Remove unneeded allow-compression asym

- CA
- TLS auth
- TLS crypt (for singapore)
- `allow-compression asym`
- `replay-window 256`
- remote-cert-tls server
- move aes256gcm as preferred cipher

.github/ISSUE_TEMPLATE/bug.yml

@@ -56,6 +56,7 @@ body:
         - IVPN
         - Mullvad
         - NordVPN
+        - OVPN
         - Privado
         - Private Internet Access
         - PrivateVPN

.github/labels.yml

@@ -62,6 +62,8 @@
   color: "cfe8d4"
 - name: "☁️ NordVPN"
   color: "cfe8d4"
+- name: "☁️ OVPN"
+  color: "cfe8d4"
 - name: "☁️ Perfect Privacy"
   color: "cfe8d4"
 - name: "☁️ PIA"

.golangci.yml

@@ -20,9 +20,6 @@ issues:
       text: "newCipherDESCBCBlock returns interface \\(github\\.com\\/youmark\\/pkcs8\\.Cipher\\)"
       linters:
         - ireturn
-    - source: "^\\/\\/ https\\:\\/\\/.+$"
-      linters:
-        - lll
 
 linters:
   enable:

Dockerfile

@@ -147,7 +147,7 @@ ENV VPN_SERVICE_PROVIDER=pia \
     # # ProtonVPN only:
     SECURE_CORE_ONLY= \
     TOR_ONLY= \
-    # # Surfshark only:
+    # # Surfshark and ovpn only:
     MULTIHOP_ONLY= \
     # # VPN Secure only:
     PREMIUM_ONLY= \
@@ -204,8 +204,6 @@ ENV VPN_SERVICE_PROVIDER=pia \
     UPDATER_PERIOD=0 \
     UPDATER_MIN_RATIO=0.8 \
     UPDATER_VPN_SERVICE_PROVIDERS= \
-    UPDATER_PROTONVPN_USERNAME= \
-    UPDATER_PROTONVPN_PASSWORD= \
     # Public IP
     PUBLICIP_FILE="/tmp/gluetun/ip" \
     PUBLICIP_ENABLED=on \

README.md

@@ -57,10 +57,10 @@ Lightweight swiss-knife-like VPN client to multiple VPN service providers
 ## Features
 
 - Based on Alpine 3.20 for a small Docker image of 35.6MB
-- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad**, **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **WeVPN**, **Windscribe** servers
+- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad**, **NordVPN**, **Ovpn**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **WeVPN**, **Windscribe** servers
 - Supports OpenVPN for all providers listed
 - Supports Wireguard both kernelspace and userspace
-  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
+  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Ovpn**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
   - For **Cyberghost**, **Private Internet Access**, **PrivateVPN**, **PureVPN**, **Torguard**, **VPN Unlimited**, **VyprVPN** and **WeVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
   - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
   - More in progress, see [#134](https://github.com/qdm12/gluetun/issues/134)

cmd/gluetun/main.go

@@ -420,8 +420,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	parallelResolver := resolver.NewParallelResolver(allSettings.Updater.DNSAddress)
 	openvpnFileExtractor := extract.New()
 	providers := provider.NewProviders(storage, time.Now, updaterLogger,
-		httpClient, unzipper, parallelResolver, publicIPLooper.Fetcher(),
-		openvpnFileExtractor, allSettings.Updater)
+		httpClient, unzipper, parallelResolver, publicIPLooper.Fetcher(), openvpnFileExtractor)
 
 	vpnLogger := logger.New(log.SetComponent("vpn"))
 	vpnLooper := vpn.NewLoop(allSettings.VPN, ipv6Supported, allSettings.Firewall.VPNInputPorts,

go.mod

@@ -3,7 +3,6 @@ module github.com/qdm12/gluetun
 go 1.23
 
 require (
-	github.com/ProtonMail/go-srp v0.0.7
 	github.com/breml/rootcerts v0.2.19
 	github.com/fatih/color v1.18.0
 	github.com/golang/mock v1.6.0
@@ -23,20 +22,16 @@ require (
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
 	golang.org/x/net v0.31.0
-	golang.org/x/sys v0.30.0
-	golang.org/x/text v0.22.0
+	golang.org/x/sys v0.27.0
+	golang.org/x/text v0.20.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	gopkg.in/ini.v1 v1.67.0
 )
 
 require (
-	github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf // indirect
-	github.com/ProtonMail/go-crypto v1.3.0-proton // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cloudflare/circl v1.6.0 // indirect
-	github.com/cronokirby/saferith v0.33.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/josharian/native v1.1.0 // indirect
@@ -47,7 +42,6 @@ require (
 	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/miekg/dns v1.1.62 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
@@ -56,9 +50,9 @@ require (
 	github.com/qdm12/goservices v0.1.0 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect

go.sum

@@ -1,23 +1,9 @@
-github.com/ProtonMail/bcrypt v0.0.0-20210511135022-227b4adcab57/go.mod h1:HecWFHognK8GfRDGnFQbW/LiV7A3MX3gZVs45vk5h8I=
-github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf h1:yc9daCCYUefEs69zUkSzubzjBbL+cmOXgnmt9Fyd9ug=
-github.com/ProtonMail/bcrypt v0.0.0-20211005172633-e235017c1baf/go.mod h1:o0ESU9p83twszAU8LBeJKFAAMX14tISa0yk4Oo5TOqo=
-github.com/ProtonMail/go-crypto v0.0.0-20230321155629-9a39f2531310/go.mod h1:8TI4H3IbrackdNgv+92dI+rhpCaLqM0IfpgCgenFvRE=
-github.com/ProtonMail/go-crypto v1.3.0-proton h1:tAQKQRZX/73VmzK6yHSCaRUOvS/3OYSQzhXQsrR7yUM=
-github.com/ProtonMail/go-crypto v1.3.0-proton/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
-github.com/ProtonMail/go-srp v0.0.7 h1:Sos3Qk+th4tQR64vsxGIxYpN3rdnG9Wf9K4ZloC1JrI=
-github.com/ProtonMail/go-srp v0.0.7/go.mod h1:giCp+7qRnMIcCvI6V6U3S1lDDXDQYx2ewJ6F/9wdlJk=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/breml/rootcerts v0.2.19 h1:3D/qwAC1xoh82GmZ21mYzQ1NaLOICUVntIo+MRZYr4U=
 github.com/breml/rootcerts v0.2.19/go.mod h1:S/PKh+4d1HUn4HQovEB8hPJZO6pUZYrIhmXBhsegfXw=
-github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
-github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
-github.com/cronokirby/saferith v0.33.0 h1:TgoQlfsD4LIwx71+ChfRcIpjkw+RPOapDEVxa+LhwLo=
-github.com/cronokirby/saferith v0.33.0/go.mod h1:QKJhjoqUtBsXCAVEjw38mFqoi7DebT7kthcD7UzbnoA=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
@@ -57,8 +43,6 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
@@ -100,70 +84,46 @@ github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZla
 github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a h1:fZHgsYlfvtyqToslyjUt3VOPF4J7aK/3MPcK7xp3PDk=
 github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a/go.mod h1:ul22v+Nro/R083muKhosV54bj5niojjWZvU8xrevuH4=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
 golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
 golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/cli/openvpnconfig.go

@@ -76,7 +76,7 @@ func (c *CLI) OpenvpnConfig(logger OpenvpnConfigLogger, reader *reader.Reader,
 	openvpnFileExtractor := extract.New()
 
 	providers := provider.NewProviders(storage, time.Now, warner, client,
-		unzipper, parallelResolver, ipFetcher, openvpnFileExtractor, allSettings.Updater)
+		unzipper, parallelResolver, ipFetcher, openvpnFileExtractor)
 	providerConf := providers.Get(allSettings.VPN.Provider.Name)
 	connection, err := providerConf.GetConnection(
 		allSettings.VPN.Provider.ServerSelection, ipv6Supported)

internal/cli/update.go

@@ -6,7 +6,6 @@ import (
 	"flag"
 	"fmt"
 	"net/http"
-	"slices"
 	"strings"
 	"time"
 
