Skip to content

Releases: Windscribe/Desktop-App

v2.24.2-alpha

v2.24.2-alpha Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 09 Jul 16:46

Added

  • Custom SNI support for stunnel/wstunnel anti-censorship connections.
  • Cross-platform diagnostics for API connectivity login failures so logs can better distinguish DNS, routing, proxy, IPv4/IPv6, and local security-policy failures.

Improved

  • The Windows IKEv2 connector. A complete rewrite of the code to improve connection setup speed and connection robustness.
  • Anti-censorship startup and failover by supporting parallel backup domain testing in wsnet.
  • Firewall behavior consistency across platforms and firewall modes.
  • Linux firewall implementation by replacing iptables shell calls with libnftables.
  • Linux split tunneling so non-tunneled apps can preserve ISP IPv6 on native dual-stack networks while tunneled apps remain leak-protected.
  • Always On/Always On+ firewall handling with Allow LAN Traffic by disabling risky LAN allowance on mode enable and warning when LAN traffic is explicitly re-enabled.
  • macOS installer/update code paths and installer flow.
  • Linux firewall/routing fwmark handling by centralizing fwmark use and avoiding incorrect WireGuard mark behavior.
  • Hardening for elevated executables using Windows process mitigation APIs where applicable.
  • Windows compiler and linker security hardening, including Control Flow Guard and related mitigation settings.
  • Windows build targeting to Windows 10 2004 so newer Windows APIs can be used without changing the minimum install version.
  • Split tunneling error handling so startup failures can show the usual Split Tunneling failed alert on macOS.
  • Objective-C memory management consistency by enabling ARC uniformly across the project.
  • CLI-only behavior by automatically watching config file changes instead of requiring windscribe-cli preferences reload.
  • Dependency build integrity by pinning or verifying wstunnel and AmneziaWG prebuilt source dependencies.

Fixed

  • Security audit findings covering macOS signature validation, Windows WireGuard config permissions, local IPC robustness, AmneziaWG input validation, and sensitive logging paths.
  • Static IP OpenVPN/TCP connections prompting for credentials instead of supplying stored Static IP credentials internally.
  • Remembered credentials for external .ovpn custom configs not being persisted immediately across restart/reboot.
  • Polish free-data counter text overlapping the upgrade CTA and locations-list chevron.
  • Hashed-login failures caused by user accidentally including leading/trailing whitespace in their input.
  • WireGuard connection mode unavailable when Always On+ firewall mode is enabled and cached WireGuard connection information is available.
  • c-ares Windows DNS server detection regression that could leave only 127.0.0.1:53 and cause DNS resolution failures.
  • The Windscribe service getting stuck in the stop pending state when a stop is requested while the desktop app is running on Windows.
  • A possible crash when enabling Secure Hotspot after connecting the VPN on Windows.
  • A rare crash when launching at startup before macOS screen information is available.
  • Linux firewall block rule ordering so Windscribe's kill-switch block path takes precedence over UFW/third-party allow rules.
  • openSUSE Tumbleweed RPM install failure related to the libcap-progs dependency path.
  • Allow LAN traffic not applying correctly to IPv6 LAN and multicast traffic while connected on Windows.
  • Missing warning when split tunneling is enabled while the macOS split tunneling extension has been manually disabled.
  • Allow LAN traffic IPv6 behavior on macOS so ULA and multicast traffic are blocked on the VPN interface while remaining reachable on the physical LAN.

Updated

  • cURL to 8.21, c-ares to 1.34.7, OpenVPN to 2.7.5, OpenSSL to 4.0.1, and wsnet to 1.5.27 for security updates.
  • WireGuard for Windows to 1.1.
  • wireguard-go to 0.0.20250522 for macOS and Linux.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 e6f83ca72a69d6a7b44e700c76b23df772c8874bc7bdfea738880a86a2d5e23a
Windows arm64 e7d89dd840c22bfc2aa37e88bb76167f61c2daad32295ee6b88f00810da1afa8
macOS universal 755c5a9fbd571d11a0d4ef7b3ebcd495681429df480238869424a7de5b4fb6b2
Ubuntu amd64 e40ec216bd2807b598db7d10c6fbed008b26175153765047b8ff2e4e0b697d8e
Ubuntu arm64 30a743721d5d5ee268829399a36583316c4884ce9b3483a69367c41429df957f
Fedora amd64 8c69710d9058fc43f255c1eedee8f26509dd7c857bb00fd323e2a20089fbc85e
Fedora arm64 81de556f34a6c10baf39f5106030ae04f3e53463e5dcda7d8896d0cb5fc9f987
OpenSUSE amd64 de38ac25bb7ab7ff6e9c70c151ac6f6aada19a6456c2e467b2e734e57773c245
Arch Linux amd64 8c2902741ac35cc14ff445630721fe5b1cdbac3896300038bdc7c429596d3559

