Releases: DefGuard/proxy
v1.6.0
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and is published in Apple macOS Store officially.
🖥️ All desktop Clients now have a new MTU setting available.
🚦 Introducing Client Traffic Policy Selection. This lets administrators define whether VPN clients can choose their routing mode or are forced to use a specific traffic policy, such as routing all traffic through the VPN or only predefined traffic.
What's Changed
- Release 1.5 merger by @wojcik91 in #166
- Fixes pentest issue DG25-16 from 2025-09-02 by @j-chmielewski in #159
- Fixes pentest issue DG25-14 from 2025-09-02 by @moubctez in #167
- Fix enrollment phone number validation by @j-chmielewski in #168
- Web next wip by @filipslezaklab in #170
- Merge main into dev after 1.5.1 release by @j-chmielewski in #172
- Create SBOM files by @j-chmielewski in #173
- CI: scan code with trivy by @j-chmielewski in #174
- Handle not found error by @moubctez in #175
- Periodic sbom regeneration by @j-chmielewski in #176
- ui update by @filipslezaklab in #177
- Merge SBOM CI pipelines into main by @j-chmielewski in #178
- handle openid callback by @filipslezaklab in #179
- webnext update by @filipslezaklab in #181
- Health check rename by @jakub-tldr in #182
- add favicon by @filipslezaklab in #183
- use update service api for client links by @filipslezaklab in #184
- footer update by @filipslezaklab in #185
- Always add x-powered-by HTTP header by @moubctez in #186
- handle update service fallback by @filipslezaklab in #187
- e2e webnext update by @filipslezaklab in #188
- Reorder pages by @filipslezaklab in #189
- add icon warning by @filipslezaklab in #190
- fix info banner by @filipslezaklab in #192
- ui as module by @filipslezaklab in #193
- add debian security repo for main packages by @filipslezaklab in #194
- webnext to web by @filipslezaklab in #195
- Main to dev by @filipslezaklab in #196
- UI 2.0 by @filipslezaklab in #197
- add missing openid routes by @filipslezaklab in #201
- Release/1.6 alpha by @wojcik91 in #202
- APT uploading/signing workflow by @jakub-tldr in #200
- List apt directory by @jakub-tldr in #203
- List whole directory by @jakub-tldr in #206
- Service locations (Pre-logon, Always-on) by @t-aleksander in #207
- Merge main into dev before 1.6 release by @j-chmielewski in #208
- Basic client version reporting by @t-aleksander in #209
- Remove AMI building by @t-aleksander in #211
- Implement "force all traffic" enterprise setting by @j-chmielewski in #212
New Contributors
- @jakub-tldr made their first contribution in #182
Full Changelog: v1.5.1...v1.6.0
Contributors
Assets 11
v1.6.0-rc1
t-aleksander
Aleksander
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a release candidate which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- Remove AMI building by @t-aleksander in #211
- Implement "force all traffic" enterprise setting by @j-chmielewski in #212
Full Changelog: v1.6.0-alpha5...v1.6.0-rc1
Contributors
Assets 7
v1.6.0-alpha6
⚠️ This is a pre-release that requires Defguard Core min. v1.5.2 - please help us test and stabilize the release 🫡
This release upgrades the Enrollment Process with a completely new UI and UX, featuring a major redesign, the ability to download clients directly from the process, and several other improvements:
Additionally, we have deprecated the Enrollment Wizard (used for setting up passwords and adding a WireGuard® device) in the Proxy. The Enrollment Wizard is now only available on the Desktop Client, with plans to bring it to Mobile apps in the future.
