Skip to main content

changelog.md for @push.rocks/smartvpn

2026-03-31 - 1.17.1 - fix(readme)

document per-transport metrics and handshake-driven WireGuard connection state

    Add README examples for getStatistics() per-transport active client and total connection counters Clarify that WireGuard peers are marked connected only after a successful handshake and disconnect after idle timeout Refresh API and project structure documentation to reflect newly documented stats fields and source files

    2026-03-31 - 1.17.0 - feat(wireguard)

    track per-transport server statistics and make WireGuard clients active only after handshake

      add websocket, quic, and wireguard active-client and total-connection counters to server statistics register WireGuard peers without marking them active until handshake/data is received, and remove them from active clients on expiration or idle timeout sync WireGuard byte counters into aggregate server stats independently of active client presence and expose new statistics fields in TypeScript interfaces

      2026-03-31 - 1.16.5 - fix(rust-userspace-nat)

      improve TCP session backpressure, buffering, and idle cleanup in userspace NAT

        apply proper bridge-channel backpressure by reserving channel capacity before consuming smoltcp TCP data defer bridge sender initialization until the bridge task starts and track TCP session activity timestamps cap per-session pending TCP send buffers at 512KB and abort stalled sessions when clients cannot keep up add idle TCP session cleanup and switch NAT polling to a dynamic smoltcp-driven delay

        2026-03-31 - 1.16.4 - fix(server)

        register preloaded WireGuard clients as peers on server startup

          Adds configured clients from the runtime registry to the WireGuard listener when the server starts. Ensures clients loaded from config can complete WireGuard handshakes without requiring separate peer registration. Logs a warning if automatic peer registration fails for an individual client.

          2026-03-31 - 1.16.3 - fix(rust-nat)

          defer TCP bridge startup until handshake completion and buffer partial NAT socket writes

            Start TCP bridge tasks only after the smoltcp socket becomes active to prevent server data from arriving before the client handshake completes. Buffer pending TCP payloads and flush partial writes so bridge-to-socket data is not silently lost under backpressure. Keep closing TCP sessions alive until FIN processing completes and add logging for dropped packets when bridge or route channels are full.

            2026-03-31 - 1.16.2 - fix(wireguard)

            sync runtime peer management with client registration and derive the correct server public key from the WireGuard private key

              Register, remove, and rotate WireGuard peers in the running listener when clients are added, deleted, or rekeyed. Generate client WireGuard configs with the public key derived from the configured WireGuard private key instead of reusing the generic server public key. Handle expired WireGuard sessions by re-initiating handshakes and mark client state as handshaking until the tunnel becomes active. Improve allowed IP matching and peer VPN IP extraction for runtime packet routing.

              2026-03-30 - 1.16.1 - fix(rust/server)

              add serde alias for clientAllowedIPs in server config

                Accepts the camelCase clientAllowedIPs field when deserializing server configuration. Improves compatibility with existing or external configuration formats without changing runtime behavior.

                2026-03-30 - 1.16.0 - feat(server)

                add configurable client endpoint and allowed IPs for generated VPN configs

                  adds serverEndpoint to generated SmartVPN and WireGuard client configs so remote clients can use a public address instead of the listen address adds clientAllowedIPs to generated WireGuard configs to support full-tunnel or split-tunnel routing updates TypeScript interfaces to expose the new server configuration options

                  2026-03-30 - 1.15.0 - feat(vpnserver)

                  add nftables-backed destination policy enforcement for TUN mode

                    add @push.rocks/smartnftables dependency and export it through the plugin layer apply destination policy rules via nftables when starting the server in TUN mode add periodic nftables health checks and best-effort cleanup on server stop update documentation for destination routing policy, socket transport mode, trusted client tags, events, and service generation

                    2026-03-30 - 1.14.0 - feat(nat)

                    add destination routing policy support for socket-mode VPN traffic

                      introduce configurable destinationPolicy settings in server and TypeScript interfaces apply allow, block, and forceTarget routing decisions when creating TCP and UDP NAT sessions export ACL IP matching helper for destination policy evaluation

                      2026-03-30 - 1.13.0 - feat(client-registry)

                      separate trusted server-defined client tags from client-reported tags with legacy tag compatibility

                        Adds distinct serverDefinedClientTags and clientDefinedClientTags fields to client registry and TypeScript interfaces. Treats legacy tags values as serverDefinedClientTags during deserialization and server-side create/update flows for backward compatibility. Clarifies that only server-defined tags are trusted for access control while client-defined tags are informational only.

