Release v1.10.0

See the v1.10.0 milestone for a complete list of changes.

NOTE: If you use unsafe_routes, please read the note in the Changed section about default_local_cidr_any. You may need to update your firewall rules in order to maintain connectivity.

Added

• Support for ipv6 and multiple ipv4/6 addresses in the overlay.
  A new v2 ASN.1 based certificate format.
  Certificates now have a unified interface for external implementations.
  (#1212, #1216, #1345, #1359, #1381, #1419, #1464, #1466, #1451, #1476, #1467, #1481, #1399, #1488, #1492, #1495, #1468, #1521, #1535, #1538)
• Add the ability to mark packets on linux to better target nebula packets in iptables/nftables. (#1331)
• Add ECMP support for unsafe_routes. (#1332)
• PKCS11 support for P256 keys when built with pkcs11 tag (#1153, #1482)

Changed

• NOTE: default_local_cidr_any now defaults to false, meaning that any firewall rule
  intended to target an unsafe_routes entry must explicitly declare it via the
  local_cidr field. This is almost always the intended behavior. This flag is
  deprecated and will be removed in a future release. (#1373)
• Improve logging when a relay is in use on an inbound packet. (#1533)
• Avoid fatal errors if rountines is > 1 on systems that don't support more than 1 routine. (#1531)
• Log a warning if a firewall rule contains an any that negates a more restrictive filter. (#1513)
• Accept encrypted CA passphrase from an environment variable. (#1421)
• Allow handshaking with any trusted remote. (#1509)
• Log only the count of blocklisted certificate fingerprints instead of the entire list. (#1525)
• Don't fatal when the ssh server is unable to be configured successfully. (#1520)
• Update to build against go v1.25. (#1483)
• Allow projects using nebula as a library with userspace networking to configure the logger and build version. (#1239)
• Upgrade to yaml.v3. (#1148, #1371, #1438, #1478)

Fixed

• Fix a potential bug with udp ipv4 only on darwin. (#1532)
• Improve lost packet statistics. (#1441, #1537)
• Honor remote_allow_list in hole punch response. (#1186)
• Fix a panic when tun.use_system_route_table is true and a route lacks a destination. (#1437)
• Fix an issue when tun.use_system_route_table: true could result in heavy CPU utilization when many thousands of routes
  are present. (#1326)
• Fix tests for 32 bit machines. (#1394)
• Fix a possible 32bit integer underflow in config handling. (#1353)
• Fix moving a udp address from one vpn address to another in the static_host_map
  which could cause rapid re-handshaking with an incorrect remote. (#1259)
• Improve smoke tests in environments where the docker network is not the default. (#1347)

Release v1.9.7

Security

• Fix an issue where Nebula could incorrectly accept and process a packet from an erroneous source IP when the sender's
  certificate is configured with unsafe_routes (cert v1/v2) or multiple IPs (cert v2). (#1494)

Changed

• Disable sending recv_error messages when a packet is received outside the allowable counter window. (#1459)
• Improve error messages and remove some unnecessary fatal conditions in the Windows and generic udp listener. (#1453)

Release v1.9.6

Added

• Support dropping inactive tunnels. This is disabled by default in this release but can be enabled with tunnels.drop_inactive. See example config for more details. (#1413)

Fixed

• Fix Darwin freeze due to presence of some Network Extensions (#1426)
• Ensure the same relay tunnel is always used when multiple relay tunnels are present (#1422)
• Fix Windows freeze due to ICMP error handling (#1412)
• Fix relay migration panic (#1403)

Release v1.9.5

Added

• Gracefully ignore v2 certificates. (#1282)

Fixed

• Fix relays that refuse to re-establish after one of the remote tunnel pairs breaks. (#1277)

Release v1.9.4

Added

• Support UDP dialing with gVisor. (#1181)

Changed

• Make some Nebula state programmatically available via control object. (#1188)
• Switch internal representation of IPs to netip, to prepare for IPv6 support
  in the overlay. (#1173)
• Minor build and cleanup changes. (#1171, #1164, #1162)
• Various dependency updates. (#1195, #1190, #1174, #1168, #1167, #1161, #1147, #1146)

Fixed

• Fix a bug on big endian hosts, like mips. (#1194)
• Fix a rare panic if a local index collision happens. (#1191)
• Fix integer wraparound in the calculation of handshake timeouts on 32-bit targets. (#1185)

Release v1.9.3

Fixed

• Initialize messageCounter to 2 instead of verifying later. (#1156)

Release v1.9.2

Fixed

• Ensure messageCounter is set before handshake is complete. (#1154)

Release v1.9.1

Fixed

• Fixed a potential deadlock in GetOrHandshake. (#1151)

Release v1.9.0

Deprecated

• This release adds a new setting default_local_cidr_any that defaults to
  true to match previous behavior, but will default to false in the next
  release (1.10). When set to false, local_cidr is matched correctly for
  firewall rules on hosts acting as unsafe routers, and should be set for any
  firewall rules you want to allow unsafe route hosts to access. See the issue
  and example config for more details. (#1071, #1099)

Added

• Nebula now has an official Docker image nebulaoss/nebula that is
  distroless and contains just the nebula and nebula-cert binaries. You
  can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037)

• Experimental binaries for loong64 are now provided. (#1003)

• Added example service script for OpenRC. (#711)

• The SSH daemon now supports inlined host keys. (#1054)

• The SSH daemon now supports certificates with sshd.trusted_cas. (#1098)

Changed

• Config setting tun.unsafe_routes is now reloadable. (#1083)

• Small documentation and internal improvements. (#1065, #1067, #1069, #1108,
  #1109, #1111, #1135)

• Various dependency updates. (#1139, #1138, #1134, #1133, #1126, #1123, #1110,
  #1094, #1092, #1087, #1086, #1085, #1072, #1063, #1059, #1055, #1053, #1047,
  #1046, #1034, #1022)

Removed

• Support for the deprecated local_range option has been removed. Please
  change to preferred_ranges (which is also now reloadable). (#1043)

• We are now building with go1.22, which means that for Windows you need at
  least Windows 10 or Windows Server 2016. This is because support for earlier
  versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981)

• Removed vagrant example, as it was unmaintained. (#1129)

• Removed Fedora and Arch nebula.service files, as they are maintained in the
  upstream repos. (#1128, #1132)

• Remove the TCP round trip tracking metrics, as they never had correct data
  and were an experiment to begin with. (#1114)

Fixed

• Fixed a potential deadlock introduced in 1.8.1. (#1112)

• Fixed support for Linux when IPv6 has been disabled at the OS level. (#787)

• DNS will return NXDOMAIN now when there are no results. (#845)

• Allow :: in lighthouse.dns.host. (#1115)

• Capitalization of NotAfter fixed in DNS TXT response. (#1127)

• Don't log invalid certificates. It is untrusted data and can cause a large
  volume of logs. (#1116)

Release v1.8.2

Fixed

• Fix multiple routines when listen.port is zero. This was a regression introduced in v1.6.0. (#1057)

Changed

• Small dependency update for Noise. (#1038)