24.11.001 changelog

24.11.001

Released on 12 November, 2024.

Client

Fixes

  • Improvements for private name handling in IPv6-only networks when managed domains are in overlay mode.
  • Fixed an issue in the Windows DNS supervisor causing errant service restarts when upstream connectivity is inconsistent.
  • DNS health checks have also received several improvements. First, all health checks are now forced over the local upstream connection rather than allowed through the tunnel, which ensures a clear read of the client’s network environment. Second, the health check system now respects the probe’s TTL, which creates more accurate checks in full-tunnel scenarios and reduces noise on the network.
  • Improvements in window handling on macOS.
  • Improved route handling for service and machine stop/start and wake/sleep events.
  • Improved route handling for machines with multiple active network interfaces.

Features

  • Several improvements have been made to private name resolution. If multiple DNS servers are eligible, records will be requested in parallel, preferring the fastest result. EDNS and DNS over TCP are now enabled for private names, allowing very large records to be returned.
  • SOS submissions may now be retried if an error occurs while publishing.
  • Improved Active Directory integration for remote connections.
  • Important pre-release quality feature: controller-health-check-strategy. In previous Bowtie client versions, networks equal to or larger than “/8” (e.g., 10.0.0.0/8, or 0.0.0.0/1 for full tunnel) would not be installed until several health checks had passed. This is to prevent users from having “no internet” scenarios in captive portal situations. This flag can now be set to allow-presumptive-connections, which will install the routes while Bowtie is Active, before health checks have passed. The next two versions will continue to improve on this strategy. If this flag causes issues, revert it to require-health-check to restore the 24.10.003 default behavior. To manually bypass a captive portal while this flag is on, pause your Bowtie client. If this feature is right for your environment, consider client configuration targeting to deploy it to a subset of your users.

Server

Fixes

  • Increased the grace period that Controllers will allow when updating their BGP routes. As a result, intermittent network latency fluctuations should cause less BGP configuration flapping.
  • Fixed an issue that prevented Controllers from correctly provisioning locally self-signed certificates for local IP addresses.

Features

  • A new Wireguard Hint field has been added to the cluster configuration, for environments where public IPs are static and the controllers are always reachable by public IP (via public access or hairpin NAT). This allows clients to use the “Hint” IP for the WireGuard connection instead of the DNS name. If you are connecting to your Bowtie controllers from the same network as your Bowtie clients, care must be taken to ensure that hairpin NAT is configured if they are using private IP addresses. If you are relying on split-horizon DNS, this implementation is not yet applicable to your environment.

Documentation

Enhancements

  • Clarified the scope of the Control Plane devices permission as it applies to user information.