Releases: gravitl/netmaker

v1.6.0

12 Jun 07:18
5f20416

Netmaker v1.6.0 Release Notes 🚀

🚀 What’s New

🔁 Site-to-Site ACLs (Beta)

Using Netmaker's Egress function at local sites, paired with local routing rules, you can bridge entire networks (site-to-site). Now, Netmaker allows you to define ACL policies that control what traffic is allowed between these sites.

  • Build site-to-site rules between egress resources on different networks.
  • Combine egress resources, nodes, and specific IPs in a single policy.

🛡️ Egress ACLs with IP Restriction

Netmaker's Egress function forwards traffic to external networks like offices and data centres. Netmaker's Access Controls can now target individual IPs inside of an egress range using the ip ACL target type. This enables you to limit access to specific IPs within an external network.

  • Restrict access to specific endpoints within a larger egress CIDR.
  • Combine egress resources, nodes, tags, and individual IPs in the same policy.

📦 Egress Applications Catalogue (Beta)

Simplified application-aware egress routing with a built-in catalogue of popular SaaS and cloud services.

  • Select from a catalogue of applications, including AWS, Google Cloud, Microsoft 365, Salesforce, GitHub, etc.
  • Create egress resources directly from predefined application templates without manually managing domain lists.
  • Automatically resolve and maintain application domains, ensuring routing policies stay up to date as services evolve.
  • Reduce administrative overhead and improve policy consistency across environments.

⏱️ JIT Group Memberships

Just-In-Time (JIT) access is a workflow within Netmaker where users request temporary access to the network, which is approved by administrators for a predefined time period. JIT access within Netmaker can now be scoped to user groups per network.

  • Enable JIT for all non-admin users, or limit it to selected user groups.
  • Users request access; admins approve or deny with email notifications.
  • Expired grants are cleaned up automatically, and users are notified.

🔗 SIEM Integration

Netmaker provides audit logs of actions and events on the platform. Netmaker can now be integrated with certain providers to forward audit events to your security stack.

  • Supported providers: Splunk, Datadog, Elastic, and Microsoft Sentinel.
  • Events are exported through the SIEM exporter service.

🔑 Default Enrollment Keys

Enrollment keys are how devices join the network via Netclient. Administrators can now designate a default enrollment key for any network in order to simplify device onboarding.

  • Set default enrollment keys per network.
  • Regenerate key tokens without recreating the key.

🗄️ Database Schema Migration

This release introduces schema changes to the following core entities:

  • Nodes
  • Pending Users
  • User Invites
  • Posture Check Violations

Impact:

  • The database structure will be updated automatically during the upgrade.
  • Downgrades may not be supported after migration.

👉 Action Required:

  • Ensure the application starts successfully and migrations are complete.
  • Validate core functionality post-upgrade.

For detailed upgrade steps, refer to the official upgrade documentation:

Server Upgrades v1.5.1+


🧰 Improvements & Fixes

  • Netclient registration UX — Host registration over OAuth/basic auth now returns clear websocket close reasons on failure (auth errors, missing access, posture violations, and server errors).

  • User group management — Streamlined user role permissions, group updates, and role-downgrade handling.

  • Orphan reference cleanup — Removes stale network references left behind after resource deletion.

  • Scalability & reliability — Optimised node status calculation, offline-status hooks, zombie/orphan node cleanup, and ACL cache race fixes.

  • API hardening — Auth rate limiting on REST endpoints and activity-log permission fixes.

  • Egress improvements — CIDR validation for ACL egress IPs, multi-domain egress routing, and domain-answer handling for preset-based egress.

  • Failover removed — Legacy per-node failover APIs and CLI commands have been removed in favour of gateway-based patterns.


🐞 Known Issues

  • IPv6-only machines
    Netclients cannot currently auto-upgrade on IPv6-only systems.

  • Multi-network join performance
    Multi-network netclient joins using an enrollment key still require optimisation.

  • systemd-resolved DNS limitation
    On systems using systemd-resolved in uplink mode, only the first 3 entries in resolv.conf are honoured; additional entries are ignored. This may cause DNS resolution issues. Stub mode is recommended.

  • Windows Desktop App + mixed gateway modes
    When the Windows Desktop App is connected to both:

    • a Full Tunnel Gateway, and
    • a Split Tunnel Gateway

    the gateway monitoring component may disconnect from the Split Tunnel Gateway.

v1.5.1

31 Mar 14:40
f8a0cfd

Netmaker v1.5.1 Release Notes 🚀

⚠️ Migration Notes (Important)

These changes may impact existing deployments. Please review carefully before upgrading.

❗Legacy ACLs Removal

Legacy ACLs have been fully removed as part of the transition to the new access control model.

Impact:

  • Existing configurations using legacy ACLs will no longer function
  • Access behaviour may change after the upgrade

👉 Action Required:

  • Review existing access policies
  • Reconfigure them using the new access control model before upgrading

🗄️ Database Schema Migration

This release introduces schema changes to the following core entities:

  • Users
  • Groups
  • Roles
  • Networks
  • Hosts

Impact:

  • The database structure will be updated automatically during the upgrade.
  • Downgrades may not be supported after migration.

👉 Action Required:

  • Ensure the application starts successfully and migrations are complete
  • Validate core functionality post-upgrade

For detailed upgrade steps, refer to the official upgrade documentation:

Server Upgrades v1.5.1+


🚀 What’s New

🔁 Traffic Logs (Beta)

Traffic Logs have now moved into Beta.

  • Traffic Logs are now enriched with relevant domain tagging, making network activity easier to audit and investigate.

🧰 Improvements & Fixes

  • Scalability & Reliability Improvements
    Introduced a peer update debouncer that coalesces rapid-fire PublishPeerUpdate calls into a single broadcast. A 500ms resettable debounce window, capped by a 3s max-wait deadline, ensures that back-to-back operations (bulk node updates, gateway changes, host deletions) produce one peer update instead of dozens, drastically reducing CPU and MQTT pressure on the control plane.

    Pre-warms peer update caches after each debounced broadcast, so pull requests from hosts are served instantly from cache instead of triggering expensive on-demand computation.

    Batched metrics export to the Netmaker exporter via a periodic ticker instead of publishing on every individual MQTT metrics message, reducing continuous CPU pressure from Prometheus scraping.

  • Database Schema Migration
    Added schema migrations for the Users, Groups, Roles, Networks, and Hosts tables.

  • Deprecated Legacy ACLs
    Legacy ACLs have been fully removed as part of the platform’s transition to the updated access control model.

  • Paginated APIs
    Introduced pagination support for Users and Hosts APIs.

  • DNS
    Added native Active Directory support.

  • Posture Checks
    Nodes can now skip the auto-update check during join, improving join reliability in controlled environments.

  • IDP Sync
    Improved identity provider sync behavior:

    • Synced IDP groups are now denied access by default until explicitly granted.
    • Okta-specific settings are now reset when an IDP integration is removed.

  • HA Setup
    Streamlined high availability (HA) setup and operational workflows.

  • Install Script
    Added on-demand Monitoring Stack installation support via:
    ./nm-quick.sh -m

  • Monitoring Stack
    Updated the monitoring stack to use the official Prometheus and Grafana images.

  • HA Gateways
    Reset the auto-assigned gateway when it is disconnected from the network.
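
The debounce schedule described under Scalability & Reliability Improvements above (a 500ms resettable window capped by a 3s max-wait deadline), as an added Go example. It is not Netmaker's code: the Debouncer type, its methods, Simulate and ConstructedBurst are hypothetical names, and time is passed in explicitly so the schedule can be replayed over constructed trigger times.

```go
package main

import (
	"fmt"
	"time"
)

// Debouncer coalesces bursts of triggers into one broadcast. Each trigger
// pushes the deadline back by window, but never past first+maxWait, so a
// steady stream of triggers cannot postpone the broadcast forever.
type Debouncer struct { // hypothetical type; times are offsets from a start
	window, maxWait time.Duration
	pending         bool
	first, deadline time.Duration
}

// Trigger records a request for a broadcast at time now.
func (d *Debouncer) Trigger(now time.Duration) {
	if !d.pending {
		d.pending, d.first = true, now
	}
	d.deadline = now + d.window
	if limit := d.first + d.maxWait; d.deadline > limit {
		d.deadline = limit
	}
}

// Flush returns the broadcast time once the deadline is reached and clears the burst.
func (d *Debouncer) Flush(now time.Duration) (time.Duration, bool) {
	if !d.pending || now < d.deadline {
		return 0, false
	}
	d.pending = false
	return d.deadline, true
}

// Simulate replays ascending trigger times and returns when broadcasts fire.
func Simulate(triggers []time.Duration, window, maxWait time.Duration) []time.Duration {
	d := &Debouncer{window: window, maxWait: maxWait}
	var fired []time.Duration
	for _, t := range triggers {
		if at, ok := d.Flush(t); ok {
			fired = append(fired, at)
		}
		d.Trigger(t)
	}
	if d.pending { // the last burst fires once its deadline passes
		fired = append(fired, d.deadline)
	}
	return fired
}

// ConstructedBurst returns n triggers spaced every gap (constructed sample input).
func ConstructedBurst(n int, gap time.Duration) []time.Duration {
	out := make([]time.Duration, n)
	for i := range out {
		out[i] = time.Duration(i) * gap
	}
	return out
}

func main() { // constructed input: 40 triggers spread over 3.9s
	fmt.Println(Simulate(ConstructedBurst(40, 100*time.Millisecond), 500*time.Millisecond, 3*time.Second))
}
```

With the constructed burst, 40 triggers arriving every 100ms collapse into two broadcasts: the first is forced by the max-wait cap and the second fires once the window goes quiet.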


🐞 Known Issues

  • IPv6-only machines
    Netclients cannot currently auto-upgrade on IPv6-only systems.

  • Multi-network join performance
    Multi-network netclient joins using an enrollment key still require optimization.

  • systemd-resolved DNS limitation
    On systems using systemd-resolved in uplink mode, only the first 3 entries in resolv.conf are honored; additional entries are ignored. This may cause DNS resolution issues. Stub mode is recommended.

  • Windows Desktop App + mixed gateway modes
    When the Windows Desktop App is connected to both:

    • a Full Tunnel Gateway, and
    • a Split Tunnel Gateway

    the gateway monitoring component may disconnect from the Split Tunnel Gateway.

v1.5.0

11 Feb 18:12
6b7d33f

Netmaker v1.5.0 Release Notes 🚀

🚀 What’s New

🔓 Just-In-Time Access (beta)

  • Time-limited, on-demand network access: users request access, admins approve or deny, and grants expire automatically.

  • Request/approval workflow with configurable grant duration; admins retain full control over who accesses which networks and when.

🔁 Overlapping Egress Ranges (beta)

  • Virtual NAT mode enables multiple egress routers to share overlapping IP ranges by assigning each egress a virtual range from a configurable pool.
  • Configurable per-network IPv4 pool and site prefix length for virtual range allocation.
  • Eliminates routing conflicts when multiple sites need to egress the same destination CIDRs (e.g., multiple offices routing to the same cloud VPC).
  • Supports both direct NAT and virtual NAT modes for flexible egress configurations.

🌍 Gateway Monitoring

  • Desktop App connections automatically fail over to healthy gateway hubs when the primary becomes unavailable.
  • Gateway health is monitored via connectivity checks and last-seen metrics; only online gateways are used for new connections.

🧰 Improvements & Fixes

  • IP Detection Interval: Users can now choose the device endpoint IP detection interval based on their requirements.

  • User Migration: Optimized user migration logic to reduce server startup time.

  • DNS: Global nameservers are now used only if no match-all nameservers are configured; added fallback nameserver configuration.

  • Darwin: Netclients on macOS can now use an internet gateway.

  • GeoLocation: Consolidated IP location API usage with fallbacks.

Known Issues 🐞

  • Netclients cannot auto-upgrade on IPv6-only machines.

  • Multi-network netclient joins using an enrollment key still require optimization.

  • On systems using systemd-resolved in uplink mode, only the first 3 entries in resolv.conf are used and the rest are ignored, which might cause DNS issues. Stub mode is preferred.

  • When a Windows desktop app is connected to a Full Tunnel Gateway and a Split Tunnel Gateway at the same time, the gateway monitoring component would disconnect from the Split Tunnel Gateway.

v1.4.0

22 Dec 16:22
48ba499

Netmaker v1.4.0 Release Notes 🚀

🚀 What’s New

🌍 Posture Checks (beta)

  • Security feature that validates device compliance against configured policies based on device attributes such as OS, OS version, kernel version, client version, geographic location, and auto-update status.
  • Supports tag-based and user group-based assignment of posture checks to specific devices or users.
  • Tracks violations with configurable severity levels and provides real-time evaluation of device compliance.
  • Helps ensure only compliant devices can access network resources.

🔁 Network Traffic Logging (alpha)

  • Comprehensive network flow logging system that captures and stores network traffic metadata.
  • Tracks source and destination IPs, ports, protocols, bytes/packets sent/received, and connection timestamps.
  • Provides API endpoints for querying flow data with filters by network, node, user, protocol, and time range.
  • Enables network administrators to monitor, analyze, and audit network traffic patterns for security and troubleshooting purposes.

🌐 K8s Operator with Cluster Access, Egress and Ingress functionality (beta)

  • Cluster Egress: Expose Netmaker network services to Kubernetes workloads using standard Service names.
  • Cluster Ingress: Expose Kubernetes services to devices on your Netmaker network.
  • API Proxy: Secure access to Kubernetes API servers through Netmaker tunnels with RBAC support.

🔄 Auto Removal of Offline Peers

  • Automatically removes nodes that have been offline for a configurable threshold period.
  • Configurable per network with customizable timeout thresholds (in minutes).
  • Supports tag-based filtering to selectively apply auto-removal to specific device groups.
  • Helps maintain clean network topology by removing stale or abandoned peer connections.

🧩 Onboarding Flow

  • Streamlined user onboarding experience during signup for workspace setup.

🧰 Improvements & Fixes

  • Azure IDP sync: Fixed user sync by group filters.

  • User Migration: Optimised user migration logic to reduce server startup time.

  • Config Files: Avoid auto-enabling configs on user login.

  • Egress Domain Updates: Fixed domain-related issues in egress configurations to ensure consistent routing behavior.

Known Issues 🐞

  • Netclients cannot auto-upgrade on IPv6-only machines.

  • Multi-network netclient joins using an enrollment key still require optimization.

  • On systems using systemd-resolved in uplink mode, only the first 3 entries in resolv.conf are used and the rest are ignored, which might cause DNS issues. Stub mode is preferred.

v1.2.0

07 Nov 05:40
efa84dc

Netmaker v1.2.0 Release Notes 🚀

🚀 What’s New

🌍 Auto-Relays (formerly Failovers)

  • Failovers are now Auto-Relays with High Availability (HA) support.

  • Enables global routing optimization based on real-time latency between peers across regions.

🔁 Gateway High Availability

  • Gateways can now automatically assign peer relays and fallback to healthy nodes when primary gateways become unavailable.

🌐 Egress HA with Latency-Aware Routing

  • Egress gateways now dynamically select the optimal route based on latency, ensuring faster and more resilient connectivity.

🧭 DNS Search Domains

  • Added DNS search domain functionality for simplified hostname resolution across distributed networks.

👥 New User Roles

  • Introduced a User Auditor role for security and compliance use-cases, offering read-only visibility into system activity.

🧩 Onboarding Flow

  • Streamlined user onboarding experience during signup for workspace setup.

⚙️ Dynamic ACL Deprecation

  • Added logic to automatically deprecate outdated ACLs on demand, reducing stale configurations and improving policy hygiene.

🧰 Improvements & Fixes

  • Metrics Enrichment: Enhanced uptime and connection-status data.

  • DNS Control Fixes: Fixed toggle behavior for enabling/disabling Netmaker DNS on hosts.

  • Device Approvals: Improved logic for device approval management.

  • Egress Domain Updates: Fixed domain-related issues in egress configurations to ensure consistent routing behavior.

Known Issues 🐞

  • WireGuard DNS issue on Ubuntu 24.04 and some other newer Linux distributions. The issue affects Netmaker Desktop, previously known as the Remote Access Client (RAC), and plain WireGuard external clients. A workaround can be found at https://help.netmaker.io/en/articles/9612016-extclient-rac-dns-issue-on-ubuntu-24-04.

  • Netclients cannot auto-upgrade on IPv6-only machines.

  • Multi-network netclient joins using an enrollment key still require optimization.

v1.1.0

11 Sep 10:41
18c41f1

Netmaker v1.1.0 Release Notes 🚀

What’s New ✨

  • Okta IDP Integration – Seamless authentication and user provisioning with Okta.

  • Egress Domain-Based Routing – Route traffic based on domain names, not just network CIDRs.

  • DNS Nameservers with Match Domain Functionality – Fine-grained DNS resolution control per domain.

  • Service User Management – Platform Network Admins can now add service users directly to networks.

  • Device Approval Workflow – Require admin approval before devices can join a network.

  • Auto-Created User Group Policies – Automatically generate network access policies for new user groups.

  • User Session Expiry Controls – Set session timeouts for both Dashboard and Client Apps.

Improvements & Fixes 🛠

  • Access Control Lists (ACLs): Enhanced functionality and flexibility.

  • User Management UX: Streamlined workflows for easier administration.

  • IDP User/Group Filtering: Improved filtering capabilities for large organizations.

  • Stability Enhancements: More reliable connections for nodes using Internet Gateways.

Known Issues 🐞

  • WireGuard DNS issue on Ubuntu 24.04 and some other newer Linux distributions. The issue affects Netmaker Desktop, previously known as the Remote Access Client (RAC), and plain WireGuard external clients. A workaround can be found at https://help.netmaker.io/en/articles/9612016-extclient-rac-dns-issue-on-ubuntu-24-04.

  • Inaccurate uptime info in metrics involving IPv4-only and IPv6-only traffic.

  • Netclients cannot auto-upgrade on IPv6-only machines.

  • Multi-network netclient joins using an enrollment key still require optimization.

v1.0.0

26 Jun 06:09
96e2c29

Netmaker v1.0.0

What's New ✨

  • Multi-Factor Authentication (MFA) for user logins – adds an extra layer of security to your accounts.

  • Gateways Unified: Internet Gateways are now merged into the general Gateway feature and available in Community Edition.

  • Improved OAuth & IDP Sync: Simplified and more reliable configuration for identity provider integrations.

  • Global Map View: Visualize all your endpoints and users across the globe in a unified interface.

  • Network Graph Control: Directly control and manage endpoints via the interactive network graph.

  • Site-to-Site over IPv6: IPv4 site-to-site communication over IPv6 Netmaker overlay tunnels.

🛠 Improvements & Fixes

  • Auto-Sync DNS Configs: Multi-network DNS configurations now sync automatically between server and clients.

  • Stability Fixes: Improved connection reliability for nodes using Internet Gateways.

  • LAN/Private Routing Enhancements: Smarter detection and handling of local/private routes, improving peer-to-peer communication in complex network environments.

Known Issues 🐞

  • WireGuard DNS issue on Ubuntu 24.04 and some other newer Linux distributions. The issue affects Netmaker Desktop, previously known as the Remote Access Client (RAC), and plain WireGuard external clients. A workaround can be found at https://help.netmaker.io/en/articles/9612016-extclient-rac-dns-issue-on-ubuntu-24-04.

  • Inaccurate uptime info in metrics involving IPv4-only and IPv6-only traffic.

  • Netclients cannot auto-upgrade on IPv6-only machines.

  • Multi-network netclient joins using an enrollment key still require optimization.

v0.99.0

06 Jun 12:16

Netmaker v0.99.0

What's New ✨

  • IDP Integration: Seamless integration with Google Workspace and Microsoft Entra ID, including automatic synchronization of users and groups.

  • User Activity & Audit Logs: Comprehensive tracking of control plane events such as user management, node changes, ACL modifications, and user access events.

  • Updated Egress UI: A redesigned interface for managing egress gateways for improved usability.

  • User Access API Tokens: Generate and manage API tokens for user-level access and automation.

  • Server Settings via Dashboard: View and configure core server settings directly from the web dashboard.

  • ACLs on Community Edition (Beta): The new version of Access Control Lists is now available in CE as a beta feature.

  • New Metrics Page: Gain better insights with a revamped metrics dashboard.

  • Offline Node Auto-Cleanup: Automatically remove stale or inactive nodes to keep networks clean.

🛠 Improvements & Fixes

  • Optimized DNS Query Handling: Faster and more efficient internal name resolution.

  • Improved Failover Handling: Enhanced stability and signaling for NAT traversal peer connections.

  • User Egress Policies: More granular control over user-level outbound traffic policies.

  • LAN/Private Routing Enhancements: Better detection and handling of local/private endpoint routes during peer communication.

  • Deprecated support for RQlite DB.

Known Issues 🐞

v0.90.0

25 Mar 07:17
06f6f5c

Netmaker v0.90.0

What's New ✨

What's Fixed/Improved 🛠

  • Metrics Data
  • IPv6 DNS Entries.
  • FailOver connection improvements.
  • Optimized Failover peer signalling.
  • Improved Connectivity Status Indicator with real-time troubleshooting help.

Known Issues 🐞

v0.30.0

17 Dec 11:40
b1d813a

Netmaker v0.30.0

What's New ✨

  • All-new Dashboard Navigation
  • Advanced ACL Rules - port, protocol and traffic direction
  • Reduced Firewall Requirements To One Single Port for self-hosted (443 udp/tcp). Netclient will default to using port 443 only to listen over Private IPs if it is available; otherwise, it will use port 51821.
  • Option To Turn Off UDP hole punching, Option To Specify Custom Stun Servers
  • Improved Connectivity Status Indicator With Real-time Troubleshooting Help.

What's Fixed/Improved 🛠

  • Metrics Data
  • Optimised MQ message size
  • FailOver Stability Fixes
  • Scalability Fixes
  • Duplicate Node IP check on update

Known Issues 🐞

  • IPv6 DNS entries are not working.
  • Stale peer on the interface when force-removed from multiple networks at once.
  • WireGuard DNS issue on most flavours of Ubuntu 24.04 and some other newer Linux distributions. The issue affects the Remote Access Client (RAC) and plain WireGuard external clients. A workaround can be found at https://help.netmaker.io/en/articles/9612016-extclient-rac-dns-issue-on-ubuntu-24-04.