25.03.003 changelog

25.03.003

Released on 31 March, 2025.

Client

In prior versions, locally scoped IPv6 upstream DNS servers were ignored. This has been resolved and clients having issues on networks that are primarily using DNS64 or other locally-scoped DNS servers have been repaired.
The strategy for network interface configuration changes on Windows for the private Bowtie interface caused state tracking issues when connecting to many controllers at the same time, such as immediately after pause/resume cycles. The strategy has been adjusted to correct for this condition.
Fix stderr redirection (only affects Windows) when the stderr file is deleted.
Private DNS lookup now forward to the controller’s DNS server rather than directly accessing the upstream private DNS server. This reduces resource consumption.

Adds optional Sentry integration for error reporting. If the sentry-dsn is set, errors will be reported to Sentry. This allows for better monitoring and debugging of issues in production environments. It can further be controlled by sentry-sample-rate and sentry-traces-sample-rate. These are sent as integer values from 0 to 10000. They default to 100% (10000) for error samples and 10% (1000) for trace samples.
WireGuard logs are split off into files with _wg to make the main logs easier to read.

First-run installations for Controllers that undergo the /setup process now support loading pre-existing (bring-your-own) TLS certificates.

Introduced additional safeguards around Controller REST endpoints. This is a preemptive defense in depth measure; control plane functionality should remain unaffected.

The sos command now asserts that the user has sufficient privileges to work correctly.
Fixed an issue that could cause reverse proxy configuration updates to fail to apply correctly.
Added additional measures to prompt retries when acquiring TLS certificates from ACME providers when failures occur.