Releases: DefGuard/client
v1.5.3-rc1
⚠️ ⚠️ This is a pre-release ⚠️ ⚠️
This is a pre-release addressing issues found in the stable version of Defguard Client related to DNS on Debian 13.
What's Changed
Other Changes
- Setup ctrl+q keyboard shortcut by @j-chmielewski in #618
- Fix ctrl+q keyboard shortcut by @j-chmielewski in #632
- Backport debian 13 DNS fix by @t-aleksander in #687
Full Changelog: v1.5.1...v1.5.3-rc1
Contributors
Assets 23
v1.6.0-alpha5
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
Other Changes
- Release 1.5 merger by @wojcik91 in #577
- Fix build and cargo dependencies by @moubctez in #580
- Fixes pentest issue DG25-28 from 2025-09-02 by @j-chmielewski in #578
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #582
- Merge main into dev after 1.5.1 release by @j-chmielewski in #592
- Create SBOM files by @j-chmielewski in #593
- CI: scan code with trivy by @j-chmielewski in #594
- Fix RPM package by @moubctez in #595
- Periodic sbom regeneration by @j-chmielewski in #599
- Merge SBOM CI pipelines into main by @j-chmielewski in #600
- Merge release/1.5.2 into main by @wojcik91 in #605
- Fix pnpm build by @moubctez in #606
- BoringTun by @moubctez in #597
- share rust toolchain between nix shell & package by @wojcik91 in #610
- Merge main -> dev after 1.5.2 release by @wojcik91 in #609
- new job for building .deb for ubuntu 22.04 /debian 12 by @jakub-tldr in #611
- fix nix setup for boringtun repo by @wojcik91 in #613
- update aur packages workflow by @jakub-tldr in #614
- Setup ctrl+q keyboard shortcut by @j-chmielewski in #618
- undo unnecessary deletion by @jakub-tldr in #620
- Run AUR workflow only on full release by @jakub-tldr in #619
- APT uploading/signing workflow by @jakub-tldr in #622
- Direct WireGuard management on Windows using wireguard-nt by @j-chmielewski in #626
- client auto-provisioning by @wojcik91 in #627
- Build and sign Defguard client without wireguard binary by @j-chmielewski in #629
- List whole directory by @jakub-tldr in #631
- Fix ctrl+q keyboard shortcut by @j-chmielewski in #632
- refresh tray icon after instance deletion by @jakub-tldr in #639
- OpenID modal refresh by @jakub-tldr in #640
- add Windows provisioning script to MSI installer by @wojcik91 in #625
- Service locations on Windows (Pre-logon, Always-on) by @t-aleksander in #636
- add missing DEB & RPM dependencies by @wojcik91 in #642
- Fix issues related to service locations by @t-aleksander in #643
- Fix issues related to service locations by @t-aleksander in #644
- Add missing sqlx query by @t-aleksander in #646
- Fixes pentest issue DG25-27 from 2025-09-02 by @j-chmielewski in #641
- Add ubuntu 22.04 apt upload pipeline by @jakub-tldr in #645
- Merge main branch into dev before 1.6-alpha release by @j-chmielewski in #649
- Don't log enrollment token by @j-chmielewski in #650
- add admin helper script to generate enrollment tokens by @wojcik91 in #653
- Swift plugin by @moubctez in #630
- Basic client version reporting by @t-aleksander in #658
- add admin helper script for generating enrollment tokens in Entra environments by @wojcik91 in #665
- update helper provisioning scripts to include optional token expiration time by @wojcik91 in #669
- Add global MTU setting by @j-chmielewski in #668
- fix MFA modal error handling by @wojcik91 in #670
- macOS: switch to objc2 by @moubctez in #659
- Workflow: use Tauri action by @moubctez in #673
- Restore MTU by @moubctez in #674
- fix DNS error handling by @wojcik91 in #676
- macOS tunnel statistics by @moubctez in #678
- Fix macOS build after merge by @moubctez in #679
- Implement "force all traffic" enterprise setting by @j-chmielewski in #672
- Cleaner error message by @jakub-tldr in #680
- Fix resolvconf on debian 13 by @t-aleksander in #681
- Sync locations and tunnel with system settings by @moubctez in #684
- Cleanup for Windows by @moubctez in #685
Full Changelog: v1.5.2...v1.6.0-alpha5
Contributors
Assets 21
v1.6.0-alpha4
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha release which is not compatible with 1.5.x ⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
This release focuses on easy installation and automatic configuration of Desktop clients (for large environments/rollouts), including:
🛠️ Introducing service locations on Windows Desktop clients allowing users to connect to a location that, for example, provides access to a remote Active Directory before the computer’s login screen, enabling authentication against AD.