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 07710c97f03899cbc230473a4559ef1e8060c80e1007947860d73fe3ea39ed2b
Ubuntu CLI arm64 787bc80c1c1bf14fd25172b723b20dd2a9faecb6052dec75ea9f259e694bf97c
Fedora CLI amd64 d84d9be7ff123632f824d458f53b0ee6a3492df49af9add308a717c3396bc481
Fedora CLI arm64 baf50387cf842e0ce084ed3a4e643354c4dd43f24af5ed32bad3b8f65069c721
OpenSUSE CLI amd64 018a5a3a134f04f6d2c0712ac9a6669741480f254a1cf4713097cc8e45688f74
Arch Linux CLI amd64 6714f6cef9455b0a45cf606b1ecbdcafa7302935a3066067f870981de1234cfd

v2.23.12

Choose a tag to compare

@bernerdad bernerdad released this 09 Jul 16:16

Fixed

  • WireGuard connection may hang/timeout due to phantom ROOT/WireGuard device nodes created by the Windows feature update process.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 014aae3fddb8cfb858ff3e147d844e791621a61039a0d6aa9ea23db07fdaba3f
Windows arm64 1f65f11a5e8dc0ec74d5e70f3d68b1bfcc82c5adddae4eb59edae94e1f31454c
macOS universal 38994108932d1f0288116cd79296b258bd3ea892ab7cfe20ba731b0a367c43ef
Ubuntu amd64 632498526e54462b025723bd44bfbcf60324427ec2de74e8570ba301f02b232e
Ubuntu arm64 6693bd053f715cc5e2a86b52ae0c7b8214f2883b0b521abb3e9806c3c6dee009
Fedora amd64 e4aa9a42c68f3c28a6565826b74ec89f4bcc66ae35bf2a6c530907d2e01fc16f
Fedora arm64 29600495066351854dc40650f178d32172d6e2c8c3af9c0ef1d53a3cb005aed8
OpenSUSE amd64 8ba494360eb41bb9bf91aebc76f190b1f8bc9931bbc1ecfb293c808463ea5b55
Arch Linux amd64 3cb2e1b1671d44ecff54e0a3d60f1b4884c51d6439e1335b362e83c379b9339f

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 27bff9f1cf2e767958e68156084c745f27921deca9d674e4a973c859cbe3e5fc
Ubuntu CLI arm64 e21a347aec4a0c38228ba79fd86b579dddae04c0f934817ff1061b5abfc6526e
Fedora CLI amd64 a0828cb1b12e1fd1332215293c948e07e883636d94d0d1f337da49294631024c
Fedora CLI arm64 d88f12d6cc2cbef108ef05af54a4585767829468c2f68e237e87227cbf43a621
OpenSUSE CLI amd64 91604460ab59392531a5e1005751d75d3780dec1905e8bcf154f1eb259a8d5e8
Arch Linux CLI amd64 092974ce616fe9b0aba1bc5035e9c0f2af03d4fab17403fe79af5f068e3dff77

v2.23.11

Choose a tag to compare

@bernerdad bernerdad released this 06 Jul 17:42

Added

  • Package signing and update authenticity hardening for supported Linux packages.

Improved

  • App hardening from the Fable 5 audit, including WireGuard key validation, Control D API key log redaction, IPC exposure hardening, safer logging, installer argument redaction, and package/dependency handling fixes.
  • Windows helper IPC parameter validation to reduce local IPC attack surface.
  • Linux helper IPC/API hardening after EGL gid-check bypass review.
  • Windows IKEv2 connector stability to mitigate possible crashes.
  • macOS builds against Xcode 26.5 and enabled ARC for client-common Objective-C++ code.
  • Proxy Gateway privacy by no longer logging blocked destinations for HTTP and SOCKS gateway requests.
  • IP Stack preference wording to clarify it applies to WireGuard only.
  • Preferences title casing consistency.
  • Sign Up screen helper text styling under the Password and Email fields.
  • JSON/INI import consistency for proxy sharing and MAC spoofing settings.
  • Debug logs by removing false positives that could mislead automated log analysis on Windows.
  • Russian and Ukrainian translations in the desktop app, installer, and CLI from GitHub user WkdXeqtr.
  • Belarusian translations in the desktop app, installer, and CLI from GitHub user dubovy-achvelak.

