stash

Dockerfile

@@ -85,7 +85,7 @@ ENV VPN_SERVICE_PROVIDER=pia \
     OPENVPN_PASSWORD= \
     OPENVPN_USER_SECRETFILE=/run/secrets/openvpn_user \
     OPENVPN_PASSWORD_SECRETFILE=/run/secrets/openvpn_password \
-    OPENVPN_VERSION=2.4 \
+    OPENVPN_VERSION=2.6 \
     OPENVPN_VERBOSITY=1 \
     OPENVPN_FLAGS= \
     OPENVPN_CIPHERS= \
@@ -224,9 +224,6 @@ EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp
 HEALTHCHECK --interval=5s --timeout=5s --start-period=10s --retries=3 CMD /gluetun-entrypoint healthcheck
 ARG TARGETPLATFORM
 RUN apk add --no-cache --update -l wget && \
-    apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.12/main" openvpn\~2.4 && \
-    apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.16/main" openssl\~1.1 && \
-    mv /usr/sbin/openvpn /usr/sbin/openvpn2.4 && \
     apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.17/main" openvpn\~2.5 && \
     mv /usr/sbin/openvpn /usr/sbin/openvpn2.5 && \
     apk del openvpn && \

cmd/gluetun/main.go

@@ -270,7 +270,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 
 	err = printVersions(ctx, logger, []printVersionElement{
 		{name: "Alpine", getVersion: alpineConf.Version},
-		{name: "OpenVPN 2.4", getVersion: ovpnConf.Version24},
 		{name: "OpenVPN 2.5", getVersion: ovpnConf.Version25},
 		{name: "OpenVPN 2.6", getVersion: ovpnConf.Version26},
 		{name: "IPtables", getVersion: firewallConf.Version},

internal/configuration/settings/openvpn.go

@@ -19,7 +19,7 @@ import (
 // OpenVPN contains settings to configure the OpenVPN client.
 type OpenVPN struct {
 	// Version is the OpenVPN version to run.
-	// It can only be "2.4".
+	// It can only be "2.5" or "2.6".
 	Version string `json:"version"`
 	// User is the OpenVPN authentication username.
 	// It cannot be nil in the internal state if OpenVPN is used.
@@ -90,7 +90,7 @@ var ivpnAccountID = regexp.MustCompile(`^(i|ivpn)\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4
 
 func (o OpenVPN) validate(vpnProvider string) (err error) {
 	// Validate version
-	validVersions := []string{openvpn.Openvpn24}
+	validVersions := []string{openvpn.Openvpn25, openvpn.Openvpn26}
 	if err = validate.IsOneOf(o.Version, validVersions...); err != nil {
 		return fmt.Errorf("%w: %w", ErrOpenVPNVersionIsNotValid, err)
 	}
@@ -289,7 +289,7 @@ func (o *OpenVPN) overrideWith(other OpenVPN) {
 }
 
 func (o *OpenVPN) setDefaults(vpnProvider string) {
-	o.Version = gosettings.DefaultComparable(o.Version, openvpn.Openvpn24)
+	o.Version = gosettings.DefaultComparable(o.Version, openvpn.Openvpn26)
 	o.User = gosettings.DefaultPointer(o.User, "")
 	if vpnProvider == providers.Mullvad {
 		o.Password = gosettings.DefaultPointer(o.Password, "m")

internal/configuration/settings/settings.go

@@ -4,7 +4,9 @@ import (
 	"fmt"
 	"net/netip"
 
+	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
+	"github.com/qdm12/gluetun/internal/constants/vpn"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/pprof"
 	"github.com/qdm12/gosettings/reader"
@@ -160,6 +162,18 @@ func (s Settings) Warnings() (warnings []string) {
 			" so this will likely not work anymore. See https://github.com/qdm12/gluetun/issues/1498.")
 	}
 