🚗 Introducing Desktop Client Auto Provisioning - on all platforms, additionally for Windows Client we introduced automated enrollment for Active Directory as well as EntraID enrollment.
🪟 Windows Desktop Client has finally an MSI package - see the client 1.6 alpha releases with native Wireguard networking based on WireguardNT. Please read the migration docs.
MacOS Desktop Client introduces native Swift/macOS VPN implementation and will soon be published in Apple macOS Store officially. TestFlight URL: https://testflight.apple.com/join/d4MvaBgw.
🖥️ All desktop Clients now have a new MTU setting available.
- Basic client version reporting by @t-aleksander in #658
- add admin helper script for generating enrollment tokens in Entra environments by @wojcik91 in #665
- update helper provisioning scripts to include optional token expiration time by @wojcik91 in #669
- Add global MTU setting by @j-chmielewski in #668
Full Changelog: v1.6.0-alpha3...v1.6.0-alpha4
Contributors
Assets 21
v1.6.0-alpha3
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is an alpha that will break current client ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
What's Changed
Other Changes
- Release 1.5 merger by @wojcik91 in #577
- Fix build and cargo dependencies by @moubctez in #580
- Fixes pentest issue DG25-28 from 2025-09-02 by @j-chmielewski in #578
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #582
- Merge main into dev after 1.5.1 release by @j-chmielewski in #592
- Create SBOM files by @j-chmielewski in #593
- CI: scan code with trivy by @j-chmielewski in #594
- Fix RPM package by @moubctez in #595
- Periodic sbom regeneration by @j-chmielewski in #599
- Merge SBOM CI pipelines into main by @j-chmielewski in #600
- Merge release/1.5.2 into main by @wojcik91 in #605
- Fix pnpm build by @moubctez in #606
- BoringTun by @moubctez in #597
- share rust toolchain between nix shell & package by @wojcik91 in #610
- Merge main -> dev after 1.5.2 release by @wojcik91 in #609
- new job for building .deb for ubuntu 22.04 /debian 12 by @jakub-tldr in #611
- fix nix setup for boringtun repo by @wojcik91 in #613
- update aur packages workflow by @jakub-tldr in #614
- Setup ctrl+q keyboard shortcut by @j-chmielewski in #618
- undo unnecessary deletion by @jakub-tldr in #620
- Run AUR workflow only on full release by @jakub-tldr in #619
- APT uploading/signing workflow by @jakub-tldr in #622
- Direct WireGuard management on Windows using wireguard-nt by @j-chmielewski in #626
- client auto-provisioning by @wojcik91 in #627
- Build and sign Defguard client without wireguard binary by @j-chmielewski in #629
- List whole directory by @jakub-tldr in #631
- Fix ctrl+q keyboard shortcut by @j-chmielewski in #632
- refresh tray icon after instance deletion by @jakub-tldr in #639
- OpenID modal refresh by @jakub-tldr in #640
- add Windows provisioning script to MSI installer by @wojcik91 in #625
- Service locations on Windows (Pre-logon, Always-on) by @t-aleksander in #636
- add missing DEB & RPM dependencies by @wojcik91 in #642
- Fix issues related to service locations by @t-aleksander in #643
- Fix issues related to service locations by @t-aleksander in #644
- Add missing sqlx query by @t-aleksander in #646
- Fixes pentest issue DG25-27 from 2025-09-02 by @j-chmielewski in #641
- Add ubuntu 22.04 apt upload pipeline by @jakub-tldr in #645
- Merge main branch into dev before 1.6-alpha release by @j-chmielewski in #649
- Don't log enrollment token by @j-chmielewski in #650
- add admin helper script to generate enrollment tokens by @wojcik91 in #653
- Swift plugin by @moubctez in #630
New Contributors
- @jakub-tldr made their first contribution in #611
Full Changelog: v1.5.1...v1.6.0-alpha3
Contributors
Assets 19
v1.6.0-testbuild2
779642b⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a TEST build with fixes for dual-stack statistics ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
v1.6.0-testbuild
27593a0⚠️ ⚠️ ⚠️ ⚠️ ⚠️ This is a TEST build of Windows MSI with new Wireguard low level communication for windows client ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
v1.5.2
This patch for version 1.5 includes fixes for Ubuntu and Fedora packages related to background service socket permissions.
