chore(deps): update docker.io/qmcgaw/gluetun docker tag to v3.40.0

[renovate]

This PR contains the following updates:

Package	Update	Change
docker.io/qmcgaw/gluetun	minor	v3.32.0 -> v3.40.0

---

Release Notes

qdm12/gluetun (docker.io/qmcgaw/gluetun)

v3.40.0

Compare Source

Happy holidays release time 🎄 🎅 🎁

💁 If anything doesn't work compared to previous release, please create an issue and revert to using v3.39.1 😉

ℹ️ Life is pretty busy all around currently (moving soon, new job, ill parent) so I might be even slower than usual until summer 2025, I'll do my best!

Features

• VPN: run WaitForDNS before querying the public ip address (partly address #​2325)
• DNS: replace unbound with qdm12/[email protected] (#​1742 & later commits)
  • Faster start up
  • Clearer error messages
  • Allow for more Gluetun-specific customization
• Port forwarding:
  • VPN_PORT_FORWARDING_UP_COMMAND option (#​2399)
  • VPN_PORT_FORWARDING_DOWN_COMMAND option
• Config allow irrelevant server filters to be set (see #​2337)
  • Disallow setting a server filter when there is no choice available
  • Allow setting an invalid server filter when there is at least one choice available
  • Log at warn level when an invalid server filter is set
• Firewall: support custom ICMP rules
• Healthcheck:
  • log out last error when auto healing VPN
  • run TLS handshake after TCP dial if address has 443 port
• Public IP:
  • retry fetching information when connection refused error is encountered (partly address #​2325)
  • support custom API url echoip#https://... (#​2529)
  • resilient public ip fetcher with backup sources (#​2518)
  • add ifconfigco option and cloudflare option (#​2502)
  • PUBLICIP_ENABLED replaces PUBLICIP_PERIOD
    • PUBLICIP_ENABLED (on, off) can be set to enable or not public ip data fetching on VPN connection
    • PUBLICIP_PERIOD=0 still works to indicate to disable public ip fetching
    • PUBLICIP_PERIOD != 0 means to enable public ip fetching
    • Warnings logged when using PUBLICIP_PERIOD
• STORAGE_FILEPATH option (#​2416)
  • STORAGE_FILEPATH= disables storing to and reading from a local servers.json file
  • STORAGE_FILEPATH defaults to /gluetun/servers.json
• Netlink: debug rule logs contain the ip family
• internal/tun: mention in 'operation not permitted' error the user should specify --device /dev/net/tun (resolves #​2606)
• Control server role based authentication system (#​2434) (part of v3.39.1 as a bugfix)
  • Parse toml configuration file, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication
  • Retro-compatible with existing AND documented routes, until after this release
  • Log a warning if an unprotected-by-default route is accessed unprotected
  • Authentication methods: none, apikey, basic
  • genkey command to generate API keys
• FastestVPN: add aes-256-gcm to OpenVPN ciphers list
• Private Internet Access updater: use v6 API to get servers data
• IPVanish: update servers data
• PrivateVPN: native port forwarding support (#​2285)
• Privado: update servers data
• format-servers command supports the json format option

Fixes

• Wireguard: change default WIREGUARD_MTU from 1400 to 1320 (partially address #​2533)
• OpenVPN: set default mssfix to 1320 for all providers with no default already set (partially address #​2533)
• Control server: fix logged wiki authentication section link
• Firewall:
  • iptables list uses -n flag for testing iptables path (#​2574)
  • deduplicate VPN address accept rule for multiple default routes with the same network interface
  • deduplicate ipv6 multicast output accept rules
  • ipv6 multicast output address value fixed
  • log warning if ipv6 nat filter is not supported instead of returning an error (allow to port forward redirect for IPv4 and not IPv6 if IPv6 NAT is not supported and fixed #​2503)
• Wireguard:
  • Point to Kubernetes wiki page when encountering IP rule add file exists error (#​2526)
• IPVanish:
  • fix openvpn configuration by updating CA value and add comp-lzo option
  • update openvpn zip file url for updater
• Perfect Privacy: update openvpn expired certificates (#​2542)
• Public IP: lock settings during entire update to prevent race conditions