Fixed

  • DLL planting vulnerability in the Windows bootstrapper and uninstaller.
  • Windows installer/updater staging TOCTOU allowing the privileged helper to copy from a different source path than the one it validated.
  • Local privilege escalation security vulnerability from app retaining SETGID capability after group switch on Linux.
  • Possible local privilege escalation chain involving external-link opening and OpenVPN directive validation bypass.
  • OpenVPN custom config filtering to handle embedded NULL/control characters consistently and reject unsafe directives.
  • OpenVPN custom config parsing to prevent commented-out route-nopull / route-noexec text from disabling automatic firewall handling.
  • Malformed OpenVPN inline tags bypassing custom config directive filtering.
  • AmneziaWG custom WireGuard I-values allowing newline/config injection in imported custom configs.
  • Custom OpenVPN device names that could bypass Linux DNS leak protection by using wildcard-style interface names.
  • Split tunneling service startup failures not showing the expected user-facing warning prompt on Windows.
  • A crash when clicking the menu bar icon on affected macOS 27 beta builds.
  • DNS leak protection allowing pre-VPN OS DNS resolvers when DNS traffic egressed over the VPN interface on Linux.
  • Always On+ firewall feature eventually showing the Ignore SSL errors prompt during blocked or delayed connectivity.
  • Launch on startup mechanism may fail to apply during a reboot.
  • Control D via API Key connections failing when an IPv6 bootstrap IP from Custom DNS was retained without native IPv6.
  • Ignore SSL Errors runtime bypass handling to reset wsnet failovers before retrying failed requests.
  • IP pinning fallback when an Advanced Parameters remote IP does not match the selected location.
  • Memory leak when handling CLI IPC commands.
  • Windows installer progress handling near completion when uninstalling previous components and launching the app.
  • Periodic reconnects on Windows IKEv2 connections caused by transient OS status checks.
  • Logout/session deletion leaving the Windscribe IKEv2 VPN profile in macOS System Settings.
  • Linux address selection so IPv6-capable VPN connections do not incorrectly prefer IPv4 via Windscribe gai.conf handling.
  • deb/rpm packages installing scripts or helper files with world-writable permissions.
  • Data-remaining counter showing 0 bytes after an expired/blocked account state and newly logged into account has remaining data.
  • Networks marked Unsecured being treated as Secured on launch, which could incorrectly trigger auto-connect.
  • Imported dashed MAC spoof values showing incorrectly and reporting MAC spoofing failure even though the spoof was applied.
  • IKEv2 inclusive split tunneling leaving a low-metric default tunnel route active, causing non-included traffic to route through the VPN on Windows.
  • Linux IPv6 split-tunnel routes being added without the required interface name.
  • Linux IPv6 DNS leak protection missing ip6tables rules for IPv6 DNS resolvers.
  • Linux split-tunneling process monitor skipping proc events after the first netlink read.
  • Linux split-tunneling setup failures being reported as successful.
  • Persistent Ignore SSL Errors preference behavior so TLS validation bypass is runtime-only and does not survive app restart.
  • Connected DNS Custom 0.0.0.0 breaking local ctrld resolver behavior while connected.
  • Split tunneling disabled message handling on macOS.

Updated

  • Updated wsnet to 1.5.20.

Removed

  • The Contact Humans preference from the help UI.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 3430c28f606591b8f13c9d4d1a960b844ae217b0b6c5ebeb50bd764a3e88a33b
Windows arm64 065544d2f821aa5730db43fbdc3a71b01b18a41872bf038af6977a82ea5c7c5c
macOS universal 393a9c0650a66b4fea87716f9a47369a20cb70681cb2cc6ee0cef157f693d116
Ubuntu amd64 9b22ad0369e7539d309c21a2535f46aa7d805d9e2ad6250dbbc376de87c333ee
Ubuntu arm64 9f6bf75d4579c2e9193235b18bc2d603426b08558df31d2a4eb47fc92335d42c
Fedora amd64 f2e5299902a991067dc168120e5596739ef32e7b9c5c88c7c6251654bde2a864
Fedora arm64 cc621bd7fcf286b3fc8da34395c8bbfacb3cca7df145d2dc10d543d868d14fef
OpenSUSE amd64 4b31e4b52009a9eb6d15fc37bfb69606f815835b46aff0d94c317108f0dc5967
Arch Linux amd64 c7a1c9a140807298444bb352ac635f349f535de9b13ae0cef33954c0cb29c30f