See also: https://docs.defguard.net/support-1/troubleshooting#unix-socket-permission-errors-when-desktop-client-attempts-to-connect-to-vpn-on-linux-machines
This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
What's Changed
- Update dependencies; move nix to workspace; better split() by @moubctez in #450
- Use configured external OIDC Provider for 2FA in client by @t-aleksander in #467
- Bump version to 1.5 by @t-aleksander in #468
- Merge main -> dev post 1.4 release by @wojcik91 in #472
- optimize DB access to avoid write locks by @wojcik91 in #479
- use unix socket for communicating with background service by @wojcik91 in #481
- Handle per-location MFA settings by @wojcik91 in #486
- handle multiple addresses by @wojcik91 in #489
- setup biome for frontend by @wojcik91 in #490
- handle multiple addresses pt2 by @wojcik91 in #491
- fix settings page icon fill by @wojcik91 in #492
- Fix CLI: assign multiple IP addresses and use one network interface name by @moubctez in #504
- Tauri v2 by @moubctez in #512
- Fix tray icon behaviour and close active connections on exit by @moubctez in #513
- Fix windows Quit by @moubctez in #516
- setup AWS CodeBuild for GitHub Actions by @wojcik91 in #517
- Fix deny.toml by @moubctez in #518
- Handle deep-links by @moubctez in #520
- Reflect connection state in system tray by @moubctez in #521
- mfa via mobile device by @filipslezaklab in #519
- Upgrade UI module by @filipslezaklab in #523
- Fix MFA from tray menu by @moubctez in #522
- Fix events by @moubctez in #524
- Fix version for tauri-action by @moubctez in #527
- register totp mfa during account enrollment by @filipslezaklab in #526
- update nix setup for tauri v2 by @wojcik91 in #534
- Build RPM and fix release workflow by @moubctez in #533
- handle token owner validation during instance update by @wojcik91 in #535
- Deep link take 2 by @moubctez in #532
- Make cargo-deny happy again by @moubctez in #536
- add email to enrollment mfa setup by @filipslezaklab in #538
- Tray: omit submenus for one instance by @moubctez in #540
- handle new enrollment configuration by @filipslezaklab in #539
- Fix show/hide by @moubctez in #542
- Deep link fix by @filipslezaklab in #543
- fix deep link reopen in dev mode by @filipslezaklab in #546
- Unminimize on macOS by @moubctez in #548
- Take pathname from deep link by @moubctez in #547
- limit toasts to 5 on screen by @filipslezaklab in #550
- Check version of core and proxy when polling config by @t-aleksander in #549
- fix clipboard hook by @filipslezaklab in #553
- Fixes pentest issue DG25-27 from 2025-09-02 by @wojcik91 in #552
- Inform users about mismatch of UUIDs by @t-aleksander in #556
- Autocorrect UUIDs & fix displaying information that the selected MFA error is not configured by @t-aleksander in #560
- handle WebSocket connection error by @wojcik91 in #567
- Don't report version mismatch if core is not connected by @t-aleksander in #570
- add missing permissions by @filipslezaklab in #574
- Fix MFA connect from tray menu by @moubctez in #575
- Fix build and cargo dependencies by @moubctez in #580
- Fixes pentest issue DG25-28 from 2025-09-02 by @j-chmielewski in #578
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #582
- Fix build and cargo dependencies by @moubctez in #580
- Fixes pentest issue DG25-28 from 2025-09-02 by @j-chmielewski in #578
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #582
- Create SBOM files by @j-chmielewski in #593
- CI: scan code with trivy by @j-chmielewski in #594
- Fix RPM package by @moubctez in #595
- Periodic sbom regeneration by @j-chmielewski in #599
- Merge SBOM CI pipelines into main by @j-chmielewski in #600
Full Changelog: v1.5.0...v1.5.2
Contributors
Assets 23
- 13 MB
2025-10-03T08:26:38Z - 12.3 MB
2025-10-03T08:35:18Z - 17.1 MB
2025-10-03T08:21:19Z - 5.6 KB
2025-12-09T03:01:09Z - 1.55 MB
2025-12-09T03:01:09Z - 10.1 MB
2025-10-03T08:35:23Z - 10.5 MB
2025-10-03T08:21:24Z - 17.1 MB
2025-10-03T08:21:21Z - 17 MB
2025-10-28T09:41:17Z - 12.3 MB
2025-10-03T08:35:20Z -
2025-10-03T08:14:08Z -
2025-10-03T08:14:08Z - Loading
v1.5.1
This patch for version 1.5 includes fixes for vulnerabilities identified during our latest penetration test. As a fully transparent organisation, Defguard publishes a Pentesting Security Report page where you can track the status of our vulnerability fixes.
