All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Node family restriction and possibility to check for probable gateway selection before connection (#5285)
- Enable detection for bad gateways even when specifically selected (#5429)
- Change default entry and exit points to random (#5378)
- Enable secure DNS for requests forwarded by local resolver (#5458)
- [Android] Diagnostic doesn't panic because of uninitialized context (#5415)
- [iOS] Introduce ad-blocker. (#5227)
- Fix panic when restoring default routes (#5225)
- Fix adblocker deactivation caused by remote returning embedded HTTP errors (#5302)
- Don't reuse entry gateway when registering fails (#5379)
- [macOS] Daemon checks against the correct ID for its own signature (#5390)
- [Windows] Fix missing IPv4 on mixnet tunnel adapter (#5206)
- Switch platform to patched
2026.7-tola
- Quick connect algorithm (#5112)
- Add TCP listener for local DNS resolver (#5113)
- Add SOCKS5 Proxy process to implement Geo Exclusion (#5078)
- Disable client verifications on daemon flag for debug purposes (#5148)
- [Android] Add Geo Exclusion support via SOCKS5 Proxy (#5160)
- Propagate
fairUsage.dataUnavailablefrom API through to clients so a database outage no longer surfaces as a bandwidth-exceeded error (#5217)
- [macOS] Use endpoint-security framework directly instead of parsing eslogger output (#4749)
- Fix false bandwidth-exceeded errors when the VPN API fair-usage database is temporarily unavailable (#5217)
- Fix accounts incorrectly appearing inactive due to malformed API timestamp fields (#5217)
- [iOS/macOS] Fix account summary fetch errors being silently swallowed, leaving the UI in an unresponsive state (#5217)
- Unify
VpnAccountSummarytimestamp parsing through a singleparse_timestamphelper that warns on malformed input. Onlyfair_usage.resetsOnUtcsoft-fails toNone; subscription and auth-method timestamps now propagatePayloadErrorso a bad payload fails loudly instead of silently flipping subscriptions to inactive (root cause of NYM-1156 "Requesting ZkNyms" / "Get Started" hangs on v2.22.0 iOS). - [iOS/macOS] Stop swallowing errors from
fetchAccountSummarywithtry?; log a sanitized line (error type only, no raw payload string) and setaccountSummaryLastFetchFailedso the UI can observe failure without parsing device logs. - [Linux] Add Polkit as deb and arch dependency (#5143)
- [Windows] App Split Tunnelling (#4908).
- CLI: add command to list processes excluded from VPN tunnel:
nym-vpnc split-tunnel excluded-processes(#4905) - [Linux] Add support for per-app split-tunneling (#5001).
- Stream SelectedGateways via buffered selection (#5037)
- [macOS] Fix bug in XPC buffering between XPC and gRPC layers (#4985)
- [macOS] XPC as transport layer between clients and daemon (#4695)
- [macOS] Authentication layer for windows, feature gated (#4802)
- Activate authentication layer on all desktop platforms (#4856)
- [macOS] XPC client stall when daemon is not running (#4973)
- [CLI]
nym-vpnc account setnow uses--location blockchain; aliases keep legacy--mode decentralisedand--mode decentralizedworking. - [CLI]
nym-vpnc account obtain-ticketbookssubcommand renamed (legacy aliasdecentralised-obtain-ticketbooksstill works).--source(currently parsed but all sources route to smartcontract backend).
- [Windows] Authentication layer for windows, still feature gated (#4618)
- [macOS] Add support for per-app split-tunneling (#4694)
- Detect time travel and sleep when obtaining remote time (#4604)
- Added privy UI feature flag (#4223)
- Added TraceID and SpanID for the account controller commands (#4426)
- Added mixnet tuning feature flag (#4514)
- [Linux] Password-based authentication for clients that attempt to connect to daemon; feature gated until front-end is implemented (#4538)
- Changed VPN API HTTP timeout from 60s to 30s. (#4604)
- Fix discovery propagation bug (#4226)
- Ensure that vpn topology is refreshed periodically when connecting (#4228)
- [Android] Bypass local DNS servers (#4347)
- Fix gateway cache and topology cache not being invalidated when remote discovery updates are received. Note: Manual environment switching still requires daemon/app restart (#4464)
- Removed credentials mode feature flag from code base (#4223)
- [Android] Enable debug logs in production builds for core library (#4405)
- [Android] Print library logs to file, in addition to the existing logcat (#4432)
- Add custom DNS setting for mobile platforms (#4106)
- Login with signature string in addition to mnemonic (#4117)
- SOCKS5 proxy can now be controlled via
nym-vpnc(#4148)
- Update default entry and exit points to Switzerland (https://github.com/nymtech/nym-vpn-client/pull/XXX)
- CLI: remove legacy call to connect the tunnel (#4094)
- Custom DNS servers can be used, instead of the pre-defined ones. They can be set and cleared using the CLI
nym-vpnc dnscommand (#4015)
- Rotate wireguard keys every 1-2 weeks, if disconnected (#3788)
- When querying for bandwidth, retry once on failure (#3922).
- Avoid connection looping by temporarily blacklisting the entry gateway (#4047)
- Implement a TCP-based probe as a fallback for connection monitoring when ICMP is unavailable. (#3868)
- Expose A/C's
RequestingZkNymsstate to UI for in app payment flows (#3925)
- Rotate wireguard keys every 1-2 weeks, if disconnected (#3788)
- When querying for bandwidth, retry once on failure (#3922).
