Release history
netbird releases
Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
All releases
44 shown
v0.70.5
New feature
Notable features
- Added packet capture to debug bundle and CLI
- Advertised relay server IP via signal for foreign‑relay fallback dial
Full changelog
Release Notes for v0.70.5
What's New
Client Improvements
- Added packet capture to debug bundle and CLI.
https://github.com/netbirdio/netbird/pull/5891 - Advertised relay server IP via signal for foreign-relay fallback dial.
https://github.com/netbirdio/netbird/pull/6004 - Released Status.mux before invoking notifier callbacks.
https://github.com/netbirdio/netbird/pull/6039 - Used ctx.Err() instead of gRPC codes.Canceled to detect shutdown.
https://github.com/netbirdio/netbird/pull/6019 - Used atomic write/rename pattern for SSH config.
https://github.com/netbirdio/netbird/pull/5867 - Replaced WG interface polling with netlink subscription on Linux.
https://github.com/netbirdio/netbird/pull/5857 - Displayed QR code for device auth login URL.
https://github.com/netbirdio/netbird/pull/5415 - Bumped go-netroute to v0.4.0 and dropped fork.
https://github.com/netbirdio/netbird/pull/6062 - Used fwmark-aware route lookup for raw socket UDP checksum source.
https://github.com/netbirdio/netbird/pull/6070
Management Improvements
- Added monitoring for nmap update source.
https://github.com/netbirdio/netbird/pull/6036 - Enabled PAT creation during setup.
https://github.com/netbirdio/netbird/pull/6003 - Added public IPv4/IPv6 posture checks.
https://github.com/netbirdio/netbird/pull/6038 - Tracked pending approval in peer event metadata.
https://github.com/netbirdio/netbird/pull/6040 - Fixed proxy reconnect issues.
https://github.com/netbirdio/netbird/pull/6063 - Mapped Entra OID claim as Dex user ID.
https://github.com/netbirdio/netbird/pull/6067 - Fixed flaky invite token test.
https://github.com/netbirdio/netbird/pull/6077
Proxy Enhancements
- Consolidated mapping updates.
https://github.com/netbirdio/netbird/pull/6072
Miscellaneous
- Disabled govet inline analyzer.
https://github.com/netbirdio/netbird/pull/6066 - Updated discussions and issues templates.
https://github.com/netbirdio/netbird/pull/6073
New Contributors
- @lotheac made their first contribution in https://github.com/netbirdio/netbird/pull/5867
- @alexsavio made their first contribution in https://github.com/netbirdio/netbird/pull/5857
- @typhoon1217 made their first contribution in https://github.com/netbirdio/netbird/pull/5415
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.70.4...v0.70.5
v0.70.4
Maintenance
Minor fixes and improvements.
Full changelog
What's Changed
- [misc] fix MSI generation add installer tests by @mlsmaycon in https://github.com/netbirdio/netbird/pull/6031
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.70.3...v0.70.4
v0.70.3
Bug fix
Minor fixes and improvements.
Full changelog
What's Changed
- [client] Enable UI autostart for silent and MSI installs by @shuuri-labs in https://github.com/netbirdio/netbird/pull/6026
- [management] Prevent JWT reuse during peer login by @bcmmbaga in https://github.com/netbirdio/netbird/pull/6002
- [client] Use BindListener for all userspace bind in lazyconn activity by @lixmal in https://github.com/netbirdio/netbird/pull/6028
- [client] Tolerate EEXIST when adding macOS scoped default routes by @lixmal in https://github.com/netbirdio/netbird/pull/6027
- [client] Trigger mobile submodule bump PRs on release tags by @pappz in https://github.com/netbirdio/netbird/pull/6029
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.70.2...v0.70.3
v0.70.2
Bug fix
Minor fixes and improvements.
