What's Changed

• [client] Index peer tunnel IPs for faster PeerStateByIP lookup by @mlsmaycon in #6412

Full Changelog: v0.72.3...v0.72.4

Release Notes for v0.72.3

What's New

Client Improvements

• Added commands to discover and write Kubernetes configuration. experimental
  #6260
• Masked sensitive data during debug bundle creation.
  #6364
• Preserved user deselect-all route preferences across management syncs.
  #6363
• Fixed state manager crashes caused by concurrent iptables map access.
  #6345
• Added WebSocket relay fallback when QUIC datagrams exceed transport limits.
  #6339
• Filtered DNS fallback upstreams matching NetBird server IPs to prevent loops.
  #6183
• Preserved posture checks on configuration-only sync updates.
  #6373
• Improved embedded client shutdown by canceling context before stopping the engine.
  #6397

Management Improvements

• Added IPv6 default permit rules for exit node routes.
  #6368
• Logged user agent information and returned request IDs.
  #6380
• Added version gating to stop sending deprecated RemotePeers field.
  #6371
• Fixed L4 service updates when no custom port is configured.
  #6396

Proxy Enhancements

• Added non-blocking mapping updates.
  #6369
• Improved certificate handling by notifying readiness for domains covered by static certificates.
  #6389
• Switched proxy ID generation to UUIDs.
  #6391

Infrastructure & Tooling

• Improved support for atomic Linux distributions in install scripts and fixed Docker-related issues in getting-started.sh.
  #6139
• Updated the Go toolchain version in go.mod.
  #6377

New Contributors

• @PizzaLovingNerd made their first contribution in #6139
• @bdolgov made their first contribution in #6389

Full Changelog: v0.72.2...v0.72.3

What's Changed

• [management] resolve private services on custom domains in synthesized DNS zones by @mlsmaycon in #6348

Full Changelog: v0.72.1...v0.72.2

What's Changed

• [management] Copy private field on shallowCloneMapping by @mlsmaycon in #6347

Full Changelog: v0.72.0...v0.72.1

Release Notes for v0.72.0

What's New

Private Service Expose & Reverse Proxy

• Added support to expose NetBird-only services over tunnel peers across management, client, and proxy.
  #6226
• Added follow-up fixes for private reverse-proxy services.
  #6268
• Added private service expose support in the dashboard.
  netbirdio/dashboard#646
• Updated reverse proxy modals in the dashboard.
  netbirdio/dashboard#661
• Bound embed client WireGuard per-device memory across proxy and client.
  #5962

Client Improvements

• Filtered scoped/cloned default routes from BSD network monitor.
  #6208
• Matched DNS wildcard handlers on label boundaries.
  #6255
• Refactored Linux system info to use syscalls.
  #6230
• Released WASM js.FuncOf callbacks in SSH and RDP paths.
  #5982
• Fixed possible deadlock in statemanager Stop.
  #6228
• Improved Rosenpass support.
  #6136
• Recognized NetBird DNS forwarder port in capture text format.
  #6177
• Applied netroute default-gateway workaround on Android.
  #6192
• Captured injected ICMPv6 echo replies in debug capture.
  #6321
• Gated DNS forwarder on BlockInbound.
  #6257
• Persisted sync response via pluggable store, including disk support on iOS.
  #6331
• Allowed WireGuard port to be zero in UI and showed the port in status command.
  #6158
• Prevented corruption from competing log rotation and improved debug bundle.
  #6214

Management Improvements

• Fixed owner role update.
  #6264
• Refactored management server bootstrap.
  #6256
• Updated log levels.
  #6266
• Extended nmap monitoring.
  #6271
• Added SSO session extend flow.
  #6197
• Extended combined server initialization.
  #6156
• Enriched context in permissions manager.
  #6286
• Exported ResolveDomain.
  #6334

Dashboard Improvements

• Added simplified dashboard layout.
  netbirdio/dashboard#649
• Fixed broken SSH and RDP in the dashboard.
  netbirdio/dashboard#650
• Moved setup keys to Settings.
  netbirdio/dashboard#653
• Improved table filters layout.
  netbirdio/dashboard#654
• Grouped Networks and Routes under Network Routing.
  netbirdio/dashboard#660

Infrastructure & CI

• Pinned GitHub Actions with SHA and improved workflows.
  #6249
• Added Codecov integration and coverage reporting across workflows.
  #6333
• Allowed Docker image overrides for getting started.
  #6335
• Exposed VCS revision in dev build version output across client, management, and misc.
  #6263

New Contributors

• @phillebaba made their first contribution in #6230
• @riccardomanfrin made their first contribution in #6228
• @theodorsm made their first contribution in #6249

