
netmaker

VPN & Tunnels

A WireGuard automation platform for creating managed virtual networks from homelab to enterprise

Go · Latest v1.5.1 · 2mo ago

Features

  • Automates WireGuard mesh VPNs and site‑to‑site connections
  • Provides an admin UI with OAuth, ACLs, and private DNS
  • Supports self‑hosted open source and managed SaaS deployments

Recent releases

v1.5.1 Breaking risk
Breaking changes
  • Legacy ACLs fully removed
Notable features
  • Traffic Logs Beta with domain tagging
  • Peer update debouncer
  • Pagination APIs for Users/Hosts
Full changelog

Netmaker v1.5.1 Release Notes 🚀

🚀 What’s New

🔁 Traffic Logs (Beta)

Traffic Logs have now moved into Beta.

  • Traffic Logs are now enriched with relevant domain tagging, making network activity easier to audit and investigate.

🧰 Improvements & Fixes

  • Scalability & Reliability Improvements
    Introduced a peer update debouncer that coalesces rapid-fire PublishPeerUpdate calls into a single broadcast. A 500ms resettable debounce window, capped by a 3s max-wait deadline, ensures that back-to-back operations (bulk node updates, gateway changes, host deletions) produce one peer update instead of dozens, drastically reducing CPU and MQTT pressure on the control plane.

    Peer update caches are pre-warmed after each debounced broadcast, so pull requests from hosts are served instantly from cache instead of triggering expensive on-demand computation.

    Metrics export to the Netmaker exporter is now batched on a periodic ticker instead of being published on every individual MQTT metrics message, reducing continuous CPU pressure from Prometheus scraping.

  • Database Schema Migration
    Added schema migrations for the Users, Groups, Roles, Networks, and Hosts tables.

  • Deprecated Legacy ACLs
    Legacy ACLs have been fully removed as part of the platform’s transition to the updated access control model.

  • Paginated APIs
    Introduced pagination support for Users and Hosts APIs.

  • DNS
    Added native Active Directory support.

  • Posture Checks
    Nodes can now skip the auto-update check during join, improving join reliability in controlled environments.

  • IDP Sync
    Improved identity provider sync behavior:

    • Synced IDP groups are now denied access by default until explicitly granted.
    • Okta-specific settings are now reset when an IDP integration is removed.

  • HA Setup
    Streamlined high availability (HA) setup and operational workflows.

  • Install Script
    Added on-demand Monitoring Stack installation support via:
    ./nm-quick.sh -m

  • Monitoring Stack
    Updated the monitoring stack to use the official Prometheus and Grafana images.

  • HA Gateways
    The auto-assigned gateway is now reset when it is disconnected from the network.
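
The debounce behaviour described under Scalability & Reliability Improvements (a resettable quiet window capped by a max-wait deadline), as an added Go example that is not Netmaker's own code. `Debounce`, `CountBroadcasts` and the channel-based design are assumptions made for illustration; only the 500ms and 3s values come from the notes.

```go
package main

import (
	"fmt"
	"time"
)

// Debounce (hypothetical helper, not Netmaker's code) calls flush once per burst:
// after quiet with no new signal, or maxWait after the first. Closing in flushes.
func Debounce(in <-chan struct{}, quiet, maxWait time.Duration, flush func()) {
	for range in { // first signal of a burst
		deadline := time.After(maxWait) // fixed cap, never reset
		idle := time.After(quiet)
		for pending := true; pending; {
			select {
			case _, open := <-in:
				idle, pending = time.After(quiet), open // reset the quiet window
			case <-idle:
				pending = false
			case <-deadline:
				pending = false
			}
		}
		flush()
	}
}

// CountBroadcasts sends n signals spaced by gap and returns the flush count.
func CountBroadcasts(n int, gap, quiet, maxWait time.Duration) int {
	in, done, count := make(chan struct{}, 1), make(chan struct{}), 0
	go func() {
		Debounce(in, quiet, maxWait, func() { count++ })
		close(done)
	}()
	for i := 0; i < n; i++ {
		select {
		case in <- struct{}{}: // queued for the worker
		default: // one already queued: coalesced, sender never blocks
		}
		time.Sleep(gap)
	}
	close(in)
	<-done // worker exited, so count is final and safe to read
	return count
}

func main() {
	fmt.Println(CountBroadcasts(40, time.Millisecond, 500*time.Millisecond, 3*time.Second))
}
```

Without the max-wait deadline, a steady stream of updates spaced closer than the quiet window would postpone the broadcast indefinitely; the fixed deadline bounds how stale peers can get.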


🐞 Known Issues

  • IPv6-only machines
    Netclients cannot currently auto-upgrade on IPv6-only systems.

  • Multi-network join performance
    Multi-network netclient joins using an enrollment key still require optimization.

  • systemd-resolved DNS limitation
    On systems using systemd-resolved in uplink mode, only the first 3 entries in resolv.conf are honored; additional entries are ignored. This may cause DNS resolution issues. Stub mode is recommended.

  • Windows Desktop App + mixed gateway modes
    When the Windows Desktop App is connected to both:

    • a Full Tunnel Gateway, and
    • a Split Tunnel Gateway

    the gateway monitoring component may disconnect from the Split Tunnel Gateway.

v1.5.0 New feature
Notable features
  • Just-In-Time Access (beta): time-limited network access with automatic request/approval workflow
  • Overlapping Egress Ranges (beta): virtual NAT mode allowing multiple egress routers to share overlapping IP ranges
  • Gateway Monitoring: desktop app auto-failover to healthy gateway hubs
Full changelog

Netmaker v1.5.0 Release Notes 🚀

🚀 What’s New

🔓 Just-In-Time Access (beta)

  • Time-limited, on-demand network access: users request access, admins approve or deny, and grants expire automatically.

  • Request/approval workflow with configurable grant duration; admins retain full control over who accesses which networks and when.

🔁 Overlapping Egress Ranges (beta)

  • Virtual NAT mode enables multiple egress routers to share overlapping IP ranges by assigning each egress a virtual range from a configurable pool.
  • Configurable per-network IPv4 pool and site prefix length for virtual range allocation.
  • Eliminates routing conflicts when multiple sites need to egress the same destination CIDRs (e.g., multiple offices routing to the same cloud VPC).
  • Supports both direct NAT and virtual NAT modes for flexible egress configurations.
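
A sketch of how per-egress virtual ranges can be carved from a pool so that two sites with the same real CIDR stay distinguishable, added here as an example and not taken from Netmaker's code. The function names, the sequential allocation policy, the 1:1 host-bit mapping and the sample addresses are all assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// AllocateVirtualRanges gives each egress its own /siteBits block from pool,
// in list order. Sequential assignment is an assumption of this example.
func AllocateVirtualRanges(pool netip.Prefix, siteBits int, egresses []string) (map[string]netip.Prefix, error) {
	pool = pool.Masked()
	if !pool.Addr().Is4() || siteBits < pool.Bits() || siteBits > 32 {
		return nil, fmt.Errorf("site prefix /%d does not fit IPv4 pool %s", siteBits, pool)
	}
	if free := uint64(1) << (siteBits - pool.Bits()); uint64(len(egresses)) > free {
		return nil, fmt.Errorf("pool %s holds only %d /%d ranges", pool, free, siteBits)
	}
	base := pool.Addr().As4()
	out := make(map[string]netip.Prefix, len(egresses))
	for i, name := range egresses {
		var b [4]byte
		binary.BigEndian.PutUint32(b[:], binary.BigEndian.Uint32(base[:])+uint32(i)<<(32-siteBits))
		out[name] = netip.PrefixFrom(netip.AddrFrom4(b), siteBits)
	}
	return out, nil
}

// ToVirtual keeps the host bits of a real address and swaps in the virtual
// network bits (1:1 mapping, assumed; both prefixes must be the same length).
func ToVirtual(real netip.Addr, realNet, virt netip.Prefix) (netip.Addr, error) {
	if !real.Is4() || !realNet.Contains(real) || realNet.Bits() != virt.Bits() {
		return netip.Addr{}, fmt.Errorf("%s is not mappable from %s to %s", real, realNet, virt)
	}
	r, v := real.As4(), virt.Masked().Addr().As4()
	hostMask := uint32(1)<<(32-virt.Bits()) - 1
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], binary.BigEndian.Uint32(v[:])|binary.BigEndian.Uint32(r[:])&hostMask)
	return netip.AddrFrom4(b), nil
}

func main() {
	// Constructed sample: two offices that both use 10.0.0.0/24 behind their egress.
	ranges, _ := AllocateVirtualRanges(netip.MustParsePrefix("198.18.0.0/15"), 24, []string{"office-a", "office-b"})
	for _, name := range []string{"office-a", "office-b"} {
		addr, _ := ToVirtual(netip.MustParseAddr("10.0.0.7"), netip.MustParsePrefix("10.0.0.0/24"), ranges[name])
		fmt.Println(name, ranges[name], addr)
	}
}
```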

🌍 Gateway Monitoring

  • Desktop App connections automatically fail over to healthy gateway hubs when the primary becomes unavailable.
  • Gateway health is monitored via connectivity checks and last-seen metrics; only online gateways are used for new connections.

🧰 Improvements & Fixes

  • IP Detection Interval: Users can now choose the Device Endpoint IP detection interval based on their requirements.

  • User Migration: Optimized user migration logic to reduce server startup time.

  • DNS: Global nameservers are now used only if no match-all nameservers are configured; added fallback nameserver configuration.

  • Darwin: Netclients on macOS can now use an internet gateway.

  • GeoLocation: Consolidated IP location API usage with fallbacks.

Known Issues 🐞

  • Netclients cannot auto-upgrade on IPv6-only machines.

  • Multi-network netclient join with an enrollment key still needs to be optimized.

  • On systems using systemd-resolved in uplink mode, the first 3 entries in resolv.conf are used and the rest are ignored, so it might cause DNS issues. Stub mode is preferred.

  • When a Windows desktop app is connected to a Full Tunnel Gateway and a Split Tunnel Gateway at the same time,
    the gateway monitoring component would disconnect from the Split Tunnel Gateway.


About

Stars
11,593
Forks
641
Languages
Go Shell Dockerfile

Install & Platforms

Install via
shell-script
Platforms
linux macos windows
