Releases: qdm12/gluetun

v3.27.2

31 Mar 20:54

Fixes

  • Fix OPENVPN_FLAGS functionality
  • Fix OpenVPN 2.4 install to use 2.4.12-r0
  • Fix CI Docker tags metadata

v3.28.1

21 Mar 21:01

Fixes

  • Healthcheck uses a TCP dial to github.com:443 since the ping mechanism appears to be non-functional
  • HEALTH_TARGET_ADDRESS to replace HEALTH_ADDRESS_TO_PING

v3.27.1

21 Mar 20:57

Fixes

  • Healthcheck uses a TCP dial to github.com:443 since the ping mechanism appears to be non-functional
  • HEALTH_TARGET_ADDRESS to replace HEALTH_ADDRESS_TO_PING

v3.28.0

26 Feb 16:18

Features

  • Updater: environment variable UPDATER_VPN_SERVICE_PROVIDERS
    • Updater defaults to update the VPN provider in use if enabled
  • ExpressVPN: update built-in server data
  • OPENVPN_PROCESS_USER with retro-compatibility with OPENVPN_ROOT
  • Add pprof HTTP server on port :6060 (#807)

Fixes

  • Accept uppercase OPENVPN_PROTOCOL values
  • Cyberghost: log about compatibility mode if COUNTRY is left empty
  • Control server: allow to bind on a random port by using :0
  • Retro-compatible precedence order for environment variables with defaults set in Dockerfile
    • BLOCK_NSA has precedence over BLOCK_SURVEILLANCE
    • HEALTH_OPENVPN_DURATION_ADDITION has precedence over HEALTH_VPN_DURATION_ADDITION
    • HEALTH_OPENVPN_DURATION_INITIAL has precedence over HEALTH_VPN_DURATION_INITIAL
    • Chain of precedence: PROXY > TINYPROXY > HTTPPROXY
    • Chain of precedence: PROXY_LOG_LEVEL > TINYPROXY_LOG > HTTPPROXY_LOG
    • PROTOCOL has precedence over OPENVPN_PROTOCOL
    • IP_STATUS_FILE has precedence over PUBLICIP_FILE
    • SHADOWSOCKS_PORT has precedence over SHADOWSOCKS_LISTENING_ADDRESS
    • SHADOWSOCKS_METHOD has precedence over SHADOWSOCKS_CIPHER

Maintenance

  • SERVER_NAMES variable with retro-compatibility for SERVER_NAME
  • SERVER_HOSTNAMES variable with retro-compatibility with SERVER_HOSTNAME
  • SERVER_REGIONS variable with retro-compatibility with REGION
  • SERVER_CITIES variable with retro-compatibility with CITY
  • SERVER_COUNTRIES variable with retro-compatibility with COUNTRY
  • Simplify Cyberghost retro-compatibility logic
  • PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING_STATUS_FILE with retro-compatibility with PORT_FORWARDING_STATUS_FILE
  • PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING with retro-compatibility with PORT_FORWARDING
  • PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET variable with retro-compatibility with PIA_ENCRYPTION and ENCRYPTION
  • OPENVPN_CIPHERS variable with retro-compatibility with OPENVPN_CIPHER
  • VPN_SERVICE_PROVIDER variable with retro-compatibility with VPNSP
  • WIREGUARD_ADDRESSES variable with retro-compatibility with WIREGUARD_ADDRESS
  • DNS_ADDRESS variable with retro-compatibility with DNS_PLAINTEXT_ADDRESS
  • VPN_INTERFACE with retro-compatibility with OPENVPN_INTERFACE and WIREGUARD_INTERFACE
  • VPN_ENDPOINT_PORT with retro-compatibility with OPENVPN_PORT and WIREGUARD_ENDPOINT_PORT
  • VPN_ENDPOINT_IP with retro-compatibility with OPENVPN_TARGET_IP and WIREGUARD_ENDPOINT_IP
  • HTTP_CONTROL_SERVER_PORT with retro-compatibility with HTTP_CONTROL_SERVER_ADDRESS
  • OWNED_ONLY with retro-compatibility with OWNED
  • Remove unused constant file paths and move remaining ones in corresponding package
  • getEnvWithRetro helper function for internal/configuration/sources/env
  • Do not validate control server port when reading from environment variables, only validate downstream
  • Bump docker/build-push-action from 2.7.0 to 2.8.0 (#801)
  • Bump github.com/breml/rootcerts from 0.2.1 to 0.2.2 (#812)

v3.27.0

23 Jan 15:14

Fixes

  • Hidemyass: REGION validation
  • Dockerfile: change SHADOWSOCKS_ADDRESS to SHADOWSOCKS_LISTENING_ADDRESS

