Changes and improvements
  - Fixed an issue where SSH sessions and other connections were dropped when using MASQUE and the device's network interface changed.
  - Improvement made so that device posture client certificate checks now support PKCS#1.
  - Fixed an issue to ensure the managed certificate is installed in the trust store if not already there.
  - Reduced unnecessary log messages when resolv.conf has no owner.
  - Fixed an issue with warp-diag printing benign TLS certificate errors.
  - Fixed an issue with the WARP client becoming unresponsive during startup.
  - Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.
  - Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users.

Changes and improvements
  - Fixed an issue where SSH sessions and other connections were dropped when using MASQUE and the device's network interface changed.
  - Improvement made so that device posture client certificate checks now support PKCS#1.
  - Fixed an issue to ensure the managed certificate is installed in the trust store if not already there.
  - Reduced unnecessary log messages when resolv.conf has no owner.
  - Fixed an issue with warp-diag printing benign TLS certificate errors.
  - Improved reliability of connection establishment logic under degraded network conditions.
  - Improved captive portal detection behavior by forcing captive portal checks outside the tunnel.
  - Allow the ability to configure tunnel protocol for consumer registrations.
  - Fixed an issue with the WARP client becoming unresponsive during startup.
  - Extended diagnostics collection time in warp-diag to ensure logs are captured reliably.
  - Fixed an issue that was preventing proper operation of DNS-over-TLS (DoT) for consumer users.

Changes and improvements
  - Added list targets to the warp-cli to enhance the user experience with the Access for Infrastructure SSH solution.
  - Added the ability to customize PCAP options in the warp-cli.
  - Added a list of installed applications in warp-diag.
  - Added a tunnel reset mtu subcommand to the warp-cli.
  - Added the ability for warp-cli to use the team provided in the MDM file for initial registration.
  - Added a JSON output option to the warp-cli.
  - Added the ability to execute a pcap on multiple interfaces with warp-cli.
  - Added MASQUE tunnel protocol support for Consumer WARP.
  - Improved the performance of firewall operations when enforcing split tunnel configuration.
  - Fixed an issue where device posture certificate checks were unexpectedly failing.
  - Fixed an issue where the Linux GUI fails to open the browser login window when registering a new ZT organization.
  - Fixed an issue where clients using service tokens failed to retry after a network change.
  - Fixed an issue where the client, when switching between WireGuard and MASQUE protocols, sometimes required a manual tunnel key reset.
  - Fixed a known issue which required users to re-register when an older single configuration MDM file was deployed after deploying the newer, multiple configuration format.
  - Deprecated warp-cli commands have been removed. If you have any workflows that use the deprecated commands, please update to the new commands where necessary.

  Known issues
  - Using MASQUE as the tunnel protocol may be incompatible if your organization has Regional Services enabled.

New Features
  - The WARP client now supports operation on Ubuntu 24.04.
  - Admins can now elect to have ZT WARP clients connect using the MASQUE protocol; this setting is in Device Profiles. Note: before MASQUE can be used, the global setting for Override local interface IP must be enabled. For more detail, see https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#device-tunnel-protocol. This feature will be rolled out to customers in stages over approximately the next month.
  - The Device Posture client certificate check has been substantially enhanced. The primary enhancement is the ability to check for client certificates that have unique common names, made unique by the inclusion of the device serial number or host name (for example, CN = 123456.mycompany, where 123456 is the device serial number). Additional details can be found here:  https://developers.cloudflare.com/cloudflare-one/identity/devices/warp-client-checks/client-certificate/
  - TCP MSS clamping is now used where necessary to meet the MTU requirements of the tunnel interface. This will be especially helpful in docker use cases.

  Warnings
  - Ubuntu 16.04 and 18.04 are not supported by this version of the client.
  - This is the last GA release that will be supporting older, deprecated warp-cli commands. There are two methods to identify these commands. One, when used in this release, the command will work but will also return a deprecation warning. And two, the deprecated commands do not appear in the output of `warp-cli -h`.

  Known issues
  - There are certain known limitations preventing the use of the MASQUE tunnel protocol in certain scenarios. Do not use the MASQUE tunnel protocol if:
    - A Magic WAN integration is on the account and does not have the latest packet flow path for WARP traffic. Please check migration status with your account team.
    - Your account has Regional Services enabled.
  - The Linux client GUI does not yet support all GUI features found in the Windows and macOS clients. Future releases of the Linux client will be adding these GUI features.
  - ZT Org name not visible in GUI when upgrading from previous GA while under mdm control.
  - Sometimes the Icon will remain gray (disconnected state) while in dark mode.

