v3.41.1

Fixes

• Healthcheck: prevent race condition making Gluetun hang completely (#3123)
• Wireguard kernelspace detection fixed in some cases
• OpenVPN 2.5 is not needed as long as it's not to be used, resolving some kernel incompatibilities
• HTTP proxy: remove info log when no Proxy-Authorization header is present
• ProtonVPN:
  • update OpenVPN settings (#3120)
  • support port 51820 for UDP OpenVPN connections

v3.41.0

Video of me reading out this release

Thank you all for your patience for this release which took its sweet time 🙏⏲️

I have been rather absent in a good part of 2025 due to work and life getting in the way, and I would like to thank many of you for helping out around in issues and discussions, and for the few code contributors whilst I was away.

On this release, many of the features you see are the result of behind-the-scene work of the last few years (notably on dns) and I'm super glad they are finally in Gluetun! A lot more to come in v3.42.0, there is already a pile of pull requests waiting 🚀

Final note, introducing the RANTING SECTION at the bottom of this changelog. This section might also be in the future releases (unfortunately)!

Happy holidays! 🎄 🎅 ❄️ ⛄

Features

• DNS
  • (K8s users read this) Local network names resolution using private DNS resolvers found at container start (#2970)
  • DNS over HTTPS support (see DNS_UPSTREAM_RESOLVER_TYPE below)
  • DNS_UPSTREAM_RESOLVER_TYPE option which can be dot (DNS over TLS), doh (DNS over HTTPS) or plain (plaintext over UDP)
  • DNS over TLS re-uses TCP connections which should put less stress on TCP-connections-rate-limiting by the VPN server
  • DNS requests blocked are logged with a reason
  • DNS rebinding protection is always enabled, but hostnames can be excluded with DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES
  • i/o timeout errors are now logged at the debug level instead of warn level
• healthcheck system reworked: more robust and less impact on other applications (#2923)
  • Three checks are performed:
    • startup full check: when the VPN connection is first established, perform a TCP+TLS dial to HEALTH_TARGET_ADDRESSES with a timeout of 6 seconds
    • periodic full check: every 5 minutes, perform a TCP+TLS dial to HEALTH_TARGET_ADDRESSES, with up to 3 tries of 10s, 15s, and 30s timeouts
    • periodic small check: every minute, perform ICMP pings to HEALTH_ICMP_TARGET_IPS, with a fallback to plain DNS (UDP) lookups of github.com to cloudflare+google, with up to 10 tries of 5s, 5s, 5s, 10s, 10s, 10s, 15s, 15s, 15s, and 30s timeouts
  • If any of these checks fail, the VPN connection is restarted
  • Reduced impact on TCP to allow for higher bandwidth in TCP torrenting
  • New option HEALTH_TARGET_ADDRESSES=cloudflare.com:443,github.com:443 to have a fallback address
  • New option HEALTH_ICMP_TARGET_IPS=1.1.1.1,8.8.8.8 to have 8.8.8.8 as a fallback address
  • New option HEALTH_SMALL_CHECK_TYPE which can be dns or icmp. By default it uses icmp and falls back to dns if icmp isn't permitted.
  • New option HEALTH_RESTART_VPN: you should really leave it to on, unless you have trust issues with the healthcheck.
• built-in servers data updates:
  • Cyberghost
  • ExpressVPN
  • Mullvad
  • Privado
  • Private Internet Access
  • SlickVPN (mere 29 hardcoded servers 🤷)
  • ProtonVPN
  • Surfshark
  • Torguard
• control server:
  • HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE option (JSON encoded). For example: {"auth":"basic","username":"me","password":"pass"} or {"auth":"apiKey","apikey":"xyz"} or {"auth":"none"}.
  • log number of roles read from auth file
• VPN server side port forwarding:
  • support {{PORT}} template variable on top of {{PORTS}}
  • support {{VPN_INTERFACE}} template variable which is by default tun0
• Public IP data fetcher queries all data sources in parallel and picks the most popular result
• bump Alpine from 3.20 to 3.22
• wireguard: on error parsing WIREGUARD_ENDPOINT_IP, mention it must be an IP address for the time being
• new ascii logo logged out at program exit... did any of you spot it? 👀