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 cac917bf60b6f7fe9f9e6ac09e970ba0ffbbb52ac0d4d4afe259ae78727b0e11
Ubuntu CLI arm64 5775fd86f67d08e926a31853fb74fd1401932a8a6af88f006bbac0c3efbde7f9
Fedora CLI amd64 9ae35e6c7877f0fd4203c3c5826536f403a729bcb90a496e8a252753de929023
Fedora CLI arm64 f0522b756efd188a29b7627fb8b7594e1bfc5b13d95df54f84bcb287453525e3
OpenSUSE CLI amd64 44a2462b7c117bb2c221e1119ca41a375fde0f5ec574b67ac13f82d1b2cd0edf
Arch Linux CLI amd64 b4a338c525032dab9fa62f9fb2f282e967533c182b91467d3f13d40d7be0d658

v2.23.10-beta

v2.23.10-beta Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 30 Jun 16:03

Fixed

  • OpenVPN custom config parsing so commented route-nopull / route-noexec text cannot disable automatic firewall handling for crafted custom profiles.
  • Split tunneling service startup failures not showing the expected user-facing warning prompt on Windows.
  • A crash when clicking the menu bar icon on affected macOS 27 beta builds.
  • DNS leak protection allowing pre-VPN OS DNS resolvers when DNS traffic egressed over the VPN interface on Linux.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 4124dce70a130a676033033ea2cb3df1466e1417ac829948033aaacde9481f11
Windows arm64 14a33944845f4fd10a5729d67f75f1edf59cf9e25cd5309f055312886d88b855
macOS universal e6e533ffd45cd9fa4eaddcaee6894440e0bd36302b1ae08352b9351b01ae1042
Ubuntu amd64 58dd4e959220badadf82b6acc7e7547dfbd2dc7f85e152beb2d264b2b7a0db19
Ubuntu arm64 ea824f37915576fa1feaab1e392e1030b0755c89324d951f4b97ddcfe9ba2711
Fedora amd64 9153119ef8f894a1ce208a565da297f705d0020e1603f82d486369a317a37a1a
Fedora arm64 ede14e5a5c12163f2a2bde39b97039bed375051c4e8bc6bb29f3597655f2d761
OpenSUSE amd64 d49673b530ed367d090d644efc88641f9e946bc74cf929fa75bf921d3f3ca343
Arch Linux amd64 ac7818b0905c313e879b475b50fcfe1a1926a5d0324a4082166ce3cbe5dae08d

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 5c2c707dd779cfc97df59f97d8cc029df4de3c65801abfd5b48afc0ffc2e7e1c
Ubuntu CLI arm64 df20b8da227b72f5a8b8d7df62b2af5d70e074d95853c6ebfa8e9e0617ec0760
Fedora CLI amd64 39fbba509026c1af5a52d41b1fb1e13e28ca4d308ff5e9112eabcc37340608fd
Fedora CLI arm64 ab8aa0d110b8e85ecb91024572547ac281313b85acd1886dd88fbf718c25b977
OpenSUSE CLI amd64 3c245af079da98c3c46c53a907c785c44d815f55dacf57224242e1d1b03564a8
Arch Linux CLI amd64 acc1f5254d3680397738ade971eb3f631b1a860f828c84e1871170a8198ec495

v2.23.9-beta

v2.23.9-beta Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 23 Jun 21:18

Improved

  • Belarusian translations in the GUI and CLI from GitHub user dubovy-achvelak.

Fixed

  • Possible local privilege escalation chain involving external-link opening and OpenVPN directive validation bypass.
  • Always On+ firewall feature eventually showing the Ignore SSL errors prompt during blocked or delayed connectivity.
  • OpenVPN custom config filtering to handle embedded NULL/control characters consistently and reject unsafe directives.
  • Tray icon and desktop notifications missing on Arch Linux using KDE Plasma and Wayland. Regression introduced in 2.23.8.
  • Custom OpenVPN device names that could bypass Linux DNS leak protection by using wildcard-style interface names.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 6092efe624f300f650e0302bef06e8a90a390bed126bf75f2a0188361b6469ae
Windows arm64 16ea418f18eefa439e7222424c020ca089a560df5e0bc3a588f27a6557957053
macOS universal 7068890e4bd2a357ad06d8bb4f76ef1f64b135a766a25849835f7224e96d36c0
Ubuntu amd64 f07d9a97d956d77780712848cd678f85290ef9b996a1be1f633c6557ad9e4dc3
Ubuntu arm64 adaae33bf63856b7c30ad30f55aeae18c227c5d5d1f8a3dfb36dcee6b29b602d
Fedora amd64 bda8a6cefc4d898af8edb211c9dff8c1e1ae2feb2602653383c122f316cdb929
Fedora arm64 176fa91aae1420e81ed10857bf628b4877d61cb09e69965c3e907e22bdacd245
OpenSUSE amd64 83675e38a3b4acbbe176c6fb2d057bef73c3d8b856edcf3279f60b9659015360
Arch Linux amd64 b9ed4d2df53adc9371c73e9eb251df9db5cd6000b3c8177c9fd6ea667bba1f17