Documentation

• Dockerfile
  • add missing OPENVPN_MSSFIX environment variable
  • add missing option definitions
    • STREAM_ONLY
    • FREE_ONLY
  • Document PORT_FORWARD_ONLY is for both PIA and ProtonVPN

Maintenance

Code quality

• Remove github.com/qdm12/golibs dependency
  • Implement friendly duration formatting locally
  • implement github.com/qdm12/golibs/command locally (#​2418)
• internal/natpmp: fix determinism for test Test_Client_ExternalAddress
• let system handle OS signals after first one to request a program stop
• internal/routing: remove redundant rule ip rule in error messages
• internal/netlink debug log ip rule commands in netlink instead of routing package
• internal/server: move log middleware to internal/server/middlewares/log
• use gofumpt for code formatting
• Fix gopls govet errors
• Upgrade linter from v1.56.2 to v1.61.0
  • Remove no longer needed exclude rules
  • Add new exclude rules for printf govet errors
  • Remove deprecated linters execinquery and exportloopref
  • Rename linter goerr113 to err113 and gomnd to mnd
  • Add new linters and update codebase: canonicalheader, copyloopvar, fatcontext, intrange

Dependencies

• Upgrade Go from 1.22 to 1.23
• Bump vishvananda/netlink from v1.2.1-beta.2 to v1.2.1
• Bump github.com/qdm12/gosettings from v0.4.3 to v0.4.4
  • Better support for quote expressions especially for commands such as VPN_PORT_FORWARDING_UP_COMMAND
• Bump github.com/breml/rootcerts from 0.2.18 to 0.2.19 (#​2601)
• Bump golang.org/x/net from 0.25.0 to 0.31.0 (#​2401, #​2578)
• Bump golang.org/x/sys from 0.260.0 to 0.27.0 (#​2404, #​2573)
• Bump golang.org/x/text from 0.15.0 to 0.17.0 (#​2400)
• Bump github.com/klauspost/compress from 1.17.8 to 1.17.11 (#​2319, #​2550)
• Bump github.com/pelletier/go-toml/v2 from 2.2.2 to 2.2.3 (#​2549)
• Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#​2428)
• Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#​2600)

CI

• Linting: remove canonicalheader since it's not reliable
• Use --device /dev/net/tun for test container
• Bump DavidAnson/markdownlint-cli2-action from 16 to 18 (#​2588)
• Bump docker/build-push-action from 5 to 6 (#​2324)

Development setup

• dev container
  • pin godevcontainer image to tag :v0.20-alpine
  • drop requirement for docker-compose and use devcontainer.json settings directly
  • readme update
    • remove Windows without WSL step
    • update 'remote containers extension' to 'dev containers extension'
    • remove invalid warning on directories creation
    • simplify customizations section
      • remove "publish a port" since it can be done at runtime now
      • remove "run other services" since it's rather unneeded in this case
      • expand documentation on custom welcome script and where to specify the bind mount
        • use bullet points instead of subsections headings
• Github labels
  • change "config problem" to "user error"
  • add "performance", "investigation", "servers storage" and "nearly resolved" categories

v3.39.1

Compare Source

🎥 https://youtu.be/O09rP1DlcFU?si=qPdzWUWnzciNxAc7

Fixes

• Firewall: delete chain rules by line number (#​2411)
• Control server: require authentication for vulnerable routes (#​2434)
• NordVPN: remove commas from region values
• IVPN: split city into city and region
  • Fix bad city values containing a comma
  • update ivpn servers data
• Private Internet Access: support port forwarding using custom Wireguard (#​2420)
• ProtonVPN: prevent using FREE_ONLY and PORT_FORWARD_ONLY together (see #​2470)
• internal/storage: add missing selection fields to build noServerFoundError (see #​2470)

