Bug-fix release. Four fixes plus documentation.
- install --force --port=N now changes the server port (was silently ignored: the render re-read the old ListenPort).
- full-tunnel clients get 0.0.0.0/0, ::/0 so AmneziaVPN on iOS accepts the all-traffic mode; manage regen upgrades non-customized clients too.
- default client DNS is now the 1.1.1.1, 1.0.0.1 pair.
- --port accepts ports 1-65535 (was 1024-65535) so 443/80/53 work for DPI evasion on mobile carriers.
Docs: CHANGELOG, S3/S4 range fix, stale issue link cleanup, Ubuntu 26.04 in the subtitle, --force re-run FAQ, a mobile-port note.
Live-tested on Debian 13 (x86_64) and Ubuntu 26.04 (ARM64, native IPv6).
Wire all five CPS special-junk params I1-I5 from the server awg0.conf into client configs (.conf, QR, vpn://). Previously only I1 reached clients; I2-I5 were hard-coded empty and undeliverable. Scope = variant 1 of #71: the admin sets I2-I5 in awg0.conf and manage regen distributes them; no new CLI flags. RU/EN in lockstep, SHA pins recomputed, docs (ADVANCED/ROADMAP/CHANGELOG RU+EN), new bats coverage. Release v5.18.0.
Add an automatic TCPMSS --set-mss rule (mangle FORWARD, both directions, SYN only) to the server PostUp/PostDown, derived from AWG_MTU (1240 v4 / 1220 v6), fixing the PMTU blackhole on mobile/double-NAT/cascade paths. Ships v5.17.0 with tests, SHA pins, CHANGELOG and docs. Smoke-tested on x86_64 and ARM64 (IPv4 + IPv6).
Add three evergreen themes to Recently shipped / Уже сделано (RU+EN):
security and reliability hardening, correct iOS behavior in the default
routing mode, and the companion guides (official-app comparison and the
two-server cascade). Keeps the page theme-based, not a dated changelog.
A hardening and quality release that finalizes two accumulated workstreams.
Code-audit hardening (manage/awg_common/install):
- modify validates DNS as real IPv4/IPv6; octet-range check on the detected public IP
- --expires validated before client creation; --psk fails closed
- atomic .vpnuri and QR writes via the shared safe-temp helper; one shared client-artifact cleanup
- content-aware expiry cron; restore guards for an empty server/clients backup
- INT/TERM abort the script with exit 130/143 instead of falling through
Machine-readable status (additive, backward-compatible):
- list --json and stats --json also emit a stable status_code enum
(active | recent | inactive | no_handshake | key_error | no_data);
the localized status field is kept
Docs and process:
- accurate CLI help (--endpoint FQDN/IPv4/[IPv6], --no-tweaks note), README diagnose/repair-module rows
- ARM coverage for Ubuntu 26.04 (DKMS); docs-check enforces the OS x arch x prebuilt-target matrix
- CI badges, signing-doc cleanup, clearer issue/PR templates
Release mechanics: version and date bumped to 5.15.6 across the six scripts,
helper SHA pins recomputed, CHANGELOG (RU + EN) updated, pinned raw-URL tags and
README badges bumped. Default install behavior and the support matrix are unchanged.
Hardening release after four rounds of external code and documentation audits: installer input validators brought to canonical parity, manage restore/modify correctness fixes, atomic file operations, reproducible ARM builds with a pinned module ref and build manifest, bilingual release notes built by release.yml, an 8x faster Unicode-aware docs consistency check, and documentation accuracy fixes across README, INSTALL_VPS, ADVANCED, RELEASE_PROCESS and the Code of Conduct. Test suite grows to 788 checks; live-tested on clean Ubuntu 24.04 x86_64, Ubuntu 26.04 ARM64 and Debian 13 VPSes including real cross-continent AWG 2.0 handshakes.
Maintenance release after external code and documentation audits. No new
features; hardens the v5.15.0 dual-stack IPv6 work, tightens several manage
commands, fixes correctness and robustness issues, and adds a release
preflight gate plus a docs-consistency check.
Behavior change: split tunnel + IPv6 mirrors the IPv4 intent - a custom
ALLOWED_IPS keeps that IPv4 split and adds only the tunnel ULA for IPv6
instead of forcing a full ::/0 route. A full tunnel still gets ::/0 (native
IPv6) or the ULA.