Features

  • Wireguard opportunistic kernelspace
    • Auto detect if kernelspace implementation is available
    • Fallback to Go userspace implementation if kernel is not available
  • Entrypoint name changed from entrypoint to gluetun-entrypoint
  • Privado: update servers data
  • ProtonVPN: update servers data
  • Docker image: upgrade Alpine to 3.15

Documentation

  • docker-compose.yml: add container_name commented line (#806)

Maintenance

  • Configuration settings reading and validation reworked (#756)
  • Bump github.com/breml/rootcerts from 0.1.1 to 0.2.1 (#722 and #769)
  • Fix CI to trigger on published releases
  • Fix devcontainer post create command
  • Bump actions/checkout from 2.3.4 to 2.4.0 (#705)

v3.26.0

27 Nov 12:12

Features

  • Perfect privacy support (#606)
  • PrivateVPN
    • OPENVPN_PORT support
  • Update server information
    • Windscribe
    • Torguard
    • ProtonVPN
    • NordVPN
  • Multiple OpenVPN ciphers for negotiation
    • Cyberghost default cipher set to AES-256-GCM
    • OPENVPN_CIPHER accept comma separated cipher values
    • Use ncp-ciphers for OpenVPN 2.4

Fixes

  • PrivateVPN: New OpenVPN configuration values
  • VyprVPN: OpenVPN comp-lzo option
  • NordVPN: OpenVPN comp-lzo option
  • Docker image: fix 2 low severity busybox vulnerabilities
  • QNAP devices: openvpn at /usr/sbin/openvpn2.5 see #157
  • Updater: fix CLI error message
  • Version check: check Github http response status code
  • Public IP fetcher: remove opendns.com due to bad x509 cert
  • Storage: server data version diff when reading file

Documentation

  • Wiki: replace ❎ with ❌ for markdown generated tables
  • Labels: add urgent and low priority labels
  • Readme: fix links to the Wiki
  • Bug issue template: Add link to image tags
  • Bug issue template: add custom provider option

Maintenance

  • DNS over TLS: wrap original error when downloading crypto files fails
  • Config: fix bad error wrapping
  • CI
    • Disable Snyk analysis because of false positives
    • Rework image tags generation
    • Bump docker/build-push-action from 2.6.1 to 2.7.0 (#664)
    • Only trigger on push and PR to master
    • Do not push images for branches
    • Add fork only workflow
    • Add dependabot only workflow
    • Do not trigger ci workflow from forked/dependabot PRs
  • Linting
    • Add linters: bidichk, ifshort, nilnil and tenv
    • Update golangci-lint to v1.43.0
  • Go dependencies
    • Bump github.com/breml/rootcerts from 0.1.0 to 0.1.1 (#668)
  • Http Proxy: simplify warning logging
  • Splash: move splash message further up at start of program
  • Server information: deduplicate ProtonVPN servers by entry IP

v3.25.0

28 Sep 14:23

Features

  • ExpressVPN support (#623)
  • WeVPN support (#591)
  • Healthcheck uses DNS and ping to github.com instead of only DNS to avoid relying on DNS cache
  • HEALTH_ADDRESS_TO_PING variable
  • Adapt logger prefix to VPN used
    • openvpn: for OpenVPN
    • wireguard: for Wireguard
  • VPNSP value custom for OpenVPN custom config files (#621)
  • VPNSP value custom for Wireguard custom configuration
    • WIREGUARD_PUBLIC_KEY variable
    • WIREGUARD_ENDPOINT_IP variable
  • OpenVPN custom configuration file is reloaded on VPN restarts
  • OpenVPN custom configuration file is parsed at start to log out valid settings
  • Support IPv6 routing for Wireguard
  • Log Wireguard server endpoint
  • Log Wireguard keys when LOG_LEVEL=debug
  • Windscribe OpenVPN default cipher set to aes-256-gcm
  • Update server information built-in
    • Cyberghost
    • FastestVPN
    • Mullvad
  • format-servers CLI command

Changes

  • VPNSP=custom OpenVPN configuration file:
    • up and down options are not filtered out
    • OPENVPN_INTERFACE overrides the network interface defined in the configuration file
    • PORT overrides any port found in the configuration file
  • Remove NordVPN SERVER_NAME filter functionality
    • Filter was not effective
    • Is to be deprecated in v4 anyway
    • Bump NordVPN server model version to 3
    • Remove Name field from NordVPN server model
  • Remove CYBERGHOST_GROUP as it does not make sense anymore with newer server data

