Release notes

Changelogs of NethSecurity releases.

Major changes on 2024-08-08

Image version: 8-23.05.4-ns.1.2.0

This release focuses on new features for subscriptions and improved user experience.

Detailed changelog can be found here.

New features and improvements

  • Update to OpenWrt 23.05.4: update OpenWrt to version 23.05.4 with relevant package and core changes

  • Free Threat Shield lists for community: implement free Threat Shield lists for community users, enhancing overall threat protection

  • Remote backup for all subscriptions: extend remote backup access to both Enterprise and Community subscriptions with additional backup information

  • New script to update packages with logging and stable channel access: implement a new update-packages script with enhanced logging and force-stable flag

  • Firewall objects: implement host set and domain set objects for enhanced firewall management

  • Add objects support in MultiWAN rules: implement objects support in MultiWAN UI for source and destination addresses

  • Add objects support in Port Forward rules: add objects support for destination address and restricted access in Port Forward rules

  • Add objects support in Firewall rules: include objects support for source and destination addresses in Firewall rules

  • OpenVPN Road Warrior IP reservation: improve handling of reserved IPs in OpenVPN configuration to prevent conflicts

  • Backup: include installed package list in backup for easier restoration after image upgrade

  • Let’s Encrypt certificate on web interface extra port: extend Let’s Encrypt certificate usage to the ns-ui extra port

  • OpenVPN tunnel server: add option “remote-cert-tls” in exported file client configuration file

  • Custom DNS for hotspot: add support for changing default DNS for hotspot

  • Limited support for USB-to-Ethernet adapters: provide experimental support for USB-to-Ethernet adapters with manual driver installation

  • Limited support for USB-to-Serial adapters: add experimental support for USB-to-Serial adapters with manual driver installation

Bug fixes

  • Deny creation of certificates with already requested domains: prevent creation of duplicate certificates with the same domain

  • Visual issue with DHCP objects in OpenVPN Road Warrior: fix missing fields and display errors in DHCP options

  • Cannot create reverse proxies: fix nginx configuration validation failure when creating reverse proxies

  • Limit interface names to 13 characters: prevent mwan failure due to long interface names

  • OpenVPN, unable to remove reserved IP for Road Warrior client: fix issue where the reserved IP could not be removed for Road Warrior clients

  • UI crash with over 3000 conntrack entries: fix UI crash and rpcd service break with large number of conntrack entries

  • MultiWAN, missing WAN disconnection/reconnection alerts: new implementation of WAN alerts to correctly handle connection and reconnection events

  • Controller, display the name of disconnected users: show the name of disconnected units instead of just the UUID

  • Controller, display VPN port: add VPN port display in the NS8 UI for easier firewall configuration

  • Controller, validate CN: add validation rule for controller name field to allow only letters and numbers

  • Controller, do not remove .info file on disconnect: preserve unit information file for disconnected units

  • Controller, units continuously toggle connected/disconnected: address issue with erratic connection status display for multiple units

  • Migration, DHCP and DNS Services for blue/guest zone: enable DHCP and DNS services for migrated blue/guest zones

  • Migration, OpenVPN reserved IP not assigned: address issue with reserved IP assignment for migrated certificates

  • Migration, FlashStart username missing: fix issue where username field is not displayed in FlashStart interface after migration

  • FlashStart, reduce number of queries: modify dnsdist configuration to optimize query handling and reduce unnecessary requests

Major changes on 2024-07-05

Image version: 8-23.05.3-ns.1.1.0

This release focuses on fixing bugs and delivering new features.

Detailed changelog can be found here.