- Linux client downloads will now contain version numbers in the file name to allow easy identification.
  - Improved the re-connection logic to minimize impact to existing tunneled TCP sessions.
  - Increased the data collected by warp-diag to improve debugging capabilities.

  Known issues
  - The Linux client GUI does not yet support all GUI features found in the Windows and macOS clients. Future releases of the Linux client will be adding these GUI features.
  - ZT Org name not visible in GUI when upgrading from previous GA while under mdm control.
  - Sometimes the Icon will remain gray (disconnected state) while in dark mode.

- Added support for the arm64 architecture.
  - Added the ability for administrators to allow their end users to temporarily obtain access to local network resources in the event their home IP space overlaps with traffic normally routed through the WARP tunnel. Users on Linux interact with this feature via the warp-cli.
  - Added the ability for administrators to specify multiple configurations in MDM files that users can toggle between. This allows users to more easily switch between production and test environments or for China users to switch between their override endpoints within the UI. Users on Linux interact with this feature via the warp-cli. Refer to the help text from "warp-cli mdm --help". GUI integration of this feature will be released in the future.
  - Added the collection of firewall log information and other data to warp-diag to provide additional information for troubleshooting.
  - Added support to run a DHCP server on the same machine as the client (useful in virtual machine scenarios).
  - Added support for os_version_extra on Linux to enhance the OS device posture check.
  - Fixed an issue with sleep notifications making the client more reactive to sleep/wake-up scenarios.
  - Fixed an issue to ensure DEX tests only run when the client is connected.
  - Fixed an issue where IPv6 being disabled at boot time was not detected, leading to errors when the client attempts to set IPv6 addresses.

  Known issues
  - The Linux client GUI does not yet support all GUI features found in the Windows and macOS clients. Future releases of the Linux client will be adding these GUI features.
  - ZT Org name not visible in GUI when upgrading from previous GA while under mdm control
  - Sometimes the Icon will remain gray (disconnected state) while in dark

This release contains reliability improvements and finished our initial Linux UI work for GNOME CentOS

  Notable updates
  - Added support for GNOME CentOS to the UI. This work allows for more seamless authentication and control of the client, bringing it inline with the macOS and Windows for core functionality.

  Known issues
  - Not all UI features are in place yet, more will be coming in future releases
  - ZT Org name not visible in GUI when upgrading from previous GA while under mdm control
  - Sometimes the Icon will remain gray (disconnected state) while in dark

- Added initial implementation of Linux UI for Ubuntu with things like toggle switch, status, ability to switch vnets and better support for joining a Zero Trust organization
  - Added new posture type: Client certificate
  - Added support for IPv6 DEX Traceroute tests (previously only IPv4 addresses could be used)
  - Improved reliability and efficiency in configurating split tunnel rules. Most "error petting the dog" errors should now be gone and organizations with large split tunnel configuration should see reliability improvements.
  - Fixed an issue with DEX traceroutes tests where not all hops were correctly reported
  - Fixed an issue where DEX tests would not properly run immediately after a device came out of sleep
  - Fixed an issue where DEX tests would execute simultaneously causing performance issues for accounts with a large number of tests configured
  - Fixed an issue where DoH requests could take too long to timeout causes DNS reliability issues
  - Fixed an issue where DNS could temporarily fail when DHCP updates were processed
  - Fixed an issue on initial device registration that could sometimes cause it to fail and try again
  - Fixed an issue where short DNS timeouts were causing issues with some captive portals (United in particular)
  - Fixed an issue where managed network detection could fail when our firewall rules were not correctly removed under certain disconnect scenarios
  - Fixed an issue with Managed Networks where if the managed endpoint overlapped with your exclude split tunnel configuration, the split tunnel would only be open for IP traffic destined to the same port as your managed TLS endpoint
  - Fixed an issue where IPv6 traffic could be incorrectly sent down the tunnel in exclude mode
  - Fixed an issue where root CA would not be installed if enabled by admin because we were missing ca-certificates dependency
  - Fixed an issue where the client could be stuck on connecting

