diff --git a/internal/cli/formatservers.go b/internal/cli/formatservers.go
index 63ee8eb7..223963c3 100644
--- a/internal/cli/formatservers.go
+++ b/internal/cli/formatservers.go
@@ -61,7 +61,7 @@ func (c *CLI) FormatServers(args []string) error {
 	}
 	switch len(providers) {
 	case 0:
-		return ErrProviderUnspecified
+		return fmt.Errorf("%w", ErrProviderUnspecified)
 	case 1:
 	default:
 		return fmt.Errorf("%w: %d specified: %s",
diff --git a/internal/cli/update.go b/internal/cli/update.go
index 8b9de1a1..07e5899b 100644
--- a/internal/cli/update.go
+++ b/internal/cli/update.go
@@ -51,14 +51,14 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 	}
 
 	if !endUserMode && !maintainerMode {
-		return ErrModeUnspecified
+		return fmt.Errorf("%w", ErrModeUnspecified)
 	}
 
 	if updateAll {
 		options.Providers = providers.All()
 	} else {
 		if csvProviders == "" {
-			return ErrNoProviderSpecified
+			return fmt.Errorf("%w", ErrNoProviderSpecified)
 		}
 		options.Providers = strings.Split(csvProviders, ",")
 	}
diff --git a/internal/configuration/settings/helpers/belong.go b/internal/configuration/settings/helpers/belong.go
index 62aafde2..899c1dc8 100644
--- a/internal/configuration/settings/helpers/belong.go
+++ b/internal/configuration/settings/helpers/belong.go
@@ -22,7 +22,7 @@ var (
 
 func AreAllOneOf(values, choices []string) (err error) {
 	if len(values) > 0 && len(choices) == 0 {
-		return ErrNoChoice
+		return fmt.Errorf("%w", ErrNoChoice)
 	}
 
 	set := make(map[string]struct{}, len(choices))
diff --git a/internal/configuration/settings/openvpn.go b/internal/configuration/settings/openvpn.go
index b2370cf0..4291100c 100644
--- a/internal/configuration/settings/openvpn.go
+++ b/internal/configuration/settings/openvpn.go
@@ -100,14 +100,14 @@ func (o OpenVPN) validate(vpnProvider string) (err error) {
 		vpnProvider != providers.VPNSecure
 
 	if isUserRequired && *o.User == "" {
-		return ErrOpenVPNUserIsEmpty
+		return fmt.Errorf("%w", ErrOpenVPNUserIsEmpty)
 	}
 
 	passwordRequired := isUserRequired &&
 		(vpnProvider != providers.Ivpn || !ivpnAccountID.MatchString(*o.User))
 
 	if passwordRequired && *o.Password == "" {
-		return ErrOpenVPNPasswordIsEmpty
+		return fmt.Errorf("%w", ErrOpenVPNPasswordIsEmpty)
 	}
 
 	err = validateOpenVPNConfigFilepath(isCustom, *o.ConfFile)
@@ -160,7 +160,7 @@ func validateOpenVPNConfigFilepath(isCustom bool,
 	}
 
 	if confFile == "" {
-		return ErrFilepathMissing
+		return fmt.Errorf("%w", ErrFilepathMissing)
 	}
 
 	err = helpers.FileExists(confFile)
@@ -186,7 +186,7 @@ func validateOpenVPNClientCertificate(vpnProvider,
 		providers.VPNSecure,
 		providers.VPNUnlimited:
 		if clientCert == "" {
-			return ErrMissingValue
+			return fmt.Errorf("%w", ErrMissingValue)
 		}
 	}
 
@@ -209,7 +209,7 @@ func validateOpenVPNClientKey(vpnProvider, clientKey string) (err error) {
 		providers.VPNUnlimited,
 		providers.Wevpn:
 		if clientKey == "" {
-			return ErrMissingValue
+			return fmt.Errorf("%w", ErrMissingValue)
 		}
 	}
 
@@ -227,7 +227,7 @@ func validateOpenVPNClientKey(vpnProvider, clientKey string) (err error) {
 func validateOpenVPNEncryptedKey(vpnProvider,
 	encryptedPrivateKey string) (err error) {
 	if vpnProvider == providers.VPNSecure && encryptedPrivateKey == "" {
-		return ErrMissingValue
+		return fmt.Errorf("%w", ErrMissingValue)
 	}
 
 	if encryptedPrivateKey == "" {
diff --git a/internal/configuration/settings/serverselection.go b/internal/configuration/settings/serverselection.go
index 0f83d412..81d94772 100644
--- a/internal/configuration/settings/serverselection.go
+++ b/internal/configuration/settings/serverselection.go
@@ -118,7 +118,7 @@ func (ss *ServerSelection) validate(vpnServiceProvider string,
 	}
 
 	if *ss.FreeOnly && *ss.PremiumOnly {
-		return ErrFreePremiumBothSet
+		return fmt.Errorf("%w", ErrFreePremiumBothSet)
 	}
 
 	if *ss.StreamOnly &&
diff --git a/internal/configuration/settings/wireguard.go b/internal/configuration/settings/wireguard.go
index 932e3d20..82a92e50 100644
--- a/internal/configuration/settings/wireguard.go
+++ b/internal/configuration/settings/wireguard.go
@@ -52,7 +52,7 @@ func (w Wireguard) validate(vpnProvider string, ipv6Supported bool) (err error)
 