Detailed changes
- Release 1.5 merger by @wojcik91 in #166
- Fixes pentest issue DG25-16 from 2025-09-02 by @j-chmielewski in #159
- Fixes pentest issue DG25-14 from 2025-09-02 by @moubctez in #167
- Fix enrollment phone number validation by @j-chmielewski in #168
- Web next wip by @filipslezaklab in #170
- Merge main into dev after 1.5.1 release by @j-chmielewski in #172
- Create SBOM files by @j-chmielewski in #173
- CI: scan code with trivy by @j-chmielewski in #174
- Handle not found error by @moubctez in #175
- Periodic sbom regeneration by @j-chmielewski in #176
- ui update by @filipslezaklab in #177
- Merge SBOM CI pipelines into main by @j-chmielewski in #178
- handle openid callback by @filipslezaklab in #179
- webnext update by @filipslezaklab in #181
- Health check rename by @jakub-tldr in #182
- add favicon by @filipslezaklab in #183
- use update service api for client links by @filipslezaklab in #184
- footer update by @filipslezaklab in #185
- Always add x-powered-by HTTP header by @moubctez in #186
- handle update service fallback by @filipslezaklab in #187
- e2e webnext update by @filipslezaklab in #188
- Reorder pages by @filipslezaklab in #189
- add icon warning by @filipslezaklab in #190
- fix info banner by @filipslezaklab in #192
- ui as module by @filipslezaklab in #193
- add debian security repo for main packages by @filipslezaklab in #194
- webnext to web by @filipslezaklab in #195
- Main to dev by @filipslezaklab in #196
- UI 2.0 by @filipslezaklab in #197
- add missing openid routes by @filipslezaklab in #201
- Release/1.6 alpha by @wojcik91 in #202
- APT uploading/signing workflow by @jakub-tldr in #200
- List apt directory by @jakub-tldr in #203
- List whole directory by @jakub-tldr in #206
- Service locations (Pre-logon, Always-on) by @t-aleksander in #207
- Merge main into dev before 1.6 release by @j-chmielewski in #208
- Basic client version reporting by @t-aleksander in #209
- Remove AMI building by @t-aleksander in #211
- Implement "force all traffic" enterprise setting by @j-chmielewski in #212
Full Changelog: v1.5.1...v1.6.0-alpha6
Contributors
Assets 7
v1.6.0-alpha5
wojcik91
Maciek
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- APT uploading/signing workflow by @jakub-tldr in #200
- List apt directory by @jakub-tldr in #203
- List whole directory by @jakub-tldr in #206
- Service locations (Pre-logon, Always-on) by @t-aleksander in #207
- Merge main into dev before 1.6 release by @j-chmielewski in #208
- Basic client version reporting by @t-aleksander in #209
Full Changelog: v1.6.0-alpha2...v1.6.0-alpha5
Contributors
Assets 7
v1.6.0-alpha2
wojcik91
Maciek
⚠️ This is a pre-release that requires Defguard Core min. v1.5.2 - please help us test and stabilize the release 🫡
This release upgrades the Enrollment Process with a completely new UI and UX, featuring a major redesign, the ability to download clients directly from the process, and several other improvements:
Additionally, we have deprecated the Enrollment Wizard (used for setting up passwords and adding a WireGuard® device) in the Proxy. The Enrollment Wizard is now only available on the Desktop Client, with plans to bring it to Mobile apps in the future.
Detailed changes
- Release 1.5 merger by @wojcik91 in #166
- Fixes pentest issue DG25-16 from 2025-09-02 by @j-chmielewski in #159
- Fixes pentest issue DG25-14 from 2025-09-02 by @moubctez in #167
- Fix enrollment phone number validation by @j-chmielewski in #168
- Web next wip by @filipslezaklab in #170
- Merge main into dev after 1.5.1 release by @j-chmielewski in #172
- Create SBOM files by @j-chmielewski in #173
- CI: scan code with trivy by @j-chmielewski in #174
- Handle not found error by @moubctez in #175
- Periodic sbom regeneration by @j-chmielewski in #176
- ui update by @filipslezaklab in #177
- Merge SBOM CI pipelines into main by @j-chmielewski in #178
- handle openid callback by @filipslezaklab in #179
- webnext update by @filipslezaklab in #181
- Health check rename by @jakub-tldr in #182
- add favicon by @filipslezaklab in #183
- use update service api for client links by @filipslezaklab in #184
- footer update by @filipslezaklab in #185
- Always add x-powered-by HTTP header by @moubctez in #186
- handle update service fallback by @filipslezaklab in #187
- e2e webnext update by @filipslezaklab in #188
- Reorder pages by @filipslezaklab in #189
- add icon warning by @filipslezaklab in #190
- fix info banner by @filipslezaklab in #192
- ui as module by @filipslezaklab in #193
- add debian security repo for main packages by @filipslezaklab in #194
- webnext to web by @filipslezaklab in #195
- Main to dev by @filipslezaklab in #196
- UI 2.0 by @filipslezaklab in #197
- add missing openid routes by @filipslezaklab in #201
- Release/1.6 alpha by @wojcik91 in #202
New Contributors
- @jakub-tldr made their first contribution in #182
Full Changelog: v1.5.1...v1.6.0-alpha2
Contributors
Assets 7
v1.5.1
This patch for version 1.5 includes fixes for vulnerabilities identified during our latest penetration test. As a fully transparent organisation, Defguard publishes a Pentesting Security Report page where you can track the status of our vulnerability fixes.