+	if helpers.IsOneOf(s.VPN.Provider.Name, providers.SlickVPN) &&
+		s.VPN.Type == vpn.OpenVPN {
+		warnings = append(warnings, "OpenVPN 2.5 and 2.6 use OpenSSL 3 "+
+			"which prohibits the usage of weak security in today's standards. "+
+			s.VPN.Provider.Name+" uses weak security which is out "+
+			"of Gluetun's control so the only workaround is to allow such weaknesses "+
+			`using the OpenVPN option tls-cipher "DEFAULT:@SECLEVEL=0". `+
+			"You might want to reach to your provider so they upgrade their certificates. "+
+			"Once this is done, you will have to let the Gluetun maintainers know "+
+			"by creating an issue, attaching the new certificate and we will update Gluetun.")
+	}
+
 	// TODO remove in v4
 	if s.DNS.ServerAddress.Unmap().Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
 		warnings = append(warnings, "DNS address is set to "+s.DNS.ServerAddress.String()+

internal/configuration/settings/settings_test.go

@@ -30,7 +30,7 @@ func Test_Settings_String(t *testing.T) {
 |   |           ├── Protocol: UDP
 |   |           └── Private Internet Access encryption preset: strong
 |   └── OpenVPN settings:
-|       ├── OpenVPN version: 2.4
+|       ├── OpenVPN version: 2.6
 |       ├── User: [not set]
 |       ├── Password: [not set]
 |       ├── Private Internet Access encryption preset: strong

internal/constants/openvpn/versions.go

@@ -1,5 +1,6 @@
 package openvpn
 
 const (
-	Openvpn24 = "2.4"
+	Openvpn25 = "2.5"
+	Openvpn26 = "2.6"
 )

internal/dns/settings.go

@@ -22,14 +22,15 @@ func (l *Loop) SetSettings(ctx context.Context, settings settings.DNS) (
 	return l.state.SetSettings(ctx, settings)
 }
 
-func buildDoTSettings(settings settings.DNS,
+func buildServerSettings(settings settings.DNS,
 	filter *mapfilter.Filter, logger Logger) (
 	serverSettings server.Settings, err error,
 ) {
 	serverSettings.Logger = logger
+	providersData := provider.NewProviders()
 
 	var dotSettings dot.Settings
-	providersData := provider.NewProviders()
+	dotSettings.Warner = logger
 	dotSettings.UpstreamResolvers = make([]provider.Provider, len(settings.DoT.Providers))
 	for i := range settings.DoT.Providers {
 		var err error

internal/dns/setup.go

@@ -20,7 +20,7 @@ func (l *Loop) setupServer(ctx context.Context) (runError <-chan error, err erro
 
 	settings := l.GetSettings()
 
-	dotSettings, err := buildDoTSettings(settings, l.filter, l.logger)
+	dotSettings, err := buildServerSettings(settings, l.filter, l.logger)
 	if err != nil {
 		return nil, fmt.Errorf("building DoT settings: %w", err)
 	}

internal/openvpn/start.go

@@ -13,7 +13,8 @@ import (
 var ErrVersionUnknown = errors.New("OpenVPN version is unknown")
 
 const (
-	binOpenvpn24 = "openvpn2.4"
+	binOpenvpn25 = "openvpn2.5"
+	binOpenvpn26 = "openvpn2.6"
 )
 
 func start(ctx context.Context, starter CmdStarter, version string, flags []string) (
@@ -21,8 +22,10 @@ func start(ctx context.Context, starter CmdStarter, version string, flags []stri
 ) {
 	var bin string
 	switch version {
-	case openvpn.Openvpn24:
+	case openvpn.Openvpn25:
-		bin = binOpenvpn24
+		bin = binOpenvpn25
+	case openvpn.Openvpn26:
+		bin = binOpenvpn26
 	default:
 		return nil, nil, nil, fmt.Errorf("%w: %s", ErrVersionUnknown, version)
 	}

internal/openvpn/version.go

@@ -8,8 +8,12 @@ import (
 	"strings"
 )
 
-func (c *Configurator) Version24(ctx context.Context) (version string, err error) {
+func (c *Configurator) Version25(ctx context.Context) (version string, err error) {
-	return c.version(ctx, binOpenvpn24)
+	return c.version(ctx, binOpenvpn25)
+}
+
+func (c *Configurator) Version26(ctx context.Context) (version string, err error) {
+	return c.version(ctx, binOpenvpn26)
 }
 
 var ErrVersionTooShort = errors.New("version output is too short")

internal/provider/airvpn/openvpnconf.go

@@ -28,8 +28,6 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 	}
 
 	switch settings.Version {
-	case openvpn.Openvpn24:
-		providerSettings.Ciphers = []string{openvpn.AES256cbc}
 	case openvpn.Openvpn25, openvpn.Openvpn26:
 		providerSettings.Ciphers = []string{
 			openvpn.AES256gcm, openvpn.AES256cbc, openvpn.AES192gcm,

