Releases: qdm12/gluetun

v3.22.0

16 Aug 19:20

Features

  • Allow multiple comma separated values for CYBERGHOST_GROUP
  • Update Cyberghost servers information
  • Change from SHADOWSOCKS_PORT to SHADOWSOCKS_LISTENING_ADDRESS

Fixes

  • Windscribe: only use OpenVPN IP addresses, not Wireguard ones
  • Cyberghost: explicit-exit-notify used only for UDP, not TCP
  • Cyberghost server filtering
    • Defaults to all UDP groups, and to all TCP groups if TCP is chosen
    • Check groups specified match the protocol chosen
    • Default Cyberghost group to no group (no filter)
    • Adjust formatting and messages
  • Fix loop state change logic deadlock (preventing a 2nd restart for all run loops)
  • Use latest apk-tools to fix an Alpine vulnerability

Documentation

  • Add Unraid template link to the issue template

Maintenance

  • Port forwarding refactoring: internal/portforward package, run loop and simpler acyclic logic
  • Upgrade qdm12/ss-server to v0.3.0

v3.21.1

09 Aug 14:45

  • Fix stop / start logic for all run loops (missing mutex unlocking)
  • Use latest apk-tools so it can be rebuilt in the future (upgrade from 2.15.6-r0 to 2.15.7-r0)
  • Upgrade apk-tools with security fix before using apk

v3.21.0

28 Jul 14:18
c777f8d

Fixes

  • PrivateVPN: replace special last accented a character with a for Bogota
  • Do not write out servers data and updated timestamp if no change was detected
  • (@TJJP) Fix: Windscribe Openvpn config (#528)
  • Server data model version diff:
    • comparison fixed
    • missing "behind" suffix to log line
  • Openvpn loop: possible deadlock: unlock read mutex for GetSettingsAndServers
  • Alpine vulnerability fixed with apk-tools upgraded (except for ppc64le architecture)

Features

  • Update all servers for all providers
  • Specify Openvpn flags with OPENVPN_FLAGS
  • Set health timeouts with HEALTH_OPENVPN_DURATION_INITIAL and HEALTH_OPENVPN_DURATION_ADDITION
  • Health server listening address configurable with HEALTH_SERVER_ADDRESS
  • Updater CLI: add -all flag to update all VPN servers

Breaking changes

  • Updater CLI:
    • -enduser instead of -file
    • -maintainer instead of -stdout

Documentation

Maintenance

Dependencies

  • Upgrade inet.af/netaddr to 2021-07-18
  • Upgrade qdm12/dns to v1.11.0

CI

  • Remove microbadger hook from CI
  • Rename .github/workflows/build.yml to .github/workflows/ci.yml for linting
  • Bump docker/build-push-action from 2.4.0 to 2.6.1
  • Use curly braces around BUILDPLATFORM
  • Rename BUILD_DATE to CREATED
  • Build all images fully in parallel (thanks to JSON server information using less memory at compile time)

Code

  • Hardcoded servers data as a JSON embedded file in internal/constants/servers.json
    • use embed.FS to have immutable data
    • use sync.Once to parse JSON data only once without data races
  • Remove debug line in health server
  • Improve health code
  • Use qdm12/gosplash for initial logs
  • Upgrade qdm12/golibs and rework env error wrapping
  • Do not mock os functions
    • Use filepaths with /tmp for tests instead
    • Only mock functions where filepath can't be specified such as user.Lookup
  • Pass only single strings to logger methods
    • Do not assume formatting from logger's interface
    • Allow to change golibs in the future to accept only strings for logger methods
  • Prefer empty string comparisons over len(s) == 0
  • Firewall and routing use logger.Debug instead of fmt.Println
  • Remove SetVerbose and SetDebug methods from firewall and routing
  • Log routing teardown
  • Default logging level set to info
  • Inject command.Cmder to openvpn and firewall
  • Pass network values to firewall constructor
  • Move duration formatting to qdm12/golibs/format
  • internal/loopstate package to manage the state of run loops
  • Remove routing's Configurator from firewall's Configurator
  • Remove routing's Configurator from openvpn's Configurator
  • Common no custom port forwarding obtention implementation for all providers but PIA

Packages rework:

