Releases: qdm12/gluetun

v3.31.1

11 Sep 20:21

Fixes

  • Fix vpnsecure.me operation by allowing empty OpenVPN username

v3.31.0

24 Aug 21:51

Features

  • SlickVPN Support (#961)
  • VPNsecure.me support (#848)
  • Update servers data built-in for ExpressVPN, Surfshark
  • Control server: add /vpn route to replace /openvpn (in future v4.0.0)
  • Control server: patch VPN settings using HTTP PUT at /v1/vpn/settings (undocumented, experimental)

Fixes

  • Surfshark: remove no longer valid retro server data
  • Bump github.com/breml/rootcerts from 0.2.3 to 0.2.6 (#1033, #1058)

Documentation

  • Fix readme typo sercice to service (#1067)

Undocumented breaking changes

  • Environment variable OPENVPN_CLIENTCRT -> OPENVPN_CERT (No breaking change since this was undocumented)
  • Environment variable OPENVPN_CLIENTKEY -> OPENVPN_KEY (No breaking change since this was undocumented)
  • Control server: replace response status code 404 with 401 for unsupported routes and methods
  • Control server: do not redact openvpn credentials from JSON response
  • Read base64 encoded data from environment variables (OpenVPN cert, key and encrypted key) instead of PEM encoded data

Maintenance

  • Add mocks check to check for missing //go:generate comments and outdated mocks
  • Linting:
    • upgrade golangci-lint to v1.49.0
    • config: remove duplicate predeclared and commented varnamelen, wrapcheck
    • config: remove deprecated linters ifshort
    • config: add linters asasalint, usestdlibvars, interfacebloat, reassign
    • Mitigate Slowloris attacks on HTTP servers by setting read timeouts
    • Force a default of 5 minutes for the pprof read timeout
    • Change ShutdownTimeout to time.Duration since it cannot be set to 0
  • Use common mocks for ivpn and ipvanish
  • OpenVPN user and password as nullable (they can be an empty string for custom provider)
  • OpenVPN settings struct field ClientKey -> Key
  • OpenVPN settings struct field ClientCrt -> Cert
  • Remove deprecated io/ioutil import
  • Fix labels workflow:
    • Limit labels workflow to run on commits coming from not-forked repositories
    • Fix permissions to write for labels
  • Bump docker/build-push-action from 3.0.0 to 3.1.1 (#1073, #1098)
  • Bump github.com/stretchr/testify from 1.7.2 to 1.8.0 (#1042, #1052)

v3.30.1

24 Aug 19:36

Fixes

  • OpenVPN certificate: read PEM encoded files and read base64 encoded PEM inner value from environment variable (as documented in Wiki)
  • OpenVPN key: read PEM encoded files and read base64 encoded PEM inner value from environment variable (as documented in Wiki)

v3.30.0

03 Jul 22:54

Features

  • ExpressVPN: OpenVPN additional ciphers (#1047)
  • Storage:
    • add "keep" boolean field for servers to keep manually added servers
    • log time difference as a friendly duration
  • Updater: configurable minimum ratio of servers found
    • UPDATER_MIN_RATIO environment variable
    • -minratio flag for CLI operation
  • Docker: upgrade Alpine from 3.15 to 3.16 (#1005)
  • Update servers data: Perfect privacy, Purevpn, Privatevpn, Private Internet Access, ProtonVPN, IPVanish, Surfshark
  • Environment variables: clean values by removing surrounding spaces and trailing newline characters
  • Wireguard: add debug logs for IPv6 detection which can be enabled with LOG_LEVEL=debug

Fixes

  • ExpressVPN: OpenVPN fragment option taken into account (#1047)
  • Private internet access:
    • load custom certificate to communicate with their API
    • restrict custom port choice
  • ProtonVPN:
    • set free field for free servers, fixing FREE_ONLY behavior
    • remove duplicate entry IPs
    • restrict custom port choice
  • Wireguard: continue if adding the IPv6 route fails with permission denied
  • VPN: do not close wait error channel on consumer side
  • Port forwarding: set file owned by the uid and gid set by PUID and PGID
  • Private Internet Access: remove duplicate log of port forwarding data expiration
  • Pprof settings: override method used correctly in global settings
  • Updater: Fix CLI operation not setting DNS server
  • IPVanish: remove duplicate server entries
  • Custom: validate custom OpenVPN file at settings validation

Documentation

  • Bug issue template: render logs as plain text instead of as a log block
  • ProtonVPN: document in code to remove SERVER_NAMES
  • Update maintenance.md document