  Known issues
  - Not all UI features are in place yet, more will be coming in future releases
  - ZT Org name not visible in GUI when upgrading from previous GA while under mdm control
  - Sometimes the Icon will remain gray (disconnected state) while in dark

- Added support for "SWG without DNS Filtering" mode. All DNS functionality
	  from the WARP client is disabled while in this service mode
  - Added support for distribution name and version to be used in OS Version
	  device posture checks
  - Improved performance of the client when in "Proxy Only" service mode
  - Improved performance of domain-based split tunneling when the IP was already
    split tunneled (seen frequently with Zoom domains and IPs being used)
  - Modified warp-cli settings to show if the applied settings came from local (mdm) or
	  network (warp settings profile) policy to make debugging profile issues easier
  - Fixed an issue that could result in increased latency when resolving queries
  - Optimized the performance of DNS queries to prevent minor memory leaks
  - Fixed an issue when service token information was removed from an mdm.xml file
    the client would not prompt for user authentication as expected
  - Fixed an issue where localhost DNS proxy could not be set properly in certain VPN and VM configuration
  - Fixed an issue where the client would attempt to connect even when the "AUTO CONNECT" setting
    was Disabled in WARP Settings or not specified either in an MDM file
  - Fixed an issue where the client would not correctly detect and apply alternate network configuration between network changes

- Added support for millisecond timestamps for use in Digital Experience Monitoring
  - Fixed an issue with Root CA installation feature

- Improve timeouts with broken CNAME records that could result in very long load times for certain apps
  - Fixed issue where systems with significantly out of sync system clocks could fail registration
  - Improved user validation logic during manual ZT login
  - Fixed issue where the WARP daemon can crash and lose connectivity
  - Fixed issue where warp-diag could run traceroutes longer than expected.
    Traceroute tests will now timeout after 65 seconds.
  - Fixed issue where manually logging into a ZT org could fail if certificate authentication was used
  - Added support for Zero Trust Digital Experience Monitoring.
    More information coming soon for customers who signed up for the beta
  - Added new log message to help customers and support identify when a users local
    network IP space overlaps with a remote network configured to go through the tunnel
  - Added support for Zero Trust customers to opt in to having the WARP Client install the root CA
    for your organization if TLS Decryption is enabled.
    A new toggle switch will appear in the dashboard under Settings->WARP Client soon to enable this
  - Modified behavior of Managed networks tests to always happen outside the tunnel as per original intent
  - Improved logging of application posture checks to understand rationale behind
    statuses of application checks (file missing, process not found, etc.)
  - Added support for more detailed statuses in the output of warp-cli status
  - Modified initial connectivity check behavior to retry on errors

- Fixed an issue where clients could lose IPv4 connectivity
  - Fixed an issue where clients would attempt to configure DNS in posture-only
    or proxy modes.
  - Increased MDM check timeout to improve compatibility with certain management
    solutions.

- Added support for network location aware for Zero Trust organizations
  - Improved captive portal handling for some captive portals
  - Fixes for several edge case issues with Zero Trust organizations
  - Turning on DNS logging no longer forces a disconnect and reconnect
  - Modified initial connectivity check behavior to now validate both IPv4 and
    IPv6 are working (previously we only checked IPv4). Test will pass if either
    connects successfully.
  - Fixed DNS issue where TXT records were not being correctly returned when at
    the end of a CNAME chain.
  - Addressed some edge case performance issues with certain NXDOMAIN returns

- Modified behavior of warp-cli enable-dns-log to automatically turn off after
  7 days (this is the equivalent of manually running warp-cli disable-dns-log)
  - Fixed issue where device posture timers were paused while device was asleep.
  Posture tests are now immediately ran on device wakeup and all timers
  restarted.
  - Decreased warp-diag zip file sizes by 60-80%.
  - Fixed issue where mdm.xml file updates may have been missed.
  - Fixed issue where warp DNS servers were still set after WARP was turned off

- Fixed issue where device posture check results stopped sending after 24
  hours (or possibly even sooner)

