Releases: qdm12/gluetun
v3.39.1
🎥 https://youtu.be/O09rP1DlcFU?si=qPdzWUWnzciNxAc7
Fixes
- Firewall: delete chain rules by line number (#2411)
- Control server: require authentication for vulnerable routes (#2434)
- NordVPN: remove commas from region values
- IVPN: split city into city and region
- Fix bad city values containing a comma
- update ivpn servers data
- Private Internet Access: support port forwarding using custom Wireguard (#2420)
- ProtonVPN: prevent using FREE_ONLY and PORT_FORWARD_ONLY together (see #2470)
internal/storage
: add missing selection fields to buildnoServerFoundError
(see #2470)
v3.39.0
🎥 Youtube video explaining all this
Features
- OpenVPN: default version changed from 2.5 to 2.6
- Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy
iptables
) - Healthcheck: change timeout mechanism
- Healthcheck timeout is no longer fixed to 3 seconds
- Healthcheck timeout increases from 2s to 4s, 6s, 8s, 10s
- No 1 second wait time between check retries after failure
- VPN internal restart may be delayed by a maximum of 10 seconds
- Firewall:
- Query iptables binary variants to find which one to use depending on the kernel
- Prefer using
iptables-nft
overiptables-legacy
(Alpine new default is nft backend iptables)
- Wireguard:
WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL
option- read configuration file without case sensitivity
- VPN Port forwarding: only use port forwarding enabled servers if
VPN_PORT_FORWARDING=on
(applies only to PIA and ProtonVPN for now) - FastestVPN:
- Wireguard support (#2383 - Credits to @Zerauskire for the initial investigation and @jvanderzande for an initial implementation as well as reviewing the pull request)
- use API instead of openvpn zip file to fetch servers data
- add city filter
SERVER_CITY
- update built-in servers data
- Perfect Privacy: port forwarding support with
VPN_PORT_FORWARDING=on
(#2378) - Private Internet Access: port forwarding options
VPN_PORT_FORWARDING_USERNAME
andVPN_PORT_FORWARDING_PASSWORD
(retro-compatible withOPENVPN_USER
andOPENVPN_PASSWORD
) - ProtonVPN:
- Surfshark: servers data update
- VPNSecure: servers data update
VPN_ENDPOINT_IP
split intoOPENVPN_ENDPOINT_IP
andWIREGUARD_ENDPOINT_IP
VPN_ENDPOINT_PORT
split intoOPENVPN_ENDPOINT_PORT
andWIREGUARD_ENDPOINT_PORT
Fixes
VPN_PORT_FORWARDING_LISTENING_PORT
fixed- IPv6 support detection ignores loopback route destinations
- Custom provider:
- handle
port
option line for OpenVPN - ignore comments in an OpenVPN configuration file
- assume port forwarding is always supported by a custom server
- handle
- VPN Unlimited:
- change default UDP port from 1194 to 1197
- allow OpenVPN TCP on port 1197
- Private Internet Access Wireguard and port forwarding
- Set server name if names filter is set with the custom provider (see #2147)
- PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
- Torguard: update OpenVPN configuration
- add aes-128-gcm and aes-128-cbc ciphers
- remove mssfix, sndbuf, rcvbuf, ping and reneg options
- VPNSecure: associate
N / A
with no data for servers - AirVPN: set default mssfix to 1320-28=1292
- Surfshark: remove outdated hardcoded retro servers
- Public IP echo:
- ip2location parsing for latitude and longitude fixed
- abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
internal/server
:/openvpn
route status get and put- get status return stopped if running Wireguard
- put status changes vpn type if running Wireguard
- Log out if
PORT_FORWARD_ONLY
is enabled in the server filtering tree of settings - Log last Gluetun release by tag name alphabetically instead of by release date
format-servers
fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfsharkinternal/tun
: only create tun device if it does not exist, do not create if it exists and does not work
Documentation
- readme:
- clarify shadowsocks proxy is a server, not a client
- update list of providers supporting Wireguard with the custom provider
- add protonvpn as custom port forwarding implementation
- disable Github blank issues
- Bump github.com/qdm12/gosplash to v0.2.0
- Add
/choose
suffix to github links in logs
- Add
- add Github labels: "Custom provider", "Category: logs" and "Before next release"
- rename
FIREWALL_ENABLED
toFIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT
due to the sheer amount of users misusing it.FIREWALL_ENABLED
won't do anything anymore. At least you've been warned not to use it...
