# Changelog
## 2026-03-31 - 1.16.5 - fix(rust-userspace-nat)

improve TCP session backpressure, buffering, and idle cleanup in userspace NAT

- apply proper bridge-channel backpressure by reserving channel capacity before consuming smoltcp TCP data
- defer bridge sender initialization until the bridge task starts and track TCP session activity timestamps
- cap per-session pending TCP send buffers at 512KB and abort stalled sessions when clients cannot keep up
- add idle TCP session cleanup and switch NAT polling to a dynamic smoltcp-driven delay

## 2026-03-31 - 1.16.4 - fix(server)

register preloaded WireGuard clients as peers on server startup

- Adds configured clients from the runtime registry to the WireGuard listener when the server starts.
- Ensures clients loaded from config can complete WireGuard handshakes without requiring separate peer registration.
- Logs a warning if automatic peer registration fails for an individual client.

## 2026-03-31 - 1.16.3 - fix(rust-nat)

defer TCP bridge startup until handshake completion and buffer partial NAT socket writes

- Start TCP bridge tasks only after the smoltcp socket becomes active to prevent server data from arriving before the client handshake completes.
- Buffer pending TCP payloads and flush partial writes so bridge-to-socket data is not silently lost under backpressure.
- Keep closing TCP sessions alive until FIN processing completes and add logging for dropped packets when bridge or route channels are full.

## 2026-03-31 - 1.16.2 - fix(wireguard)

sync runtime peer management with client registration and derive the correct server public key from the WireGuard private key

- Register, remove, and rotate WireGuard peers in the running listener when clients are added, deleted, or rekeyed.
- Generate client WireGuard configs with the public key derived from the configured WireGuard private key instead of reusing the generic server public key.
- Handle expired WireGuard sessions by re-initiating handshakes and mark client state as handshaking until the tunnel becomes active.
- Improve allowed IP matching and peer VPN IP extraction for runtime packet routing.

## 2026-03-30 - 1.16.1 - fix(rust/server)

add serde alias for clientAllowedIPs in server config

- Accepts the camelCase clientAllowedIPs field when deserializing server configuration.
- Improves compatibility with existing or external configuration formats without changing runtime behavior.

## 2026-03-30 - 1.16.0 - feat(server)

add configurable client endpoint and allowed IPs for generated VPN configs

- adds serverEndpoint to generated SmartVPN and WireGuard client configs so remote clients can use a public address instead of the listen address
- adds clientAllowedIPs to generated WireGuard configs to support full-tunnel or split-tunnel routing
- updates TypeScript interfaces to expose the new server configuration options

## 2026-03-30 - 1.15.0 - feat(vpnserver)

add nftables-backed destination policy enforcement for TUN mode

- add @push.rocks/smartnftables dependency and export it through the plugin layer
- apply destination policy rules via nftables when starting the server in TUN mode
- add periodic nftables health checks and best-effort cleanup on server stop
- update documentation for destination routing policy, socket transport mode, trusted client tags, events, and service generation

## 2026-03-30 - 1.14.0 - feat(nat)

add destination routing policy support for socket-mode VPN traffic

- introduce configurable destinationPolicy settings in server and TypeScript interfaces
- apply allow, block, and forceTarget routing decisions when creating TCP and UDP NAT sessions
- export ACL IP matching helper for destination policy evaluation

## 2026-03-30 - 1.13.0 - feat(client-registry)

separate trusted server-defined client tags from client-reported tags with legacy tag compatibility

- Adds distinct serverDefinedClientTags and clientDefinedClientTags fields to client registry and TypeScript interfaces.
- Treats legacy tags values as serverDefinedClientTags during deserialization and server-side create/update flows for backward compatibility.
- Clarifies that only server-defined tags are trusted for access control while client-defined tags are informational only.

## 2026-03-30 - 1.12.0 - feat(server)

add optional PROXY protocol v2 headers for socket-based userspace NAT forwarding

- introduce a socketForwardProxyProtocol server option in Rust and TypeScript interfaces
- pass the new setting into the userspace NAT engine and TCP bridge tasks
- prepend PROXY protocol v2 headers on outbound TCP connections when socket forwarding is enabled

## 2026-03-30 - 1.11.0 - feat(server)

unify WireGuard into the shared server transport pipeline

- add integrated WireGuard server support to VpnServer with shared startup, shutdown, status, statistics, and peer management
- introduce transportMode 'all' as the default and add server config support for wgPrivateKey, wgListenPort, and preconfigured peers
- register WireGuard peers in the shared client registry and IP pool so they use the same forwarding engine, routing, and monitoring as WebSocket and QUIC clients
- expose transportType in server client info and update TypeScript interfaces and documentation to reflect unified multi-transport forwarding

## 2026-03-30 - 1.10.2 - fix(client)

wait for the connection task to shut down cleanly before disconnecting and increase test timeout

- store the spawned client connection task handle and await it during disconnect with a 5 second timeout so the disconnect frame can be sent before closing
- increase the test script timeout from 60 seconds to 90 seconds to reduce flaky test runs

## 2026-03-29 - 1.10.1 - fix(test, docs, scripts)

correct test command verbosity, shorten load test timings, and document forwarding modes

- Fixes the test script by removing the duplicated verbose flag in package.json.
- Reduces load test delays and burst sizes to keep keepalive and connection tests faster and more stable.
- Updates the README to describe forwardingMode options, userspace NAT support, and related configuration examples.

