Releases: qdm12/gluetun

v3.34.1

22 May 05:57
6d48f9c

Fixes

  • Fix routing net.IPNet to netip.Prefix conversion (fixes #1583)

v3.34.0

21 May 13:04
63303bc

Features

  • HEALTH_SUCCESS_WAIT_DURATION variable, defaulting to 5s
  • Rename port forwarding variables (prepare to add ProtonVPN, see #1488)
    • VPN_PORT_FORWARDING_STATUS_FILE
    • VPN_PORT_FORWARDING
    • Deprecate PIA specific variables for VPN port forwarding
  • Servers data updated for: perfect privacy, surfshark
  • Routing: log default route family as string

Fixes

  • Mullvad: add aes-256-gcm cipher to support their newer Openvpn 2.6 servers
  • Perfect privacy: update cert and key (thanks @Thamos88 and @15ky3)
  • Perfect privacy: remove check for empty hostname in servers
  • Routing: add policy rules for each destination local network (thanks @kylemanna)
  • Settings: clarify Wireguard provider unsupported error
  • Minor fixes
    • Pprof settings rates can be nil

Maintenance

  • Wrap all sentinel errors and enforce using errors.Is
  • Migrate usages of inet.af/netaddr to net/netip
  • Use netip.Prefix for ip networks instead of net.IPNet and netaddr.IPPrefix
  • Use netip.Addr instead of net.IP
  • Wireguard: use netip.AddrPort instead of *net.UDPAddr
  • Healthcheck: prefer the Go dialer
  • Upgrade Wireguard dependencies
  • Upgrade inet.af/netaddr dependency
  • Upgrade golang.org/x/net to 0.10.0
  • Upgrade github.com/fatih/color from 1.14.1 to 1.15.0
  • Upgrade golangci-lint from v1.51.2 to v1.52.2
  • Upgrade github.com/vishvananda/netlink from 1.1.1-0.20211129163951-9ada19101fc5 to 1.2.1-beta.2
  • Upgrade golang.org/x/sys from 0.7.0 to 0.8.0
  • Remove unneeded settings/helpers/pointers.go, CopyNetipPrefix and settings/sources/env envToInt function
  • Fix netlink tagged integration tests
  • Settings: use generics for helping functions (thanks @bubuntux)
  • Simplify default routes for loop
  • Development container: do not bind mount ~/.gitconfig

v3.33.0

11 Apr 15:59
16ecf48

Features

  • WIREGUARD_IMPLEMENTATION variable which can be auto (default), userspace or kernelspace
  • ghcr.io/qdm12/gluetun Docker image mirror
  • Alpine upgraded from 3.16 to 3.17
  • OpenVPN upgraded from 2.5.6 to 2.5.8 built with OpenSSL 3
  • OpenSSL 1.1.* installed separately to maintain OpenVPN 2.4 working
  • Logging:
    • log FAQ Github Wiki URL when the VPN internally restarts
    • Warn Openvpn 2.4 is to be removed in the next release
    • Warn when using SlickVPN or VPN Unlimited due to their weak certificates
    • Warn Hide My Ass is no longer supported (credits to @Fukitsu)
    • OpenVPN "RTNETLINK answers: File exists" changed to warning level with explanation
    • OpenVPN "Linux route add command failed" changed to warning level with explanation
    • Log IPv6 support at debug level with more information instead of at the info level
  • Update servers data: AirVPN, FastestVPN, Mullvad, Surfshark, Private Internet Access
  • Netlink: add debug logger (no use yet)
  • Surfshark: add 2 new 'HK' servers
  • Install Alpine wget package (fixes #1260, #1494 due to busybox's buggy wget)
  • OpenVPN: transparently upgrade key encryption for DES-CBC encrypted keys (VPN Secure)

Important fixes

  • Exit with code 1 on a program error
  • Profiling server: do not run if disabled
  • IPv6 detection: inspect each route source and destination for buggy kernels/container runtimes
  • iptables detection: better interpret permission denied for buggy kernels/container runtimes
  • FastestVPN: update OpenVPN zip file URL for the updater (#1264)
  • IPVanish: update OpenVPN zip file URL for the updater (#1449)
  • Surfshark: remove 3 servers no longer resolving
  • AirVPN:
    • remove commas from API locations
    • remove commas from city names
  • VPN Unlimited: lower TLS security level to 0 to allow weak certificates to work with Openvpn 2.5.8+Openssl 3
  • SlickVPN
    • explicitly allow AES-256-GCM cipher
    • lower TLS security level to 0 to allow SlickVPN's weak certificates to work with Openvpn 2.5.8+Openssl 3
    • All servers support TCP and UDP
    • Specify default TCP port as 443