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 5a59a229211c6372ac2abebbc927dacb23c10991bb8c418ad967a34eb9d36f17
Ubuntu CLI arm64 a0a403c4b39edac89a88ce4ee158ad00d4bfce1b5fdce9a4a9839c71c803238d
Fedora CLI amd64 c54be9c3888cdc6c2c4c1a9fc6a0c195001bd1be8e40a7ccc7421912e213b90d
Fedora CLI arm64 dedc3b565fc560af5a94dedd08d23ac28deed06704f6e255cd36bcb7a11d0fea
OpenSUSE CLI amd64 fb020f0669208046ce984fa33aac3ec3f932607c3593ba4f23f0c254849f6d64
Arch Linux CLI amd64 1d0fc8ca597528b97a34ec1c915199587e19e7c9e0c28ba7cad297cade50db4f

v2.23.8-beta

v2.23.8-beta Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 17 Jun 21:14

Fixed

  • DLL planting vulnerability in the Windows bootstrapper and uninstaller.
  • Local privilege escalation security vulnerability from app retaining SETGID capability after group switch on Linux.
  • Launch on startup mechanism may fail to apply during a reboot.

Removed

  • The Contact Humans preference from the help UI.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 cdac8a146cd8630da70ab36813b21888c279cad400cd2935614aa2cce4d29659
Windows arm64 dcd7b708f569642e39f18b9a42fac990aec98b828271bbd9dbbceed198d8aefd
macOS universal c1b5ad726276779a0bf07f56bda9cdce99e234a0b42b11b81895eb3ae715ac93
Ubuntu amd64 9d8f8657658cb020b97ce11aed002d5b97cd540374b5e38e05971d63c9a6af61
Ubuntu arm64 d757fde55c908cd589d2d95a47d7afba1ef803794fa65276909aa8329f26934f
Fedora amd64 b12d5b611e50785dae13a5ff57b71f0a384fadd0e4692bb8938ca09783e2dab4
Fedora arm64 cbda74e31025c96f06d32e8cfcce3b0f387b08df5734e7731911d4f4ea042d55
OpenSUSE amd64 4619b7e20d962208d75bb0bb0b46815406e0f68778c776de934e313ba5db6b9a
Arch Linux amd64 016c987f6313ed0b766fb3066223adfd2929977496d0199b4241bcd916aa1d8a

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 e079daf032fde99f44db6396842b94b0fcebc026083c4399e0c29e5ff2dce93c
Ubuntu CLI arm64 0ee355df8238360b15c25b7ab386dc049b2e7c1eed0f31b1b47d16bab0bba95d
Fedora CLI amd64 7eca9e577c0bd84aa7d0e79578387d18f9c4bed1f7e66b4c179aa333214c629d
Fedora CLI arm64 7fb08bdebd9f83b73d777172f6d8d065ca34f0486b15d69bee40db4ccedd411b
OpenSUSE CLI amd64 0c36de5d966dcf8fec990c6e5fbe73a7d626ec33295b510c40c1321ea831d1a1
Arch Linux CLI amd64 c895475179b65ad5239250ecbfc3ae0470e723d9f899470221d7c8ddaeba87e0

v2.23.7-beta

v2.23.7-beta Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 15 Jun 20:41

Improved

  • App hardening from the Fable 5 app security audit:
    • WireGuard key validation
    • Control D API key log redaction
    • IPC exposure hardening
    • Safer logging
    • Windows installer argument redaction
    • Linux package/dependency handling fixes