Fixes

  • Set non block on TUN device
  • Close HTTP client connections when tunnel comes up
  • Public IP loop deadlock
  • OpenVPN VPNSP=custom does not deduplicate lines
  • PureVPN remove OpenVPN cipher option AES-256-CBC
  • Cyberghost OpenVPN cipher option defaults to aes-128-gcm
  • Repository servers.json path for maintainer server update cli
  • Add missing HTTP status code check for Windscribe API
  • PIA_ENCRYPTION default in Go program
    • Defaults to strong instead of strong certificate string
    • No impact on Docker images since variable is set to strong in Dockerfile
    • Only read PIA_ENCRYPTION if service provider is PIA
  • (Security) Remove OpenVPN compression option (affects FastestVPN, Hide My Ass, IP Vanish, IVPN, NordVPN, PIA, PrivateVPN, ProtonVPN, Torguard, VPN Unlimited, VyprVPN)
  • FastestVPN updated OpenVPN configuration
  • HideMyAss: Cote d'Ivoire server country name
  • Log errors with error level for OpenVPN
  • PIA SERVER_NAME variable functionality

Documentation

  • Readme
    • Update with updated Wiki pages and links
    • Add Wireguard in top description
    • Add Console Substack interview link
    • Remove docker-compose.yml file which is now inlined in readme
    • Update Wireguard support list
  • Issue templates
    • Add Unraid template issue contact link to discussion #550
    • Add Wiki issue yml template
    • Replace help issue template by issue contact link to Github discussion
    • Update bug issue template to use yml format
    • Update feature request issue template to use yml format
    • Remove default assignees
  • Update maintenance document

Maintenance

  • Rename environment variables with retro-compatibility
    • HEALTH_OPENVPN_DURATION_INITIAL to HEALTH_VPN_DURATION_INITIAL
    • HEALTH_OPENVPN_DURATION_ADDITION to HEALTH_VPN_DURATION_ADDITION
    • WIREGUARD_PORT to WIREGUARD_ENDPOINT_PORT
    • PORT to OPENVPN_PORT
    • PROTOCOL to OPENVPN_PROTOCOL
    • REGION to COUNTRY for Cyberghost
  • OpenVPN options
    • remove deprecated
      • tun-ipv6 (affects all)
      • keysize
      • ncp-disable (affects Cyberghost, PIA, Torguard, Windscribe)
      • keepalive replaced by ping* options
    • remove unneeded
      • script-security (affects Cyberghost, Mullvad, PureVPN, Surfshark, Torguard, Windscribe)
      • ping-timer-rem
      • route-delay (affects Cyberghost, PureVPN)
      • route-method (affects PureVPN)
      • tun-mtu 1500 (affects FastestVPN, NordVPN, ProtonVPN, Surfshark, Torguard)
      • tls-client (affects FastestVPN)
      • ping-exit and ping-restart (affects all)
      • disable-occ (affects PIA to match the Wiki)
    • add only when running without root:
      • persist-tun
      • persist-key
    • add tls-exit to PIA configuration
    • add explicit-exit-notify when using UDP
  • Dynamically set allowed VPN input ports
    • Allow to change VPN type at runtime
    • Allow to change interface name at runtime
    • Add cleanup method to clean up VPN loop on a VPN shutdown
    • Allow VPN inputs ports only when tunnel is up
  • internal/openvpn/extract package instead of internal/openvpn/custom package
  • internal/openvpn/parse package
    • Parse PEM key data for Cyberghost and VPNUnlimited
    • Add more unit tests
  • All providers' BuildConf method return an error
  • Rename CustomConfig to ConfFile in Settings structures
  • Rename Wireguard CustomPort
  • Use type aliases in internal/netlink
  • Re-order Dockerfile environment variables
  • Improve internal/configuration/health_test.go unit test
  • Re-order OpenVPN options
  • golangci-lint:
    • Remove disable-all: true and enabled by default linters
    • Add more linters
  • Package-local narrow Logger interfaces
  • Package-local log levels
  • Go program uses time/tzdata instead of Alpine's tzdata
  • Go program uses github.com/breml/rootcerts together with Alpine's ca-certificates
  • Bump github.com/fatih/color from 1.12.0 to 1.13.0 (#635)
  • Bump github.com/qdm12/goshutdown from v0.1.0 to v0.3.0

v3.24.0

08 Sep 13:03

Features

  • IVPN
    • Wireguard support (#584)
    • TCP protocol support for OpenVPN
    • Custom port support for OpenVPN
    • Servers data update (#578)
    • ISP filter (#578)
  • Mullvad
    • WIREGUARD_PORT support
  • Surfshark
    • Servers data improved (#575)
  • LOG_LEVEL variable (#577)
  • Add IP geolocation data to HTTP control server at /v1/publicip/ip
  • OPENVPN_TARGET_IP overrides IP for OpenVPN only
  • WIREGUARD_ADDRESS accepts multiple comma separated IP networks