Maintenance
- Code health
- PIA port forwarding:
- remove dependency on storage package
- return an error to port forwarding loop if server cannot port forward
internal/config
:- upgrade to
github.com/qdm12/gosettings
v0.4.2- drop
github.com/qdm12/govalid
dependency - upgrade
github.com/qdm12/ss-server
to v0.6.0 - do not un-set sensitive config settings anymore
- drop
- removed bad/invalid retro-compatible keys
CONTROL_SERVER_ADDRESS
andCONTROL_SERVER_PORT
- OpenVPN protocol field is now a string instead of a TCP boolean
- Split server filter validation for features and subscription-tier
- provider name field as string instead of string pointer
- upgrade to
internal/portforward
: support multiple ports forwarded- Fix typos in code comments (#2216)
internal/tun
: fix unit test for unprivileged user
- PIA port forwarding:
- Development environment
- fix
source.organizeImports
vscode setting value - linter: remove now invalid skip-dirs configuration block
- fix
- Dependencies
- Bump Wireguard Go dependencies
- Bump Go from 1.21 to 1.22
- Bump golang.org/x/net from 0.19.0 to 0.25.0 (#2138, #2208, #2269)
- Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#2139)
- Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#2178, #2218)
- Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#2279)
- Bump github.com/stretchr/testify to v1.9.0
- Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+
- CI
- Github
- remove empty label description fields
- add
/choose
suffix to issue and discussion links - review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label
- Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service
v3.38.1
ℹ️ This is a bugfix release for v3.38.0. If you can, please instead use release v3.39.0
Fixes
VPN_PORT_FORWARDING_LISTENING_PORT
fixed- IPv6 support detection ignores loopback route destinations
- Custom provider:
- handle
port
option line for OpenVPN - ignore comments in an OpenVPN configuration file
- assume port forwarding is always supported by a custom server
- handle
- VPN Unlimited:
- change default UDP port from 1194 to 1197
- allow OpenVPN TCP on port 1197
- Private Internet Access Wireguard and port forwarding
- Set server name if names filter is set with the custom provider (see #2147)
- PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
- Torguard: update OpenVPN configuration
- add aes-128-gcm and aes-128-cbc ciphers
- remove mssfix, sndbuf, rcvbuf, ping and reneg options
- VPNSecure: associate
N / A
with no data for servers - AirVPN: set default mssfix to 1320-28=1292
- Surfshark: remove outdated hardcoded retro servers
- Public IP echo:
- ip2location parsing for latitude and longitude fixed
- abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
internal/server
:/openvpn
route status get and put- get status return stopped if running Wireguard
- put status changes vpn type if running Wireguard
- Log out if
PORT_FORWARD_ONLY
is enabled in the server filtering tree of settings - Log last Gluetun release by tag name alphabetically instead of by release date
format-servers
fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfsharkinternal/tun
: only create tun device if it does not exist, do not create if it exists and does not work
v3.37.1
ℹ️ This is a bugfix release for v3.37.0. If you can, please instead use the newer v3.39.0 release.