Fixed

  • Data-remaining counter showing 0 bytes after an expired/blocked account state and newly logged into account has remaining data.
  • Networks marked Unsecured being treated as Secured on launch, which could incorrectly trigger auto-connect.
  • Imported dashed MAC spoof values showing incorrectly and reporting MAC spoofing failure even though the spoof was applied.
  • IKEv2 inclusive split tunneling leaving a low-metric default tunnel route active, causing non-included traffic to route through the VPN on Windows.
  • Windows installer/updater staging TOCTOU allowing the privileged helper to copy from a different source path than the one it validated.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 3eaecd262bfee837f83c3cbf76059bfdffd6f05a7239e1156d64c57d5c8e32a8
Windows arm64 7d028c4a95bc24de42dbf4436f3a9ec8b269f19d22ab86c22b352d41f6f6e514
macOS universal 3edc907201175650df6370c269ce8c6a78364b410d1a814504d968a70edec3d6
Ubuntu amd64 611059768083270b9305b15b659c3e145022377535674146cf9b31aeab78d863
Ubuntu arm64 9bfa496fc01e57abec1b35726b8cfdf44d55b2a0776d4e1470ddaa672c267d16
Fedora amd64 a1a3300741fd35f3252d08e249b5d303d18200b01ab96bf7317a0305382f1bc0
Fedora arm64 49e01e8649670893a37411afc8ee63691e342704e5dcd0945dc2de131df1e33a
OpenSUSE amd64 dbe16ec934015a488e95a55773075de84d123a068e3de7981a20ed6059ba290d
Arch Linux amd64 82b32705bf43d000857eb87fb65f2b18355b287135374fe50e8d43db688284b5

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 a39795350a731c64a55e4a9f35eb69075106908e30f62ad5b8d9b076ba89c186
Ubuntu CLI arm64 ded0e1d9a9644f26e979016748f7c8fb04229b25c0e254c5c3ba6f9211072612
Fedora CLI amd64 8fcb3021cac06ed8391c728a6665213ba959f125268a1f5b728dc7b668b72735
Fedora CLI arm64 1a96d91c123e91613a8c6db499dbeb67e3bc1b9f0f2274d15786749eec82ec9a
OpenSUSE CLI amd64 59937c8bd4a8b68b88c0586fca0510a4f468fd9da6ad9f3c562e9330f2fc2b9c
Arch Linux CLI amd64 8f8b10724dbccbed5fb4a45068878018817467a0bde7ab3d3449fb28deccf5c1

v2.23.6-beta

v2.23.6-beta Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 08 Jun 17:21

Improved

  • Release build security by enabling signature/path verification checks by default with an explicit local development opt-out.
  • Russian and Ukrainian translations in the desktop app, installer, and CLI from GitHub user WkdXeqtr.
  • Windows IKEv2 connector stability to mitigate possible crashes.
  • Debug logs by removing false positives that could mislead automated log analysis on Windows.
  • macOS builds against Xcode 26.5 and enabled ARC for client-common Objective-C++ code.

Fixed

  • Control D via API Key connections failing when an IPv6 bootstrap IP from Custom DNS was retained without native IPv6.
  • Ignore SSL Errors runtime bypass handling to reset wsnet failovers before retrying failed requests.
  • IP pinning fallback when an Advanced Parameters remote IP does not match the selected location.
  • Memory leak when handling CLI IPC commands.
  • Windows installer progress handling near completion when uninstalling previous components and launching the app.
  • Periodic reconnects on Windows IKEv2 connections caused by transient OS status checks.
  • Logout/session deletion leaving the Windscribe IKEv2 VPN profile in macOS System Settings.
  • Linux address selection so IPv6-capable VPN connections do not incorrectly prefer IPv4 via Windscribe gai.conf handling.
  • deb/rpm packages installing scripts or helper files with world-writable permissions.

Updated

  • Updated wsnet to 1.5.20.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 df93758e0222404c1d8fb9399d186de5d55ff59473a2450103e69be270bc4f40
Windows arm64 14031f4a47ed882add396e1e86b1006ad9e1e1adcff92d08ac0beb076474ac83
macOS universal c7195a562e902f01df3e4ae8980748688fc30d608407abc10a23d2d407d36dd6
Ubuntu amd64 16da3a768159c6904eedd7a4ae105cd73660d4060b47de23d27b573fb3b002aa
Ubuntu arm64 523b0c808546f7735b4ff7c8a7b4e62c5e65080ec5569fca2d437382695597bf
Fedora amd64 58dab30f9f17f206c80b0d811c97d86120a51e5d74d4ea69cef7e233c65e3040
Fedora arm64 6daca17fa545e0600e1d12fbef85ed3cf35e29374c280ae0a41c02a6357a9560
OpenSUSE amd64 316f81e258e9c78bbeeb8043f8b476bccc1894923f45fe55f728470126845caa
Arch Linux amd64 f8278f3ccd6b02f3cd44296b7828ed0d2b56d7948b6a9d050d88e63541013d79

