Client Update v0.15.5

Published at February 15, 2025 · 4 min read


We’re excited to announce v0.15.5 of the Packetriot client! This release includes significant updates, improvements, and bug fixes that enhance functionality and user experience.

The update is available on our downloads page and in our apt and yum repositories.

Containers for the client are available as well. Use the command below to pull the image; it is published for the x86-64, arm32, and arm64 platforms.

docker pull packetriot/pktriot:latest

Authentication Enhancements

We’ve added support for OpenID Connect to HTTP/S traffic rules. OpenID Connect (OIDC) centralizes authentication with a single identity provider and is commonly used by companies and teams so that users, groups, and authentication policies are managed in one place.

OIDC follows a standard workflow, so our implementation should work with any compliant provider, such as Okta, Auth0, Azure AD, or Google Accounts.

We plan to publish a tutorial on using OIDC to identify and authenticate visitors to a website, but here are some details and an example for those already familiar with it.

Integrating with an OpenID Connect provider requires these values:

  • Client ID
  • Client Secret
  • Provider URL
  • Redirect URL

We’ve added these new flags to the pktriot tunnel http add command:

--oidc-client-id        OpenID connect client ID
--oidc-client-secret    OpenID connect client secret
--oidc-provider-url     URL for OpenID connect provider
--oidc-redirect-url     Redirect URL for OpenID connect authentication

Here is an example of adding OIDC to authenticate users visiting a static website.

[user@host ] pktriot tunnel http add --domain awesome-tun-123.pktriot.net \
	--webroot /www/awesome-blog \
	--oidc-client-id <client id> --oidc-client-secret <client secret> \
	--oidc-provider-url https://dev-12345.okta.com \
	--oidc-redirect-url https://awesome-tun-123.pktriot.net/login

In this example, we’re using Okta as our OIDC provider. Keep in mind that a client secret passed as a command-line flag is recorded in your shell history and is visible in the process list while the command runs, so treat that history with the same care as the secret itself. The Packetriot client provides these standardized endpoints when OIDC is enabled:

  • /login - Visitors are redirected here when they need to authenticate
  • /logout - Invoked by the website or the OIDC provider to terminate the web session
  • /callback - The OIDC provider redirects the user’s browser here after the user authenticates

The client also extracts the user and email claims from the OpenID ID token and passes them to the upstream application in the standard X-Forwarded-User and X-Forwarded-Email header fields. An upstream application should accept these headers only on requests that arrive through the tunnel client; on any other path into the application a caller can set them freely.

When you set up an “application” with your OIDC provider, you must register fully-qualified URLs for the endpoints that provide these behaviors. For the example website, the login URL is https://awesome-tun-123.pktriot.net/login and the callback URL is https://awesome-tun-123.pktriot.net/callback. Providers reject authorization requests whose redirect URI does not exactly match a registered value, so check the scheme, host, and path character for character.
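As an added example (not Packetriot’s code, and not part of the original post), here is a small Go application that consumes the X-Forwarded-User and X-Forwarded-Email headers the client forwards after an OIDC login. It assumes the HTTP rule forwards traffic to a local application instead of serving a webroot, and that the Packetriot client connects to that application over loopback; the loopback addresses listed in trustedProxies are that assumption. The headers are honored only when the request comes from a trusted peer, so a request that reaches the listener by any other route cannot spoof an identity.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// Identity carries the claims forwarded by the tunnel client after an OIDC login.
type Identity struct {
	User  string
	Email string
}

// trustedProxies lists the peer addresses allowed to assert identity headers.
// Assumption: the Packetriot client runs on the same host and connects to this
// application over loopback. Adjust this for your deployment.
var trustedProxies = map[string]bool{"127.0.0.1": true, "::1": true}

// identityFromRequest returns the identity asserted by X-Forwarded-User and
// X-Forwarded-Email, but only when the request comes from a trusted proxy.
// Headers from any other peer are ignored rather than merely logged, because a
// caller that reaches this listener directly could set them to anything.
func identityFromRequest(r *http.Request) (Identity, bool) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil || !trustedProxies[host] {
		return Identity{}, false
	}
	user := strings.TrimSpace(r.Header.Get("X-Forwarded-User"))
	email := strings.TrimSpace(r.Header.Get("X-Forwarded-Email"))
	if user == "" {
		return Identity{}, false
	}
	return Identity{User: user, Email: email}, true
}

// requireIdentity wraps a handler so that it only runs for requests carrying a
// trusted identity; everything else receives 401.
func requireIdentity(next func(http.ResponseWriter, *http.Request, Identity)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id, ok := identityFromRequest(r)
		if !ok {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next(w, r, id)
	}
}

// hello is a placeholder application handler that greets the forwarded identity.
func hello(w http.ResponseWriter, r *http.Request, id Identity) {
	fmt.Fprintf(w, "hello %s <%s>\n", id.User, id.Email)
}

// newMux builds the application routes; kept separate from main so it can be
// exercised with net/http/httptest.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/", requireIdentity(hello))
	return mux
}

func main() {
	// Bind to loopback only so that the tunnel client is the only way in.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", newMux()))
}
```

Binding the application to loopback and checking the peer address are two halves of the same control: the first keeps remote callers away from the listener, the second keeps a local process from minting identities by talking to it directly.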

Some of our users have requested this feature in the past, so we’re glad to offer it, and we will provide a more comprehensive tutorial in the future. It joins the other authentication methods built into our client:

  • HTTP Basic/Digest
  • Password & 2FA authentication portal

Improved TLS Management

We implemented a new TLS management library that we deployed initially with the Spokes v1.5.0 release. The client now uses this library as well. The change fixes some bugs and improves the overall management of TLS certificates and the integration with ACME-based services like Let’s Encrypt.

In future releases, we will add the ability to use ACME CAs beyond Let’s Encrypt, such as ZeroSSL.

Changes to our Build

The Packetriot client and Spokes server are both written in Go. In earlier versions, we did not disable CGO in our builds. With CGO enabled, the Go toolchain dynamically links the binary against the host’s C library, so a build made against one glibc version could fail to start on a distribution with an older or different libc, which degraded portability across Linux systems.

Moving forward, we build with CGO disabled, which produces a statically linked binary and makes our client even more portable across different versions of Linux.

Stability Improvements

We fixed several bugs in this release, including one that locked up the client once all of its reconnection attempts were exhausted.

A bug in our uptime and network monitoring was fixed as well. A typo prevented us from correctly testing HTTP/S endpoints. If you did not have any TCP traffic set up (which is

DNS-over-HTTPS (DoH)

Previously, DoH could only be enabled during tunnel configuration with the --doh flag. With this release, the --doh flag is also accepted by the pktriot start command, so you can use DoH when local DNS is not resolving the domain names of our servers.

Thanks

These enhancements are part of our commitment to improving the functionality and stability of all our published software.

We appreciate all the input and bug reports you’ve sent us! Let us know which new features or improvements you would like us to focus on for the client.

Cheers!