Netrinos Client v1.3.2 Release Notes

Release Date: 2026-05-20

Overview

Version 1.3.2 introduces Device/Network access control, lets virtual devices initiate outbound connections, makes it easier to connect to remote devices and services from the desktop UI, brings the desktop GUI to arm64 Linux, adds RPM packaging, and adds in-app and command-line software updates.

Access Control: Device and Network split

The Access Control page now has two independent toggles per peer:

• Device: peer can reach this device’s local services
• Network: peer can forward through this device to your LAN, virtual devices, or the internet

Both default to on; either can be toggled in the portal, desktop UI, or via netrinos acl. Run netrinos acl help for syntax.

Behaviour change on upgrade: with AccessControl=true, peers not in the ACL also lose forwarding access through this device. Previously forwarded traffic was ungated. If you relied on the prior behaviour, set Network=true for the affected peers, or use the all.<account> wildcard.

If a misconfigured ACL locks you out of your own node, run netrinos acl off locally to disable enforcement.

Virtual Devices

• Outbound from LAN devices: registered virtual devices can now initiate connections into the mesh. Requires a static route on your LAN router pointing your Netrinos subnet (shown in the portal) at the Netrinos host’s LAN address.
• Hairpin from the gateway host (Linux): curl vdev_SecureIP:port from the gateway shell now reaches the vdev target.
• Immediate apply: netrinos vdev add and vdev del take effect before the command returns.
• Edits propagate to the portal: virtual device name and description changes made locally are now pushed to the server, so the portal stays in sync.
• No more ghost vdevs: deleting a virtual device locally also clears its server-side allocation; previously the portal could hold on to stale entries.

Easier to connect to remote services

The desktop status screen now shows each peer’s open ports as small clickable chips. Click a chip to open the right app for that service, with no hunting for IPs or typing URIs.

• HTTP / HTTPS: opens the browser at the peer.
• SMB (file share): Windows opens \\host in Explorer; macOS opens smb:// in Finder; Linux opens it in your file manager, even on desktops that don’t otherwise hand off smb:// (e.g. Cinnamon / Nemo).
• RDP (Remote Desktop): Windows opens mstsc; macOS opens Microsoft’s Windows App (formerly Microsoft Remote Desktop) when installed; Linux opens whatever you have registered as the rdp:// handler (Remmina, GNOME Connections, KRDC). The tile shows only when the desktop has a registered RDP handler.
• VNC: Windows detects an installed viewer (TigerVNC, RealVNC, TightVNC, UltraVNC); macOS uses built-in Screen Sharing; Linux uses your registered VNC client.
• SSH: opens a connect dialog. Pick Terminal (SSH) for a shell, or Files (SFTP) to browse the host’s files in your file manager (Linux). The dialog remembers your username and your preferred action per host, so the next click is one Enter away.

Virtual devices show the same tiles as peers, including local virtual devices hosted on this device.

On relayed peers, tiles stay disabled until a quick alive probe confirms the peer is reachable.

Platform support

• arm64 Linux desktop GUI: the Netrinos UI ships in the arm64 client package. Pi5, arm64 Chromebooks, and similar.
• macOS universal wg: the bundled wg tool runs on Intel Macs again (was Apple Silicon only).
• RHEL / CentOS / Fedora: RPM package added (CLI-only on RHEL 9; GUI requires webkit2gtk 4.1).
• Installer dependencies: deb and rpm packages now declare wireguard, wireguard-tools, nftables so apt/dnf installs them automatically.

Software updates

The desktop app now updates itself. When a new version is available, the About page shows it and an indicator appears beside the alerts bell; click Upgrade and Netrinos downloads the update, installs it, and relaunches into the new build. No reinstall, no manual download.

From the command line, on macOS, Windows, and Linux:

netrinos upgrade                 # update to the latest build
netrinos upgrade channel         # show the current update channel
netrinos upgrade channel latest  # set the channel (latest/daily/beta)

Connection reliability

• Better DPI handling: when cloak is enabled, WireGuard traffic is disguised as a real QUIC session. Defeats FortiGate-class firewalls that previously blocked new connections and killed long-lived ones after 30 to 40 minutes.
• NAT pinhole auto-recovery: stuck connections behind aggressive firewalls now recover automatically.
• Faster peer discovery: 1-2 second probe timeouts on UniFi and similar consumer routers are eliminated.

Desktop UI

• Access page: Device and Network columns per peer.
• Devices page: click-to-edit redesign.
• Status page: virtual devices collapse under their parent peer; per-device detail sheet with service tiles (see above); cleaner tooltips and offline-row styling.
• Login page: no longer offers cached usernames from previous sessions. Long-press the version line in the footer to reveal a hidden Server field for switching between production, staging, or a custom config server (previously a CLI-only knob).
• Logs page: log-level dropdown in the header, with a one-click clear next to it that empties the in-memory log view (the log file is untouched; new lines flow back in immediately).
• Alerts page: modernized – a single colored device icon (green for connected, red for disconnected) replaces the separate status dot, and the Event column now lines up with its rows.
• About page: shows the running version and build, and offers a one-click Upgrade when an update is available.

CLI

• netrinos acl ... [device|network|both]: scope argument on set / add / remove; acl show lists effective flags per peer.
• netrinos id/ida/idp: cleaner tables, plus SecureIP, Version, and Caps columns for diagnostics.
• netrinos wg / wgf / wgk: shows the internal proxy socket alongside the real endpoint.
• netrinos update: alias for upgrade.
• netrinos configserver: same operation is now also reachable from the desktop GUI via the login footer (see Desktop UI).

Type netrinos <command> help for full syntax on any command.

Fixes

• Fixed: on macOS, virtual devices and Access Control could silently fail to apply after reboot.
• Fixed: the bundled wg tool now runs on Intel Macs.
• Fixed: on Windows, the mesh datapath could stay dead after netrinos restart until reboot.
• Fixed: on Windows, the daemon could lose its own outbound connectivity under sustained operation.
• Fixed: on Windows, ACL could fail to arm when AccessControl was toggled while NAT was active.
• Fixed: on Windows, netrinos vdev rem no longer reports “Netrinos is not ready” while actually succeeding.
• Fixed: on Windows, virtual-device traffic could be silently dropped on gateway nodes.
• Fixed: netrinos doctor no longer reports “Firewall: MISSING” on Debian / RHEL / Fedora.
• Fixed: ACL changes from CLI and portal no longer race the periodic sync.
• Fixed: routes through a gateway peer are properly cleaned up on removal.
• Fixed: large networks (hundreds of peers) no longer drop probe results from an undersized internal queue.
• Fixed: netrinos log clear is now a real log rotation.
• Fixed: Netrinos runs cleanly on NVIDIA Jetson and similar embedded Linux kernels.

Compatibility

• Works with v1.2.4, v1.2.5, v1.2.6, v1.3.0, and v1.3.1 clients.
• Some features (cloak direct path, Device/Network ACL, faster peer identity check) need both peers on v1.3.1 or newer with a recent build. Older peers fall back transparently.
• On Windows, Device and Network behave as a combined allowlist in this release; use both flags or neither for predictable behaviour. A per-purpose Windows port is planned.
• No configuration changes required for non-cloak users.

Updating

netrinos upgrade