Full changelog
What's Changed
- [client] Move macOS sleep detection into the daemon (purego) by @lixmal in https://github.com/netbirdio/netbird/pull/5926
- [client] Fix Windows installer upgrade detection for pre-0.70.1 installs by @lixmal in https://github.com/netbirdio/netbird/pull/6025
- [misc] Add comment automation on release workflow for PRs by @jnfrati in https://github.com/netbirdio/netbird/pull/6016
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.70.1...v0.70.2
v0.70.1
Breaking risk
Breaking changes
- Removed legacy network map code
Notable features
- Microsoft AD FS support for embedded Dex identity providers
- Improved JWT group claim handling from identity providers
- WinRT COM integration for Windows toast notifications
Full changelog
What's Changed
- [management] removed legacy network map code by @crn4 in https://github.com/netbirdio/netbird/pull/5565
- [management] Add Microsoft AD FS support for embedded Dex identity providers by @bcmmbaga in https://github.com/netbirdio/netbird/pull/6008
- [management] Handle single-string JWT group claim from IdPs by @bcmmbaga in https://github.com/netbirdio/netbird/pull/6014
- [client] Don't mark management disconnected on transient job stream errors by @pappz in https://github.com/netbirdio/netbird/pull/6005
- [relay] evict foreign client cache on disconnect by @pappz in https://github.com/netbirdio/netbird/pull/6015
- [self-hosted] fix(getting-started): Infinite healthcheck loop with existing traefik by @WalidDevIO in https://github.com/netbirdio/netbird/pull/5871
- [management] Drop netmap calculation on peer read by @bcmmbaga in https://github.com/netbirdio/netbird/pull/6006
- [client] Use WinRT COM for Windows toasts by @lixmal in https://github.com/netbirdio/netbird/pull/6013
New Contributors
- @WalidDevIO made their first contribution in https://github.com/netbirdio/netbird/pull/5871
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.70.0...v0.70.1
v0.70.0
Maintenance
Notable features
- TTL-based refresh to management DNS cache via handler chain
- Suppressed ICE signaling
- Trusted wg interface in firewalld to bypass owner-flagged chains
Full changelog
Release Notes for v0.70.0
What's New
Client signatures
We've updated our Windows and MacOS installers and binary signatures. This means your users might be prompted again, but we expect minimum inpact for most organizations.
Client Improvements
- Suppressed ICE signaling.
https://github.com/netbirdio/netbird/pull/5820 - Prefer systemd-resolved stub over file mode regardless of resolv.conf header.
https://github.com/netbirdio/netbird/pull/5935 - Trusted wg interface in firewalld to bypass owner-flagged chains.
https://github.com/netbirdio/netbird/pull/5928 - Added TTL-based refresh to management DNS cache via handler chain.
https://github.com/netbirdio/netbird/pull/5945 - Increased gRPC health check timeout to 5s.
https://github.com/netbirdio/netbird/pull/5961 - Improved test stability and reliability:
https://github.com/netbirdio/netbird/pull/5953
https://github.com/netbirdio/netbird/pull/5951
https://github.com/netbirdio/netbird/pull/5950
Management Improvements
- Replaced mailru/easyjson with netbirdio/easyjson fork.
https://github.com/netbirdio/netbird/pull/5938 - Checked policy changes before database updates.
https://github.com/netbirdio/netbird/pull/5405 - Propagated context changes to upstream middleware.
https://github.com/netbirdio/netbird/pull/5956 - Added changeable PAT rate limiting.
https://github.com/netbirdio/netbird/pull/5946 - Excluded already expired peers from expiration job.
https://github.com/netbirdio/netbird/pull/5970 - Unified peer-update test timeout via constant.
https://github.com/netbirdio/netbird/pull/5952
Proxy Enhancements
- Set session cookie path to root.
https://github.com/netbirdio/netbird/pull/5915
Self-Hosted Improvements
- Added reverse proxy retention fields to combined YAML.
https://github.com/netbirdio/netbird/pull/5930 - Used cscli lapi status for CrowdSec readiness check in installer.
https://github.com/netbirdio/netbird/pull/5949
Infrastructure & Misc
- Updated sign pipeline version.
https://github.com/netbirdio/netbird/pull/5981 - Updated release pipeline version.
https://github.com/netbirdio/netbird/pull/5995
New Contributors
- @alsruf36 made their first contribution in https://github.com/netbirdio/netbird/pull/5915
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.69.0...v0.70.0
v0.69.0
New feature
Security fixes
- Guarded against container DNAT bypass of ACL rules in iptables
Notable features
- CrowdSec IP reputation integration for Reverse Proxy
- macOS p2p connectivity improvements via scoped default and IP_BOUND_IF routing
- PCP protocol support for improved P2P connectivity
Full changelog
Release Notes for v0.69.0
What's New
Reverse Proxy IP Reputation Integration
Now you can use CrowdSec to block malicious traffic based on IP reputation on your exposed service in the reverse proxy.
This feature requires self-hosted installations to add another container to their deployment. See instructions in the reverse proxy migration documentation.
For Cloud users, support is coming soon.
Learn more about here.
macOS p2p connectivity improvements
We've improved macOS p2p connectivity with a better routing exclusion mechanism to avoid loops. Now the client doesn't add /32 routes per remote candidate addresses avoiding limitations on accessing remote peer's local addresses via tunnel connections. Learn more about this change.