This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
What's Changed
- Update dependencies; move nix to workspace; better split() by @moubctez in #450
- Use configured external OIDC Provider for 2FA in client by @t-aleksander in #467
- Bump version to 1.5 by @t-aleksander in #468
- Merge main -> dev post 1.4 release by @wojcik91 in #472
- optimize DB access to avoid write locks by @wojcik91 in #479
- use unix socket for communicating with background service by @wojcik91 in #481
- Handle per-location MFA settings by @wojcik91 in #486
- handle multiple addresses by @wojcik91 in #489
- setup biome for frontend by @wojcik91 in #490
- handle multiple addresses pt2 by @wojcik91 in #491
- fix settings page icon fill by @wojcik91 in #492
- Fix CLI: assign multiple IP addresses and use one network interface name by @moubctez in #504
- Tauri v2 by @moubctez in #512
- Fix tray icon behaviour and close active connections on exit by @moubctez in #513
- Fix windows Quit by @moubctez in #516
- setup AWS CodeBuild for GitHub Actions by @wojcik91 in #517
- Fix deny.toml by @moubctez in #518
- Handle deep-links by @moubctez in #520
- Reflect connection state in system tray by @moubctez in #521
- mfa via mobile device by @filipslezaklab in #519
- Upgrade UI module by @filipslezaklab in #523
- Fix MFA from tray menu by @moubctez in #522
- Fix events by @moubctez in #524
- Fix version for tauri-action by @moubctez in #527
- register totp mfa during account enrollment by @filipslezaklab in #526
- update nix setup for tauri v2 by @wojcik91 in #534
- Build RPM and fix release workflow by @moubctez in #533
- handle token owner validation during instance update by @wojcik91 in #535
- Deep link take 2 by @moubctez in #532
- Make cargo-deny happy again by @moubctez in #536
- add email to enrollment mfa setup by @filipslezaklab in #538
- Tray: omit submenus for one instance by @moubctez in #540
- handle new enrollment configuration by @filipslezaklab in #539
- Fix show/hide by @moubctez in #542
- Deep link fix by @filipslezaklab in #543
- fix deep link reopen in dev mode by @filipslezaklab in #546
- Unminimize on macOS by @moubctez in #548
- Take pathname from deep link by @moubctez in #547
- limit toasts to 5 on screen by @filipslezaklab in #550
- Check version of core and proxy when polling config by @t-aleksander in #549
- fix clipboard hook by @filipslezaklab in #553
- Fixes pentest issue DG25-27 from 2025-09-02 by @wojcik91 in #552
- Inform users about mismatch of UUIDs by @t-aleksander in #556
- Autocorrect UUIDs & fix displaying information that the selected MFA error is not configured by @t-aleksander in #560
- Merge release/1.5-alpha to main by @t-aleksander in #557
- handle WebSocket connection error by @wojcik91 in #567
- Don't report version mismatch if core is not connected by @t-aleksander in #570
- add missing permissions by @filipslezaklab in #574
- Fix MFA connect from tray menu by @moubctez in #575
- Fix build and cargo dependencies by @moubctez in #580
- Fixes pentest issue DG25-28 from 2025-09-02 by @j-chmielewski in #578
- Fixes pentest issue DG25-29 from 2025-09-02 by @j-chmielewski in #582
Full Changelog: v1.5.0...v1.5.1
Contributors
Assets 21
v1.5.1-alpha1
This is an alpha release fixing all pentesting issues.
