
Releases: qdm12/gluetun

v3.39.1

29 Sep 18:13

🎥 https://youtu.be/O09rP1DlcFU?si=qPdzWUWnzciNxAc7

Fixes

  • Firewall: delete chain rules by line number (#2411)
  • Control server: require authentication for vulnerable routes (#2434)
  • NordVPN: remove commas from region values
  • IVPN: split city into city and region
    • Fix bad city values containing a comma
    • update ivpn servers data
  • Private Internet Access: support port forwarding using custom Wireguard (#2420)
  • ProtonVPN: prevent using FREE_ONLY and PORT_FORWARD_ONLY together (see #2470)
  • internal/storage: add missing selection fields to build noServerFoundError (see #2470)
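
Deleting firewall rules by line number, as in the first fix above, has a trap worth spelling out: iptables line numbers are positions, not identifiers, and every deletion renumbers the rules below it. The following is an added example and not gluetun's code. It parses a constructed "iptables -L OUTPUT --line-numbers -n" listing (not captured from a real host) and emits the "-D" commands for every matching rule from the highest line number down, so that one listing stays valid for the whole batch.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of `iptables -L OUTPUT --line-numbers -n` output; it is
// not captured from a real host. Rules 2 and 4 are blanket accepts that a
// firewall reset would want to remove while keeping the rest.
const sampleListing = `Chain OUTPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     udp  --  0.0.0.0/0            203.0.113.10         udp dpt:51820
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            10.0.0.0/8
`

type rule struct {
	Num  int    // position in the chain as printed by --line-numbers
	Text string // the rest of the line, whitespace-normalised
}

// parseListing extracts the numbered rules and skips the two header lines.
func parseListing(listing string) ([]rule, error) {
	var rules []rule
	for _, line := range strings.Split(listing, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		num, err := strconv.Atoi(fields[0])
		if err != nil {
			continue // "Chain ..." and "num target ..." headers
		}
		rules = append(rules, rule{Num: num, Text: strings.Join(fields[1:], " ")})
	}
	if len(rules) == 0 {
		return nil, fmt.Errorf("no numbered rules found")
	}
	return rules, nil
}

// deleteCommands returns the `iptables -D CHAIN N` commands that remove every
// rule for which match returns true, highest line number first. Line numbers
// are positions, not identifiers: deleting rule 2 renumbers rules 3..N, so
// deleting in ascending order from one listing would remove the wrong rules.
func deleteCommands(chain string, rules []rule, match func(rule) bool) []string {
	var nums []int
	for _, r := range rules {
		if match(r) {
			nums = append(nums, r.Num)
		}
	}
	sort.Sort(sort.Reverse(sort.IntSlice(nums)))
	cmds := make([]string, 0, len(nums))
	for _, n := range nums {
		cmds = append(cmds, fmt.Sprintf("iptables -D %s %d", chain, n))
	}
	return cmds
}

func main() {
	rules, err := parseListing(sampleListing)
	if err != nil {
		panic(err)
	}
	blanketAccept := func(r rule) bool { return r.Text == "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" }
	for _, cmd := range deleteCommands("OUTPUT", rules, blanketAccept) {
		fmt.Println(cmd) // "iptables -D OUTPUT 4" then "iptables -D OUTPUT 2"
	}
}
```

The alternative, re-listing the chain after every single deletion, is also correct but costs one extra iptables invocation per rule; deleting in descending order needs only the one listing.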

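The control server fix above (authentication required on routes that can change the VPN state) is the kind of check a small HTTP middleware enforces. What follows is an added example, not gluetun's control server code: the route paths are assumptions modelled on the /openvpn status route named in the v3.39.0 notes, and the CONTROL_TOKEN variable name is invented for the example. The token comparison is constant-time and an empty configured token fails closed.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"os"
)

// requireToken lets the wrapped handler run only when the request carries
// "Authorization: Bearer <token>" matching expected. The comparison is
// constant-time so that response timing does not reveal how much of a guessed
// token was correct, and an empty expected token rejects every request rather
// than accepting an empty bearer value.
func requireToken(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if expected == "" || len(auth) < len(prefix) || auth[:len(prefix)] != prefix ||
			subtle.ConstantTimeCompare([]byte(auth[len(prefix):]), []byte(expected)) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="control server"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux builds a router: a state-changing PUT route behind the token check
// and a harmless read-only route left open. Both paths are assumptions for
// this example.
func newMux(token string) http.Handler {
	setStatus := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"outcome":"accepted"}`))
	})
	mux := http.NewServeMux()
	mux.Handle("/v1/openvpn/status", requireToken(token, setStatus))
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	return mux
}

func main() {
	// CONTROL_TOKEN is an assumed variable name for this example; refusing to
	// start without it avoids running an unauthenticated control server.
	token := os.Getenv("CONTROL_TOKEN")
	if token == "" {
		log.Fatal("CONTROL_TOKEN must be set")
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", newMux(token)))
}
```

Binding to 127.0.0.1 keeps the server off the container's routable interfaces; in a shared-network-namespace setup the other containers can still reach it, which is exactly why the state-changing route carries its own check.
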
v3.39.0

09 Aug 08:04

🎥 YouTube video explaining all this

Features

  • OpenVPN: default version changed from 2.5 to 2.6
  • Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy iptables)
  • Healthcheck: change timeout mechanism
    • Healthcheck timeout is no longer fixed at 3 seconds
    • Healthcheck timeout grows with each consecutive failure: 2s, then 4s, 6s, 8s and finally 10s
    • No more 1 second wait between check retries after a failure
    • VPN internal restart may therefore be delayed by at most 10 seconds
  • Firewall:
    • Query iptables binary variants to find which one to use depending on the kernel
    • Prefer using iptables-nft over iptables-legacy (Alpine new default is nft backend iptables)
  • Wireguard:
    • WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL option
    • read configuration file without case sensitivity
  • VPN Port forwarding: only use port forwarding enabled servers if VPN_PORT_FORWARDING=on (applies only to PIA and ProtonVPN for now)
  • FastestVPN:
    • Wireguard support (#2383 - Credits to @Zerauskire for the initial investigation and @jvanderzande for an initial implementation as well as reviewing the pull request)
    • use API instead of openvpn zip file to fetch servers data
    • add city filter SERVER_CITY
    • update built-in servers data
  • Perfect Privacy: port forwarding support with VPN_PORT_FORWARDING=on (#2378)
  • Private Internet Access: port forwarding options VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD (retro-compatible with OPENVPN_USER and OPENVPN_PASSWORD)
  • ProtonVPN:
    • Wireguard support (#2390)
    • feature filters SECURE_CORE_ONLY, TOR_ONLY and PORT_FORWARD_ONLY (#2182)
    • determine "free" status using API tier value
    • update built-in servers data
  • Surfshark: servers data update
  • VPNSecure: servers data update
  • VPN_ENDPOINT_IP split into OPENVPN_ENDPOINT_IP and WIREGUARD_ENDPOINT_IP
  • VPN_ENDPOINT_PORT split into OPENVPN_ENDPOINT_PORT and WIREGUARD_ENDPOINT_PORT

Fixes

  • VPN_PORT_FORWARDING_LISTENING_PORT fixed
  • IPv6 support detection ignores loopback route destinations
  • Custom provider:
    • handle port option line for OpenVPN
    • ignore comments in an OpenVPN configuration file
    • assume port forwarding is always supported by a custom server
  • VPN Unlimited:
    • change default UDP port from 1194 to 1197
    • allow OpenVPN TCP on port 1197
  • Private Internet Access Wireguard and port forwarding
    • Set server name if names filter is set with the custom provider (see #2147)
  • PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
  • Torguard: update OpenVPN configuration
    • add aes-128-gcm and aes-128-cbc ciphers
    • remove mssfix, sndbuf, rcvbuf, ping and reneg options
  • VPNSecure: treat "N / A" values as missing server data
  • AirVPN: set default mssfix to 1320-28=1292
  • Surfshark: remove outdated hardcoded retro servers
  • Public IP echo:
    • ip2location parsing for latitude and longitude fixed
    • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
  • internal/server: /openvpn status route GET and PUT
    • GET status returns stopped if Wireguard is running
    • PUT status changes the VPN type if Wireguard is running
  • Log whether PORT_FORWARD_ONLY is enabled in the server filtering section of the settings tree
  • Log last Gluetun release by tag name alphabetically instead of by release date
  • format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
  • internal/tun: only create the tun device if it does not exist; if it exists but does not work, do not re-create it

Documentation

  • readme:
    • clarify shadowsocks proxy is a server, not a client
    • update list of providers supporting Wireguard with the custom provider
    • add protonvpn as custom port forwarding implementation
  • disable Github blank issues
  • Bump github.com/qdm12/gosplash to v0.2.0
    • Add /choose suffix to github links in logs
  • add Github labels: "Custom provider", "Category: logs" and "Before next release"
  • rename FIREWALL_ENABLED to FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT due to the sheer amount of users misusing it. FIREWALL_ENABLED won't do anything anymore. At least you've been warned not to use it...

Maintenance

  • Code health
    • PIA port forwarding:
      • remove dependency on storage package
      • return an error to port forwarding loop if server cannot port forward
    • internal/config:
      • upgrade to github.com/qdm12/gosettings v0.4.2
        • drop github.com/qdm12/govalid dependency
        • upgrade github.com/qdm12/ss-server to v0.6.0
        • do not un-set sensitive config settings anymore
      • removed bad/invalid retro-compatible keys CONTROL_SERVER_ADDRESS and CONTROL_SERVER_PORT
      • OpenVPN protocol field is now a string instead of a TCP boolean
      • Split server filter validation for features and subscription-tier
      • provider name field as string instead of string pointer
    • internal/portforward: support multiple ports forwarded
    • Fix typos in code comments (#2216)
    • internal/tun: fix unit test for unprivileged user
  • Development environment
    • fix source.organizeImports vscode setting value
    • linter: remove now invalid skip-dirs configuration block
  • Dependencies
    • Bump Wireguard Go dependencies
    • Bump Go from 1.21 to 1.22
    • Bump golang.org/x/net from 0.19.0 to 0.25.0 (#2138, #2208, #2269)
    • Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#2139)
    • Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#2178, #2218)
    • Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#2279)
    • Bump github.com/stretchr/testify to v1.9.0
    • Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+
  • CI
    • Bump DavidAnson/markdownlint-cli2-action from 14 to 16 (#2214)
    • Bump peter-evans/dockerhub-description from 3 to 4 (#2075)
  • Github
    • remove empty label description fields
    • add /choose suffix to issue and discussion links
    • review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label
    • Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service

v3.38.1

09 Aug 07:51

ℹ️ This is a bugfix release for v3.38.0. If you can, please instead use release v3.39.0

Fixes

  • VPN_PORT_FORWARDING_LISTENING_PORT fixed
  • IPv6 support detection ignores loopback route destinations
  • Custom provider:
    • handle port option line for OpenVPN
    • ignore comments in an OpenVPN configuration file
    • assume port forwarding is always supported by a custom server
  • VPN Unlimited:
    • change default UDP port from 1194 to 1197
    • allow OpenVPN TCP on port 1197
  • Private Internet Access Wireguard and port forwarding
    • Set server name if names filter is set with the custom provider (see #2147)
  • PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
  • Torguard: update OpenVPN configuration
    • add aes-128-gcm and aes-128-cbc ciphers
    • remove mssfix, sndbuf, rcvbuf, ping and reneg options
  • VPNSecure: treat "N / A" values as missing server data
  • AirVPN: set default mssfix to 1320-28=1292
  • Surfshark: remove outdated hardcoded retro servers
  • Public IP echo:
    • ip2location parsing for latitude and longitude fixed
    • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
  • internal/server: /openvpn status route GET and PUT
    • GET status returns stopped if Wireguard is running
    • PUT status changes the VPN type if Wireguard is running
  • Log whether PORT_FORWARD_ONLY is enabled in the server filtering section of the settings tree
  • Log last Gluetun release by tag name alphabetically instead of by release date
  • format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
  • internal/tun: only create the tun device if it does not exist; if it exists but does not work, do not re-create it

v3.37.1

09 Aug 07:45

ℹ️ This is a bugfix release for v3.37.0. If you can, please instead use the newer v3.39.0 release.

Fixes

  • VPN_PORT_FORWARDING_LISTENING_PORT fixed
  • IPv6 support detection ignores loopback route destinations
  • STREAM_ONLY behavior fixed (#2126)
  • Custom provider:
    • handle port option line for OpenVPN
    • ignore comments in an OpenVPN configuration file
    • assume port forwarding is always supported by a custom server
  • VPN Unlimited:
    • change default UDP port from 1194 to 1197
    • allow OpenVPN TCP on port 1197
  • Private Internet Access Wireguard and port forwarding
    • Set server name if names filter is set with the custom provider (see #2147)
  • PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
  • Torguard: update OpenVPN configuration
    • add aes-128-gcm and aes-128-cbc to the ciphers option
    • remove mssfix, sndbuf, rcvbuf, ping and reneg options
    • set HTTP user agent to be allowed to download zip files
  • VPNSecure: treat "N / A" values as missing server data
  • AirVPN: set default mssfix to 1320-28=1292
  • Surfshark:
    • remove outdated hardcoded retro servers
    • Remove no longer valid multi hop regions
    • Fail validation for empty string region
    • Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions
  • Privado: update OpenVPN zip file URL
  • internal/server: /openvpn status route GET and PUT
    • GET status returns stopped if Wireguard is running
    • PUT status changes the VPN type if Wireguard is running
  • Log last Gluetun release by semver tag name instead of by date
  • format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
  • internal/tun: only create the tun device if it does not exist; if it exists but does not work, do not re-create it
  • Bump github.com/breml/rootcerts from 0.2.14 to 0.2.17

PS: sorry for re-releasing this one 3 times, CI has been capricious with passing

v3.38.0

25 Mar 15:50
b3ceece

Features

  • Public IP fetching:
    • Add PUBLICIP_API_TOKEN variable
    • PUBLICIP_API variable supporting ipinfo and ip2location
  • Private Internet Access: PORT_FORWARD_ONLY variable (#2070)
  • NordVPN:
    • update mechanism uses v2 NordVPN web API
    • Filter servers with SERVER_CATEGORIES (#1806)
  • Wireguard:
    • Read config from secret file, defaults to /run/secrets/wg0.conf which can be changed with variable WIREGUARD_CONF_SECRETFILE
    • Read private key, preshared key and addresses from individual secret files (#1348)
  • Firewall: disallow the unspecified address (0.0.0.0/0 or ::/0) for outbound subnets
  • Built-in servers data updated:
    • NordVPN
    • Privado
    • Private Internet Access
    • VPN Unlimited
    • VyprVPN
  • Healthcheck: change unhealthy log from info to debug level
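
The firewall change above refuses 0.0.0.0/0 and ::/0 as outbound subnets, since such an entry would punch a hole through the VPN kill switch for all traffic. The following is an added example, not gluetun's code, showing that check on a comma-separated CIDR list in the shape FIREWALL_OUTBOUND_SUBNETS takes (the variable name is from gluetun's documentation rather than this page; the parsing is the example's own). It generalizes the check to any entry whose prefix length is zero, such as 192.0.2.1/0, which masks to the same all-addresses network and would slip past a literal string comparison.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

var errUnspecified = errors.New("subnet covers the whole address space")

// parseOutboundSubnets parses a comma-separated CIDR list and rejects any
// entry whose prefix length is zero. That catches 0.0.0.0/0 and ::/0, and
// also forms such as 192.0.2.1/0 that mask to the same network, which a
// string comparison against "0.0.0.0/0" would let through.
func parseOutboundSubnets(value string) ([]*net.IPNet, error) {
	var subnets []*net.IPNet
	for _, field := range strings.Split(value, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		_, ipNet, err := net.ParseCIDR(field)
		if err != nil {
			return nil, fmt.Errorf("parsing %q: %w", field, err)
		}
		if ones, _ := ipNet.Mask.Size(); ones == 0 {
			return nil, fmt.Errorf("%w: %q", errUnspecified, field)
		}
		subnets = append(subnets, ipNet)
	}
	return subnets, nil
}

func main() {
	// Constructed inputs: the first is accepted, the other two are refused.
	for _, value := range []string{"192.168.1.0/24, 10.0.0.0/8", "0.0.0.0/0", "192.0.2.1/0"} {
		subnets, err := parseOutboundSubnets(value)
		fmt.Printf("%-30q -> %v %v\n", value, subnets, err)
	}
}
```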

Fixes

  • Privado: update OpenVPN zip file URL
  • STREAM_ONLY behavior fixed (#2126)
  • Torguard: set user agent to be allowed to download zip files
  • Surfshark:
    • Remove no longer valid multi hop regions
    • Fail validation for empty string region
    • Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions

Maintenance

  • Healthcheck: more explicit log to go read the Wiki health guide
  • NAT-PMP: RPC error contains the messages of all failed attempts
  • Github:
    • add closed issue workflow stating comments are not monitored
    • add opened issue workflow
  • Dependencies
    • Bump github.com/breml/rootcerts from 0.2.14 to 0.2.16 (#2094)
  • CI
    • Pin docker/build-push-action to v5 (without minor version)
    • Upgrade linter to v1.56.2

v3.37.0

01 Jan 23:58

🎉 🎆 Happy new year 2024 🎉 🎆 Personal note at the bottom 😉

Features

  • Port forwarding: port redirection with VPN_PORT_FORWARDING_LISTENING_PORT
  • Custom provider: support tcp-client proto for OpenVPN
  • NordVPN: add access token warning if used as wireguard private key
  • Windscribe: update servers data

Fixes

  • Shadowsocks: bump from v0.5.0-rc1 to v0.5.0
    • treat udp read error as non critical
    • log out crash error for tcpudp combined server
  • Wireguard:
    • Load preshared key from toml file correctly and from peer selection
  • Custom provider OpenVPN:
    • Default TCP port for any tcp protocol
  • Firewall:
    • Handle OpenVPN tcp-client protocol as tcp
  • PureVPN: fix update url and update servers (#1992)
  • VPN Unlimited OpenVPN:
    • Update CA certificate and add new second certificate
    • Remove DEFAULT:@SECLEVEL=0
    • Specify cipher as AES-256-CBC and auth as SHA512
  • Format-servers command:
    • Fix for providers with dashes
    • Add missing server name header for PIA

Maintenance

  • Bump github.com/breml/rootcerts from 0.2.11 to 0.2.14 (#1800, #1981)
  • Bump github.com/fatih/color from 1.15.0 to 1.16.0 (#1950)
  • Bump github.com/klauspost/compress from 1.16.7 to 1.17.4 (#1922, #1993)
  • Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#2012)
  • Bump golang.org/x/net from 0.12.0 to 0.19.0 (#1907, #1953, #1985)
  • Bump golang.org/x/sys from 0.11.0 to 0.13.0 (#1897)
  • Bump golang.org/x/text from 0.11.0 to 0.14.0 (#1845, #1946)
  • CI:
    • Bump actions/checkout from 3 to 4 (#1847)
    • Bump crazy-max/ghaction-github-labeler from 4 to 5 (#1858)
    • Bump DavidAnson/markdownlint-cli2-action from 11 to 14 (#1871, #1982)
    • Bump docker/build-push-action from 4.1.1 to 5.1.0 (#1860, #1969)
    • Bump docker/login-action from 2 to 3 (#1936)
    • Bump docker/metadata-action from 4 to 5 (#1937)
    • Bump docker/setup-buildx-action from 2 to 3 (#1938)
    • Bump docker/setup-qemu-action from 2 to 3 (#1861)
    • Bump github/codeql-action from 2 to 3 (#2002)

Personal note on the state of Gluetun

I have been focusing my effort since mid November on a DNSSEC validator to finalize a Go library on par with the usage we have of Unbound, in order to replace Unbound in Gluetun and add DNS special features for Gluetun. For example:

  • automatically diverting local hostname questions to the local Docker DNS server (a long-overdue problem) - already implemented
  • allow resolution of VPN endpoint hostname to IPs in a very restricted DNS server + firewall to only allow a specific hostname to resolve (not implemented yet)

This is a tough problem not so well documented with few complete and valid implementations, so it's taking some time. There are likely 2 more weeks of work left before finalization.

v3.36.0

31 Oct 13:06
1c43a1d

🎃 Happy Halloween 🎃 Hopefully it is not a spooky release! 😸

Features

  • Wireguard
    • WIREGUARD_ALLOWED_IPS variable (#1291)
    • Parse settings from /gluetun/wireguard/wg0.conf (#1120)
  • VPN server port forwarding
    • VPN_PORT_FORWARDING_PROVIDER variable (#1616)
    • ProtonVPN port forwarding support with NAT-PMP (#1543)
  • Servers data
    • Surfshark servers data API endpoint updated (#1560)
    • Built-in servers data updated for Cyberghost, Mullvad, Torguard, Surfshark
  • Clarify "Wireguard is up" message logged
  • Updater log warning about using -minratio if not enough servers are found
  • Configuration: add /32 if not present for Wireguard addresses
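
Several items on this page concern reading a WireGuard wg0.conf: the secret file defaulting to /run/secrets/wg0.conf and the separately loaded preshared key (v3.38.0 and v3.37.0), case-insensitive keys (v3.39.0), and the /32 added above when an Address has no prefix length. The following is an added example and not gluetun's parser: it reads a constructed wg0.conf with mixed-case keys and shows those behaviours together. The key strings are placeholders, not valid key material.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed wg0.conf: mixed-case keys, a comment line, and an Address with
// no prefix length. The key strings are placeholders, not real key material.
const sampleConf = `[interface]
privatekey = PRIVATEKEYPLACEHOLDER000000000000000000000=
Address = 10.2.0.2, fd00:1::2/128
# DNS = 10.2.0.1 (ignored by this parser)
[Peer]
PresharedKey = PRESHAREDKEYPLACEHOLDER00000000000000000=
ALLOWEDIPS = 0.0.0.0/0, ::/0
`

type wgConfig struct {
	PrivateKey, PresharedKey string
	Addresses, AllowedIPs    []*net.IPNet
}

// parseWgConf reads INI-style WireGuard configuration text. Section and key
// names are compared case-insensitively; values keep their case.
func parseWgConf(text string) (*wgConfig, error) {
	cfg := &wgConfig{}
	section := ""
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '#' {
			continue
		}
		if line[0] == '[' && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.Trim(line, "[]"))
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		key = section + "." + strings.ToLower(strings.TrimSpace(key))
		value = strings.TrimSpace(value)
		var err error
		switch key {
		case "interface.privatekey":
			cfg.PrivateKey = value
		case "interface.address":
			cfg.Addresses, err = parseCIDRList(value, true)
		case "peer.presharedkey":
			cfg.PresharedKey = value
		case "peer.allowedips":
			cfg.AllowedIPs, err = parseCIDRList(value, false)
		}
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
	}
	if cfg.PrivateKey == "" || len(cfg.Addresses) == 0 {
		return nil, fmt.Errorf("PrivateKey and Address are required")
	}
	return cfg, nil
}

// parseCIDRList splits "a, b" into networks. An entry with no prefix length
// gets /32 (IPv4) or /128 (IPv6). For interface addresses (host=true) the host
// part is kept, e.g. 10.2.0.2/24; for AllowedIPs only the network base is kept.
func parseCIDRList(value string, host bool) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, field := range strings.Split(value, ",") {
		field = strings.TrimSpace(field)
		if !strings.Contains(field, "/") && strings.Contains(field, ":") {
			field += "/128" // single IPv6 host
		} else if !strings.Contains(field, "/") {
			field += "/32" // single IPv4 host
		}
		ip, ipNet, err := net.ParseCIDR(field)
		if err != nil {
			return nil, err
		}
		if host {
			ipNet.IP = ip
		}
		nets = append(nets, ipNet)
	}
	return nets, nil
}

func main() {
	cfg, err := parseWgConf(sampleConf)
	if err != nil {
		panic(err)
	}
	// Never print the keys themselves; the addresses are enough to confirm parsing.
	fmt.Println("addresses:", cfg.Addresses, "allowed IPs:", cfg.AllowedIPs)
}
```

Reading the file from a Docker secret rather than an environment variable keeps the private key out of "docker inspect" output and process listings; the parser itself does not care where the bytes came from.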

Fixes

  • Minor breaking change: DNS_KEEP_NAMESERVER leaves DNS fully untouched
  • Minor breaking change: update command uses dashes instead of spaces for provider names (e.g. -vpn\ unlimited becomes -vpn-unlimited)
  • Port forwarding run loop reworked and fixed (#1874)
  • Public IP fetching run loop reworked and fixed
  • ProtonVPN: add aes-256-gcm cipher for OpenVPN
  • Custom provider: allow custom endpoint port setting
  • IPv6 support for ipinfo (#1853)
  • Routing: VPNLocalGatewayIP Wireguard support
  • Routing: add outbound subnets routes only for matching ip families
  • Routing: change firewall only for matching ip families
  • Netlink: try loading Wireguard module if not found (#1741)
  • Public IP: do not retry when doing too many requests

Documentation

  • Readme
    • remove UPDATER_VPN_SERVICE_PROVIDERS in docker-compose config
    • remove Slack channel link (don't have time to check it)
    • update Wireguard native integrations support list
  • Update to use newer wiki repository
    • update URLs logged by program
    • update README.md links
    • update contributing guide link
    • update issue templates links
    • replace Wiki issue template by link to Gluetun Wiki repository issue creation
    • set program announcement about Github wiki new location
  • Issue templates
    • add Unraid as option in bug issue template
    • provide minimum requirements for an issue: title must be filled, at least 10 lines of log provided, Gluetun version must be provided

Maintenance

  • Dockerfile: add missing environment variables
    • OPENVPN_PROCESS_USER value defaults to root
    • Add HTTPPROXY_STEALTH=off
    • Add HTTP_CONTROL_SERVER_LOG=on
  • Code
    • internal/settings: change source precedence order: Secret files then files then environment variables
    • internal/routing: Wrap setupIPv6 rule error correctly
    • Move VPN gateway retrieval into the port forwarding service
    • internal/vpn: fix typo portForwader -> portForwarder
    • internal/provider: use type assertion for port forwarders
  • CI
    • rename workflow to Markdown
    • Markdown workflow triggers on *.md files only
    • Markdown workflow triggers for pull requests as well
    • Markdown job runs misspell, linting and dead link actions
    • Markdown publishing step to Docker Hub is only for pushes to the master branch
    • Add markdown-skip workflow
  • Dependencies
    • Upgrade Go to 1.21
    • Upgrade linter to v1.54.1
    • Bump golang.org/x/text from 0.10.0 to 0.11.0 (#1726)
    • Bump golang.org/x/sys from 0.8.0 to 0.11.0 (#1732, #1786)
    • Bump golang.org/x/net from 0.10.0 to 0.12.0 (#1729)
    • bump gosettings to v0.4.0-rc1

v3.35.0

28 Jun 13:02
44bc60b

➡️ 📖 Corresponding wiki

Features

  • WIREGUARD_MTU environment variable (#1571)
  • OPENVPN_VERSION=2.6 support
  • Soft breaking changes:
    • Openvpn 2.4 no longer supported
    • Control server JSON field names changed
  • NordVPN Wireguard support and new API endpoint (#1380)
  • Wireguard MTU defaults to 1400 instead of 1420
  • Wireguard debug logs log obfuscated keys
  • Bump Alpine from 3.17 to 3.18
  • Shadowsocks bumped from v0.4.0 to v0.5.0-rc1

Fixes

  • AirVPN: allow Airvpn as Wireguard provider
  • routing: ip family match function ipv4-in-ipv6 should match ipv6
  • HTTP proxy: fix httpproxy.go error message (#1596)
  • Netlink:
    • RouteList lists routes from all tables and no longer filters by link
    • use AddrReplace instead of AddrAdd
  • Wireguard: delete existing Wireguard link before adding it

Documentation

  • Readme: fix Alpine version from 3.17 to 3.18 (#1636)
  • Github labels: add problem category labels: Config problem, Routing, IPv6, Port forwarding

Maintenance

Code

  • internal/routing:
    • remove old assigned ip debug log
    • unexport IPIsPrivate as ipIsPrivate
    • remove unused VPNDestinationIP
  • internal/settings: use github.com/qdm12/gosettings
    • remove now unused settings helpers
    • remove now unused helpers/messages.go
    • use helping functions: FileExists, ObfuscateKey, BoolToYesNo
    • use gosettings/sources/env functions
  • internal/netlink:
    • IPv6 detection simplified
    • Define own types with minimal fields and separate code by OS
      • Allow to swap github.com/vishvananda/netlink
      • Add files tagged for each platform
      • Create non-implemented files for NOT linux
      • Allow development on non-Linux platforms
  • internal/httpproxy: add Test_returnRedirect to prevent error wrap of ErrUseLastResponse
  • internal/settings/secrets: add test for readSecretFileAsStringPtr

Dependencies

  • Bump github.com/breml/rootcerts from 0.2.10 to 0.2.11 (#1567)
  • Bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (#1575, #1633)
  • Bump golang.org/x/text from 0.9.0 to 0.10.0 (#1681)

CI

  • CI triggers for pull requests to branches other than master
  • Bump docker/build-push-action from 4.0.0 to 4.1.1 (#1684)

Development tooling

  • Update devcontainer definitions
  • Set build tag as linux for cross development
  • Specify .vscode recommendations
  • Linting:
    • upgrade to v1.53.2
    • add linters dupword, paralleltest, gosmopolitan, mirror, tagalign, zerologlint and gocheckcompilerdirectives
    • add linter musttag and fix lint errors (change JSON fields in control server)

v3.34.3

31 May 14:53
42caa64

Just creating another bugfix release since released tag v3.34.2 was wrongly pointed to the master branch instead of the v3.34 branch.

I also deleted the previous release tag v3.34.2, re-created it and the v3.34.2 image will be overridden just in case.

For changes, check out the description of v3.34.2

v3.34.2

31 May 14:51
42caa64

Fixes

  • HTTP Proxy: redirect from http to https