v3.39.0

Compare Source

🎥 Youtube video explaining all this

Features

• OpenVPN: default version changed from 2.5 to 2.6
• Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy iptables)
• Healthcheck: change timeout mechanism
  • Healthcheck timeout is no longer fixed to 3 seconds
  • Healthcheck timeout increases from 2s to 4s, 6s, 8s, 10s
  • No 1 second wait time between check retries after failure
  • VPN internal restart may be delayed by a maximum of 10 seconds
• Firewall:
  • Query iptables binary variants to find which one to use depending on the kernel
  • Prefer using iptables-nft over iptables-legacy (Alpine new default is nft backend iptables)
• Wireguard:
  • WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL option
  • read configuration file without case sensitivity
• VPN Port forwarding: only use port forwarding enabled servers if VPN_PORT_FORWARDING=on (applies only to PIA and ProtonVPN for now)
• FastestVPN:
  • Wireguard support (#​2383 - Credits to @​Zerauskire for the initial investigation and @​jvanderzande for an initial implementation as well as reviewing the pull request)
  • use API instead of openvpn zip file to fetch servers data
  • add city filter SERVER_CITY
  • update built-in servers data
• Perfect Privacy: port forwarding support with VPN_PORT_FORWARDING=on (#​2378)
• Private Internet Access: port forwarding options VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD (retro-compatible with OPENVPN_USER and OPENVPN_PASSWORD)
• ProtonVPN:
  • Wireguard support (#​2390)
  • feature filters SECURE_CORE_ONLY, TOR_ONLY and PORT_FORWARD_ONLY (#​2182)
  • determine "free" status using API tier value
  • update built-in servers data
• Surfshark: servers data update
• VPNSecure: servers data update
• VPN_ENDPOINT_IP split into OPENVPN_ENDPOINT_IP and WIREGUARD_ENDPOINT_IP
• VPN_ENDPOINT_PORT split into OPENVPN_ENDPOINT_PORT and WIREGUARD_ENDPOINT_PORT

Fixes

• VPN_PORT_FORWARDING_LISTENING_PORT fixed
• IPv6 support detection ignores loopback route destinations
• Custom provider:
  • handle port option line for OpenVPN
  • ignore comments in an OpenVPN configuration file
  • assume port forwarding is always supported by a custom server
• VPN Unlimited:
  • change default UDP port from 1194 to 1197
  • allow OpenVPN TCP on port 1197
• Private Internet Access Wireguard and port forwarding
  • Set server name if names filter is set with the custom provider (see #​2147)
• PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
• Torguard: update OpenVPN configuration
  • add aes-128-gcm and aes-128-cbc ciphers
  • remove mssfix, sndbuf, rcvbuf, ping and reneg options
• VPNSecure: associate N / A with no data for servers
• AirVPN: set default mssfix to 1320-28=1292
• Surfshark: remove outdated hardcoded retro servers
• Public IP echo:
  • ip2location parsing for latitude and longitude fixed
  • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
• internal/server: /openvpn route status get and put
  • get status return stopped if running Wireguard
  • put status changes vpn type if running Wireguard
• Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings
• Log last Gluetun release by tag name alphabetically instead of by release date
• format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
• internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Documentation

• readme:
  • clarify shadowsocks proxy is a server, not a client
  • update list of providers supporting Wireguard with the custom provider
  • add protonvpn as custom port forwarding implementation
• disable Github blank issues
• Bump github.com/qdm12/gosplash to v0.2.0
  • Add /choose suffix to github links in logs
• add Github labels: "Custom provider", "Category: logs" and "Before next release"
• rename FIREWALL_ENABLED to FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT due to the sheer amount of users misusing it. FIREWALL_ENABLED won't do anything anymore. At least you've been warned not to use it...

Maintenance

• Code health
  • PIA port forwarding:
    • remove dependency on storage package
    • return an error to port forwarding loop if server cannot port forward
  • internal/config:
    • upgrade to github.com/qdm12/gosettings v0.4.2
      • drop github.com/qdm12/govalid dependency
      • upgrade github.com/qdm12/ss-server to v0.6.0
      • do not un-set sensitive config settings anymore
    • removed bad/invalid retro-compatible keys CONTROL_SERVER_ADDRESS and CONTROL_SERVER_PORT
    • OpenVPN protocol field is now a string instead of a TCP boolean
    • Split server filter validation for features and subscription-tier
    • provider name field as string instead of string pointer
  • internal/portforward: support multiple ports forwarded
  • Fix typos in code comments (#​2216)
  • internal/tun: fix unit test for unprivileged user
• Development environment
  • fix source.organizeImports vscode setting value
  • linter: remove now invalid skip-dirs configuration block
• Dependencies
  • Bump Wireguard Go dependencies
  • Bump Go from 1.21 to 1.22
  • Bump golang.org/x/net from 0.19.0 to 0.25.0 (#​2138, #​2208, #​2269)
  • Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#​2139)
  • Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#​2178, #​2218)
  • Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#​2279)
  • Bump github.com/stretchr/testify to v1.9.0
  • Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+
• CI
  • Bump DavidAnson/markdownlint-cli2-action from 14 to 16 (#​2214)
  • Bump peter-evans/dockerhub-description from 3 to 4 (#​2075)
• Github
  • remove empty label description fields
  • add /choose suffix to issue and discussion links
  • review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label
  • Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service

