Releases: DefGuard/defguard
v2.0.0-beta1
🎉 Welcome to Defguard 2.0 Beta 1 🎉
📖 A comprehensive list of the changes implemented since Alpha 2 is documented in detail here: https://defguard.net/blog/defguard-2-0-release-beta-1/
🛠️ We highly recommend previewing it yourself. We previously prepared a guide explaining how to run alpha2. To run beta1, just use the 2.0.0-beta1 image tags instead of 2.0.0-alpha2.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
Known issues
The migration wizard (triggered when upgrading from an older version) will fail on the login screen. Before migrating (upgrading), make sure you are logged in to Defguard, as this issue does not affect accounts that are already logged in.
What's Changed
- Adoption logs UI tweaks by @j-chmielewski in #2289
- Change icon to text & add sorting by @jakub-tldr in #2292
- Show error in form on incorrect current password by @jakub-tldr in #2293
- Remove placeholder, add variable to Webhook by @jakub-tldr in #2297
- Add network device & openid deletion confirmation modals by @jakub-tldr in #2296
- fix cache invalidation for client behavior settings page by @j-chmielewski in #2294
- Require current password for self-edit, skip for admin non-self edits by @jakub-tldr in #2301
- Allow admin for editing users credentials by @jakub-tldr in #2302
- Fix spacing on restrictions section by @jakub-tldr in #2305
- change FormInput to FormTextarea to handle \n by @jakub-tldr in #2310
- fix app crash when clicking initiate enrollment button by @wojcik91 in #2312
- Change labels in migration one liner wizard by @jakub-tldr in #2313
- Implement UI fixes and improvements by @filipslezaklab in #2315
- Duplicate authentication keys / name checking by @jakub-tldr in #2318
- add confirm action modal by @filipslezaklab in #2308
- Add user device delete confirmation by @jakub-tldr in #2322
- Check for duplicate pubkey & check for duplicates during renaming auth keys by @jakub-tldr in #2324
- extend session manager test suite by @wojcik91 in #2325
- tables update 3 by @filipslezaklab in #2331
- Remove unnecessary toggle by @wojcik91 in #2339
- add missing images to license modals and welcome wizard screens by @filipslezaklab in #2341
- Allowed groups by @moubctez in #2332
- Add more tests for initial/migration/auto-adoption wizards by @t-aleksander in #2340
- Block adding device when there is no space in at least one subnet by @jakub-tldr in #2338
- Add missing variables to tests by @jakub-tldr in #2344
- Disable Submit when user has no devices to re-address by @moubctez in #2346
- fix modal scroll by @filipslezaklab in #2347
- Remove rp id from settings and derive it from defguard_url by @j-chmielewski in #2326
- fix modals on profile general tab by @filipslezaklab in #2349
- restore Disable MFA action in users table by @wojcik91 in #2350
- alias badge display fix by @wojcik91 in #2352
- add missing actions for rules table by @filipslezaklab in #2355
- Require both parameters for auto adoption wizard (adopt-edge adopt-gateway) by @t-aleksander in #2354
- Bug fixes by @moubctez in #2360
- Fix initial wizard always redirecting to vpn overview by @t-aleksander in #2358
- use qr-card component instead of plain qrcanvas by @filipslezaklab in #2364
- Info about licence limits by @moubctez in #2363
- Block adding network device when there are no available locations by @jakub-tldr in #2366
- add missing disconnect threshold input by @wojcik91 in #2365
- Cache invalidation fixes by @j-chmielewski in #2370
- Migrate defguard_url from config by @j-chmielewski in #2369
- add theme switch to top bar element by @filipslezaklab in #2386
- Update migration UI by @filipslezaklab in #2385
- Fix ACL form validation errors by @j-chmielewski in #2378
- Validate location address by @moubctez in #2388
- Update deployment helps by @t-aleksander in #2383
- make IP optional in activity log by @wojcik91 in #2394
- add 404 and migration auth error pages by @filipslezaklab in #2397
- Fix cache invalidation after MFA method setup by @j-chmielewski in #2396
- fix missing MFA session events by @wojcik91 in #2371
- Change label when creating device in full network by @jakub-tldr in #2399
- Send Gateway reconnect email by @moubctez in #2398
