Releases: qdm12/gluetun
v3.31.1
v3.31.0
Features
- SlickVPN Support (#961)
- VPNsecure.me support (#848)
- Update servers data built-in for ExpressVPN, Surfshark
- Control server: add `/vpn` route to replace `/openvpn` (in future v4.0.0)
- Control server: patch VPN settings using HTTP PUT at `/v1/vpn/settings` (undocumented, experimental)
Fixes
- Surfshark: remove no longer valid retro server data
- Bump github.com/breml/rootcerts from 0.2.3 to 0.2.6 (#1033, #1058)
Documentation
- Fix readme typo `sercice` to `service` (#1067)
Undocumented breaking changes
- Environment variable `OPENVPN_CLIENTCRT` -> `OPENVPN_CERT` (no breaking change since this was undocumented)
- Environment variable `OPENVPN_CLIENTKEY` -> `OPENVPN_KEY` (no breaking change since this was undocumented)
- Control server: replace response status code `404` with `401` for unsupported routes and methods
- Control server: do not redact openvpn credentials from JSON response
- Read base64 encoded data from environment variables (OpenVPN cert, key and encrypted key) instead of PEM encoded data
Maintenance
- Add mocks check to check for missing `//go:generate` comments and outdated mocks
- Linting:
  - upgrade golangci-lint to v1.49.0
  - config: remove duplicate `predeclared` and commented `varnamelen`, `wrapcheck`
  - config: remove deprecated linters `ifshort`
  - config: add linters `asasalint`, `usestdlibvars`, `interfacebloat`, `reassign`
- Fix Slowloris attacks on HTTP servers
- Force set default of 5 minutes for pprof read timeout
- Change `ShutdownTimeout` to `time.Duration` since it cannot be set to 0
- Use common mocks for ivpn and ipvanish
- OpenVPN user and password as nullable (they can be an empty string for custom provider)
- OpenVPN settings struct field `ClientKey` -> `Key`
- OpenVPN settings struct field `ClientCrt` -> `Cert`
- Remove deprecated `io/ioutil` import
- Fix labels workflow:
  - Limit labels workflow to run on commits coming from not-forked repositories
  - Fix permissions to write for labels
- Bump docker/build-push-action from 3.0.0 to 3.1.1 (#1073, #1098)
- Bump github.com/stretchr/testify from 1.7.2 to 1.8.0 (#1042, #1052)
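As an added example (not gluetun's own code), the Go program below shows the mitigation behind the Slowloris fix listed above: an `http.Server` with `ReadHeaderTimeout`/`ReadTimeout` set, as gluetun now does for pprof with a 5-minute default, cuts off a client that sends half a request and then stalls, whereas a server with no timeouts keeps that connection open. `newHardenedServer` and `slowClientGetsDropped` are names introduced here.

```go
package main // added example, not gluetun's own code

import (
	"fmt"
	"net"
	"net/http"
	"time"
)

// newHardenedServer bounds header and body reads so a Slowloris client trickling
// bytes cannot hold a connection open forever (gluetun's pprof server uses 5 min).
func newHardenedServer(addr string, handler http.Handler, readTimeout time.Duration) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           handler,
		ReadHeaderTimeout: readTimeout,
		ReadTimeout:       readTimeout,
	}
}

// slowClientGetsDropped serves srv on loopback, sends half a request as a client,
// goes silent, and reports whether srv cut the connection off within wait.
func slowClientGetsDropped(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln) // returns once srv.Close() runs below
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Request line and one header, but never the blank line that ends the headers.
	if _, err := conn.Write([]byte("GET / HTTP/1.1\r\nHost: example\r\n")); err != nil {
		return false, err
	}
	_ = conn.SetReadDeadline(time.Now().Add(wait)) // bound the probe's own read
	_, err = conn.Read(make([]byte, 1))
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // server kept the idle connection open for the whole wait
	}
	return true, nil // a reply (e.g. 408) or EOF/reset: the server cut the slow client off
}

func main() {
	dropped, err := slowClientGetsDropped(newHardenedServer("", http.NotFoundHandler(), 200*time.Millisecond), 2*time.Second)
	fmt.Println("hardened server dropped slow client:", dropped, err)
}
```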
v3.30.1
Fixes
- OpenVPN certificate: read PEM encoded files and read base 64 encoded PEM inner value from environment variable (as documented in Wiki)
- OpenVPN key: read PEM encoded files and read base 64 encoded PEM inner value from environment variable (as documented in Wiki)
v3.30.0
Features
- ExpressVPN: OpenVPN additional ciphers (#1047)
- Storage:
  - add `"keep"` boolean field for servers to keep manually added servers
  - log time difference as a friendly duration
- Updater: configurable minimum ratio of servers found
  - `UPDATER_MIN_RATIO` environment variable
  - `-minratio` flag for CLI operation
- Docker: upgrade Alpine from 3.15 to 3.16 (#1005)
- Update servers data: Perfect privacy, Purevpn, Privatevpn, Private Internet Access, ProtonVPN, IPVanish, Surfshark
- Environment variables: clean values by removing surrounding spaces and suffix new line characters
- Wireguard: add debug logs for IPv6 detection which can be enabled with `LOG_LEVEL=debug`
Fixes
- ExpressVPN: OpenVPN `fragment` option taken into account (#1047)
- Private internet access:
  - load custom certificate to communicate with their API
  - restrict custom port choice
- ProtonVPN:
  - set free field for free servers, fixing `FREE_ONLY` behavior
  - remove duplicate entry IPs
  - restrict custom port choice
- Wireguard: continue on ipv6 route add permission denial
- VPN: do not close wait error channel on consumer side
- Port forwarding: set file owned by the uid and gid set by `PUID` and `PGID`
- Private Internet Access: remove duplicate log of port forwarding data expiration
- Pprof settings: override method used correctly in global settings
- Updater: Fix CLI operation not setting DNS server
- IPVanish: remove duplicate server entries
- Custom: validate custom OpenVPN file at settings validation
Documentation
- Bug issue template: fix render of logs to be `plain text` instead of `log`
- ProtonVPN: document in code to remove `SERVER_NAMES`
- Update maintenance.md document
Maintenance
Easy to add VPN providers
- `internal/provider/example` new package
- Readme: simplify heading description
- `internal/updater`: check each server has minimal information
- `internal/storage`: modify JSON tests to not need all providers listed
- `internal/provider/common` new package: shared interfaces and errors for all providers
- `internal/provider`: new `Providers` contains a map from provider string name to provider interface
  - Use the same provider object for both updating servers and to setup the VPN
  - Initialize all providers at start in the `Providers` map
- `internal/provider/*`:
  - incorporate updating `FetchServers` method in `Provider` interface
  - Rename each provider updater subpackage name to `updater`
  - add `Name()` method per provider
  - rename all provider structs to `Provider`
  - rename all test functions to `Test_Provider_GetConnection`
- `internal/updater`: Updater `update` method takes in a slice of provider strings
- `internal/storage`: common sorting for all servers
- `internal/provider/surshark/servers/locationdata.go` merging both `internal/models/location.go` and `internal/constants/surfshark.go`
- `internal/models`: provider to servers map in `allServers`:
  - Custom JSON marshaling methods for `AllServers`
  - Simplify formatting CLI
  - Simplify updater code
  - Simplify filter choices for config validation
  - Simplify all servers deep copying
  - Simplify provider constructor switch
  - Simplify storage merging
  - Simplify storage reading and extraction
- `internal/storage/servers.json`: change provider names to match string constants in code
  - From `pia` to `private internet access`, and reset version to `1`
  - From `perfectprivacy` to `perfect privacy`, and reset version to `1`
  - From `vpnunlimited` to `vpn unlimited`, and reset version to `1`
- `internal/cli`: refactor `FormatServers` to use provider strings
- `internal/provider/utils`: unexport no longer externally needed functions
- `internal/provider`: add `GetConnection` test
Continuous integration
- Fix trigger for Docker image publish job
- Merge jobs and workflows into the `verify` job of the CI workflow:
  - CodeQL job
  - Dependabot workflow
  - Fork workflow
- Fix behavior on pull requests from forked repositories
- Run Docker Hub description job only on base repository
- Run Docker image publish job only on base repository
- Build base repository pull request Docker images with tag `:pr-N` (#1026)
- Add skip workflow for required verify job
- Restrict permissions to read actions+contents for all jobs
- Remove go.mod tidy check job
  - Not really needed with newer `go install`
  - Conflicts with Go 1.17 go.mod format
  - Conflicts with manual indirect dependency upgrade
- Bump docker/setup-buildx-action from 1 to 2 (#977)
- Bump docker/setup-qemu-action from 1 to 2 (#978)
- Bump docker/build-push-action from 2.10.0 to 3.0.0 (#979)
- Bump docker/metadata-action from 3 to 4 (#980)
- Bump docker/login-action from 1 to 2 (#981)
- Bump crazy-max/ghaction-github-labeler from 3 to 4 (#1007)
Other
- Storage: memory and thread safe servers data storage
  - only pass hardcoded versions to read file and discard outdated servers
  - unexport `SyncServers` method
  - minimal deep copying and data duplication
  - add merged servers mutex for thread safety
  - settings: get filter choices from storage for settings validation
  - updater:
    - update servers to the storage
    - get servers count from storage directly
    - equality check done by the storage
  - connection: filter servers in storage
  - formatter: format servers to Markdown in storage
  - PIA: get server by name from storage directly
- `internal/openvpn/extract`: `extract.PEM` replaces all PEM parse functions
- `internal/constants/openvpn` new package for OpenVPN related constants
- `internal/wireguard`: add check for empty public key for Wireguard
- `internal/publicip`:
  - Exported `Fetcher` interface
  - Inject `Fetcher` to publicip loop and updaters
  - Get public IP and information at the same time
  - Only query ipinfo.io
  - Make `MultiInfo` part of the `Fetch` object
  - `internal/publicip/ipinfo` package
- Updater:
  - DNS address as `host:port` string in settings structure
  - Remove unneeded ctx error check in cyberghost updating code
  - `UpdateServers` returns an error if it fails updating a single provider
  - Inject a common resolver to each provider instead of creating a unique one per provider, and use resolver settings on every call to its `.Resolve` method
  - Move out minServers check from resolver
  - `internal/updater/loop` subpackage
  - `internal/server`: more restrictive updater loop interface
- Renamings:
  - updater: rename all `presolver` to `parallelResolver`
  - storage: rename `InfoErrorer` to `Infoer`
  - provider: rename all `BuildConf` methods to `OpenVPNConfig`
  - updater: rename all `GetServers` methods to `FetchServers`
- Entire codebase changes:
  - remove unexported Go interfaces
  - remove package comments
  - return concrete types, accept interfaces
- Upgrade `gopkg.in/yaml.v3` to v3.0.1 to fix (dull) vulnerability alert on Github
Development
- See Easy to add VPN providers related work
- `.vscode/launch.json` to update servers - Credits to @Rohaq
- `go4.org/unsafe/assume-no-moving-gc` upgraded to allow development using Go 1.18 without `ASSUME_NO_MOVING_GC_UNSAFE_RISK_IT_WITH=go1.18`
- Linting:
  - upgrade golangci-lint from v1.44.2 to v1.46.2
  - review exclude rules
  - `ireturn`, `execinquery` and `nosprintfhostport` linters added
- Use casers instead of `strings.Title` to remove Go 1.18 linting warnings
  - Add `golang.org/x/text` dependency
  - Update code to use `cases.Title(language.English)`
- Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#1016)
v3.29.0
Features
Firewall
- Auto-detect `iptables` and `iptables-nft` for IPv4 and IPv6
- Improve error message when `NET_ADMIN` capability is missing
- Support all default routes instead of only the first one
  - Accept output traffic from all default routes through VPN interface
  - Accept output from all default routes to outbound subnets
  - Accept all input traffic on ports for all default routes
  - Add IP rules for all default routes
- Add IPv6 inbound routing
Provider specific
- Servers update: Mullvad, Privado, PrivateVPN, ProtonVPN, PureVPN, NordVPN, Private Internet Access, Torguard, FastestVPN (thanks @mircoianese #923)
- NordVPN: remove OpenVPN compression
- Ivpn: allow no password for account IDs matching `i-xxxx-xxxx-xxxx` or `ivpn-xxxx-xxxx-xxxx`
Other
- Use https://github.com/qdm12/log for logging
- Log out OS signal name when shutting down
- Storage: omit empty fields in servers.json
Fixes
- Health check: `HEALTH_TARGET_ADDRESS` to replace `HEALTH_ADDRESS_TO_PING`
  - Remove `github.com/go-ping/ping` dependency
  - Dial TCP the target address, appending `:443` if port is not set
  - Target address defaults to `cloudflare.com:443`
- `OPENVPN_FLAGS` working fixed
- `HEALTH_VPN_DURATION_ADDITION` working fixed
- Privado: fix `OPENVPN_PORT` usage, thanks @cacti-user
- Firewall: only set routes for IPv4 default routes
- Use `openvpn 2.4.12-r0` in CI build for openvpn 2.4
- Fix PureVPN zip file download link (#915 thanks @mircoianese)
- Private Internet Access: hide escaped url query values (token etc.)
- NordVPN: allow aes-256-gcm for Openvpn 2.4
- Private Internet Access: fix certificate validation (use OS certificates instead of custom certificate)
- Port forwarding: loop exit from vpn loop
- PUID and PGID as 32 bit unsigned integers instead of 16 bit
Documentation
- Readme: re-add `/dev/net/tun` device since some OSes need it
- Readme: remove old announcement (#938, thanks @martinbjeldbak)
Maintenance
CI
- Add CodeQL analysis workflow
- Bump actions/checkout from 2.4.0 to 3 (#870)
- Bump docker/build-push-action from 2.8.0 to 2.10.0 (#832, #893)
- Bump peter-evans/dockerhub-description from 2 to 3 (#908)
Code
- New internal packages:
  - `internal/constants/providers`
  - `internal/constants/vpn`
- Protonvpn: remove unused exit IPs field in server model
- ProtonVPN: Change server name JSON field from `name` to `server_name`
- Generic server models:
  - Streamline all server models IP addresses:
    - Use `IPs []net.IP` for all server models
    - Use `ips` JSON field for all server models
    - Merge IPv4 and IPv6 addresses together for Mullvad
  - Specify UDP and TCP compatibility for all servers in servers.json
  - Specify VPN protocol for all servers in servers.json
  - Common `Server` model and `Servers` model for all providers (#943)
  - Common filtering builder for all providers
  - Common `GetConnection` for all providers
- Bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#897)
- Bump `github.com/breml/rootcerts` from 0.2.2 to 0.2.3 (#926)
- Routing: remove unused LocalSubnetGetter
- `internal/httpserver`: remove `name` field and prefix in logs
- Use `internal/httpserver` for control server
- Add defensive check for zero connection found from servers (if no IP is defined)
- Simplify reading of servers JSON file
Dev environment
- Development container
  - Fix windows script sourcing
  - Remove image name to avoid conflicts
  - Bind mount normally without `:z`
  - Install `htop`
- Update maintenance document
v3.28.2
v3.27.2
v3.28.1
v3.27.1
v3.28.0
Features
- Updater: environment variable `UPDATER_VPN_SERVICE_PROVIDERS`
  - Updater defaults to update the VPN provider in use if enabled
- ExpressVPN: update built-in server data
- `OPENVPN_PROCESS_USER` with retro-compatibility with `OPENVPN_ROOT`
- Add pprof HTTP server on port `:6060` (#807)
Fixes
- Accept uppercase `OPENVPN_PROTOCOL` values
- Cyberghost: log about compatibility mode if `COUNTRY` is left empty
- Control server: allow to bind on a random port by using `:0`
- Retro-compatible precedence order for environment variables with defaults set in Dockerfile
  - `BLOCK_NSA` has precedence over `BLOCK_SURVEILLANCE`
  - `HEALTH_OPENVPN_DURATION_ADDITION` has precedence over `HEALTH_VPN_DURATION_ADDITION`
  - `HEALTH_OPENVPN_DURATION_INITIAL` has precedence over `HEALTH_VPN_DURATION_INITIAL`
  - Chain of precedence: `PROXY` > `TINYPROXY` > `HTTPPROXY`
  - Chain of precedence: `PROXY_LOG_LEVEL` > `TINYPROXY_LOG` > `HTTPPROXY_LOG`
  - `PROTOCOL` has precedence over `OPENVPN_PROTOCOL`
  - `IP_STATUS_FILE` has precedence over `PUBLICIP_FILE`
  - `SHADOWSOCKS_PORT` has precedence over `SHADOWSOCKS_LISTENING_ADDRESS`
  - `SHADOWSOCKS_METHOD` has precedence over `SHADOWSOCKS_CIPHER`
Maintenance
- `SERVER_NAMES` variable with retro-compatibility for `SERVER_NAME`
- `SERVER_HOSTNAMES` variable with retro-compatibility with `SERVER_HOSTNAME`
- `SERVER_REGIONS` variable with retro-compatibility with `REGION`
- `SERVER_CITIES` variable with retro-compatibility with `CITY`
- `SERVER_COUNTRIES` variable with retro-compatibility with `COUNTRY`
- Simplify Cyberghost retro-compatibility logic
- `PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING_STATUS_FILE` with retro-compatibility with `PORT_FORWARDING_STATUS_FILE`
- `PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING` with retro-compatibility with `PORT_FORWARDING`
- `PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET` variable with retro-compatibility with `PIA_ENCRYPTION` and `ENCRYPTION`
- `OPENVPN_CIPHERS` variable with retro-compatibility with `OPENVPN_CIPHER`
- `VPN_SERVICE_PROVIDER` variable with retro-compatibility with `VPNSP`
- `WIREGUARD_ADDRESSES` variable with retro-compatibility with `WIREGUARD_ADDRESS`
- `DNS_ADDRESS` variable with retro-compatibility with `DNS_PLAINTEXT_ADDRESS`
- `VPN_INTERFACE` with retro-compatibility with `OPENVPN_INTERFACE` and `WIREGUARD_INTERFACE`
- `VPN_ENDPOINT_PORT` with retro-compatibility with `OPENVPN_PORT` and `WIREGUARD_ENDPOINT_PORT`
- `VPN_ENDPOINT_IP` with retro-compatibility with `OPENVPN_TARGET_IP` and `WIREGUARD_ENDPOINT_IP`
- `HTTP_CONTROL_SERVER_PORT` with retro-compatibility with `HTTP_CONTROL_SERVER_ADDRESS`
- `OWNED_ONLY` with retro-compatibility with `OWNED`
- Remove unused constant file paths and move remaining ones in corresponding package
- `getEnvWithRetro` helper function for `internal/configuration/sources/env`
- Do not validate control server port when reading from environment variables, only validate downstream
- Bump docker/build-push-action from 2.7.0 to 2.8.0 (#801)
- Bump github.com/breml/rootcerts from 0.2.1 to 0.2.2 (#812)