Fixes
VPN_PORT_FORWARDING_LISTENING_PORT
fixed- IPv6 support detection ignores loopback route destinations
STREAM_ONLY
behavior fixed (#2126)- Custom provider:
- handle
port
option line for OpenVPN - ignore comments in an OpenVPN configuration file
- assume port forwarding is always supported by a custom server
- handle
- VPN Unlimited:
- change default UDP port from 1194 to 1197
- allow OpenVPN TCP on port 1197
- Private Internet Access Wireguard and port forwarding
- Set server name if names filter is set with the custom provider (see #2147)
- PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
- Torguard: update OpenVPN configuration
- add aes-128-gcm and aes-128-cbc to the ciphers option
- remove mssfix, sndbuf, rcvbuf, ping and reneg options
- set HTTP user agent to be allowed to download zip files
- VPNSecure: associate
N / A
with no data for servers - AirVPN: set default mssfix to 1320-28=1292
- Surfshark:
- remove outdated hardcoded retro servers
- Remove no longer valid multi hop regions
- Fail validation for empty string region
- Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions
- Privado: update OpenVPN zip file URL
internal/server
:/openvpn
route status get and put- get status return stopped if running Wireguard
- put status changes vpn type if running Wireguard
- Log out last Gluetun release by semver tag name instead of by date
format-servers
fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfsharkinternal/tun
: only create tun device if it does not exist, do not create if it exists and does not work- Bump github.com/breml/rootcerts from 0.2.14 to 0.2.17
PS: sorry for re-releasing this one 3 times, CI has been capricious with passing
v3.38.0
Features
- Public IP fetching:
- Add
PUBLICIP_API_TOKEN
variable PUBLICIP_API
variable supportingipinfo
andip2location
- Add
- Private Internet Access:
PORT_FORWARD_ONLY
variable (#2070) - NordVPN:
- update mechanism uses v2 NordVPN web API
- Filter servers with
SERVER_CATEGORIES
(#1806)
- Wireguard:
- Read config from secret file, defaults to
/run/secrets/wg0.conf
which can be changed with variableWIREGUARD_CONF_SECRETFILE
- Read private key, preshared key and addresses from individual secret files (#1348)
- Read config from secret file, defaults to
- Firewall: disallow the unspecified address (
0.0.0.0/0
or::/0
) for outbound subnets - Built-in servers data updated:
- NordVPN
- Privado
- Private Internet Access
- VPN Unlimited
- VyprVPN
- Healthcheck: change unhealthy log from info to debug level
Fixes
- Privado: update OpenVPN zip file URL
STREAM_ONLY
behavior fixed (#2126)- Torguard: set user agent to be allowed to download zip files
- Surfshark:
- Remove no longer valid multi hop regions
- Fail validation for empty string region
- Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions
Maintenance
- Healthcheck: more explicit log to go read the Wiki health guide
- NAT-PMP: RPC error contain all failed attempt messages
- Github:
- add closed issue workflow stating comments are not monitored
- add opened issue workflow
- Dependencies
- Bump github.com/breml/rootcerts from 0.2.14 to 0.2.16 (#2094)
- CI
- Pin docker/build-push-action to v5 (without minor version)
- Upgrade linter to v1.56.2
v3.37.0
🎉 🎆 Happy new year 2024 🎉 🎆 Personal note at the bottom 😉
Features
- Port forwarding: port redirection with
VPN_PORT_FORWARDING_LISTENING_PORT
- Custom provider: support tcp-client proto for OpenVPN
- NordVPN: add access token warning if used as wireguard private key
- Windscribe: update servers data
Fixes
- Shadowsocks: bump from v0.5.0-rc1 to v0.5.0
- treat udp read error as non critical
- log out crash error for tcpudp combined server
- Wireguard:
- Load preshared key from toml file correctly and from peer selection
- Custom provider OpenVPN:
- Default TCP port for any tcp protocol
