Releases: qdm12/gluetun
v3.38.0
Features
- Public IP fetching:
- Add
PUBLICIP_API_TOKEN
variable PUBLICIP_API
variable supportingipinfo
andip2location
- Add
- Private Internet Access:
PORT_FORWARD_ONLY
variable (#2070) - NordVPN:
- update mechanism uses v2 NordVPN web API
- Filter servers with
SERVER_CATEGORIES
(#1806)
- Wireguard:
- Read config from secret file, defaults to
/run/secrets/wg0.conf
which can be changed with variableWIREGUARD_CONF_SECRETFILE
- Read private key, preshared key and addresses from individual secret files (#1348)
- Read config from secret file, defaults to
- Firewall: disallow the unspecified address (
0.0.0.0/0
or::/0
) for outbound subnets - Built-in servers data updated:
- NordVPN
- Privado
- Private Internet Access
- VPN Unlimited
- VyprVPN
- Healthcheck: change unhealthy log from info to debug level
Fixes
- Privado: update OpenVPN zip file URL
STREAM_ONLY
behavior fixed (#2126)- Torguard: set user agent to be allowed to download zip files
- Surfshark:
- Remove no longer valid multi hop regions
- Fail validation for empty string region
- Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions
Maintenance
- Healthcheck: more explicit log to go read the Wiki health guide
- NAT-PMP: RPC error contain all failed attempt messages
- Github:
- add closed issue workflow stating comments are not monitored
- add opened issue workflow
- Dependencies
- Bump github.com/breml/rootcerts from 0.2.14 to 0.2.16 (#2094)
- CI
- Pin docker/build-push-action to v5 (without minor version)
- Upgrade linter to v1.56.2
v3.37.0
🎉 🎆 Happy new year 2024 🎉 🎆 Personal note at the bottom 😉
Features
- Port forwarding: port redirection with
VPN_PORT_FORWARDING_LISTENING_PORT
- Custom provider: support tcp-client proto for OpenVPN
- NordVPN: add access token warning if used as wireguard private key
- Windscribe: update servers data
Fixes
- Shadowsocks: bump from v0.5.0-rc1 to v0.5.0
- treat udp read error as non critical
- log out crash error for tcpudp combined server
- Wireguard:
- Load preshared key from toml file correctly and from peer selection
- Custom provider OpenVPN:
- Default TCP port for any tcp protocol
- Firewall:
- Handle OpenVPN
tcp-client
protocol astcp
- Handle OpenVPN
- PureVPN: fix update url and update servers (#1992)
- VPN Unlimited OpenVPN:
- Update CA certificate and add new second certificate
- Remove
DEFAULT:@SECLEVEL=0
- Specify cipher as AES-256-CBC and auth as SHA512
- Format-servers command:
- Fix for providers with dashes
- Add missing
server name
header for PIA
Maintenance
- Bump github.com/breml/rootcerts from 0.2.11 to 0.2.14 (#1800, #1981)
- Bump github.com/fatih/color from 1.15.0 to 1.16.0 (#1950)
- Bump github.com/klauspost/compress from 1.16.7 to 1.17.4 (#1922, #1993)
- Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#2012)
- Bump golang.org/x/net from 0.12.0 to 0.19.0 (#1907, #1953, #1985)
- Bump golang.org/x/sys from 0.11.0 to 0.13.0 (#1897)
- Bump golang.org/x/text from 0.11.0 to 0.14.0 (#1845, #1946)
- CI:
- Bump actions/checkout from 3 to 4 (#1847)
- Bump crazy-max/ghaction-github-labeler from 4 to 5 (#1858)
- Bump DavidAnson/markdownlint-cli2-action from 11 to 14 (#1871, #1982)
- Bump docker/build-push-action from 4.1.1 to 5.1.0 (#1860, #1969)
- Bump docker/login-action from 2 to 3 (#1936)
- Bump docker/metadata-action from 4 to 5 (#1937)
- Bump docker/setup-buildx-action from 2 to 3 (#1938)
- Bump docker/setup-qemu-action from 2 to 3 (#1861)
- Bump github/codeql-action from 2 to 3 (#2002)
Personal note on the state of Gluetun
I have been focusing my effort since mid November on a DNSSEC validator to finalize a Go library on par with the usage we have of Unbound, in order to replace Unbound in Gluetun and add DNS special features for Gluetun. For example:
- automatically diverting local hostnames questions to the local Docker DNS server (a long overdued problem) - already implemented
- allow resolution of VPN endpoint hostname to ips in a very restricted DNS server + firewall to only allow a specific hostname to resolve (not implemented yet)
This is a tough problem not so well documented with few complete and valid implementations, so it's taking some time. There is likely 2 more weeks of work left before finalization.
