Releases: DefGuard/gateway
v1.6.5
t-aleksander
Aleksander
This is a patch for the major 1.6 release. It fixes a problem with automatically applying masquerade when using DEFGUARD_MASQUERADE environment variable/argument.
What's Changed
Other Changes
- Fix applying masquerade by @t-aleksander in #313
Full Changelog: v1.6.4...v1.6.5
Contributors
Assets 14
- 870 KB
2026-04-19T03:46:20Z - 300 KB
2026-04-19T03:46:20Z - 163 KB
2026-04-19T03:46:20Z - 411 KB
2026-04-19T03:46:20Z - 3.01 MB
2026-04-17T11:22:42Z - 3.18 MB
2026-04-17T11:23:16Z - 3.42 MB
2026-04-17T11:28:02Z - 3.06 MB
2026-04-17T11:23:19Z - 2.16 MB
2026-04-17T11:22:47Z - 3.35 MB
2026-04-17T11:28:05Z -
2026-04-17T11:12:01Z -
2026-04-17T11:12:01Z - Loading
v2.0.0-beta1
wojcik91
Maciek
🎉 Welcome to Defguard 2.0 Beta 1 🎉
📖 A comprehensive list of the changes implemented since Alpha 2 is documented in detail here: https://defguard.net/blog/defguard-2-0-release-beta-1/
🛠️ We highly recommend previewing it yourself. We prepared a guide explaining how to run the alpha2 before. To run the beta1 just use 2.0.0-beta1 image tags instead of 2.0.0-alpha2.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
What's Changed
- Fix build PF on platforms other then FreeBSD and macOS by @moubctez in #286
- Allow SNAT bindings when masquerade is disabled by @moubctez in #287
- OPNsense plugin for Gateway 2.0 by @moubctez in #290
- Fix nft socket error by @moubctez in #293
- Error handling for network services by @moubctez in #294
- Faster cargo deny by @moubctez in #296
- Remove obsolete name option by @moubctez in #299
- support protobuf versioning by @wojcik91 in #292
- Fix masquerade, second attempt by @t-aleksander in #303
Full Changelog: v2.0.0-alpha2...v2.0.0-beta1
Contributors
Assets 10
v1.6.4
This is a patch for the major 1.6 release. It fixes a problem with applying many firewall rules at once.
What's Changed
Other Changes
- Update nftnl and mnl by @moubctez in #274
- Defguard Gateway service not registered on opnsense in 1.6.3 by @jamtur01 in #278
- Proper socket handing for mnl by @moubctez in #280
- Fix build PF on platforms other then FreeBSD and macOS by @moubctez in #285
- Fix socket error by @moubctez in #295
- Update workflows by @moubctez in #300
Full Changelog: v1.6.3...v1.6.4
Contributors
Assets 14
v2.0.0-alpha2
🎉 Welcome to Defguard 2.0 Alpha 2 🎉
📖 A comprehensive list of the changes implemented since Alpha 1 is documented in detail here: https://defguard.net/blog/defguard-2-0-release-alpha-2/
🛠️ We also highly recommend reviewing our detailed technical overview of all changes and the comprehensive showcase of all features in this article.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
Detailed Changes
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- Reverse gRPC communication by @moubctez in #233
- Limit connections to one Core by @moubctez in #241
- Enable use of fwmark by @moubctez in #242
- Disable APT repository signing/upload by @jakub-tldr in #244
- Core certificate authority, part 2: Gateway by @t-aleksander in #250
- Install missing build dependencies by @t-aleksander in #254
- Install missing dependencies, take 2 by @t-aleksander in #255
- MTU and FwMark are not optional by @moubctez in #256
- Gateway wizard by @t-aleksander in #257
- Update OPNsense plugin: add ACL, fix service by @moubctez in #259
- Purge RPC by @j-chmielewski in #268
- Update nftnl and mnl by @moubctez in #273
- Skip stats collection when disconnected by @j-chmielewski in #275
- Proper socket handing for mnl by @moubctez in #279
- Use proper file permissions for certificates by @moubctez in #281
- Prepare Alpha2 by @moubctez in #283
Full Changelog: v1.5.1...v2.0.0-alpha2
Contributors
Assets 10
v1.6.3
This is a security patch for the major 1.6 release.