v3.38.1

Compare Source

ℹ️ This is a bugfix release for v3.38.0. If you can, please instead use release v3.39.0

Fixes

• VPN_PORT_FORWARDING_LISTENING_PORT fixed
• IPv6 support detection ignores loopback route destinations
• Custom provider:
  • handle port option line for OpenVPN
  • ignore comments in an OpenVPN configuration file
  • assume port forwarding is always supported by a custom server
• VPN Unlimited:
  • change default UDP port from 1194 to 1197
  • allow OpenVPN TCP on port 1197
• Private Internet Access Wireguard and port forwarding
  • Set server name if names filter is set with the custom provider (see #​2147)
• PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
• Torguard: update OpenVPN configuration
  • add aes-128-gcm and aes-128-cbc ciphers
  • remove mssfix, sndbuf, rcvbuf, ping and reneg options
• VPNSecure: associate N / A with no data for servers
• AirVPN: set default mssfix to 1320-28=1292
• Surfshark: remove outdated hardcoded retro servers
• Public IP echo:
  • ip2location parsing for latitude and longitude fixed
  • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
• internal/server: /openvpn route status get and put
  • get status return stopped if running Wireguard
  • put status changes vpn type if running Wireguard
• Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings
• Log last Gluetun release by tag name alphabetically instead of by release date
• format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
• internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

v3.38.0

Compare Source

Features

• Public IP fetching:
  • Add PUBLICIP_API_TOKEN variable
  • PUBLICIP_API variable supporting ipinfo and ip2location
• Private Internet Access: PORT_FORWARD_ONLY variable (#​2070)
• NordVPN:
  • update mechanism uses v2 NordVPN web API
  • Filter servers with SERVER_CATEGORIES (#​1806)
• Wireguard:
  • Read config from secret file, defaults to /run/secrets/wg0.conf which can be changed with variable WIREGUARD_CONF_SECRETFILE
  • Read private key, preshared key and addresses from individual secret files (#​1348)
• Firewall: disallow the unspecified address (0.0.0.0/0 or ::/0) for outbound subnets
• Built-in servers data updated:
  • NordVPN
  • Privado
  • Private Internet Access
  • VPN Unlimited
  • VyprVPN
• Healthcheck: change unhealthy log from info to debug level

Fixes

• Privado: update OpenVPN zip file URL
• STREAM_ONLY behavior fixed (#​2126)
• Torguard: set user agent to be allowed to download zip files
• Surfshark:
  • Remove no longer valid multi hop regions
  • Fail validation for empty string region
  • Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions

Maintenance

• Healthcheck: more explicit log to go read the Wiki health guide
• NAT-PMP: RPC error contain all failed attempt messages
• Github:
  • add closed issue workflow stating comments are not monitored
  • add opened issue workflow
• Dependencies
  • Bump github.com/breml/rootcerts from 0.2.14 to 0.2.16 (#​2094)
• CI
  • Pin docker/build-push-action to v5 (without minor version)
  • Upgrade linter to v1.56.2

v3.37.1

Compare Source

ℹ️ This is a bugfix release for v3.37.0. If you can, please instead use the newer v3.39.0 release.

