v0.69.0

Release Notes for v0.69.0

What's New

Reverse Proxy IP Reputation Integration
Now you can use CrowdSec to block malicious traffic based on IP reputation on your exposed service in the reverse proxy.

This feature requires self-hosted installations to add another container to their deployment. See instructions in the reverse proxy migration documentation.

For Cloud users, support is coming soon.

Learn more about here.

macOS p2p connectivity improvements
We've improved macOS p2p connectivity with a better routing exclusion mechanism to avoid loops. Now the client doesn't add /32 routes per remote candidate addresses avoiding limitations on accessing remote peer's local addresses via tunnel connections. Learn more about this change.

To use the old behavior run:

sudo netbird service reconfigure --service-env "NB_USE_LEGACY_ROUTING=true"

Client Improvements

• Added PCP support. This change adds support for the PCP protocol to the client to improve the rate of P2P connectivity.
  #5219
• Added --disable-networks flag to block network selection for users.
  #5896
• Fixed clearing service env vars with --service-env "".
  #5893
• Guarded against container DNAT bypass of ACL rules in iptables.
  #5697
• Populated NetworkAddresses on iOS for posture checks.
  #5900
• Reconnected conntrack netlink listener on error.
  #5885
• Replaced exclusion routes with scoped default + IP_BOUND_IF on macOS.
  #5918
• Fixed incorrect SSH client config combining Host and Match directives.
  #5903
• Fixed WGIface.Close deadlock when DNS filter hook re-enters GetDevice.
  #5916

Management Improvements

• Enforced peer or peer groups requirement for network routers.
  #5894
• Reused single cache store across all management server consumers.
  #5889
• Fixed lint error on Google Workspace integration.
  #5907

Proxy Enhancements

• Added CrowdSec IP reputation integration for reverse proxy.
  #5722
• Added direct redirect to SSO.
  #5874

Infrastructure Improvements

• Updated sign pipeline version to v0.1.2.
  #5884
• Added CrowdSec LAPI container to self-hosted setup script.
  #5880

New Contributors

• @MichaelUray made their first contribution in #5900
• @jnfrati made their first contribution in #5907

Full Changelog: v0.68.3...v0.69.0

v0.68.3

What's Changed

• [management] revert ctx dependency in get account with backpressure by @crn4 in #5878
• [management] add context cancel monitoring by @pascal-fischer in #5879
• [misc] Add CI check for proto version string changes by @lixmal in #5854

Full Changelog: v0.68.2...v0.68.3

v0.68.2

What's Changed

• [management] network map tests by @mlsmaycon in #5795
• [management] use sql null vars by @pascal-fischer in #5844
• [client] Use native firewall for peer ACLs in userspace WireGuard mode by @lixmal in #5668
• [misc] update dashboards by @pascal-fischer in #5840
• [management] update account delete with proper proxy domain and service cleanup by @pascal-fischer in #5817
• [management] allow local routing peer resource by @pascal-fischer in #5814
• [management] enable access log cleanup by default by @pascal-fischer in #5842
• [client] Update RaceDial to accept context for improved cancellation by @pappz in #5849
• [management] add domain and service cleanup migration by @pascal-fischer in #5850
• [client] Fix Android internet blackhole caused by stale route re-injection on TUN rebuild by @pappz in #5865
• [client] Fix/grpc retry by @pappz in #5750
• [client] Fix DNS resolution with userspace WireGuard and kernel firewall by @lixmal in #5873

Full Changelog: v0.68.1...v0.68.2

v0.68.1

What's Changed

• [client] Include service.json in debug bundle by @lixmal in #5825
• [client] Fix FreeBSD not reporting network addresses by @lixmal in #5827
• [client] Handle UPnP routers that only support permanent leases by @lixmal in #5826
• [management] use NullBool for terminated flag by @pascal-fischer in #5829