Documentation

  • Document new docker image ghcr.io/qdm12/gluetun
  • Add servers updater environment variables (#1393)
  • Update Github labels:
    • remove issue category labels
    • Add temporary status labels
    • Add complexity labels

Minor fixes

  • Firewall: remove previously allowed input ports
  • HTTP proxy: lower shutdown wait from 2s to 100ms
  • Private Internet Access: remove credentials from login error string
  • Wireguard:
    • validate Wireguard addresses depending on IPv6 support
    • ignore IPv6 interface addresses if IPv6 is not supported
  • Healthcheck client: set unset health settings to defaults
  • Print outbound subnets settings correctly
  • github.com/breml/rootcerts from 0.2.8 to 0.2.10
  • Add subprogram name in version check error

Maintenance

  • Development tooling:
    • Go upgraded from 1.19 to 1.20
    • Development container has the same ssh bind mount for all platforms
    • Development container has openssl installed
    • golangci-lint upgraded from v1.49.0 to v1.51.2
    • github.com/stretchr/testify upgraded from 1.8.1 to 1.8.2
  • Dependencies
    • golang.org/x/text upgraded from 0.4.0 to 0.8.0
    • github.com/fatih/color upgraded from 1.13.0 to 1.14.1
    • golang.org/x/sys upgraded from 0.3.0 to 0.6.0
    • Remove no longer needed apk-tools
  • Code health
    • Add comments for OpenVPN settings fields about their base64 DER encoding
    • internal/openvpn/extract: simplify PEM extraction function
    • Review all error wrappings
      • remove repetitive cannot and failed prefixes
      • rename unmarshaling to decoding
  • CI
    • docker/build-push-action upgraded from 3.2.0 to 4.0.0

v3.32.0

31 Oct 10:33
126804c

Features

  • AirVPN support (#1145)
  • Surfshark Wireguard support (#587)
  • IPv6 connection and tunneling (#1114)
  • Auto detection of IPv6 support for OpenVPN and OPENVPN_IPV6 removed
  • Built-in servers updates: Cyberghost, FastestVPN, Ivpn, Mullvad, ProtonVPN, PureVPN and Windscribe
  • HTTP proxy: log credentials sent on mismatch

Fixes

  • Private Internet Access: get token for port forwarding (#1132)
  • FastestVPN: updater handles lowercase .ovpn filenames
  • Ivpn: update mechanism fixed for Wireguard servers
  • Cyberghost: remove outdated server groups 94-1 premium udp usa, 95-1 premium udp asia, 93-1 premium udp usa and 96-1 premium tcp asia
  • Exit with OS code 0 on successful shutdown
  • Public IP fetching
    • handle HTTP status codes 403 as too many requests
    • no retry when too many requests to ipinfo.io
  • OpenVPN: do not set tun-ipv6
    • server should push tun-ipv6 if it is available
    • Add ignore filter for tun-ipv6 if ipv6 is not supported on client
  • Updater: error when a server does not have the minimal information
  • Custom provider: OPENVPN_CUSTOM_CONFIG takes precedence only if VPN_SERVICE_PROVIDER is empty
  • Wireguard: ignore IPv6 addresses if IPv6 is disabled
  • Environment variables: trim space for wireguard addresses
  • OpenVPN: parse udp4, udp6, tcp4 or tcp6

Documentation

  • Readme: add ProtonVPN and PureVPN to Wireguard support

Maintenance

Code changes

  • provider/utils: do not check for empty wg keys
  • internal/config:
    • rename Reader to Source struct
    • define Source interface locally where needed
    • rename mux source to merge
  • internal/storage/servers.json: remove "udp": true for Wireguard
  • Filtering: no network protocol filter for Wireguard
  • Fix netlink test for wireguard and crash

Other dependencies

  • Bump Go from 1.17 to 1.19
  • Upgrade Wireguard dependencies
  • golang.org/x/text from 0.3.7 to 0.4.0 (#1198)
  • github.com/breml/rootcerts from 0.2.6 to 0.2.8 (#1173)

Development

  • Improve missing provider panic string
  • Improve VSCode update command launch config
    • Run without debug mode
    • Run from workspace folder so it writes to the right path
    • Pick -maintainer or -enduser update mode