@@ -25,8 +24,6 @@ import (
 var (
 	ErrModeUnspecified     = errors.New("at least one of -enduser or -maintainer must be specified")
 	ErrNoProviderSpecified = errors.New("no provider was specified")
-	ErrUsernameMissing     = errors.New("username is required for this provider")
-	ErrPasswordMissing     = errors.New("password is required for this provider")
 )
 
 type UpdaterLogger interface {
@@ -38,7 +35,7 @@ type UpdaterLogger interface {
 func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) error {
 	options := settings.Updater{}
 	var endUserMode, maintainerMode, updateAll bool
-	var csvProviders, ipToken, protonUsername, protonPassword string
+	var csvProviders, ipToken string
 	flagSet := flag.NewFlagSet("update", flag.ExitOnError)
 	flagSet.BoolVar(&endUserMode, "enduser", false, "Write results to /gluetun/servers.json (for end users)")
 	flagSet.BoolVar(&maintainerMode, "maintainer", false,
@@ -50,8 +47,6 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 	flagSet.BoolVar(&updateAll, "all", false, "Update servers for all VPN providers")
 	flagSet.StringVar(&csvProviders, "providers", "", "CSV string of VPN providers to update server data for")
 	flagSet.StringVar(&ipToken, "ip-token", "", "IP data service token (e.g. ipinfo.io) to use")
-	flagSet.StringVar(&protonUsername, "proton-username", "", "Username to use to authenticate with Proton")
-	flagSet.StringVar(&protonPassword, "proton-password", "", "Password to use to authenticate with Proton")
 	if err := flagSet.Parse(args); err != nil {
 		return err
 	}
@@ -69,11 +64,6 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 		options.Providers = strings.Split(csvProviders, ",")
 	}
 
-	if slices.Contains(options.Providers, providers.Protonvpn) {
-		options.ProtonUsername = &protonUsername
-		options.ProtonPassword = &protonPassword
-	}
-
 	options.SetDefaults(options.Providers[0])
 
 	err := options.Validate()
@@ -104,7 +94,7 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 	openvpnFileExtractor := extract.New()
 
 	providers := provider.NewProviders(storage, time.Now, logger, httpClient,
-		unzipper, parallelResolver, ipFetcher, openvpnFileExtractor, options)
+		unzipper, parallelResolver, ipFetcher, openvpnFileExtractor)
 
 	updater := updater.New(httpClient, storage, providers, logger)
 	err = updater.UpdateServers(ctx, options.Providers, options.MinRatio)

internal/configuration/settings/errors.go

@@ -36,8 +36,6 @@ var (
 	ErrSystemPUIDNotValid              = errors.New("process user id is not valid")
 	ErrSystemTimezoneNotValid          = errors.New("timezone is not valid")
 	ErrUpdaterPeriodTooSmall           = errors.New("VPN server data updater period is too small")
-	ErrUpdaterProtonPasswordMissing    = errors.New("proton password is missing")
-	ErrUpdaterProtonUsernameMissing    = errors.New("proton username is missing")
 	ErrVPNProviderNameNotValid         = errors.New("VPN provider name is not valid")
 	ErrVPNTypeNotValid                 = errors.New("VPN type is not valid")
 	ErrWireguardAllowedIPNotSet        = errors.New("allowed IP is not set")

internal/configuration/settings/openvpnselection.go

@@ -65,7 +65,7 @@ func (o OpenVPNSelection) validate(vpnProvider string) (err error) {
 		switch vpnProvider {
 		// no restriction on port
 		case providers.Custom, providers.Cyberghost, providers.HideMyAss,
-			providers.Privatevpn, providers.Torguard:
+			providers.Ovpn, providers.Privatevpn, providers.Torguard:
 		// no custom port allowed
 		case providers.Expressvpn, providers.Fastestvpn,
 			providers.Giganews, providers.Ipvanish, providers.Nordvpn,

internal/configuration/settings/provider.go

@@ -39,6 +39,7 @@ func (p *Provider) validate(vpnType string, filterChoicesGetter FilterChoicesGet
 			providers.Ivpn,
 			providers.Mullvad,
 			providers.Nordvpn,
+			providers.Ovpn,
 			providers.Protonvpn,
 			providers.Surfshark,
 			providers.Windscribe,

internal/configuration/settings/updater.go

@@ -2,7 +2,6 @@ package settings
 
 import (
 	"fmt"
-	"slices"
 	"strings"
 	"time"
 
@@ -32,10 +31,6 @@ type Updater struct {
 	// Providers is the list of VPN service providers
 	// to update server information for.
 	Providers []string
-	// ProtonUsername is the username to authenticate with the Proton API.
-	ProtonUsername *string
-	// ProtonPassword is the password to authenticate with the Proton API.
-	ProtonPassword *string
 }
 
 func (u Updater) Validate() (err error) {
@@ -56,18 +51,6 @@ func (u Updater) Validate() (err error) {
 		if err != nil {
 			return fmt.Errorf("%w: %w", ErrVPNProviderNameNotValid, err)
 		}
-
-		if provider == providers.Protonvpn {
-			authenticatedAPI := *u.ProtonUsername != "" || *u.ProtonPassword != ""
-			if authenticatedAPI {
-				switch {
-				case *u.ProtonUsername == "":
-					return fmt.Errorf("%w", ErrUpdaterProtonUsernameMissing)
-				case *u.ProtonPassword == "":
-					return fmt.Errorf("%w", ErrUpdaterProtonPasswordMissing)
-				}
-			}
-		}
 	}
 
 	return nil
@@ -75,12 +58,10 @@ func (u Updater) Validate() (err error) {
 
 func (u *Updater) copy() (copied Updater) {
 	return Updater{
-		Period:         gosettings.CopyPointer(u.Period),
-		DNSAddress:     u.DNSAddress,
-		MinRatio:       u.MinRatio,
-		Providers:      gosettings.CopySlice(u.Providers),
-		ProtonUsername: gosettings.CopyPointer(u.ProtonUsername),
-		ProtonPassword: gosettings.CopyPointer(u.ProtonPassword),
+		Period:     gosettings.CopyPointer(u.Period),
+		DNSAddress: u.DNSAddress,
+		MinRatio:   u.MinRatio,
+		Providers:  gosettings.CopySlice(u.Providers),
 	}
 }
 
@@ -92,8 +73,6 @@ func (u *Updater) overrideWith(other Updater) {
 	u.DNSAddress = gosettings.OverrideWithComparable(u.DNSAddress, other.DNSAddress)
 	u.MinRatio = gosettings.OverrideWithComparable(u.MinRatio, other.MinRatio)
 	u.Providers = gosettings.OverrideWithSlice(u.Providers, other.Providers)
-	u.ProtonUsername = gosettings.OverrideWithPointer(u.ProtonUsername, other.ProtonUsername)
-	u.ProtonPassword = gosettings.OverrideWithPointer(u.ProtonPassword, other.ProtonPassword)
 }
 
 func (u *Updater) SetDefaults(vpnProvider string) {
@@ -108,10 +87,6 @@ func (u *Updater) SetDefaults(vpnProvider string) {
 	if len(u.Providers) == 0 && vpnProvider != providers.Custom {
 		u.Providers = []string{vpnProvider}
 	}
-
-	// Set these to empty strings to avoid nil pointer panics
-	u.ProtonUsername = gosettings.DefaultPointer(u.ProtonUsername, "")
-	u.ProtonPassword = gosettings.DefaultPointer(u.ProtonPassword, "")
 }
 
 func (u Updater) String() string {
@@ -128,10 +103,6 @@ func (u Updater) toLinesNode() (node *gotree.Node) {
 	node.Appendf("DNS address: %s", u.DNSAddress)
 	node.Appendf("Minimum ratio: %.1f", u.MinRatio)
 	node.Appendf("Providers to update: %s", strings.Join(u.Providers, ", "))
-	if slices.Contains(u.Providers, providers.Protonvpn) {
-		node.Appendf("Proton API username: %s", *u.ProtonUsername)
-		node.Appendf("Proton API password: %s", gosettings.ObfuscateKey(*u.ProtonPassword))
-	}
 
 	return node
 }
@@ -154,14 +125,6 @@ func (u *Updater) read(r *reader.Reader) (err error) {
 
 	u.Providers = r.CSV("UPDATER_VPN_SERVICE_PROVIDERS")
 