- Release/1.5.1 by @j-chmielewski in #589
Full Changelog: v1.5.0...v1.5.1-alpha1
Contributors
Assets 19
v1.5.0
This is the biggest, most feature packed (and fixes) release we have ever done!
We’ve introduced 11 major features! and nearly 100 bugfixes.
Below you will find a short summary of the most important features. For full release notes, including screenshots and videos showcasing these and other updates, please click here.
📲Long awaited Mobile Clients (supporting External Multi-Factor Authentication and Internal Multi-Factor Authentication) are here!
💫Desktop Client now supports External SSO/IdP MFA
Our innovation: Multi-Factor Authentication for WireGuard® VPN on Desktop Client using Mobile client’s Biometry!
🤝Being a completely open company, we’ve introduced a number of public processes like the Architecture Decision Records and the public pentesting discoveries and fixes page prepared with our security team (as far as we know, we are the only VPN solution to do so).
🚩We’ve also explained in detail, why most WireGuard®-based solutions claiming to have MFA are highly misleading and potentially harmful to user security.
What's Changed
Other Changes
- Update dependencies; move nix to workspace; better split() by @moubctez in #450
- Use configured external OIDC Provider for 2FA in client by @t-aleksander in #467
- Bump version to 1.5 by @t-aleksander in #468
- Merge main -> dev post 1.4 release by @wojcik91 in #472
- optimize DB access to avoid write locks by @wojcik91 in #479
- use unix socket for communicating with background service by @wojcik91 in #481
- Handle per-location MFA settings by @wojcik91 in #486
- handle multiple addresses by @wojcik91 in #489
- setup biome for frontend by @wojcik91 in #490
- handle multiple addresses pt2 by @wojcik91 in #491
- fix settings page icon fill by @wojcik91 in #492
- Fix CLI: assign multiple IP addresses and use one network interface name by @moubctez in #504
- Tauri v2 by @moubctez in #512
- Fix tray icon behaviour and close active connections on exit by @moubctez in #513
- Fix windows Quit by @moubctez in #516
- setup AWS CodeBuild for GitHub Actions by @wojcik91 in #517
- Fix deny.toml by @moubctez in #518
- Handle deep-links by @moubctez in #520
- Reflect connection state in system tray by @moubctez in #521
- mfa via mobile device by @filipslezaklab in #519
- Upgrade UI module by @filipslezaklab in #523
- Fix MFA from tray menu by @moubctez in #522
- Fix events by @moubctez in #524
- Fix version for tauri-action by @moubctez in #527
- register totp mfa during account enrollment by @filipslezaklab in #526
- update nix setup for tauri v2 by @wojcik91 in #534
- Build RPM and fix release workflow by @moubctez in #533
- handle token owner validation during instance update by @wojcik91 in #535
- Deep link take 2 by @moubctez in #532
- Make cargo-deny happy again by @moubctez in #536
- add email to enrollment mfa setup by @filipslezaklab in #538
- Tray: omit submenus for one instance by @moubctez in #540
- handle new enrollment configuration by @filipslezaklab in #539
- Fix show/hide by @moubctez in #542
- Deep link fix by @filipslezaklab in #543
- fix deep link reopen in dev mode by @filipslezaklab in #546
- Unminimize on macOS by @moubctez in #548
- Take pathname from deep link by @moubctez in #547
- limit toasts to 5 on screen by @filipslezaklab in #550
- Check version of core and proxy when polling config by @t-aleksander in #549
- fix clipboard hook by @filipslezaklab in #553
- Fixes pentest issue DG25-27 from 2025-09-02 by @wojcik91 in #552
- Inform users about mismatch of UUIDs by @t-aleksander in #556
- Autocorrect UUIDs & fix displaying information that the selected MFA error is not configured by @t-aleksander in #560
- Merge release/1.5-alpha to main by @t-aleksander in #557
- handle WebSocket connection error by @wojcik91 in #567
- Don't report version mismatch if core is not connected by @t-aleksander in #570
- add missing permissions by @filipslezaklab in #574
- Fix MFA connect from tray menu by @moubctez in #575
Full Changelog: v1.4.0...v1.5.0