- Add missing delete confirmations by @jakub-tldr in #2403
- Add missing disable confirmations by @jakub-tldr in #2404
- add preshared key to VPN session model by @wojcik91 in #2402
- add user & device "online" indicator by @wojcik91 in #2409
- adoption form default ports & helpers by @j-chmielewski in #2410
- Use new validators by @jakub-tldr in #2408
- License upsell section by @j-chmielewski in #2401
- activity log event order fix by @wojcik91 in #2413
- Pagination by @moubctez in #2406
- extend ACL test coverage for new flags by @wojcik91 in #2411
- Limited pagination by @moubctez in #2417
- Autoadoption logs by @j-chmielewski in #2416
- Frontend validators tests by @jakub-tldr in #2429
- Adjust E2E tests to the new initial wizard and fix existing tests by @jakub-tldr in #2428
- use secret_key field from Settings to generate JWTs by @wojcik91 in #2434
- restore core gRPC server tests & add testing framework for gateway handlers by @wojcik91 in #2381
- fix API tokens page license handling by @wojcik91 in #2431
- remove gRPC Auth service by @wojcik91 in #2437
- update ACL rules table columns by @wojcik91 in #2441
- Mail templates by @moubctez in #2430
- Ensure settings are initialized before running wizards by @j-chmielewski in #2447
- Prevent creating network which can't contain already existing devices & Hostname validator tweak by @jakub-tldr in #2444
- fix last connected IP column value in Users table by @wojcik91 in #2443
- Plain text mail by @moubctez in #2451
- Enrollment settings by @j-chmielewski in #2433
- New support page by @jakub-tldr in #2452
- Fix license upsell sections spacing by @j-chmielewski in #2456
- ACL rule generator by @moubctez in #2459
- Squash migrations by @j-chmielewski in #2229
- New version notification by @jakub-tldr in #2460
- Change text in Support page / Make field nullable in LDAP form by @jakub-tldr in https://github.co...
v1.6.5
This is a patch for the major 1.6 release.
It includes fixes for some ACL-related edge-cases:
- fix rule generation for destination aliases in dual-stack scenarios by @wojcik91 in #2189
- fix component alias ranges being ignored by @wojcik91 in #2247
Other Changes
- Added new issue templates by @kchudy in #2145
- don't allow empty keys by @j-chmielewski in #2193
- add gateway config helper command by @wojcik91 in #2291
- Fix e2e tests by @j-chmielewski in #2314
Full Changelog: v1.6.4...v1.6.5
v2.0.0-alpha2
🎉 Welcome to Defguard 2.0 Alpha 2 🎉
📖 A comprehensive list of the changes implemented since Alpha 1 is documented in detail here: https://defguard.net/blog/defguard-2-0-release-alpha-2/
🛠️ We also highly recommend reviewing our detailed technical overview of all changes and the comprehensive showcase of all features in this article.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
Detailed changes
- fix acl queries by @filipslezaklab in #2032
- Persist initial setup wizard state by @t-aleksander in #2033
- fix querykey conflict by @filipslezaklab in #2039
- Restore minimal LDAP compose by @t-aleksander in #2043
- Crl by @j-chmielewski in #2041
- New mail templates by @moubctez in #1997
- Check limits when creating users / locations by @filipslezaklab in #2048
- New mail templates part 2 by @moubctez in #2053
- Lack of SMTP configuration information for user by @jakub-tldr in #2054
- Wizard design tweaks by @t-aleksander in #2063
- Fix typos by @moubctez in #2066
- Gateway TLS verification by @j-chmielewski in #2049
- Use binary licence key by @moubctez in #2069
- Deleting a location cascade-deletes gateways by @j-chmielewski in #2075
- Static IP assignment from user list by @t-aleksander in #2077
- update location stats API to reflect new design by @wojcik91 in #2081
- Device IP management for single device by @t-aleksander in #2084
- "Add new device" option for admins by @jakub-tldr in #2079
- fix keepalive interval input by @j-chmielewski in #2099
- add gateway list page by @wojcik91 in #2100
- Add enabled to MailContext by @moubctez in #2107
- add edit gateway page by @wojcik91 in #2108
- Disabled SMTP badge in "Initiate self-enrollment" button by @jakub-tldr in #2114
- Fix welcome page by @moubctez in #2113
- Update ui submodule by @jakub-tldr in #2115
