Commit Graph

25 Commits

Author SHA1 Message Date
6cf49ff3e0 feat: add service catalog management with policy integration for domain-based resource access control
Add ServiceCatalogItem type and services CRUD API endpoints (list, create, update, delete). Extend Policy type to include services array with domain, upstream_ip, proxy_ip, and ports metadata.

Add ServicesPage component with table view and create/edit modals for managing service definitions. Include service name, domain, proxy, and upstream columns with port parsing logic.

Integrate service selection
2026-03-18 13:09:54 +01:00
ab7275059f feat: add web proxy target allowlist support via NEXAVPN_ALWAYS_ALLOW_WEB_PROXY_IPS environment variable
Add alwaysAllowWebProxyTargets function to parse comma-separated IPs from NEXAVPN_ALWAYS_ALLOW_WEB_PROXY_IPS environment variable with deduplication. Update mergeProfileAllowedIPs to accept webProxyTargets parameter and merge them into profile allowed IPs using /32 routes. Add WebProxyTargets field to wireguard.Peer struct and populate it in BuildSyncBundle and device enrollment/policy application.
2026-03-18 09:39:40 +01:00
1e04a07ef8 feat: change gateway forward chain policy to accept and add explicit drop rule for WireGuard interface
Change nftables forward chain default policy from drop to accept. Add rule to accept all traffic not originating from WireGuard interface. Add explicit drop rule at end of chain for remaining WireGuard interface traffic to maintain security while allowing non-VPN traffic to flow freely.
2026-03-18 09:11:57 +01:00
77773493e2 refactor: remove BuildKit syntax directive and host network flags from Dockerfiles
Remove BuildKit syntax directive and --network=host flags from admin-web, backend, and gateway Dockerfiles to simplify builds and rely on default Docker networking for dependency downloads.
2026-03-18 09:10:39 +01:00
d67d25963d feat: enable host network access during Docker build stages for dependency downloads
Add BuildKit syntax directive and --network=host flag to npm install, go mod operations, and apk package installation to allow direct host network access during builds, bypassing Docker's default bridge network for improved reliability and performance of dependency downloads.
2026-03-18 09:09:52 +01:00
a5c65deed7 feat: replace nftables flush ruleset with targeted table deletion in gateway entrypoint
Remove global "flush ruleset" command from nftables configuration and add explicit "nft delete table inet nexavpn" before loading rules to avoid clearing unrelated firewall rules while ensuring clean nexavpn table state.
2026-03-18 09:08:26 +01:00
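The two commits above (1e04a07ef8, which flips the forward chain to `policy accept` with a trailing drop for the WireGuard interface, and a5c65deed7, which replaces `flush ruleset` with a targeted `delete table inet nexavpn`) together define how the gateway filters tunnel traffic. The ruleset below is an added illustration of that shape and is not the project's own rules: only the table name `inet nexavpn` and the port-53 DNS rule from e3bd6d3b96 come from the log, while the interface name `wg0`, the peer range `10.90.0.0/24`, the destination network `10.10.0.0/24`, the resolver `10.10.0.53` and the example policy ports are assumptions chosen for the example.

```nft
# Added illustration, not the project's ruleset. Assumed values: wg0 is the
# WireGuard interface, peers are assigned from 10.90.0.0/24, the policy
# destination is 10.10.0.0/24 and the gateway resolver is 10.10.0.53.
table inet nexavpn {
    chain forward {
        # Commit 1e04a07ef8: default accept, so non-VPN forwarding on the host
        # is untouched by this table.
        type filter hook forward priority filter; policy accept;

        # Anything that did not enter through the tunnel is accepted early.
        iifname != "wg0" accept

        # Return traffic for connections a peer was allowed to open.
        ct state established,related accept

        # DNS from assigned peer IPs to the gateway resolver (commit e3bd6d3b96
        # places this before the per-policy rules).
        ip saddr 10.90.0.0/24 ip daddr 10.10.0.53 udp dport 53 accept
        ip saddr 10.90.0.0/24 ip daddr 10.10.0.53 tcp dport 53 accept

        # Per-policy destinations; in a real deployment these are generated
        # from the policy's destinations and ports for each peer.
        ip saddr 10.90.0.7 ip daddr 10.10.0.0/24 tcp dport { 443, 8443 } accept

        # With "policy accept" this final rule is the only thing that keeps the
        # chain closed for peers: it must remain last, and nothing appended
        # after it will ever match.
        iifname "wg0" counter drop
    }
}
```

Loading it the way a5c65deed7 describes means removing only this table and then applying the file, for example `nft delete table inet nexavpn` followed by `nft -f /etc/nftables/nexavpn.nft`; `nft -f` applies the whole file atomically, so a parse error leaves no partial chain behind. Two checks are worth adding to any entrypoint that does this: `nft delete table` fails when the table does not exist yet (first boot), so the script must tolerate that error or create the table first with the idempotent `nft add table inet nexavpn`; and after loading, `nft list chain inet nexavpn forward` should show the `iifname "wg0" ... drop` rule as the last entry, because with an accept policy the chain is open to peers whenever that rule is missing, whereas the previous drop policy was closed by default.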
a2df8c33d4 feat: add retry logic and explicit Alpine repositories to gateway Dockerfile
Add explicit Alpine 3.21 main and community repository URLs to /etc/apk/repositories. Implement 5-attempt retry loop with 3-second delays for apk update and package installation to handle transient network failures during Docker builds.
2026-03-18 08:59:44 +01:00
e3bd6d3b96 feat: add DNS server routes to WireGuard profiles and gateway firewall rules
Add mergeProfileAllowedIPs function to combine policy destinations with DNS server routes in device enrollment and rotation. Add dnsServerRoute helper to convert DNS server IPs to /32 CIDR notation. Update BuildSyncBundle query to include gateway DNS servers in peer data. Add DNSServers field to wireguard.Peer struct. Update gateway nftables configuration to allow UDP/TCP port 53 traffic from assigned IPs to DNS servers before
2026-03-18 08:48:08 +01:00
a87a4664be refactor: remove net.ipv4.ip_forward sysctl from gateway service
Remove net.ipv4.ip_forward sysctl configuration from gateway service since host network mode requires IP forwarding to be configured at the host system level rather than per-container.
2026-03-18 08:31:21 +01:00
1721215c95 refactor: remove gateway network alias from backend service
Remove gateway network alias from backend service since gateway now uses host network mode and accesses backend directly via 127.0.0.1 instead of Docker network resolution.
2026-03-18 08:29:41 +01:00
4b16e0d4fc feat: switch gateway container to host network mode and replace host.docker.internal with 127.0.0.1
Change gateway service from bridge networking to host network mode to enable direct access to host network interfaces. Replace host.docker.internal references with 127.0.0.1 in gateway URLs and backend host configuration. Remove port mapping, extra_hosts, and explicit network attachments since host mode provides direct network access.
2026-03-18 08:28:33 +01:00
9ea2345982 feat: make gateway UDP port configurable via GATEWAY_UDP_PORT environment variable
Add GATEWAY_UDP_PORT environment variable with default value 51900 to replace hardcoded port 51820. Update DEFAULT_GATEWAY_ENDPOINT in .env.example to use new port. Add UDP port mapping to gateway service in docker-compose using GATEWAY_UDP_PORT. Add NEXAVPN_GATEWAY_LISTEN_PORT environment variable to gateway container. Update gateway-entrypoint.sh to use GATEWAY_LISTEN_PORT variable in bootstrap payload and WireGuard interface configuration.
2026-03-18 07:54:18 +01:00
610c5459e5 feat: add device traffic metrics with gateway telemetry reporting and admin UI display
Add rx_bytes and tx_bytes fields to Device type and API responses. Add formatDataSize helper for human-readable byte formatting with units from B to TB. Add Received and Sent columns to devices table in admin UI with formatted traffic totals. Add traffic metrics display to device action panel.

Add TelemetrySnapshot and PeerTelemetry types for gateway runtime stats. Add gateway telemetry endpoint at POST /gateway
2026-03-18 07:43:22 +01:00
31369a7743 feat: add tunnel status checking with active interface verification
Add tunnel_status command to desktop client for querying active tunnel state. Add is_active method to tunnel_manager that calls status command on bundled backend. Add status command to tunnel-helper that checks WireGuard service state on Windows via sc query and interface state on macOS via wg show. Add windows_client_status function for IPC-based status queries with active field in TunnelResponse. Update App.tsx to query tunnel status on
2026-03-18 07:02:39 +01:00
1d69b20fcc refactor: consolidate public-web port to 8080 and add API proxy configuration
Remove backend port exposure and change public-web from port 8082 to 8080. Add backend dependency to public-web service. Remove public-web dependency from nginx service. Add /api/ location block to public-web nginx config with proxy_pass to backend:8080 and proxy headers for Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto.
2026-03-17 22:13:46 +01:00
65e74c6832 feat: add public-facing web interface with domain-based routing
Add public-web service with static landing page for client enrollment and device provisioning. Add public-web container to docker-compose with port 8082. Configure nginx reverse proxy with domain-based routing: admin-vpn.nesterovic.cc for admin interface and vpn.nesterovic.cc for public interface. Add proxy headers for X-Real-IP, X-Forwarded-For and X-Forwarded-Proto to both server blocks. Create public-web Dockerfile with nginx serving
2026-03-17 22:09:37 +01:00
4a2985ae5e fix: change gateway backend URLs from service name to host.docker.internal
Update gateway configuration to use host.docker.internal instead of backend service name for API communication. Add extra_hosts mapping in docker-compose to enable host.docker.internal resolution. Add NEXAVPN_BACKEND_HOST environment variable to .env.example with host.docker.internal default.
2026-03-17 19:43:56 +01:00
e2362c6033 feat: add logout functionality and auto-logout on 401 responses
Add AUTH_EXPIRED_EVENT constant and dispatch event on 401 responses in API client, clearing stored token. Add handleLogout function to App component and wire up event listener to trigger logout on auth expiration. Pass onLogout prop to Layout component and add Logout button to topbar-actions. Update CSS to apply flex layout to topbar-actions and make responsive. Add backend hostname and network aliases in docker-compose to ensure consistent
2026-03-17 19:39:13 +01:00
d4e8fc28c7 fix: remove DNS resolution check from gateway bootstrap flow
Remove wait_for_backend_dns function and its invocation from apply_bundle, relying instead on curl connectivity checks in main loop to handle backend availability. Simplifies bootstrap logic by removing redundant DNS verification step.
2026-03-17 19:30:38 +01:00
92618ee65b fix: make backend DNS check optional when getent is unavailable
Add getent availability check before attempting DNS resolution in wait_for_backend_dns function. Fall back to allowing curl connectivity check in main loop when getent is not available, supporting Alpine-based images that don't ship getent by default.
2026-03-17 19:26:10 +01:00
6349147d8d feat: add backend DNS resolution check and improve gateway sync reliability
Add wait_for_backend_dns function to verify backend hostname resolution before attempting bootstrap/sync operations. Configure NEXAVPN_BACKEND_HOST environment variable and net.ipv4.ip_forward sysctl in docker-compose. Use atomic write pattern for state.json via temporary file to prevent corruption on failed downloads. Make sysctl ip_forward call conditional on write permissions and non-fatal.
2026-03-17 19:21:39 +01:00
4d687082af fix: add backend dependency and retry logic to gateway bootstrap
Add depends_on backend service to gateway in docker-compose to ensure backend is available before gateway starts. Refactor gateway-entrypoint.sh to move bootstrap logic into apply_bundle function with error handling, enabling automatic retry on bootstrap failure instead of exiting immediately.
2026-03-17 19:18:35 +01:00
16fc6cb1b6 feat: add gateway bootstrap endpoint with token-based authentication
Add Bootstrap and AgentSyncBundle handlers to gateway package with X-Gateway-Bootstrap-Token header authentication. Implement UpsertByName repository method for idempotent gateway registration. Update gateway entrypoint script to auto-generate keys and bootstrap gateway on first run, persisting gateway ID to disk. Add GATEWAY_BOOTSTRAP_TOKEN config and update environment variables for gateway name, bootstrap URL, and sync URL.
2026-03-17 18:53:26 +01:00
6ec5133773 docs: update README with desktop requirements, helper builds, and realistic MVP usage notes
Expand README with desktop platform requirements (Windows x86, macOS ARM), helper build commands, gateway utility scripts, and updated local test flow. Add realistic MVP usage section clarifying current platform build status, gateway configuration needs, and admin debug profile behavior with client private key handling.
2026-03-16 06:30:08 +01:00
830491cb0d chore: initial project scaffold with admin web, backend, desktop client, and deployment setup
Add monorepo structure for NexaVPN WireGuard control plane including:
- .gitignore for node_modules, build artifacts, and environment files
- README with project overview, monorepo layout, and quick start guide
- Admin web UI with React, Vite, TypeScript, and nginx reverse proxy
- API client with type definitions for users, devices, policies, gateways, and audit logs
- Admin pages for dashboard, users, devices, policies, g
2026-03-15 16:32:34 +01:00