Template: GluetunVPN
Repository: qmcgaw/gluetun
Registry: https://hub.docker.com/r/qmcgaw/gluetun
Network: bridge
Privileged: false
Support: https://forums.unraid.net/topic/111725-support-diamondprecisioncomputing-all-images-and-files
Project: https://github.com/qdm12/gluetun

# Gluetun VPN client

Lightweight swiss-knife-like VPN client to multiple VPN service providers

## Quick links

- [Setup](#setup)
- [Features](#features)
- Problem?
  - [Check the Wiki](https://github.com/qdm12/gluetun/wiki)
  - [Start a discussion](https://github.com/qdm12/gluetun/discussions)
  - [Fix the Unraid template](https://github.com/qdm12/gluetun/discussions/550)
- Suggestion?
  - [Create an issue](https://github.com/qdm12/gluetun/issues)
  - [Join the Slack channel](https://join.slack.com/t/qdm12/shared_invite/enQtOTE0NjcxNTM1ODc5LTYyZmVlOTM3MGI4ZWU0YmJkMjUxNmQ4ODQ2OTAwYzMxMTlhY2Q1MWQyOWUyNjc2ODliNjFjMDUxNWNmNzk5MDk)
- Happy?
  - Sponsor me on [github.com/sponsors/qdm12](https://github.com/sponsors/qdm12)
  - Donate to [paypal.me/qmcgaw](https://www.paypal.me/qmcgaw)
  - Drop me [an email](mailto:quentin.mcgaw@gmail.com)
- **Want to add a VPN provider?** check [Development](https://github.com/qdm12/gluetun/wiki/Development) and [Add a provider](https://github.com/qdm12/gluetun/wiki/Add-a-provider)
- Video: [![Video Gif](https://i.imgur.com/CetWunc.gif)](https://youtu.be/0F6I03LQcI4)
- [Substack Console interview](https://console.substack.com/p/console-72)

## Features

- Based on Alpine 3.18 for a small Docker image of 35.6MB
- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad**, **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**, **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **WeVPN**, **Windscribe** servers
- Supports OpenVPN for all providers listed
- Supports Wireguard both kernelspace and userspace
  - For **Mullvad**, **Ivpn**, **Surfshark** and **Windscribe**
  - For **ProtonVPN**, **PureVPN**, **Torguard**, **VPN Unlimited** and **WeVPN** using [the custom provider](https://github.com/qdm12/gluetun/wiki/Custom-provider)
  - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun/wiki/Custom-provider)
  - More in progress, see [#134](https://github.com/qdm12/gluetun/issues/134)
- DNS over TLS baked in with service provider(s) of your choice
- DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
- Choose the VPN network protocol, `udp` or `tcp`
- Built in firewall kill switch to allow traffic only with the needed VPN servers and LAN devices
- Built in Shadowsocks proxy (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
- Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
- [Connect other containers to it](https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun)
- [Connect LAN devices to it](https://github.com/qdm12/gluetun/wiki/Connect-a-LAN-device-to-gluetun)
- Compatible with amd64, i686 (32 bit), **ARM** 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
- [Custom VPN server side port forwarding for Private Internet Access](https://github.com/qdm12/gluetun/wiki/Private-internet-access#vpn-server-port-forwarding)
- Possibility of split horizon DNS by selecting multiple DNS over TLS providers
- Unbound subprogram drops root privileges once launched
- Can work as a Kubernetes sidecar container, thanks @rorph

## Setup

🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible! Go to the [Wiki](https://github.com/qdm12/gluetun/wiki)!

Here's a docker-compose.yml for the laziest:

```yml
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    # container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /yourpath:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun/wiki
      - VPN_SERVICE_PROVIDER=ivpn
      - VPN_TYPE=openvpn
      # OpenVPN:
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      # Wireguard:
      # - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
      # - WIREGUARD_ADDRESSES=10.64.222.21/32
      # Timezone for accurate log times
      - TZ=
      # Server list updater. See https://github.com/qdm12/gluetun/wiki/Updating-Servers#periodic-update
      - UPDATER_PERIOD=
      - UPDATER_VPN_SERVICE_PROVIDERS=
```

🆕 Image also available as `ghcr.io/qdm12/gluetun`

## License

[![MIT](https://img.shields.io/github/license/qdm12/gluetun)](https://github.com/qdm12/gluetun/master/LICENSE)

Category: Security: Network:VPN
WebUI: http://[IP]:[PORT:8000]
TemplateURL: https://raw.githubusercontent.com/DiamondPrecisionComputing/unraid-templates/main/templates/GluetunVPN.xml
Icon: https://raw.githubusercontent.com/qdm12/gluetun/master/doc/logo_256.png
ExtraParams: --cap-add=NET_ADMIN --restart always

This app and Docker image were generously made by qmcgaw. If you like the project please consider making a donation toward his efforts and check out the MANY other projects he has created on GitHub.
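The compose file in Setup above only runs gluetun itself. The example below is an addition to this page, not the project's own README, and shows the arrangement the Features list calls "Connect other containers to it": a second service that shares gluetun's network namespace, so that every packet it sends is subject to gluetun's firewall kill switch and can only leave through the tunnel. It assumes a placeholder application image `example/app` listening on 8080, a LAN of 192.168.1.0/24, and the image's built-in Docker healthcheck (used for `service_healthy`). `FIREWALL_INPUT_PORTS` is taken from gluetun's wiki and is not documented on this page; the other variables appear on this page. Secrets are read from the shell environment or a `.env` file instead of being written into the compose file.

```yaml
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun              # required so other containers can attach to it
    cap_add:
      - NET_ADMIN                        # the only capability gluetun needs; avoid privileged: true
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      # The application's port is published here, on gluetun, not on the app service:
      # with network_mode "service:gluetun" the app has no network interface of its own.
      - 8080:8080/tcp
    volumes:
      - /yourpath:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=ivpn
      - VPN_TYPE=wireguard
      # Assumption: values come from .env or the shell, so the key is never committed
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      # Assumed LAN: traffic to this subnet may bypass the tunnel (needed for LAN clients
      # to reach the app); anything else that is not tunnelled is dropped by the kill switch
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      # Assumed from the wiki: accept new inbound connections to the app's port
      - FIREWALL_INPUT_PORTS=8080
      # Health check dials this TCP address through the tunnel (defaults to cloudflare.com:443)
      - HEALTH_TARGET_ADDRESS=cloudflare.com:443
      - TZ=Etc/UTC
    restart: always

  app:
    image: example/app                   # placeholder image for this example
    network_mode: "service:gluetun"      # share gluetun's network namespace; no ports: here
    depends_on:
      gluetun:
        condition: service_healthy       # do not start until the tunnel is up
    restart: always
```

Two checks are worth running after `docker compose up`. From inside `app`, fetch your public IP and confirm it is the VPN exit address, not your ISP address; then stop `gluetun` and repeat: the request must fail outright rather than succeed over the host's route, which is the kill switch working. Note that Compose rejects a `ports:` entry on a service that uses `network_mode: "service:..."`, and that if the `gluetun` container is recreated (not merely restarted) the attached containers lose their network namespace and must be recreated as well.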
Donate: https://www.paypal.me/qmcgaw
Date: 2023-05-23

## Changes

### 3.34.1

#### Fixes

- Fix routing net.IPNet to netip.Prefix conversion (fixes #1583)

### 3.34.0

#### Features

- HEALTH_SUCCESS_WAIT_DURATION variable, defaulting to 5s
- Rename port forwarding variables (prepare to add ProtonVPN, see #1488)
  - VPN_PORT_FORWARDING_STATUS_FILE
  - VPN_PORT_FORWARDING
  - Deprecate PIA specific variables for VPN port forwarding
- Servers data updated for: perfect privacy, surfshark
- Routing: log default route family as string

#### Fixes

- Mullvad: add aes-256-gcm cipher to support their newer OpenVPN 2.6 servers
- Perfect privacy: update cert and key (thanks @Thamos88 and @15ky3)
- Perfect privacy: remove check for empty hostname in servers
- Routing: add policy rules for each destination local network (thanks @kylemanna)
- Settings: clarify Wireguard provider unsupported error
- Minor fixes
  - Pprof settings rates can be nil

#### Maintenance

- Wrap all sentinel errors and enforce using errors.Is
- Migrate usages of inet.af/netaddr to net/netip
  - Use netip.Prefix for IP networks instead of net.IPNet and netaddr.IPPrefix
  - Use netip.Addr instead of net.IP
  - Wireguard: use netip.AddrPort instead of *net.UDPAddr
- Healthcheck: use Go dialer preferably
- Upgrade Wireguard dependencies
- Upgrade inet.af/netaddr dependency
- Upgrade golang.org/x/net to 0.10.0
- Upgrade github.com/fatih/color from 1.14.1 to 1.15.0
- Upgrade golangci-lint from v1.51.2 to v1.52.2
- Upgrade github.com/vishvananda/netlink from 1.1.1-0.20211129163951-9ada19101fc5 to 1.2.1-beta.2
- Upgrade golang.org/x/sys from 0.7.0 to 0.8.0
- Remove unneeded settings/helpers/pointers.go, CopyNetipPrefix and settings/sources/env envToInt function
- Fix netlink tagged integration tests
- Settings: use generics for helper functions (thanks @bubuntux)
- Simplify default routes for loop
- Development container: do not bind mount ~/.gitconfig

### 3.33.3

#### Features

- WIREGUARD_IMPLEMENTATION variable which can be auto (default), userspace or kernelspace
- ghcr.io/qdm12/gluetun Docker image mirror
- Alpine upgraded from 3.16 to 3.17
- OpenVPN upgraded from 2.5.6 to 2.5.8 built with OpenSSL 3
  - OpenSSL 1.1.* installed separately to keep OpenVPN 2.4 working
- Logging:
  - log FAQ Github Wiki URL when the VPN internally restarts
  - Warn OpenVPN 2.4 is to be removed in the next release
  - Warn when using SlickVPN or VPN Unlimited due to their weak certificates
  - Warn Hide My Ass is no longer supported (credits to @Fukitsu)
  - OpenVPN `RTNETLINK answers: File exists` changed to warning level with explanation
  - OpenVPN `Linux route add command failed` changed to warning level with explanation
  - Log IPv6 support at debug level with more information instead of at the info level
- Update servers data: AirVPN, FastestVPN, Mullvad, Surfshark, Private Internet Access
- Netlink: add debug logger (no use yet)
- Surfshark: add 2 new 'HK' servers
- Install Alpine wget package (fixes #1260, #1494 due to busybox's buggy wget)
- OpenVPN: transparently upgrade key encryption for DES-CBC encrypted keys (VPN Secure)

#### Important Fixes

- Exit with code 1 on a program error
- Profiling server: do not run if disabled
- IPv6 detection: inspect each route source and destination for buggy kernels/container runtimes
- iptables detection: better interpret permission denied for buggy kernels/container runtimes
- FastestVPN: update OpenVPN zip file URL for the updater (#1264)
- IPVanish: update OpenVPN zip file URL for the updater (#1449)
- Surfshark: remove 3 servers no longer resolving
- AirVPN
  - remove commas from API locations
  - remove commas from city names
- VPN Unlimited: lower TLS security level to 0 to allow weak certificates to work with OpenVPN 2.5.8 + OpenSSL 3
- SlickVPN
  - explicitly allow AES-256-GCM cipher
  - lower TLS security level to 0 to allow SlickVPN's weak certificates to work with OpenVPN 2.5.8 + OpenSSL 3
  - All servers support TCP and UDP
  - Specify default TCP port as 443

#### Documentation

- Document new docker image ghcr.io/qdm12/gluetun
- Add servers updater environment variables (#1393)
- Update Github labels:
  - remove issue category labels
  - Add temporary status labels
  - Add complexity labels

#### Minor Fixes

- Firewall: remove previously allowed input ports
- HTTP proxy: lower shutdown wait from 2s to 100ms
- Private Internet Access: remove credentials from login error string
- Wireguard:
  - validate Wireguard addresses depending on IPv6 support
  - ignore IPv6 interface addresses if IPv6 is not supported
- Healthcheck client: set unset health settings to defaults
- Print outbound subnets settings correctly
- github.com/breml/rootcerts from 0.2.8 to 0.2.10
- Add subprogram name in version check error

#### Maintenance

- Development tooling:
  - Go upgraded from 1.19 to 1.20
  - Development container has the same ssh bind mount for all platforms
  - Development container has openssl installed
  - golangci-lint upgraded from v1.49.0 to v1.51.2
  - github.com/stretchr/testify upgraded from 1.8.1 to 1.8.2
- Dependencies
  - golang.org/x/text upgraded from 0.4.0 to 0.8.0
  - github.com/fatih/color upgraded from 1.13.0 to 1.14.1
  - golang.org/x/sys upgraded from 0.3.0 to 0.6.0
  - Remove no longer needed apk-tools
- Code health
  - Add comments for OpenVPN settings fields about their base64 DER encoding
  - internal/openvpn/extract: simplify PEM extraction function
  - Review all error wrappings
    - remove repetitive cannot and failed prefixes
    - rename unmarshaling to decoding
- CI
  - docker/build-push-action upgraded from 3.2.0 to 4.0.0

### 3.32.0

#### Features

- AirVPN support (#1145)
- Surfshark Wireguard support (#587)
- IPv6 connection and tunneling (#1114)
  - Auto detection of IPv6 support for OpenVPN and OPENVPN_IPV6 removed
- Built-in servers updates: Cyberghost, FastestVPN, Ivpn, Mullvad, ProtonVPN, PureVPN and Windscribe
- HTTP proxy: log credentials sent on mismatch

#### Fixes

- Private Internet Access: get token for port forwarding (#1132)
- FastestVPN: updater handles lowercase .ovpn filenames
- Ivpn: update mechanism fixed for Wireguard servers
- Cyberghost: remove outdated server groups 94-1 premium udp usa, 95-1 premium udp asia, 93-1 premium udp usa and 96-1 premium tcp asia
- Exit with OS code 0 on successful shutdown
- Public IP fetching
  - handle HTTP status code 403 as too many requests
  - no retry when too many requests to ipinfo.io
- OpenVPN: do not set tun-ipv6
  - server should push tun-ipv6 if it is available
  - Add ignore filter for tun-ipv6 if ipv6 is not supported on client
- Updater: error when a server lacks the minimal information
- Custom provider: OPENVPN_CUSTOM_CONFIG takes precedence only if VPN_SERVICE_PROVIDER is empty
- Wireguard: ignore IPv6 addresses if IPv6 is disabled
- Environment variables: trim space for wireguard addresses
- OpenVPN: parse udp4, udp6, tcp4 or tcp6

### 3.31.1

#### Fixes

- Fix vpnsecure.me operation by allowing empty OpenVPN username

### 3.31.0

#### Features

- SlickVPN Support (#961)
- VPNsecure.me support (#848)
- Update servers data built-in for ExpressVPN, Surfshark
- Control server: add /vpn route to replace /openvpn (in future v4.0.0)
- Control server: patch VPN settings using HTTP PUT at /v1/vpn/settings (undocumented, experimental)

#### Fixes

- Surfshark: remove no longer valid retro server data
- Bump github.com/breml/rootcerts from 0.2.3 to 0.2.6 (#1033, #1058)

### 3.30.1

#### Fixes

- OpenVPN certificate: read PEM encoded files and read base64 encoded PEM inner value from environment variable (as documented in Wiki)
- OpenVPN key: read PEM encoded files and read base64 encoded PEM inner value from environment variable (as documented in Wiki)

### 3.30.0

#### Features

- ExpressVPN: OpenVPN additional ciphers (#1047)
- Storage
  - add "keep" boolean field for servers to keep manually added servers
  - log time difference as a friendly duration
- Updater: configurable minimum ratio of servers found
  - UPDATER_MIN_RATIO environment variable
  - -minratio flag for CLI operation
- Docker: upgrade Alpine from 3.15 to 3.16 (#1005)
- Update servers data: Perfect privacy, Purevpn, Privatevpn, Private Internet Access, ProtonVPN, IPVanish, Surfshark
- Environment variables: clean values by removing surrounding spaces and trailing new line characters
- Wireguard: add debug logs for IPv6 detection which can be enabled with LOG_LEVEL=debug

#### Fixes

- ExpressVPN: OpenVPN fragment option taken into account (#1047)
- Private internet access
  - load custom certificate to communicate with their API
  - restrict custom port choice
- ProtonVPN
  - set free field for free servers, fixing FREE_ONLY behavior
  - remove duplicate entry IPs
  - restrict custom port choice
- Wireguard: continue on ipv6 route add permission denial
- VPN: do not close wait error channel on consumer side
- Port forwarding: set file owned by the uid and gid set by PUID and PGID
- Private Internet Access: remove duplicate log of port forwarding data expiration
- Pprof settings: override method used correctly in global settings
- Updater: fix CLI operation not setting DNS server
- IPVanish: remove duplicate server entries
- Custom: validate custom OpenVPN file at settings validation

### 3.29.0

#### Features

- Firewall
  - Auto-detect iptables and iptables-nft for IPv4 and IPv6
  - Improve error message when NET_ADMIN capability is missing
  - Support all default routes instead of only the first one
    - Accept output traffic from all default routes through VPN interface
    - Accept output from all default routes to outbound subnets
    - Accept all input traffic on ports for all default routes
    - Add IP rules for all default routes
  - Add IPv6 inbound routing
- Provider Specific
  - Servers update: Mullvad, Privado, PrivateVPN, ProtonVPN, PureVPN, NordVPN, Private Internet Access, Torguard, FastestVPN (thanks @mircoianese #923)
  - NordVPN: remove OpenVPN compression
  - Ivpn: allow no password for account IDs matching i-xxxx-xxxx-xxxx or ivpn-xxxx-xxxx-xxxx
- Other
  - Use https://github.com/qdm12/log for logging
  - Log OS signal name when shutting down
  - Storage: omit empty fields in servers.json

#### Fixes

- Health check
  - HEALTH_TARGET_ADDRESS to replace HEALTH_ADDRESS_TO_PING
  - Remove github.com/go-ping/ping dependency
  - Dial TCP the target address, appending :443 if port is not set
  - Target address defaults to cloudflare.com:443
- OPENVPN_FLAGS fixed to work
- HEALTH_VPN_DURATION_ADDITION fixed to work
- Privado: fix OPENVPN_PORT usage, thanks @cacti-user
- Firewall: only set routes for IPv4 default routes
- Use openvpn 2.4.12-r0 in CI build for openvpn 2.4
- Fix PureVPN zip file download link (#915 thanks @mircoianese)
- Private Internet Access: hide escaped URL query values (token etc.)
- NordVPN: allow aes-256-gcm for OpenVPN 2.4
- Private Internet Access: fix certificate validation (use OS certificates instead of custom certificate)
- Port forwarding: loop exit from vpn loop
- PUID and PGID as 32 bit unsigned integers instead of 16 bit

### 3.28.0

#### Features

- Updater: environment variable UPDATER_VPN_SERVICE_PROVIDERS
  - Updater defaults to updating the VPN provider in use if enabled
- ExpressVPN: update built-in server data
- OPENVPN_PROCESS_USER with retro-compatibility with OPENVPN_ROOT
- Add pprof HTTP server on port :6060 (#807)

#### Fixes

- Accept uppercase OPENVPN_PROTOCOL values
- Cyberghost: log about compatibility mode if COUNTRY is left empty
- Control server: allow binding on a random port by using :0
- Retro-compatible precedence order for environment variables with defaults set in Dockerfile
  - BLOCK_NSA has precedence over BLOCK_SURVEILLANCE
  - HEALTH_OPENVPN_DURATION_ADDITION has precedence over HEALTH_VPN_DURATION_ADDITION
  - HEALTH_OPENVPN_DURATION_INITIAL has precedence over HEALTH_VPN_DURATION_INITIAL
  - Chain of precedence: PROXY > TINYPROXY > HTTPPROXY
  - Chain of precedence: PROXY_LOG_LEVEL > TINYPROXY_LOG > HTTPPROXY_LOG
  - PROTOCOL has precedence over OPENVPN_PROTOCOL
  - IP_STATUS_FILE has precedence over PUBLICIP_FILE
  - SHADOWSOCKS_PORT has precedence over SHADOWSOCKS_LISTENING_ADDRESS
  - SHADOWSOCKS_METHOD has precedence over SHADOWSOCKS_CIPHER

### 3.27.0

#### Features

- Wireguard opportunistic kernelspace
  - Auto detect if kernelspace implementation is available
  - Fall back to Go userspace implementation if kernel is not available
- Entrypoint name changed from entrypoint to gluetun-entrypoint
- Privado: update servers data
- ProtonVPN: update servers data
- Docker image: upgrade Alpine to 3.15

#### Fixes

- Hidemyass: REGION validation
- Dockerfile: change SHADOWSOCKS_ADDRESS to SHADOWSOCKS_LISTENING_ADDRESS

### 3.26.0

#### Features

- Perfect privacy support (#606)
- PrivateVPN
  - OPENVPN_PORT support
- Update server information
  - Windscribe
  - Torguard
  - ProtonVPN
  - NordVPN
- Multiple OpenVPN ciphers for negotiation
  - Cyberghost default cipher set to AES-256-GCM
  - OPENVPN_CIPHER accepts comma separated cipher values
  - use ncp-ciphers for OpenVPN 2.4

#### Fixes

- PrivateVPN: new OpenVPN configuration values
- VyprVPN: OpenVPN comp-lzo option
- NordVPN: OpenVPN comp-lzo option
- Docker image: fix 2 low severity busybox vulnerabilities
- QNAP devices: openvpn at /usr/sbin/openvpn2.5 (see #157)
- Updater: fix CLI error message
- Version check: check Github HTTP response status code
- Public IP fetcher: remove opendns.com due to bad x509 cert
- Storage: server data version diff when reading file

### 3.25.0

#### Features

- ExpressVPN Support (#623)
- WeVPN Support (#591)
- Healthcheck uses DNS and ping to github.com instead of only DNS to avoid relying on DNS cache
  - HEALTH_ADDRESS_TO_PING variable
- Adapt logger prefix to VPN used
  - openvpn: for OpenVPN
  - wireguard: for Wireguard
- VPNSP value custom for OpenVPN custom config files (#621)
- VPNSP value custom for Wireguard custom configuration
  - WIREGUARD_PUBLIC_KEY variable
  - WIREGUARD_ENDPOINT_IP variable
- OpenVPN custom configuration file is reloaded on VPN restarts
- OpenVPN custom configuration file is parsed at start to log out valid settings
- Support IPv6 routing for Wireguard
- Log Wireguard server endpoint
- Log Wireguard keys when LOG_LEVEL=debug
- Windscribe OpenVPN default cipher set to aes-256-gcm
- Update server information built-in
  - Cyberghost
  - FastestVPN
  - Mullvad
- format-servers CLI command

#### Fixes

- Set non block on TUN device
- Close HTTP client connections when tunnel comes up
- Public IP loop deadlock
- OpenVPN VPNSP=custom does not deduplicate lines
- PureVPN: remove OpenVPN cipher option AES-256-CBC
- Cyberghost OpenVPN cipher option defaults to aes-128-gcm
- Repository servers.json path for maintainer server update CLI
- Add missing HTTP status code check for Windscribe API
- PIA_ENCRYPTION default in Go program
  - Defaults to strong instead of strong certificate string
  - No impact on Docker images since variable is set to strong in Dockerfile
  - Only read PIA_ENCRYPTION if service provider is PIA
- (Security) Remove OpenVPN compression option (affects FastestVPN, Hide My Ass, IP Vanish, IVPN, NordVPN, PIA, PrivateVPN, ProtonVPN, Torguard, VPN Unlimited, VyprVPN)
- FastestVPN updated OpenVPN configuration
- HideMyAss: Cote d'Ivoire server country name
- Log errors with error level for OpenVPN
- PIA SERVER_NAME variable functionality

### 3.24.0

#### Features

- IVPN
  - Wireguard support (#584)
  - TCP protocol support for OpenVPN
  - Custom port support for OpenVPN
  - Servers data update (#578)
  - `ISP` filter (#578)
- Mullvad
  - `WIREGUARD_PORT` support
- Surfshark
  - Servers data improved (#575)
- `LOG_LEVEL` variable (#577)
- Add IP geolocation data to HTTP control server at `/v1/publicip/ip`
- `OPENVPN_TARGET_IP` overrides IP for OpenVPN only
- `WIREGUARD_ADDRESSES` accepts multiple comma separated IP networks

#### Fixes

- `FIREWALL_OUTBOUND_SUBNETS` IP rules
- Wireguard
  - `FIREWALL_VPN_INPUT_PORTS` support
  - Fixed cleanup of wireguard link that was preventing restarts
- Surfshark `REGION` retro-compatibility restored
- `MULTIHOP_ONLY` defaults to `no`
- Fix panic for certain 'no server found' errors
- Clear IP data when VPN is stopped

### 3.23.0

- Support for Wireguard (IVPN, Mullvad and Windscribe)
- Change ownership of OpenVPN configuration file with PUID and PGID
- OpenVPN custom config process user gets removed
- OpenVPN custom config with custom network interface name set properly in firewall
- Sorted IP addresses for servers.json
- Only allow traffic through VPN interface when needed
- HTTP control server /v1/openvpn route interacts with OpenVPN settings only (not provider settings)
- Image size lowered to 31MB
- Using Alpine 3.14

### 3.22.0

- Allow multiple comma separated values for CYBERGHOST_GROUP
- Update Cyberghost servers information
- Change from SHADOWSOCKS_PORT to SHADOWSOCKS_LISTENING_ADDRESS
- Windscribe: only use OpenVPN IP addresses, not Wireguard ones
- Cyberghost: explicit-exit-notify used only for UDP, not TCP
- Fix loop state change logic deadlock (preventing a 2nd restart for all run loops)
- Use latest apk-tools to fix an Alpine vulnerability
- Upgrade qdm12/ss-server to v0.3.0

Template default values (Unraid Config entries, variable names absent): /mnt/user/appdata/gluetun private internet access openvpn tun0 udp 2.5 1 no off auto on off info 127.0.0.1:9999 github.com:443 6s 5s on cloudflare 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112 1 0 0 on off on off off 24h off off off 8888 off off off :8388 chacha20-ietf-poly1305 0 /gluetun/ip 12h on 8000 on 1000 1000