- Use Desktop deep-link for enrolment by @moubctez in #2122
- Block changing network address if devices are present, fix wizard by @t-aleksander in #2119
- add session manager test harness by @wojcik91 in #2128
- Change gateway port input type to number by @j-chmielewski in #2130
- handle public edge component URL in settings by @wojcik91 in #2118
- Cleanup certs by @moubctez in #2134
- use session timeout setting for cookies by @wojcik91 in #2143
- add location type, fwmark, mtu columns to locations table by @j-chmielewski in #2147
- Show business & enterprise features in edit/wizard forms by @jakub-tldr in #2137
- restore restrictions section in ACL create/edit form by @wojcik91 in #2133
- require destination in ACLs by @wojcik91 in #2146
- Gateway/Edge enabled/disabled by @moubctez in #2158
- display pending ACL updates in sidebar by @wojcik91 in #2164
- fix cache invalidation after adding and removing new gateway by @j-chmielewski in #2168
- Automated adoption wizard by @t-aleksander in #2165
- ACL form restrictions section fix by @wojcik91 in #2171
- Update dependencies by @moubctez in #2178
- Optimize IP's reassignment & tests by @jakub-tldr in #2160
- Deploy Edge component step in initial wizard by @jakub-tldr in #2184
- Allow entering empty secret in webhook config by @jakub-tldr in #2186
- Trim Gateways and Edges on licence expiration by @moubctez in #2169
- Delete Yubikey provision trigger event on webhook by @jakub-tldr in #2201
- Add migration wizard by @filipslezaklab in #2194
- Fix empty expand in table when removing last item by @filipslezaklab in #2205
- Fix OpenID label & Change LDAP labels by @jakub-tldr in #2206
- block used alias/destination delete by @wojcik91 in #2204
- LDAP case insensitive by @moubctez in #2195
- User-friendly settings by @j-chmielewski in #2210
- Periodically refresh Gateway status by @moubctez in #2212
- License check by @moubctez in #2230
- Fix stale gateway/edge connected status by @t-aleksander in #2232
- Hide "Device IP settings" option for non-admin users by @jakub-tldr in #2234
- Network devices UI fixes by @jakub-tldr in #2235
- Fix network device edit modal by @jakub-tldr in #2237
- Adoption core logs by @j-chmielewski in #2188
- Migrate locations by @filipslezaklab in #2245
- Network readdress by @moubctez in #2260
- Add more logs to automatic component adoption process by @t-aleksander in #2274
- share edge deploy wizard step component by @filipslezaklab in #2275
- use table edit cell by @filipslezaklab in #2276
- ACL UI fixes by @wojcik91 in #2222
- Fix MFA mail by @moubctez in #2281
- Tweak settings UI by @j-chmielewski in #2282
- update openid table page by @filipslezaklab in #2285
- Prepare for Alpha Two by @moubctez in #2284
- Default MFA option only for logged in user by @moubctez in #2286
- fix logout not removing cookies by @filipslezaklab in #2287
- Redirect to user profile page on 403 status code by @moubctez in #2288
- Add snackbars to all settings pages, fix form state in client behavio… by @j-chmielewski in #2290
Full Changelog: v2.0.0-alpha1...v2.0.0-alpha2
v1.6.4
This is a security patch for the major 1.6 release.
It includes dependency updates to resolve the following CVEs:
- CVE-2026-25537
- GHSA-7587-4wv6-m68m
- GHSA-8h58-w33p-wq3g
- GHSA-c7ph-f7jm-xv4w
- CVE-2026-25727
- CVE-2026-25639
- CVE-2026-2391
What's Changed
Other Changes
- Filter MFA locations on network devices list by @jakub-tldr in #1996
- Bump dependencies to address security issues by @moubctez in #2065
Full Changelog: v1.6.3...v1.6.4
v2.0.0-alpha1
🎉 Welcome to Defguard 2.0 Alpha 1 🎉
First of all, this is an actual alpha, not meant for production, but a technology preview of what’s to come, hopefully in a month, when the stable release should be ready.
2.0 is a major overhaul, featuring a completely redesigned UI/UX, secure reverse Core-to-Gateway communication with a built-in SSL certificate authority, automated deployment and session management, and initial high-availability support, laying a solid foundation for easier, safer, and more manageable on-premise deployments.
🛠️ We highly recommend that you get familiar with a detailed technical overview of all changes and a comprehensive showcase of all features in this blog post.
