selector (Settings → General and the wizard) now shows a country flag next to each language name. Flags are 20×15 PNG files in lang\flags\, referenced by a _flag key in each language file — include one when adding your own language.


What's New — rendered Markdown

The What's New panel on the About tab now renders the release notes as formatted Markdown (headings, tables, bold) instead of plain text. Notes are fetched live from GitHub; when offline, a fallback panel links to the project pages.


Updated dependencies

  • tunnel.dll rebuilt from wireguard-windows source (v1.1).
  • wireguard.dll updated to wireguard-NT v1.1.
  • DLL validation at connect time checks file size to distinguish wireguard-NT from the WireGuard-for-Windows stub.
  • install-dotnet.bat helper included — checks for the .NET 10 Desktop Runtime and offers to install it when missing.

Directory ACL hardening

  • %APPDATA%\MasselGUARD\ is now restricted to the current user only on first write.
  • Removes the default Administrators read-access inherited from %APPDATA%.
  • Applies retroactively to existing installations on the first Settings save after updating.
  • Inheritable — tunnels\ subfolder and all history/config files inside are covered automatically.