Fixes

• Wireguard:
  • specify IP family for new route (#2629)
  • WIREGUARD_ENDPOINT_IP regression (v3.39.0) fixed to override the IP address of a picked connection
• Providers specific:
  • Cyberghost: log warnings from updater resolver but not for "no such host" which happen quite a lot
  • ExpressVPN: update hardcoded servers data (#2888)
  • ProtonVPN: authenticated servers data updating
    • If updating servers data periodically, use UPDATER_PROTONVPN_EMAIL and UPDATER_PROTONVPN_PASSWORD
    • If using the CLI, use -proton-email and -proton-password flags
  • PureVPN:
    • update OpenVPN configuration settings (from #2991 credits to @mlapaj)
    • updater parses country and city from hostname and merges with ip address information (#2991)
  • VPN Unlimited: update certificates value (#2835) and remove no longer valid hardcoded hosts
  • VPN Secure updater fixed by allowing their website servers list to have "N / A" region/city
  • WeVPN: removed since it decomissioned
• Servers storage: do not crash the container but log a warning if flushing merged servers to file fails
• VPN server side port forwarding:
  • clear port file instead of removing it (see why)
  • remove double log when clearing port forward file
• Control server:
  • log out full URL path not just bottom request URI
  • change route with retrocompatibility from /v1/openvpn/portforwarded to /v1/portforward: this route has nothing to do with openvpn specifically, removed the ed in portforwarded to accomodate future routes such as changing the state of port forwarding
• PUBLICIP_ENABLED is now respected
• publicip/api/cloudflare: add now required Referer header (#3058)
• cli openvpnconfig command no longer panics due to missing SetDefaults call
• DNS:
  • retry on next period if a blocklists update failed previously
  • fix DNS_KEEP_NAMESERVER behavior (by the way, you should no longer need to use this option!)
    • no longer hangs the code when establishing the VPN connection
    • no longer makes Gluetun panic when exiting
• Healthcheck:
  • fix grammar issue in log (#2773)

Documentation

• Readme
  • remove no longer valid LoC badge
  • update Alpine version and image size
  • warning on "official" websites which are scams
  • add star history graph because it's fun
• Dockerfile: specify default PUID and PGID to avoid confusion, since both are already defaulted to 1000 in the Go code
• add pull request template (#2918)
• update provider issue template

Maintenance

• Code
  • Change DNS option names with retro-compatibility:
    • DOT to DNS_SERVER
    • DOT_PROVIDERS to DNS_UPSTREAM_RESOLVERS
    • DOT_PRIVATE_ADDRESS to DNS_PRIVATE_ADDRESSES
    • DOT_CACHING to DNS_CACHING
    • DOT_IPV6 to DNS_UPSTREAM_IPV6
    • DOT_PRIVATE_ADDRESS split into DNS_BLOCK_IPS and DNS_BLOCK_IP_PREFIXES
    • UNBLOCK with DNS_UNBLOCK_HOSTNAMES
  • clear DNS_BLOCK_IP_PREFIXES values since DNS rebinding protection is built-in the filter middleware
  • internal/vpn: rename openvpn* to vpn* variables
  • internal/configuration/settings:
    • merge DoT settings with DNS settings
    • remove unneeded Health struct fields
  • internal/storage:
    • do not read/write to user file when updating in maintainer mode
    • ignore persisted servers data with a timestamp in the future
  • internal/publicip/api/ip2location: rename countries to match standard country names from the mapping constants.CountryCodes()`
• dependencies
  • bump Go from 1.23 to 1.25
  • bump github.com/breml/rootcerts from 0.2.19 to 0.3.3 (#2683, #2964)
  • bump github.com/klauspost/compress from 1.17.11 to 1.18.1 (#2957)
  • bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 (#2958)
  • bump github.com/qdm12/dns from v2.0.0-rc8 to v2.0.0-rc10
  • bump github.com/stretchr/testify from 1.10.0 to 1.11.1 (#2959)
  • bump github.com/ulikunitz/xz from 0.5.11 to 0.5.15 (#2955)
  • bump github.com/vishvananda/netlink from 1.2.1 to 1.3.1 (#2932)
  • bump golang.org/x/crypto from 0.29.0 to 0.45.0 (#2619, #2999)
  • bump golang.org/x/net from 0.31.0 to 0.47.0 (#2648, #2937, #2976)
  • bump golang.org/x/sys from 0.29.0 to 0.38.0 (#2939, #2973)
  • bump golang.org/x/text from 0.21.0 to 0.31.0 (#2938, #2975)
• upgrade linter to v2.4.0
  • migrate configuration file
  • fix existing code issues
  • add exclusion rules
  • update linter names
• CI
  • run container and wait for it to connect for both Mullvad and ProtonVPN (#2956)
  • bump github actions and use go.mod Go version (#2880)
  • pull container images at build time from ghcr.io when possible
    • reduce silly image pull rate limiting from docker hub registry
    • still rely on docker hub registry to pull golang and alpine images since these are not on ghcr.io
  • ignore .github/pull_request_template.md with markdown linter
  • consider 429 as valid status code for markdown links
  • bump actions/setup-go from 5 to 6 (#2929)
  • bump actions/checkout from 5 to 6 (#3001)
  • bump DavidAnson/markdownlint-cli2-action from 18 to 21 (#2632, #2984)
  • bump github/codeql-action from 3 to 4 (#2935)
  • bump peter-evans/create-or-update-comment from 4 to 5 (#2931)
• dev setup
  • upgrade dev container to v0.21
  • convert .vscode/launch.json to tasks.json
  • add vscode git remote add task

