
[Bug]: masquerade = true changed behaviour or broken in v1.6.4? #304

@cotman

Description

Summary

On an Ubuntu 24.04 GCP VM, when using v1.6.4 and masquerade = true in the gateway.toml, all client VPN traffic hangs and has no DNS. This previously worked fine with v1.6.3, and after downgrading to that version of the gateway everything starts working again.

A workaround for v1.6.4 we're using is to install nftables on the VPN server and manually add the chain and rule, then everything starts working again:

apt install -y nftables
nft add table ip nat
nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
nft add rule ip nat postrouting oifname "ens4" masquerade

We're not sure if we were doing something wrong with v1.6.3 and it just happened to work (and now doesn't in v1.6.4), or whether the behaviour of masquerade = true has changed/is broken.

Steps to reproduce

  1. Vanilla install from APT repo of latest available defguard versions - gateway version v1.6.4
  2. Add masquerade = true to the gateway.toml
  3. Either defguard doesn't set the chain/rule correctly, or it's not using them on VPN connections

Expected behavior

When using masquerade = true defguard manages the nftables chain and rule so that VPN connections work in this mode.

Actual behavior

Client VPN connections all hang - not just for predefined routes, as there's no DNS at all when connected.

Defguard version

Core: v1.6.5, Gateway: v1.6.4, Desktop client: v1.6.7

Environment details

Core: Ubuntu 24.04, Gateway: Ubuntu 24.04, Desktop client: macOS/Linux

Deployment / install method

Standalone packages
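An added check, not part of the issue or of defguard, for confirming on the gateway whether the nat postrouting masquerade rule the workaround installs is actually present; the interface name ens4 and both sample rulesets are constructed to mirror the report:

```sh
#!/bin/sh
# Constructed sample of `nft list ruleset` output after the workaround
# (table ip nat, chain postrouting, masquerade on ens4) has been applied.
RULESET_OK='table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "ens4" masquerade
    }
}'

# Constructed sample of the broken state: the chain exists but no
# masquerade rule was installed, so return traffic never gets NATed.
RULESET_MISSING='table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
    }
}'

# check_masquerade RULESET IFACE
# Exit 0 if RULESET (text in `nft list ruleset` format) contains a rule
# `oifname "IFACE" masquerade` inside table ip nat / chain postrouting.
# Masquerade rules in any other table or chain are ignored on purpose.
check_masquerade() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^table ip nat /                         { in_nat = 1; next }
    in_nat && /^}/                           { in_nat = 0; next }
    in_nat && /^[ \t]*chain postrouting /    { in_chain = 1; next }
    in_chain && /^[ \t]+}/                   { in_chain = 0; next }
    in_chain && /masquerade/ {
      for (i = 1; i < NF; i++) {
        if ($i == "oifname") {
          v = $(i + 1); gsub(/"/, "", v)      # strip the quotes nft prints
          if (v == want) found = 1
        }
      }
    }
    END { if (found) exit 0; exit 1 }'
}

# check_live_masquerade IFACE: same check against the running kernel ruleset.
check_live_masquerade() {
  check_masquerade "$(nft list ruleset 2>/dev/null)" "$1"
}

# Run against the live ruleset only when explicitly asked (RUN_LIVE=1).
if [ -n "${RUN_LIVE:-}" ]; then
  if check_live_masquerade "${IFACE:-ens4}"; then echo "masquerade rule present"
  else echo "masquerade rule MISSING for ${IFACE:-ens4}"; exit 1; fi
fi
```

Run it as `RUN_LIVE=1 IFACE=ens4 sh check.sh` on the gateway after enabling masquerade = true; a non-zero exit means the rule defguard is expected to manage is not there.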

Metadata

Assignees

No one assigned

Labels

bug (Something isn't working)

Projects

Status

Ready to release

Relationships

None yet

Development

No branches or pull requests