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 fe8e63ac614cd610e394f2a151e31082371a2971e2a2cec6cf33293e83787d3f
Ubuntu CLI arm64 265b4df50ec097068e29853aa425cde84510fa0d72a7d492b42f6076e457aa20
Fedora CLI amd64 3010a837cd9fa653bbf3648460454262df67391b1b3c030f36ac3f36beaede2f
Fedora CLI arm64 087b9c2db94326a2fee05d048cd3236d82b1cc1f310e57da466589829b8c00d7
OpenSUSE CLI amd64 0c8b7b1e366ede8e254243f1e929167961f6743787b4a800894045944fbf0876
Arch Linux CLI amd64 90839494988e51cb7831ed368a0b8c6110d75cd9356bf5af70282342f7428249

v2.23.5-alpha

v2.23.5-alpha Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 02 Jun 21:06

Added

  • Package signing and update authenticity hardening for supported Linux packages.

Improved

  • Windows helper IPC parameter validation to reduce local IPC attack surface.
  • Linux helper IPC/API hardening after EGL gid-check bypass review.
  • Belarusian translations in the desktop app, installer, and CLI from GitHub user dubovy-achvelak.
  • Proxy Gateway privacy by no longer logging blocked destinations for HTTP and SOCKS gateway requests.
  • IP Stack preference wording to clarify it applies to WireGuard only.
  • Preferences title casing consistency.
  • Sign Up screen helper text styling under the Password and Email fields.
  • JSON/INI import consistency for proxy sharing and MAC spoofing settings.

Fixed

  • Linux IPv6 split-tunnel routes being added without the required interface name.
  • Linux IPv6 DNS leak protection missing ip6tables rules for IPv6 DNS resolvers.
  • Linux split-tunneling process monitor skipping proc events after the first netlink read.
  • Linux split-tunneling setup failures being reported as successful.
  • Persistent Ignore SSL Errors preference behavior so TLS validation bypass is runtime-only and does not survive app restart.
  • AmneziaWG custom WireGuard I-values allowing newline/config injection in imported custom configs.
  • Malformed OpenVPN inline tags bypassing custom config directive filtering.
  • Connected DNS Custom 0.0.0.0 breaking local ctrld resolver behavior while connected.
  • Split tunneling disabled message handling on macOS.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 d9020541bef258850382ce31aa36b0dac9ec75d92fd41192d55b1233439eeb70
Windows arm64 c6f4d2ad42f332523159b38b59f499df3abd541e6ff6ceeb567bd7a3f8257ae8
macOS universal 1b57b0a50b4cd8163682129c5d189f76d9af8ed06c49b0cd179900243fc59aef
Ubuntu amd64 8b7bca9e75a2e9126051165543ce73681ed687b4e49435b94dfca3a9b6e64b1b
Ubuntu arm64 de098cbf65599d2d79bc8934ac88074382008fffe0b9804a7dcd724fe226147d
Fedora amd64 f0f856de4071613641928483014c9af9e039c88190e552f1756e95fd70468e4b
Fedora arm64 53d716f5865e56fc3c293049a158f263d6d1b427811fea76a9c6f009b626a287
OpenSUSE amd64 57041f5a206730f9bc767f59f29c48e4f127fd2b6f7280138d9f430ed90bc884
Arch Linux amd64 ffda63bb3b12da60a14b0c9429992c4ca46f4800ad35a437b5097910c03d82be

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 6b624bf815e97356c427de11bfd98193ecb8e62c886686024ecb3b3631a07a8d
Ubuntu CLI arm64 4fdac28d4c4ab5ce0fdbb313dc120c311a1b66004e6f212b5a4b544472c2aa7b
Fedora CLI amd64 4cfa0d8de4ec5f7aa86e9e41d81b9327f093dde29a28e483fd1f11b329df62fe
Fedora CLI arm64 b60afe55f2711bf307bf9f5a33b0d3e7bdffbdb44a0d0e2058edc8534b0177a7
OpenSUSE CLI amd64 23bd45ed7ff06ad9cc5a9a7690d6aca2d62fcb34e53b44c8b785f7fc6c535027
Arch Linux CLI amd64 ca18e7c43ac434b352df3290124480ed53aaf31b0de89394f83fa79b99845d88

v2.23.4-alpha

v2.23.4-alpha Pre-release
Pre-release

Choose a tag to compare

@bernerdad bernerdad released this 22 May 22:09

Added

  • IPv6 connection modes for WireGuard locations that support IPv6.
  • OpenVPN DCO support when the ovpn-dco-v2 module is available on Linux.
  • Public IP address to windscribe-cli status output, including split tunnel mode.

