Change gateway service from bridge networking to host network mode to enable direct access to host network interfaces. Replace host.docker.internal references with 127.0.0.1 in gateway URLs and backend host configuration. Remove port mapping, extra_hosts, and explicit network attachments since host mode provides direct network access.
Add read_windows_metrics_from_show function that parses human-readable transfer output from wg show command when wg show dump fails. Add parse_human_wireguard_bytes helper to convert human-readable byte values (B, KiB, MiB, GiB, TiB) to u64. Update direct_windows_metrics to fall back to transfer parsing instead of returning zero metrics when dump command fails.
Add direct_windows_metrics function that queries WireGuard tunnel metrics directly using sc query and wg show dump commands instead of tunnel helper. Add find_windows_wg helper to locate wg.exe in standard installation paths. Update metrics function to attempt direct collection first on Windows before falling back to tunnel helper. Parse rx_bytes and tx_bytes from wg show dump output by sum
Add CREATE_NO_WINDOW flag to all tunnel helper Command invocations on Windows to prevent console window flashing during connect, disconnect, and metrics operations. Import CommandExt trait and define CREATE_NO_WINDOW constant for Windows builds.
Remove windows_subsystem = "windows" attribute from tunnel-helper to allow console output for debugging and logging. This enables stdout/stderr visibility when running the helper binary directly.
Add NSIS_HOOK_PREINSTALL macro that stops WireGuardTunnel$NexaVPN service, kills nexavpn-desktop.exe and nexavpn-tunnel-helper.exe processes, and stops NexaVPNTunnelService before installation. Add WireGuardTunnel$NexaVPN service stop to NSIS_HOOK_PREUNINSTALL before service uninstallation.
Add GATEWAY_UDP_PORT environment variable with default value 51900 to replace hardcoded port 51820. Update DEFAULT_GATEWAY_ENDPOINT in .env.example to use new port. Add UDP port mapping to gateway service in docker-compose using GATEWAY_UDP_PORT. Add NEXAVPN_GATEWAY_LISTEN_PORT environment variable to gateway container. Update gateway-entrypoint.sh to use GATEWAY_LISTEN_PORT variable in bootstrap payload and WireGuard interface configuration.
Add tunnel_service_is_active check before Windows tunnel installation to skip if already running. Add is_already_running_error helper to detect "already installed and running" message in WireGuard output. Add wait_for_windows_tunnel_running that polls tunnel state up to 12 times with 500ms intervals after installation. Add describe_windows_tunnel_state for detailed error messages when tunnel fails to reach RUNNING state.
Add rx_bytes and tx_bytes fields to Device type and API responses. Add formatDataSize helper for human-readable byte formatting with units from B to TB. Add Received and Sent columns to devices table in admin UI with formatted traffic totals. Add traffic metrics display to device action panel.
Add TelemetrySnapshot and PeerTelemetry types for gateway runtime stats. Add gateway telemetry endpoint at POST /gateway
Store generated private key in SessionState and persist across enrollment and profile sync operations. Add materialize_profile helper that replaces placeholder tokens (__CLIENT_GENERATED_PRIVATE_KEY__ and __CLIENT_PRIVATE_KEY_REQUIRED__) with actual private key before writing profile to disk. Update enroll_device and sync_profile to materialize profile content with private key before writing.
Change NSIS installer hooks to use bundled/ instead of resources/bundled/ path for tunnel helper executable. Add waitForTunnelStatus helper that polls tunnel status up to 8 times with 500ms intervals to verify expected state after connect/disconnect operations. Update toggle handler to use polling instead of single status check and add error message for failed disconnect operations.
Add connect_to_service helper that attempts service connection with automatic fallback to service start and installation. Add install-service-direct command for elevated service installation. Split install_windows_service into privilege-checking wrapper and install_windows_service_direct for actual installation. Add start_windows_service function using sc start command. Add is_windows_admin helper using net session to
Add single instance check using TCP listener on 127.0.0.1:53190 to prevent multiple application instances. Move AppState initialization into setup closure to include single_instance_lock field. Remove window close prevention and focus restoration handlers. Make main window non-resizable and non-maximizable.
