Features
- OpenVPN: default version changed from 2.5 to 2.6
- Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy iptables)
- Healthcheck: change timeout mechanism
  - Healthcheck timeout is no longer fixed to 3 seconds
  - Healthcheck timeout increases from 2s to 4s, 6s, 8s, 10s
  - No 1 second wait time between check retries after failure
  - VPN internal restart may be delayed by a maximum of 10 seconds
- Firewall:
  - Query iptables binary variants to find which one to use depending on the kernel
  - Prefer using `iptables-nft` over `iptables-legacy` (Alpine new default is nft backend iptables)
- Wireguard:
  - `WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL` option
  - read configuration file without case sensitivity
- VPN Port forwarding: only use port forwarding enabled servers if `VPN_PORT_FORWARDING=on` (applies only to PIA and ProtonVPN for now)
- FastestVPN:
  - Wireguard support (#2383 - Credits to @Zerauskire for the initial investigation and @jvanderzande for an initial implementation as well as reviewing the pull request)
  - use API instead of openvpn zip file to fetch servers data
  - add city filter `SERVER_CITY`
  - update built-in servers data
- Perfect Privacy: port forwarding support with `VPN_PORT_FORWARDING=on` (#2378)
- Private Internet Access: port forwarding options `VPN_PORT_FORWARDING_USERNAME` and `VPN_PORT_FORWARDING_PASSWORD` (retro-compatible with `OPENVPN_USER` and `OPENVPN_PASSWORD`)
- ProtonVPN:
- Surfshark: servers data update
- VPNSecure: servers data update
- `VPN_ENDPOINT_IP` split into `OPENVPN_ENDPOINT_IP` and `WIREGUARD_ENDPOINT_IP`
- `VPN_ENDPOINT_PORT` split into `OPENVPN_ENDPOINT_PORT` and `WIREGUARD_ENDPOINT_PORT`
Fixes
- `VPN_PORT_FORWARDING_LISTENING_PORT` fixed
- IPv6 support detection ignores loopback route destinations
- Custom provider:
  - handle `port` option line for OpenVPN
  - ignore comments in an OpenVPN configuration file
  - assume port forwarding is always supported by a custom server
- VPN Unlimited:
  - change default UDP port from 1194 to 1197
  - allow OpenVPN TCP on port 1197
- Private Internet Access Wireguard and port forwarding
- Set server name if names filter is set with the custom provider (see #2147)
- PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
- Torguard: update OpenVPN configuration
  - add aes-128-gcm and aes-128-cbc ciphers
  - remove mssfix, sndbuf, rcvbuf, ping and reneg options
- VPNSecure: associate `N / A` with no data for servers
- AirVPN: set default mssfix to 1320-28=1292
- Surfshark: remove outdated hardcoded retro servers
- Public IP echo:
  - ip2location parsing for latitude and longitude fixed
  - abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
- `internal/server`: `/openvpn` route status get and put
  - get status return stopped if running Wireguard
  - put status changes vpn type if running Wireguard
- Log out if `PORT_FORWARD_ONLY` is enabled in the server filtering tree of settings
- Log last Gluetun release by tag name alphabetically instead of by release date
- `format-servers` fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
- `internal/tun`: only create tun device if it does not exist, do not create if it exists and does not work
Documentation
- readme:
  - clarify shadowsocks proxy is a server, not a client
  - update list of providers supporting Wireguard with the custom provider
  - add protonvpn as custom port forwarding implementation
- disable Github blank issues
- Bump github.com/qdm12/gosplash to v0.2.0
  - Add `/choose` suffix to github links in logs
- add Github labels: "Custom provider", "Category: logs" and "Before next release"
- rename `FIREWALL_ENABLED` to `FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT` due to the sheer amount of users misusing it. `FIREWALL_ENABLED` won't do anything anymore. At least you've been warned not to use it...
Maintenance
- Code health
  - PIA port forwarding:
    - remove dependency on storage package
    - return an error to port forwarding loop if server cannot port forward
  - `internal/config`:
    - upgrade to `github.com/qdm12/gosettings` v0.4.2
      - drop `github.com/qdm12/govalid` dependency
      - upgrade `github.com/qdm12/ss-server` to v0.6.0
      - do not un-set sensitive config settings anymore
    - removed bad/invalid retro-compatible keys `CONTROL_SERVER_ADDRESS` and `CONTROL_SERVER_PORT`
    - OpenVPN protocol field is now a string instead of a TCP boolean
    - Split server filter validation for features and subscription-tier
    - provider name field as string instead of string pointer
  - `internal/portforward`: support multiple ports forwarded
  - Fix typos in code comments (#2216)
  - `internal/tun`: fix unit test for unprivileged user
- Development environment
  - fix `source.organizeImports` vscode setting value
  - linter: remove now invalid skip-dirs configuration block
- Dependencies
  - Bump Wireguard Go dependencies
  - Bump Go from 1.21 to 1.22
  - Bump golang.org/x/net from 0.19.0 to 0.25.0 (#2138, #2208, #2269)
  - Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#2139)
  - Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#2178, #2218)
  - Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#2279)
  - Bump github.com/stretchr/testify to v1.9.0
  - Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+
- CI
  - Github
    - remove empty label description fields
    - add `/choose` suffix to issue and discussion links
    - review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label
    - Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service