- Firewall:
- Handle OpenVPN
tcp-client
protocol astcp
- Handle OpenVPN
- PureVPN: fix update url and update servers (#1992)
- VPN Unlimited OpenVPN:
- Update CA certificate and add new second certificate
- Remove
DEFAULT:@SECLEVEL=0
- Specify cipher as AES-256-CBC and auth as SHA512
- Format-servers command:
- Fix for providers with dashes
- Add missing
server name
header for PIA
Maintenance
- Bump github.com/breml/rootcerts from 0.2.11 to 0.2.14 (#1800, #1981)
- Bump github.com/fatih/color from 1.15.0 to 1.16.0 (#1950)
- Bump github.com/klauspost/compress from 1.16.7 to 1.17.4 (#1922, #1993)
- Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#2012)
- Bump golang.org/x/net from 0.12.0 to 0.19.0 (#1907, #1953, #1985)
- Bump golang.org/x/sys from 0.11.0 to 0.13.0 (#1897)
- Bump golang.org/x/text from 0.11.0 to 0.14.0 (#1845, #1946)
- CI:
- Bump actions/checkout from 3 to 4 (#1847)
- Bump crazy-max/ghaction-github-labeler from 4 to 5 (#1858)
- Bump DavidAnson/markdownlint-cli2-action from 11 to 14 (#1871, #1982)
- Bump docker/build-push-action from 4.1.1 to 5.1.0 (#1860, #1969)
- Bump docker/login-action from 2 to 3 (#1936)
- Bump docker/metadata-action from 4 to 5 (#1937)
- Bump docker/setup-buildx-action from 2 to 3 (#1938)
- Bump docker/setup-qemu-action from 2 to 3 (#1861)
- Bump github/codeql-action from 2 to 3 (#2002)
Personal note on the state of Gluetun
I have been focusing my effort since mid November on a DNSSEC validator to finalize a Go library on par with the usage we have of Unbound, in order to replace Unbound in Gluetun and add DNS special features for Gluetun. For example:
- automatically diverting local hostnames questions to the local Docker DNS server (a long overdued problem) - already implemented
- allow resolution of VPN endpoint hostname to ips in a very restricted DNS server + firewall to only allow a specific hostname to resolve (not implemented yet)
This is a tough problem not so well documented with few complete and valid implementations, so it's taking some time. There is likely 2 more weeks of work left before finalization.
v3.36.0
🎃 Happy Halloween 🎃 Hopefully it is not a spooky release! 😸
Features
- Wireguard
- VPN server port forwarding
- Servers data
- Surfshark servers data API endpoint updated (#1560)
- Built-in servers data updated for Cyberghost, Mullvad, Torguard, Surfshark
- Clarify "Wireguard is up" message logged
- Updater log warning about using
-minratio
if not enough servers are found - Configuration: add
/32
if not present for Wireguard addresses
Fixes
- Minor breaking change:
DNS_KEEP_NAMESERVER
leaves DNS fully untouched - Minor breaking change:
update
command uses dashes instead of spaces for provider names (i.e.-vpn\ unlimited
->-vpn-unlimited
) - Port forwarding run loop reworked and fixed (#1874)
- Public IP fetching run loop reworked and fixed
- ProtonVPN: add
aes-256-gcm
cipher for OpenVPN - Custom provider: allow custom endpoint port setting
- IPv6 support for ipinfo (#1853)
- Routing:
VPNLocalGatewayIP
Wireguard support - Routing: add outbound subnets routes only for matching ip families
- Routing: change firewall only for matching ip families
- Netlink: try loading Wireguard module if not found (#1741)
- Public IP: do not retry when doing too many requests
Documentation
- Readme
- remove
UPDATER_VPN_SERVICE_PROVIDERS
in docker-compose config - remove Slack channel link (don't have time to check it)
- update Wireguard native integrations support list
- remove
- Update to use newer wiki repository
- update URLs logged by program
- update README.md links
- update contributing guide link
- update issue templates links
- replace Wiki issue template by link to Gluetun Wiki repository issue creation
- set program announcement about Github wiki new location
- Issue templates
