Pro Custodibus Agent 1.7.5
==========================
Fixed
-----
* Fixed reading WireGuard config files on Windows when the interface
name contained a dot (`.`).
* Fixed the following error when running extras scripts on a system
using the mawk version of awk:
```
awk: line 3: regular expression compile failed (missing operand)
```
* Relaxed minimum required dnspython module version to support older
versions of Python.

Pro Custodibus Agent 1.7.4
==========================
Fixed
-----
* Fixed error in several extras scripts with certain versions of awk
(would fail with a message like `awk: line 3: regular expression
compile failed (missing operand)`).

Pro Custodibus Agent 1.7.3
==========================
Fixed
-----
* Corrected previous fix to account for default HTTP port of 80.

Pro Custodibus Agent 1.7.2
==========================
Fixed
-----
* Fixed using the API with a custom plain-HTTP URL with a DNS hostname
(e.g. `Api = http://example.com`); would fail with a `got an unexpected
keyword argument 'assert_hostname'` message.

Pro Custodibus Agent 1.7.1
==========================
Fixed
-----
* Fixed service start-up on Windows after new install (would fail with
`cannot import service module` message).

Pro Custodibus Agent 1.7.0
==========================
Added
-----
* Additional helper scripts for Windows.
Changed
-------
* Use external DNS resolver by default (see below).
* Apply packet mark (aka fwmark) to agent connections on Linux
when wg-quick will use the mark to override the default gateway
(see below).
* Installer automatically installs wireguard-tools package.
New DNS Settings
----------------
Previously, the agent would use the host operating system's own DNS
resolver. Now, by default, the agent will use the
[Quad9](https://www.quad9.net/) resolvers via DoH (DNS over HTTPS)
to resolve the IP address of the Pro Custodibus API, as well as any
WireGuard endpoint addresses specified by DNS name.
This is particularly useful when a WireGuard interface is itself used
for the host's default route, to ensure that the agent can resolve the
IP address needed to connect to the API even when the WireGuard tunnel
is not working.
To revert to the previous behavior, and use the host operating system's
DNS resolver, add the following setting to the procustodibus.conf file:
```
Dns = off
```
To use a custom DoH resolver (such as
[Cloudflare's](https://1.1.1.1/dns/)), add the following settings
to the procustodibus.conf file, customizing the `Dns` setting to
specify the DNS servers to contact, and the `Doh` setting to specify
the hostname that the servers' TLS certificate must match:
```
Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
Doh = cloudflare-dns.com
```
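The split between the `Dns` and `Doh` settings (connect to an IP address, but require a certificate valid for a hostname) can be sketched with the Python standard library. This is an added example, not the agent's own code: the function names, the use of POST, and the `/dns-query` path are assumptions of the sketch.

```python
import http.client
import ipaddress
import socket
import ssl
import struct

MIME = "application/dns-message"  # RFC 8484 media type

def build_query(name, qtype=1):
    """DNS wire-format query for name (1 = A, 28 = AAAA); ID 0, RD flag set."""
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"
    return struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[pos] and msg[pos] < 0xC0:          # walk plain labels
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] >= 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_addresses(msg):
    """Return the A/AAAA addresses in the answer section of a DNS response."""
    _id, flags, qdcount, ancount = struct.unpack_from("!4H", msg)
    if flags & 0x000F:
        raise ValueError(f"resolver returned rcode {flags & 0x000F}")
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype in (1, 28):
            found.append(str(ipaddress.ip_address(msg[pos:pos + rdlen])))
        pos += rdlen
    return found

def resolve_via_doh(server_ip, doh_host, name, path="/dns-query"):
    """Connect to server_ip (a `Dns` entry); verify the cert against doh_host (`Doh`)."""
    ctx = ssl.create_default_context()           # verifies chain and hostname
    raw = socket.create_connection((server_ip, 443), timeout=5)
    conn = http.client.HTTPSConnection(doh_host, timeout=5)
    conn.sock = ctx.wrap_socket(raw, server_hostname=doh_host)  # no system DNS lookup
    try:
        conn.request("POST", path, build_query(name), {"Content-Type": MIME, "Accept": MIME})
        return parse_addresses(conn.getresponse().read())
    finally:
        conn.close()
```

A call such as `resolve_via_doh("1.1.1.1", "cloudflare-dns.com", "example.com")` needs network access; if the server at that address presents a certificate for any other name, the TLS handshake fails before the query is sent.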
To use a custom UDP resolver, add the following settings to the
procustodibus.conf file, customizing the `Dns` setting to specify the
DNS servers to contact:
```
Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
DnsProtocol = udp
```
To use a custom TCP resolver, add the following settings to the
procustodibus.conf file, customizing the `Dns` setting to specify the
DNS servers to contact:
```
Dns = 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001
DnsProtocol = tcp
```
The agent will automatically attempt to detect whether to use IPv4 or
IPv6 addresses. To force the agent to always prefer IPv4 addresses,
add the following setting to the procustodibus.conf file:
```
ResolveHostnames = ipv4
```
To force the agent to always prefer IPv6 addresses, add the following
setting to the procustodibus.conf file:
```
ResolveHostnames = ipv6
```
New FwMark Setting
------------------
When a network mask of `/0` (aka the default route) is used on Linux
for the `AllowedIPs` setting of a WireGuard peer, WireGuard's
`wg-quick` helper script will set up some policy routing rules to
ensure that the WireGuard interface's own traffic is not recursively
routed through the interface's tunnel; these rules rely on the
interface emitting packets with a specific mark (configurable via the
`FwMark` setting on the interface).
Now when the agent detects this scenario, it will also mark its own
packets with the same mark, ensuring that its connections to the
Pro Custodibus API (and the agent's DNS resolver) do not go through the
WireGuard tunnel (and so the agent will still work even if the tunnel
does not).
To prevent the agent from doing this, add the following setting to the
procustodibus.conf file:
```
FwMark = off
```
To force the agent to always mark its packets with a specific mark
(such as 123), add the following setting to the procustodibus.conf file:
```
FwMark = 123
```
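The marking behaviour described in this section can be sketched as follows. This is an added example, not the agent's own code: detecting the scenario by parsing `ip rule show` output is an assumption of the sketch, as are the function names, and the sample rule listing is constructed.

```python
import re
import socket

SO_MARK = getattr(socket, "SO_MARK", 36)  # 36 is the Linux value on common architectures

# Constructed sample of `ip rule show` after wg-quick brings up a /0 peer.
SAMPLE_RULES = (
    "0:\tfrom all lookup local\n"
    "32764:\tfrom all lookup main suppress_prefixlength 0\n"
    "32765:\tnot from all fwmark 0xca6c lookup 51820\n"
    "32766:\tfrom all lookup main\n"
    "32767:\tfrom all lookup default\n"
)

# wg-quick's policy rule: everything NOT carrying the mark goes to the tunnel table.
WG_QUICK_RULE = re.compile(
    r"^\d+:\s+not from all fwmark (0x[0-9a-fA-F]+|\d+) lookup \S+", re.M)

def detect_mark(ip_rule_output):
    """Return the mark wg-quick's rule exempts from the tunnel, or None."""
    match = WG_QUICK_RULE.search(ip_rule_output)
    return int(match.group(1), 0) if match else None

def effective_mark(setting, ip_rule_output):
    """Apply the FwMark setting: None = auto-detect, 'off' = never, number = always."""
    if setting is None:
        return detect_mark(ip_rule_output)
    if setting.strip().lower() == "off":
        return None
    return int(setting, 0)

def marked_socket(mark, family=socket.AF_INET, kind=socket.SOCK_STREAM):
    """Create a socket whose packets carry the mark (requires CAP_NET_ADMIN)."""
    sock = socket.socket(family, kind)
    if mark is not None:
        sock.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
    return sock
```

Packets from a socket marked this way fail the `not ... fwmark` match, so they fall through to the main routing table instead of the tunnel's table.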

Pro Custodibus Agent 1.6.1
==========================
Changed
-------
* Log recent unit events from journalctl when WireGuard up/down fails
(when using systemd to manage WireGuard).
* Always print connection test after reloading configuration.
Fixed
-----
* Fix error applying clamp_msp extra script.
* Fix errors applying extra scripts when value blank.

Pro Custodibus Agent 1.6.0
==========================
Added
-----
* New extra helper scripts for WireGuard Pre/Post/Up/Down fields
(located in `scripts` directory).
* New `OneLineFields = true` agent configuration setting to force
WireGuard configuration fields that may use multiple lines
(like `Address`, `AllowedIPs`, etc.) to instead be written on
a single line. Defaults to `false`.
* Allow WireSock to be used in place of WireGuard.
Changed
-------
* Allow `PROCUSTODIBUS_LOGGING_LEVEL` environment variable to override
command line `--verbosity` (or `-v` or `-vv`) flags.
* Log new WireGuard config at debug level when updating it.
* Omit logging WireGuard service status on Windows when OK.
Fixed
-----
* Fix updates to WireGuard DNS setting when search path not specified.
* Fix configuration reloading on Windows.
* Resume regular ping loop faster after connectivity interruptions.
* Gracefully handle errors from missing agent credentials file.
Removed
-------
* Removed Python 3.7 as a supported version.

Pro Custodibus Agent 1.5.2
==========================
Added
-----
* Installer tests for Alpine 3.20, Fedora 40, and Ubuntu 24.04.
Fixed
-----
* Installer now can install libsodium on Amazon Linux 2023.2 and newer.
* When upgrading, the installer now correctly detects the version of the
existing agent package with newer versions of Python/Pip.

Pro Custodibus Agent 1.5.1
==========================
Added
-----
* Added option to watch config and reload automatically when changed.
To turn on, set the following environment variable:
```
PROCUSTODIBUS_WATCH_CONFIG=true
```