-	u.ProtonUsername = r.Get("UPDATER_PROTONVPN_USERNAME")
-	if u.ProtonUsername != nil {
-		// Enforce to use the username not the email address
-		*u.ProtonUsername = strings.TrimSuffix(*u.ProtonUsername, "@protonmail.com")
-		*u.ProtonUsername = strings.TrimSuffix(*u.ProtonUsername, "@proton.me")
-	}
-	u.ProtonPassword = r.Get("UPDATER_PROTONVPN_PASSWORD")
-
 	return nil
 }
 

internal/configuration/settings/wireguard.go

@@ -65,6 +65,7 @@ func (w Wireguard) validate(vpnProvider string, ipv6Supported bool) (err error)
 		providers.Ivpn,
 		providers.Mullvad,
 		providers.Nordvpn,
+		providers.Ovpn,
 		providers.Protonvpn,
 		providers.Surfshark,
 		providers.Windscribe,

internal/configuration/settings/wireguardselection.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/netip"
 
+	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
@@ -21,7 +22,7 @@ type WireguardSelection struct {
 	// in the internal state.
 	EndpointIP netip.Addr `json:"endpoint_ip"`
 	// EndpointPort is a the server port to use for the VPN server.
-	// It is optional for VPN providers IVPN, Mullvad, Surfshark
+	// It is optional for VPN providers IVPN, Mullvad, Ovpn, Surfshark
 	// and Windscribe, and compulsory for the others.
 	// When optional, it can be set to 0 to indicate not use
 	// a custom endpoint port. It cannot be nil in the internal
@@ -39,8 +40,9 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate EndpointIP
 	switch vpnProvider {
 	case providers.Airvpn, providers.Fastestvpn, providers.Ivpn,
-		providers.Mullvad, providers.Nordvpn, providers.Protonvpn,
-		providers.Surfshark, providers.Windscribe:
+		providers.Mullvad, providers.Nordvpn, providers.Ovpn,
+		providers.Protonvpn, providers.Surfshark,
+		providers.Windscribe:
 		// endpoint IP addresses are baked in
 	case providers.Custom:
 		if !w.EndpointIP.IsValid() || w.EndpointIP.IsUnspecified() {
@@ -62,12 +64,16 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 		if *w.EndpointPort != 0 {
 			return fmt.Errorf("%w", ErrWireguardEndpointPortSet)
 		}
-	case providers.Airvpn, providers.Ivpn, providers.Mullvad, providers.Windscribe:
+	case providers.Airvpn, providers.Ivpn, providers.Mullvad,
+		providers.Ovpn, providers.Windscribe:
 		// EndpointPort is optional and can be 0
 		if *w.EndpointPort == 0 {
 			break // no custom endpoint port set
 		}
-		if vpnProvider == providers.Mullvad {
+		if helpers.IsOneOf(vpnProvider,
+			providers.Mullvad,
+			providers.Ovpn,
+		) {
 			break // no restriction on custom endpoint port value
 		}
 		var allowed []uint16
@@ -92,7 +98,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate PublicKey
 	switch vpnProvider {
 	case providers.Fastestvpn, providers.Ivpn, providers.Mullvad,
-		providers.Surfshark, providers.Windscribe:
+		providers.Ovpn, providers.Surfshark, providers.Windscribe:
 		// public keys are baked in
 	case providers.Custom:
 		if w.PublicKey == "" {

internal/constants/providers/providers.go

@@ -15,6 +15,7 @@ const (
 	Ivpn                  = "ivpn"
 	Mullvad               = "mullvad"
 	Nordvpn               = "nordvpn"
+	Ovpn                  = "ovpn"
 	Perfectprivacy        = "perfect privacy"
 	Privado               = "privado"
 	PrivateInternetAccess = "private internet access"
@@ -44,6 +45,7 @@ func All() []string {
 		Ivpn,
 		Mullvad,
 		Nordvpn,
+		Ovpn,
 		Perfectprivacy,
 		Privado,
 		PrivateInternetAccess,

internal/models/server.go

@@ -36,6 +36,8 @@ type Server struct {
 	PortForward bool         `json:"port_forward,omitempty"`
 	Keep        bool         `json:"keep,omitempty"`
 	IPs         []netip.Addr `json:"ips,omitempty"`
+	PortsTCP    []uint16     `json:"ports_tcp,omitempty"`
+	PortsUDP    []uint16     `json:"ports_udp,omitempty"`
 }
 
 var (

internal/portforward/service/stop.go

@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"fmt"
+	"os"
 	"time"
 )
 
@@ -60,10 +61,10 @@ func (s *Service) cleanup() (err error) {
 	s.ports = nil
 
 	filepath := s.settings.Filepath
-	s.logger.Info("clearing port file " + filepath)
-	err = s.writePortForwardedFile(nil)
+	s.logger.Info("removing port file " + filepath)
+	err = os.Remove(filepath)
 	if err != nil {
-		return fmt.Errorf("clearing port file: %w", err)
+		return fmt.Errorf("removing port file: %w", err)
 	}
 
 	return nil

internal/provider/common/updater.go

@@ -13,7 +13,6 @@ var (
 	ErrNotEnoughServers     = errors.New("not enough servers found")
 	ErrHTTPStatusCodeNotOK  = errors.New("HTTP status code not OK")
 	ErrIPFetcherUnsupported = errors.New("IP fetcher not supported")
-	ErrCredentialsMissing   = errors.New("credentials missing")
 )
 
 type Fetcher interface {

internal/provider/cyberghost/provider.go

@@ -15,12 +15,12 @@ type Provider struct {
 }
 
 func New(storage common.Storage, randSource rand.Source,
-	updaterWarner common.Warner, parallelResolver common.ParallelResolver,
+	parallelResolver common.ParallelResolver,
 ) *Provider {
 	return &Provider{
 		storage:    storage,
 		randSource: randSource,
-		Fetcher:    updater.New(parallelResolver, updaterWarner),
+		Fetcher:    updater.New(parallelResolver),
 	}
 }
 

internal/provider/cyberghost/updater/servers.go

@@ -16,10 +16,7 @@ func (u *Updater) FetchServers(ctx context.Context, minServers int) (
 
 	possibleHosts := possibleServers.hostsSlice()
 	resolveSettings := parallelResolverSettings(possibleHosts)
-	hostToIPs, warnings, err := u.parallelResolver.Resolve(ctx, resolveSettings)
-	for _, warning := range warnings {
-		u.warner.Warn(warning)
-	}
+	hostToIPs, _, err := u.parallelResolver.Resolve(ctx, resolveSettings)
 	if err != nil {
 		return nil, err
 	}

internal/provider/cyberghost/updater/updater.go

@@ -6,12 +6,10 @@ import (
 
 type Updater struct {
 	parallelResolver common.ParallelResolver
-	warner           common.Warner
 }
 