Maintenance

Easy to add VPN providers

  • internal/provider/example new package
  • Readme: simplify heading description
  • internal/updater: check each server has minimal information
  • internal/storage: modify JSON tests to not need all providers listed
  • internal/provider/common new package: shared interfaces and errors for all providers
  • internal/provider: new Providers contains a map from provider string name to provider interface
  • Use the same provider object for both updating servers and to setup the VPN
  • Initialize all providers at start in the Providers map
  • internal/provider/*:
    • incorporate updating FetchServers method in Provider interface
    • Rename each provider updater subpackage name to updater
    • add Name() method per provider
    • rename all provider structs to Provider
    • rename all test functions to Test_Provider_GetConnection
  • internal/updater: Updater update method takes in a slice of provider strings
  • internal/storage: common sorting for all servers
  • internal/provider/surfshark/servers/locationdata.go merging both internal/models/location.go and internal/constants/surfshark.go
  • internal/models: provider to servers map in allServers:
    • Custom JSON marshaling methods for AllServers
    • Simplify formatting CLI
    • Simplify updater code
    • Simplify filter choices for config validation
    • Simplify all servers deep copying
    • Simplify provider constructor switch
    • Simplify storage merging
    • Simplify storage reading and extraction
  • internal/storage/servers.json: change provider names to match string constants in code
    • From pia to private internet access, and reset version to 1
    • From perfectprivacy to perfect privacy, and reset version to 1
    • From vpnunlimited to vpn unlimited, and reset version to 1
  • internal/cli: refactor FormatServers to use provider strings
  • internal/provider/utils: unexport no longer externally needed functions
  • internal/provider: add GetConnection test

Continuous integration

  • Fix trigger for Docker image publish job
  • Merge jobs and workflows into the verify job of the CI workflow:
    • CodeQL job
    • Dependabot workflow
    • Fork workflow
  • Fix behavior on pull requests from forked repositories
    • Run Docker Hub description job only on base repository
    • Run Docker image publish job only on base repository
  • Build base repository pull request Docker images with tag :pr-N (#1026)
  • Add skip workflow for required verify job
  • Restrict permissions to read actions+contents for all jobs
  • Remove go.mod tidy check job
    • Not really needed with newer go install
    • Conflicts with Go 1.17 go.mod format
    • Conflicts with manual indirect dependency upgrade
  • Bump docker/setup-buildx-action from 1 to 2 (#977)
  • Bump docker/setup-qemu-action from 1 to 2 (#978)
  • Bump docker/build-push-action from 2.10.0 to 3.0.0 (#979)
  • Bump docker/metadata-action from 3 to 4 (#980)
  • Bump docker/login-action from 1 to 2 (#981)
  • Bump crazy-max/ghaction-github-labeler from 3 to 4 (#1007)

Other

Storage: memory and thread safe servers data storage

  • only pass hardcoded versions to read file and discard outdated servers
  • unexport SyncServers method
  • minimal deep copying and data duplication
  • add merged servers mutex for thread safety
  • settings: get filter choices from storage for settings validation
  • updater:
    • update servers to the storage
    • get servers count from storage directly
    • equality check done by the storage
  • connection: filter servers in storage
  • formatter: format servers to Markdown in storage
  • PIA: get server by name from storage directly
  • internal/openvpn/extract: extract.PEM replaces all PEM parse functions
  • internal/constants/openvpn new package for OpenVPN related constants.
  • internal/wireguard: add check for empty public key for Wireguard
  • internal/publicip:
    • Exported Fetcher interface
    • Inject Fetcher to publicip loop and updaters
    • Get public IP and information at the same time
    • Only query ipinfo.io
    • Make MultiInfo part of the Fetch object
    • internal/publicip/ipinfo package
  • Updater:
    • DNS address as host:port string in settings structure
    • Remove unneeded ctx error check in cyberghost updating code
    • UpdateServers returns an error if it fails updating a single provider
    • Inject a common resolver into each provider instead of creating a unique one per provider, and use resolver settings on every call to its .Resolve method
    • Move out minServers check from resolver
    • internal/updater/loop subpackage
    • internal/server: more restrictive updater loop interface
  • Renamings:
    • updater: rename all presolver to parallelResolver
    • storage: rename InfoErrorer to Infoer
    • provider: rename all BuildConf methods to OpenVPNConfig
    • updater: rename all GetServers methods to FetchServers
  • Entire codebase changes:
    • remove unexported Go interfaces
    • remove package comments
    • return concrete types, accept interfaces
  • Upgrade gopkg.in/yaml.v3 to v3.0.1 to fix (dull) vulnerability alert on GitHub