  • Constructors return concrete structs
  • Constructors and struct fields accept narrow interfaces
  • Split interfaces into sub-interfaces
  • Split Go files into smaller Go files
  • Add interface compilation checks
  • Use internal/loopstate to manage the state of their Run loop
  • Add subpackage state to manage the state of the loop thread safely
  • Packages reworked:
    • internal/alpine
    • internal/cli
    • internal/dns
    • internal/firewall
    • internal/healthcheck
    • internal/httpproxy
    • internal/openvpn (both loop and configurator)
    • internal/publicip
    • internal/routing

v3.20.0

19 Jul 01:55

Bug fixes

  • IPVanish: certificate validation option fixed
  • Fix OpenVPN restart logic
    • Remove OpenVPN eventual deadlock after a restart
    • Fix OpenVPN run loop panicking about log streams after one or more internal openvpn restarts
  • Shutdowns of subprograms (openvpn and unbound) are handled by the Go program
    • Openvpn and Unbound do not receive OS signals
    • Openvpn and Unbound run in a different process group than the entrypoint
    • Openvpn and Unbound are gracefully shut down by the entrypoint
    • Update golibs with a modified github.com/qdm12/golibs/command package
    • Update github.com/qdm12/dns to v1.9.0 where Unbound is launched in its own group
  • Fix events routing behavior if VERSION_INFORMATION=off
  • Behavior when exiting at boot
    • Events routing routine exits when gluetun stops
    • Remove deadlock on dns shutdown

Features

  • OpenVPN pull filter for ipv6 options if OPENVPN_IPV6=off
  • Update servers information:
    • ProtonVPN
    • IPVanish
  • Upgrade to Alpine 3.14
  • Clean suffix new line(s) for credentials

Documentation

  • Add Youtube video
  • Simplify metadata and move it to the top of the readme

Maintenance

Dockerfile

  • Download golangci-lint from qmcgaw/binpot
  • xcputranslate version as build argument

Readme

  • Use native markdown code for svg title image instead of HTML's <svg>

Logs

  • Deduplicate error logs for goshutdown
  • Remove outdated auth error warning about PIA

Asynchronous logic

  • Make all loop's SetStatus context aware
  • Rework DNS run loop
    • Fix fragile user triggered logic
    • Simplify state logic
  • Rework Openvpn run loop
  • Rework openvpn unhealthy triggered restart to be in the healthcheck loop instead of in the openvpn loop

v3.19.1

02 Jul 03:23

Bug fixes

  • Fix IPVanish TLS verification

See https://github.com/qdm12/gluetun/releases/tag/v3.19.0 for more information

v3.19.0

25 Jun 18:54

Features

  • IPVanish support (#475, #410, #416)
  • VPN Unlimited support (#499, #420)
  • IVPN: add Bulgaria and Spain servers
  • Improve Cyberghost updater by waiting up to 20 seconds for repeated DNS resolutions
  • PureVPN: update server information

Fixes

  • IVPN: use name prefix for TLS check instead of full hostname
  • PureVPN: change default cipher to AES-256-GCM
  • Custom openvpn config:
    • Fix settings log
    • Only use and write OpenVPN auth file if openvpn user is set
    • remote OpenVPN configuration line
    • Custom cipher OPENVPN_CIPHER for OpenVPN 2.5
  • PIA: none encryption preset
    • Set cipher and auth to none
    • Add ncp-disable OpenVPN option
  • Prevent exit race condition for program loops

Documentation

  • Change docker-compose.yml to not use secrets
  • Clarify setup instructions for 32 bit
  • Add maintenance document
  • Issue templates
    • add how to use code highlighting
    • Help issues: add Github discussions link

Maintenance

CI

  • Faster cross Docker builds by properly pulling build platform specific qmcgaw/xcputranslate
  • Avoid cross Docker build out of memory errors using the xcputranslate sleep feature
  • Better Docker layer caching for rebuilds
    • Install g++ in base stage before copying code
    • Install xcputranslate in base stage before copying code
    • Install golangci-lint in base stage before copying code
  • Upgrade qmcgaw/xcputranslate from v0.4.0 to v0.6.0
  • Deduplicate Dockerfile base stage build
  • Dockerfile test stage has its entrypoint set to run tests