v3.36.0
🎃 Happy Halloween 🎃 Hopefully it is not a spooky release! 😸
Features
- Wireguard
- VPN server port forwarding
- Servers data
- Surfshark servers data API endpoint updated (#1560)
- Built-in servers data updated for Cyberghost, Mullvad, Torguard, Surfshark
- Clarify "Wireguard is up" message logged
- Updater log warning about using
-minratio
if not enough servers are found - Configuration: add
/32
if not present for Wireguard addresses
Fixes
- Minor breaking change:
DNS_KEEP_NAMESERVER
leaves DNS fully untouched - Minor breaking change:
update
command uses dashes instead of spaces for provider names (i.e.-vpn\ unlimited
->-vpn-unlimited
) - Port forwarding run loop reworked and fixed (#1874)
- Public IP fetching run loop reworked and fixed
- ProtonVPN: add
aes-256-gcm
cipher for OpenVPN - Custom provider: allow custom endpoint port setting
- IPv6 support for ipinfo (#1853)
- Routing:
VPNLocalGatewayIP
Wireguard support - Routing: add outbound subnets routes only for matching ip families
- Routing: change firewall only for matching ip families
- Netlink: try loading Wireguard module if not found (#1741)
- Public IP: do not retry when doing too many requests
Documentation
- Readme
- remove
UPDATER_VPN_SERVICE_PROVIDERS
in docker-compose config - remove Slack channel link (don't have time to check it)
- update Wireguard native integrations support list
- remove
- Update to use newer wiki repository
- update URLs logged by program
- update README.md links
- update contributing guide link
- update issue templates links
- replace Wiki issue template by link to Gluetun Wiki repository issue creation
- set program announcement about Github wiki new location
- Issue templates
- add Unraid as option in bug issue template
- provide minimum requirements for an issue: title must be filled, at least 10 lines of log provided, Gluetun version must be provided
Maintenance
- Dockerfile: add missing environment variables
OPENVPN_PROCESS_USER
value defaults toroot
- Add
HTTPPROXY_STEALTH=off
- Add
HTTP_CONTROL_SERVER_LOG=on
- Code
internal/settings
: change source precedence order: Secret files then files then environment variablesinternal/routing
: WrapsetupIPv6
rule error correctly- Move vpn gateway obtention within port forwarding service
internal/vpn
: fix typoportForwader
->portForwarder
internal/provider
: use type assertion for port forwarders
- CI
- rename workflow to
Markdown
- Markdown workflow triggers on
*.md
files only - Markdown workflow triggers for pull requests as well
- Markdown job runs misspell, linting and dead link actions
- Markdown publishing step to Docker Hub is only for pushes to the master branch
- Add markdown-skip workflow
- rename workflow to
- Dependencies
v3.35.0
➡️ 📖 Corresponding wiki
Features
WIREGUARD_MTU
enviromnent variable (#1571)OPENVPN_VERSION=2.6
support- Soft breaking changes:
- Openvpn 2.4 no longer supported
- Control server JSON field names changed
- NordVPN Wireguard support and new API endpoint (#1380)
- Wireguard MTU defaults to 1400 instead of 1420
- Wireguard debug logs log obfuscated keys
- Bump Alpine from 3.17 to 3.18
- Shadowsocks bumped from v0.4.0 to v0.5.0-rc1
Fixes
- AirVPN: allow Airvpn as Wireguard provider
- routing: ip family match function ipv4-in-ipv6 should match ipv6
- HTTP proxy: fix httpproxy.go error message (#1596)
- Netlink:
RouteList
list routes from all tables and does no longer filter by link- use
AddrReplace
instead ofAddrAdd
- Wireguard: delete existing Wireguard link before adding it
Documentation
- Readme: fix Alpine version from 3.17 to 3.18 (#1636)
- Github labels: add problem category labels: Config problem, Routing, IPv6, Port forwarding
Maintenance
Code
internal/routing
:- remove old assigned ip debug log
- unexport
IPIsPrivate
asipIsPrivate
- remove unused
VPNDestinationIP
internal/settings
: usegithub.com/qdm12/gosettings
- remove now unused settings helpers
- remove now unused helpers/messages.go
- use helping functions:
FileExists
,ObfuscateKey
,BoolToYesNo
- use
gosettings/sources/env
functions
internal/netlink
:- IPv6 detection simplified
- Define own types with minimal fields and separate code by OS
- Allow to swap
github.com/vishvananda/netlink
- Add files tagged for each platform
- Create non-implemented files for NOT linux
- Allow development on non-Linux platforms
- Allow to swap
internal/httpproxy
: addTest_returnRedirect
to prevent error wrap ofErrUseLastResponse
internal/settings/secrets
: add test forreadSecretFileAsStringPtr
Dependencies
- Bump github.com/breml/rootcerts from 0.2.10 to 0.2.11 (#1567)
- Bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (#1575, #1633)
- Bump golang.org/x/text from 0.9.0 to 0.10.0 (#1681)
CI
- CI triggers for pull requests to branches other than master
- Bump docker/build-push-action from 4.0.0 to 4.1.1 (#1684)
Development tooling
- Update devcontainer definitions
- Set build tag as
linux
for cross development - Specify
.vscode
recommendations - Linting:
- upgrade to v1.53.2
- add linters
dupword
,paralleltest
,gosmopolitan
,mirror
,tagalign
,zerologlint
andgocheckcompilerdirectives
- add linter
musttag
and fix lint errors (change JSON fields in control server)
v3.34.3
Just creating another bugfix release since released tag v3.34.2
was wrongly pointed to the master
branch instead of the v3.34
branch.