Development

  • See Easy to add VPN providers related work
  • .vscode/launch.json to update servers - Credits to @Rohaq
  • go4.org/unsafe/assume-no-moving-gc upgraded to allow development using Go 1.18 without ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.18
  • Linting:
    • upgrade golangci-lint from v1.44.2 to v1.46.2
    • review exclude rules
    • ireturn, execinquery and nosprintfhostport linters added
  • Use the cases package instead of strings.Title to remove Go 1.18 linting warnings
    • Add golang.org/x/text dependency
    • Update code to use cases.Title(language.English)
  • Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#1016)

v3.29.0

11 May 23:11

Features

Firewall

  • Auto-detect iptables and iptables-nft for IPv4 and IPv6
  • Improve error message when NET_ADMIN capability is missing
  • Support all default routes instead of only the first one
    • Accept output traffic from all default routes through VPN interface
    • Accept output from all default routes to outbound subnets
    • Accept all input traffic on ports for all default routes
    • Add IP rules for all default routes
  • Add IPv6 inbound routing

Provider specific

  • Servers update: Mullvad, Privado, PrivateVPN, ProtonVPN, PureVPN, NordVPN, Private Internet Access, Torguard, FastestVPN (thanks @mircoianese #923)
  • NordVPN: remove OpenVPN compression
  • Ivpn: allow no password for account IDs matching i-xxxx-xxxx-xxxx or ivpn-xxxx-xxxx-xxxx

Other

Fixes

  • Health check:
    • HEALTH_TARGET_ADDRESS to replace HEALTH_ADDRESS_TO_PING
    • Remove github.com/go-ping/ping dependency
    • Dial TCP the target address, appending :443 if port is not set
    • Target address defaults to cloudflare.com:443
  • Fix OPENVPN_FLAGS not being applied
  • Fix HEALTH_VPN_DURATION_ADDITION not being applied
  • Privado: fix OPENVPN_PORT usage, thanks @cacti-user
  • Firewall: only set routes for IPv4 default routes
  • Use openvpn 2.4.12-r0 in CI build for openvpn 2.4
  • Fix PureVPN zip file download link (#915 thanks @mircoianese)
  • Private Internet Access: hide escaped url query values (token etc.)
  • NordVPN: allow aes-256-gcm for Openvpn 2.4
  • Private Internet Access: fix certificate validation (use OS certificates instead of custom certificate)
  • Port forwarding: loop exit from vpn loop
  • PUID and PGID as 32-bit unsigned integers instead of 16-bit

Documentation

  • Readme: re-add /dev/net/tun device since some OSes need it
  • Readme: remove old announcement (#938, thanks @martinbjeldbak)

Maintenance

CI

  • Add CodeQL analysis workflow
  • Bump actions/checkout from 2.4.0 to 3 (#870)
  • Bump docker/build-push-action from 2.8.0 to 2.10.0 (#832, #893)
  • Bump peter-evans/dockerhub-description from 2 to 3 (#908)

Code

  • New internal packages:
    • internal/constants/providers
    • internal/constants/vpn
  • Protonvpn: remove unused exit IPs field in server model
  • ProtonVPN: Change server name JSON field from name to server_name
  • Generic server models:
    • Streamline all server models IP addresses:
      • Use IPs []net.IP for all server models
      • Use ips JSON field for all server models
      • Merge IPv4 and IPv6 addresses together for Mullvad
    • Specify UDP and TCP compatibility for all servers in servers.json
    • Specify VPN protocol for all servers in servers.json
    • Common Server model and Servers model for all providers (#943)
    • Common filtering builder for all providers
    • Common GetConnection for all providers
  • Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#897)
  • Bump github.com/breml/rootcerts from 0.2.2 to 0.2.3 (#926)
  • Routing: remove unused LocalSubnetGetter
  • internal/httpserver: remove name field and prefix in logs
  • Use internal/httpserver for control server
  • Add defensive check for zero connection found from servers (if no IP is defined)
  • Simplify reading of servers JSON file