🚀 Here you can find a tutorial on how to quickly launch 2.0α with Docker Compose.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
What's Changed
- Release 1.6 alpha merger by @wojcik91 in #1711
- Finalize moving most important DB models to a common crate by @wojcik91 in #1713
- Merge main->dev before 1.6 by @j-chmielewski in #1756
- Implement multiple proxy handling by @j-chmielewski in #1743
- Reverse gateway grpc take two merger by @moubctez in #1767
- Gateway REST by @moubctez in #1775
- Allow domain names location DNS by @moubctez in #1786
- Add MTU and FwMark to WireGuardNetwork by @moubctez in #1788
- Disable APT repository signing/uploads by @jakub-tldr in #1799
- Disable APT repository signing/uploads by @jakub-tldr in #1800
- Core certificate authority, part 1: Proxy by @t-aleksander in #1790
- UI table update by @filipslezaklab in #1808
- Update APT repository on full release/pre-release by @jakub-tldr in #1807
- Merge main -> dev after 1.6.1 release by @wojcik91 in #1844
- PUT for OpenIDProvider by @moubctez in #1801
- Multiproxy private cookies by @j-chmielewski in #1809
- components update 1 by @filipslezaklab in #1848
- OpenID tests by @jakub-tldr in #1852
- Add MTU and FwMark to web interface by @moubctez in #1849
- Core certificate authority, part 2: Gateway by @t-aleksander in #1846
- Extend OpenAPI docs with OpenID providers by @moubctez in #1860
- OpenID provider kind by @moubctez in #1871
- VPN client session manager pt2 by @wojcik91 in #1802
- Activity log streaming page by @jakub-tldr in #1876
- add VPN sessions & stats generator by @wojcik91 in #1885
- send cookie keys via protos by @j-chmielewski in #1881
- Log streaming page tweaks by @jakub-tldr in #1892
- VPN stats generator pt2 by @wojcik91 in #1891
- Destination, part 1 by @moubctez in #1895
- MTU and FwMark are not optional by @moubctez in #1907
- session manager VPN client events by @wojcik91 in #1911
- fix docker build by @wojcik91 in #1914
- Implement proxy wizard by @t-aleksander in #1910
- Implement remote MFA with new, separate RPC message by @j-chmielewski in #1912
- Include component version in support data by @jakub-tldr in #1920
- Gateway wizard by @t-aleksander in #1919
- handle multiple gateways in session manager by @wojcik91 in #1917
- Any for aliases by @moubctez in #1918
- Initiate self-enrolment from users list by @jakub-tldr in #1935
- Separate API for Alias and Destination by @moubctez in #1938
- Use functions for ApiResponse by @moubctez in #1942
- Activity log streaming certificate file upload by @jakub-tldr in #1941
- Edge edit form by @j-chmielewski in #1940
- Support VPN client MFA connect/disconnect process within the session manager by @wojcik91 in #1939
- periodic VPN session & stats purge by @wojcik91 in #1954
- Fetch AclAlias by kind by @moubctez in #1953
- drop legacy stats tables by @wojcik91 in #1957
- Edge delete by @j-chmielewski in #1960
- New instance setup wizard by @t-aleksander in #1961
- VPN sessions handling fixes by @wojcik91 in #1964
- Fix connecting to proxy after completing initial wizard by @t-aleksander in #1971
- Initial wizard fixes by @t-aleksander in #1987
- Fix wizard routing by @t-aleksander in #1991
- change from root guard to route specific guards by @filipslezaklab in #1993
- fix(mfa): preserve preshared key when creating new session by @j-chmielewski in #1995
- Edge list by @j-chmielewski in #1992
- Update ACL -> firewall rule translation to handle new toggles by @wojcik91 in #1994
- Restore init dev env by @t-aleksander in #2010
- Allow admins to delete a specific MFA method for a user by @jakub-tldr in #2012
- Block adding MFA for user as admin by @jakub-tldr in #2013
- pre-alpha ACL UI fixes by @wojcik91 in #2024
Full Changelog: v1.6.1...v2.0.0-alpha1
v1.6.3
This is a patch for the major 1.6 release.
What's Changed
Other Changes
Full Changelog: v1.6.2...v1.6.3
v1.6.2
This is a patch for the major 1.6 release.
What's Changed
Other Changes
- Disable APT repository signing/uploads by @jakub-tldr in #1799
- Update APT repository on full release/pre-release by @jakub-tldr in #1807
- add gh cli dependency by @jakub-tldr in #1847
- Remove outdated information by @jakub-tldr in #1845
- Add missing character by @jakub-tldr in #1873
- Allow 0.0.0.0/0 to be set as allowed ip by @jakub-tldr in #1874
- Replace OpenLDAP docker image by @jakub-tldr in #1875
- fix ACL to firewall rule translation for IPv4-only or IPv6-only destinations by @wojcik91 in #1896
- force all traffic for legacy clients by @wojcik91 in #1902
Full Changelog: v1.6.1...v1.6.2
v1.6.1
This is a patch for the major 1.6 release.
What's Changed
- ACL Destination validator fix + Unit tests by @jakub-tldr in #1768
- Allow domain names in location DNS by @moubctez in #1787
Full Changelog: v1.6.0...v1.6.1
v1.6.0
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning on all platforms. Additionally, for the Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 The Windows Desktop Client finally has an MSI package, with native Wireguard networking based on WireguardNT. Please read the migration docs.
The MacOS Desktop Client introduces a native Swift/macOS VPN implementation and is officially published in the Apple macOS Store.