New features and improvements

  • Connections management: implemented interface for real-time monitoring and control of conntrack-tracked network connections

  • MultiWAN sticky option: added sticky configuration in MultiWAN rules to maintain connection persistence across sessions

  • DPI signature updates: enabled updated Deep Packet Inspection signatures for both community and enterprise subscription types

  • Admin user management: implemented API functions to elevate local users to admin status and revoke admin privileges

  • LDAP authentication enhancement: improved flexibility for Active Directory and non-standard LDAP Distinguished Name configurations

  • Subscription repository authentication: implemented system_key verification for accessing subscription-based package repositories

Bug fixes

  • NVME storage utilization: resolved issue preventing usage of unallocated NVME drive space for system logging

  • Backup restore validation: added specific error messaging for incorrect passphrase input during backup restoration process

  • MWAN metrics adjustment: modified interface metric allocation to start at 20 and increment by 10 for improved load balancing

  • Scheduled update UI consistency: corrected persistent display of completed scheduled updates in user interface

  • MultiWAN policy labeling: fixed incorrect “balance” label display for custom single-gateway policies

  • MultiWAN form validation and input handling: implemented proper input field state management and form validation in policy editor

  • MultiWAN UI/UX refinement: enhanced port input flexibility and form submission logic for rules and policies

  • Post-migration DHCP functionality: addressed DHCP address assignment failure after version 7.9 to 8 migration

  • VPN account creation side-effect: prevented unintended removal of user display names upon VPN account creation

  • Migration network configuration: implemented removal of extraneous gateway entries from non-red interfaces

  • MultiWAN migration logic: added automatic disabling of MultiWAN configurations with single provider during migration

  • IPsec configuration display: corrected UI to accurately reflect custom IPsec tunnel parameter values

  • Reverse proxy functionality: resolved proxy pass issues for WebTop access post-migration

  • Local user database integrity: fixed disappearance of local user entries following system updates

  • Inventory system robustness: improved handling of VLAN devices on bridge interfaces and DNS configuration retrieval

  • Controller configuration persistence: fixed configuration file corruption issue after saving cluster interface settings

  • Controller setup workflow: improved configuration form with advanced options and clearer user guidance

Major changes on 2024-06-05

This is a security release.

Image version: 8-23.05.3-ns.1.0.1

Addressed security vulnerability: GHSA-74xv-ww67-jjpx (disclosure will be published on 2024-06-20)

Bug Fixes

  • Security fix for GHSA-74xv-ww67-jjpx

  • IPsec: fix non-working tunnel if the selected WAN is PPPoE over VLAN

  • MultiWAN: force maximum length for rules and policies names

  • OpenVPN Road Warrior: prevent creation of users with trailing spaces

  • Inventory: improve data collection for subscriptions and network

  • Migration: fix OpenVPN Road Warrior users not visible in UI after migration

  • API server: improved stability and performance by optimizing boot order for proper startup at boot time

Major changes on 2024-05-22

Stable

Image version: 8-23.05.3-ns.1.0.0

The Stable release focuses on fixing bugs and improving the overall user experience.

Detailed changelog can be found here.

New features and improvements

  • Routes: IPsec rules are now non-editable

  • IPsec: added a validator for remote and local networks

  • Autoreload VPN pages: VPN pages now automatically reload

  • DHCP: added network scanning feature

  • IPsec: improved handling of multiple networks within a single tunnel

  • DHCP: force option for DHCP is now available in the UI

  • Threat shield: remove enterprise list on subscription removal

  • DPI: remove premium signatures on unregister

  • Subscription: improve unregister modal

  • Inventory: collect basic usage statistics

  • IPsec: better expose PFS option

  • Dashboard: add a notification of new available version

  • Firewall rules: improve overall page readability

  • Zones and policies: improved drawer for WAN zone

  • Dashboard: show a warning if DNS is not configured

  • NAT helpers: all NAT helpers are now included in the image but disabled by default

Bug fixes

  • FlashStart: DNS resolution fails after disabling the service

  • FlashStart: fix first configuration

  • Let’s Encrypt: certificates are not created

  • FlashStart: redirect rule is ineffective

  • Firewall: ipset is not updated after removing an address

  • Migration: host groups are not imported correctly in firewall rules

  • Firewall rules: unable to insert custom IP address

  • Threat shield: changes to allowlist are not immediately applied

  • Migration: unable to edit imported IPsec tunnel

  • OpenVPN road warrior: unable to re-create a previously created user from LDAP database