CI

  • docker/build-push-action from 3.1.1 to 3.2.0 (#1193)
  • Fix codeql false positive integer parsing
  • github.com/stretchr/testify from 1.8.0 to 1.8.1 (#1210)

v3.31.1

11 Sep 20:21

Fixes

  • Fix vpnsecure.me operation by allowing empty OpenVPN username

v3.31.0

24 Aug 21:51

Features

  • SlickVPN Support (#961)
  • VPNsecure.me support (#848)
  • Update servers data built-in for ExpressVPN, Surfshark
  • Control server: add /vpn route to replace /openvpn (in future v4.0.0)
  • Control server: patch VPN settings using HTTP PUT at /v1/vpn/settings (undocumented, experimental)

Fixes

  • Surfshark: remove no longer valid retro server data
  • Bump github.com/breml/rootcerts from 0.2.3 to 0.2.6 (#1033, #1058)

Documentation

  • Fix readme typo sercice to service (#1067)

Undocumented breaking changes

  • Environment variable OPENVPN_CLIENTCRT -> OPENVPN_CERT (No breaking change since this was undocumented)
  • Environment variable OPENVPN_CLIENTKEY -> OPENVPN_KEY (No breaking change since this was undocumented)
  • Control server: replace response status code 404 with 401 for unsupported routes and methods
  • Control server: do not redact openvpn credentials from JSON response
  • Read base64 encoded data from environment variables (OpenVPN cert, key and encrypted key) instead of PEM encoded data

Maintenance

  • Add mocks check to check for missing //go:generate comments and outdated mocks
  • Linting:
    • upgrade golangci-lint to v1.49.0
    • config: remove duplicate predeclared and commented varnamelen, wrapcheck
    • config: remove deprecated linters ifshort
    • config: add linters asasalint, usestdlibvars, interfacebloat, reassign
    • Fix Slowloris attacks on HTTP servers
    • Force set default of 5 minutes for pprof read timeout
    • Change ShutdownTimeout to time.Duration since it cannot be set to 0
  • Use common mocks for ivpn and ipvanish
  • OpenVPN user and password as nullable (they can be an empty string for custom provider)
  • OpenVPN settings struct field ClientKey -> Key
  • OpenVPN settings struct field ClientCrt -> Cert
  • Remove deprecated io/ioutil import
  • Fix labels workflow:
    • Limit labels workflow to run on commits coming from not-forked repositories
    • Fix permissions to write for labels
  • Bump docker/build-push-action from 3.0.0 to 3.1.1 (#1073, #1098)
  • Bump github.com/stretchr/testify from 1.7.2 to 1.8.0 (#1042, #1052)

v3.30.1

24 Aug 19:36

Fixes

  • OpenVPN certificate: read PEM encoded files and read base64 encoded PEM inner value from environment variable (as documented in Wiki)
  • OpenVPN key: read PEM encoded files and read base64 encoded PEM inner value from environment variable (as documented in Wiki)

v3.30.0

03 Jul 22:54

Features

  • ExpressVPN: OpenVPN additional ciphers (#1047)
  • Storage:
    • add "keep" boolean field for servers to keep manually added servers
    • log time difference as a friendly duration
  • Updater: configurable minimum ratio of servers found
    • UPDATER_MIN_RATIO environment variable
    • -minratio flag for CLI operation
  • Docker: upgrade Alpine from 3.15 to 3.16 (#1005)
  • Update servers data: Perfect privacy, Purevpn, Privatevpn, Private Internet Access, ProtonVPN, IPVanish, Surfshark
  • Environment variables: clean values by removing surrounding spaces and suffix new line characters
  • Wireguard: add debug logs for IPv6 detection which can be enabled with LOG_LEVEL=debug

Fixes

  • ExpressVPN: OpenVPN fragment option taken into account (#1047)
  • Private internet access:
    • load custom certificate to communicate with their API
    • restrict custom port choice
  • ProtonVPN:
    • set free field for free servers, fixing FREE_ONLY behavior
    • remove duplicate entry IPs
    • restrict custom port choice
  • Wireguard: continue on ipv6 route add permission denial
  • VPN: do not close wait error channel on consumer side
  • Port forwarding: set file owned by the uid and gid set by PUID and PGID
  • Private Internet Access: remove duplicate log of port forwarding data expiration
  • Pprof settings: override method used correctly in global settings
  • Updater: Fix CLI operation not setting DNS server
  • IPVanish: remove duplicate server entries
  • Custom: validate custom OpenVPN file at settings validation

Documentation

  • Bug issue template: fix rendering of logs as plain text instead of the log language
  • ProtonVPN: document in code to remove SERVER_NAMES
  • Update maintenance.md document