-func New(parallelResolver common.ParallelResolver, warner common.Warner) *Updater {
+func New(parallelResolver common.ParallelResolver) *Updater {
 	return &Updater{
 		parallelResolver: parallelResolver,
-		warner:           warner,
 	}
 }

internal/provider/ovpn/connection.go

@@ -0,0 +1,15 @@
+package ovpn
+
+import (
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/utils"
+)
+
+func (p *Provider) GetConnection(selection settings.ServerSelection, ipv6Supported bool) (
+	connection models.Connection, err error,
+) {
+	defaults := utils.NewConnectionDefaults(443, 1194, 9929) //nolint:mnd
+	return utils.GetConnection(p.Name(),
+		p.storage, selection, defaults, ipv6Supported, p.randSource)
+}

internal/provider/ovpn/connection_test.go

@@ -0,0 +1,128 @@
+package ovpn
+
+import (
+	"errors"
+	"math/rand"
+	"net/http"
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants"
+	"github.com/qdm12/gluetun/internal/constants/providers"
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Provider_GetConnection(t *testing.T) {
+	t.Parallel()
+
+	const provider = providers.Ovpn
+
+	errTest := errors.New("test error")
+
+	testCases := map[string]struct {
+		filteredServers []models.Server
+		storageErr      error
+		selection       settings.ServerSelection
+		ipv6Supported   bool
+		connection      models.Connection
+		errWrapped      error
+		errMessage      string
+	}{
+		"error": {
+			storageErr: errTest,
+			errWrapped: errTest,
+			errMessage: "filtering servers: test error",
+		},
+		"default_openvpn_tcp_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
+			},
+			selection: settings.ServerSelection{
+				OpenVPN: settings.OpenVPNSelection{
+					Protocol: constants.TCP,
+				},
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.OpenVPN,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     443,
+				Protocol: constants.TCP,
+			},
+		},
+		"default_openvpn_udp_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
+			},
+			selection: settings.ServerSelection{
+				OpenVPN: settings.OpenVPNSelection{
+					Protocol: constants.UDP,
+				},
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.OpenVPN,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     1194,
+				Protocol: constants.UDP,
+			},
+		},
+		"default_wireguard_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x"},
+			},
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.Wireguard,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     9929,
+				Protocol: constants.UDP,
+				PubKey:   "x",
+			},
+		},
+		"default_multihop_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x", PortsUDP: []uint16{30044}},
+			},
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.Wireguard,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     30044,
+				Protocol: constants.UDP,
+				PubKey:   "x",
+			},
+		},
+	}
+
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			ctrl := gomock.NewController(t)
+
+			storage := common.NewMockStorage(ctrl)
+			storage.EXPECT().FilterServers(provider, testCase.selection).
+				Return(testCase.filteredServers, testCase.storageErr)
+			randSource := rand.NewSource(0)
+
+			client := (*http.Client)(nil)
+			provider := New(storage, randSource, client)
+
+			connection, err := provider.GetConnection(testCase.selection, testCase.ipv6Supported)
+
+			assert.ErrorIs(t, err, testCase.errWrapped)
+			if testCase.errWrapped != nil {
+				assert.EqualError(t, err, testCase.errMessage)
+			}
+
+			assert.Equal(t, testCase.connection, connection)
+		})
+	}
+}

internal/provider/ovpn/openvpnconf.go

@@ -0,0 +1,41 @@
+package ovpn
+
+import (
+	"strings"
+
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants/openvpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/utils"
+)
+
+func (p *Provider) OpenVPNConfig(connection models.Connection,
+	settings settings.OpenVPN, ipv6Supported bool,
+) (lines []string) {
+	providerSettings := utils.OpenVPNProviderSettings{
+		AuthUserPass:  true,
+		RemoteCertTLS: true,
+		Ciphers: []string{
+			openvpn.AES256gcm,
+			openvpn.AES256cbc,
+			openvpn.AES128gcm,
+			openvpn.Chacha20Poly1305,
+		},
+		CAs: []string{
+			"MIIEfTCCA2WgAwIBAgIJAK2aIWqpLj1/MA0GCSqGSIb3DQEBBQUAMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTAeFw0xNDA4MTcxODIxMjlaFw0zNDA4MTIxODIxMjlaMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMR+aP4GTuZwurZuOA2NYzMfqKyZi/TJcLEPlGTB/b4CWA9bTd8f0pHPrDAZsXIEayxxB58BIFNDNiybnbO15JN/QwlsqmA+aZX6mCSkScs/rRwasM6LDo8iGx+KmYEqAgzziONGbCMnlO+OaarXte7LhZ9X6Z/bryu4xq/i1v3raak13kXsrogtu4iDzxqJE/QhbNOi0yhCdlm5RYQjmlKGdPB9pNTgcakVI4HcngRYMzBlrGin0YkvWCdpx5FrDNeld7BSWrJMNYyvd+buaid0Fu1T9/P/Srj/8AiabKoaDyiGFbZdTnGfK+04lWRvwAmvazpqbUt5Omw634jJDuMCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUEvJcHHcTiDtu7bAyZw+xaqg+xdIwgboGA1UdIwSBsjCBr4AUEvJcHHcTiDtu7bAyZw+xaqg+xdKhgYukgYgwgYUxCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlTdG9ja2hvbG0xEjAQBgNVBAcTCVN0b2NraG9sbTEcMBoGA1UECxMTRmlybWEgRGF2aWQgV2liZXJnaDETMBEGA1UEAxMKb3Zwbi5zZSBjYTEbMBkGCSqGSIb3DQEJARYMaW5mb0BvdnBuLnNlggkArZohaqkuPX8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAJmID6OyBJbV7ayPPgquojF+FICuDdOfGVKP828cyISxcbVA04VpD0QLYVb0k9pFUx0NbgX2SvRTiFhP7LcyS1HV9s+XLCb2WItPPsrdRTwtqU2n3TlCEzWA3WOcOCtT6JSkv1eelmx1JnP0gYJrDvDvRYBFctwWhtE0bineSQkZwN6980zkknADLAiHpeZSu/AMx7CGTwA6SmoFvpNBmHXDcfe/9ZqbbYfUfyPNe+0JbMrcv1elKi+6wlEkHFaEBphiZwGEbOX1CjUMcQFgW/cIp3n50Eiyx6ktuqimhyb59P4Nw8gqH452tTtE4MM/brA5y0Q0WFBRBojfZIbGWWQ==", //nolint:lll
+		},
+		TLSAuth:      "81782767e4d59c4464cc5d1896f1cf6015017d53ac62e2e3b94b889e00b2c69ddc01944fe1c6d895b4d80540502eb71910b8d785c9efa9e3182343532adffe1cfbb7bb6eae39c502da2748edf0fb89b8a20b0a1085cc1f06135037881bc0c4ad8f2c0f4f72d2ab466fb54af3d8264c5fddeb0f21aa0ca41863678f5fc4c44de4ca0926b36dfddc42c6f2fabd1694bdc8215b2d223b9c21dc6734c2c778093187afb8c33403b228b9af68b540c284f6d183bcc88bd41d47bd717996e499ce1cbbfa768a9723c19c58314c4d19cfed82e543ee92e73d38ad26d4fbec231c0f9f3b30773a5c87792e9bc7c34e8d7611002ebedd044e48a0f1f96527bfdcc940aa09", //nolint:lll
+		KeyDirection: "1",
+		ExtraLines: []string{
+			"replay-window 256",
+		},
+	}
+
+	if strings.HasSuffix(connection.Hostname, "singapore.ovpn.com") {
+		providerSettings.TLSCrypt = providerSettings.TLSAuth
+		providerSettings.TLSAuth = ""
+		providerSettings.KeyDirection = ""
+	}
+
+	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
+}

internal/provider/ovpn/provider.go

@@ -0,0 +1,30 @@
+package ovpn
+
+import (
+	"math/rand"
+	"net/http"
+
+	"github.com/qdm12/gluetun/internal/constants/providers"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/qdm12/gluetun/internal/provider/ovpn/updater"
+)
+
+type Provider struct {
+	storage    common.Storage
+	randSource rand.Source
+	common.Fetcher
+}
+
+func New(storage common.Storage, randSource rand.Source,
+	client *http.Client,
+) *Provider {
+	return &Provider{
+		storage:    storage,
+		randSource: randSource,
+		Fetcher:    updater.New(client),
+	}
+}
+
+func (p *Provider) Name() string {
+	return providers.Ovpn
+}