 	// Validate PrivateKey
 	if *w.PrivateKey == "" {
-		return ErrWireguardPrivateKeyNotSet
+		return fmt.Errorf("%w", ErrWireguardPrivateKeyNotSet)
 	}
 	_, err = wgtypes.ParseKey(*w.PrivateKey)
 	if err != nil {
@@ -75,7 +75,7 @@ func (w Wireguard) validate(vpnProvider string, ipv6Supported bool) (err error)
 
 	// Validate Addresses
 	if len(w.Addresses) == 0 {
-		return ErrWireguardInterfaceAddressNotSet
+		return fmt.Errorf("%w", ErrWireguardInterfaceAddressNotSet)
 	}
 	for i, ipNet := range w.Addresses {
 		if ipNet.IP == nil || ipNet.Mask == nil {
diff --git a/internal/configuration/settings/wireguardselection.go b/internal/configuration/settings/wireguardselection.go
index d7101490..16d926d6 100644
--- a/internal/configuration/settings/wireguardselection.go
+++ b/internal/configuration/settings/wireguardselection.go
@@ -41,7 +41,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 		// endpoint IP addresses are baked in
 	case providers.Custom:
 		if len(w.EndpointIP) == 0 {
-			return ErrWireguardEndpointIPNotSet
+			return fmt.Errorf("%w", ErrWireguardEndpointIPNotSet)
 		}
 	default: // Providers not supporting Wireguard
 	}
@@ -51,12 +51,12 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// EndpointPort is required
 	case providers.Custom:
 		if *w.EndpointPort == 0 {
-			return ErrWireguardEndpointPortNotSet
+			return fmt.Errorf("%w", ErrWireguardEndpointPortNotSet)
 		}
 	// EndpointPort cannot be set
 	case providers.Surfshark:
 		if *w.EndpointPort != 0 {
-			return ErrWireguardEndpointPortSet
+			return fmt.Errorf("%w", ErrWireguardEndpointPortSet)
 		}
 	case providers.Airvpn, providers.Ivpn, providers.Mullvad, providers.Windscribe:
 		// EndpointPort is optional and can be 0
@@ -92,7 +92,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 		// public keys are baked in
 	case providers.Custom:
 		if w.PublicKey == "" {
-			return ErrWireguardPublicKeyNotSet
+			return fmt.Errorf("%w", ErrWireguardPublicKeyNotSet)
 		}
 	default: // Providers not supporting Wireguard
 	}
diff --git a/internal/httpproxy/handler.go b/internal/httpproxy/handler.go
index a58f0edf..39f2cc7a 100644
--- a/internal/httpproxy/handler.go
+++ b/internal/httpproxy/handler.go
@@ -2,6 +2,7 @@ package httpproxy
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"sync"
 	"time"
@@ -65,5 +66,5 @@ var hopHeaders = [...]string{ //nolint:gochecknoglobals
 
 // Do not follow redirect, but directly return the redirect response.
 func returnRedirect(*http.Request, []*http.Request) error {
-	return http.ErrUseLastResponse
+	return fmt.Errorf("%w", http.ErrUseLastResponse)
 }
diff --git a/internal/httpserver/settings.go b/internal/httpserver/settings.go
index 1c4801e5..29288234 100644
--- a/internal/httpserver/settings.go
+++ b/internal/httpserver/settings.go
@@ -91,11 +91,11 @@ func (s Settings) Validate() (err error) {
 	}
 
 	if s.Handler == nil {
-		return ErrHandlerIsNotSet
+		return fmt.Errorf("%w", ErrHandlerIsNotSet)
 	}
 
 	if s.Logger == nil {
-		return ErrLoggerIsNotSet
+		return fmt.Errorf("%w", ErrLoggerIsNotSet)
 	}
 