Maintenance

Easy to add VPN providers

  • internal/provider/example new package
  • Readme: simplify heading description
  • internal/updater: check each server has minimal information
  • internal/storage: modify JSON tests to not need all providers listed
  • internal/provider/common new package: shared interfaces and errors for all providers
  • internal/provider: new Providers contains a map from provider string name to provider interface
  • Use the same provider object for both updating servers and to setup the VPN
  • Initialize all providers at start in the Providers map
  • internal/provider/*:
    • incorporate updating FetchServers method in Provider interface
    • Rename each provider updater subpackage name to updater
    • add Name() method per provider
    • rename all provider structs to Provider
    • rename all test functions to Test_Provider_GetConnection
  • internal/updater: Updater update method takes in a slice of provider strings
  • internal/storage: common sorting for all servers
  • internal/provider/surfshark/servers/locationdata.go merging both internal/models/location.go and internal/constants/surfshark.go
  • internal/models: provider to servers map in allServers:
    • Custom JSON marshaling methods for AllServers
    • Simplify formatting CLI
    • Simplify updater code
    • Simplify filter choices for config validation
    • Simplify all servers deep copying
    • Simplify provider constructor switch
    • Simplify storage merging
    • Simplify storage reading and extraction
  • internal/storage/servers.json: change provider names to match string constants in code
    • From pia to private internet access, and reset version to 1
    • From perfectprivacy to perfect privacy, and reset version to 1
    • From vpnunlimited to vpn unlimited, and reset version to 1
  • internal/cli: refactor FormatServers to use provider strings
  • internal/provider/utils: unexport no longer externally needed functions
  • internal/provider: add GetConnection test

Continuous integration

  • Fix trigger for Docker image publish job
  • Merge jobs and workflows into the verify job of the CI workflow:
    • CodeQL job
    • Dependabot workflow
    • Fork workflow
  • Fix behavior on pull requests from forked repositories
    • Run Docker Hub description job only on base repository
    • Run Docker image publish job only on base repository
  • Build base repository pull request Docker images with tag :pr-N (#1026)
  • Add skip workflow for required verify job
  • Restrict permissions to read actions+contents for all jobs
  • Remove go.mod tidy check job
    • Not really needed with newer go install
    • Conflicts with Go 1.17 go.mod format
    • Conflicts with manual indirect dependency upgrade
  • Bump docker/setup-buildx-action from 1 to 2 (#977)
  • Bump docker/setup-qemu-action from 1 to 2 (#978)
  • Bump docker/build-push-action from 2.10.0 to 3.0.0 (#979)
  • Bump docker/metadata-action from 3 to 4 (#980)
  • Bump docker/login-action from 1 to 2 (#981)
  • Bump crazy-max/ghaction-github-labeler from 3 to 4 (#1007)

Other

Storage: memory and thread safe servers data storage

  • only pass hardcoded versions to read file and discard outdated servers
  • unexport SyncServers method
  • minimal deep copying and data duplication
  • add merged servers mutex for thread safety
  • settings: get filter choices from storage for settings validation
  • updater:
    • update servers to the storage
    • get servers count from storage directly
    • equality check done by the storage
  • connection: filter servers in storage
  • formatter: format servers to Markdown in storage
  • PIA: get server by name from storage directly
  • internal/openvpn/extract: extract.PEM replaces all PEM parse functions
  • internal/constants/openvpn new package for OpenVPN related constants
  • internal/wireguard: add check for empty public key for Wireguard
  • internal/publicip:
    • Exported Fetcher interface
    • Inject Fetcher to publicip loop and updaters
    • Get public IP and information at the same time
    • Only query ipinfo.io
    • Make MultiInfo part of the Fetch object
    • internal/publicip/ipinfo package
  • Updater:
    • DNS address as host:port string in settings structure
    • Remove unneeded ctx error check in cyberghost updating code
    • UpdateServers returns an error if it fails updating a single provider
    • Inject a common resolver to each provider instead of creating a unique one per provider, and use resolver settings on every call to its .Resolve method
    • Move out minServers check from resolver
    • internal/updater/loop subpackage
    • internal/server: more restrictive updater loop interface
  • Renamings:
    • updater: rename all presolver to parallelResolver
    • storage: rename InfoErrorer to Infoer
    • provider: rename all BuildConf methods to OpenVPNConfig
    • updater: rename all GetServers methods to FetchServers
  • Entire codebase changes:
    • remove unexported Go interfaces
    • remove package comments
    • return concrete types, accept interfaces
  • Upgrade gopkg.in/yaml.v3 to v3.0.1 to fix (dull) vulnerability alert on Github