## 2026-03-29 - 1.10.0 - feat(rust-server, rust-client, ts-interfaces)

add configurable packet forwarding with TUN and userspace NAT modes

- introduce forwardingMode options for client and server configuration interfaces
- add server-side forwarding engines for kernel TUN, userspace socket NAT, and testing mode
- add a smoltcp-based userspace NAT implementation for packet forwarding without root-only TUN routing
- enable client-side TUN forwarding support with route setup, packet I/O, and cleanup
- centralize raw packet destination IP extraction in tunnel utilities for shared routing logic
- update test command timeout and logging flags

## 2026-03-29 - 1.9.0 - feat(server)

add PROXY protocol v2 support for real client IP handling and connection ACLs

- add PROXY protocol v2 parsing for WebSocket connections, including IPv4/IPv6 support, LOCAL command handling, and header read timeout protection
- apply server-level connection IP block lists before the Noise handshake and enforce per-client source IP allow/block lists using the resolved remote address
- expose proxy protocol configuration and remote client address fields in Rust and TypeScript interfaces, and document reverse-proxy usage in the README

## 2026-03-29 - 1.8.0 - feat(auth,client-registry)

add Noise IK client authentication with managed client registry and per-client ACL controls

- switch the native tunnel handshake from Noise NK to Noise IK and require client keypairs in client configuration
- add server-side client registry management APIs for creating, updating, disabling, rotating, listing, and exporting client configs
- enforce client authorization from the registry during handshake and expose authenticated client metadata in server client info
- introduce per-client security policies with source/destination ACLs and per-client rate limit settings
- add Rust ACL matching support for exact IPs, CIDR ranges, wildcards, and IP ranges with test coverage

## 2026-03-29 - 1.7.0 - feat(rust-tests)

add end-to-end WireGuard UDP integration tests and align TypeScript build configuration

- Add userspace Rust end-to-end tests that validate WireGuard handshake, encryption, peer isolation, and preshared-key data exchange over real UDP sockets.
- Update the TypeScript build setup by removing the allowimplicitany build flag and explicitly including Node types in tsconfig.
- Refresh development toolchain versions to support the updated test and build workflow.

## 2026-03-29 - 1.6.0 - feat(readme)

document WireGuard transport support, configuration, and usage examples

- Expand the README from dual-transport to triple-transport support by adding WireGuard alongside WebSocket and QUIC
- Add client and server WireGuard examples, including live peer management and .conf generation with WgConfigGenerator
- Document new WireGuard-related API methods, config fields, transport modes, and security model details

## 2026-03-29 - 1.5.0 - feat(wireguard)

add WireGuard transport support with management APIs and config generation

- add Rust WireGuard module integration using boringtun and route management through client/server management handlers
- extend TypeScript client and server configuration schemas with WireGuard-specific options and validation
- add server-side WireGuard peer management commands including keypair generation, peer add/remove, and peer listing
- export a WireGuard config generator for producing client and server .conf files
- add WireGuard-focused test coverage for config validation and config generation

## 2026-03-21 - 1.4.1 - fix(readme)

preserve markdown line breaks in feature list

- Adds trailing spaces to the README feature list so each highlighted capability renders on its own line.

## 2026-03-19 - 1.4.0 - feat(vpn transport)

add QUIC transport support with auto fallback to WebSocket

- introduces a transport abstraction in the Rust daemon so client and server can operate over WebSocket or QUIC
- adds dual-mode server configuration with websocket, quic, and both transport modes plus QUIC idle timeout and listen address options
- adds client transport selection with auto mode that attempts QUIC first and falls back to WebSocket
- adds QUIC certificate hash pinning support and required Rust dependencies for QUIC and TLS
- updates TypeScript interfaces, config validation, tests, and documentation to cover the new transport modes

## 2026-03-17 - 1.3.0 - feat(tests,client)

add flow control and load test coverage and honor configured keepalive intervals

- Adds end-to-end node tests for client/server flow control, keepalive exchange, connection quality telemetry, rate limiting, concurrent clients, and disconnect tracking.
- Adds load testing with throttled proxy scenarios to validate behavior under constrained bandwidth and repeated client churn.
- Updates the Rust client to pass configured keepaliveIntervalSecs into the adaptive keepalive monitor instead of always using defaults.

## 2026-03-15 - 1.2.0 - feat(readme)

document QoS, telemetry, MTU, and rate limiting capabilities in the README

- Expand the architecture and feature overview to cover adaptive keepalive, telemetry, QoS, rate limiting, and MTU handling
- Update client and server examples to show new APIs such as getConnectionQuality(), getMtuInfo(), setClientRateLimit(), and getClientTelemetry()
- Add TypeScript interface documentation for connection quality, MTU info, enriched client statistics, and per-client telemetry

## 2026-03-15 - 1.1.0 - feat(rust-core)

add adaptive keepalive telemetry, MTU handling, and per-client rate limiting APIs

- adds adaptive keepalive monitoring with RTT, jitter, loss, and link health reporting to client statistics and management endpoints
- introduces MTU overhead calculation and oversized-packet handling support, plus client MTU info APIs
- adds token-bucket rate limiting with configurable default limits and server management commands to set, remove, and inspect per-client telemetry
- extends TypeScript client and server interfaces with connection quality, MTU, and client telemetry methods

## 2026-02-27 - 1.0.3 - fix(build)

add aarch64 linker configuration for cross-compilation

- Added rust/.cargo/config.toml to configure linker for target aarch64-unknown-linux-gnu
- Sets linker to 'aarch64-linux-gnu-gcc' to enable cross-compilation to ARM64

## 2026-02-27 - 1.0.2 - fix()

no changes detected - no code or content modifications

## 2026-02-27 - 1.0.1 - fix(release)

bump patch version (no code changes)

- No changes detected in the provided git diff
- Current package.json version is 1.0.0
- Recommend patch bump to 1.0.1 to create a release/trivial update

## 2026-02-27 - 1.0.0 - initial release

Initial commit creating the project repository and baseline files.

- Initial project scaffold and configuration
- Repository initialized with base files and metadata