internal/provider/ovpn/updater/api.go

@@ -0,0 +1,179 @@
+package updater
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/netip"
+	"strings"
+
+	"github.com/qdm12/gluetun/internal/provider/common"
+)
+
+type apiData struct {
+	Success     bool            `json:"success"`
+	DataCenters []apiDataCenter `json:"datacenters"`
+}
+
+type apiDataCenter struct {
+	City        string      `json:"city"`
+	CountryName string      `json:"country_name"`
+	Servers     []apiServer `json:"servers"`
+}
+
+type apiServer struct {
+	IP             netip.Addr `json:"ip"`
+	Ptr            string     `json:"ptr"` // hostname
+	Online         bool       `json:"online"`
+	PublicKey      string     `json:"public_key"`
+	WireguardPorts []uint16   `json:"wireguard_ports"`
+}
+
+func fetchAPI(ctx context.Context, client *http.Client) (
+	data apiData, err error,
+) {
+	const url = "https://www.ovpn.com/v2/api/client/entry"
+
+	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return data, err
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return data, err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		_ = response.Body.Close()
+		return data, fmt.Errorf("%w: %d %s", common.ErrHTTPStatusCodeNotOK,
+			response.StatusCode, response.Status)
+	}
+
+	decoder := json.NewDecoder(response.Body)
+	err = decoder.Decode(&data)
+	if err != nil {
+		_ = response.Body.Close()
+		return data, fmt.Errorf("decoding response body: %w", err)
+	}
+
+	err = response.Body.Close()
+	if err != nil {
+		return data, fmt.Errorf("closing response body: %w", err)
+	}
+
+	return data, nil
+}
+
+var (
+	ErrCityNotSet        = errors.New("city is not set")
+	ErrCountryNameNotSet = errors.New("country name is not set")
+	ErrServersNotSet     = errors.New("servers array is not set")
+)
+
+func (a *apiDataCenter) validate() (err error) {
+	conditionalErrors := []conditionalError{
+		{err: ErrCityNotSet, condition: a.City == ""},
+		{err: ErrCountryNameNotSet, condition: a.CountryName == ""},
+		{err: ErrServersNotSet, condition: len(a.Servers) == 0},
+	}
+	err = collectErrors(conditionalErrors)
+	if err != nil {
+		var dataCenterSetFields []string
+		if a.CountryName != "" {
+			dataCenterSetFields = append(dataCenterSetFields, a.CountryName)
+		}
+		if a.City != "" {
+			dataCenterSetFields = append(dataCenterSetFields, a.City)
+		}
+		if len(dataCenterSetFields) == 0 {
+			return err
+		}
+		return fmt.Errorf("data center %s: %w",
+			strings.Join(dataCenterSetFields, ", "), err)
+	}
+
+	for i, server := range a.Servers {
+		err = server.validate()
+		if err != nil {
+			return fmt.Errorf("datacenter %s, %s: server %d of %d: %w",
+				a.CountryName, a.City, i+1, len(a.Servers), err)
+		}
+	}
+
+	return nil
+}
+
+var (
+	ErrIPFieldNotValid         = errors.New("ip address is not set")
+	ErrHostnameFieldNotSet     = errors.New("hostname field is not set")
+	ErrPublicKeyFieldNotSet    = errors.New("public key field is not set")
+	ErrWireguardPortsNotSet    = errors.New("wireguard ports array is not set")
+	ErrWireguardPortNotDefault = errors.New("wireguard port is not the default 9929")
+)
+
+func (a *apiServer) validate() (err error) {
+	const defaultWireguardPort = 9929
+	conditionalErrors := []conditionalError{
+		{err: ErrIPFieldNotValid, condition: !a.IP.IsValid()},
+		{err: ErrHostnameFieldNotSet, condition: a.Ptr == ""},
+		{err: ErrPublicKeyFieldNotSet, condition: a.PublicKey == ""},
+		{err: ErrWireguardPortsNotSet, condition: len(a.WireguardPorts) == 0},
+		{
+			err:       ErrWireguardPortNotDefault,
+			condition: len(a.WireguardPorts) != 1 || a.WireguardPorts[0] != defaultWireguardPort,
+		},
+	}
+	err = collectErrors(conditionalErrors)
+	switch {
+	case err == nil:
+		return nil
+	case a.Ptr != "":
+		return fmt.Errorf("server %s: %w", a.Ptr, err)
+	case a.IP.IsValid():
+		return fmt.Errorf("server %s: %w", a.IP.String(), err)
+	default:
+		return err
+	}
+}
+
+type conditionalError struct {
+	err       error
+	condition bool
+}
+
+type joinedError struct {
+	errs []error
+}
+
+func (e *joinedError) Unwrap() []error {
+	return e.errs
+}
+
+func (e *joinedError) Error() string {
+	errStrings := make([]string, len(e.errs))
+	for i, err := range e.errs {
+		errStrings[i] = err.Error()
+	}
+	return strings.Join(errStrings, "; ")
+}
+
+func collectErrors(conditionalErrors []conditionalError) (err error) {
+	errs := make([]error, 0, len(conditionalErrors))
+	for _, conditionalError := range conditionalErrors {
+		if !conditionalError.condition {
+			continue
+		}
+		errs = append(errs, conditionalError.err)
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+
+	return &joinedError{
+		errs: errs,
+	}
+}

internal/provider/ovpn/updater/api_test.go

@@ -0,0 +1,115 @@
+package updater
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net/http"
+	"net/netip"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_fetchAPI(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		responseStatus int
+		responseBody   io.ReadCloser
+		data           apiData
+		err            error
+	}{
+		"http response status not ok": {
+			responseStatus: http.StatusNoContent,
+			err:            errors.New("HTTP status code not OK: 204 No Content"),
+		},
+		"nil body": {
+			responseStatus: http.StatusOK,
+			err:            errors.New("decoding response body: EOF"),
+		},
+		"no server": {
+			responseStatus: http.StatusOK,
+			responseBody:   io.NopCloser(strings.NewReader(`{}`)),
+		},
+		"success": {
+			responseStatus: http.StatusOK,
+			responseBody: io.NopCloser(strings.NewReader(`{
+		  "success": true,
+		  "datacenters": [
+		    {
+		      "slug": "vienna",
+		      "city": "Vienna",
+		      "country": "AT",
+		      "country_name": "Austria",
+		      "pools": [
+		        "pool-1.prd.at.vienna.ovpn.com"
+		      ],
+		      "ping_address": "37.120.212.227",
+		      "servers": [
+		        {
+		          "ip": "37.120.212.227",
+		          "ptr": "vpn44.prd.vienna.ovpn.com",
+		          "name": "VPN44 - Vienna",
+		          "online": true,
+		          "load": 8,
+		          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+		          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+		          "wireguard_ports": [
+		            9929
+		          ],
+		          "multihop_openvpn_port": 20044,
+		          "multihop_wireguard_port": 30044
+		        }
+		      ]
+		    }
+		  ]
+		}`)),
+			data: apiData{
+				Success: true,
+				DataCenters: []apiDataCenter{
+					{CountryName: "Austria", City: "Vienna", Servers: []apiServer{
+						{
+							IP:             netip.MustParseAddr("37.120.212.227"),
+							Ptr:            "vpn44.prd.vienna.ovpn.com",
+							Online:         true,
+							PublicKey:      "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+							WireguardPorts: []uint16{9929},
+						},
+					}},
+				},
+			},
+		},
+	}
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := context.Background()
+
+			client := &http.Client{
+				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+					assert.Equal(t, http.MethodGet, r.Method)
+					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
+					return &http.Response{
+						StatusCode: testCase.responseStatus,
+						Status:     http.StatusText(testCase.responseStatus),
+						Body:       testCase.responseBody,
+					}, nil
+				}),
+			}
+
+			data, err := fetchAPI(ctx, client)
+
+			assert.Equal(t, testCase.data, data)
+			if testCase.err != nil {
+				require.Error(t, err)
+				assert.Equal(t, testCase.err.Error(), err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

internal/provider/ovpn/updater/roundtrip_test.go

@@ -0,0 +1,9 @@
+package updater
+
+import "net/http"
+
+type roundTripFunc func(r *http.Request) (*http.Response, error)
+
+func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) {
+	return f(r)
+}