Full Changelog: v0.68.0...v0.68.1

v0.68.0

What's Changed

• [proxy] Update package-lock.json by @heisbrot in #5661
• [client] Unexport GetServerPublicKey, add HealthCheck method by @pappz in #5735
• [client] Fix mgmProber interface to match unexported GetServerPublicKey by @pappz in #5815
• [management] validate permissions on groups read with name by @pascal-fischer in #5749
• [management] Fix missing service columns in pgx account loader by @lixmal in #5816
• [client] Error out on netbird expose when block inbound is enabled by @lixmal in #5818
• [client] Skip down interfaces in network address collection for posture checks by @lixmal in #5768
• [client] Fix SSH server Stop() deadlock with active sessions by @lixmal in #5717
• [client] Add TCP DNS support for local listener by @lixmal in #5758
• [client] Fix iOS DNS upstream routing for deselected exit nodes by @mlsmaycon in #5803
• [client] Add NAT-PMP/UPnP support by @lixmal in #5202
• [relay] Replace net.Conn with context-aware Conn interface by @pappz in #5770
• [client] Fix SSH proxy mangling shell quoting in forwarded commands by @lixmal in #5669
• [client] Don't abort UI debug bundle when up/down fails by @lixmal in #5780

Full Changelog: v0.67.4...v0.68.0

v0.67.4

What's Changed

• [client] Fix flaky TestServiceLifecycle/Restart on FreeBSD by @lixmal in #5786
• [client] Add GetSelectedClientRoutes to route manager and update DNS route check by @mlsmaycon in #5802

Full Changelog: v0.67.3...v0.67.4

v0.67.3

What's Changed

• [management] Allow updating embedded IdP user name and email by @bcmmbaga in #5721
• [management] Fix L4 service creation deadlock on single-connection databases by @lixmal in #5779
• [management,client] Revert gRPC client secret removal by @bcmmbaga in #5781

Full Changelog: v0.67.2...v0.67.3

v0.67.2

Release Notes for v0.67.2

Legacy to Embedded IdP Migration Tool

We're introducing netbird-idp-migrate, a standalone CLI tool that enables self-hosted NetBird operators to migrate from an external identity provider (Auth0, Zitadel, Okta, Azure AD, Google, etc.) to NetBird's built-in embedded IdP, introduced in v0.62.0.

What it does

The migration tool handles the full transition in a single run:

1. Preserves user identity — Connects to your existing external IdP, fetches email and display name for every user, and backfills any missing contact information before the migration makes original IdP user IDs inaccessible.

2. Re-keys user IDs — Atomically re-encodes every user ID from the external IdP format to the new internal format, updating all foreign key references (peers, personal access tokens, groups, policies, activity events, etc.) in a single transaction per user.

3. Generates new configuration — Transforms your existing management.json by removing the now-unnecessary IdpManagerConfig, PKCEAuthorizationFlow, and DeviceAuthorizationFlow sections, and adds a minimal EmbeddedIdP block with your connector, issuer, and redirect URIs pre-configured.

What it enables

• Simplified self-hosted deployments — Eliminates the need to provision and maintain a separate identity provider. NetBird manages authentication natively via the embedded IdP.
• Zero-downtime preparation — The tool runs independently of the management server, so operators can migrate their database offline and switch to the embedded IdP on the next server restart.
• Safe and resumable — Supports --dry-run to preview all changes without writing, creates a management.json.bak backup before modifying config, and automatically detects and skips already-migrated users — meaning a partial failure can be safely re-run.
• Unlock the combined server — Migrating to the embedded IdP enables you to run NetBird's combined server — a single binary that bundles the management server, signal server, and identity provider into one process, with fewer containers and a single configuration to manage. Learn more here.

Requirements

• NetBird management server v0.66.4+ must have been started at least once so that automatic database migrations create the required schema.
• The external IdP must still be reachable during migration (for the user info population phase). Use --skip-populate-user-info if user email/name data is already complete in the database.

Pre-built binaries are included in this release for Linux (amd64, arm64, arm).

Learn more at:

Migrating from External to Embedded IdP

What's New

Client Improvements

• Added Expose support to embed library.
  #5695
• Persisted service install parameters across reinstalls.
  #5732
• Fixed Exit Node submenu separator accumulation on Windows.
  #5691
• Fixed Android DNS routes lost after TUN rebuild.
  #5739
• Fixed flaky TestUpdateOldManagementURL in CI.
  #5703
• Fixed path join issue in Windows tests.
  #5762
• Fixed IPv6 address handling in QUIC server.
  #5763
• Refactored Android PeerInfo to use ConnStatus enum.
  #5644
• Added support for embed.Client on Android with netstack mode.
  #5623