                        2026-03-30 - 1.12.0 - feat(server)

                        add optional PROXY protocol v2 headers for socket-based userspace NAT forwarding

                          introduce a socketForwardProxyProtocol server option in Rust and TypeScript interfaces pass the new setting into the userspace NAT engine and TCP bridge tasks prepend PROXY protocol v2 headers on outbound TCP connections when socket forwarding is enabled

                          2026-03-30 - 1.11.0 - feat(server)

                          unify WireGuard into the shared server transport pipeline

                            add integrated WireGuard server support to VpnServer with shared startup, shutdown, status, statistics, and peer management introduce transportMode 'all' as the default and add server config support for wgPrivateKey, wgListenPort, and preconfigured peers register WireGuard peers in the shared client registry and IP pool so they use the same forwarding engine, routing, and monitoring as WebSocket and QUIC clients expose transportType in server client info and update TypeScript interfaces and documentation to reflect unified multi-transport forwarding

                            2026-03-30 - 1.10.2 - fix(client)

                            wait for the connection task to shut down cleanly before disconnecting and increase test timeout

                              store the spawned client connection task handle and await it during disconnect with a 5 second timeout so the disconnect frame can be sent before closing increase the test script timeout from 60 seconds to 90 seconds to reduce flaky test runs

                              2026-03-29 - 1.10.1 - fix(test, docs, scripts)

                              correct test command verbosity, shorten load test timings, and document forwarding modes

                                Fixes the test script by removing the duplicated verbose flag in package.json. Reduces load test delays and burst sizes to keep keepalive and connection tests faster and more stable. Updates the README to describe forwardingMode options, userspace NAT support, and related configuration examples.

                                2026-03-29 - 1.10.0 - feat(rust-server, rust-client, ts-interfaces)

                                add configurable packet forwarding with TUN and userspace NAT modes

                                  introduce forwardingMode options for client and server configuration interfaces add server-side forwarding engines for kernel TUN, userspace socket NAT, and testing mode add a smoltcp-based userspace NAT implementation for packet forwarding without root-only TUN routing enable client-side TUN forwarding support with route setup, packet I/O, and cleanup centralize raw packet destination IP extraction in tunnel utilities for shared routing logic update test command timeout and logging flags

                                  2026-03-29 - 1.9.0 - feat(server)

                                  add PROXY protocol v2 support for real client IP handling and connection ACLs

                                  • add PROXY protocol v2 parsing for WebSocket connections, including IPv4/IPv6 support, LOCAL command handling, and header read timeout protection
                                  • apply server-level connection IP block lists before the Noise handshake and enforce per-client source IP allow/block lists using the resolved remote address
                                  • expose proxy protocol configuration and remote client address fields in Rust and TypeScript interfaces, and document reverse-proxy usage in the README

                                  2026-03-29 - 1.8.0 - feat(auth,client-registry)

                                  add Noise IK client authentication with managed client registry and per-client ACL controls

                                  • switch the native tunnel handshake from Noise NK to Noise IK and require client keypairs in client configuration
                                  • add server-side client registry management APIs for creating, updating, disabling, rotating, listing, and exporting client configs
                                  • enforce client authorization from the registry during handshake and expose authenticated client metadata in server client info
                                  • introduce per-client security policies with source/destination ACLs and per-client rate limit settings
                                  • add Rust ACL matching support for exact IPs, CIDR ranges, wildcards, and IP ranges with test coverage

                                  2026-03-29 - 1.7.0 - feat(rust-tests)

                                  add end-to-end WireGuard UDP integration tests and align TypeScript build configuration

                                  • Add userspace Rust end-to-end tests that validate WireGuard handshake, encryption, peer isolation, and preshared-key data exchange over real UDP sockets.
                                  • Update the TypeScript build setup by removing the allowimplicitany build flag and explicitly including Node types in tsconfig.
                                  • Refresh development toolchain versions to support the updated test and build workflow.