internal/provider/ovpn/updater/servers.go

@@ -0,0 +1,66 @@
+package updater
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"sort"
+
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+)
+
+var ErrResponseSuccessFalse = errors.New("response success field is false")
+
+func (u *Updater) FetchServers(ctx context.Context, minServers int) (
+	servers []models.Server, err error,
+) {
+	data, err := fetchAPI(ctx, u.client)
+	if err != nil {
+		return nil, fmt.Errorf("fetching API: %w", err)
+	} else if !data.Success {
+		return nil, fmt.Errorf("%w", ErrResponseSuccessFalse)
+	}
+
+	for dataCenterIndex, dataCenter := range data.DataCenters {
+		err = dataCenter.validate()
+		if err != nil {
+			return nil, fmt.Errorf("validating data center %d of %d: %w",
+				dataCenterIndex+1, len(data.DataCenters), err)
+		}
+
+		for _, apiServer := range dataCenter.Servers {
+			if !apiServer.Online {
+				continue
+			}
+
+			baseServer := models.Server{
+				Country:  dataCenter.CountryName,
+				City:     dataCenter.City,
+				Hostname: apiServer.Ptr,
+				IPs:      []netip.Addr{apiServer.IP},
+			}
+			openVPNServer := baseServer
+			openVPNServer.VPN = vpn.OpenVPN
+			openVPNServer.TCP = true
+			openVPNServer.UDP = true
+			servers = append(servers, openVPNServer)
+
+			wireguardServer := baseServer
+			wireguardServer.VPN = vpn.Wireguard
+			wireguardServer.WgPubKey = apiServer.PublicKey
+			servers = append(servers, wireguardServer)
+		}
+	}
+
+	if len(servers) < minServers {
+		return nil, fmt.Errorf("%w: %d and expected at least %d",
+			common.ErrNotEnoughServers, len(servers), minServers)
+	}
+
+	sort.Sort(models.SortableServers(servers))
+
+	return servers, nil
+}

internal/provider/ovpn/updater/servers_test.go

@@ -0,0 +1,181 @@
+package updater
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/netip"
+	"strings"
+	"testing"
+
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Updater_FetchServers(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		// Inputs
+		minServers int
+
+		// From API
+		responseStatus int
+		responseBody   string
+
+		// Output
+		servers    []models.Server
+		errWrapped error
+		errMessage string
+	}{
+		"http_response_error": {
+			responseStatus: http.StatusNoContent,
+			errWrapped:     common.ErrHTTPStatusCodeNotOK,
+			errMessage:     "fetching API: HTTP status code not OK: 204 No Content",
+		},
+		"success_field_false": {
+			responseStatus: http.StatusOK,
+			responseBody:   `{"success": false}`,
+			errWrapped:     ErrResponseSuccessFalse,
+			errMessage:     "response success field is false",
+		},
+		"validation_failed": {
+			responseStatus: http.StatusOK,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "city": "Vienna",
+      "servers": [
+        {}
+      ]
+    }
+  ]
+}`,
+			errWrapped: ErrCountryNameNotSet,
+			errMessage: "validating data center 1 of 1: data center Vienna: country name is not set",
+		},
+		"not_enough_servers": {
+			minServers:     3,
+			responseStatus: http.StatusOK,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "city": "Vienna",
+      "country_name": "Austria",
+      "servers": [
+        {
+          "ip": "37.120.212.227",
+          "ptr": "vpn44.prd.vienna.ovpn.com",
+          "online": true,
+          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+          "wireguard_ports": [9929],
+          "multihop_openvpn_port": 20044,
+          "multihop_wireguard_port": 30044
+        }
+      ]
+    }
+  ]
+}`,
+			errWrapped: common.ErrNotEnoughServers,
+			errMessage: "not enough servers found: 2 and expected at least 3",
+		},
+		"success": {
+			minServers: 2,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "slug": "vienna",
+      "city": "Vienna",
+      "country": "AT",
+      "country_name": "Austria",
+      "pools": [
+        "pool-1.prd.at.vienna.ovpn.com"
+      ],
+      "ping_address": "37.120.212.227",
+      "servers": [
+        {
+          "ip": "37.120.212.227",
+          "ptr": "vpn44.prd.vienna.ovpn.com",
+          "name": "VPN44 - Vienna",
+          "online": true,
+          "load": 8,
+          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+          "wireguard_ports": [
+            9929
+          ],
+          "multihop_openvpn_port": 20044,
+          "multihop_wireguard_port": 30044
+        },
+        {
+          "ip": "37.120.212.228",
+          "ptr": "vpn45.prd.vienna.ovpn.com",
+          "online": false,
+          "public_key": "r93LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+          "wireguard_ports": [9929],
+          "multihop_openvpn_port": 20045,
+          "multihop_wireguard_port": 30045
+        }
+      ]
+    }
+  ]
+}`,
+			responseStatus: http.StatusOK,
+			servers: []models.Server{
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.OpenVPN,
+					UDP:      true,
+					TCP:      true,
+				},
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.Wireguard,
+					WgPubKey: "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+				},
+			},
+		},
+	}
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := context.Background()
+
+			client := &http.Client{
+				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+					assert.Equal(t, http.MethodGet, r.Method)
+					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
+					return &http.Response{
+						StatusCode: testCase.responseStatus,
+						Status:     http.StatusText(testCase.responseStatus),
+						Body:       io.NopCloser(strings.NewReader(testCase.responseBody)),
+					}, nil
+				}),
+			}
+
+			updater := &Updater{
+				client: client,
+			}
+
+			servers, err := updater.FetchServers(ctx, testCase.minServers)
+
+			assert.Equal(t, testCase.servers, servers)
+			assert.ErrorIs(t, err, testCase.errWrapped)
+			if testCase.errWrapped != nil {
+				assert.EqualError(t, err, testCase.errMessage)
+			}
+		})
+	}
+}

internal/provider/ovpn/updater/updater.go

@@ -0,0 +1,15 @@
+package updater
+
+import (
+	"net/http"
+)
+
+type Updater struct {
+	client *http.Client
+}
+
+func New(client *http.Client) *Updater {
+	return &Updater{
+		client: client,
+	}
+}

internal/provider/protonvpn/provider.go

@@ -18,12 +18,11 @@ type Provider struct {
 
 func New(storage common.Storage, randSource rand.Source,
 	client *http.Client, updaterWarner common.Warner,
-	username, password string,
 ) *Provider {
 	return &Provider{
 		storage:    storage,
 		randSource: randSource,
-		Fetcher:    updater.New(client, updaterWarner, username, password),
+		Fetcher:    updater.New(client, updaterWarner),
 	}
 }
 

internal/provider/protonvpn/updater/api.go

@@ -1,567 +1,15 @@
 package updater
 
 import (
-	"bytes"
 	"context"
-	crand "crypto/rand"
-	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"math/rand/v2"
 	"net/http"
 	"net/netip"
-	"slices"
-	"strings"
-
-	srp "github.com/ProtonMail/go-srp"
 )
 