Code

  • Use github.com/qdm12/[email protected] instead of internal/shutdown
  • Upgrade golangci-lint to v1.41.1
  • Update list of golangci-lint linters
    • Replace golint with revive linter
  • Upgrade golang/mock to v1.6.0
  • Remove dependency on github.com/kyokomi/emoji
  • Upgrade github.com/fatih/color to v1.12.0
  • Upgrade github.com/qdm12/dns to v1.8.0
  • Upgrade github.com/qdm12/golibs
  • Upgrade github.com/qdm12/updated

v3.18.0

31 May 19:23

Features

  • IVPN support
  • OPENVPN_VERSION which can be 2.4 or 2.5 to choose your OpenVPN program version at runtime
  • Filter Cyberghost servers by SERVER_HOSTNAME
  • Filter Mullvad servers by SERVER_HOSTNAME
  • Filter NordVPN servers by SERVER_HOSTNAME and/or SERVER_NAME
  • Filter Privado servers by COUNTRY, REGION and/or CITY
  • Filter Private Internet Access servers by SERVER_HOSTNAME and/or SERVER_NAME
  • Filter ProtonVPN servers with FREE_ONLY
  • Filter PureVPN servers by SERVER_HOSTNAME
  • Filter Surfshark servers by SERVER_HOSTNAME
  • Multiple IP addresses for each:
    • Torguard server
    • Windscribe server
    • Private Internet Access server
  • All hardcoded server information updated
  • Support none encryption preset for Private Internet Access
  • Log Alpine version at start
  • NET_ADMIN tip logged when a routing permission error occurs
  • Create /gluetun if it does not exist

Bug fixes

  • ProtonVPN SERVER_NAME environment variable reading
  • Fix Mullvad servers filtering (see #444)
  • Record TCP and UDP support for each PureVPN server
  • Only teardown routing configuration if changes to routing occurred
  • Fix VyprVPN port
  • Fix missing OpenVPN auth overrides
  • Only set OpenVPN fast-io option when using UDP
  • Upgrade dependencies to fix dependency vulnerabilities
    • golang.org/x/sys to current version
    • github.com/qdm12/dns from v1.4.0 to v1.7.0
    • github.com/qdm12/ss-server from v0.1.0 to v0.2.0
  • Fix rebinding protection for IPv6 mapped IPv4 networks
    • Use netaddr package for DNS blacklisting
  • Log custom port only if set (for Private Internet Access and Windscribe)
  • Change log level for OpenVPN TLS error from debug to warn
  • Servers listen on all IP interfaces with :<port>, not just IPv4 with 0.0.0.0:<port>
  • HideMyAss hostname choices
  • HideMyAss OpenVPN configuration remote hostname port line

Changes

  • Do not exit program on an OpenVPN configuration error
  • Keep firewall enabled on shutdown to avoid leaks
  • Shadowsocks password is now compulsory

Documentation

  • Issue template warnings about answering all questions

Maintenance

  • Refactor internal/updater package
    • Require at least 80% of current number of servers to update server information
    • Each provider is in its own package with a common structure
    • internal/updater/unzip package with Unzipper interface
    • internal/updater/openvpn package with extraction and download functions
  • Improve internal/storage package:
    • Add missing server merging logic
    • logTimeDiff shared function
  • Add unset SERVER_NAME in Dockerfile
  • Improve internal/publicip package:
    • Exported Result struct
    • Parallelize IP information fetch
  • Snyk code security analysis for Go code and Docker image
  • Common server not found error builder
  • Improve internal/updater/providers/torguard
    • Fallback on IP from configuration file if DNS resolution fails
    • Download both TCP and UDP zip files to detect support for each
  • Filter Torguard servers by protocol (although all support TCP and UDP, so not a feature really)
  • Improve internal/updater/providers/vyprvpn
    • Extract from each server configuration if the server supports TCP and/or UDP (never TCP for now)
  • Filter VyprVPN servers by protocol (although all support only TCP for now, so not a feature really)
  • internal/updater/providers/pia: re-fetch PIA API to obtain more server information
  • internal/routing: improve error wrapping
  • Network protocol as boolean in code to avoid possible coding errors
  • internal/provider: split each provider in its own package
  • internal/alpine: improve error wrapping
  • cmd/gluetun/main.go:
    • Shutdown order, added in internal/shutdown package
      • Order of threads to shutdown (control then tickers then health etc.)
      • Rely on closing channels instead of waitgroups
      • Move exit logs from each package to the shutdown package
    • Use Go 1.16's signal.NotifyContext
    • Improve printVersion function
      • Print program versions in order given
      • Exit program on any error as each program is required
  • Generate OpenVPN configuration valid for OpenVPN 2.4 or 2.5 depending on the current version
  • Dockerfile:
    • Remove outdated comments
    • Remove unused openvpn installed shell script and library files
  • Use io instead of ioutil whenever possible
  • Upgrade qdm12/golibs (affects logger)
  • Upgrade golangci-lint to v1.40.1
    • Add more linters to .golangci.yml
  • Dependabot
    • Bump actions/checkout from 2 to 2.3.4 (#453)