The ranting section

🥀 this is a new section in which I'll share my rant among various Gluetun-related things 🌻 💁 expect a lot of uppercasing, heavy punctuation and no structure whatsoever. Enjoy the read ❗

ALPINE!!! STOP BREAKING IPTABLES ON EVERY TWO RELEASES! When I enter iptables -nL, -n means NUMERIC! Then why the hell did 0 become all on Alpine 3.22??!!!?!
Gluetun was configured like cl...

v3.40.4

Fixes

• DNS:
  • prevent restart crash if DOT=off and DNS_KEEP_NAMESERVER=off
  • retry on next period the blocklists update after a failed update
• WIREGUARD_ENDPOINT_IP overrides the IP address correctly (regression introduced in v3.39.0)
• ExpressVPN hardcoded servers data updated (#2888 - huge thanks to the manual work of @Lobstrosity)
• PureVPN OpenVPN configuration updated (from #2991, credits to @mlapaj)
• SlickVPN updater: only keep 11 servers hardcoded and drop website scraping code
• VPNSecure updater fixed, with region and city data allowed to be set to N / A
• VPN Unlimited updater: no longer valid hardcoded hosts removed

v3.40.3

Fixes

• Fixed previous fix on ProtonVPN: credentials are not required to be set.

v3.40.2

Fixes

• DNS: fix DNS_KEEP_NAMESERVER behavior
  • no longer hangs the code when establishing the VPN connection
  • no longer makes Gluetun panic when exiting
• ProtonVPN:
  • updater authentication fixed for some accounts
    • If updating servers data periodically, use UPDATER_PROTONVPN_EMAIL instead of UPDATER_PROTONVPN_USERNAME (retrocompatibility maintained)
    • If using the CLI, use -proton-email instead of -proton-username (retrocompatibility maintained)
  • ProtonVPN servers data updated to include paid servers
• Servers storage: do not crash the container but log a warning if flushing merged servers to file fails

v3.40.1

Bug-fix-only release on top of v3.40.0.

v3.41.0 coming soon 🎉 If you have any issues with v3.40.0 please report it rather soon please 🙏 !

Fixes

• Wireguard: specify IP family for new route (#2629)
• PUBLICIP_ENABLED is now respected
• Port forwarding: clear port file instead of removing it (see why)
• Control server: log out full URL path not just bottom request URI
• cli openvpnconfig command no longer panics due to missing SetDefaults call
• Providers specific:
  • Cyberghost: log warnings from updater resolver
  • ExpressVPN: update hardcoded servers data (#2888) My mistake, the commit was forgotten. It will be part of v3.40.4. For now use the latest image.
  • ProtonVPN: authenticated servers data updating (#2878)
  • VPN Unlimited: update certificates value (#2835)

PS: sorry for the double notification, CI failed on the first release try

v3.40.0

Happy holidays release time 🎄 🎅 🎁

💁 If anything doesn't work compared to previous release, please create an issue and revert to using v3.39.1 😉

ℹ️ Life is pretty busy all around currently (moving soon, new job, ill parent) so I might be even slower than usual until summer 2025, I'll do my best!