Development

  • See Easy to add VPN providers related work
  • .vscode/launch.json to update servers - Credits to @Rohaq
  • go4.org/unsafe/assume-no-moving-gc upgraded to allow development using Go 1.18 without ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.18
  • Linting:
    • upgrade golangci-lint from v1.44.2 to v1.46.2
    • review exclude rules
    • ireturn, execinquery and nosprintfhostport linters added
  • Use cases instead of strings.Title to remove Go 1.18 linting warnings
    • Add golang.org/x/text dependency
    • Update code to use cases.Title(language.English)
  • Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#1016)

v3.29.0

11 May 23:11

Features

Firewall

  • Auto-detect iptables and iptables-nft for IPv4 and IPv6
  • Improve error message when NET_ADMIN capability is missing
  • Support all default routes instead of only the first one
    • Accept output traffic from all default routes through VPN interface
    • Accept output from all default routes to outbound subnets
    • Accept all input traffic on ports for all default routes
    • Add IP rules for all default routes
  • Add IPv6 inbound routing

Provider specific

  • Servers update: Mullvad, Privado, PrivateVPN, ProtonVPN, PureVPN, NordVPN, Private Internet Access, Torguard, FastestVPN (thanks @mircoianese #923)
  • NordVPN: remove OpenVPN compression
  • Ivpn: allow no password for account IDs matching i-xxxx-xxxx-xxxx or ivpn-xxxx-xxxx-xxxx

Other

Fixes

  • Health check:
    • HEALTH_TARGET_ADDRESS to replace HEALTH_ADDRESS_TO_PING
    • Remove github.com/go-ping/ping dependency
    • Dial TCP the target address, appending :443 if port is not set
    • Target address defaults to cloudflare.com:443
  • OPENVPN_FLAGS fixed so it is applied
  • HEALTH_VPN_DURATION_ADDITION fixed so it is applied
  • Privado: fix OPENVPN_PORT usage, thanks @cacti-user
  • Firewall: only set routes for IPv4 default routes
  • Use openvpn 2.4.12-r0 in CI build for openvpn 2.4
  • Fix PureVPN zip file download link (#915 thanks @mircoianese)
  • Private Internet Access: hide escaped url query values (token etc.)
  • NordVPN: allow aes-256-gcm for Openvpn 2.4
  • Private Internet Access: fix certificate validation (use OS certificates instead of custom certificate)
  • Port forwarding: loop exit from vpn loop
  • PUID and PGID as 32 bit unsigned integers instead of 16 bit

Documentation

  • Readme: re-add /dev/net/tun device since some OSes need it
  • Readme: remove old announcement (#938, thanks @martinbjeldbak)

Maintenance

CI

  • Add CodeQL analysis workflow
  • Bump actions/checkout from 2.4.0 to 3 (#870)
  • Bump docker/build-push-action from 2.8.0 to 2.10.0 (#832, #893)
  • Bump peter-evans/dockerhub-description from 2 to 3 (#908)

Code

  • New internal packages:
    • internal/constants/providers
    • internal/constants/vpn
  • Protonvpn: remove unused exit IPs field in server model
  • ProtonVPN: Change server name JSON field from name to server_name
  • Generic server models:
    • Streamline all server models IP addresses:
      • Use IPs []net.IP for all server models
      • Use ips JSON field for all server models
      • Merge IPv4 and IPv6 addresses together for Mullvad
    • Specify UDP and TCP compatibility for all servers in servers.json
    • Specify VPN protocol for all servers in servers.json
    • Common Server model and Servers model for all providers (#943)
    • Common filtering builder for all providers
    • Common GetConnection for all providers
  • Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#897)
  • Bump github.com/breml/rootcerts from 0.2.2 to 0.2.3 (#926)
  • Routing: remove unused LocalSubnetGetter
  • internal/httpserver: remove name field and prefix in logs
  • Use internal/httpserver for control server
  • Add defensive check for zero connection found from servers (if no IP is defined)
  • Simplify reading of servers JSON file

Dev environment

  • Development container
    • Fix windows script sourcing
    • Remove image name to avoid conflicts
    • Bind mount normally without :z
    • Install htop
  • Update maintenance document

v3.28.2

31 Mar 20:55

Fixes

  • Fix OPENVPN_FLAGS functionality
  • Fix Openvpn 2.4 install to use 2.4.12-r0