🖥️ All desktop Clients now have a new MTU setting available.
🚦 Introducing Client Traffic Policy Selection. This lets administrators define whether VPN clients can choose their routing mode or are forced to use a specific traffic policy, such as routing all traffic through the VPN or only predefined traffic.
What's Changed
- update dev from staging by @filipslezaklab in #1369
- Release 1.5 merger by @wojcik91 in #1577
- Fixes pentest issue DG25-16 from 2025-09-02 by @j-chmielewski in #1546
- Fixes pentest issue DG25-10 from 2025-09-02 by @j-chmielewski in #1579
- Fixes pentest issue DG25-14 from 2025-09-02 by @moubctez in #1580
- Don't send empty strings when phone number is not provided by @j-chmielewski in #1583
- Fixes pentest issue DG25-17 from 2025-09-02 by @j-chmielewski in #1581
- Fixes pentest issue DG25-21 from 2025-09-02 by @j-chmielewski in #1587
- Fixes pentest issue DG25-1 from 2025-09-02 by @j-chmielewski in #1588
- Fixes pentest issue DG25-24 from 2025-09-02 by @moubctez in #1585
- put mail handler into a separate crate by @wojcik91 in #1590
- Cleanup and revive OpenID login test by @moubctez in #1591
- Fixes pentest issue DG25-11 from 2025-09-02 by @wojcik91 in #1593
- Fixes pentest issue DG25-25 and DG25-20 from 2025-09-02 by @t-aleksander in #1574
- Fixes pentest issue DG25-32 from 2025-09-02 by @j-chmielewski in #1597
- fix document links by @wojcik91 in #1599
- Merge main into dev after 1.5.1 release by @j-chmielewski in #1619
- Create SBOM files by @j-chmielewski in #1620
- CI: scan code with trivy by @j-chmielewski in #1622
- Return NotFound to proxy for missing OpenID provider by @moubctez in #1626
- Periodic sbom regeneration by @j-chmielewski in #1627
- Switch to non-Alpine node:24 by @moubctez in #1628
- add missing error logs in proxy request handlers by @wojcik91 in #1616
- verify audit log events in API integration tests by @wojcik91 in #1624
- Upgrade Debian packages to get latest security fixes by @moubctez in #1648
- fix(e2e): update selectors in external OIDC tests by @wojcik91 in #1656
- fix e2e test enroll via external oidc by @filipslezaklab in #1657
- APT uploading/signing workflow by @jakub-tldr in #1655
- List whole directory by @jakub-tldr in #1664
- Validate IP address in Wizard by @jakub-tldr in #1667
- Service locations (Pre-logon, Always-on) by @t-aleksander in #1666
- User enrollment pending by @j-chmielewski in #1675
- Merge main into dev before 1.6 release by @j-chmielewski in #1680
- Basic client version reporting by @t-aleksander in #1688
- add option to pre-fetch OpenID directory users during sync by @wojcik91 in #1689
- add option to configure enrollment token duration by @wojcik91 in #1698
- fix(gRPC): improve handling device pubkey change by @wojcik91 in #1703
- add invalid location address validation by @wojcik91 in #1707
- Attempt to add depends to FreeBSD package by @moubctez in #1709
- Remove AMI building by @t-aleksander in #1710
- Implement "force all traffic" enterprise setting by @j-chmielewski in #1706
- Filter MFA locations on network devices modal, block creating devices without name by @jakub-tldr in #1719
- Fix traffic policy settings styling by @j-chmielewski in #1720
- Fix validator for ipv4 with port by @jakub-tldr in #1723
- Fix ipv4 validator by @j-chmielewski in #1726
- RPM config fix by @jakub-tldr in #1730
- Validator fix, Frontend unit testing by @jakub-tldr in #1733
- Fix e2e test by @t-aleksander in #1742
- Add support for license tiers by @wojcik91 in #1746
- don't tag Docker image as latest automatically by @wojcik91 in #1749
- disable default latest tag in docker action by @wojcik91 in #1751
- display license tier on settings page by @wojcik91 in #1754
Full Changelog: v1.5.2...v1.6.0
v1.6.0-rc1
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a release candidate which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning on all platforms. Additionally, for the Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 The Windows Desktop Client finally has an MSI package: see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
The MacOS Desktop Client introduces a native Swift/macOS VPN implementation and will soon be officially published in the Apple macOS Store. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- RPM config fix by @jakub-tldr in #1730
- Validator fix, Frontend unit testing by @jakub-tldr in #1733
- Fix e2e test by @t-aleksander in #1742
Full Changelog: v1.6.0-alpha3...v1.6.0-rc1