Improved

  • OpenVPN anti-censorship support by replacing the custom junk packet implementation with Amnezia-compatible Junk and I packet options.
  • OpenVPN custom config filtering for connection blocks and unsafe custom config paths.
  • Proxy Gateway security by blocking proxied connections to localhost, LAN, and link-local destinations, and adding authentication for shared proxy access.
  • Custom config directory security checks to run without elevation and correctly detect directories writable by other users.
  • Flatpak app split tunneling by matching Flatpak app IDs instead of relying only on executable/command name matching.
  • Windows installer handling when the Base Filtering Engine service is stopped, unavailable, or blocked by security software.
  • JSON/INI import consistency for proxy sharing and MAC spoofing settings.
  • Connection manager connector internals for maintainability without changing connection behavior.
  • Dependency build tooling security by using safe YAML config loading.
  • Validation for settings.
  • Helper file handling and permissions on macOS and Linux.
  • Helper reliability when reporting system errors on macOS and Linux.

Fixed

  • Possible local privilege escalation in the bootstrapper temporary extraction flow on Windows.
  • Possible local privilege escalation in the auto-updater signature verification and launch flow on Windows and macOS.
  • VPN sharing proxy relay buffering that could duplicate queued socket data or grow memory usage with slow peers.
  • Some OpenVPN custom configs being rejected.
  • HTTP Proxy Gateway forwarding proxy authentication credentials to destination websites.
  • A possible crash when downgrading from 2.23 to an older version.
  • Auth token parse failures logging the raw API response, which could expose session token data in debug logs.
  • HTTP Proxy Gateway request parsing allowing unbounded pre-authentication input before authentication challenge.
  • Helper IPC frame parsing to reject malformed or oversized messages safely on Windows and Linux.
  • Exported preferences not preserving the DNS Manager option on Linux.
  • Migration of legacy Flatpak split tunneling entries so existing rules continue to work.
  • Generated OpenVPN config files and runtime directories using overly broad permissions that could expose VPN key material to local users on macOS and Linux.
  • stunnel/wstunnel relay listeners binding to all interfaces instead of loopback only on macOS and Linux.

Updated

  • Qt to 6.11.1.
  • OpenVPN to 2.7 with handling for management output changes, Windows DCO/TAP behavior, and Stealth/WStunnel disconnect behavior.
  • OpenSSL 4.0.
  • WireGuard for Windows to the latest 1.0 release.
  • Bundled wstunnel binaries to the latest available release.

GUI Installer Hashes

Installer SHA-256 hash
Windows amd64 34a6d2359457db1a607445bc899bf73ad09fe285250674d4e1c81f1fac753e64
Windows arm64 827be81b1c34e60382abc5c149cac33774ff7013cffe8834f3c40ef25d5bfacf
macOS universal 53db601fc07c34c15e014b723c2ea6165b8417f51267d1920bffd60504dca4ef
Ubuntu amd64 df96cd2f902d1197375d793f044236617eb80d005415079104d6272c503e0892
Ubuntu arm64 755c7773563b4001984a09258c00609a712fd2fee004e6a585b041f4a2c40c0c
Fedora amd64 b28f16509538303be1ce3638ad6ac8897ccc356aafedd29139bd58c391df729c
Fedora arm64 b993f81dc1ba791c0f66749dae0036b115beac9d19e5831ad08ba47eace25ff5
OpenSUSE amd64 fe5e6e51c3c5a37927491c26facbdb679a0904708d1661e8f75fb862fb2554ac
Arch Linux amd64 05b18b67377a28360a846d73fc277bfb46f02a6844bb4ced637a8471df50c138

CLI Installer Hashes

Installer SHA-256 hash
Ubuntu CLI amd64 91540af707274b245359b54bc4be86c0109215847bf9e3d3c064a86d90eeb589
Ubuntu CLI arm64 22d422e4107724cb811a7cc19d5748c5b73cf96e9c340addc66086d2d7c4a517
Fedora CLI amd64 254f915b37b8437e2497c86417c899afd44f2b8367d847f492676e378c04982d
Fedora CLI arm64 da5114fe519d90b1a40227f55f45357fdf56eaca92cd35d3586fa59f0d504aa1
OpenSUSE CLI amd64 956eb122402b8d5e0c5bae5feee492f9db175d92761ab4cd01a1e72d239fac0a
Arch Linux CLI amd64 2537a37386ef5a5f3e3cc5c960fa7da94505c18f924f019a40bab18c9d47cb2e