Management Improvements

• Added notification endpoints.
  #5590
• Added terminated field to services.
  #5700
• Extended blackbox tests.
  #5699
• Updated to latest gRPC version.
  #5716
• Prevented events for temporary peers.
  #5719
• Persisted proxy capabilities to database.
  #5720
• Added FleetDM API spec support.
  #5597
• Added target user account validation.
  #5741
• Improved permission validation for posture check delete.
  #5742
• Removed client secret from gRPC auth flow.
  #5751
• Fixed panic on management reboot.
  #5759
• Added legacy to embedded IdP migration tool.
  #5586
• Fixed race condition in setup flow allowing multiple owners.
  #5754

Proxy Enhancements

• Added pprof support for proxy debugging.
  #5764

Security & Stability

• Added path traversal and file size protections.
  #5755

Self-Hosted Improvements

• Added self-hosted scaling note.
  #5769

Miscellaneous

• Added missing OpenAPI definitions.
  #5690
• Updated Contributor License Agreement document.
  #5131
• Set permissions on env file for getting started scripts.
  #5761

New Contributors

• @tobsec made their first contribution in #5691
• @iakshayubale made their first contribution in #5644

Full Changelog: v0.67.1...v0.67.2

v0.67.1

What's Changed

• [client] Don't abort debug for command when up/down fails by @lixmal in #5657
• [misc] Set signing env only if not fork and set license by @mlsmaycon in #5659
• [management] Omit proxy_protocol from API response when false by @lixmal in #5656
• [management] Replace JumpCloud SDK with direct HTTP calls by @bcmmbaga in #5591
• [management] Allow multiple header auths with same header name by @lixmal in #5678
• [management] Fix DNS label uniqueness check on peer rename by @bcmmbaga in #5679
• [misc] Replace discontinued LocalStack with MinIO in S3 test by @lixmal in #5680
• [client] Bump go-m1cpu to v0.2.1 to fix segfault on macOS 26 / M5 chips by @lixmal in #5701
• [infrastructure] Enable RPM package gpgcheck in install script by @lixmal in #5676
• [client] Replace iOS DNS IsPrivate heuristic with route checker by @lixmal in #5694

Full Changelog: v0.67.0...v0.67.1

v0.67.0

Release Notes for v0.67.0

What's New

Major Networking & Proxy Enhancements

• Introduced Layer 4 (L4) capabilities (TLS/TCP/UDP) across client, management, and proxy.
  #5530
• Added header-based authentication, access restrictions, and session idle timeout for proxy services.
  #5587
• Added support for wildcard certificates and improved certificate handling (read from disk if available).
  #5583
  #5574
• Added require_subdomain capability for proxy clusters.
  #5628
• Improved proxy reliability with domain switching fixes and recovery after cleanup.
  #5585
  #5617

Dashboard support and documentation update are coming soon.

Client Improvements

• Added client metrics support and enhanced observability.
  #5512
• Added health check flag and daemon status output to netbird status.
  #5650
• Restart engine automatically when peer IP changes.
  #5614
• Improved DNS handling, IPv6 formatting, and probe thread safety.
  #5603
  #5576
• Added MTU option and DNSLabels support to embedded client.
  #5550
  #5493
• Refactored auto-update workflow and simplified container entrypoint.
  #5448
  #5652
• Fixed multiple issues including duplicate logs, firewall init behavior, and container logging.
  #5609
  #5621
• Additional client fixes and improvements.
  #5510
  #5613
  #5622
• Updated gvisor to build with Go 1.26.x.
  #5447

Management Improvements

• Added reverse proxy cluster APIs and domain-based targeting.
  #5611
  #5612
• Improved concurrency handling and proxy exclusions from peer approval.
  #5584
  #5588

Proxy Enhancements

• Added log-level flag and usage improvements.
  #5594

Security & Packaging

• Added GPG signing key support for RPM packages.
  #5581

Miscellaneous

• Added image build after merge to main workflow.
  #5605
• Added netbird-tui to community projects.
  #5568

New Contributors

• @n0pashkov made their first contribution in #5568
• @tham-le made their first contribution in #5550
• @wehagy made their first contribution in #5447
• @mango766 made their first contribution in #5603
• @Wouter0100 made their first contribution in #5493

Full Changelog: v0.66.4...v0.67.0