internal/provider/custom/openvpnconf_test.go

@@ -64,8 +64,8 @@ func Test_modifyConfig(t *testing.T) {
 				"suppress-timestamps",
 				"auth-user-pass /etc/openvpn/auth.conf",
 				"verb 0",
-				"cipher cipher", //nolint:dupword
+				"data-ciphers-fallback cipher",
-				"ncp-ciphers cipher",
+				"data-ciphers cipher",
 				"auth sha512",
 				"mssfix 1000",
 				"pull-filter ignore \"route-ipv6\"",

internal/provider/expressvpn/updater/hardcoded.go

@@ -32,7 +32,6 @@ func hardcodedServers() (servers []models.Server) {
 		{Country: "Canada", City: "Montreal", Hostname: "canada-montreal-ca-version-2.expressnetw.com"},
 		{Country: "Canada", City: "Toronto", Hostname: "canada-toronto-2-ca-version-2.expressnetw.com"},
 		{Country: "Canada", City: "Toronto", Hostname: "canada-toronto-ca-version-2.expressnetw.com"},
-		{Country: "Canada", City: "Vancouver", Hostname: "canada-vancouver-ca-version-2.expressnetw.com"},
 		{Country: "Chile", Hostname: "chile-ca-version-2.expressnetw.com"},
 		{Country: "Colombia", Hostname: "colombia-ca-version-2.expressnetw.com"},
 		{Country: "Costa Rica", City: "Costa Rica", Hostname: "costarica-ca-version-2.expressnetw.com"},
@@ -49,17 +48,13 @@ func hardcodedServers() (servers []models.Server) {
 		{Country: "France", City: "Strasbourg", Hostname: "france-strasbourg-ca-version-2.expressnetw.com"},
 		{Country: "Georgia", Hostname: "georgia-ca-version-2.expressnetw.com"},
 		{Country: "Germany", City: "Frankfurt", Hostname: "germany-frankfurt-1-ca-version-2.expressnetw.com"},
-		{Country: "Germany", City: "Frankfurt", Hostname: "germany-frankfurt-2-ca-version-2.expressnetw.com"},
 		{Country: "Germany", City: "Frankfurt", Hostname: "germany-darmstadt-ca-version-2.expressnetw.com"},
 		{Country: "Germany", City: "Nuremberg", Hostname: "germany-nuremberg-ca-version-2.expressnetw.com"},
 		{Country: "Greece", Hostname: "greece-ca-version-2.expressnetw.com"},
 		{Country: "Guatemala", Hostname: "guatemala-ca-version-2.expressnetw.com"},
 		{Country: "Hong Kong", City: "Hong Kong", Hostname: "hongkong-2-ca-version-2.expressnetw.com"},
-		{Country: "Hong Kong", City: "Hong Kong", Hostname: "hongkong4-ca-version-2.expressnetw.com"},
 		{Country: "Hungary", Hostname: "hungary-ca-version-2.expressnetw.com"},
 		{Country: "Iceland", Hostname: "iceland-ca-version-2.expressnetw.com"},
-		{Country: "India", City: "Chennai", Hostname: "india-chennai-ca-version-2.expressnetw.com"},
-		{Country: "India", City: "Mumbai", Hostname: "india-mumbai-1-ca-version-2.expressnetw.com"},
 		{Country: "Indonesia", Hostname: "indonesia-ca-version-2.expressnetw.com"},
 		{Country: "Ireland", Hostname: "ireland-ca-version-2.expressnetw.com"},
 		{Country: "Isle Of Man", City: "Isle Of Man", Hostname: "isleofman-ca-version-2.expressnetw.com"},
@@ -72,7 +67,6 @@ func hardcodedServers() (servers []models.Server) {
 		{Country: "Jersey", Hostname: "jersey-ca-version-2.expressnetw.com"},
 		{Country: "Kazakhstan", Hostname: "kazakhstan-ca-version-2.expressnetw.com"},
 		{Country: "Kenya", Hostname: "kenya-ca-version-2.expressnetw.com"},
-		{Country: "Kyrgyzstan", Hostname: "kyrgyzstan-ca-version-2.expressnetw.com"},
 		{Country: "Laos", Hostname: "laos-ca-version-2.expressnetw.com"},
 		{Country: "Latvia", Hostname: "latvia-ca-version-2.expressnetw.com"},
 		{Country: "Liechtenstein", Hostname: "liechtenstein-ca-version-2.expressnetw.com"},
@@ -88,7 +82,6 @@ func hardcodedServers() (servers []models.Server) {
 		{Country: "Montenegro", Hostname: "montenegro-ca-version-2.expressnetw.com"},
 		{Country: "Myanmar", Hostname: "myanmar-ca-version-2.expressnetw.com"},
 		{Country: "Nepal", Hostname: "nepal-ca-version-2.expressnetw.com"},
-		{Country: "Netherlands", City: "Amsterdam", Hostname: "netherlands-amsterdam-2-ca-version-2.expressnetw.com"},
 		{Country: "Netherlands", City: "Amsterdam", Hostname: "netherlands-amsterdam-ca-version-2.expressnetw.com"},
 		{Country: "Netherlands", City: "Rotterdam", Hostname: "netherlands-rotterdam-ca-version-2.expressnetw.com"},
 		{Country: "Netherlands", City: "The Hague", Hostname: "netherlands-thehague-ca-version-2.expressnetw.com"},
@@ -129,7 +122,6 @@ func hardcodedServers() (servers []models.Server) {
 		{Country: "USA", City: "Dallas", Hostname: "usa-dallas-2-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "Dallas", Hostname: "usa-dallas-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "Denver", Hostname: "usa-denver-ca-version-2.expressnetw.com"},
-		{Country: "USA", City: "Los Angeles", Hostname: "usa-losangeles-1-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "Los Angeles", Hostname: "usa-losangeles-2-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "Los Angeles", Hostname: "usa-losangeles-3-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "Los Angeles", Hostname: "usa-losangeles5-ca-version-2.expressnetw.com"},
@@ -138,7 +130,6 @@ func hardcodedServers() (servers []models.Server) {
 		{Country: "USA", City: "New Jersey", Hostname: "usa-newjersey-1-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "New Jersey", Hostname: "usa-newjersey2-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "New Jersey", Hostname: "usa-newjersey-3-ca-version-2.expressnetw.com"},
-		{Country: "USA", City: "New York", Hostname: "us-new-york-2-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "New York", Hostname: "usa-newyork-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "Salt Lake City", Hostname: "usa-saltlakecity-ca-version-2.expressnetw.com"},
 		{Country: "USA", City: "San Francisco", Hostname: "usa-sanfrancisco-ca-version-2.expressnetw.com"},