I also deleted the previous release tag v3.34.2, re-created it and the v3.34.2 image will be overridden just in case.
For changes, check out the description of v3.34.2
v3.34.2
v3.34.1
v3.34.0
Features
HEALTH_SUCCESS_WAIT_DURATION
variable, defaulting to 5s- Rename port forwarding variables (prepare to add ProtonVPN, see #1488)
VPN_PORT_FORWARDING_STATUS_FILE
VPN_PORT_FORWARDING
- Deprecate PIA specific variables for VPN port forwarding
- Servers data updated for: perfect privacy, surfshark
- Routing: log default route family as string
Fixes
- Mullvad: add aes-256-gcm cipher to support their newer Openvpn 2.6 servers
- Perfect privacy: update cert and key (thanks @Thamos88 and @15ky3)
- Perfect privacy: remove check for empty hostname in servers
- Routing: add policy rules for each destination local networks (thanks @kylemanna)
- Settings: clarify Wireguard provider unsupported error
- Minor fixes
- Pprof settings rates can be
nil
- Pprof settings rates can be
Maintenance
- Wrap all sentinel errors and enforce using
errors.Is
- Migrate usages of
inet.af/netaddr
tonet/netip
- Use
netip.Prefix
for ip networks instead ofnet.IPNet
andnetaddr.IPPrefix
- Use
netip.Addr
instead ofnet.IP
- Wireguard: use
netip.AddrPort
instead of*net.UDPAddr
- Healthcheck use Go dialer preferrably
- Upgrade Wireguard dependencies
- Upgrade
inet.af/netaddr
dependency - Upgrade
golang.org/x/net
to0.10.0
- Upgrade
github.com/fatih/color
from1.14.1
to1.15.0
- Upgrade
golangci-lint
fromv1.51.2
tov1.52.2
- Upgrade
github.com/vishvananda/netlink
from1.1.1-0.20211129163951-9ada19101fc5
to1.2.1-beta.2
- Upgrade
golang.org/x/sys
from0.7.0
to0.8.0
- Remove unneeded settings/helpers/pointers.go,
CopyNetipPrefix
and settings/sources/envenvToInt
function - Fix netlink tagged integration tests
- Settings: use generics for helping functions (thanks @bubuntux)
- Simplify default routes for loop
- Development container: do not bind mount
~/.gitconfig
v3.33.0
Features
WIREGUARD_IMPLEMENTATION
variable which can beauto
(default),userspace
orkernelspace
gchr.io/qdm12/gluetun
Docker image mirror- Alpine upgraded from 3.16 to 3.17
- OpenVPN upgraded from 2.5.6 to 2.5.8 built with OpenSSL 3
- OpenSSL 1.1.* installed separately to maintain OpenVPN 2.4 working
- Logging:
- log FAQ Github Wiki URL when the VPN internally restarts
- Warn Openvpn 2.4 is to be removed in the next release
- Warn when using SlickVPN or VPN Unlimited due to their weak certificates
- Warn Hide My Ass is no longer supported (credits to @Fukitsu)
- OpenVPN
RTNETLINK answers: File exists
changed to warning level with explanation - OpenVPN
Linux route add command failed:
changed to warning level with explanation - Log IPv6 support at debug level with more information instead of at the info level
- Update servers data: AirVPN, FastestVPN, Mullvad, Surfshark, Private Internet Access
- Netlink: add debug logger (no use yet)
- Surfshark: add 2 new 'HK' servers
- Install Alpine
wget
package (fixes #1260, #1494 due to busybox's buggy wget) - OpenVPN: transparently upgrade key encryption for DES-CBC encrypted keys (VPN Secure)
Important fixes
- Exit with code
1
on a program error - Profiling server: do not run if disabled
- IPv6 detection: inspect each route source and destination for buggy kernels/container runtimes
- iptables detection: better interpret permission denied for buggy kernels/container runtimes
- FastestVPN: update OpenVPN zip file URL for the updater (#1264)
- IPVanish: update OpenVPN zip file URL for the updater (#1449)
- Surfshark: remove 3 servers no longer resolving
- AirVPN:
- remove commas from API locations
- remove commas from city names
- VPN Unlimited: lower TLS security level to 0 to allow weak certificates to work with Openvpn 2.5.8+Openssl 3
- SlickVPN
- explicitely allow
AES-256-GCM
cipher - lower TLS security level to 0 to allow SlickVPN's weak certificates to work with Openvpn 2.5.8+Openssl 3