Add tunnel_status command to desktop client for querying active tunnel state. Add is_active method to tunnel_manager that calls status command on bundled backend. Add status command to tunnel-helper that checks WireGuard service state on Windows via sc query and interface state on macOS via wg show. Add windows_client_status function for IPC-based status queries with active field in TunnelResponse. Update App.tsx to query tunnel status on
Remove backend port exposure and change public-web from port 8082 to 8080. Add backend dependency to public-web service. Remove public-web dependency from nginx service. Add /api/ location block to public-web nginx config with proxy_pass to backend:8080 and proxy headers for Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto.
Add public-web service with static landing page for client enrollment and device provisioning. Add public-web container to docker-compose with port 8082. Configure nginx reverse proxy with domain-based routing: admin-vpn.nesterovic.cc for admin interface and vpn.nesterovic.cc for public interface. Add proxy headers for X-Real-IP, X-Forwarded-For and X-Forwarded-Proto to both server blocks. Create public-web Dockerfile with nginx serving
Add Windows service to handle WireGuard tunnel operations with elevated privileges. Implement IPC server on TCP port 53189 for client-service communication using JSON protocol. Add install-service and uninstall-service commands to NSIS installer hooks for automatic service installation. Replace direct WireGuard calls with IPC requests when running on Windows. Add TunnelRequest and TunnelResponse types for IPC protocol
Replace Unix timestamp with "Just now" label in now_label helper. Update profile label from "No profile provisioned" to "Not provisioned". Change brand copy subtitle based on enrollment state. Rename "Current profile" to "Overview" and "Profile" to "Access" in status panel. Remove "Stored config" surface section showing profile path and revision. Update resources sidebar instructions and rename resource-list to resource-
Replace conditional setter pattern with explicit if/else branches for editing and creating modes. Handle editForm state updates separately from form state updates to improve code clarity and maintainability.
Add FindNextAvailableIP repository method to query ip_allocations table and find next available IP address within gateway VPN CIDR range. Query existing allocations from database and build used IP map. Iterate through CIDR range starting at offset to find first unused address. Update Enroll service method to call FindNextAvailableIP first with fallback to IPAM service Allocate method on error. Add netip and errors imports to repository
Add Group type with id, name, description, members array and optional user_ids field. Add name field to policy targets for display. Add groups API client methods for list, create, update and delete operations. Add GroupsPage component with create form, edit modal, member selection and table view. Add groups route and navigation item to Layout. Add reusable Modal component with title, subtitle and close handler. Update
Add clear_session command to remove session state and profile files from disk. Add resetEnrollment handler in frontend to clear local state and invoke clear_session. Remove hero surface section with profile metadata tiles. Simplify top strip to show profile label in brand copy when enrolled. Add Logout button to top actions and resources sidebar. Redesign status panel with simplified labels and layout. Update surface
Rename restore_main_window to restore_webview_window for WebviewWindow type. Add new restore_window helper for generic Window type. Update tray menu and click handlers to use restore_webview_window. Add WindowEvent::Focused handler to restore window state when focused.
Add sync_profile command to fetch latest profile from backend without re-enrollment. Add DeviceView struct to EnrollResponse. Replace hardcoded "just now" timestamp with now_label helper using Unix epoch seconds. Add sync button to UI with loading state. Redesign client interface with top strip containing brand lockup and action buttons, hero surface with profile metadata tiles, body grid with login/status panels and resources sidebar
Add updateUser and deleteUser API client methods with PATCH and DELETE endpoints. Add updatePolicy and deletePolicy API client methods. Add email field to User type. Add Actions column to users and policies tables with Edit and Delete buttons. Implement inline edit forms for users and policies with state management for editing mode. Add update and delete mutations with query invalidation on success. Add error notices
Fetch policy destinations before calling repo.Enroll instead of after, passing destinations to enrollment creation. Add fallback to default 172.16.10.0/24 destination when no policies are resolved. Re-resolve destinations after enrollment with device ID for final response.