  • OpenVPN RW: hosts are unreachable with bridged configuration

  • MultiWAN: track IP is not updated

  • Reverse Proxy: allow IP list should not be mandatory

  • Controller: unable to connect unit if UI is disabled on port 443

  • Subscription: unable to register a community subscription

  • Install from USB: bad partition table

  • Migration: unable to start PPPoE interface

  • Threat shield: empty subscription feed

  • Auto updates: cron job is not started during night

  • Threat shield not started from the UI

  • Migration: threat shield IP is not migrated

  • EFI: unable to use free space as extra storage

  • Zone: force creation in lowercase

  • OpenVPN Road Warrior: OTP authentication, VPN disconnects after one hour

  • ns-api: threatshield, set ban_nftexpiry and ban_logcount

  • NAT helpers: active FTP sessions do not transfer files

Major changes on 2024-04-29

Release Candidate 2

Image version: 8-23.05.3-ns.0.0.5-rc2

The Release Candidate 2 release focuses on fixing bugs and improving the overall user experience. Detailed changelog can be found here.

New features and improvements

  • Firewall rules: improved display of rules section.

  • FlashStart: added DNS resolution functionality after service disabling.

  • Dashboard: enhanced card organization and added links.

  • Routes: enabled creation of routes without gateway.

  • Autoreload VPN pages: implemented automatic data reload every 10 seconds.

  • Migration to vue-components lib: migrated components and utils to vue-components.

  • UI: set rpcd timeout to 300 seconds to support long running tasks.

  • DHCP: introduced network scanning feature.

  • User database: sorted users by username and ensured consistent execution of LDAP queries.

  • DHCP: enabled force option by default for DHCP servers, exposed the option in the UI.

  • OpenVPN road warrior: implemented sorting of OpenVPN road warrior users by username.

Bug fixes

  • Firewall rules: resolved glitch displaying incorrect content.

  • FlashStart: fixed DNS resolution failure post service disabling.

  • Routes: prevented editing of IPsec rules.

  • IPsec: validated remote/local networks to avoid duplicates.

  • Port forward: corrected reflection option label.

  • Migration: ensured proper import of host groups into firewall rules.

  • Firewall rules: allowed insertion of custom IP addresses.

  • Threat shield: apply changes to allowlist immediately.

  • Migration: improve IPSec option migration and allow editing of imported IPsec tunnel.

  • OpenVPN road warrior: resolved issue with user recreation from LDAP.

  • Fixed axios error when committing changes.

  • OpenVPN road warrior: fixed issue with bridged configuration.

  • IPsec: improved handling of multiple networks with a single tunnel.

  • Zones: fixed radio buttons IDs in Zones page.

  • FlashStart: fixed ineffective redirect rule.

  • Controller: refined behavior based on subscription presence.

  • Firewall: updated ipset after IP address removal.

Major changes on 2024-04-10

Release Candidate 1

Image version: 8-23.05.3-ns.0.0.3-rc1

The Release Candidate 1 release focuses on fixing bugs, adding the centralized controller, and improving the migration process from NethServer 7.

The issue tracker has been moved to GitHub. The new URL is: NethServer/nethsecurity#issues.

New features and improvements

  • NethSecurity has been rebased on OpenWrt 23.05.3.

  • Added the centralized controller to manage multiple NethSecurity instances from a single interface.

  • Port forwards: support port ranges in the source port field.

  • Firewall rules: support IP ranges as destination rules.

  • Backup: allow download of the backup file from the UI even if the machine has an enterprise subscription and remote backup server is not available.

  • Threat shield: improve visualization of the threat shield page if the firewall does not have Internet access.

  • Subscription: show subscription even if the machine has no Internet access.

  • MultiWAN: improved management of the balance policy configuration.

  • Network page: the up/down status of network interfaces now accurately reflects the cable status instead of the kernel status.

  • Firewall rules: improve the visualization of the disabled firewall rules.