Features

• VPN: run WaitForDNS before querying the public ip address (partly address #2325)
• DNS: replace unbound with qdm12/dns@v2.0.0-rc8 (#1742 & later commits)
  • Faster start up
  • Clearer error messages
  • Allow for more Gluetun-specific customization
• Port forwarding:
  • VPN_PORT_FORWARDING_UP_COMMAND option (#2399)
  • VPN_PORT_FORWARDING_DOWN_COMMAND option
• Config allow irrelevant server filters to be set (see #2337)
  • Disallow setting a server filter when there is no choice available
  • Allow setting an invalid server filter when there is at least one choice available
  • Log at warn level when an invalid server filter is set
• Firewall: support custom ICMP rules
• Healthcheck:
  • log out last error when auto healing VPN
  • run TLS handshake after TCP dial if address has 443 port
• Public IP:
  • retry fetching information when connection refused error is encountered (partly address #2325)
  • support custom API url echoip#https://... (#2529)
  • resilient public ip fetcher with backup sources (#2518)
  • add ifconfigco option and cloudflare option (#2502)
  • PUBLICIP_ENABLED replaces PUBLICIP_PERIOD
    • PUBLICIP_ENABLED (on, off) can be set to enable or not public ip data fetching on VPN connection
    • PUBLICIP_PERIOD=0 still works to indicate to disable public ip fetching
    • PUBLICIP_PERIOD != 0 means to enable public ip fetching
    • Warnings logged when using PUBLICIP_PERIOD
• STORAGE_FILEPATH option (#2416)
  • STORAGE_FILEPATH= disables storing to and reading from a local servers.json file
  • STORAGE_FILEPATH defaults to /gluetun/servers.json
• Netlink: debug rule logs contain the ip family
• internal/tun: mention in 'operation not permitted' error the user should specify --device /dev/net/tun (resolves #2606)
• Control server role based authentication system (#2434) (part of v3.39.1 as a bugfix)
  • Parse toml configuration file, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication
  • Retro-compatible with existing AND documented routes, until after this release
  • Log a warning if an unprotected-by-default route is accessed unprotected
  • Authentication methods: none, apikey, basic
  • genkey command to generate API keys
• FastestVPN: add aes-256-gcm to OpenVPN ciphers list
• Private Internet Access updater: use v6 API to get servers data
• IPVanish: update servers data
• PrivateVPN: native port forwarding support (#2285)
• Privado: update servers data
• format-servers command supports the json format option

Fixes

• Wireguard: change default WIREGUARD_MTU from 1400 to 1320 (partially address #2533)
• OpenVPN: set default mssfix to 1320 for all providers with no default already set (partially address #2533)
• Control server: fix logged wiki authentication section link
• Firewall:
  • iptables list uses -n flag for testing iptables path (#2574)
  • deduplicate VPN address accept rule for multiple default routes with the same network interface
  • deduplicate ipv6 multicast output accept rules
  • ipv6 multicast output address value fixed
  • log warning if ipv6 nat filter is not supported instead of returning an error (allow to port forward redirect for IPv4 and not IPv6 if IPv6 NAT is not supported and fixed #2503)
• Wireguard:
  • Point to Kubernetes wiki page when encountering IP rule add file exists error (#2526)
• IPVanish:
  • fix openvpn configuration by updating CA value and add comp-lzo option
  • update openvpn zip file url for updater
• Perfect Privacy: update openvpn expired certificates (#2542)
• Public IP: lock settings during entire update to prevent race conditions

Documentation

• Dockerfile
  • add missing OPENVPN_MSSFIX environment variable
  • add missing option definitions
    • STREAM_ONLY
    • FREE_ONLY
  • Document PORT_FORWARD_ONLY is for both PIA and ProtonVPN

Maintenance

Code quality

• Remove github.com/qdm12/golibs dependency
  • Implement friendly duration formatting locally
  • implement github.com/qdm12/golibs/command locally (#2418)
• internal/natpmp: fix determinism for test Test_Client_ExternalAddress
• let system handle OS signals after first one to request a program stop
• internal/routing: remove redundant rule ip rule in error messages
• internal/netlink debug log ip rule commands in netlink instead of routing package
• internal/server: move log middleware to internal/server/middlewares/log
• use gofumpt for code formatting
• Fix gopls govet errors
• Upgrade linter from v1.56.2 to v1.61.0
  • Remove no longer needed exclude rules
  • Add new exclude rules for printf govet errors
  • Remove deprecated linters execinquery and exportloopref
  • Rename linter goerr113 to err113 and gomnd to mnd
  • Add new linters and update codebase: canonicalheader, copyloopvar, fatcontext, intrange