Add useEffect hook to fetch bootstrap status on component mount. Add bootstrapAvailable and bootstrapStatusLoaded state variables to track bootstrap endpoint availability. Hide mode toggle button when bootstrap is unavailable or status hasn't loaded yet. Add auth-brand and auth-brand-copy CSS classes to improve login page layout and branding. Add BootstrapStatus handler and BootstrapAvailable service method to expose bootstrap availability
Enable tray-icon feature in Tauri dependencies. Add system tray with Open and Quit menu items. Implement tray icon click handlers to restore main window. Add window event handlers to hide window on close/minimize instead of exiting application. Add restore_main_window and hide_main_window helper functions for window visibility management.
Add formatInvokeError helper function to handle various error types from Tauri invoke calls with fallback messages. Update enroll_device to include response body in error message when enrollment fails with non-success status. Add windows_subsystem attribute to main.rs to suppress console window in release builds on Windows.
Update gateway configuration to use host.docker.internal instead of backend service name for API communication. Add extra_hosts mapping in docker-compose to enable host.docker.internal resolution. Add NEXAVPN_BACKEND_HOST environment variable to .env.example with host.docker.internal default.
Add clang-cl wrapper script that invokes clang in MSVC-compatible mode with availability check and helpful error message. Update Linux Windows build script to make clang-cl wrapper executable and include scripts directory in PATH for both cargo-xwin and clang-cl resolution.
Add AUTH_EXPIRED_EVENT constant and dispatch event on 401 responses in API client, clearing stored token. Add handleLogout function to App component and wire up event listener to trigger logout on auth expiration. Pass onLogout prop to Layout component and add Logout button to topbar-actions. Update CSS to apply flex layout to topbar-actions and make responsive. Add backend hostname and network aliases in docker-compose to ensure consistent
Add NexaVPN logo images (full logo and mark-only variants) to admin-web and desktop-client public directories. Add favicon.ico and favicon.png to admin-web, and icon.png to desktop-client. Update index.html files to reference favicon assets. Add icon.png and icon.ico to desktop-client Tauri icons directory and configure bundle.icon in tauri.conf.json. Update Layout component to display logo in sidebar brand-block with
Remove wait_for_backend_dns function and its invocation from apply_bundle, relying instead on curl connectivity checks in main loop to handle backend availability. Simplifies bootstrap logic by removing redundant DNS verification step.
Add apt install instructions for clang, lld, llvm, and nsis to README Ubuntu-to-Windows build section. Add clang-cl availability check to cargo-xwin wrapper script with helpful error message directing users to install LLVM/Clang toolchain when missing.
Update Linux Windows build script to add scripts directory to PATH and reference cargo-xwin by name rather than direct path to wrapper script, improving compatibility with Tauri's runner resolution mechanism.
Add getent availability check before attempting DNS resolution in wait_for_backend_dns function. Fall back to allowing curl connectivity check in main loop when getent is not available, supporting Alpine-based images that don't ship getent by default.
Add cargo-xwin wrapper script that invokes `cargo xwin` subcommand and update Linux Windows build script to use wrapper as --runner instead of cargo-xwin binary name directly. Add chmod +x to ensure wrapper is executable before build.
Update @tauri-apps/api and @tauri-apps/cli to version 2.10.1, and tauri runtime to 2.10.1 for consistency across desktop client dependencies. Update tauri-build to version 2.5.5.
Add wait_for_backend_dns function to verify backend hostname resolution before attempting bootstrap/sync operations. Configure NEXAVPN_BACKEND_HOST environment variable and net.ipv4.ip_forward sysctl in docker-compose. Use atomic write pattern for state.json via temporary file to prevent corruption on failed downloads. Make sysctl ip_forward call conditional on write permissions and non-fatal.
Add depends_on backend service to gateway in docker-compose to ensure backend is available before gateway starts. Refactor gateway-entrypoint.sh to move bootstrap logic into apply_bundle function with error handling, enabling automatic retry on bootstrap failure instead of exiting immediately.
Update all Windows build configurations, scripts, and documentation from i686-pc-windows-msvc (x86) to x86_64-pc-windows-msvc (x64). Update npm scripts, build-tunnel-helper.sh target validation, bundled helper paths, and tunnel manager strategy references. Add XWIN_ARCH=x86_64 environment variable to Linux cross-build command and --xwin-arch flag to cargo xwin invocation.
Change cargo-xwin detection from `command -v cargo-xwin` to `cargo xwin --version` to properly verify cargo subcommand availability on Linux systems cross-compiling to Windows targets.
