Agent

Version 1.15.1

  • Released December 9, 2025

Fixed

  • Fixed Linux install script download of pre-built liboqs when using older versions of curl; previously would error with this message:
    curl: option --no-clobber: is unknown
    

Version 1.15.0

This release fixes a DNS-resolution issue that will prevent the agent from working properly with its default DNS settings after December 15, due to an incompatibility between its previously default DNS resolver (Quad9, aka 9.9.9.9) and the way it resolves DNS by default (using DNS-over-HTTPS, aka DoH, with HTTP 1.1).

  • Released December 7, 2025

Added

  • Ability to re-provision device after SKA Device Recovery action is invoked.

Changed

  • Made host system's own DNS resolver the default; new default is the same as this cruxvpn.conf setting:
    [Cruxvpn]
    Dns = off
    
  • Updated default settings to use new SKA version 25.9 URLs and PaaS region as default; new defaults are the same as these cruxvpn.conf settings:
    [SKA]
    Region = ska
    Domain = ska.quantum.cloud
    [SKA.API]
    UserAuth = https://api.ska.quantum.cloud
    
  • Updated default settings for SKA update intervals; new defaults are the same as these cruxvpn.conf settings (intervals in seconds):
    [SKA]
    HeartbeatInterval = 120
    DevicePropertiesInterval = 3600
    DevicePolicyInterval = 600
    
  • Enabled cruxvpn.conf file to use [SKA] and [SKA.API] sections, and enabled cruxvpn-registration.conf file to use [SKA.Registration] section, in place of PQC-prefixed sections (but PQC sections will still work as before for the time being).
  • Renamed SKA-related modules and logging to use "ska" identifier in place of "pqc".

Fixed

  • Fixed DNS errors querying default DNS server after December 15.
  • Fixed initiators to not wait until next scheduled interval to agree on new keys after re-registration.

Version 1.14.0

  • Released November 11, 2025

Changed

  • Upgraded Arqit SDK to version 25.12-alpha1.
  • Python 3.9 is now the minimum required version of Python.

Fixed

  • Fixed documentation URLs in logging and help files.

Version 1.13.2

  • Released November 3, 2025

Fixed

  • Avoid skipping some changes when multiple queued changes are applied at the same time.
  • Avoid breaking the tunnel for queued changes that include/require a restart of the interface.

Version 1.13.1

  • Released October 24, 2025

Changed

  • Changed canonical OCI image name from ghcr.io/crux-comms/cruxvpn-agent to ghcr.io/siriuscomputer/cruxvpn-agent.
  • Disabled cosign build signing temporarily (until other infrastructure pieces are moved into place).

Version 1.13.0

  • Released October 19, 2025

Changed

  • Break the tunnel to a device when it is quarantined, de-registered, or removed from all security groups in common (when belonging to an organization that requires a common security group to agree on a key).
  • Optionally break the tunnel to a device when the time since its last symmetric key rotation exceeds the configured max TTL.
  • Save keys agreed with unknown SKA-P devices.
  • Upon learning a WireGuard peer is a SKA-P device, either apply its saved key, or generate a dummy key to prevent the tunnel to it from being used until the first secret key is agreed.
  • Start initiating symmetric key agreements right after SKA-P registration, instead of waiting 90 seconds for device UIDs to propagate.
  • Pause SKA initiators in a 25-second "blackout" window around the expected WireGuard handshake.
  • Enable a "rotate now" command from the web UI to force immediate symmetric key rotation.

Version 1.12.1

  • Released September 26, 2025

Fixed

  • Fixed missing log output on Windows.
  • Avoid doing client-side DNS resolution for API calls when using an HTTP proxy.

Version 1.12.0

  • Released August 1, 2025

Changed

  • Change the agent's core monitoring logic to:
    1. Ignore interfaces outside of the configured WireGuard directory (previously would report on all WireGuard interfaces)
    2. Report on down interfaces (previously would ignore them)
  • Flip IPv6/IPv4 preference if connectivity check to API fails, and try it with the other address family.
  • Run DNS queries to secondary DNS servers in parallel, if primary takes too long to respond.
  • If custom DNS servers are specified, query them with UDP by default (unless the URL or hostname with which they can be queried via DoH is also specified via the Doh setting, or the DNS servers are from well-known DoH providers).