Dev environment

  • Development container
    • Fix windows script sourcing
    • Remove image name to avoid conflicts
    • Bind mount normally without :z
    • Install htop
  • Update maintenance document

v3.28.2

31 Mar 20:55

Fixes

  • Fix OPENVPN_FLAGS functionality
  • Fix Openvpn 2.4 install to use 2.4.12-r0

v3.27.2

31 Mar 20:54

Fixes

  • Fix OPENVPN_FLAGS functionality
  • Fix Openvpn 2.4 install to use 2.4.12-r0
  • Fix CI Docker tags metadata

v3.28.1

21 Mar 21:01

Fixes

  • Healthcheck uses a TCP dial to github.com:443 since the ping mechanism appears to be non-functional
  • HEALTH_TARGET_ADDRESS to replace HEALTH_ADDRESS_TO_PING

v3.27.1

21 Mar 20:57

Fixes

  • Healthcheck uses a TCP dial to github.com:443 since the ping mechanism appears to be non-functional
  • HEALTH_TARGET_ADDRESS to replace HEALTH_ADDRESS_TO_PING

v3.28.0

26 Feb 16:18

Features

  • Updater: environment variable UPDATER_VPN_SERVICE_PROVIDERS
    • Updater defaults to updating the VPN provider in use, if enabled
  • ExpressVPN: update built-in server data
  • OPENVPN_PROCESS_USER with retro-compatibility with OPENVPN_ROOT
  • Add pprof HTTP server on port :6060 (#807)

Fixes

  • Accept uppercase OPENVPN_PROTOCOL values
  • Cyberghost: log about compatibility mode if COUNTRY is left empty
  • Control server: allow binding to a random port by using :0
  • Retro-compatible precedence order for environment variables with defaults set in Dockerfile
    • BLOCK_NSA has precedence over BLOCK_SURVEILLANCE
    • HEALTH_OPENVPN_DURATION_ADDITION has precedence over HEALTH_VPN_DURATION_ADDITION
    • HEALTH_OPENVPN_DURATION_INITIAL has precedence over HEALTH_VPN_DURATION_INITIAL
    • Chain of precedence: PROXY > TINYPROXY > HTTPPROXY
    • Chain of precedence: PROXY_LOG_LEVEL > TINYPROXY_LOG > HTTPPROXY_LOG
    • PROTOCOL has precedence over OPENVPN_PROTOCOL
    • IP_STATUS_FILE has precedence over PUBLICIP_FILE
    • SHADOWSOCKS_PORT has precedence over SHADOWSOCKS_LISTENING_ADDRESS
    • SHADOWSOCKS_METHOD has precedence over SHADOWSOCKS_CIPHER

Maintenance

  • SERVER_NAMES variable with retro-compatibility for SERVER_NAME
  • SERVER_HOSTNAMES variable with retro-compatibility with SERVER_HOSTNAME
  • SERVER_REGIONS variable with retro-compatibility with REGION
  • SERVER_CITIES variable with retro-compatibility with CITY
  • SERVER_COUNTRIES variable with retro-compatibility with COUNTRY
  • Simplify Cyberghost retro-compatibility logic
  • PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING_STATUS_FILE with retro-compatibility with PORT_FORWARDING_STATUS_FILE
  • PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING with retro-compatibility with PORT_FORWARDING
  • PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET variable with retro-compatibility with PIA_ENCRYPTION and ENCRYPTION
  • OPENVPN_CIPHERS variable with retro-compatibility with OPENVPN_CIPHER
  • VPN_SERVICE_PROVIDER variable with retro-compatibility with VPNSP
  • WIREGUARD_ADDRESSES variable with retro-compatibility with WIREGUARD_ADDRESS
  • DNS_ADDRESS variable with retro-compatibility with DNS_PLAINTEXT_ADDRESS
  • VPN_INTERFACE with retro-compatibility with OPENVPN_INTERFACE and WIREGUARD_INTERFACE
  • VPN_ENDPOINT_PORT with retro-compatibility with OPENVPN_PORT and WIREGUARD_ENDPOINT_PORT
  • VPN_ENDPOINT_IP with retro-compatibility with OPENVPN_TARGET_IP and WIREGUARD_ENDPOINT_IP
  • HTTP_CONTROL_SERVER_PORT with retro-compatibility with HTTP_CONTROL_SERVER_ADDRESS
  • OWNED_ONLY with retro-compatibility with OWNED
  • Remove unused constant file paths and move remaining ones in corresponding package
  • getEnvWithRetro helper function for internal/configuration/sources/env
  • Do not validate control server port when reading from environment variables, only validate downstream
  • Bump docker/build-push-action from 2.7.0 to 2.8.0 (#801)
  • Bump github.com/breml/rootcerts from 0.2.1 to 0.2.2 (#812)