Releases: netbirdio/netbird

v0.67.0

23 Mar 10:49
fd9d430

Release Notes for v0.67.0

What's New

Major Networking & Proxy Enhancements

  • Introduced Layer 4 (L4) capabilities (TLS/TCP/UDP) across client, management, and proxy.
    #5530
  • Added header-based authentication, access restrictions, and session idle timeout for proxy services.
    #5587
  • Added support for wildcard certificates and improved certificate handling (read from disk if available).
    #5583
    #5574
  • Added require_subdomain capability for proxy clusters.
    #5628
  • Improved proxy reliability with domain switching fixes and recovery after cleanup.
    #5585
    #5617

Dashboard support and documentation update are coming soon.

Client Improvements

  • Added client metrics support and enhanced observability.
    #5512
  • Added health check flag and daemon status output to netbird status.
    #5650
  • Restart engine automatically when peer IP changes.
    #5614
  • Improved DNS handling, IPv6 formatting, and probe thread safety.
    #5603
    #5576
  • Added MTU option and DNSLabels support to embedded client.
    #5550
    #5493
  • Refactored auto-update workflow and simplified container entrypoint.
    #5448
    #5652
  • Fixed multiple issues including duplicate logs, firewall init behavior, and container logging.
    #5609
    #5621
  • Additional client fixes and improvements.
    #5510
    #5613
    #5622
  • Updated gvisor to build with Go 1.26.x.
    #5447

Management Improvements

  • Added reverse proxy cluster APIs and domain-based targeting.
    #5611
    #5612
  • Improved concurrency handling and proxy exclusions from peer approval.
    #5584
    #5588

Proxy Enhancements

  • Added log-level flag and usage improvements.
    #5594

Security & Packaging

  • Added GPG signing key support for RPM packages.
    #5581

Miscellaneous

  • Added image build after merge to main workflow.
    #5605
  • Added netbird-tui to community projects.
    #5568

Full Changelog: v0.66.4...v0.67.0

v0.66.4

11 Mar 18:48
b5489d4

Release Notes for v0.66.4

What's New

Management Improvements

  • Create a shallow copy of the account when buffering to improve memory safety and performance.
    #5572

  • Set network map components by default and optimize memory usage.
    #5575

Self-Hosted Improvements

  • Removed extra proxy domain instructions from the getting started guide to simplify setup.
    #5573

Full Changelog: v0.66.3...v0.66.4

v0.66.3

09 Mar 20:11
5585adc

Release Notes for v0.66.3

What's New

Client Improvements

  • Fixed "reset connection" error after wake from sleep to improve reconnection stability.
    #5522
  • Fixed exit node menu not refreshing on Windows.
    #5553

Management Improvements

  • Added per-target options to the reverse proxy (management + proxy).
    #5501
  • Avoided breaking single account mode when switching domains.
    #5511
  • Added stable domain resolution for the combined server.
    #5515
  • Fixed domain uniqueness validation.
    #5529
  • Added activity events for domain operations.
    #5548
  • Switched proxy registration to use real IP address.
    #5525
  • Cached PKCE state to improve login flow reliability.
    #5516
  • Count login request duration metrics only for successful logins.
    #5545
  • Aggregated gRPC metrics by account ID.
    #5486

Proxy Improvements

  • Refactored proxy metrics and added usage logs.
    #5533

CI & Misc

  • Added PR title validation workflow.
    #5503

Full Changelog: v0.66.2...v0.66.3

v0.66.2

04 Mar 18:01
8e7b016

What's Changed

  • [management] Store connected proxies in DB by @pascal-fischer in #5472
  • [management] Fix embedded IdP metrics to count local and generic OIDC users by @braginini in #5498
  • [client] Fix SSH JWT auth failure with Azure Entra ID iat backdating by @hbzhost in #5471
  • [misc] Add ISSUE_TEMPLATE configuration file by @mlsmaycon in #5500
  • [management] Replace in-memory expose tracker with SQL-backed operations by @mlsmaycon in #5494

Full Changelog: v0.66.1...v0.66.2

v0.66.1

03 Mar 13:51
05b66e7

Release Notes for v0.66.1

What's New

Client Improvements

  • Fixed server mutex being held across waitForUp in Up(), preventing potential blocking behavior.
    #5460
  • Fixed close-of-closed-channel panic in ConnectClient retry loop.
    #5470
  • Fixed deadlock in route peer status watcher.
    #5489
  • Fixed profile config directory permissions.
    #5457
  • Lowered socket auto-discovery log level from Info to Debug.
    #5463

Management Improvements

  • Prevented deletion of groups linked to flow groups.
    #5439
  • Fixed user update permission validation.
    #5441
  • Added reverse proxy services REST client.
    #5454
  • Added explicit target deletion on service removal.
    #5420

Proxy Improvements

  • Flushed buffer immediately to improve gRPC support.
    #5469

Self-Hosted Enhancements

  • Added support for Embedded IdP PostgreSQL database.
    #5443
  • Allowed specifying SQL file locations for auth, activity, and main stores.
    #5487

Security

  • Upgraded Alpine Linux from 3.23.2 to 3.23.3.
    #5217

Full Changelog: v0.66.0...v0.66.1

v0.66.0

24 Feb 16:28
ef82905

Release Notes for v0.66.0

🚀 New Feature: netbird expose

We're excited to introduce netbird expose - a simple and secure way to expose your local services through the NetBird reverse proxy.

⚡ Expose Local Services with Protection

Expose a local HTTP server:

netbird expose 8080

This instantly publishes your local service via NetBird's reverse proxy.

You can enhance the exposure with built-in protection and customization:

🔐 With PIN protection (6 digits)

netbird expose 3000 --with-pin 123456

🔑 With password protection and name prefix

netbird expose 8080 --with-password my-secret --with-name-prefix my-app

👥 Restrict by SSO user groups

netbird expose 8080 --with-user-groups engineering,devops

🌐 Use a custom domain (pre-configured in your account)

netbird expose 8080 --with-custom-domain app.example.com

Supported Flags

  • --with-pin string - Protect the exposed service with a 6-digit PIN
  • --with-password string - Add password protection
  • --with-user-groups strings - Restrict access to specific user groups
  • --with-custom-domain string - Specify a custom domain
  • --with-name-prefix string - Prefix the generated service name
  • --protocol string - Protocol to use (http or https, default http)

⚠️ NetBird Cloud support is coming soon with hosted proxy nodes. ⚠️

Learn more at: https://docs.netbird.io/manage/reverse-proxy/expose-from-cli

Client Improvements

  • Stopped upstream retry loop immediately on context cancellation.
    #5403
  • Fixed busy-loop in network monitor routing socket on macOS/BSD.
    #5424
  • Fixed missed sleep/wakeup events on macOS.
    #5418
  • Removed connection semaphore to simplify connection handling.
    #5419
  • Skipped UAPI listener in netstack mode.
    #5397
  • Simplified DNS logging by removing domain list from log output.
    #5396
  • Excluded Flow domain from caching to prevent TLS failures.
    #5433
  • Added non-default socket file discovery support.
    #5425

Client Service Expose

  • Introduced client service expose feature across client and management.
    #5411
  • Refactored expose feature by moving business logic from gRPC to manager layer.
    #5435

Proxy Improvements

  • Added access log cleanup.
    #5376
  • Implemented access log sorting.
    #5378
  • Sent proxy updates on account deletion.
    #5375
  • Added pre-shared key (PSK) support to proxy.
    #5377

Management Improvements

  • Refactored network map component assembly.
    #5193
  • Added custom domain counts and service metrics to self-hosted metrics.
    #5414

Self-Hosted Enhancements

  • Added support for activity store engine in the combined server.
    #5406
  • Added Embedded IdP metrics for improved observability.
    #5407

Full Changelog: v0.65.3...v0.66.0

v0.65.3

19 Feb 19:21
f117fc7

Release Notes for v0.65.3

🛡️ Security Fix: Race Condition in Role Update Validation

What was affected

A race condition in the user role validation logic could allow permission checks to succeed based on stale role data. Under very specific timing conditions, concurrent requests during a role change (e.g., while an admin was being demoted to user) could bypass role validation when changing another user's role.

Exploit Potential

If an administrator account was being demoted while simultaneously performing account ownership transfer actions, a race window existed where the system could treat the user as having elevated permissions to change owners.

In a coordinated scenario involving two administrator accounts, this could potentially allow privilege escalation — for example, promoting a user to Owner during the demotion window.

Conditions Required

Exploitation required:

  • Two administrator accounts.
  • One administrator being actively demoted.
  • Concurrent ownership transfer requests executed precisely during the demotion process.
  • Precise timing to trigger the race condition.

This issue required intentional coordination and timing, making it unlikely to occur accidentally, and it requires access to two admin accounts.
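The stale-role check described above, next to a check that re-reads the role in the same critical section as the write. This is an added example, not NetBird's code or its actual fix. The Store type, the account names, and the "Admin or above may set Owner" policy are hypothetical, and Replay fixes the request ordering so the outcome is deterministic.

```go
package main

import "fmt"
import "sync"

// Hypothetical model, not NetBird code. Assumed policy: Admin or above may set Owner.
type Role int
const User, Admin, Owner Role = 0, 1, 2

type Store struct {
	mu    sync.Mutex
	roles map[string]Role
}

// PromoteStale authorizes against a role the handler loaded earlier.
func (s *Store) PromoteStale(loaded Role, target string) bool {
	if loaded < Admin {
		return false
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.roles[target] = Owner
	return true
}

// PromoteChecked re-reads the actor's role in the same critical section as the write.
func (s *Store) PromoteChecked(actor, target string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.roles[actor] < Admin {
		return false
	}
	s.roles[target] = Owner
	return true
}

// Replay fixes the ordering: actor loaded, demotion commits, promotion runs.
func Replay(stale bool) Role {
	s := &Store{roles: map[string]Role{"adminA": Admin, "carol": User}}
	loaded := s.roles["adminA"] // request 1 loads the actor
	s.roles["adminA"] = User    // request 2 commits the demotion
	if stale {
		s.PromoteStale(loaded, "carol")
	} else {
		s.PromoteChecked("adminA", "carol")
	}
	return s.roles["carol"]
}

func main() { fmt.Println(Replay(true), Replay(false)) } // prints "2 0"
```

With a database-backed store the same idea applies by reading the actor's role inside the transaction that performs the update.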

What's New

Client & Mobile Improvements

  • Batched macOS DNS domains to avoid truncation issues.
    #5368
  • Ensured route settlement on iOS before handling DNS responses.
    #5360
  • Added logging of lock acquisition time in message handling for improved observability.
    #5393

Relay Improvements

  • Reduced QUIC initial packet size to 1280 bytes (IPv6 minimum MTU) for better compatibility.
    #5374

Management Improvements

  • Fixed possible race condition on user role change.
    #5395
  • Added docker login step in management tests.
    #5323

Self-Hosted Updates

  • Added a migration script for upgrading from pre-v0.65.0 to post-v0.65.0 combined setup.
    #5350
  • Removed unused configuration example from self-hosted setup.
    #5383

Miscellaneous

  • Updated timestamp format to include milliseconds.
    #5387

Full Changelog: v0.65.2...v0.65.3

v0.65.2

17 Feb 22:16
e9b2a6e

Release Notes for v0.65.2

What's New

Client Improvements

  • Optimized Windows DNS performance with domain batching and batch mode.
    #5264
  • Reset WireGuard endpoint on ICE session changes during relay fallback.
    #5283
  • Refactored WireGuard endpoint setup with role-based proxy activation.
    #5277
  • Exported lazy connection environment variables for mobile clients.
    #5310
  • Ignored false positive lint alert in client code.
    #5370

Proxy & Reverse Proxy

  • Added listener-side Proxy Protocol support and enabled it in Traefik.
    #5332
  • Added WebSocket support to the proxy.
    #5312
  • Removed unused OIDC config flags from proxy configuration.
    #5369
  • Infrastructure updates for proxy components.
    #5365

Management Improvements

  • Fixed UTC difference issue in peer “last seen” status.
    #5348
  • Ensured Management starts even if external IdP is down.
    #5367
  • Added flag to disable the legacy gRPC endpoint.
    #5372

Documentation & Misc

  • Added additional proxy domain instructions.
    #5328
  • Added an extra CNAME configuration example.
    #5341

Full Changelog: v0.65.1...v0.65.2

v0.65.1

14 Feb 19:34
68c481f

What's Changed

  • [misc] Fix reverse proxy getting started messaging by @braginini in #5317
  • [management] Move service reload outside transaction in account settings update by @bcmmbaga in #5325

Full Changelog: v0.65.0...v0.65.1

v0.65.0

13 Feb 19:01
f531555

Release Notes for v0.65.0

What's New

🔀 Reverse Proxy

NetBird now includes a built-in reverse proxy in the management server, enabling proxied access to backend services through your NetBird network. This lets you expose your services to the public, with the option to secure them with SSO, PINs, or passwords.

No VPN client required for end users. Just point a custom domain at your NetBird server, configure the proxy in the dashboard, and your internal services are securely accessible from any browser. Think of it as a self-hosted alternative to Cloudflare Tunnels, but without the MITM and fully under your control.

Key features:

  • Custom domains - Map your own domains to internal services and let NetBird handle TLS and routing via CNAME verification
  • Built-in authentication - Protect exposed services with SSO (via your configured IdP), PIN codes, passwords, or magic links directly from the dashboard
  • Multiple targets - Route traffic to one or more backend peers or resources with optional path-based routing
  • Access logs - Monitor who's accessing your proxied services with built-in logging
  • Proxy settings - Fine-tune behavior with options like host header passthrough and redirect rewriting

Add a Service

Expose any internal service by selecting a subdomain and adding one or more backend targets. Each target points to a peer or resource on your network.

Custom Domains

Bring your own domain by adding a CNAME record pointing to your NetBird proxy cluster. NetBird handles TLS certificate provisioning automatically.

Authentication

Secure your exposed services with multiple authentication methods. Enable one or combine several for layered protection.

Settings

Fine-tune proxy behavior with options like passing the original Host header to your backend or rewriting redirect URLs to use the public domain.

NetBird cloud support is coming soon, with hosted reverse proxy nodes.

🏗️ Self-Hosted Improvements

  • Added combined NetBird server binary for simplified self-hosted deployments, reducing the number of containers needed to run NetBird.
    #5232

🔒 Management Improvements

  • Enforced access control on accessible peers, ensuring proper authorization checks when querying the accessible peers endpoint.
    #5301
  • Added cloud API spec to the public OpenAPI definition with REST client support.
    #5222

🖥️ Client Improvements

  • Added early message buffer for the relay client, preventing message loss during connection establishment.
    #5282
  • Refactored relay connection container for improved reliability and code maintainability.
    #5271

Full Changelog: v0.64.6...v0.65.0