  • Added an option to enable the privacy policy link during login.

  • Remote support (don): allow access to UI and preserve the session after a firewall restart.

  • Users: support bind on remote LDAP user databases.

Bug fixes

  • 2FA: enable 2FA for user only after OTP verification.

  • IPsec tunnels: correctly associate the ipsecX interface to the selected WAN.

  • IPsec: make sure to start after a migration even if the associated WAN is not available.

  • Migration: rework the network migration process to avoid issues with bonds, bridges, and aliases configuration.

  • Migration: display bonds and bridges in the remapping page during the migration.

  • Migration, update and backup: implement new upload and download methods to avoid issues with large files.

  • Migration: fixed an issue that prevented the DHCP server from starting when DHCP options were present in the configuration.

  • DPI: prevent loss of Enterprise signatures after an upgrade.

  • Storage: added the ability to recreate a deleted storage partition.

  • Network: fix creation of VLANs over bridges.

  • Port forward and IPsec tunnels: fixed the visualization of WAN IPs, the page now displays all aliases and avoids duplicates even if the WAN is not available.

  • Port forward: list LAN zone inside hairpin NAT destinations.

  • OpenVPN tunnel: fixed an issue that prevented the modification of a P2P tunnel.

  • MultiWAN page: correctly sort WAN interfaces by priority.

  • MultiWAN page: do not show WAN aliases inside the policy page.

  • DHCP: hide static leases inside the dynamic leases tab.

  • Proxy pass: fix an issue that was preventing the modification of a proxy pass rule.

  • OpenVPN tunnel: fix default cipher selection for P2P tunnels.

  • DPI: restart netifyd after a network configuration change.

  • FlashStart: fix firewall registration to the FlashStart service.

  • FlashStart: fix secondary DNS address.

  • Firewall rules: fix duplicated host in source and destination address.

  • OpenVPN Road Warrior: fix bulk user creation for large user lists.

Known bugs

Network bonds still suffer from some issues. If you’re migrating from NethServer 7, please be aware of the following:

  • A VLAN over a bond interface is not created if the bond has no role assigned

  • During bond creation, the web UI sometimes does not show the devices that can be added to the bond

  • The newly created bond shows a “Configure bond” button, but it configures the bond’s member interface rather than the bond itself

Upgrade notes

If you are upgrading from a previous beta version and have any IPsec tunnels configured, you must run the following commands after the upgrade:

uci delete ipsec.ns_ipsec_global.interface
uci commit ipsec
/etc/init.d/swanctl restart

Major changes on 2024-02-29

Beta 2

Image version: 8-23.05.2-ns.0.0.2-beta2

The Beta2 release focuses on improving the new UI and enhancing the overall user experience.

New features

New packages included in the image:

  • Added SNMPD package for network monitoring and management.

  • Dyndns package included for dynamic DNS services.

  • Expanded driver support for older network interfaces and vmnet environments.

User interface (UI):

  • Default UI port changed to 9090, accessible from WAN. The UI is also accessible from LAN and WAN on port 443.

  • LuCI interface disabled by default for streamlined experience.

  • New page to configure Source NAT, Masquerading, No-NAT and netmap rules.

  • Improved readability of network packet counts on the network page.

Network:

  • PPPoE with DHCPv6-PD support implemented.

  • It’s now possible to configure bond network interfaces from the UI.

DPI:

  • Automatic network change reconfiguration enabled.

  • All non-WAN interfaces displayed on the DPI page. To upgrade the DPI configuration on existing installations, execute:

    echo '{"changes": {"network": []}}' | /usr/libexec/rpcd/ns.commit call commit

Additional features:

  • Improved the installation script ns-install: installation is now faster and it halts the system at the end of the installation process.

  • Improved migration UI for smoother upgrade experience.

  • DHCP static lease creation from existing dynamic leases.

  • Two-factor authentication (2FA) for administrator accounts.

  • Redesigned login experience with a more integrated and admin-oriented look and feel.

