Releases: DefGuard/gateway
v1.6.0
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and is published in Apple macOS Store officially.
🖥️ All desktop Clients now have a new MTU setting available.
🚦 Introducing Client Traffic Policy Selection. This lets administrators define whether VPN clients can choose their routing mode or are forced to use a specific traffic policy, such as routing all traffic through the VPN or only predefined traffic.
What's Changed
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- Use new wireguard-rs API with BoringTun by @moubctez in #220
- feat(opnsense): enable PID file monitoring for Defguard Gateway service by @jamtur01 in #222
- Remove AMI building by @t-aleksander in #230
- Fix handing ports in PacketFiler rules by @moubctez in #236
- use published wireguard-rs v0.8.0 by @j-chmielewski in #237
New Contributors
- @jakub-tldr made their first contribution in #221
- @jamtur01 made their first contribution in #222
Full Changelog: v1.5.2...v1.6.0
Contributors
Assets 14
- 216 KB
2026-01-04T03:16:09Z - 295 KB
2026-01-04T03:16:08Z - 626 Bytes
2026-01-04T03:16:09Z - 392 KB
2026-01-04T03:16:08Z - 3.02 MB
2025-12-09T11:50:19Z - 3.16 MB
2025-12-09T11:50:31Z - 3.39 MB
2025-12-09T11:53:48Z - 3.04 MB
2025-12-09T11:50:33Z - 2.16 MB
2025-12-09T11:50:27Z - 3.32 MB
2025-12-09T11:53:52Z -
2025-12-09T11:46:35Z -
2025-12-09T11:46:35Z - Loading
v1.6.0-rc1
t-aleksander
Aleksander
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a release candidate which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
Full Changelog: v1.6.0-alpha2...v1.6.0-rc1
Contributors
Assets 10
v1.5.2
What's Changed
This patch for version 1.5 fixes port handing for Packet Filter.
Full Changelog: v1.5.1...v1.5.2
1.5 release is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
Migration guide
Before updating please make sure to read the migration guide
v1.6.0-alpha2
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
- feat(opnsense): enable PID file monitoring for Defguard Gateway service by @jamtur01 in #222
- Remove AMI building by @t-aleksander in #230
New Contributors
Full Changelog: v1.5.1...v1.6.0-alpha2
Contributors
Assets 10
v1.6.0-alpha1
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- Release 1.5 merger by @wojcik91 in #211
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- Merge main into dev after 1.5.1 release by @j-chmielewski in #215
- Create SBOM files by @j-chmielewski in #216
- CI: scan code with trivy by @j-chmielewski in #217
- Periodic sbom regeneration by @j-chmielewski in #218
- Merge SBOM CI pipelines into main by @j-chmielewski in #219
- Health check rename by @jakub-tldr in #221
- APT uploading/signing workflow by @jakub-tldr in #223
- List whole directory by @jakub-tldr in #224
- Merge main into dev before 1.6 release by @j-chmielewski in #228
New Contributors
- @jakub-tldr made their first contribution in #221
Full Changelog: v1.5.1...v1.6.0-alpha1
Contributors
Assets 10
v1.5.1
This patch for version 1.5 includes fixes for vulnerabilities identified during our latest penetration test. As a fully transparent organisation, Defguard publishes a Pentesting Security Report page where you can track the status of our vulnerability fixes.
This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
Migration guide
Before updating please make sure to read the migration guide
What's Changed
- Allow binding to a specific address by @t-aleksander in #176
- Merge main -> dev post 1.4 release by @wojcik91 in #180
- handle SNAT bindings by @wojcik91 in #173
- Add AMI building to the release pipeline by @t-aleksander in #181
- Fix pointer warnings, update dependencies by @moubctez in #184
- ACL hotfix by @wojcik91 in #187
- Add eu central region by @t-aleksander in #190
- sign Docker images using Cosign by @wojcik91 in #191
- Fix deny.toml by @moubctez in #194
- Version exchange and logging by @j-chmielewski in #189
- Scan images with Trivy by @moubctez in #195
- Better config parsing by @moubctez in #196
- Version check by @j-chmielewski in #197
- Fix version comparison by @j-chmielewski in #199
- Switch AMI base image to debian by @t-aleksander in #198
- Update tracing_subscriber by @moubctez in #200
- Bump defguard-version version by @t-aleksander in #201
- Fix ami building by @t-aleksander in #202
- Build with never defguard_version by @moubctez in #203
- Update defguard-version version by @t-aleksander in #204
- pre release 1.5 cleanup by @wojcik91 in #206
- pre release 1.5 cleanup pt2 by @wojcik91 in #208
- Ignore pre-release in version comparison by @j-chmielewski in #209
- Migrate docker builds to AWS by @wojcik91 in #210