-// apiClient is a minimal Proton v4 API client which can handle all the
-// oddities of Proton's authentication flow they want to keep hidden
-// from the public.
-type apiClient struct {
-	apiURLBase string
-	httpClient *http.Client
-	appVersion string
-	userAgent  string
-	generator  *rand.ChaCha8
-}
-
-// newAPIClient returns an [apiClient] with sane defaults matching Proton's
-// insane expectations.
-func newAPIClient(ctx context.Context, httpClient *http.Client) (client *apiClient, err error) {
-	var seed [32]byte
-	_, _ = crand.Read(seed[:])
-	generator := rand.NewChaCha8(seed)
-
-	// Pick a random user agent from this list. Because I'm not going to tell
-	// Proton shit on where all these funny requests are coming from, given their
-	// unhelpfulness in figuring out their authentication flow.
-	userAgents := [...]string{
-		"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0",
-		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:143.0) Gecko/20100101 Firefox/143.0",
-		"Mozilla/5.0 (X11; Linux x86_64; rv:143.0) Gecko/20100101 Firefox/143.0",
-	}
-	userAgent := userAgents[generator.Uint64()%uint64(len(userAgents))]
-
-	appVersion, err := getMostRecentStableTag(ctx, httpClient)
-	if err != nil {
-		return nil, fmt.Errorf("getting most recent version for proton app: %w", err)
-	}
-
-	return &apiClient{
-		apiURLBase: "https://account.proton.me/api",
-		httpClient: httpClient,
-		appVersion: appVersion,
-		userAgent:  userAgent,
-		generator:  generator,
-	}, nil
-}
-
-var ErrCodeNotSuccess = errors.New("response code is not success")
-
-// setHeaders sets the minimal necessary headers for Proton API requests
-// to succeed without being blocked by their "security" measures.
-// See for example [getMostRecentStableTag] on how the app version must
-// be set to a recent version or they block your request. "SeCuRiTy"...
-func (c *apiClient) setHeaders(request *http.Request, cookie cookie) {
-	request.Header.Set("Cookie", cookie.String())
-	request.Header.Set("User-Agent", c.userAgent)
-	request.Header.Set("x-pm-appversion", c.appVersion)
-	request.Header.Set("x-pm-locale", "en_US")
-	request.Header.Set("x-pm-uid", cookie.uid)
-}
-
-// authenticate performs the full Proton authentication flow
-// to obtain an authenticated cookie (uid, token and session ID).
-func (c *apiClient) authenticate(ctx context.Context, username, password string,
-) (authCookie cookie, err error) {
-	sessionID, err := c.getSessionID(ctx)
-	if err != nil {
-		return cookie{}, fmt.Errorf("getting session ID: %w", err)
-	}
-
-	tokenType, accessToken, refreshToken, uid, err := c.getUnauthSession(ctx, sessionID)
-	if err != nil {
-		return cookie{}, fmt.Errorf("getting unauthenticated session data: %w", err)
-	}
-
-	cookieToken, err := c.cookieToken(ctx, sessionID, tokenType, accessToken, refreshToken, uid)
-	if err != nil {
-		return cookie{}, fmt.Errorf("getting cookie token: %w", err)
-	}
-
-	unauthCookie := cookie{
-		uid:       uid,
-		token:     cookieToken,
-		sessionID: sessionID,
-	}
-	modulusPGPClearSigned, serverEphemeralBase64, saltBase64,
-		srpSessionHex, version, err := c.authInfo(ctx, username, unauthCookie)
-	if err != nil {
-		return cookie{}, fmt.Errorf("getting auth information: %w", err)
-	}
-
-	// Prepare SRP proof generator using Proton's official SRP parameters and hashing.
-	srpAuth, err := srp.NewAuth(version, username, []byte(password),
-		saltBase64, modulusPGPClearSigned, serverEphemeralBase64)
-	if err != nil {
-		return cookie{}, fmt.Errorf("initializing SRP auth: %w", err)
-	}
-
-	// Generate SRP proofs (A, M1) with the usual 2048-bit modulus.
-	const modulusBits = 2048
-	proofs, err := srpAuth.GenerateProofs(modulusBits)
-	if err != nil {
-		return cookie{}, fmt.Errorf("generating SRP proofs: %w", err)
-	}
-
-	authCookie, err = c.auth(ctx, unauthCookie, username, srpSessionHex, proofs)
-	if err != nil {
-		return cookie{}, fmt.Errorf("authentifying: %w", err)
-	}
-
-	return authCookie, nil
-}
-
-var ErrSessionIDNotFound = errors.New("session ID not found in cookies")
-
-func (c *apiClient) getSessionID(ctx context.Context) (sessionID string, err error) {
-	const url = "https://account.proton.me/vpn"
-	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
-	if err != nil {
-		return "", fmt.Errorf("creating request: %w", err)
-	}
-
-	response, err := c.httpClient.Do(request)
-	if err != nil {
-		return "", err
-	}
-	err = response.Body.Close()
-	if err != nil {
-		return "", fmt.Errorf("closing response body: %w", err)
-	}
-
-	for _, cookie := range response.Cookies() {
-		if cookie.Name == "Session-Id" {
-			return cookie.Value, nil
-		}
-	}
-
-	return "", fmt.Errorf("%w", ErrSessionIDNotFound)
-}
-
-var ErrDataFieldMissing = errors.New("data field missing in response")
-
-func (c *apiClient) getUnauthSession(ctx context.Context, sessionID string) (
-	tokenType, accessToken, refreshToken, uid string, err error,
-) {
-	request, err := http.NewRequestWithContext(ctx, http.MethodPost, c.apiURLBase+"/auth/v4/sessions", nil)
-	if err != nil {
-		return "", "", "", "", fmt.Errorf("creating request: %w", err)
-	}
-	unauthCookie := cookie{
-		sessionID: sessionID,
-	}
-	c.setHeaders(request, unauthCookie)
-
-	response, err := c.httpClient.Do(request)
-	if err != nil {
-		return "", "", "", "", err
-	}
-	defer response.Body.Close()
-
-	responseBody, err := io.ReadAll(response.Body)
-	if err != nil {
-		return "", "", "", "", fmt.Errorf("reading response body: %w", err)
-	} else if response.StatusCode != http.StatusOK {
-		return "", "", "", "", buildError(response.StatusCode, responseBody)
-	}
-
-	var data struct {
-		Code         uint     `json:"Code"`         // 1000 on success
-		AccessToken  string   `json:"AccessToken"`  // 32-chars lowercase and digits
-		RefreshToken string   `json:"RefreshToken"` // 32-chars lowercase and digits
-		TokenType    string   `json:"TokenType"`    // "Bearer"
-		Scopes       []string `json:"Scopes"`       // should be [] for our usage
-		UID          string   `json:"UID"`          // 32-chars lowercase and digits
-		LocalID      uint     `json:"LocalID"`      // 0 in my case
-	}
-
-	err = json.Unmarshal(responseBody, &data)
-	if err != nil {
-		return "", "", "", "", fmt.Errorf("decoding response body: %w", err)
-	}
-
-	const successCode = 1000
-	switch {
-	case data.Code != successCode:
-		return "", "", "", "", fmt.Errorf("%w: expected %d got %d",
-			ErrCodeNotSuccess, successCode, data.Code)
-	case data.AccessToken == "":
-		return "", "", "", "", fmt.Errorf("%w: access token is empty", ErrDataFieldMissing)
-	case data.RefreshToken == "":
-		return "", "", "", "", fmt.Errorf("%w: refresh token is empty", ErrDataFieldMissing)
-	case data.TokenType == "":
-		return "", "", "", "", fmt.Errorf("%w: token type is empty", ErrDataFieldMissing)
-	case data.UID == "":
-		return "", "", "", "", fmt.Errorf("%w: UID is empty", ErrDataFieldMissing)
-	}
-	// Ignore Scopes and LocalID fields, we don't use them.
-
-	return data.TokenType, data.AccessToken, data.RefreshToken, data.UID, nil
-}
-
-var ErrUIDMismatch = errors.New("UID in response does not match request UID")
-
-func (c *apiClient) cookieToken(ctx context.Context, sessionID, tokenType, accessToken,
-	refreshToken, uid string,
-) (cookieToken string, err error) {
-	type requestBodySchema struct {
-		GrantType    string `json:"GrantType"`    // "refresh_token"
-		Persistent   uint   `json:"Persistent"`   // 0
-		RedirectURI  string `json:"RedirectURI"`  // "https://protonmail.com"
-		RefreshToken string `json:"RefreshToken"` // 32-chars lowercase and digits
-		ResponseType string `json:"ResponseType"` // "token"
-		State        string `json:"State"`        // 24-chars letters and digits