This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
Migration guide
Before updating please make sure to read the migration guide
What's Changed
- Handle admin device management flag by @wojcik91 in #116
- Use configured external OIDC Provider for 2FA in client by @t-aleksander in #119
- Allow binding to a specific address by @t-aleksander in #120
- Merge main -> dev post 1.4 release by @wojcik91 in #123
- add support for per location MFA settings by @wojcik91 in #124
- fix: openid mfa callback page rwd by @filipslezaklab in #126
- UI update by @filipslezaklab in #127
- Fix font files by @filipslezaklab in #129
- update routes on backend by @filipslezaklab in #132
- Add AMI building to the release pipeline by @t-aleksander in #130
- mobile mfa poc by @filipslezaklab in #134
- verify biometry register request data by @filipslezaklab in #135
- Add eu central region by @t-aleksander in #136
- sign Docker images using Cosign by @wojcik91 in #137
- Tonic 14 by @moubctez in #140
- Desktop MFA mobile approve by @filipslezaklab in #138
- Version exchange and logging by @j-chmielewski in #133
- Scan images with Trivy by @moubctez in #142
- add code based mfa setup by @filipslezaklab in #141
- Version check by @j-chmielewski in #143
- handle new enrollment configuration by @filipslezaklab in #145
- Fix version comparison by @j-chmielewski in #146
- Switch AMI base image to debian by @t-aleksander in #144
- Update dependencies by @moubctez in #147
- Update tracing_subscriber by @moubctez in #149
- add deep link to openid enroll by @filipslezaklab in #150
- Return defguard version (proxy, core) in http headers by @t-aleksander in #151
- Fix ami building by @t-aleksander in #152
- Better WebSocket handling and build with newer defguard_version by @moubctez in #154
- update messages in openid callback setup page by @filipslezaklab in #155
- Update defguard-version version by @t-aleksander in #156
- Ignore pre-release in version comparison by @j-chmielewski in #160
- update mobile app apple store link by @filipslezaklab in #161
- Return whether core is connected by @t-aleksander in #163
- chore(CI): update node version in release workflow by @wojcik91 in #165
- Fixes pentest issue DG25-16 from 2025-09-02 by @j-chmielewski in #159
- Fixes pentest issue DG25-14 from 2025-09-02 by @moubctez in #167
- Fix enrollment phone number validation by @j-chmielewski in #168
Full Changelog: v1.5.0...v1.5.1
Contributors
Assets 11
v1.5.0
This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
Migration guide
Before updating please make sure to read the migration guide
What's Changed
Other Changes
- Handle admin device management flag by @wojcik91 in #116
- Use configured external OIDC Provider for 2FA in client by @t-aleksander in #119
- Allow binding to a specific address by @t-aleksander in #120
- Merge main -> dev post 1.4 release by @wojcik91 in #123
- add support for per location MFA settings by @wojcik91 in #124
- fix: openid mfa callback page rwd by @filipslezaklab in #126
- UI update by @filipslezaklab in #127
- Fix font files by @filipslezaklab in #129
- update routes on backend by @filipslezaklab in #132
- Add AMI building to the release pipeline by @t-aleksander in #130
- mobile mfa poc by @filipslezaklab in #134
- verify biometry register request data by @filipslezaklab in #135
- Add eu central region by @t-aleksander in #136
- sign Docker images using Cosign by @wojcik91 in #137
- Tonic 14 by @moubctez in #140
- Desktop MFA mobile approve by @filipslezaklab in #138
- Version exchange and logging by @j-chmielewski in #133
- Scan images with Trivy by @moubctez in #142
- add code based mfa setup by @filipslezaklab in #141
- Version check by @j-chmielewski in #143
- handle new enrollment configuration by @filipslezaklab in #145
- Fix version comparison by @j-chmielewski in #146
- Switch AMI base image to debian by @t-aleksander in #144
- Update dependencies by @moubctez in #147
- Update tracing_subscriber by @moubctez in #149
- add deep link to openid enroll by @filipslezaklab in #150
- Return defguard version (proxy, core) in http headers by @t-aleksander in #151
- Fix ami building by @t-aleksander in #152
- Better WebSocket handling and build with newer defguard_version by @moubctez in #154
- update messages in openid callback setup page by @filipslezaklab in #155
- Update defguard-version version by @t-aleksander in #156