To use the old behavior run:
sudo netbird service reconfigure --service-env "NB_USE_LEGACY_ROUTING=true"
Client Improvements
- Added PCP support. This change adds support for the PCP protocol to the client to improve the rate of P2P connectivity.
https://github.com/netbirdio/netbird/pull/5219 - Added --disable-networks flag to block network selection for users.
https://github.com/netbirdio/netbird/pull/5896 - Fixed clearing service env vars with --service-env "".
https://github.com/netbirdio/netbird/pull/5893 - Guarded against container DNAT bypass of ACL rules in iptables.
https://github.com/netbirdio/netbird/pull/5697 - Populated NetworkAddresses on iOS for posture checks.
https://github.com/netbirdio/netbird/pull/5900 - Reconnected conntrack netlink listener on error.
https://github.com/netbirdio/netbird/pull/5885 - Replaced exclusion routes with scoped default + IP_BOUND_IF on macOS.
https://github.com/netbirdio/netbird/pull/5918 - Fixed incorrect SSH client config combining Host and Match directives.
https://github.com/netbirdio/netbird/pull/5903 - Fixed WGIface.Close deadlock when DNS filter hook re-enters GetDevice.
https://github.com/netbirdio/netbird/pull/5916
Management Improvements
- Enforced peer or peer groups requirement for network routers.
https://github.com/netbirdio/netbird/pull/5894 - Reused single cache store across all management server consumers.
https://github.com/netbirdio/netbird/pull/5889 - Fixed lint error on Google Workspace integration.
https://github.com/netbirdio/netbird/pull/5907
Proxy Enhancements
- Added CrowdSec IP reputation integration for reverse proxy.
https://github.com/netbirdio/netbird/pull/5722 - Added direct redirect to SSO.
https://github.com/netbirdio/netbird/pull/5874
Infrastructure Improvements
- Updated sign pipeline version to v0.1.2.
https://github.com/netbirdio/netbird/pull/5884 - Added CrowdSec LAPI container to self-hosted setup script.
https://github.com/netbirdio/netbird/pull/5880
New Contributors
- @MichaelUray made their first contribution in https://github.com/netbirdio/netbird/pull/5900
- @jnfrati made their first contribution in https://github.com/netbirdio/netbird/pull/5907
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.68.3...v0.69.0
v0.68.2
Bug fix
Notable features
- Native firewall for peer ACLs in userspace mode
- Domain and service cleanup on account deletion
v0.68.0
Breaking risk
Breaking changes
- GetServerPublicKey unexported from client package
- net.Conn replaced with context-aware Conn interface in relay package
Notable features
- Added HealthCheck method to client
- Added TCP DNS support for local listener
- Added NAT-PMP/UPnP support
Full changelog
What's Changed
- [proxy] Update package-lock.json by @heisbrot in https://github.com/netbirdio/netbird/pull/5661
- [client] Unexport GetServerPublicKey, add HealthCheck method by @pappz in https://github.com/netbirdio/netbird/pull/5735
- [client] Fix mgmProber interface to match unexported GetServerPublicKey by @pappz in https://github.com/netbirdio/netbird/pull/5815
- [management] validate permissions on groups read with name by @pascal-fischer in https://github.com/netbirdio/netbird/pull/5749
- [management] Fix missing service columns in pgx account loader by @lixmal in https://github.com/netbirdio/netbird/pull/5816
- [client] Error out on netbird expose when block inbound is enabled by @lixmal in https://github.com/netbirdio/netbird/pull/5818
- [client] Skip down interfaces in network address collection for posture checks by @lixmal in https://github.com/netbirdio/netbird/pull/5768
- [client] Fix SSH server Stop() deadlock with active sessions by @lixmal in https://github.com/netbirdio/netbird/pull/5717
- [client] Add TCP DNS support for local listener by @lixmal in https://github.com/netbirdio/netbird/pull/5758
- [client] Fix iOS DNS upstream routing for deselected exit nodes by @mlsmaycon in https://github.com/netbirdio/netbird/pull/5803
- [client] Add NAT-PMP/UPnP support by @lixmal in https://github.com/netbirdio/netbird/pull/5202
- [relay] Replace net.Conn with context-aware Conn interface by @pappz in https://github.com/netbirdio/netbird/pull/5770
- [client] Fix SSH proxy mangling shell quoting in forwarded commands by @lixmal in https://github.com/netbirdio/netbird/pull/5669
- [client] Don't abort UI debug bundle when up/down fails by @lixmal in https://github.com/netbirdio/netbird/pull/5780
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.67.4...v0.68.0
v0.67.4
Maintenance
Minor fixes and improvements.