 	const minReadTimeout = time.Millisecond
diff --git a/internal/models/server.go b/internal/models/server.go
index 4f2273a3..4f33971e 100644
--- a/internal/models/server.go
+++ b/internal/models/server.go
@@ -47,17 +47,17 @@ var (
 func (s *Server) HasMinimumInformation() (err error) {
 	switch {
 	case s.VPN == "":
-		return ErrVPNFieldEmpty
+		return fmt.Errorf("%w", ErrVPNFieldEmpty)
 	case s.Hostname == "":
-		return ErrHostnameFieldEmpty
+		return fmt.Errorf("%w", ErrHostnameFieldEmpty)
 	case len(s.IPs) == 0:
-		return ErrIPsFieldEmpty
+		return fmt.Errorf("%w", ErrIPsFieldEmpty)
 	case s.VPN == vpn.Wireguard && (s.TCP || s.UDP):
-		return ErrNetworkProtocolSet
+		return fmt.Errorf("%w", ErrNetworkProtocolSet)
 	case s.VPN == vpn.OpenVPN && !s.TCP && !s.UDP:
-		return ErrNoNetworkProtocol
+		return fmt.Errorf("%w", ErrNoNetworkProtocol)
 	case s.VPN == vpn.Wireguard && s.WgPubKey == "":
-		return ErrWireguardPublicKeyEmpty
+		return fmt.Errorf("%w", ErrWireguardPublicKeyEmpty)
 	default:
 		return nil
 	}
diff --git a/internal/pprof/settings.go b/internal/pprof/settings.go
index 9e3031c1..48f5cbe0 100644
--- a/internal/pprof/settings.go
+++ b/internal/pprof/settings.go
@@ -2,6 +2,7 @@ package pprof
 
 import (
 	"errors"
+	"fmt"
 	"time"
 
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
@@ -63,11 +64,11 @@ var (
 
 func (s Settings) Validate() (err error) {
 	if *s.BlockProfileRate < 0 {
-		return ErrBlockProfileRateNegative
+		return fmt.Errorf("%w", ErrBlockProfileRateNegative)
 	}
 
 	if *s.MutexProfileRate < 0 {
-		return ErrMutexProfileRateNegative
+		return fmt.Errorf("%w", ErrMutexProfileRateNegative)
 	}
 
 	return s.HTTPServer.Validate()
diff --git a/internal/provider/mullvad/updater/hosttoserver.go b/internal/provider/mullvad/updater/hosttoserver.go
index 98aceb0f..981cff0b 100644
--- a/internal/provider/mullvad/updater/hosttoserver.go
+++ b/internal/provider/mullvad/updater/hosttoserver.go
@@ -25,7 +25,7 @@ func (hts hostToServer) add(data serverData) (err error) {
 	}
 
 	if data.IPv4 == "" && data.IPv6 == "" {
-		return ErrNoIP
+		return fmt.Errorf("%w", ErrNoIP)
 	}
 
 	server, ok := hts[data.Hostname]
diff --git a/internal/tun/check.go b/internal/tun/check.go
index 780f25bf..1d03f727 100644
--- a/internal/tun/check.go
+++ b/internal/tun/check.go
@@ -27,7 +27,7 @@ func (t *Tun) Check(path string) error {
 
 	sys, ok := info.Sys().(*syscall.Stat_t)
 	if !ok {
-		return ErrTUNInfo
+		return fmt.Errorf("%w", ErrTUNInfo)
 	}
 
 	const expectedRdev = 2760 // corresponds to major 10 and minor 200
diff --git a/internal/wireguard/settings.go b/internal/wireguard/settings.go
index f011441c..9492bfed 100644
--- a/internal/wireguard/settings.go
+++ b/internal/wireguard/settings.go
@@ -92,34 +92,34 @@ func (s *Settings) Check() (err error) {
 	}
 
 	if s.PrivateKey == "" {
-		return ErrPrivateKeyMissing
+		return fmt.Errorf("%w", ErrPrivateKeyMissing)
 	} else if _, err := wgtypes.ParseKey(s.PrivateKey); err != nil {
-		return ErrPrivateKeyInvalid
+		return fmt.Errorf("%w", ErrPrivateKeyInvalid)
 	}
 
 	if s.PublicKey == "" {
-		return ErrPublicKeyMissing
+		return fmt.Errorf("%w", ErrPublicKeyMissing)
 	} else if _, err := wgtypes.ParseKey(s.PublicKey); err != nil {
 		return fmt.Errorf("%w: %s", ErrPublicKeyInvalid, s.PublicKey)
 	}
 
 	if s.PreSharedKey != "" {
 		if _, err := wgtypes.ParseKey(s.PreSharedKey); err != nil {
-			return ErrPreSharedKeyInvalid
+			return fmt.Errorf("%w", ErrPreSharedKeyInvalid)
 		}
 	}
 
 	switch {
 	case s.Endpoint == nil:
-		return ErrEndpointMissing
+		return fmt.Errorf("%w", ErrEndpointMissing)
 	case len(s.Endpoint.IP) == 0:
-		return ErrEndpointIPMissing
+		return fmt.Errorf("%w", ErrEndpointIPMissing)
 	case s.Endpoint.Port == 0:
-		return ErrEndpointPortMissing
+		return fmt.Errorf("%w", ErrEndpointPortMissing)
 	}
 
 	if len(s.Addresses) == 0 {
-		return ErrAddressMissing
+		return fmt.Errorf("%w", ErrAddressMissing)
 	}
 	for i, addr := range s.Addresses {
 		switch {
@@ -136,7 +136,7 @@ func (s *Settings) Check() (err error) {
 	}
 
 	if s.FirewallMark == 0 {
-		return ErrFirewallMarkMissing
+		return fmt.Errorf("%w", ErrFirewallMarkMissing)
 	}
 
 	switch s.Implementation {