Fixes

• VPN_PORT_FORWARDING_LISTENING_PORT fixed
• IPv6 support detection ignores loopback route destinations
• STREAM_ONLY behavior fixed (#​2126)
• Custom provider:
  • handle port option line for OpenVPN
  • ignore comments in an OpenVPN configuration file
  • assume port forwarding is always supported by a custom server
• VPN Unlimited:
  • change default UDP port from 1194 to 1197
  • allow OpenVPN TCP on port 1197
• Private Internet Access Wireguard and port forwarding
  • Set server name if names filter is set with the custom provider (see #​2147)
• PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
• Torguard: update OpenVPN configuration
  • add aes-128-gcm and aes-128-cbc to the ciphers option
  • remove mssfix, sndbuf, rcvbuf, ping and reneg options
  • set HTTP user agent to be allowed to download zip files
• VPNSecure: associate N / A with no data for servers
• AirVPN: set default mssfix to 1320-28=1292
• Surfshark:
  • remove outdated hardcoded retro servers
  • Remove no longer valid multi hop regions
  • Fail validation for empty string region
  • Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions
• Privado: update OpenVPN zip file URL
• internal/server: /openvpn route status get and put
  • get status return stopped if running Wireguard
  • put status changes vpn type if running Wireguard
• Log out last Gluetun release by semver tag name instead of by date
• format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
• internal/tun: only create tun device if it does not exist, do not create if it exists and does not work
• Bump github.com/breml/rootcerts from 0.2.14 to 0.2.17

PS: sorry for re-releasing this one 3 times, CI has been capricious with passing

v3.37.0

Compare Source

🎉 🎆 Happy new year 2024 🎉 🎆 Personal note at the bottom 😉

Features

• Port forwarding: port redirection with VPN_PORT_FORWARDING_LISTENING_PORT
• Custom provider: support tcp-client proto for OpenVPN
• NordVPN: add access token warning if used as wireguard private key
• Windscribe: update servers data

Fixes

• Shadowsocks: bump from v0.5.0-rc1 to v0.5.0
  • treat udp read error as non critical
  • log out crash error for tcpudp combined server
• Wireguard:
  • Load preshared key from toml file correctly and from peer selection
• Custom provider OpenVPN:
  • Default TCP port for any tcp protocol
• Firewall:
  • Handle OpenVPN tcp-client protocol as tcp
• PureVPN: fix update url and update servers (#​1992)
• VPN Unlimited OpenVPN:
  • Update CA certificate and add new second certificate
  • Remove DEFAULT:@​SECLEVEL=0
  • Specify cipher as AES-256-CBC and auth as SHA512
• Format-servers command:
  • Fix for providers with dashes
  • Add missing server name header for PIA

Maintenance

• Bump github.com/breml/rootcerts from 0.2.11 to 0.2.14 (#​1800, #​1981)
• Bump github.com/fatih/color from 1.15.0 to 1.16.0 (#​1950)
• Bump github.com/klauspost/compress from 1.16.7 to 1.17.4 (#​1922, #​1993)
• Bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#​2012)
• Bump golang.org/x/net from 0.12.0 to 0.19.0 (#​1907, #​1953, #​1985)
• Bump golang.org/x/sys from 0.11.0 to 0.13.0 (#​1897)
• Bump golang.org/x/text from 0.11.0 to 0.14.0 (#​1845, #​1946)
• CI:
  • Bump actions/checkout from 3 to 4 (#​1847)
  • Bump crazy-max/ghaction-github-labeler from 4 to 5 (#​1858)
  • Bump DavidAnson/markdownlint-cli2-action from 11 to 14 (#​1871, #​1982)
  • Bump docker/build-push-action from 4.1.1 to 5.1.0 (#​1860, #​1969)
  • Bump docker/login-action from 2 to 3 (#​1936)
  • Bump docker/metadata-action from 4 to 5 (#​1937)
  • Bump docker/setup-buildx-action from 2 to 3 (#​1938)
  • Bump docker/setup-qemu-action from 2 to 3 (#​1861)
  • Bump github/codeql-action from 2 to 3 (#​2002)

---

Personal note on the state of Gluetun

I have been focusing my effort since mid November on a DNSSEC validator to finalize a Go library on par with the usage we have of Unbound, in order to replace Unbound in Gluetun and add DNS special features for Gluetun. For example:

• automatically diverting local hostnames questions to the local Docker DNS server (a long overdued problem) - already implemented
• allow resolution of VPN endpoint hostname to ips in a very restricted DNS server + firewall to only allow a specific hostname to resolve (not implemented yet)

This is a tough problem not so well documented with few complete and valid implementations, so it's taking some time. There is likely 2 more weeks of work left before finalization.