Fixes

  • FIREWALL_OUTBOUND_SUBNETS IP rules
  • Wireguard
    • FIREWALL_VPN_INPUT_PORTS support
    • Fixed cleanup of wireguard link that was preventing restarts
  • Surfshark REGION retro-compatibility restored
  • MULTIHOP_ONLY defaults to no
  • Fix panic for certain 'no server found' errors
  • Clear IP data when VPN is stopped

Maintenance

  • internal/storage rework
    • No more global variables
    • Inject merged servers to configuration package
    • Configuration parsing to use persisted servers.json (#566)
    • Move server data files from internal/constants to internal/storage
    • Remove Windscribe debug logs
  • Fix rules equality check for nil networks
  • internal/routing
    • IP rules functions take src and dst arguments as *net.IPNet instead of net.IP
    • IP rules functions unit tests
    • IP rules functions debug logs dynamically built
    • Better splitting of Go source files
    • Reduce number of exported errors
    • Rename outboundsubnets.go to outbound.go
    • Add inbound.go
    • Use internal/netlink instead of github.com/vishvananda/netlink
    • Rework IPIsPrivate function
    • Constructor returns *Routing struct instead of interface
  • internal/subnet created
    • Merge FindSubnetsToAdd and FindSubnetsToRemove in FindSubnetsToChange
  • internal/httpproxy
    • Server constructor returns *Server struct instead of interface
    • HTTPS handling simplifications
  • Only internal/netlink depends on github.com/vishvananda/netlink
  • internal/provider/utils
    • utils.FilterByProtocol function
    • Common GetPort for OpenVPN+Wireguard providers
    • Common GetProtocol for OpenVPN+Wireguard providers

v3.23.0

23 Aug 01:41

🎉 It's our 1000th commit!!! 🌟

Features

  • Support for Wireguard (#565)
    • For Mullvad (#565)
    • For Windscribe (#565)
  • Wireguard works with kernel space, or with user space if kernel space is unavailable
  • VPN_TYPE variable
  • WIREGUARD_PRIVATE_KEY variable
  • WIREGUARD_ADDRESS variable
  • WIREGUARD_PRESHARED_KEY variable
  • WIREGUARD_PORT variable
  • OPENVPN_INTERFACE defaulting to tun0

Bug fixes

  • Change ownership of OpenVPN configuration file with PUID and PGID
  • OpenVPN custom config process user gets removed
  • OpenVPN custom config with custom network interface name set properly in firewall
  • Sorted IP addresses for servers.json (#574)
  • Only allow traffic through VPN interface when needed

Documentation

  • Update readme
    • Image size lowered to 31MB
    • Using Alpine 3.14
    • Wireguard support

Changes

  • HTTP control server /v1/openvpn route interacts with OpenVPN settings only (not provider settings)

Maintenance

  • internal/vpn package for vpn loop (OpenVPN and Wireguard)
  • internal/netlink package used by internal/wireguard
  • Improve internal/configuration code
  • Read all settings first
  • Context aware collectLines functions
  • internal/tun package to handle tun device operations
    • TUN check verifies Rdev value of file
    • Inject as interface to main function
    • Add integration test
    • Clearer log message for end users if tun device does not exist
    • Remove tun file opening at the end of tun file creation
  • Remove unix package (unneeded for tests)
  • Do not mock unix.Mkdev (no OS operation)
  • internal/openvpn/custom package for custom configuration with tests
  • Better log when catching an OS signal
  • Fix logger settings inheritance
  • Keep VPN tunnel interface name in firewall state
  • Upgrade from Go 1.16 to Go 1.17

v3.22.0

16 Aug 19:20

Features

  • Allow multiple comma separated values for CYBERGHOST_GROUP
  • Update Cyberghost servers information
  • Change from SHADOWSOCKS_PORT to SHADOWSOCKS_LISTENING_ADDRESS

Fixes

  • Windscribe: only use OpenVPN IP addresses, not Wireguard ones
  • Cyberghost: explicit-exit-notify used only for UDP, not TCP
  • Cyberghost server filtering
    • Defaults to all UDP groups, and to all TCP groups if TCP is chosen
    • Check groups specified match the protocol chosen
    • Default Cyberghost group to no group (no filter)
    • Adjust formatting and messages
  • Fix loop state change logic deadlock (preventing a 2nd restart for all run loops)
  • Use latest apk-tools to fix an Alpine vulnerability

Documentation

  • Add Unraid template link to the issue template

Maintenance

  • Port forwarding refactoring: internal/portforward package, run loop and simpler acyclic logic
  • Upgrade qdm12/ss-server to v0.3.0