- [macOS] Prevent resetting state for non-tunnel DNS connections (#3899)
- Filter out gateways that might be blacklisted by mixnet (#3948)
- Remove unnecessary DNS resolutions on mobile platforms where there is no configurable firewall. (#3913)
- Add new CLI commands to manage sentry and anonymous network statistics collection (#3695)
- Add tunnel connection monitoring (#3724)
- Backend QUIC filtering for desktop (#3746)
- Fallback on mixnet channel if metadata endpoint is not available (#3747)
- Library exposing the command for manual wireguard key rotation (#3870)
- Use two keypairs (entry & exit) per gateway (#3591)
- Disable system DNS resolver fallback on primary resolver failure (#3832)
- Fix mixnet listener timeout not being set (#3715)
- Prevent account controller from networking while state machine is in offline state (#3723)
- [macOS] Log error instead of failing when removing keys from dynamic store during DNS reset. (#3711)
- CLI: fix hang when calling
nym-vpnc disconnect --waitin disconnected state. (#3743) - Don't log a warning on some expected value from the API (#3763)
- Fix no gateway id problem (#3768)
- [Windows] Wait for network interface addresses become usable before starting the tunnel (#3773)
- Fix network environment updates not being made available for grpc clients (#3805)
- Ensure that default discovery when written to disk is always considered stale (#3805)
- Make discovery refresh aware of network connectivity (#3805)
- Fix database cleanup when forgetting account (#3825)
- Get more gateway details, parse them, and expose them to UI to be shown in the server details page (#3447)
- Allow for random selection inside a US state (#3489)
- Add control over LAN sharing when device connection is secured (#3496)
- The
nym-vpnc status --listencommand now prints the daemon configuration when it's changed by other clients (#3503). - Users can select residential only exit nodes (#3560).
- LAN sharing is off by default. Use "Allow LAN" setting to allow it (#3496)
- Differentiate between entry and exit gateway errors (#3458)
- New CLI command interface. Legacy commands will continue working until the following release. (#3559)
- Don't retry on disappeared entry or exit gateway and return to UI for selecting again (#3520)
- Recover from error loop when mixnet client can't reach gateway after a number of retries (#3694)
- Removed countries query (#3523)
- Expose exit IPs (v4 and v6) as well as gateway version from the core (#3427)
- Fix edge case where mixnet processor could be blocked from exiting by mixnet listener causing the client to be stuck in disconnecting state (#3394)
- Fix Sentry extra metadata tag when there is no OS extra info (#3411)
- [macOS] Skip filtering loopback traffic to optimize performance (#3441)
- Prioritize high performance gateways first, fallback to medium. This rule does not apply when specific gateway is selected explicitly (#3511)
- Provide metadata to keep track of progress when establishing connection (#3351)
- [Windows] Embed core version into
winfw.dllandlibwg.dll(#3292) - Disable mixnet cover traffic in two-hop mode (#3347)
- Prevent discovery file from becoming stale because it's only refreshed whilst connected (#3377)
- Daemon global and service configuration is now stored in JSON format, allowing versioning to be supported (#3344).
- Use intra-tunnel endpoint for querying and topping up bandwidth, replacing the mixnet channel (#3316)
- Introduce more extensive entry/exit country parsing in nym-vpn-cli (#3235)
- Upgrade Nym platform to emmental release (#3155)
- Enable anonymous network statistics collection by default in the daemon, only for new installations (#3265)
- Reconnect on failure to resolve gateway addresses instead of entering error state (#3268)
- Reconnect to new gateways every 2 failed connection attempts (#3273)
- Improve shutdown sequence by exiting internal components in the reverse order of their creation. Drain tunnel events and deliver them to listeners before exiting the daemon. (#3185)
- Fix potential infinite loop when sending a disconnect message over mixnet. Limit disconnect timeout to 5 seconds and add 500ms delay between retries. (#3160)
- Prevent gateways refresh from blocking daemon shutdown during initialization. (#3160)
- Add timeout to DNS resolution fixing indefinite connecting state. (#3231)
- [macOS] Fix issues with DNS not being properly reset on disconnect on macOS 15. (#3232)
- [macOS] Bind DNS resolver to random loopback IP on port 53 to fix compatibility issues with other software, notably
digandnslookup. (#3232)
- Update pre-bundled discovery to include account links (#3167)
- Reduce noisiness of WireGuard logs (#3169)
- Add setting to toggle IPv6 support.
- vpnd: Add support to toggle network statistics collection.
- Box too large futures to fix stackoverflow on Windows (#3139)
- Register with locally generated mnemonic (#2926)
- Probe sends zk-nyms (#3011)
- Two keypairs per gateway (first part) (#3035)
- Don't wait on topology fetch from network on state machine start (#3072)
- Use nym cheddar fork (#3048)
- Remove a shutdown timeout for tonic server (#2938)
- Remove shared mixnet client (#2967)
- Remove wireguard credential mode flag (#3021)
- Fix bug that prevented the database(s) from closing gracefully before being disposed (#2925)
- Unblock mixnet client because of a deadlock (#3039)
- Apply patch to h2 crate so hickory-dns DoH connections consider server go-away close as valid preventing spurious warn logging (#3053)
- Fix task manager dropping immediately on config path not being specified (#3054)
- Fix tunnel connectivity issues by applying route MTU for multihop tunnel (#3051)
- Fix prefetching topology not working at no network daemon boot (#3072)
- Fix persistent mixnet storage failure preventing the client from starting
- Fix issues preventing the daemon from starting without network connectivity
- [macOS] Improve route monitoring and offline detection