v3.36.0

Compare Source

🎃 Happy Halloween 🎃 Hopefully it is not a spooky release! 😸

Features

• Wireguard
  • WIREGUARD_ALLOWED_IPS variable (#​1291)
  • Parse settings from /gluetun/wireguard/wg0.conf (#​1120)
• VPN server port forwarding
  • VPN_PORT_FORWARDING_PROVIDER variable (#​1616)
  • ProtonVPN port forwarding support with NAT-PMP (#​1543)
• Servers data
  • Surfshark servers data API endpoint updated (#​1560)
  • Built-in servers data updated for Cyberghost, Mullvad, Torguard, Surfshark
• Clarify "Wireguard is up" message logged
• Updater log warning about using -minratio if not enough servers are found
• Configuration: add /32 if not present for Wireguard addresses

Fixes

• Minor breaking change: DNS_KEEP_NAMESERVER leaves DNS fully untouched
• Minor breaking change: update command uses dashes instead of spaces for provider names (i.e. -vpn\ unlimited -> -vpn-unlimited)
• Port forwarding run loop reworked and fixed (#​1874)
• Public IP fetching run loop reworked and fixed
• ProtonVPN: add aes-256-gcm cipher for OpenVPN
• Custom provider: allow custom endpoint port setting
• IPv6 support for ipinfo (#​1853)
• Routing: VPNLocalGatewayIP Wireguard support
• Routing: add outbound subnets routes only for matching ip families
• Routing: change firewall only for matching ip families
• Netlink: try loading Wireguard module if not found (#​1741)
• Public IP: do not retry when doing too many requests

Documentation

• Readme
  • remove UPDATER_VPN_SERVICE_PROVIDERS in docker-compose config
  • remove Slack channel link (don't have time to check it)
  • update Wireguard native integrations support list
• Update to use newer wiki repository
  • update URLs logged by program
  • update README.md links
  • update contributing guide link
  • update issue templates links
  • replace Wiki issue template by link to Gluetun Wiki repository issue creation
  • set program announcement about Github wiki new location
• Issue templates
  • add Unraid as option in bug issue template
  • provide minimum requirements for an issue: title must be filled, at least 10 lines of log provided, Gluetun version must be provided

Maintenance

• Dockerfile: add missing environment variables
  • OPENVPN_PROCESS_USER value defaults to root
  • Add HTTPPROXY_STEALTH=off
  • Add HTTP_CONTROL_SERVER_LOG=on
• Code
  • internal/settings: change source precedence order: Secret files then files then environment variables
  • internal/routing: Wrap setupIPv6 rule error correctly
  • Move vpn gateway obtention within port forwarding service
  • internal/vpn: fix typo portForwader -> portForwarder
  • internal/provider: use type assertion for port forwarders
• CI
  • rename workflow to Markdown
  • Markdown workflow triggers on *.md files only
  • Markdown workflow triggers for pull requests as well
  • Markdown job runs misspell, linting and dead link actions
  • Markdown publishing step to Docker Hub is only for pushes to the master branch
  • Add markdown-skip workflow
• Dependencies
  • Upgrade Go to 1.21
  • Upgrade linter to v1.54.1
  • Bump golang.org/x/text from 0.10.0 to 0.11.0 (#​1726)
  • Bump golang.org/x/sys from 0.8.0 to 0.11.0 (#​1732, #​1786)
  • Bump golang.org/x/net from 0.10.0 to 0.12.0 (#​1729)
  • bump gosettings to v0.4.0-rc1

v3.35.0

Compare Source

➡️ 📖 Corresponding wiki

Features

• WIREGUARD_MTU enviromnent variable (#​1571)
• OPENVPN_VERSION=2.6 support
• Soft breaking changes:
  • Openvpn 2.4 no longer supported
  • Control server JSON field names changed
• NordVPN Wireguard support and new API endpoint (#​1380)
• Wireguard MTU defaults to 1400 instead of 1420
• Wireguard debug logs log obfuscated keys
• Bump Alpine from 3.17 to 3.18
• Shadowsocks bumped from v0.4.0 to v0.5.0-rc1

Fixes

• AirVPN: allow Airvpn as Wireguard provider
• routing: ip family match function ipv4-in-ipv6 should match ipv6
• HTTP proxy: fix httpproxy.go error message (#​1596)
• Netlink:
  • RouteList list routes from all tables and does no longer filter by link
  • use AddrReplace instead of AddrAdd
• Wireguard: delete existing Wireguard link before adding it