  • Pre and post commit hooks added for enhanced API control.

  • Subscription-based opt-in feature for automatic updates, accessible only to users with active subscriptions.

Bug fixes

MultiWAN:

  • Improved rule flexibility: now allows specifying single IP addresses (not just CIDR format) in source/destination fields for rules.

  • Policy protection: prevents accidental deletion of policies already used in rules.

  • Fixed mwan chart display: mwan chart within Netdata now shows correctly after multi-WAN configuration.

Firewall:

  • Enhanced protocol handling: creates rules for all protocols (not just TCP/UDP) when “any” is selected.

  • Improved rule readability: fixed the tooltip for rules with two or more source/destination addresses, which previously showed only the second address.

Port Forwarding:

  • Streamlined configuration: source and destination ports are only required for TCP/UDP protocols.

  • Simplified ALL protocol selection: when “ALL” protocol is chosen, other protocol options are disabled as they are redundant.

Certificates:

  • Fixed issue: custom certificate being overwritten with self-generated certificate when set as default certificate for the firewall FQDN.

  • Correctly display certificate domain: on the certificate list, the subject displayed now corresponds to the client certificate instead of the first certificate in the chain.

  • Fix Let’s Encrypt certificate deletion: forced acme.sh to generate a new configuration when recreating a Let’s Encrypt certificate for the same domain, instead of reusing the existing one.

  • Let’s Encrypt certificate request: disabled automatic redirection from port 80 to 443 to avoid conflicts with acme.sh.

DPI:

  • Fixed configuration loss: resolved issue where saved DPI filter configurations were deleted during upgrade from previous versions

Network:

  • Improved interface management: enabled editing of interfaces even after their associated zone is deleted.

API:

  • Log consistency: standardized API server logs for NethSecurity API server to match objects passed to scripts.

OpenVPN:

  • Resolved port update issue: changing OpenVPN Road Warrior service port through the UI now correctly reflects the update in the service configuration and associated firewall rule.

  • Configuration protection: fixed issue where RoadWarrior configuration was lost when changing a user’s password.

  • Enhanced authentication: addressed OpenVPN Road Warrior authentication failures using local users in NethSecurity beta1.

  • Resolved tunnel server status: fixed issue where the tunnel server status was not correctly displayed in the UI.

Hotspot:

  • MAC address inclusion: resolved problem where MAC addresses were missing in the “unit” section of the Hotspot Manager when the hotspot relied on a VLAN.

  • VLAN deletion: fixed issue preventing deletion of VLANs previously used by unregistered hotspots, even after the VLAN was freed.

  • Enhanced status visibility: added enabled/disabled status to the main tab for quick reference.

DHCP:

  • Fixed missing key value for a preconfigured advanced option, ensuring proper functionality.

  • Improved display of multiple options by removing redundant label.

IPsec:

  • IPsec rule NAT port: corrected port for the Allow-IPsec-NAT rule, changed from 500 to 4500 (UDP).

  • Duplicate rules: prevented duplicate firewall rule creation on tunnel creation.

  • Fixed spelling of IPsec rule names.

Known bugs

IPsec:

  • Only the first subnet in the IPsec tunnel is functional: when defining more than one network in an IPsec tunnel between different devices, only the first network works; traffic destined to the other subnets in the tunnel is not routed correctly. A workaround is to create multiple tunnels, each with a single subnet. This issue does not occur between two NethSecurity 8 devices (as they use the same daemon), but it can occur between, for example, a NethSecurity 8 and a NethServer 7.9.

Major changes on 2024-02-01

Beta 1

Image version: 8-23.05.2-ns.0.0.1-beta1

The Beta1 release marks the transition to the new UI as the primary configuration interface. LuCI remains active by default for configurations not yet available in the new UI and for verification purposes. Known bugs in the new interface can be found here.

Main changes:

  • Added a dedicated page for managing certificates and reverse proxy settings. Improved the import process for both configurations.

  • Introduced a new page for configuring firewall rules. Users are advised to use this page instead of LuCI’s, as using both may lead to incompatibilities.