- Ignore pre-release in version comparison by @j-chmielewski in #160
- update mobile app apple store link by @filipslezaklab in #161
- Return whether core is connected by @t-aleksander in #163
- chore(CI): update node version in release workflow by @wojcik91 in #165
Full Changelog: v1.4.0...v1.5.0
Contributors
Assets 7
v1.5.0-rc3
t-aleksander
Aleksander
⚠️ This is a pre-release that requires Defguard Core v1.5.0-rc2 - please help us test and stabilize the release 🫡
What's Changed
Other Changes
- Return whether core is connected by @t-aleksander in #163
Full Changelog: v1.5.0-rc2...v1.5.0-rc3
Contributors
Assets 7
v1.5.0-rc2
What's Changed
- Handle admin device management flag by @wojcik91 in #116
- Use configured external OIDC Provider for 2FA in client by @t-aleksander in #119
- Allow binding to a specific address by @t-aleksander in #120
- Merge main -> dev post 1.4 release by @wojcik91 in #123
- add support for per location MFA settings by @wojcik91 in #124
- fix: openid mfa callback page rwd by @filipslezaklab in #126
- UI update by @filipslezaklab in #127
- Fix font files by @filipslezaklab in #129
- update routes on backend by @filipslezaklab in #132
- Add AMI building to the release pipeline by @t-aleksander in #130
- mobile mfa poc by @filipslezaklab in #134
- verify biometry register request data by @filipslezaklab in #135
- Add eu central region by @t-aleksander in #136
- sign Docker images using Cosign by @wojcik91 in #137
- Tonic 14 by @moubctez in #140
- Desktop MFA mobile approve by @filipslezaklab in #138
- Version exchange and logging by @j-chmielewski in #133
- Scan images with Trivy by @moubctez in #142
- add code based mfa setup by @filipslezaklab in #141
- Version check by @j-chmielewski in #143
- handle new enrollment configuration by @filipslezaklab in #145
- Fix version comparison by @j-chmielewski in #146
- Switch AMI base image to debian by @t-aleksander in #144
- Update dependencies by @moubctez in #147
- Update tracing_subscriber by @moubctez in #149
- add deep link to openid enroll by @filipslezaklab in #150
- Return defguard version (proxy, core) in http headers by @t-aleksander in #151
- Fix ami building by @t-aleksander in #152
- Better WebSocket handling and build with newer defguard_version by @moubctez in #154
- update messages in openid callback setup page by @filipslezaklab in #155
- Update defguard-version version by @t-aleksander in #156
- Ignore pre-release in version comparison by @j-chmielewski in #160
Full Changelog: v1.4.0...v1.5.0-rc2
Contributors
Assets 7
v1.5.0-rc1
wojcik91
Maciek
What's Changed
Other Changes
- Handle admin device management flag by @wojcik91 in #116
- Use configured external OIDC Provider for 2FA in client by @t-aleksander in #119
- Allow binding to a specific address by @t-aleksander in #120
- Merge main -> dev post 1.4 release by @wojcik91 in #123
- add support for per location MFA settings by @wojcik91 in #124
- fix: openid mfa callback page rwd by @filipslezaklab in #126
- UI update by @filipslezaklab in #127
- Fix font files by @filipslezaklab in #129
- update routes on backend by @filipslezaklab in #132
- Add AMI building to the release pipeline by @t-aleksander in #130
- mobile mfa poc by @filipslezaklab in #134
- verify biometry register request data by @filipslezaklab in #135
- Add eu central region by @t-aleksander in #136
- sign Docker images using Cosign by @wojcik91 in #137
- Tonic 14 by @moubctez in #140
- Desktop MFA mobile approve by @filipslezaklab in #138
- Version exchange and logging by @j-chmielewski in #133
- Scan images with Trivy by @moubctez in #142
- add code based mfa setup by @filipslezaklab in #141
- Version check by @j-chmielewski in #143
- handle new enrollment configuration by @filipslezaklab in #145
- Fix version comparison by @j-chmielewski in #146
- Switch AMI base image to debian by @t-aleksander in #144
- Update dependencies by @moubctez in #147
- Update tracing_subscriber by @moubctez in #149
- add deep link to openid enroll by @filipslezaklab in #150
- Return defguard version (proxy, core) in http headers by @t-aleksander in #151
- Fix ami building by @t-aleksander in #152
- Better WebSocket handling and build with newer defguard_version by @moubctez in #154
- update messages in openid callback setup page by @filipslezaklab in #155
- Update defguard-version version by @t-aleksander in #156
Full Changelog: v1.4.0...v1.5.0-rc1