- add Unraid as option in bug issue template
- provide minimum requirements for an issue: title must be filled, at least 10 lines of log provided, Gluetun version must be provided
Maintenance
- Dockerfile: add missing environment variables
OPENVPN_PROCESS_USER
value defaults toroot
- Add
HTTPPROXY_STEALTH=off
- Add
HTTP_CONTROL_SERVER_LOG=on
- Code
internal/settings
: change source precedence order: Secret files then files then environment variablesinternal/routing
: WrapsetupIPv6
rule error correctly- Move vpn gateway obtention within port forwarding service
internal/vpn
: fix typoportForwader
->portForwarder
internal/provider
: use type assertion for port forwarders
- CI
- rename workflow to
Markdown
- Markdown workflow triggers on
*.md
files only - Markdown workflow triggers for pull requests as well
- Markdown job runs misspell, linting and dead link actions
- Markdown publishing step to Docker Hub is only for pushes to the master branch
- Add markdown-skip workflow
- rename workflow to
- Dependencies
v3.35.0
➡️ 📖 Corresponding wiki
Features
WIREGUARD_MTU
enviromnent variable (#1571)OPENVPN_VERSION=2.6
support- Soft breaking changes:
- Openvpn 2.4 no longer supported
- Control server JSON field names changed
- NordVPN Wireguard support and new API endpoint (#1380)
- Wireguard MTU defaults to 1400 instead of 1420
- Wireguard debug logs log obfuscated keys
- Bump Alpine from 3.17 to 3.18
- Shadowsocks bumped from v0.4.0 to v0.5.0-rc1
Fixes
- AirVPN: allow Airvpn as Wireguard provider
- routing: ip family match function ipv4-in-ipv6 should match ipv6
- HTTP proxy: fix httpproxy.go error message (#1596)
- Netlink:
RouteList
list routes from all tables and does no longer filter by link- use
AddrReplace
instead ofAddrAdd
- Wireguard: delete existing Wireguard link before adding it
Documentation
- Readme: fix Alpine version from 3.17 to 3.18 (#1636)
- Github labels: add problem category labels: Config problem, Routing, IPv6, Port forwarding
Maintenance
Code
internal/routing
:- remove old assigned ip debug log
- unexport
IPIsPrivate
asipIsPrivate
- remove unused
VPNDestinationIP
internal/settings
: usegithub.aaakk.us.kg/qdm12/gosettings
- remove now unused settings helpers
- remove now unused helpers/messages.go
- use helping functions:
FileExists
,ObfuscateKey
,BoolToYesNo
- use
gosettings/sources/env
functions
internal/netlink
:- IPv6 detection simplified
- Define own types with minimal fields and separate code by OS
- Allow to swap
github.com/vishvananda/netlink
- Add files tagged for each platform
- Create non-implemented files for NOT linux
- Allow development on non-Linux platforms
- Allow to swap
internal/httpproxy
: addTest_returnRedirect
to prevent error wrap ofErrUseLastResponse
internal/settings/secrets
: add test forreadSecretFileAsStringPtr
Dependencies
- Bump github.com/breml/rootcerts from 0.2.10 to 0.2.11 (#1567)
- Bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (#1575, #1633)
- Bump golang.org/x/text from 0.9.0 to 0.10.0 (#1681)
CI
- CI triggers for pull requests to branches other than master
- Bump docker/build-push-action from 4.0.0 to 4.1.1 (#1684)
Development tooling
- Update devcontainer definitions
- Set build tag as
linux
for cross development - Specify
.vscode
recommendations - Linting:
- upgrade to v1.53.2
- add linters
dupword
,paralleltest
,gosmopolitan
,mirror
,tagalign
,zerologlint
andgocheckcompilerdirectives
- add linter
musttag
and fix lint errors (change JSON fields in control server)
v3.34.3
Just creating another bugfix release since released tag v3.34.2
was wrongly pointed to the master
branch instead of the v3.34
branch.
I also deleted the previous release tag v3.34.2, re-created it and the v3.34.2 image will be overridden just in case.
For changes, check out the description of v3.34.2