- Improved connection time on slow network connections
  - Fixed bug where initial teams registration could take awhile to show up on
  client UI
  - Fixed bug that could cause Teams registration to fail (mostly server side
  but mentioning here as well) and handoff from the success page in the
  browser to the client
  - Fixed DNS fallback timeouts and related performance issues
  - Fixed issue where coming out of sleep on some systems could take an
  unreasonably long time to connect
  - Fixed InvalidPacket error in logs that indicated the client needed to reset
  its connection
  - Fixed issue where user experienced no network after boot
  - Fixed issue where warp-diag rotated daemon logs did not collect older logs

- Fixed issue where warp-cli set-custom-endpoint could be used by users
  without local admin rights as a way to bypass Gateway policies.
  - Fixed issue where warp-cli add-trusted-ssid worked in Zero Trust mode when
  it should not have.
  - Fixed issue where warp-cli teams-enroll would run even if already joined to
  an organization and users were not allowed to disconnect or leave.
  - Fixed issue that could result in connection issues coming out of certain
  sleep states (AddrInUse error or Multiple WARP Connections or
  NoCurrentSession).
  - Fixed issue that could result in connection flickering between
  connected/disconnected.
  - Fixed issue where connectivity test could report wrong status in logs when
  in Include Only split tunnel configuration.
  - Fixed issue where warp-cli could hang if service was in a bad state.
  - Fixed issue where sometimes Zero Trust device settings configured in the
  dash wouldn't take effect for machines in a disconnected state and asleep
  state.
  - Fixed issue where our DNS proxy wasn't correctly handling EDNS0 requests.
  - Fixed issue where the DNS Answer for records at the end of a CNAME chain
  would appear in the ADDITIONAL response section instead of the ANSWER
  section. This broke certain connectivity checks for Microsoft and Android
  studio in particular (probably other things). We now put the IP address
  found in the ANSWER section.
  - Fixed issue where multiple instances of the service could run at the same
  time.
  - Fixed issue that could occur during registration if the user clicks on on
  the Launch Cloudflare WARP button after already registering.
  - Fixed issue where the Zero Trust client was starting in connected mode when
  dash settings Switched Locked and Auto Connect were turned off/disabled. The
  client should only ever auto connect when these are enabled.
  - Fixed issue where DNS functionality may be in a broken state when device
  wakes from sleep
  - Improved performance of warp-diag to now collects logs in parallel and now
  collect additional routes to help with debugging.
  - Use desktop notifications for re-authentication notifications

- Fixed issue where OS version and device name may not update in ZT Dashboard
  - Prevent users from brute forcing admin override code
  - Prevent disable-on-wifi feature for ZT customers
  - Add support for environment variables in device posture files paths
  - Prevent flushing all nftable rulesets when WARP is disabled
  - Fix incorrect output in "include-only" mode
  - Fix routing issues when running microk8s
  - Fix issue with wildcard expansion on domain fallback and split tunnel rules
  - Fix issue with `warp-diag feedback` failing to upload
  - Prevent hangs and failures on network traffic when in proxy-mode
  - Prevent log files from growing too large
  - Add "Don't Fragment" bit to encapsulated traffic
  - Ensure our DNS servers stay set if another program tries to change them
  - Add ability to upload device state to API for ZT customers

- Fixed issue where all nftables rulesets were flushed after warp-cli disconnect
  - Fixed false positives when attempting to detect a captive portal
  - Fixed issue where OS version would not be updated in dash after OS update
  - Added support for DNS over TCP
  - Fixed issue where updated posture checks might not take effect until restart
  - Fixed issue with warp-cli where enable/disable with wifi was allowed in Zero Trust mode
  - Fixed issue where too many DNS requests could result in the following error
  appearing in logs: WARN warp::dns: Shedding DNS load
  - Bug fixes and enhancements

- Removed periodic tunnel checks
- Changed `warp-cli connect` to mimic 'warp-cli enable-always-on`
- Changed `warp-cli disconnect` to mimic `warp-cli disable-always-on`
- Added a simple taskbar icon to show status
- Added virtual network switching support via warp-cli (`warp-cli
get-virtual-networks` and `warp-cli set-virtual-network`).
- Bug fixes and enhancements

- `warp-cli delete` run as root will remove the user for an organization
even if "Allowed To Leave" is disabled in Zero Trust dashboard.
- Added `warp-cli disable-connectivity-checks` and `warp-cli
enabled-connectivity-checks` to control connectivity checks
- Fixed issue with `warp-cli teams-enroll` on platforms where the default
browser is installed with snap.
- Added "Device Posture Only" support