qdm12/gluetun v3.39.0

on GitHub

Features

• OpenVPN: default version changed from 2.5 to 2.6
• Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy iptables)
• Healthcheck: change timeout mechanism
  • Healthcheck timeout is no longer fixed to 3 seconds
  • Healthcheck timeout increases from 2s to 4s, 6s, 8s, 10s
  • No 1 second wait time between check retries after failure
  • VPN internal restart may be delayed by a maximum of 10 seconds
• Firewall:
  • Query iptables binary variants to find which one to use depending on the kernel
  • Prefer using iptables-nft over iptables-legacy (Alpine new default is nft backend iptables)
• Wireguard:
  • WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL option
  • read configuration file without case sensitivity
• VPN Port forwarding: only use port forwarding enabled servers if VPN_PORT_FORWARDING=on (applies only to PIA and ProtonVPN for now)
• FastestVPN:
  • Wireguard support (#2383 - Credits to @Zerauskire for the initial investigation and @jvanderzande for an initial implementation as well as reviewing the pull request)
  • use API instead of openvpn zip file to fetch servers data
  • add city filter SERVER_CITY
  • update built-in servers data
• Perfect Privacy: port forwarding support with VPN_PORT_FORWARDING=on (#2378)
• Private Internet Access: port forwarding options VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD (retro-compatible with OPENVPN_USER and OPENVPN_PASSWORD)
• ProtonVPN:
  • Wireguard support (#2390)
  • feature filters SECURE_CORE_ONLY, TOR_ONLY and PORT_FORWARD_ONLY (#2182)
  • determine "free" status using API tier value
  • update built-in servers data
• Surfshark: servers data update
• VPNSecure: servers data update
• VPN_ENDPOINT_IP split into OPENVPN_ENDPOINT_IP and WIREGUARD_ENDPOINT_IP
• VPN_ENDPOINT_PORT split into OPENVPN_ENDPOINT_PORT and WIREGUARD_ENDPOINT_PORT

Fixes

• VPN_PORT_FORWARDING_LISTENING_PORT fixed
• IPv6 support detection ignores loopback route destinations
• Custom provider:
  • handle port option line for OpenVPN
  • ignore comments in an OpenVPN configuration file
  • assume port forwarding is always supported by a custom server
• VPN Unlimited:
  • change default UDP port from 1194 to 1197
  • allow OpenVPN TCP on port 1197
• Private Internet Access Wireguard and port forwarding
  • Set server name if names filter is set with the custom provider (see #2147)
• PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
• Torguard: update OpenVPN configuration
  • add aes-128-gcm and aes-128-cbc ciphers
  • remove mssfix, sndbuf, rcvbuf, ping and reneg options
• VPNSecure: associate N / A with no data for servers
• AirVPN: set default mssfix to 1320-28=1292
• Surfshark: remove outdated hardcoded retro servers
• Public IP echo:
  • ip2location parsing for latitude and longitude fixed
  • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
• internal/server: /openvpn route status get and put
  • get status return stopped if running Wireguard
  • put status changes vpn type if running Wireguard
• Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings
• Log last Gluetun release by tag name alphabetically instead of by release date
• format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
• internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Documentation

• readme:
  • clarify shadowsocks proxy is a server, not a client
  • update list of providers supporting Wireguard with the custom provider
  • add protonvpn as custom port forwarding implementation
• disable Github blank issues
• Bump github.com/qdm12/gosplash to v0.2.0
  • Add /choose suffix to github links in logs
• add Github labels: "Custom provider", "Category: logs" and "Before next release"
• rename FIREWALL_ENABLED to FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT due to the sheer amount of users misusing it. FIREWALL_ENABLED won't do anything anymore. At least you've been warned not to use it...

Maintenance

• Code health
  • PIA port forwarding:
    • remove dependency on storage package
    • return an error to port forwarding loop if server cannot port forward
  • internal/config:
    • upgrade to github.com/qdm12/gosettings v0.4.2
      • drop github.com/qdm12/govalid dependency
      • upgrade github.com/qdm12/ss-server to v0.6.0
      • do not un-set sensitive config settings anymore
    • removed bad/invalid retro-compatible keys CONTROL_SERVER_ADDRESS and CONTROL_SERVER_PORT
    • OpenVPN protocol field is now a string instead of a TCP boolean
    • Split server filter validation for features and subscription-tier
    • provider name field as string instead of string pointer
  • internal/portforward: support multiple ports forwarded
  • Fix typos in code comments (#2216)
  • internal/tun: fix unit test for unprivileged user
• Development environment
  • fix source.organizeImports vscode setting value
  • linter: remove now invalid skip-dirs configuration block
• Dependencies
  • Bump Wireguard Go dependencies
  • Bump Go from 1.21 to 1.22
  • Bump golang.org/x/net from 0.19.0 to 0.25.0 (#2138, #2208, #2269)
  • Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#2139)
  • Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#2178, #2218)
  • Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#2279)
  • Bump github.com/stretchr/testify to v1.9.0
  • Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+
• CI
  • Bump DavidAnson/markdownlint-cli2-action from 14 to 16 (#2214)
  • Bump peter-evans/dockerhub-description from 3 to 4 (#2075)
• Github
  • remove empty label description fields
  • add /choose suffix to issue and discussion links
  • review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label
  • Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service