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #212
- use aws images to avoid throttling by @j-chmielewski in #214
Full Changelog: v1.5.0...v1.5.1
Contributors
Assets 14
v1.5.0
This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
Migration guide
Before updating please make sure to read the migration guide
What's Changed
Other Changes
- Allow binding to a specific address by @t-aleksander in #176
- Merge main -> dev post 1.4 release by @wojcik91 in #180
- handle SNAT bindings by @wojcik91 in #173
- Add AMI building to the release pipeline by @t-aleksander in #181
- Fix pointer warnings, update dependencies by @moubctez in #184
- ACL hotfix by @wojcik91 in #187
- Add eu central region by @t-aleksander in #190
- sign Docker images using Cosign by @wojcik91 in #191
- Fix deny.toml by @moubctez in #194
- Version exchange and logging by @j-chmielewski in #189
- Scan images with Trivy by @moubctez in #195
- Better config parsing by @moubctez in #196
- Version check by @j-chmielewski in #197
- Fix version comparison by @j-chmielewski in #199
- Switch AMI base image to debian by @t-aleksander in #198
- Update tracing_subscriber by @moubctez in #200
- Bump defguard-version version by @t-aleksander in #201
- Fix ami building by @t-aleksander in #202
- Build with never defguard_version by @moubctez in #203
- Update defguard-version version by @t-aleksander in #204
- pre release 1.5 cleanup by @wojcik91 in #206
- pre release 1.5 cleanup pt2 by @wojcik91 in #208
- Ignore pre-release in version comparison by @j-chmielewski in #209
- Migrate docker builds to AWS by @wojcik91 in #210
Full Changelog: v1.4.1...v1.5.0
Contributors
Assets 10
v1.5.0-rc2
What's Changed
- Allow binding to a specific address by @t-aleksander in #176
- Merge main -> dev post 1.4 release by @wojcik91 in #180
- handle SNAT bindings by @wojcik91 in #173
- Add AMI building to the release pipeline by @t-aleksander in #181
- Fix pointer warnings, update dependencies by @moubctez in #184
- ACL hotfix by @wojcik91 in #187
- Add eu central region by @t-aleksander in #190
- sign Docker images using Cosign by @wojcik91 in #191
- Fix deny.toml by @moubctez in #194
- Version exchange and logging by @j-chmielewski in #189
- Scan images with Trivy by @moubctez in #195
- Better config parsing by @moubctez in #196
- Version check by @j-chmielewski in #197
- Fix version comparison by @j-chmielewski in #199
- Switch AMI base image to debian by @t-aleksander in #198
- Update tracing_subscriber by @moubctez in #200
- Bump defguard-version version by @t-aleksander in #201
- Fix ami building by @t-aleksander in #202
- Build with never defguard_version by @moubctez in #203
- Update defguard-version version by @t-aleksander in #204
- pre release 1.5 cleanup by @wojcik91 in #206
- pre release 1.5 cleanup pt2 by @wojcik91 in #208
- Ignore pre-release in version comparison by @j-chmielewski in #209
Full Changelog: v1.4.1...v1.5.0-rc2
Contributors
Assets 10
v1.5.0-rc1
wojcik91
Maciek
What's Changed
Other Changes
- Allow binding to a specific address by @t-aleksander in #176
- Merge main -> dev post 1.4 release by @wojcik91 in #180
- handle SNAT bindings by @wojcik91 in #173
- Add AMI building to the release pipeline by @t-aleksander in #181
- Fix pointer warnings, update dependencies by @moubctez in #184
- ACL hotfix by @wojcik91 in #187
- Add eu central region by @t-aleksander in #190
- sign Docker images using Cosign by @wojcik91 in #191
- Fix deny.toml by @moubctez in #194
- Version exchange and logging by @j-chmielewski in #189
- Scan images with Trivy by @moubctez in #195
- Better config parsing by @moubctez in #196
- Version check by @j-chmielewski in #197
- Fix version comparison by @j-chmielewski in #199
- Switch AMI base image to debian by @t-aleksander in #198
- Update tracing_subscriber by @moubctez in #200
- Bump defguard-version version by @t-aleksander in #201
- Fix ami building by @t-aleksander in #202
- Build with never defguard_version by @moubctez in #203
- Update defguard-version version by @t-aleksander in #204
- pre release 1.5 cleanup by @wojcik91 in #206
- pre release 1.5 cleanup pt2 by @wojcik91 in #208
Full Changelog: v1.4.1...v1.5.0-rc1
Contributors
Assets 10
v1.5.0-alpha5
t-aleksander
Aleksander
What's Changed
Other Changes
- Version check by @j-chmielewski in #197
- Fix version comparison by @j-chmielewski in #199
- Switch AMI base image to debian by @t-aleksander in #198
- Update tracing_subscriber by @moubctez in #200
- Bump defguard-version version by @t-aleksander in #201
- Fix ami building by @t-aleksander in #202
Full Changelog: v1.5.0-alpha4...v1.5.0-alpha5