v3.17.0

08 May 16:52

Features

  • Upgrade Alpine from 3.12 to 3.13
  • Upgrade openvpn from 2.4.10 to 2.5.1
  • Upgrade unbound from 1.10.1 to 1.13.0
  • Upgrade iptables from 1.8.4 to 1.8.6
  • Protonvpn support (#437 clone on #434)
  • Restart Openvpn if the container is unhealthy (#417 & #441)
  • Block IPv6 traffic (#428)
    • Block all IPv6 traffic with ip6tables by default
    • Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment
    • Only run ip6tables if it is supported by the Kernel (#431, issue #430)
  • Update server information
    • Cyberghost
    • FastestVPN
    • HideMyAss
    • Privado
    • PrivateVPN
    • Private Internet Access
    • PureVPN
    • Surfshark
    • VyprVPN
  • Clear firewall rules on shutdown (issue #276)
  • More robust updater DNS resolution
    • Parallel resolver to resolve multiple hosts
    • Repeat resolver to repeat resolution for a single host
    • Additional parameters for fault tolerance
    • Do not update servers if 10% of DNS resolutions failed
    • resolver package in internal/updater package

Fixes

  • Replace Surfshark default cipher with aes-256-gcm
  • Block IPv6 traffic (#428)
  • Remove pull-filter ignore ping-restart openvpn instructions

Maintenance

  • Upgrade golangci-lint to v1.39.0
  • Improve error wrapping in the firewall package
  • Dev container changes
    • Bind mount for root only
    • Support for Windows HyperV bind mounts
    • Run go mod tidy after go mod download on container creation
    • Use :z flag for possibly shared bind mounts
    • Bind mount ~/.zsh_history
    • Bind mount ~/.docker config directory

v3.16.0

17 Apr 23:27
6208081

Fixes

  • Fix PIA port forwarding (#427) and remove the TLS x509 ignore CN instruction
  • Add more Surfshark servers
    • Add servers missing from surfshark zip file
    • Re-add multihop servers (see #424)
    • Fix logic to try resolving old vpn servers for Surfshark
  • Change PIA settings to match their official configuration more closely
  • Restrict route listing to IPv4 only (#419)
  • More resilient updater DNS resolution retry mechanism
  • Use 8.8.8.8 as the CLI updater DNS server as 1.1.1.1 would not do some of the resolutions

Features

  • Hide My Ass VPN provider (#401)
  • PrivateVPN support (#393)
  • FastestVPN support (#383)
  • Custom openvpn configuration file (#402)
  • Uplift the 'localSubnet' concept to cover all local ethernet interfaces (#413)

Maintenance

  • Upgrade logging library (shorter lines, less external dependencies)
  • Upgrade Go from 1.15 to 1.16
  • Build Docker images for all CPU architectures on branches
  • Use native Go HTTP client for updater
  • Upgrade gomock from 1.4.4 to 1.5.0 (#394)
  • Sort providers alphabetically in code
  • Simplify environment variables comments in Dockerfile
  • Return deduplicated choices from server filter options
  • Upgrade golangci-lint to 1.37.0

Documentation

  • Update New provider issue template

v3.15.0

25 Feb 23:26

Features

  • Torguard support

Bug fixes

  • Privado SERVER_HOSTNAME selection
  • HTTP Proxy returns the response of a redirect and does not follow it
  • Updater for TCP servers for PIA
  • Firewall settings parsing for FIREWALL_VPN_INPUT_PORTS
  • HTTP proxy settings parsing for HTTPPROXY_PASSWORD and HTTPPROXY_LOG

Maintenance

  • No sleep for last DNS resolution in updater
  • Remove support for s390x as it would cause CI build to fail
  • Deduplicate PIA servers by protocols

Documentation

  • New provider issue template
  • Update existing issue templates