Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

Add logging.timestamp_format config option. The primary purpose of this change is to allow logging timestamps with millisecond precision. (#187)
Support unsafe_routes on Windows. (#184)
Add lighthouse.remote_allow_list to filter which subnets we will use to handshake with other hosts. See the example config for more details. (#217)
Add lighthouse.local_allow_list to filter which local IP addresses and/or interfaces we advertise to the lighthouses. See the example config for more details. (#217)
Wireshark dissector plugin. Add this file in dist/wireshark to your Wireshark plugins folder to see Nebula packet headers decoded. (#216)
systemd unit for Arch, so it can be built entirely from this repo. (#216)

Added a delay to punching via lighthouse signal to deal with race conditions in some linux conntrack implementations. (#210)

See deprecated, this also adds a new punchy.delay option that defaults to 1s.

Validate all lighthouse.hosts and static_host_map VPN IPs are in the subnet defined in our cert. Exit with a fatal error if they are not in our subnet, as this is an invalid configuration (we will not have the proper routes set up to communicate with these hosts). (#170)
Use absolute paths to system binaries on macOS and Windows. (#191)
Add configuration options for handshakes. This includes options to tweak try_interval, retries and wait_rotation. See example config for descriptions. (#179)
Allow -config file to not end in .yaml or yml. Useful when using -test and automated tools like Ansible that create temporary files without suffixes. (#189)
The config test mode, -test, is now more thorough and catches more parsing issues. (#177)
Various documentation and example fixes. (#196)
Improved log messages. (#181, #200)
Dependencies updated. (#188)

punchy, punch_back configuration options have been collapsed under the now top level punchy config directive. (#210)

punchy.punch - This is the old punchy option. Should we perform NAT hole punching (default false)?

punchy.respond - This is the old punch_back option. Should we respond to hole punching by hole punching back (default false)?

For macOS and Windows, build a special version of the binary that can install and manage its own service configuration. You can use this with nebula -service. If you are building from source, use make service to build this feature.
Support for mips, mips64, 386 and ppc64le processors on Linux.
You can now configure the DNS listen host and port with lighthouse.dns.host and lighthouse.dns.port.
Subnet and routing support. You can now add a unsafe_routes section to your config to allow hosts to act as gateways to other subnets. Read the example config for more details. This is supported on Linux and macOS.

Certificates now have more verifications performed, including making sure the certificate lifespan does not exceed the lifespan of the root CA. This could cause issues if you have signed certificates with expirations beyond the expiration of your CA, and you will need to reissue your certificates.
If lighthouse interval is set to 0, never update the lighthouse (mobile optimization).
Various documentation and example fixes.
Improved error messages.
Dependencies updated.

If you have a firewall rule with group: ["one-group"], this will now be accepted, with a warning to use group: "one-group" instead.
The listen.host configuration option was previously ignored (the bind host was always 0.0.0.0). This option will now be honored.
The ca_sha and ca_name firewall rule options should now work correctly.