25.08.002
Released on 26 August, 2025.
Client
Fixes
- Three related DNS changes in this release:
  - A change in behavior was enacted to be defensive against consumer ISPs that use DNS interception techniques overlapping with private site ranges.
  - All requests from the “Help” page to “Evaluate DNS Query” are now logged at $LOG_PATH/bowtie-dns.log and can be captured by support bundles. This can aid both administrators and Bowtie support in rapid analysis.
  - The wording on that form has been changed to be clearer for certain results that match user-supplied rules but are ultimately forwarded upstream.
- Disabled or deleted devices now correctly recognize their controller-side state and are able to re-authenticate users from the tray application.
- In prior versions of Bowtie, explicit routing exclusions and DNS routing exclusions were always routed through the default route. This may be incorrect in network scenarios with additional non-Bowtie routing table entries. With this fix, exclusions should now be routed to the correct destination.
- Linux: eliminated extraneous systemd-resolved restarts.
- Fixed an issue that could cause persistent, high background CPU use in some environments.
Enhancements
- Network change detection under Linux should be more reliable and incur less ambient CPU load.
Features
- Large Bowtie routes (any route with a network mask of 255.0.0.0 or larger, i.e. a /8 or larger block) are now removed from the routing table when a user does not have a connection to the internet (in the absence of a default route). This primarily affects users who are using Bowtie in a full tunnel configuration.
  To prevent this behavior, set the device configuration “controller-health-check-strategy” to “allow-presumptive-connections”.
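The following is an added example (not Bowtie's own code) that models the rule described in this item so an administrator can check which of their routes count as "large": it converts either CIDR or dotted-mask notation to a prefix length with the standard-library ipaddress module, treats a /8 or shorter prefix as large, and withdraws such routes only while no default route is present and the opt-out setting named above is not in effect. The route list and the setting-name handling are constructed for illustration.

```python
import ipaddress

# Per the release note: a "large" route has a network mask of 255.0.0.0 or
# larger, i.e. a /8 or a shorter prefix covering at least 2**24 addresses.
LARGE_ROUTE_MAX_PREFIXLEN = 8

# Value of controller-health-check-strategy that keeps large routes installed
# (name and value quoted from the release note; how the client reads it is an
# assumption of this example).
KEEP_LARGE_ROUTES = "allow-presumptive-connections"


def is_large_route(route: str) -> bool:
    """True if the route is a /8 or larger block.

    Accepts CIDR ("10.0.0.0/8") or dotted-mask form ("10.0.0.0/255.0.0.0");
    ipaddress normalises both to a prefix length, which avoids the trap of
    comparing masks numerically (255.255.0.0 is a *smaller* network than 255.0.0.0).
    """
    net = ipaddress.ip_network(route, strict=False)
    return net.prefixlen <= LARGE_ROUTE_MAX_PREFIXLEN


def routes_to_withdraw(routes, has_default_route: bool, health_check_strategy: str = "") -> list:
    """Return the routes the client would drop from the routing table.

    Large routes are removed only while the host has no default route, and
    never when the administrator has opted out via the health-check strategy.
    """
    if has_default_route or health_check_strategy == KEEP_LARGE_ROUTES:
        return []
    return [r for r in routes if is_large_route(r)]


if __name__ == "__main__":
    # Constructed sample: a typical full-tunnel pair plus two narrower routes.
    sample = ["0.0.0.0/1", "128.0.0.0/1", "10.0.0.0/8", "172.16.0.0/12"]
    print("no default route :", routes_to_withdraw(sample, has_default_route=False))
    print("default route    :", routes_to_withdraw(sample, has_default_route=True))
```

The full-tunnel pair 0.0.0.0/1 and 128.0.0.0/1 is the case the note calls out: both are far larger than a /8, so they are withdrawn as soon as the default route disappears.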
- Device posture collection has been extended to Linux.
- The network name is now displayed in the tray UI when Bowtie believes that the network is available. This network name is the adapter name on MacOS & Windows, and the SSID or a user-friendly adapter name on Linux. This feature may be disabled by setting ui-network-status to false.
- Collect device posture (e.g. Bitlocker protection status) for Windows.
Server
Fixes
- The bowtie-server.service daemon should more reliably report its own version in output logs at startup.
Features
- Support bundles now record CPU use measurements.
- sshd listener options are now configurable in the Control Plane interface. Administrators may define an organization-wide default or per-Controller settings.
- opentelemetry-collector files are now configurable from the Control Plane web interface.
Enhancements
- The promtail.service log collection service has been removed in favor of the journald opentelemetry-collector-contrib receiver (documentation). promtail is deprecated and no longer receiving updates from Grafana Labs.
  If you rely on the default observability stack on Controllers to view logs with the default Grafana installation, no action is necessary.
  If you consume the log stream in a custom opentelemetry-collector-contrib configuration file, then you may want to ensure that exported logs continue to arrive in the expected format. Any custom log exporters defined in /etc/otel.yaml will still be deeply merged with the default configuration file, which has been updated with a new receiver and processor. The Bowtie documentation has been updated with the latest example of the default receivers and processors.
- The foundational operating system for Controllers has been updated from NixOS 24.11 to 25.05.
  This update includes the following noteworthy version changes. If you rely on any of these packages for downstream integrations (such as observability with Grafana and Loki), ensure that the updated versions are compatible with your existing configuration (and update those configurations if necessary).
  This change includes an upgrade from Linux kernel version 6.1.135 to 6.1.148. System services should continue to operate normally across kernel updates. If you require that the system actually run on the newer kernel, follow up the update with a system reboot; this step is not otherwise required.
  Package                           Old Version   New Version
  Linux kernel                      6.1.135       6.1.148
  dex                               2.41.1        2.42.0
  grafana                           11.3.6        12.0.3
  loki                              3.2.1         3.4.4
  prometheus                        2.55.0        3.5.0
  python                            3.12.8        3.12.10
  tempo                             2.6.0         2.7.2
  opentelemetry-collector-contrib   0.112.0       0.124.0
  At time of writing, a scan of all operating system dependencies yielded no outstanding critical vulnerabilities requiring immediate action.
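As an added example (not part of the release notes or of Bowtie's tooling), the script below triages the package table above by how far each version moved: major bumps, and minor bumps on 0.x packages such as opentelemetry-collector-contrib, are the ones most likely to need a configuration review before the Controller is upgraded. The version rows are copied from the table; the classification rule is this example's own convention.

```python
# Rows copied from the release-note table: (package, old version, new version).
PACKAGE_VERSIONS = [
    ("Linux kernel", "6.1.135", "6.1.148"),
    ("dex", "2.41.1", "2.42.0"),
    ("grafana", "11.3.6", "12.0.3"),
    ("loki", "3.2.1", "3.4.4"),
    ("prometheus", "2.55.0", "3.5.0"),
    ("python", "3.12.8", "3.12.10"),
    ("tempo", "2.6.0", "2.7.2"),
    ("opentelemetry-collector-contrib", "0.112.0", "0.124.0"),
]


def parse_version(text: str) -> tuple:
    """Split "a.b.c" into a tuple of ints so comparison is numeric, not lexical
    ("3.12.10" must sort after "3.12.8", which string comparison gets wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def classify_bump(old: str, new: str) -> str:
    """Return "major", "minor", "patch" or "none" for the old -> new change.

    Convention used here: a minor bump on a 0.x package counts as "major",
    because pre-1.0 projects commonly change behaviour between minor releases.
    """
    o, n = parse_version(old), parse_version(new)
    if n < o:
        raise ValueError(f"downgrade: {old} -> {new}")
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "major" if o[0] == 0 else "minor"
    if n[2:] != o[2:]:
        return "patch"
    return "none"


def needs_review(rows=PACKAGE_VERSIONS) -> list:
    """Names of packages whose bump is classified as major, in table order."""
    return [name for name, old, new in rows if classify_bump(old, new) == "major"]


if __name__ == "__main__":
    for name, old, new in PACKAGE_VERSIONS:
        print(f"{name:32} {old:>8} -> {new:<8} {classify_bump(old, new)}")
    print("review before upgrading:", ", ".join(needs_review()))
```

Run against the table, the script singles out grafana (11 to 12), prometheus (2 to 3) and opentelemetry-collector-contrib (0.112 to 0.124); the remaining rows are minor or patch updates.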
The following updates may require manual intervention on the part of administrators:
- jq has been removed from Controller images due to outstanding and unpatched vulnerabilities. Internal use of jq has been replaced with calls to the jaq executable (documentation here). If you rely on jq for custom scripts, consider migrating them to jaq, which is usually a drop-in replacement. For convenience, an alias to the jaq executable has been added.
- opentelemetry-collector-contrib often includes significant changes between minor versions and may require updates to your /etc/otel.yaml file.