
Releases: netbirdio/netbird

v0.65.1

14 Feb 19:34
68c481f


What's Changed

  • [misc] Fix reverse proxy getting started messaging by @braginini in #5317
  • [management] Move service reload outside transaction in account settings update by @bcmmbaga in #5325

Full Changelog: v0.65.0...v0.65.1

v0.65.0

13 Feb 19:01
f531555


Release Notes for v0.65.0

What's New

🔀 Reverse Proxy

NetBird now includes a built-in reverse proxy in the management server, enabling proxied access to backend services through your NetBird network. This lets you expose services to the public, with the option to secure them with SSO, PINs, or passwords.

No VPN client required for end users. Just point a custom domain at your NetBird server, configure the proxy in the dashboard, and your internal services are securely accessible from any browser. Think of it as a self-hosted alternative to Cloudflare Tunnels, but without the MITM and fully under your control.

Key features:

  • Custom domains - Map your own domains to internal services and let NetBird handle TLS and routing via CNAME verification
  • Built-in authentication - Protect exposed services with SSO (via your configured IdP), PIN codes, passwords, or magic links directly from the dashboard
  • Multiple targets - Route traffic to one or more backend peers or resources with optional path-based routing
  • Access logs - Monitor who's accessing your proxied services with built-in logging
  • Proxy settings - Fine-tune behavior with options like host header passthrough and redirect rewriting

Add a Service

Expose any internal service by selecting a subdomain and adding one or more backend targets. Each target points to a peer or resource on your network.


Custom Domains

Bring your own domain by adding a CNAME record pointing to your NetBird proxy cluster. NetBird handles TLS certificate provisioning automatically.


Authentication

Secure your exposed services with multiple authentication methods. Enable one or combine several for layered protection.


Settings

Fine-tune proxy behavior with options like passing the original Host header to your backend or rewriting redirect URLs to use the public domain.
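As an added illustration of the two settings just described (this is example code written for this page, not NetBird's proxy implementation), the following Go program wires one backend behind a public domain with net/http/httputil. Without host-header passthrough the backend sees its own address; with it the backend sees the public domain. Redirect rewriting maps a Location header that points at the backend back to the public domain. The option names, the public domain app.example.com, and the backend's behaviour (it records the Host header it received and answers with a redirect to its own absolute URL) are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// ProxyOptions names the two settings discussed above. The field names are
// illustrative, not NetBird's configuration keys.
type ProxyOptions struct {
	PassHostHeader   bool // send the public Host header to the backend unchanged
	RewriteRedirects bool // rewrite Location headers that point at the backend
}

// NewServiceProxy wires one backend target behind a public domain.
func NewServiceProxy(backend *url.URL, publicScheme, publicHost string, opts ProxyOptions) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	base := proxy.Director
	proxy.Director = func(req *http.Request) {
		base(req) // points req.URL at the backend; req.Host stays as received
		if !opts.PassHostHeader {
			// Default: the backend sees its own hostname rather than the public domain.
			req.Host = backend.Host
		}
	}
	proxy.ModifyResponse = func(resp *http.Response) error {
		if !opts.RewriteRedirects {
			return nil
		}
		loc := resp.Header.Get("Location")
		if loc == "" {
			return nil
		}
		u, err := url.Parse(loc)
		if err != nil || u.Host != backend.Host {
			return nil // relative or third-party redirect: leave it alone
		}
		u.Scheme, u.Host = publicScheme, publicHost
		resp.Header.Set("Location", u.String())
		return nil
	}
	return proxy
}

// TripResult records what one request produced.
type TripResult struct {
	BackendHost string // host:port of the constructed backend
	HostSeen    string // Host header the backend received
	Location    string // Location header the client received
}

// RoundTrip stands up a constructed backend that records the Host header it
// sees and answers every request with a redirect to its own absolute URL, then
// sends one request for app.example.com through the proxy.
func RoundTrip(opts ProxyOptions) (TripResult, error) {
	var res TripResult
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res.HostSeen = r.Host
		http.Redirect(w, r, "http://"+res.BackendHost+"/dashboard", http.StatusFound)
	}))
	defer backend.Close()
	backendURL, err := url.Parse(backend.URL)
	if err != nil {
		return res, err
	}
	res.BackendHost = backendURL.Host

	front := httptest.NewServer(NewServiceProxy(backendURL, "https", "app.example.com", opts))
	defer front.Close()

	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // keep the 302 instead of following it
	}}
	req, err := http.NewRequest(http.MethodGet, front.URL+"/login", nil)
	if err != nil {
		return res, err
	}
	req.Host = "app.example.com" // what a browser sends once the custom domain points here
	resp, err := client.Do(req)
	if err != nil {
		return res, err
	}
	resp.Body.Close()
	res.Location = resp.Header.Get("Location")
	return res, nil
}

func main() {
	for _, opts := range []ProxyOptions{{}, {PassHostHeader: true, RewriteRedirects: true}} {
		res, err := RoundTrip(opts)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		fmt.Printf("%+v -> backend saw Host=%q, client got Location=%q\n", opts, res.HostSeen, res.Location)
	}
}
```

The redirect rewrite only touches Location values whose host is the backend's own address; relative redirects and redirects to third-party sites pass through unchanged, which is the conservative choice for a proxy that fronts arbitrary services.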


Learn more:

NetBird cloud support is coming soon, with hosted reverse proxy nodes.

🏗️ Self-Hosted Improvements

  • Added combined NetBird server binary for simplified self-hosted deployments, reducing the number of containers needed to run NetBird.
    #5232

🔒 Management Improvements

  • Enforced access control on accessible peers, ensuring proper authorization checks when querying the accessible peers endpoint.
    #5301
  • Added cloud API spec to the public OpenAPI definition with REST client support.
    #5222

🖥️ Client Improvements

  • Added early message buffer for the relay client, preventing message loss during connection establishment.
    #5282
  • Refactored relay connection container for improved reliability and code maintainability.
    #5271

What's Changed

Full Changelog: v0.64.6...v0.65.0

v0.64.6

12 Feb 08:33
3dfa97d


Release Notes for v0.64.6

What's New

🚨 Security Fix

Security: Fixed account impersonation validation in management API

Fixed a vulnerability in the management server's authentication middleware where the ?account= query parameter could be used to impersonate arbitrary accounts without proper validation when getting the list of accessible peers. Exploitation requires prior knowledge of the target account ID and peer ID.

The fix adds explicit validation via IsValidChildAccount() before allowing account switching. Account impersonation is now only permitted when the target account is confirmed as a legitimate child account of the requesting user's parent account.

Affected component: Management server HTTP middleware (auth_middleware.go) and /api/peers/<peer_id>/accessible-peers endpoint

Severity: High — an authenticated user could potentially access or act on behalf of accounts they should not have access to by passing an arbitrary account parameter and fetching the list of accessible peers.

Recommendation: All self-hosted deployments should upgrade to this version.
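To make the fixed rule concrete, here is an added Go example (written for this page; it is not NetBird's middleware) of an account-scope check of the kind described above, with the unvalidated rule beside the hardened one. The v0.64.5 entry further down describes the same class of flaw. IsValidChildAccount is the name the notes give; its body here, the Directory store, the Caller type, the AccountScope middleware, the Probe helper, the peer ID peer-1 and the account IDs are all constructed for the demonstration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Directory is a constructed stand-in for the account store: it maps each
// account ID to its parent account ID ("" for a top-level account).
type Directory map[string]string

// IsValidChildAccount reports whether target is registered as a child of
// parent. The name follows the release notes; the body is a constructed stand-in.
func (d Directory) IsValidChildAccount(parent, target string) bool {
	p, ok := d[target]
	return ok && p != "" && p == parent
}

// Caller is what the authentication step established from the bearer token.
type Caller struct {
	UserID    string
	AccountID string // the account the token was issued for
}

var ErrForbidden = errors.New("account switch not permitted")

// effectiveAccountUnsafe reproduces the flaw described above: the ?account=
// value is trusted as-is, so any account ID the caller happens to know is used.
func effectiveAccountUnsafe(c Caller, requested string) (string, error) {
	if requested == "" {
		return c.AccountID, nil
	}
	return requested, nil
}

// EffectiveAccount is the hardened rule: a switch is honoured only when the
// requested account is a verified child of the caller's own account.
func EffectiveAccount(d Directory, c Caller, requested string) (string, error) {
	if requested == "" || requested == c.AccountID {
		return c.AccountID, nil
	}
	if !d.IsValidChildAccount(c.AccountID, requested) {
		return "", ErrForbidden
	}
	return requested, nil
}

type ctxKey struct{}

// AccountScope resolves the effective account for the request and rejects
// invalid switches with 403 before the handler runs.
func AccountScope(d Directory, authn func(*http.Request) (Caller, bool), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := authn(r)
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		acct, err := EffectiveAccount(d, c, r.URL.Query().Get("account"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, acct)))
	})
}

// Probe sends one request through the middleware as the given caller with the
// given ?account= value; it returns the status code and the account the
// handler was scoped to.
func Probe(d Directory, c Caller, requested string) (int, string) {
	var seen string
	h := AccountScope(d,
		func(*http.Request) (Caller, bool) { return c, true }, // constructed: token already verified
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			seen, _ = r.Context().Value(ctxKey{}).(string)
			w.WriteHeader(http.StatusOK)
		}))
	req := httptest.NewRequest(http.MethodGet, "/api/peers/peer-1/accessible-peers?account="+requested, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	dir := Directory{"acct-parent": "", "acct-child": "acct-parent", "acct-other": ""} // constructed
	c := Caller{UserID: "user-1", AccountID: "acct-parent"}
	for _, want := range []string{"", "acct-child", "acct-other"} {
		code, seen := Probe(dir, c, want)
		fmt.Printf("account=%q -> %d, scoped to %q\n", want, code, seen)
	}
	acct, _ := effectiveAccountUnsafe(c, "acct-other")
	fmt.Println("unvalidated rule would have scoped the request to:", acct)
}
```

The check is deliberately asymmetric: a user in a child account cannot switch to the parent, and an account the directory does not know is rejected the same way as an unrelated one, so the response does not reveal whether the requested ID exists.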

Client Improvements

  • Added missing BSD flags to the debug bundle.
    #5254
  • Cached the result of wgInterface.ToInterface() using sync.Once for better performance.
    #5256
  • Fixed nil pointer panic in the ICE agent during sleep/wake cycles.
    #5261
  • Always log DNS forwarder responses for improved troubleshooting.
    #5262
  • Fixed netstack detection and added a WireGuard port option.
    #5251
  • Corrected wrong URL logging for DefaultAdminURL.
    #5252
  • Added timing measurements to handleSync for better observability.
    #5228
  • Fixed duplicate firewall rules in USP filter.
    #5269
  • Added environment variable to skip DNS probing when needed.
    #5270
  • Fixed race condition and ensured correct message ordering in Relay.
    #5265
  • Ensured login is checked in foreground mode when required.
    #5295
  • Fixed multiple panics in device and engine code.
    #5287
  • Cleaned up stale nftables entries without handle.
    #5272

Management Improvements

  • Fixed incorrectly setting disconnected status for connected peers.
    #5247
  • Added gRPC debounce for message types to reduce noise.
    #5239
  • Added validation of stream start time for connecting peers.
    #5267
  • Fixed ischild check logic.
    #5279

New Contributors

Full Changelog: v0.64.5...v0.64.6

v0.64.5

03 Feb 16:50
6fdc00f


What's Changed

🚨 Security Fix

  • Management API authorization bypass (CWE-639) — A flaw in the management API auth middleware allowed an authenticated user to bypass account-membership checks and RBAC enforcement via a manipulated request parameter. In multi-account deployments this could enable cross-account access; in single-account deployments it could relax per-user authorization checks. All self-hosted users should upgrade immediately. Fix by @pascal-fischer in
    #5246

Other Changes

Full Changelog: v0.64.4...v0.64.5


Key changes from your draft:

  • Moved the CVE fix into its own Security Fix section so it stands out
  • Added a plain-English description of the impact without revealing the exploit mechanism (no mention of ?account, IsChild, or specific code paths)
  • Added the "All self-hosted users should upgrade immediately" call to action
  • Kept the PR attribution to @pascal-fischer
  • You can add [CVE-YYYY-XXXXX] once the CVE ID is assigned

v0.64.4

01 Feb 14:49
8931293


What's Changed

Full Changelog: v0.64.3...v0.64.4

v0.64.3

29 Jan 18:14
5333e55


Release Notes for v0.64.3

What's New

Client Improvements

  • Removed redundant square bracket trimming in USP endpoint parsing.
    #5197
  • Refactored and optimized raw socket header handling for better performance.
    #5174
  • Ensured NetBird stops on firewall initialization failure to avoid undefined states.
    #5208
  • Fixed WireGuard watcher missing the initial handshake.
    #5213

Management Improvements

  • Fixed ephemeral peers not being removed correctly.
    #5203
  • Fixed skipping ephemeral peers on deletion.
    #5206
  • Streamlined domain validation logic.
    #5211

Full Changelog: v0.64.2...v0.64.3

v0.64.2

27 Jan 11:32
06966da


Release Notes for v0.64.2

What's New

Client Improvements

  • Consolidated authentication logic to improve maintainability and consistency.
    #5010
  • Added IPv6 support to the UDP WireGuard proxy.
    #5169
  • Fixed a flaky JWT SSH test to improve CI stability.
    #5181
  • Updated Fyne UI and added retry handling to the exit menu.
    #5187
  • Prevented eBPF traffic from being tracked in conntrack.
    #5166
  • Added support for non-PTY, no-command interactive SSH sessions.
    #5093

Management & Identity

  • Fixed validator warning messages to improve clarity.
    #5168
  • Improved peer deletion error handling.
    #5188
  • Included default groups claim in the CLI audience.
    #5186
  • Added user invite link support for the embedded IdP.
    #5157

Full Changelog: v0.64.1...v0.64.2

v0.64.1

23 Jan 18:08
6721101


Release Notes for v0.64.1

What's New

Client Improvements

  • Fixed RFC 4592 wildcard matching for existing domain names.
    #5145
  • Extended the WireGuard watcher to also monitor ICE connections.
    #5133
  • Added IPv6 support to userspace bind.
    #5147
  • Fixed IPv4-only limitation in the bind proxy.
    #5154
  • Improved DNS reliability by trying the next upstream on SERVFAIL / REFUSED responses.
    #5163
  • Hid forwarding rules from status output when the count is zero.
    #5149
  • Added CPU profiling to the debug bundle.
    #4700
  • Fixed health result reporting in the debug bundle.
    #5164
  • Changed the default Rosenpass log level.
    #5137
  • Fixed exit node menu behavior on reconnect and removed tooltips in the GUI.
    #5167

Management Enhancements

  • Fixed activity event initiator reporting for user group changes.
    #5152
  • Ensured ephemeral peers are correctly added to the ephemeral list on login.
    #5165
  • Moved activity store encryption into the shared crypt package.
    #5111

Full Changelog: v0.64.0...v0.64.1

v0.64.0

20 Jan 18:05
e019988


Release Notes for v0.64.0

What's New

Debugging & Observability

  • Added the ability to trigger debug bundle generation directly from the API and Dashboard.
    #4832

Client Improvements

  • Improved error handling by adjusting notifyDisconnected behavior on receiveJobRequest failures.
    #5138
  • Added support for wildcard custom DNS records.
    #5125
  • Fixed profile switching issues and repeated down / up command failures.
    #5142
  • Fixed Rosenpass connectivity issues for Android peers.
    #5044

Management Enhancements

  • Added support for local user password changes when using the embedded IdP.
    #5132
  • Included missing activity events in management API responses.
    #5140

Infrastructure

  • Added embedded STUN support to the getting-started setup to simplify initial deployments.
    #5141

Full Changelog: v0.63.0...v0.64.0

v0.63.0

16 Jan 17:37
245481f


Release Notes for v0.63.0

What's New

Custom DNS Zones

NetBird now supports private DNS zones, allowing you to host DNS records directly within your network without external DNS servers.

Create zones like internal.company.io, add A, AAAA, or CNAME records, and distribute them to specific peer groups. Resolution happens locally on peers, and records propagate automatically when group membership changes. With search domain support enabled, peers can query short names like api instead of the full api.internal.company.io.

Custom zones take precedence over nameserver configurations, giving you control over how specific domains resolve within your network. This works well with routed networks—map friendly names to private IPs behind routing peers, and NetBird handles both DNS resolution and traffic routing. Your teams access postgres.internal instead of remembering 192.168.0.68.

Zone distribution is group-based, so different teams can see different records for the same zone, or have access to entirely separate zones.
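The three behaviours described above (custom zones before nameserver configuration, search-domain expansion of short names, and group-based zone distribution) can be shown in one small resolver. The Go program below is an added example written for this page, not NetBird's DNS code; the Zone, Resolver and Upstream types, the sample zones and records, the search domain, the peer groups ops and dev, and the upstream answers (documentation addresses from 203.0.113.0/24) are all constructed. The search-domain rule (expand only single-label names) and the fall-through to upstream when a zone has no matching record are simplifications chosen for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Zone is one private DNS zone with the peer groups it is distributed to.
// Records are keyed by owner label relative to the zone, then by record type.
type Zone struct {
	Name    string
	Groups  []string
	Records map[string]map[string][]string // "api" -> "A" -> {"100.64.0.10"}
}

// Upstream is a constructed stand-in for the peer's nameserver configuration.
type Upstream func(fqdn, rtype string) ([]string, bool)

// Resolver consults custom zones before upstream and expands short names
// with the configured search domains.
type Resolver struct {
	Zones         []Zone
	SearchDomains []string
	Upstream      Upstream
}

func (z Zone) visibleTo(peerGroups []string) bool {
	for _, g := range peerGroups {
		for _, zg := range z.Groups {
			if g == zg {
				return true
			}
		}
	}
	return false
}

// candidates expands a single-label name with each search domain; a name that
// already contains a dot is tried as given.
func (r Resolver) candidates(name string) []string {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	if strings.Contains(name, ".") {
		return []string{name}
	}
	var out []string
	for _, sd := range r.SearchDomains {
		out = append(out, name+"."+strings.Trim(strings.ToLower(sd), "."))
	}
	return append(out, name)
}

// Resolve returns the answer and its source: "zone:<name>" or "upstream".
func (r Resolver) Resolve(peerGroups []string, name, rtype string) ([]string, string, bool) {
	for _, fqdn := range r.candidates(name) {
		for _, z := range r.Zones {
			apex := strings.ToLower(strings.TrimSuffix(z.Name, "."))
			if !z.visibleTo(peerGroups) || !strings.HasSuffix(fqdn, "."+apex) {
				continue // zone not distributed to this peer, or name outside the zone
			}
			label := strings.TrimSuffix(fqdn, "."+apex)
			if vals, ok := z.Records[label][rtype]; ok {
				return vals, "zone:" + z.Name, true // custom zone wins over upstream
			}
		}
		if r.Upstream != nil {
			if vals, ok := r.Upstream(fqdn, rtype); ok {
				return vals, "upstream", true
			}
		}
	}
	return nil, "", false
}

// DemoResolver builds the constructed setup: one zone visible to ops and dev,
// a staging zone visible only to dev, and an upstream that also answers for
// api.internal.company.io (differently) to show that the zone takes precedence.
func DemoResolver() Resolver {
	upstream := map[string][]string{
		"api.internal.company.io": {"203.0.113.10"}, // stale public answer; must lose to the zone
		"example.com":             {"203.0.113.5"},
	}
	return Resolver{
		Zones: []Zone{
			{Name: "internal.company.io", Groups: []string{"ops", "dev"}, Records: map[string]map[string][]string{
				"api":      {"A": {"100.64.0.10"}},
				"postgres": {"A": {"192.168.0.68"}},
			}},
			{Name: "staging.company.io", Groups: []string{"dev"}, Records: map[string]map[string][]string{
				"db": {"A": {"10.10.0.5"}},
			}},
		},
		SearchDomains: []string{"internal.company.io"},
		Upstream: func(fqdn, rtype string) ([]string, bool) {
			if rtype != "A" {
				return nil, false
			}
			v, ok := upstream[fqdn]
			return v, ok
		},
	}
}

func main() {
	r := DemoResolver()
	queries := []struct {
		groups []string
		name   string
	}{
		{[]string{"ops"}, "api"},
		{[]string{"ops"}, "postgres"},
		{[]string{"ops"}, "db.staging.company.io"},
		{[]string{"dev"}, "db.staging.company.io"},
		{[]string{"ops"}, "example.com"},
	}
	for _, q := range queries {
		vals, src, ok := r.Resolve(q.groups, q.name, "A")
		fmt.Printf("groups=%v %-25s -> %v (found=%t, source=%s)\n", q.groups, q.name, vals, ok, src)
	}
}
```

A peer in the ops group resolves api and postgres through the search domain and never sees the staging zone, while a dev peer gets db.staging.company.io from the zone; a name no visible zone covers goes to upstream.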

Use Cases

  • Environment separation — Distinct zones for production, staging, and development, distributed only to relevant teams
  • Routed network resources — DNS names for services in data centers or cloud VPCs accessed through routing peers
  • Split-horizon DNS — Internal-only resolution for domains that resolve differently outside your network

Screenshots (images not reproduced here): Create a new Zone; Create a new record; View all records.

Learn more at:

Custom Zones
DNS Aliases for Routed Networks

DNS & Networking Improvements

  • Ensured musl compatibility by chasing CNAMEs in the local resolver.
    #5046
  • Improved DNS resolution flow by falling through the DNS chain for custom DNS zones.
    #5081
  • Changed priority between local and DNS route handlers for more predictable routing.
    #5106
  • Fixed netstack upstream DNS handling and added WASM debug methods.
    #4648

Client Improvements

  • Fixed WASM peer connections to lazy peers.
    #5097
  • Added fallback handling for invalid loginuid in ui-post-install.sh.
    #5099
  • Removed duplicate audience checks in the client.
    #5117

Management Enhancements

  • Added Custom DNS zones support.
    #4849
  • Added configuration compatibility checks during startup.
    #5087
  • Optimized external cache access by fetching all users in a single request.
    #5104
  • Adapted rate limiting behavior.
    #5080
  • Fixed SSH server audience validation across management and client.
    #5105
  • Skipped email_verified validation when not present in IdP responses.
    #5118
  • Added IdP timeout configuration via environment variable.
    #4647

Infrastructure & Security

  • Introduced embedded STUN support for relay and STUN components.
    #5062
  • Added a Quickstart reverse proxy assistant to simplify initial setup.
    #5100
  • Upgraded Alpine Linux from 3.22.2 to 3.23.2 for security hardening.
    #5119

Other Changes

  • Added a hiring announcement with a link to careers.netbird.io.
    #5095

New Contributors

Full Changelog: v0.62.2...v0.63.0