Fixed: vpn:// URI carries the server's real MTU/keepalive/DNS; stricter
native-IPv6 detection (global non-ULA address and default route) with the
host IPv6 stack re-enabled before detection; install fails fast on apt update
errors; manage modify validates Endpoint/AllowedIPs; manage add is safe
against name reuse and cleans partial artifacts; manage restore prunes stale
clients/keys and recreates the expiry dir; manage help exit codes; manage
--json keeps stdout pure JSON; log messages stop doubling percent signs.
Docs/process: subnet and OS help accuracy, list --json documented, changelog
compare-links and anchors restored, SECURITY/CONTRIBUTING refreshed, public
RELEASE_PROCESS.md, release publish gated behind a full preflight job, new
docs-consistency workflow, signing design aligned with the asset draft.
Version bumped to 5.15.1 across all six scripts; SHA pins recomputed.
Second independent review of the three preceding commits surfaced:
1. (HIGH) tests/test_v5140_public_ip_services.bats - SC2318 in curl mocks:
`local args=("$@") url="${args[$((${#args[@]} - 1))]}"` references the
array on the same `local` line where it is being assigned. ShellCheck
flags this and the assignment is unreliable. Split into two `local`
statements. Bats suite still passes 11/11 after the fix.
2. (MEDIUM) ADVANCED.md / ADVANCED.en.md - the legacy split-tunneling
paragraph still claimed the default AllowedIPs = 0.0.0.0/0 covers the
tunnel subnet automatically. README was already corrected in edf4f7b;
ADVANCED is now mirrored: coverage depends on --route-all vs the
default --route-amnezia (Amnezia List excludes 10.0.0.0/8) vs custom.
3. (HIGH) docs/SIGNING_DESIGN.md - threat model overclaimed coverage of a
GitHub-account compromise. KEYS.txt is fetched from the same trust
domain, so a first-time user in a single compromised session is in a
TOFU window. Reworded "Covered" / "Partially covered" / "NOT covered"
sections, added the recommendation to publish the public-key
fingerprint via at least one out-of-band channel.
4. (MEDIUM) docs/SIGNING_DESIGN.md - added rollback / misbinding to NOT
covered, plus a minisign trusted-comment binding (tag + filename) in
the signing flow so an old signature paired with a different file or
release fails verification.
5. (MEDIUM) docs/SIGNING_DESIGN.md - changed the README "Verifying
releases" checklist item from DONE to TODO. README has no minisign
section yet; will be added when KEYS.txt is published so the section
is actionable rather than vapor.
6. (LOW) docs/SIGNING_DESIGN.md - narrowed the GPG comparison to "does
not protect the curl-to-raw or release-asset download path" (verified
tags do cover the blobs they point at if the user verifies the tag
first). Replaced two broken references (NixOS signing-prefixes and
minisign #why-not-gpg anchor) with the minisign source repo and
OpenBSD signify man page - both stable and on-topic.
No behavior change in scripts; only test ergonomics + docs accuracy.
Spec for adding detached minisign signatures to installer/management
scripts and tagged releases. The proposal:
- Keypair generated offline by the maintainer, public key published as
KEYS.txt in the repo root, private key NEVER exposed to GitHub Actions
(this is the whole point - signing must be local to the maintainer).
- Per-release signing happens on the maintainer's machine before
'git push origin vX.Y.Z'; .minisig files attached to the GitHub Release
as assets either manually (gh release upload) or via the draft workflow
at docs/release-sign.yml.draft.
- User-side verification: 'minisign -V -p KEYS.txt -m <script> -x <sig>'.
This commit is design + drafts only. Workflow stays under docs/ until the
public key is committed and signatures of pre-release assets are tested.
SECURITY.md gains a 'Release integrity (planned)' section.
Activation is user-action-blocked (maintainer must generate the offline
keypair). Closes implementation gap surfaced by competitor analysis
2026-05-18 (pwnnex/ByeByeVPN ships signed releases + SBOM).
Files added:
docs/SIGNING_DESIGN.md - threat model, tool choice, signing flow
docs/release-sign.yml.draft - GitHub Actions workflow draft
SECURITY.md +6 - 'Release integrity (planned)' section