Full changelog
What's Changed
- [client] Fix flaky TestServiceLifecycle/Restart on FreeBSD by @lixmal in https://github.com/netbirdio/netbird/pull/5786
- [client] Add GetSelectedClientRoutes to route manager and update DNS route check by @mlsmaycon in https://github.com/netbirdio/netbird/pull/5802
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.67.3...v0.67.4
v0.67.3
Bug fix
Notable features
- Allow updating embedded IdP user name and email
Full changelog
What's Changed
- [management] Allow updating embedded IdP user name and email by @bcmmbaga in https://github.com/netbirdio/netbird/pull/5721
- [management] Fix L4 service creation deadlock on single-connection databases by @lixmal in https://github.com/netbirdio/netbird/pull/5779
- [management,client] Revert gRPC client secret removal by @bcmmbaga in https://github.com/netbirdio/netbird/pull/5781
Full Changelog: https://github.com/netbirdio/netbird/compare/v0.67.2...v0.67.3
v0.67.2
New feature
Security fixes
- Path traversal and file size protections
Notable features
- Expose support in embed library
- embed.Client on Android with netstack mode
- Notification endpoints and FleetDM API support
v0.67.1
Bug fix
Fixed macOS M-series segfault issue, replaced JumpCloud SDK with direct HTTP calls, improved header authentication with multiple headers, and enhanced iOS DNS route handling.
v0.67.0
New feature
Notable features
- Layer 4 (TLS/TCP/UDP) proxy capabilities
- Header-based authentication and access restrictions
- Wildcard certificate support
v0.66.4
Maintenance
Improved memory safety and performance by creating shallow copies of accounts during buffering and optimizing network map component initialization.
v0.66.3
Bug fix
Notable features
- Per-target reverse proxy options
- Stable domain resolution for combined server
v0.66.2
Bug fix
Database storage improvements for proxies and fixes SSH authentication with Azure Entra ID by replacing in-memory operations with SQL-backed storage for better reliability.
v0.66.1
Bug fix
Notable features
- Reverse proxy REST client
- Embedded IdP PostgreSQL database support
v0.66.0
New feature
Notable features
- netbird expose CLI command with PIN/password protection
- User group-based access control for exposed services
- Custom domain support for service exposure
v0.65.3
Security relevant
patches GHSA-rxmp-8h9v-56cx
Security fixes
- Race condition in user role validation allowing privilege escalation under specific timing conditions
v0.65.2
New feature
Notable features
- WebSocket support for proxy
- Listener-side Proxy Protocol support
- Windows DNS batching optimization
v0.65.1
Bug fix
Fixed reverse proxy setup messaging and account settings transaction handling to prevent database inconsistencies.
v0.65.0
New feature
Notable features
- Built-in reverse proxy with custom domain support
- Multiple authentication methods (SSO, PIN, password, magic links)
- Combined NetBird server binary for simplified deployment
v0.64.6
Security relevant
Security fixes
- Fixed account impersonation validation in management API - High severity
Notable features
- Better observability with DNS forwarder logging
- Performance improvements with interface caching
v0.64.5
Security relevant
Security fixes
- Management API authorization bypass (CWE-639) allowing cross-account access
v0.64.4
New feature
Notable features
- macOS default DNS resolvers as fallback
- Block inbound option for embed client
- Single-IdP mode support
v0.64.3
Bug fix
Fixed WireGuard watcher initialization, improved ephemeral peer handling, optimized socket header processing, and ensured proper shutdown on firewall initialization failures.
v0.64.2
New feature
Notable features
- IPv6 support for UDP WireGuard proxy
- Non-PTY SSH sessions
- User invite link support for embedded IdP
v0.64.1
Bug fix
Notable features
- CPU profiling in debug bundle
- IPv6 support for userspace bind proxy
- SERVFAIL/REFUSED fallback in DNS
v0.64.0
New feature
Notable features
- Debug bundle generation from API and Dashboard
- Wildcard custom DNS records
- Local password changes for embedded IdP
v0.63.0
New feature
Notable features
- Custom DNS zones with group-based distribution
- A, AAAA, and CNAME record support
- Split-horizon DNS capabilities
v0.62.3
Maintenance
Added configuration compatibility checks during startup to prevent misconfiguration issues in self-hosted deployments.
v0.62.2
Bug fix
Notable features
- Non-root ICMP support in userspace firewall
- Local JWKS key resolution
v0.62.1
Bug fix
Fixed race condition in experimental network map during account deletion, improved role change transaction handling, and corrected Caddy debug configuration.
v0.62.0
New feature
Notable features
- Embedded identity provider for local users
- Multiple OIDC provider configuration in Dashboard
- Instance setup wizard for first-time users
v0.61.2
Bug fix
Fixed incorrect update download URL in client preventing proper software updates.
v0.61.1
New feature
Notable features
- DEX IdP support
- iOS device auth flow support
- Fixed peer policy self-reference filtering