- All servers support TCP and UDP
- Precise default TCP port as
443
- explicitely allow
Documentation
- Document new docker image
gchr.io/qdm12/gluetun
- Add servers updater environment variables (#1393)
- Update Github labels:
- remove issue category labels
- Add temporary status labels
- Add complexity labels
Minor fixes
- Firewall: remove previously allowed input ports
- HTTP proxy: lower shutdown wait from 2s to 100ms
- Private Internet Access: remove credentials from login error string
- Wireguard:
- validate Wireguard addresses depending on IPv6 support
- ignore IPv6 interface addresses if IPv6 is not supported
- Healthcheck client: set unset health settings to defaults
- Print outbound subnets settings correctly
github.com/breml/rootcerts
from 0.2.8 to 0.2.10- Add subprogram name in version check error
Maintenance
- Development tooling:
- Go upgraded from 1.19 to 1.20
- Development container has the same ssh bind mount for all platforms
- Development container has
openssl
installed golangci-lint
upgraded from v1.49.0 to v1.51.2github.com/stretchr/testify
upgraded from 1.8.1 to 1.8.2
- Dependencies
golang.org/x/text
upgraded from 0.4.0 to 0.8.0github.com/fatih/color
upgraded from 1.13.0 to 1.14.1golang.org/x/sys
upgraded from 0.3.0 to 0.6.0- Remove no longer needed
apk-tools
- Code health
- Add comments for OpenVPN settings fields about their base64 DER encoding
internal/openvpn/extract
: simplifyPEM
extraction function- Review all error wrappings
- remove repetitive
cannot
andfailed
prefixes - rename
unmarshaling
todecoding
- remove repetitive
- CI
docker/build-push-action
upgraded from 3.2.0 to 4.0.0
v3.32.0
Features
- AirVPN support (#1145)
- Surfshark Wireguard support (#587)
- IPv6 connection and tunneling (#1114)
- Auto detection of IPv6 support for OpenVPN and
OPENVPN_IPV6
removed - Built-in servers updates: Cyberghost, FastestVPN, Ivpn, Mullvad, ProtonVPN, PureVPN and Windscribe
- HTTP proxy: log credentials sent on mismatch
Fixes
- Private Internet Access: get token for port forwarding (#1132)
- FastestVPN: updater handles lowercase
.ovpn
filenames - Ivpn: update mechanism fixed for Wireguard servers
- Cyberghost: remove outdated server groups
94-1
pemium udp usa,95-1
premium udp asia,93-1
pemium udp usa and96-1
premium tcp asia - Exit with OS code
0
on successful shutdown - Public IP fetching
- handle HTTP status codes
403
as too many requests - no retry when too many requests to ipinfo.io
- handle HTTP status codes
- OpenVPN: do not set
tun-ipv6
- server should push
tun-ipv6
if it is available - Add ignore filter for
tun-ipv6
if ipv6 is not supported on client
- server should push
- Updater: error when server has not the minimal information
- Custom provider:
OPENVPN_CUSTOM_CONFIG
takes precedence only ifVPN_SERVICE_PROVIDER
is empty - Wireguard: ignore IPv6 addresses if IPv6 is disabled
- Environment variables: trim space for wireguard addresses
- OpenVPN: parse
udp4
,udp6
,tcp4
ortcp6
Documentation
- Readme: add ProtonVPN and PureVPN to Wireguard support
Maintenance
Code changes
provider/utils
: do not check for empty wg keysinternal/config
:- rename
Reader
toSource
struct - define
Source
interface locally where needed - rename
mux
source tomerge
- rename
internal/storage/servers.json
: remove"udp": true
for Wireguard- Filtering: no network protocol filter for Wireguard
- Fix netlink test for wireguard and crash
Other dependencies
- Bump Go from 1.17 to 1.19
- Upgrade Wireguard dependencies
- golang.org/x/text from 0.3.7 to 0.4.0 (#1198)
- github.com/breml/rootcerts from 0.2.6 to 0.2.8 (#1173)
Development
- Improve missing provider panic string
- Improve VSCode update command launch config
- Run without
debug
mode - Run from workspace folder so it writes to the right path
- Pick
-maintainer
or-enduser
update mode
- Run without