Documentation

• Readme: fix Alpine version from 3.17 to 3.18 (#​1636)
• Github labels: add problem category labels: Config problem, Routing, IPv6, Port forwarding

Maintenance

Code

• internal/routing:
  • remove old assigned ip debug log
  • unexport IPIsPrivate as ipIsPrivate
  • remove unused VPNDestinationIP
• internal/settings: use github.com/qdm12/gosettings
  • remove now unused settings helpers
  • remove now unused helpers/messages.go
  • use helping functions: FileExists, ObfuscateKey, BoolToYesNo
  • use gosettings/sources/env functions
• internal/netlink:
  • IPv6 detection simplified
  • Define own types with minimal fields and separate code by OS
    • Allow to swap github.com/vishvananda/netlink
    • Add files tagged for each platform
    • Create non-implemented files for NOT linux
    • Allow development on non-Linux platforms
• internal/httpproxy: add Test_returnRedirect to prevent error wrap of ErrUseLastResponse
• internal/settings/secrets: add test for readSecretFileAsStringPtr

Dependencies

• Bump github.com/breml/rootcerts from 0.2.10 to 0.2.11 (#​1567)
• Bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (#​1575, #​1633)
• Bump golang.org/x/text from 0.9.0 to 0.10.0 (#​1681)

CI

• CI triggers for pull requests to branches other than master
• Bump docker/build-push-action from 4.0.0 to 4.1.1 (#​1684)

Development tooling

• Update devcontainer definitions
• Set build tag as linux for cross development
• Specify .vscode recommendations
• Linting:
  • upgrade to v1.53.2
  • add linters dupword, paralleltest, gosmopolitan, mirror, tagalign, zerologlint and gocheckcompilerdirectives
  • add linter musttag and fix lint errors (change JSON fields in control server)

v3.34.3

Compare Source

Just creating another bugfix release since released tag v3.34.2 was wrongly pointed to the master branch instead of the v3.34 branch.

I also deleted the previous release tag v3.34.2, re-created it and the v3.34.2 image will be overridden just in case.

For changes, check out the description of v3.34.2

v3.34.2

Compare Source

Fixes

• HTTP Proxy: redirect from http to https

v3.34.1

Compare Source

Fixes

• Fix routing net.IPNet to netip.Prefix conversion (fixes #​1583)

v3.34.0

Compare Source

Features

• HEALTH_SUCCESS_WAIT_DURATION variable, defaulting to 5s
• Rename port forwarding variables (prepare to add ProtonVPN, see #​1488)
  • VPN_PORT_FORWARDING_STATUS_FILE
  • VPN_PORT_FORWARDING
  • Deprecate PIA specific variables for VPN port forwarding
• Servers data updated for: perfect privacy, surfshark
• Routing: log default route family as string

Fixes

• Mullvad: add aes-256-gcm cipher to support their newer Openvpn 2.6 servers
• Perfect privacy: update cert and key (thanks @​Thamos88 and @​15ky3)
• Perfect privacy: remove check for empty hostname in servers
• Routing: add policy rules for each destination local networks (thanks @​kylemanna)
• Settings: clarify Wireguard provider unsupported error
• Minor fixes
  • Pprof settings rates can be nil

Maintenance

• Wrap all sentinel errors and enforce using errors.Is
• Migrate usages of inet.af/netaddr to net/netip
• Use netip.Prefix for ip networks instead of net.IPNet and netaddr.IPPrefix
• Use netip.Addr instead of net.IP
• Wireguard: use netip.AddrPort instead of *net.UDPAddr
• Healthcheck use Go dialer preferrably
• Upgrade Wireguard dependencies
• Upgrade inet.af/netaddr dependency
• Upgrade golang.org/x/net to 0.10.0
• Upgrade github.com/fatih/color from 1.14.1 to 1.15.0
• Upgrade golangci-lint from v1.51.2 to v1.52.2
• Upgrade github.com/vishvananda/netlink from 1.1.1-0.20211129163951-9ada19101fc5 to 1.2.1-beta.2
• Upgrade golang.org/x/sys from 0.7.0 to 0.8.0
• Remove unneeded settings/helpers/pointers.go, CopyNetipPrefix and settings/sources/env envToInt function
• Fix netlink tagged integration tests
• Settings: use generics for helping functions (thanks @​bubuntux)
• Simplify default routes for loop
• Development container: do not bind mount ~/.gitconfig

