Separate client filtering (TLS handshake) from destination filtering
(per-request) with independent default_action for each section,
so inbound defaults don't leak into outbound evaluation and vice versa.
Block connections to specific ports (e.g. BitTorrent 6881-6889, 6969)
to prevent DMCA complaints. Rules with destination_port are evaluated
per TCP CONNECT / UDP request, while existing cidr/client_random_prefix
rules continue to be evaluated at TLS handshake.
Squashed commit of the following:
commit d8ce9e9786
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Fri Feb 27 22:24:07 2026 +0500
Handle IPv4-compatible addresses in unmap_ipv6() and update CHANGELOG
commit ea30137d46
Author: Andrew Morris <andrew@greynoise.io>
Date: Tue Feb 24 23:18:01 2026 -0500
Deny UDP traffic to local IPs when is_global_ip is set
commit 8793a0397b
Author: Andrew Morris <andrew@greynoise.io>
Date: Tue Feb 24 23:17:13 2026 -0500
Update TCP forwarder to deny connections to local IPv4 addresses
commit 2197765b87
Author: Andrew Morris <andrew@greynoise.io>
Date: Tue Feb 24 23:16:27 2026 -0500
Respect is_global_ip to prevent traffic from hitting the LAN without user explicitly authorizing
commit 0248fa370d
Author: Andrew Morris <andrew@greynoise.io>
Date: Tue Feb 24 23:15:51 2026 -0500
Extract IPv4 addresses from IPv4-mapped addresses, update tests
commit 1e29240795
Author: Andrew Morris <andrew@greynoise.io>
Date: Tue Feb 24 23:13:21 2026 -0500
Update ICMP code to respect is_global_ip to prevent traffic from hitting LAN
Squashed commit of the following:
commit 7f091c2d46
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Thu Feb 26 19:09:26 2026 +0300
Sync certificate export behavior between toml and deeplink
Squashed commit of the following:
commit 52522b5b230f0abf1acb085432b181db6214006a
Merge: 2ad57499d0de3e
Author: Sergey Fionov <sfionov@adguard.com>
Date: Thu Feb 26 09:48:16 2026 +0200
Merge remote-tracking branch 'origin/master' into TRUST-268-support-dual-stack-hostname-only-connection-to-server
commit 2ad5749fff
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Thu Feb 19 16:31:55 2026 +0500
Fix formatting
commit ab0597f558
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Thu Feb 19 16:11:13 2026 +0500
Code cleanup
commit d8329217cf
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Thu Feb 19 15:52:08 2026 +0500
Update changelog
commit c90821b4c8
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Thu Feb 19 15:14:45 2026 +0500
Support hostnames in deeplinks
commit f7e184a5e8
Merge: 71fdf978d5f207
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Thu Feb 19 14:36:29 2026 +0500
Merge branch 'master' into TRUST-268-support-dual-stack-hostname-only-connection-to-server
# Conflicts:
# CHANGELOG.md
# README.md
# endpoint/src/main.rs
# lib/src/client_config.rs
commit 71fdf97343
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Fri Feb 13 19:43:24 2026 +0500
Explicitly set IPV6_V6ONLY=false for dual-stack listen sockets
Change addresses type from Vec<SocketAddr> to Vec<String>
Accept domain names in -a flag for client config export
Warn when -a domain does not match any hostname in hosts.toml
Update -a flag documentation to reflect domain name support
Add unit tests for parse_endpoint_address
Code quality improvements
Unmap IPv6-mapped IPv4 addresses (::ffff:a.b.c.d) before rules evaluation
Add more tests
Code cleanup
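Why the address is unmapped before rules are evaluated, as an added example that is not TrustTunnel code: an IPv4-mapped or IPv4-compatible destination slips past a LAN check that only inspects the IPv6 form. `unmap`, `is_lan` and both `allowed_*` helpers are hypothetical stand-ins for the project's `unmap_ipv6()` and `is_global_ip` handling, and leaving `::` and `::1` untouched is an assumption.

```rust
use std::net::{IpAddr, Ipv4Addr};

// Hypothetical helper for this example; not the project's unmap_ipv6().
fn unmap(ip: IpAddr) -> IpAddr {
    let v6 = match ip {
        IpAddr::V4(_) => return ip,
        IpAddr::V6(v6) => v6,
    };
    let o = v6.octets();
    let high_zero = o[..10].iter().all(|b| *b == 0);
    let v4 = Ipv4Addr::new(o[12], o[13], o[14], o[15]);
    // IPv4-mapped form: ::ffff:a.b.c.d
    if high_zero && o[10] == 0xff && o[11] == 0xff {
        return IpAddr::V4(v4);
    }
    // IPv4-compatible form (deprecated): ::a.b.c.d, excluding :: and ::1
    if high_zero && o[10] == 0 && o[11] == 0 && u32::from(v4) > 1 {
        return IpAddr::V4(v4);
    }
    ip
}

// Simplified stand-in for an is_global_ip-style decision (assumption).
fn is_lan(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => a.is_private() || a.is_loopback() || a.is_link_local(),
        IpAddr::V6(a) => {
            let first = a.segments()[0];
            // loopback, unique local fc00::/7, link-local fe80::/10
            a.is_loopback() || (first & 0xfe00) == 0xfc00 || (first & 0xffc0) == 0xfe80
        }
    }
}

// Check applied to the raw address: mapped LAN targets are missed.
fn allowed_naive(ip: IpAddr) -> bool { !is_lan(ip) }
// Check applied after unmapping: the embedded IPv4 address is what is judged.
fn allowed_unmapped(ip: IpAddr) -> bool { !is_lan(unmap(ip)) }

fn main() {
    // Constructed sample destinations.
    for s in ["::ffff:192.168.1.10", "::10.0.0.5", "::ffff:8.8.8.8", "::1"] {
        let ip: IpAddr = s.parse().expect("valid address");
        println!("{s}: naive={} unmapped={}", allowed_naive(ip), allowed_unmapped(ip));
    }
}
```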
Squashed commit of the following:
commit ca4ba8fc4b
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Fri Feb 20 17:25:57 2026 +0500
Add derive(Debug, Clone) to UdpMultiplexerMeta
commit 79d463eaca
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Thu Feb 19 22:36:51 2026 +0500
Fix formatting
commit a0f2c79dea
Author: Ilia Zhirov <i.zhirov@adguard.com>
Date: Thu Feb 19 17:28:46 2026 +0500
Scrub credentials in authentication::Source Debug output
Add unit tests for authentication::Source Debug scrubbing
Reduce edits to necessary minimum
Unify placeholder with client side
Squashed commit of the following:
commit 49f641f184dfbbf7250328d37c7cee09f5c80870
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Mon Feb 16 16:48:15 2026 +0300
Move custom_sni field
commit a59e4274353da4790b2a4d1b58e732de994ea0b4
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Mon Feb 16 13:01:31 2026 +0300
Support custom_sni in client config
prometheus::gather() only collects from the default global registry,
but VPN metrics (client_sessions, traffic, sockets) are registered
in a separate Registry instance. Collect from both registries.
Squashed commit of the following:
commit 9f4a2f590e5a54e6033b7188a10627687f1c5d5d
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Mon Feb 9 10:25:16 2026 +0300
Use network byte order in socks5_client
Squashed commit of the following:
commit 2180f578020af98ce5022bd1b150dc10faf25af6
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Thu Jan 29 12:05:19 2026 +0300
Add CHANGELOG
commit ee83a32baf03f787842ec0fa46deb5d6d8e2488b
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Thu Jan 29 11:39:48 2026 +0300
Do not fail with deny_unknown_fields
commit 81bec39b5dfb1ba705f3cd3292175f7ce8bdd498
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Thu Jan 29 10:47:58 2026 +0300
Do not start the endpoint without credentials; warn user about missing credentials
commit d772a4434bda3d72faed6d398b1cc376a7ac1d02
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Wed Jan 28 13:42:09 2026 +0300
Use valid names in quic setting
commit 963e3ea769928abc945cd1436112ed5547815c08
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Wed Jan 28 13:38:04 2026 +0300
Do not ignore wrong fields order with serde(deny_unknown_fields); add serde(alias) for backward compatibility
A bunch of code fixes and adjustments to make TrustTunnel build cleanly
on FreeBSD.
Note that because of the `boringssl` version currently used by `quiche`,
to build TrustTunnel on FreeBSD, one needs to set the
BORING_BSSL_RUST_CPPLIB=c++ variable. This is to make the linker use
libc++ from clang instead of libstdc++. A newer version of `boringssl`
has a fix that makes this variable obsolete.
Signed-off-by: Vladimir Krivopalov <vladimir.krivopalov@gmail.com>
Squashed commit of the following:
commit 98bb9229606723667f893d4983be70e3d14416b0
Author: Radmir Sadikov <r.sadikov@adguard.com>
Date: Fri Jan 23 09:46:56 2026 +0400
fix vpn-libs-endpoint: use localhost for metrics instead of 0.0.0.0
Squashed commit of the following:
commit 56b52161bab5f5d05b74ff99eb93f13fbc54a925
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Mon Jan 19 12:36:38 2026 +0300
Remove information about Radius authenticator from README
Squashed commit of the following:
commit 868936154da794b13ed24f18743d361fb52bfb8f
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Mon Dec 29 13:10:17 2025 +0300
do not ask user about the speedtest path and disable it by default
commit 84793f74664b4ff9229d7fc0f48a4437efd02c3c
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Sun Dec 28 16:07:22 2025 +0300
lint-fix
commit 4d6ea3e9bbe964b2a2f8b34b3ccf541ec661e985
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Sun Dec 28 16:05:48 2025 +0300
do not create ping/speedtest hosts in setup_wizard
commit 3cde015560880f57027aaa394109ec29af7b6bad
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Wed Dec 24 14:33:46 2025 +0300
Change setup_wizard logic for ping/speedtest endpoints
Squashed commit of the following:
commit 415614e7660fc75a69a202e8df9ed84f54de8751
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Mon Dec 29 12:05:24 2025 +0300
remove hard limit from systemd template
commit f5b8282fbc8366f701ed5d0dab7d194b1d007cdb
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Sat Dec 27 23:32:26 2025 +0300
add hard limit setting to systemd service.template
commit b3230d2f85a08230a63ba8c189a3dedbcd3d7963
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Sat Dec 27 23:27:13 2025 +0300
remove unnecessary changes
commit 8f086a7c5452bb571a86b2a478e8a8fee464d448
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Sat Dec 27 23:22:14 2025 +0300
lint-fix
commit b30780dd350a5e0f71f481843bffc112cdb0c798
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Sat Dec 27 23:14:52 2025 +0300
Use tokio::watch channel to report errors from spawned tasks to the main core and handle them properly (exit in case of too many open files error)
commit 3d4e40392915801b5e4a780866831a86b71c72a8
Author: Zhavoronkov Aleksei <a.zhavoronkov@adguard.com>
Date: Thu Dec 25 14:13:30 2025 +0300
Handle too many open files os error
Squashed commit of the following:
commit c5c0fa660ced2c2993c07c6cd762ba456bfcf397
Author: Alexey Zhavoronkov <a.zhavoronkov@adguard.com>
Date: Mon Dec 22 22:21:35 2025 +0300
Improve stream finalization
commit 9c869927f5820705c2eb01f92697de1317f5b9dd
Author: Alexey Zhavoronkov <a.zhavoronkov@adguard.com>
Date: Mon Dec 22 20:54:50 2025 +0300
Finish the H3 stream by sending an empty body with fin=true to prevent data races
Squashed commit of the following:
commit b04f8cbc91ff6b85d468033427941d99e1433e19
Author: Alexey Zhavoronkov <a.zhavoronkov@adguard.com>
Date: Mon Dec 22 19:14:06 2025 +0300
Support interactive mode for alternative SNIs
commit a599aa706d2ee66baec839c15077cdc28548db55
Author: Alexey Zhavoronkov <a.zhavoronkov@adguard.com>
Date: Mon Dec 22 17:49:22 2025 +0300
Support alternative SNIs for domain
Squashed commit of the following:
commit e69c9007117a7600c499d84ea8a5294c0d54dcfc
Author: Andrey Meshkov <am@adguard.com>
Date: Sun Dec 21 21:32:33 2025 +0300
Fix grammar in log messages, errors and CLI
Squashed commit of the following:
commit 0dc9600ff3bd8573d805e4de4d85290b1052a222
Author: Andrey Meshkov <am@adguard.com>
Date: Sun Dec 21 20:53:02 2025 +0300
Rollback to the old changelog
commit fb56f619d5f703d712dbfdb95ab093a211dc0c58
Author: Andrey Meshkov <am@adguard.com>
Date: Sun Dec 21 20:36:24 2025 +0300
Improve the dev doc
commit afd44a5e2bebd51b07dcb587cf39ada925a42db9
Author: Andrey Meshkov <am@adguard.com>
Date: Sun Dec 21 20:32:49 2025 +0300
Added auto-formatting and pre-commit hook
Squashed commit of the following:
commit ea27f1d12d0b3bf576a10568a82fff6fc12be8d1
Author: Alexey Zhavoronkov <a.zhavoronkov@adguard.com>
Date: Fri Nov 28 12:14:25 2025 +0300
Change format of client_random_prefix to prefix[/mask]; use log crate for logging as in core
commit 9b914105145aa3b7af0220d77a03d12cd3c00c3b
Author: Alexey Zhavoronkov <a.zhavoronkov@adguard.com>
Date: Thu Nov 27 12:51:57 2025 +0300
Add an ability to specify TLS client random mask
Mask will be applied only if prefix is provided.
The final result is calculated as: match = (client_random_data[i] & mask_bytes[i] == prefix_bytes[i] & mask_bytes[i]).
See-also: AG-48706
Signed-off-by: Alexey Zhavoronkov <a.zhavoronkov@adguard.com>
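The masked comparison from the commit message above, as an added example that is not the project's code: it parses a `prefix[/mask]` rule and applies the per-byte test to a TLS client random. The names `RandomRule`, `parse_hex`, `parse_rule` and `matches` are hypothetical, and hex encoding, equal prefix and mask lengths, and the 32-byte limit are assumptions.

```rust
// Added illustration; type and function names are hypothetical.
struct RandomRule {
    prefix: Vec<u8>,
    mask: Vec<u8>,
}

// Strict hex decoding (assumption: prefix and mask are written as hex).
fn parse_hex(s: &str) -> Option<Vec<u8>> {
    if s.is_empty() || s.len() % 2 != 0 || !s.bytes().all(|b| b.is_ascii_hexdigit()) {
        return None;
    }
    (0..s.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&s[i..i + 2], 16).ok())
        .collect()
}

// Parse `prefix[/mask]`; a missing mask means every prefix bit is compared.
fn parse_rule(spec: &str) -> Option<RandomRule> {
    let (p, m) = match spec.split_once('/') {
        Some((p, m)) => (p, Some(m)),
        None => (spec, None),
    };
    let prefix = parse_hex(p)?;
    let mask = match m {
        Some(m) => parse_hex(m)?,
        None => vec![0xff; prefix.len()],
    };
    // Assumption: equal lengths, and no longer than the 32-byte client random.
    if mask.len() != prefix.len() || prefix.len() > 32 {
        return None;
    }
    Some(RandomRule { prefix, mask })
}

// Per byte: (client_random[i] & mask[i]) == (prefix[i] & mask[i]).
fn matches(rule: &RandomRule, client_random: &[u8]) -> bool {
    client_random.len() >= rule.prefix.len()
        && rule.prefix.iter().zip(&rule.mask).zip(client_random)
            .all(|((p, m), c)| (c & m) == (p & m))
}

fn main() {
    let mut random = [0u8; 32]; // constructed sample ClientHello random
    random[..2].copy_from_slice(&[0xde, 0xad]);
    let rule = parse_rule("d0a0/f0f0").expect("valid rule");
    println!("matches: {}", matches(&rule, &random));
}
```

Bits cleared in the mask are ignored on both sides, so a rule such as `d0a0/f0f0` matches any client random whose first two bytes have high nibbles `d` and `a`.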
Squashed commit of the following:
commit 53948bab8841c8278906cc17d6e306a2547fe908
Author: Sergey Fionov <sfionov@adguard.com>
Date: Sat Aug 2 22:53:36 2025 +0300
Use httpbin.agrd.dev instead of example.com
commit c467b86f3d680e61fcb799dcd65f010d932b7331
Author: Sergey Fionov <sfionov@adguard.com>
Date: Sat Aug 2 22:25:28 2025 +0300
Update images
commit b555b242a124f30595a30d18c3bf5a78349d9819
Author: Sergey Fionov <sfionov@adguard.com>
Date: Sat Aug 2 22:22:05 2025 +0300
Changes for instrumented tests
Merge in ADGUARD-CORE-LIBS/vpn-libs-endpoint from fix/quic to master
Squashed commit of the following:
commit 1d932371331fdde9ead5e0a300d1b71ecfd96bb4
Author: Sergei Gunchenko <s.gunchenko@adguard.com>
Date: Tue Jul 25 16:09:02 2023 +0300
lib: fix parsing quic headers
Merge in ADGUARD-CORE-LIBS/vpn-libs-endpoint from fix/increment_version to master
Squashed commit of the following:
commit 40c0a7dfbce13db076fad058aee7143080626476
Author: Sergei Gunchenko <s.gunchenko@adguard.com>
Date: Tue Jul 11 15:43:38 2023 +0300
Get rid of unused rust-crypto
commit 0858ffafdb294200f977cf20b35713b947faa5ae
Author: Sergei Gunchenko <s.gunchenko@adguard.com>
Date: Tue Jul 11 15:42:16 2023 +0300
Increment endpoint version in Cargo.lock as well
Merge in ADGUARD-CORE-LIBS/vpn-libs-endpoint from fix/direct_forwarder to master
Squashed commit of the following:
commit 03dadbd278f5f726397dbb4e75a20dbd319b1820
Author: Sergei Gunchenko <s.gunchenko@adguard.com>
Date: Tue Jul 4 14:25:38 2023 +0300
lib: fix panic in direct forwarder in case of authentication info presence
Merge in ADGUARD-CORE-LIBS/vpn-libs-endpoint from feature/AG-22967 to master
Squashed commit of the following:
commit a9fee73eddc774eb21ea1980e6797afbd90ccee4
Author: Sergei Gunchenko <s.gunchenko@adguard.com>
Date: Mon Jun 26 19:15:26 2023 +0300
Fix versions and update dependencies
commit bb8c7902518034119134dcd94b2d838790b7a27f
Author: Sergei Gunchenko <s.gunchenko@adguard.com>
Date: Mon Jun 26 16:58:22 2023 +0300
lib: sort deps
commit 88892ae05a122fa533b04424065a6f6edf95c8a4
Author: Sergei Gunchenko <s.gunchenko@adguard.com>
Date: Mon Jun 26 16:53:24 2023 +0300
lib: get rid of radius authenticator