- add `cs-CZ` translation
- add `sk-SK` translation
- fix two LDAP bugs (#156)
- restore support for `bindDnTemplate` format in common use with Active Directory
- switch to `ldap_read` when obtaining attributes of a DN instead of performing a subtree search
- allow for writing `authData` to syslog (#140)
- update `fkooman/oauth2-server` dependency (7.7.0, 7.8.0)
- allow search domains for VPN connections where all traffic is sent over the VPN (#152)
- Added Catalan (`ca-ES`) translation for the user portal
- show unsupported configuration keys used in the configuration file (#147)
- remove database query from `DisabledUserHook`
- refactor permission sources
- only fetch static permissions once during a session, not on every page load
- limit allowed OAuth scopes for the VPN clients to only `config`
- `ConnectionManager:oDisconnect` does not use `userId` parameter, remove it
- update translations of "Issues" in various languages
- LDAP improvements
- always require `userIdAttribute` to be set (announcement)
- add TLS configuration for the LDAP client, allow specifying CA, client certificate and key (#154)
- EXPERIMENTAL support to make it possible to configure WireGuard MTU (#151, documentation)
- consider allocated WireGuard IPs for alerting (#134)
- implement freeing WireGuard IPs for VPN clients that are unresponsive (#4)
- no longer have a minimum value for `sessionExpiry`, previously it was `PT30M`
- move `StaticPermissionHook` functionality to `UpdateUserInfoHook`
- always fetch static permissions
- consolidate various `Storage::user*` methods
- allow node(s) to specify OpenVPN user/group (#133)
- fix various static code analysis warnings
- `vpn-user-portal-status` now also shows the number of allocated IP addresses for WireGuard (and the number of still free addresses) (#4)
- do not show empty array when using `--alert` and `--json` with `vpn-user-portal-status` and there is nothing to alert about
- implement support for user specific "Session Expiry" (#88)
- make `vpn-user-portal-account --list` also show local users when `DbAuthModule` is used (#125)
- on "Info" page warn when DNS search domain is not set for a profile, while DNS is provided, but not default gateway (#120)
- on "Info" page if DNS is not used in split-tunnel scenario do not warn when DNS traffic is not sent over VPN
- switch to Argon2id hashes for local account passwords
- switch to new color palette for "App Usage" on "Stats" page
- show number of users on "Users" page
- expose `created_at` from `Storage::oCertList` and `Storage::wPeerList` (#121)
- expose the max #available connections per profile on "Connections" page (#122)
- make it possible to add additional OAuth API clients (#119)
- switch session storage to use JSON instead of PHP serialization
- this will log everyone out of the portal (if they are currently logged in), will NOT affect VPN sessions
- various fixes for issues found by security audit
- DEC-02-004 WP1: Stored XSS via VPN-configuration display-name (High)
- DEC-02-006 WP1: Stored XSS via null byte truncation in Radius auth (High)
- DEC-02-007 WP1: Client disconnection via absent access control (Medium)
- DEC-02-008 WP1: Bypassing connection threshold with race conditions (Low)
- DEC-02-001 WP1: Trim function does not HTML-escape short strings (Medium)
- DEC-02-005 WP3: Unnecessary use of unserialize() for cookie storage (Low)
- do not write `syslog` output to `stderr` (#117)
- add "#Unique Guest Users" to the last week's "Stats"
- add "#Unique Guest Users" to the "Aggregated Stats"
- "Aggregated Stats" will now contain data starting "yesterday" instead of "one week ago"
- Various database fixes
- Fix long standing issue with MariaDB/MySQL with "Aggregate Stats" (#53)
- Fix PostgreSQL again with "Aggregate Stats" (#118)
- Add index on `connection_log` table to make generating "Aggregate Stats" fast (#112)
- NOTE: a database migration is necessary. This is done automatically with SQLite. If you switched to using MariaDB/MySQL, or PostgreSQL you MUST do this manually!
- fix for bug in iOS/macOS app regarding OAuth token refreshing after server upgrade from 2.x to 3.x
- fix SQL query for exporting "Aggregate Stats"
- make log of adding/removing peers during sync more informative
- add name of server to aggregate/live stats file downloads
- (re)implement tool to generate (reverse) DNS zone files (#25)
- (re)implement "Static Permissions" for cases where your authentication backend does not (adequately) (#18)
- update for vpn-daemon `/w/remove_peer` changes (v3.0.2)
- add some tests to verify `nodeNumber`, `nodeUrl` and `onNode` profile configuration file
- show `nodeNumber` on Info page for the node(s)
- add `LoggerInterface::debug`
- remove `Tpl::profileIdToDisplayName` "cache"
- refactor connect/disconnect event hooks
- write to `connection_log` table from `ConnectionLogHook`
- make `VPN_PROTO` available on connect/disconnect in `ScriptConnectionHook`
- make `VPN_BYTES_IN` and `VPN_BYTES_OUT` available on disconnect in `ScriptConnectionHook`
- cleanup "daemon-sync" to make sure the correct connect/disconnect events are triggered in all cases
- make "daemon-sync" delete certificates/peers that no longer match the configuration on "apply changes" (#96)
- try all nodes when attempting to connect with WireGuard and the first node ran out of free IP addresses (#110)
- fix "Aggregate Stats" inefficient `LEFT JOIN` query (#112)
- sort/group "Aggregate Stats"
- fix `ConfigCheck` with DNS template variables (#107)
- add network prefix to `AllowedIPs` by default for WireGuard client configuration (#108)
- enforce format of remote user IDs for guest users (#104)
- restore `@GW4@` and `@GW6@` template variables for `dnsServerList` (#105)
- fix application stats on "Stats" admin page (#102)
- prevent local revoked clients from using API in "Guest Usage" scenario (#103)
- fix OpenVPN special port handling (#101)
- fix (C) year
- cast `ini_get` return value for `mbstring.func_overload` to bool
- make sure `mbstring.func_overload` PHP option is not enabled, show on "Info" page if it is
- do proper UTF-8 validation and introduce maximum length of some user provided inputs
- verify and trim node keys before allowing them (#100)
- fix `nb-NO` translation typo
- fix warning message for non-https node URL (#93)
- update `nl-NL` translation
- update for `fkooman/oauth2-server` 7.1
- introduce `ApiUserInfo` that wraps the OAuth access token
- enable `iss` query parameter support for OAuth callbacks with `fkooman/oauth2-server` 7.2 (#91)
- implement Guest Access support (#17)
- PREVIEW: implement "Admin API" support (#16)
- fix multi node deployments when profile is not installed on all nodes (#90)
- simplify `.well-known` handling code in development setup
- add additional `ProfileConfig` tests
- add simple shell script client `dev/api_client.sh` for API testing / development
- fix handling optional `oListenOn` in multi node setups (#85)
- implement `ConnectionHookInterface` to allow for plugins to respond to client connect/disconnect events (#82)
- re-implement the syslog connection logger on top of `ConnectionHookInterface`
- implement `--list` option for `vpn-user-portal-account` to list user accounts
- PREVIEW: add support for running script/command on client connect/disconnect (#84)
- proper logging of authentication failures for local database, LDAP and RADIUS
- add Portal URL to manually downloaded configuration file (#81)
- update `ar-MA` translation
- require userIdAttribute to be set in LDAP response when requesting it to be used (#83)
- make `oListenOn` accept multiple values (#75)
- update `pt-PT` translation
- update `ar-MA` translation
- initial 3.x release