Dependencies

• Upgrade Go from 1.22 to 1.23
• Bump vishvananda/netlink from v1.2.1-beta.2 to v1.2.1
• Bump github.com/qdm12/gosettings from v0.4.3 to v0.4.4
  • Better support for quote expressions especially for commands such as VPN_PORT_FORWARDING_UP_COMMAND
• Bump github.com/breml/rootcerts from 0.2.18 to 0.2.19 (#2601)
• Bump golang.org/x/net from 0.25.0 to 0.31.0 (#2401, #2578)
• Bump golang.org/x/sys from 0.260.0 to 0.27.0 (#2404, #2573)
• Bump golang.org/x/text from 0.15.0 to 0.17.0 (#2400)
• Bump github.com/klauspost/compress from 1.17.8 to 1.17.11 (#2319, #2550)
• Bump github.com/pelletier/go-toml/v2 from 2.2.2 to 2.2.3 (#2549)
• Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#2428)
• Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#2600)

CI

• Linting: remove canonicalheader since it's not reliable
• Use --device /dev/net/tun for test container
• Bump DavidAnson/markdownlint-cli2-action from 16 to 18 (#2588)
• Bump docker/build-push-action from 5 to 6 (#2324)

Development setup

• dev container
  • pin godevcontainer image to tag :v0.20-alpine
  • drop requirement for docker-compose and use devcontainer.json settings directly
  • readme update
    • remove Windows without WSL step
    • update 'remote containers extension' to 'dev containers extension'
    • remove invalid warning on directories creation
    • simplify customizations section
      • remove "publish a port" since it can be done at runtime now
      • remove "run other services" since it's rather unneeded in this case
      • expand documentation on custom welcome script and where to specify the bind mount
        • use bullet points instead of subsections headings
• Github labels
  • change "config problem" to "user error"
  • add "performance", "investigation", "servers storage" and "nearly resolved" categories

v3.39.1

🎥 https://youtu.be/O09rP1DlcFU?si=qPdzWUWnzciNxAc7

Fixes

• Firewall: delete chain rules by line number (#2411)
• Control server: require authentication for vulnerable routes (#2434)
• NordVPN: remove commas from region values
• IVPN: split city into city and region
  • Fix bad city values containing a comma
  • update ivpn servers data
• Private Internet Access: support port forwarding using custom Wireguard (#2420)
• ProtonVPN: prevent using FREE_ONLY and PORT_FORWARD_ONLY together (see #2470)
• internal/storage: add missing selection fields to build noServerFoundError (see #2470)

v3.39.0

🎥 Youtube video explaining all this

Features

• OpenVPN: default version changed from 2.5 to 2.6
• Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy iptables)
• Healthcheck: change timeout mechanism
  • Healthcheck timeout is no longer fixed to 3 seconds
  • Healthcheck timeout increases from 2s to 4s, 6s, 8s, 10s
  • No 1 second wait time between check retries after failure
  • VPN internal restart may be delayed by a maximum of 10 seconds
• Firewall:
  • Query iptables binary variants to find which one to use depending on the kernel
  • Prefer using iptables-nft over iptables-legacy (Alpine new default is nft backend iptables)
• Wireguard:
  • WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL option
  • read configuration file without case sensitivity
• VPN Port forwarding: only use port forwarding enabled servers if VPN_PORT_FORWARDING=on (applies only to PIA and ProtonVPN for now)
• FastestVPN:
  • Wireguard support (#2383 - Credits to @Zerauskire for the initial investigation and @jvanderzande for an initial implementation as well as reviewing the pull request)
  • use API instead of openvpn zip file to fetch servers data
  • add city filter SERVER_CITY
  • update built-in servers data
• Perfect Privacy: port forwarding support with VPN_PORT_FORWARDING=on (#2378)
• Private Internet Access: port forwarding options VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD (retro-compatible with OPENVPN_USER and OPENVPN_PASSWORD)
• ProtonVPN:
  • Wireguard support (#2390)
  • feature filters SECURE_CORE_ONLY, TOR_ONLY and PORT_FORWARD_ONLY (#2182)
  • determine "free" status using API tier value
  • update built-in servers data
• Surfshark: servers data update
• VPNSecure: servers data update
• VPN_ENDPOINT_IP split into OPENVPN_ENDPOINT_IP and WIREGUARD_ENDPOINT_IP
• VPN_ENDPOINT_PORT split into OPENVPN_ENDPOINT_PORT and WIREGUARD_ENDPOINT_PORT