internal/provider/slickvpn/openvpnconf.go

@@ -31,5 +31,11 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 		},
 	}
 
+	// SlickVPN's certificate is sha1WithRSAEncryption and sha1 is now
+	// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
+	// We lower the security level to 3 to allow this algorithm,
+	// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+	providerSettings.TLSCipher = "DEFAULT:@SECLEVEL=0"
+
 	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
 }

internal/provider/utils/cipher.go

@@ -10,7 +10,7 @@ func CipherLines(ciphers []string) (lines []string) {
 	}
 
 	return []string{
-		"cipher " + ciphers[0],
+		"data-ciphers-fallback " + ciphers[0],
-		"ncp-ciphers " + strings.Join(ciphers, ":"),
+		"data-ciphers " + strings.Join(ciphers, ":"),
 	}
 }

internal/provider/utils/cipher_test.go

@@ -16,16 +16,16 @@ func Test_CipherLines(t *testing.T) {
 		"empty version": {
 			ciphers: []string{"AES"},
 			lines: []string{
-				"cipher AES",
+				"data-ciphers-fallback AES",
-				"ncp-ciphers AES",
+				"data-ciphers AES",
 			},
 		},
-		"2.4": {
+		"2.5": {
 			ciphers: []string{"AES", "CBC"},
-			version: "2.4",
+			version: "2.5",
 			lines: []string{
-				"cipher AES",
+				"data-ciphers-fallback AES",
-				"ncp-ciphers AES:CBC",
+				"data-ciphers AES:CBC",
 			},
 		},
 	}

internal/updater/resolver/parallel.go

@@ -5,10 +5,12 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
+	"time"
 )
 
 type Parallel struct {
-	repeatResolver *Repeat
+	lastRequestTime time.Time
+	repeatResolver  *Repeat
 }
 
 func NewParallelResolver(resolverAddress string) *Parallel {

maintenance.md

@@ -1,6 +1,8 @@
 # Maintenance
 
-- Rename `UNBLOCK` to `DNS_HOSTNAMES_UNBLOCKED`
+<https://github.com/macvk/dnsleaktest/blob/master/dnsleaktest.go>
+
+- Rename `UNBLOCK` to `DNS_ALLOWED_HOSTNAMES`
 - Change `Run` methods to `Start`+`Stop`, returning channels rather than injecting them
 - Go 1.18
   - gofumpt