v3.33.0

Compare Source

Features

• WIREGUARD_IMPLEMENTATION variable which can be auto (default), userspace or kernelspace
• gchr.io/qdm12/gluetun Docker image mirror
• Alpine upgraded from 3.16 to 3.17
• OpenVPN upgraded from 2.5.6 to 2.5.8 built with OpenSSL 3
• OpenSSL 1.1.* installed separately to maintain OpenVPN 2.4 working
• Logging:
  • log FAQ Github Wiki URL when the VPN internally restarts
  • Warn Openvpn 2.4 is to be removed in the next release
  • Warn when using SlickVPN or VPN Unlimited due to their weak certificates
  • Warn Hide My Ass is no longer supported (credits to @​Fukitsu)
  • OpenVPN RTNETLINK answers: File exists changed to warning level with explanation
  • OpenVPN Linux route add command failed: changed to warning level with explanation
  • Log IPv6 support at debug level with more information instead of at the info level
• Update servers data: AirVPN, FastestVPN, Mullvad, Surfshark, Private Internet Access
• Netlink: add debug logger (no use yet)
• Surfshark: add 2 new 'HK' servers
• Install Alpine wget package (fixes #​1260, #​1494 due to busybox's buggy wget)
• OpenVPN: transparently upgrade key encryption for DES-CBC encrypted keys (VPN Secure)

Important fixes

• Exit with code 1 on a program error
• Profiling server: do not run if disabled
• IPv6 detection: inspect each route source and destination for buggy kernels/container runtimes
• iptables detection: better interpret permission denied for buggy kernels/container runtimes
• FastestVPN: update OpenVPN zip file URL for the updater (#​1264)
• IPVanish: update OpenVPN zip file URL for the updater (#​1449)
• Surfshark: remove 3 servers no longer resolving
• AirVPN:
  • remove commas from API locations
  • remove commas from city names
• VPN Unlimited: lower TLS security level to 0 to allow weak certificates to work with Openvpn 2.5.8+Openssl 3
• SlickVPN
  • explicitely allow AES-256-GCM cipher
  • lower TLS security level to 0 to allow SlickVPN's weak certificates to work with Openvpn 2.5.8+Openssl 3
  • All servers support TCP and UDP
  • Precise default TCP port as 443

Documentation

• Document new docker image gchr.io/qdm12/gluetun
• Add servers updater environment variables (#​1393)
• Update Github labels:
  • remove issue category labels
  • Add temporary status labels
  • Add complexity labels

Minor fixes

• Firewall: remove previously allowed input ports
• HTTP proxy: lower shutdown wait from 2s to 100ms
• Private Internet Access: remove credentials from login error string
• Wireguard:
  • validate Wireguard addresses depending on IPv6 support
  • ignore IPv6 interface addresses if IPv6 is not supported
• Healthcheck client: set unset health settings to defaults
• Print outbound subnets settings correctly
• github.com/breml/rootcerts from 0.2.8 to 0.2.10
• Add subprogram name in version check error

Maintenance

• Development tooling:
  • Go upgraded from 1.19 to 1.20
  • Development container has the same ssh bind mount for all platforms
  • Development container has openssl installed
  • golangci-lint upgraded from v1.49.0 to v1.51.2
  • github.com/stretchr/testify upgraded from 1.8.1 to 1.8.2
• Dependencies
  • golang.org/x/text upgraded from 0.4.0 to 0.8.0
  • github.com/fatih/color upgraded from 1.13.0 to 1.14.1
  • golang.org/x/sys upgraded from 0.3.0 to 0.6.0
  • Remove no longer needed apk-tools
• Code health
  • Add comments for OpenVPN settings fields about their base64 DER encoding
  • internal/openvpn/extract: simplify PEM extraction function
  • Review all error wrappings
    • remove repetitive cannot and failed prefixes
    • rename unmarshaling to decoding
• CI
  • docker/build-push-action upgraded from 3.2.0 to 4.0.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.