Fixes

• VPN_PORT_FORWARDING_LISTENING_PORT fixed
• IPv6 support detection ignores loopback route destinations
• Custom provider:
  • handle port option line for OpenVPN
  • ignore comments in an OpenVPN configuration file
  • assume port forwarding is always supported by a custom server
• VPN Unlimited:
  • change default UDP port from 1194 to 1197
  • allow OpenVPN TCP on port 1197
• Private Internet Access Wireguard and port forwarding
  • Set server name if names filter is set with the custom provider (see #2147)
• PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
• Torguard: update OpenVPN configuration
  • add aes-128-gcm and aes-128-cbc ciphers
  • remove mssfix, sndbuf, rcvbuf, ping and reneg options
• VPNSecure: associate N / A with no data for servers
• AirVPN: set default mssfix to 1320-28=1292
• Surfshark: remove outdated hardcoded retro servers
• Public IP echo:
  • ip2location parsing for latitude and longitude fixed
  • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
• internal/server: /openvpn route status get and put
  • get status return stopped if running Wireguard
  • put status changes vpn type if running Wireguard
• Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings
• Log last Gluetun release by tag name alphabetically instead of by release date
• format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
• internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Documentation

• readme:
  • clarify shadowsocks proxy is a server, not a client
  • update list of providers supporting Wireguard with the custom provider
  • add protonvpn as custom port forwarding implementation
• disable Github blank issues
• Bump github.com/qdm12/gosplash to v0.2.0
  • Add /choose suffix to github links in logs
• add Github labels: "Custom provider", "Category: logs" and "Before next release"
• rename FIREWALL_ENABLED to FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT due to the sheer amount of users misusing it. FIREWALL_ENABLED won't do anything anymore. At least you've been warned not to use it...

Maintenance

• Code health
  • PIA port forwarding:
    • remove dependency on storage package
    • return an error to port forwarding loop if server cannot port forward
  • internal/config:
    • upgrade to github.com/qdm12/gosettings v0.4.2
      • drop github.com/qdm12/govalid dependency
      • upgrade github.com/qdm12/ss-server to v0.6.0
      • do not un-set sensitive config settings anymore
    • removed bad/invalid retro-compatible keys CONTROL_SERVER_ADDRESS and CONTROL_SERVER_PORT
    • OpenVPN protocol field is now a string instead of a TCP boolean
    • Split server filter validation for features and subscription-tier
    • provider name field as string instead of string pointer
  • internal/portforward: support multiple ports forwarded
  • Fix typos in code comments (#2216)
  • internal/tun: fix unit test for unprivileged user
• Development environment
  • fix source.organizeImports vscode setting value
  • linter: remove now invalid skip-dirs configuration block
• Dependencies
  • Bump Wireguard Go dependencies
  • Bump Go from 1.21 to 1.22
  • Bump golang.org/x/net from 0.19.0 to 0.25.0 (#2138, #2208, #2269)
  • Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#2139)
  • Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#2178, #2218)
  • Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#2279)
  • Bump github.com/stretchr/testify to v1.9.0
  • Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+
• CI
  • Bump DavidAnson/markdownlint-cli2-action from 14 to 16 (#2214)
  • Bump peter-evans/dockerhub-description from 3 to 4 (#2075)
• Github
  • remove empty label description fields
  • add /choose suffix to issue and discussion links
  • review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label
  • Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service

v3.38.1

ℹ️ This is a bugfix release for v3.38.0. If you can, please instead use release v3.39.0

Fixes

• VPN_PORT_FORWARDING_LISTENING_PORT fixed
• IPv6 support detection ignores loopback route destinations
• Custom provider:
  • handle port option line for OpenVPN
  • ignore comments in an OpenVPN configuration file
  • assume port forwarding is always supported by a custom server
• VPN Unlimited:
  • change default UDP port from 1194 to 1197
  • allow OpenVPN TCP on port 1197
• Private Internet Access Wireguard and port forwarding
  • Set server name if names filter is set with the custom provider (see #2147)
• PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
• Torguard: update OpenVPN configuration
  • add aes-128-gcm and aes-128-cbc ciphers
  • remove mssfix, sndbuf, rcvbuf, ping and reneg options
• VPNSecure: associate N / A with no data for servers
• AirVPN: set default mssfix to 1320-28=1292
• Surfshark: remove outdated hardcoded retro servers
• Public IP echo:
  • ip2location parsing for latitude and longitude fixed
  • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
• internal/server: /openvpn route status get and put
  • get status return stopped if running Wireguard
  • put status changes vpn type if running Wireguard
• Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings
• Log last Gluetun release by tag name alphabetically instead of by release date
• format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
• internal/tun: only create tun device if it does not exist, do not create if it exists and does not work