                                  2026-03-29 - 1.6.0 - feat(readme)

                                  document WireGuard transport support, configuration, and usage examples

                                  • Expand the README from dual-transport to triple-transport support by adding WireGuard alongside WebSocket and QUIC
                                  • Add client and server WireGuard examples, including live peer management and .conf generation with WgConfigGenerator
                                  • Document new WireGuard-related API methods, config fields, transport modes, and security model details

                                  2026-03-29 - 1.5.0 - feat(wireguard)

                                  add WireGuard transport support with management APIs and config generation

                                  • add Rust WireGuard module integration using boringtun and route management through client/server management handlers
                                  • extend TypeScript client and server configuration schemas with WireGuard-specific options and validation
                                  • add server-side WireGuard peer management commands including keypair generation, peer add/remove, and peer listing
                                  • export a WireGuard config generator for producing client and server .conf files
                                  • add WireGuard-focused test coverage for config validation and config generation

                                  2026-03-21 - 1.4.1 - fix(readme)

                                  preserve markdown line breaks in feature list

                                  • Adds trailing spaces to the README feature list so each highlighted capability renders on its own line.

                                  2026-03-19 - 1.4.0 - feat(vpn transport)

                                  add QUIC transport support with auto fallback to WebSocket

                                  • introduces a transport abstraction in the Rust daemon so client and server can operate over WebSocket or QUIC
                                  • adds dual-mode server configuration with websocket, quic, and both transport modes plus QUIC idle timeout and listen address options
                                  • adds client transport selection with auto mode that attempts QUIC first and falls back to WebSocket
                                  • adds QUIC certificate hash pinning support and required Rust dependencies for QUIC and TLS
                                  • updates TypeScript interfaces, config validation, tests, and documentation to cover the new transport modes

                                  2026-03-17 - 1.3.0 - feat(tests,client)

                                  add flow control and load test coverage and honor configured keepalive intervals

                                  • Adds end-to-end node tests for client/server flow control, keepalive exchange, connection quality telemetry, rate limiting, concurrent clients, and disconnect tracking.
                                  • Adds load testing with throttled proxy scenarios to validate behavior under constrained bandwidth and repeated client churn.
                                  • Updates the Rust client to pass configured keepaliveIntervalSecs into the adaptive keepalive monitor instead of always using defaults.

                                  2026-03-15 - 1.2.0 - feat(readme)

                                  document QoS, telemetry, MTU, and rate limiting capabilities in the README

                                  • Expand the architecture and feature overview to cover adaptive keepalive, telemetry, QoS, rate limiting, and MTU handling
                                  • Update client and server examples to show new APIs such as getConnectionQuality(), getMtuInfo(), setClientRateLimit(), and getClientTelemetry()
                                  • Add TypeScript interface documentation for connection quality, MTU info, enriched client statistics, and per-client telemetry

                                  2026-03-15 - 1.1.0 - feat(rust-core)

                                  add adaptive keepalive telemetry, MTU handling, and per-client rate limiting APIs

                                  • adds adaptive keepalive monitoring with RTT, jitter, loss, and link health reporting to client statistics and management endpoints
                                  • introduces MTU overhead calculation and oversized-packet handling support, plus client MTU info APIs
                                  • adds token-bucket rate limiting with configurable default limits and server management commands to set, remove, and inspect per-client telemetry
                                  • extends TypeScript client and server interfaces with connection quality, MTU, and client telemetry methods

                                  2026-02-27 - 1.0.3 - fix(build)

                                  add aarch64 linker configuration for cross-compilation

                                  • Added rust/.cargo/config.toml to configure linker for target aarch64-unknown-linux-gnu
                                  • Sets linker to 'aarch64-linux-gnu-gcc' to enable cross-compilation to ARM64

                                  2026-02-27 - 1.0.2 - fix()

                                  no changes detected - no code or content modifications

                                  2026-02-27 - 1.0.1 - fix(release)

                                  bump patch version (no code changes)

                                  • No changes detected in the provided git diff
                                  • Current package.json version is 1.0.0
                                  • Recommend patch bump to 1.0.1 to create a release/trivial update

                                  2026-02-27 - 1.0.0 - initial release

                                  Initial commit creating the project repository and baseline files.

                                  • Initial project scaffold and configuration
                                  • Repository initialized with base files and metadata
                                  Back to top