Full Changelog: v0.71.4...v0.72.0

What's Changed

• [client] Revert legacy registry cleanup on Windows install by @lixmal in #6232

Full Changelog: v0.71.3...v0.71.4

What's Changed

• [management] fix: device redirect uri wasn't registered by @jnfrati in #6191
• [management] Fence peer status updates with a session token by @mlsmaycon in #6193
• [management] Add metrics for peer status updates and ephemeral cleanup by @mlsmaycon in #6196
• [management] Ensure SessionStartedAt has a default value by @mlsmaycon in #6211
• [proxy] clusters API surfaces type, online status, and capability flags by @mlsmaycon in #6148
• [misc] Update contribution guidelines by @mlsmaycon in #6219
• [client] Bump macOS sleep callback timeout to 20s by @lixmal in #6220
• [doc] Clean up README by @lixmal in #6178
• [proxy] concurrent proxy snapshot apply by @pascal-fischer in #6207
• [management] scope network router update call by @pascal-fischer in #6222
• [client] Fix nil channel panic in external chain monitor stop by @lixmal in #6224

Full Changelog: v0.71.2...v0.71.3

What's Changed

• [management] Avoid peer IP reallocation when account settings update preserves the network range by @lixmal in #6173
• [management] Avoid context cancellation in cancelPeerRoutines by @mlsmaycon in #6175
• [client] Clean up legacy 32-bit and HKCU registry entries on Windows install by @lixmal in #6176

Full Changelog: v0.71.1...v0.71.2

What's Changed

• [client] Mirror v4 exit selection onto v6 pair and honour SkipAutoApply per route by @lixmal in #6150
• [client] Drop DNS probes for passive health projection by @lixmal in #5971
• [proxy] auth token generation on mapping by @crn4 in #6157

Full Changelog: v0.71.0...v0.71.1

Release Notes for v0.71.0

What's New

IPv6 overlay addressing
NetBird's overlay is now dual-stack. Every account gets its own IPv6 prefix (default /64, configurable from /48 to /120), and peers can receive both an IPv4 and an IPv6 overlay address. DNS serves AAAA
and reverse PTR records alongside A records, ACLs apply to both families automatically, network routes accept IPv6 CIDRs (with masquerade), exit nodes that route 0.0.0.0/0 get a matching ::/0 route, and
domain routes resolve both A and AAAA.

Rollout is group-gated: new accounts enable IPv6 for the All group by default; existing accounts opt in under Settings > Network. Assignment is also gated on a per-peer capability, so older clients keep
working on IPv4 until they upgrade. Hosts can opt out individually with netbird up --disable-ipv6

Read more in the IPv6 Overlay Addressing announcement and the IPv6 documentation.
#5631 by @lixmal

MFA for local users
Local users (non-IdP) can now enable multi-factor authentication, closing a gap for deployments that don't federate auth through an external provider.
#5804 by @jnfrati

Bring your own proxy (backend ready)
Backend support for per-account reverse-proxy lifecycle has landed: proxy tokens, per-account cluster allow-lists, conflict detection, and one-proxy-per-account enforcement. Full rollout (dashboard, docs) comes
in a later release.
#5627 by @crn4

Client Improvements

• Included MTU and SSH auth config in debug bundle by @lixmal.
  #6071
• Added public key to debug bundle config.txt by @lixmal.
  #6092
• iOS: structured ResolvedIPs collection for domain routes by @pappz.
  #6090
• Used unique temp file and clean up on failure when writing ssh config by @lixmal.
  #6064
• Hardened uspfilter conntrack and shared TCP relay by @lixmal.
  #5936
• Skipped DNS upstream failover on definitive EDE by @lixmal.
  #6089
• Fixed --config flag default to point at profile path by @lixmal.
  #6122
• Bracketed IPv6 in embed listeners, expanded debug bundle by @lixmal.
  #6134
• Added short flags for status command options by @mlsmaycon.
  #6137

Management Improvements

• Removed permissions from geolocations API by @pascal-fischer.
  #6091
• Added update reason to buffered calls by @pascal-fischer.
  #6103
• Allocated and preserved IPv6 overlay addresses for embedded proxy peers by @lixmal.
  #6132
• Fixed offline statuses for public proxy clusters by @crn4.
  #6133
• Bracketed IPv6 reverse-proxy target hosts when building URL Host field by @lixmal.
  #6141

Relay Improvements

• Preserved non-standard port in WS dialer URL prep by @lixmal.
  #6061

Misc

• Updated CONTRIBUTING.md by @mlsmaycon.
  #6076