It includes dependency updates to resolve the following CVEs:
What's Changed
Other Changes
- update dependencies & prepare 1.6.3 release by @wojcik91 in #269
- update boringtun & wireguard-rs by @wojcik91 in #272
Full Changelog: v1.6.2...v1.6.3
Contributors
Assets 14
v2.0.0-alpha1
wojcik91
Maciek
🎉 Welcome to Defguard 2.0 Alpha 1 🎉
First of all, this is an actual alpha, not meant for production, but a technology preview of what’s to come, hopefully in a month, when the stable release should be ready.
2.0 is a major overhaul, featuring a completely redesigned UI/UX, secure reverse Core-to-Gateway communication with a built-in SSL certificate authority, automated deployment and session management, and initial high-availability support, laying a solid foundation for easier, safer, and more manageable on-premise deployments.
🛠️ We highly recommend that you get familiar with a detailed technical overview of all changes and a comprehensive showcase of all features in this blog post.
🚀Here you can find a quick tutorial on how to quickly launch 2.0α with Docker Compose.
We want to get as much feedback as possible, so we encourage you to:
💬 open a GitHub discussion
🪲 report any missing features or bugs as issues
What's Changed
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- Reverse gRPC communication by @moubctez in #233
- Limit connections to one Core by @moubctez in #241
- Enable use of fwmark by @moubctez in #242
- Disable APT repository signing/upload by @jakub-tldr in #244
- Core certificate authority, part 2: Gateway by @t-aleksander in #250
- Install missing build dependencies by @t-aleksander in #254
- Install missing dependencies, take 2 by @t-aleksander in #255
- MTU and FwMark are not optional by @moubctez in #256
- Gateway wizard by @t-aleksander in #257
- Update OPNsense plugin: add ACL, fix service by @moubctez in #259
- fix binary build by @wojcik91 in #266
Full Changelog: v1.5.1...v2.0.0-alpha1
Contributors
Assets 10
v1.6.2
This is a patch for the major 1.6 release.
What's Changed
Other Changes
- Remove outdated info by @jakub-tldr in #251
- Update OPNsense plugin: add ACL, fix service by @moubctez in #258
Full Changelog: v1.6.1...v1.6.2
Contributors
Assets 14
v1.6.1
This is a patch for the major 1.6 release.
What's Changed
Other Changes
- Disable latest Docker tag in release workflow by @wojcik91 in #240
- Disable APT repository signing/uploads by @jakub-tldr in #243
- update trivy config by @wojcik91 in #247
- Update APT repository on full release/pre-release by @jakub-tldr in #245
- fix FreeBSD build by @wojcik91 in #249
Full Changelog: v1.6.0...v1.6.1
Contributors
Assets 14
v1.6.0
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and is published in Apple macOS Store officially.
🖥️ All desktop Clients now have a new MTU setting available.
🚦 Introducing Client Traffic Policy Selection. This lets administrators define whether VPN clients can choose their routing mode or are forced to use a specific traffic policy, such as routing all traffic through the VPN or only predefined traffic.
What's Changed
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- Use new wireguard-rs API with BoringTun by @moubctez in #220
- feat(opnsense): enable PID file monitoring for Defguard Gateway service by @jamtur01 in #222
- Remove AMI building by @t-aleksander in #230
- Fix handing ports in PacketFiler rules by @moubctez in #236
- use published wireguard-rs v0.8.0 by @j-chmielewski in #237
New Contributors
- @jakub-tldr made their first contribution in #221
- @jamtur01 made their first contribution in #222
Full Changelog: v1.5.2...v1.6.0
Contributors
Assets 14
v1.6.0-rc1
t-aleksander
Aleksander
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a release candidate which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
Full Changelog: v1.6.0-alpha2...v1.6.0-rc1