  • Added a page for Quality of Service (QoS) configuration to enhance network traffic management.

  • Added a page for configuring OpenVPN Roadwarrior. Updated the migration process for the new implementation.

  • Introduced the option to use a partition of the main disk as storage for logs.

  • Improved the migration process for multiwan and OpenVPN tunnels, enhancing overall system compatibility.

  • Streamlined the management of upgrades and migrations, focusing on a smoother transition.

  • Implemented a new versioning system to uniquely identify each image, enhancing clarity in tracking releases.

  • Incorporated numerous usability improvements and fixed issues across existing pages, ensuring a more user-friendly experience.

Major changes on 2023-12-11

Alpha 2

This alpha release is specifically crafted for evaluation purposes, focusing on testing the functionalities of the new system’s user interface. Users are provided with the option to experience either the ongoing development of the new interface or stick with the established LuCI interface. Known bugs in the new interface can be found here.

UI Enhancements

  • Resolved numerous bugs across various pages, including DHCP and DPI filter, enhancing overall page stability.

  • Introduced the OpenVPN tunnel configuration page.

  • Added the IPsec tunnel configuration page.

  • Incorporated the Hotspot (Dedalo) configuration page.

  • Implemented the Backup and Restore page.

  • Introduced exclusion functionality to the DPI filter page.

  • Exposed netdata reports within the UI, featuring a configurable ping latency monitor.

  • Addressed the default language issue for non-translated languages.

  • Refactored and improved the Network page.

  • Added a page to manage System Updates.

  • Included a migration page from NethServer 7.

  • Enabled factory reset functionality directly from the UI.

  • Implemented a VPN Users page in preparation for the upcoming OpenVPN Road Warrior server.

General Improvements

  • Updated the base OpenWrt to version 23.05.2.

  • Established a mechanism to send alerts to remote portals, including my.nethesis.it and my.nethserver.com.

  • Added support for One-Time Passwords (OTP) in future OpenVPN Road Warrior server configurations.

Note: the bond configuration is still in progress, and as a result, bond-type network interfaces are currently non-functional in this release.

Major changes on 2023-10-31

Alpha 1

This is an alpha release, designed for evaluation purposes to explore the functionalities of the new system. Users have the option to use either the new interface, which is currently under development, or the legacy LuCI interface. Please note that some features available on the old LuCI interface will be removed once the corresponding page on the new interface is completed.

While the entire backend functionality is already operational and thoroughly tested, the new interface is not yet complete. Some bugs in the new interface are already known and can be found here.

The new interface includes the following features:

  • Dashboard

  • Subscription Management

  • Hostname and Timezone Configuration

  • Additional Storage Setup

  • Network Interface Configuration

  • DNS and DHCP Settings

  • Routing Configuration

  • Multi-WAN Support

  • Port Forwarding Options

  • Zones and Policies Management

  • Flashstart DNS Filtering

  • Deep Packet Inspection (DPI) Filtering

  • Root User Password Change

  • Access to System Logs

Releases glossary

The software release cycle includes four stages: Alpha, Beta, Release Candidate (RC), and Stable.

During the Alpha stage, the software is not thoroughly tested and may not include all planned features. This release is not suitable for production environments. However, it can be used to preview what’s coming in the upcoming version. Please note that updates from an Alpha release to other releases are not supported.

The Beta stage indicates that the software is mostly feature complete, but it may still contain many known and unknown bugs. This release should not be used on production environments. However, it can be used to test the software before deploying it to production. Updates from a Beta release to an RC or Stable release are supported but may require a manual procedure.

During the Release Candidate (RC) stage, the software is feature complete and contains no known bugs. If no major issues arise, it can be promoted to Stable. Updates from an RC release to a Stable release are supported and should be almost automatic. However, if you are new to the software, avoid running an RC in production; use it there only once you already have some experience with the software.

The Stable release is the most reliable and safe to use in production environments. It has been thoroughly tested and is considered to be free of major bugs.