Fixed

  • Fixed ReadOnly setting to block changes from being applied on client.

Version 1.11.2

  • Released July 25, 2025

Changed

  • Send custom application name, version, and developer name to device properties API (eg "Crux VPN Linux Agent 1.11.2 by Sirius").

Fixed

  • Don't automatically retry registration if the first attempt fails. Now if registration fails, an administrator must correct the issue, and then manually restart the agent.
  • Fix registration mode to always use uppercase values (eg QKEY).
  • Better error messages when missing required registration config settings (such as Realm).
  • Fixed pre-built liboqs download logic in install.sh script to ignore minor OS versions when checking for available downloads.
  • Fixed install.sh to run ldconfig only if a library path was added.
  • Don't try to load agent conf files from /etc/wireguard.
  • Avoid writing deviceProperties.json when no props have changed.

Version 1.11.1

  • Released July 6, 2025

Added

  • Allow custom SKA-P domain to be configured in agent conf via Domain setting, as a shorthand for setting each individual SKA-P API endpoint.
  • Allow QKey and QKeyId settings in agent registration conf.
  • Allow agent conf settings to be specified as base64; eg: PasswordBase64 = cGFzc3dvcmQgIyAxMjM=.

Fixed

  • Allow # characters in Password setting of agent registration conf.
  • Fix startup sequence to not miss DUID updates that occurred while agent was not running.

Version 1.11.0

  • Released June 14, 2025

Added

  • Connectivity checks for Arqit SKA-Platform™ (SKA-P).
  • "Offline" mode for non-essential SKA-P endpoints; engaged via the following /etc/cruxvpn/cruxvpn.conf settings:
    [PQC.API]
    MonitorHeartbeat = offline
    MonitorProperties = offline
    Policy = offline
    

Changed

  • Bundle Arqit SKA-Platform™ SDK into agent tarball.

Fixed

  • Enable communication with Crux VPN API even when no SKA-P connectivity; and enable SKA-P peering and communication with SKA-P endpoints even when no Crux VPN API connectivity.

Version 1.10.0

  • Released May 30, 2025

Added

  • Agent MSI builds via GitHub Actions.
  • Liboqs DLL builds via GitHub Actions.

Changed

  • Download liboqs.so if pre-built version available (rather than always build it from source) on install.
  • Default the location of device*.json files to the same directory as the cruxvpn.conf file (rather than always /etc/cruxvpn) if not explicitly specified.

Version 1.9.3

  • Released May 29, 2025

Added

  • "Offline" mode for interacting with the API server, where the agent will not attempt to connect to the API server if you change its /etc/cruxvpn/cruxvpn.conf Api setting to this:
    Api = offline
    

Version 1.9.2

  • Released May 18, 2025

Added

  • Tarball and container image builds via GitHub Actions.

Fixed

  • Fixed agent name in crux0.conf comment.
  • Fixed install.sh "wg-quick service definition not found" error on Debian Buster.
  • Fixed liboqs build on Alpine Linux for 32-bit ARM (eg Raspberry Pi).

Version 1.9.1

  • Released May 8, 2025

Added

  • Automatically install iptables package (required for packet forwarding).

Changed

  • Try to install newer Python on RHEL 8 variants on clean install (RHEL 8 default is Python 3.6; Python 3.8 or newer is required).

Fixed

  • Clean up de-register/re-register cycle to avoid this error: No such file or directory: '/etc/cruxvpn/deviceProperties.json'

Version 1.9.0

  • Released May 3, 2025

Added

  • Use Arqit QuantumCloud™ SKA to generate WireGuard preshared keys.
  • Automatically register device with QuantumCloud if not yet registered.
  • Automatically start QuantumCloud peering socket receiver and initiators based on settings in WireGuard config.
  • Build and install liboqs as part of install script.
  • Option to redact preshared keys only.

Changed

  • Use /etc/cruxvpn directory to consolidate all config files.
  • Define and use cruxvpn-wg systemd service in place of wg-quick service.
  • Improve handling of interrupt/terminate signals to shut down faster.
  • Use versioningit plugin to calculate agent version number.

Removed

  • Remove support for Python versions older than 3.8.
  • Remove old Windows EXE installer (deprecated by new MSI-based installer).

Fixed

  • Explicitly set root log level to override log settings from libraries.

Version 1.8.0

  • Initial Release