Skip to content

Agent

Version 1.13.2

  • Released November 3, 2025

Fixed

  • Avoid skipping some changes when multiple queued changes are applied at the same time.
  • Avoid breaking the tunnel for queued changes that include/require a restart of the interface.

Version 1.13.1

  • Released October 24, 2025

Changed

  • Changed canonical OCI image name from ghcr.io/crux-comms/cruxvpn-agent to ghcr.io/siriuscomputer/cruxvpn-agent.
  • Disabled cosign build signing temporarily (until other infrastructure pieces are moved into place).

Version 1.13.0

  • Released October 19, 2025

Changed

  • Break the tunnel to a device when it is quarantined, de-registered, or removed from all security groups in common (when belonging to an organization that requires a common security group to agree on a key).
  • Optionally break the tunnel to a device when the time since its last symmetric key rotation exceeds the configured max TTL.
  • Save keys agreed with unknown SKA-P devices.
  • Upon learning a WireGuard peer is a SKA-P device, either apply its saved key, or generate a dummy key to prevent the tunnel to it from being used until the first secret key is agreed.
  • Start initiating symmetric key agreements right after SKA-P registration, instead of waiting 90 seconds for device UIDs to propagate.
  • Pause SKA initiators in a 25-second "blackout" window around the expected WireGuard handshake.
  • Enable a "rotate now" command from the web UI to force immediate symmetric key rotation.

Version 1.12.1

  • Released September 26, 2025

Fixed

  • Fixed missing log output on Windows.
  • Avoid doing client-side DNS resolution for API calls when using an HTTP proxy.

Version 1.12.0

  • Released August 1, 2025

Changed

  • Change the agent's core monitoring logic to:
    1. Ignore interfaces outside of the configured WireGuard directory (previously would report on all WireGuard interfaces)
    2. Report on down interfaces (previously would ignore them)
  • Flip IPv6/IPv4 preference if connectivity check to API fails, and try it with the other address family.
  • Run DNS queries to secondary DNS servers in parallel, if primary takes too long to respond.
  • If custom DNS servers specified, query them with UDP by default (unless the URL or hostname with which they can be queried with DoH is also specified via the Doh setting; or unless the DNS servers are from well-known DoH providers).

Fixed

  • Fixed ReadOnly setting to block changes from being applied on client.

Version 1.11.2

  • Released July 25, 2025

Changed

  • Send custom application name, version, and developer name to device properties API (eg "Crux VPN Linux Agent 1.11.2 by Sirius").

Fixed

  • Don't automatically retry registration if 1st attempt fails. Now if registration fails, an administrator must correct the issue, and then manually restart the agent.
  • Fix registration mode to always use uppercase values (eg QKEY).
  • Better error messages when missing required registration config settings (such as Realm).
  • Fixed pre-built liboqs download logic in install.sh script to ignore minor OS versions when checking for available downloads.
  • Fixed install.sh to run ldconfig only if a library path was added.
  • Don't try to load agent conf files from /etc/wireguard.
  • Avoid writing deviceProperties.json when no props have changed.

Version 1.11.1

  • Released July 6, 2025

Added

  • Allow custom SKA-P domain to be configured in agent conf via Domain setting, as a shorthand for setting each individual SKA-P API endpoint.
  • Allow QKey and QKeyId settings in agent registration conf.
  • Allow agent conf settings to be specified as base64; eg: PasswordBase64 = cGFzc3dvcmQgIyAxMjM=.

Fixed

  • Allow # characters in Password setting of agent registration conf.
  • Fix startup sequence to not miss DUID updates that occurred while agent was not running.

Version 1.11.0

  • Released June 14, 2025

Added

  • Connectivity checks for Arqit SKA-Platform™ (SKA-P).
  • "Offline" mode for non-essential SKA-P endpoints; engaged via the following /etc/cruxvpn/cruxvpn.conf settings: 
    [PQC.API]
MonitorHeartbeat = offline
MonitorProperties = offline
Policy = offline

Changed

  • Bundle Arqit SKA-Platform™ SDK into agent tarball.

Fixed

  • Enable communication with Crux VPN API even when no SKA-P connectivity; and enable SKA-P peering and communication with SKA-P endpoints even when no Crux VPN API connectivity.

Version 1.10.0

  • Released May 30, 2025

Added

  • Agent MSI builds via GitHub Actions.
  • Liboqs DLL builds via GitHub Actions.

Changed

  • Download liboqs.so if pre-built version available (rather than always build it from source) on install.
  • Default the location of device*.json files to the same directory as the cruxvpn.conf file (rather than always /etc/cruxvpn) if not explicitly specified.

Version 1.9.3

  • Released May 29, 2025

Added

  • "Offline" mode for interacting with the API server, where the agent will not attempt to connect to the API server if you change its /etc/cruxvpn/cruxvpn.conf Api setting to this: 
    Api = offline

Version 1.9.2

  • Released May 18, 2025

Added

  • Tarball and container image builds via GitHub Actions.

Fixed

  • Fixed agent name in crux0.conf comment.
  • Fixed install.sh "wg-quick service definition not found" error on Debian Buster.
  • Fixed liboqs build on Alpine Linux for 32-bit ARM (eg Raspberry Pi).

Version 1.9.1

  • Released May 8, 2025

Added

  • Automatically install iptables package (required for packet forwarding).

Changed

  • Try to install newer Python on RHEL 8 variants on clean install (RHEL 8 default is Python 3.6; Python 3.8 or newer is required).

Fixed

  • Clean up de-register/re-register cycle to avoid this error: No such file or directory: '/etc/cruxvpn/deviceProperties.json'

Version 1.9.0

  • Released May 3, 2025

Added

  • Use Arqit QuantumCloud™ SKA to generate WireGuard preshared keys.
  • Automatically register device with QuantumCloud if not yet registered.
  • Automatically start QuantumCloud peering socket receiver and initiators based on settings in WireGuard config.
  • Build and install liboqs as part of install script.
  • Option to redact preshared keys only.

Changed

  • Use /etc/cruxvpn directory to consolidate all config files.
  • Define and use cruxvpn-wg systemd service in place of wg-quick service.
  • Improve handling of interrupt/terminate signals to shut down faster.
  • Use versioningit plugin to calculate agent version number.

Removed

  • Remove support for Python versions older than 3.8.
  • Remove old Windows EXE installer (deprecated by new MSI-based installer).

Fixed

  • Explicitly set root log level to override log settings from libraries.

Version 1.8.0

  • Initial Release