-		UID          string `json:"UID"`          // 32-chars lowercase and digits
-	}
-	requestBody := requestBodySchema{
-		GrantType:    "refresh_token",
-		Persistent:   0,
-		RedirectURI:  "https://protonmail.com",
-		RefreshToken: refreshToken,
-		ResponseType: "token",
-		State:        generateLettersDigits(c.generator, 24), //nolint:mnd
-		UID:          uid,
-	}
-
-	buffer := bytes.NewBuffer(nil)
-	encoder := json.NewEncoder(buffer)
-	if err := encoder.Encode(requestBody); err != nil {
-		return "", fmt.Errorf("encoding request body: %w", err)
-	}
-
-	request, err := http.NewRequestWithContext(ctx, http.MethodPost, c.apiURLBase+"/core/v4/auth/cookies", buffer)
-	if err != nil {
-		return "", fmt.Errorf("creating request: %w", err)
-	}
-	unauthCookie := cookie{
-		uid:       uid,
-		sessionID: sessionID,
-	}
-	c.setHeaders(request, unauthCookie)
-	request.Header.Set("Authorization", tokenType+" "+accessToken)
-
-	response, err := c.httpClient.Do(request)
-	if err != nil {
-		return "", err
-	}
-	defer response.Body.Close()
-
-	responseBody, err := io.ReadAll(response.Body)
-	if err != nil {
-		return "", fmt.Errorf("reading response body: %w", err)
-	} else if response.StatusCode != http.StatusOK {
-		return "", buildError(response.StatusCode, responseBody)
-	}
-
-	var cookies struct {
-		Code           uint   `json:"Code"`           // 1000 on success
-		UID            string `json:"UID"`            // should match request UID
-		LocalID        uint   `json:"LocalID"`        // 0
-		RefreshCounter uint   `json:"RefreshCounter"` // 1
-	}
-	err = json.Unmarshal(responseBody, &cookies)
-	if err != nil {
-		return "", fmt.Errorf("decoding response body: %w", err)
-	}
-
-	const successCode = 1000
-	switch {
-	case cookies.Code != successCode:
-		return "", fmt.Errorf("%w: expected %d got %d",
-			ErrCodeNotSuccess, successCode, cookies.Code)
-	case cookies.UID != requestBody.UID:
-		return "", fmt.Errorf("%w: expected %s got %s",
-			ErrUIDMismatch, requestBody.UID, cookies.UID)
-	}
-	// Ignore LocalID and RefreshCounter fields, we don't use them.
-
-	for _, cookie := range response.Cookies() {
-		if cookie.Name == "AUTH-"+uid {
-			return cookie.Value, nil
-		}
-	}
-
-	return "", fmt.Errorf("%w", ErrAuthCookieNotFound)
-}
-
-var (
-	ErrUsernameDoesNotExist = errors.New("username does not exist")
-	ErrUsernameMismatch     = errors.New("username in response does not match request username")
-)
-
-// authInfo fetches SRP parameters for the account.
-func (c *apiClient) authInfo(ctx context.Context, username string, unauthCookie cookie) (
-	modulusPGPClearSigned, serverEphemeralBase64, saltBase64, srpSessionHex string,
-	version int, err error,
-) {
-	type requestBodySchema struct {
-		Intent   string `json:"Intent"`   // "Proton"
-		Username string `json:"Username"` // username without @domain.com
-	}
-	requestBody := requestBodySchema{
-		Intent:   "Proton",
-		Username: username,
-	}
-
-	buffer := bytes.NewBuffer(nil)
-	encoder := json.NewEncoder(buffer)
-	if err := encoder.Encode(requestBody); err != nil {
-		return "", "", "", "", 0, fmt.Errorf("encoding request body: %w", err)
-	}
-
-	request, err := http.NewRequestWithContext(ctx, http.MethodPost, c.apiURLBase+"/core/v4/auth/info", buffer)
-	if err != nil {
-		return "", "", "", "", 0, fmt.Errorf("creating request: %w", err)
-	}
-	c.setHeaders(request, unauthCookie)
-
-	response, err := c.httpClient.Do(request)
-	if err != nil {
-		return "", "", "", "", 0, err
-	}
-	defer response.Body.Close()
-
-	responseBody, err := io.ReadAll(response.Body)
-	if err != nil {
-		return "", "", "", "", 0, fmt.Errorf("reading response body: %w", err)
-	} else if response.StatusCode != http.StatusOK {
-		return "", "", "", "", 0, buildError(response.StatusCode, responseBody)
-	}
-
-	var info struct {
-		Code            uint   `json:"Code"`              // 1000 on success
-		Modulus         string `json:"Modulus"`           // PGP clearsigned modulus string
-		ServerEphemeral string `json:"ServerEphemeral"`   // base64
-		Version         *uint  `json:"Version,omitempty"` // 4 as of 2025-10-26
-		Salt            string `json:"Salt"`              // base64
-		SRPSession      string `json:"SRPSession"`        // hexadecimal
-		Username        string `json:"Username"`          // user without @domain.com. Mine has its first letter capitalized.
-	}
-	err = json.Unmarshal(responseBody, &info)
-	if err != nil {
-		return "", "", "", "", 0, fmt.Errorf("decoding response body: %w", err)
-	}
-
-	const successCode = 1000
-	switch {
-	case info.Code != successCode:
-		return "", "", "", "", 0, fmt.Errorf("%w: expected %d got %d",
-			ErrCodeNotSuccess, successCode, info.Code)
-	case info.Modulus == "":
-		return "", "", "", "", 0, fmt.Errorf("%w: modulus is empty", ErrDataFieldMissing)
-	case info.ServerEphemeral == "":
-		return "", "", "", "", 0, fmt.Errorf("%w: server ephemeral is empty", ErrDataFieldMissing)
-	case info.Salt == "":
-		return "", "", "", "", 0, fmt.Errorf("%w (salt data field is empty)", ErrUsernameDoesNotExist)
-	case info.SRPSession == "":
-		return "", "", "", "", 0, fmt.Errorf("%w: SRP session is empty", ErrDataFieldMissing)
-
-	case info.Username != username:
-		return "", "", "", "", 0, fmt.Errorf("%w: expected %s got %s",
-			ErrUsernameMismatch, username, info.Username)
-	case info.Version == nil:
-		return "", "", "", "", 0, fmt.Errorf("%w: version is missing", ErrDataFieldMissing)
-	}
-
-	version = int(*info.Version) //nolint:gosec
-	return info.Modulus, info.ServerEphemeral, info.Salt,
-		info.SRPSession, version, nil
-}
-
-type cookie struct {
-	uid       string
-	token     string
-	sessionID string
-}
-
-func (c *cookie) String() string {
-	s := ""
-	if c.token != "" {
-		s += fmt.Sprintf("AUTH-%s=%s; ", c.uid, c.token)
-	}
-	if c.sessionID != "" {
-		s += fmt.Sprintf("Session-Id=%s; ", c.sessionID)
-	}
-	if c.token != "" {
-		s += "Tag=default; iaas=W10; Domain=proton.me; Feature=VPNDashboard:A"
-	}
-	return s
-}
-
-var (
-	// ErrServerProofNotValid indicates the M2 from the server didn't match the expected proof.
-	ErrServerProofNotValid = errors.New("server proof from server is not valid")
-	ErrVPNScopeNotFound    = errors.New("VPN scope not found in scopes")
-	ErrTwoFANotSupported   = errors.New("two factor authentication not supported in this client")
-	ErrAuthCookieNotFound  = errors.New("auth cookie not found")
-)
-
-// auth performs the SRP proof submission (and optionally TOTP) to obtain tokens.
-func (c *apiClient) auth(ctx context.Context, unauthCookie cookie,
-	username, srpSession string, proofs *srp.Proofs,
-) (authCookie cookie, err error) {
-	clientEphemeral := base64.StdEncoding.EncodeToString(proofs.ClientEphemeral)
-	clientProof := base64.StdEncoding.EncodeToString(proofs.ClientProof)
-
-	type requestBodySchema struct {
-		ClientEphemeral string            `json:"ClientEphemeral"`   // base64(A)
-		ClientProof     string            `json:"ClientProof"`       // base64(M1)
-		Payload         map[string]string `json:"Payload,omitempty"` // not sure
-		SRPSession      string            `json:"SRPSession"`        // hexadecimal
-		Username        string            `json:"Username"`          // user@protonmail.com
-	}
-	requestBody := requestBodySchema{
-		ClientEphemeral: clientEphemeral,
-		ClientProof:     clientProof,
-		SRPSession:      srpSession,
-		Username:        username,
-	}
-
-	buffer := bytes.NewBuffer(nil)
-	encoder := json.NewEncoder(buffer)
-	if err := encoder.Encode(requestBody); err != nil {
-		return cookie{}, fmt.Errorf("encoding request body: %w", err)
-	}
-
-	request, err := http.NewRequestWithContext(ctx, http.MethodPost, c.apiURLBase+"/core/v4/auth", buffer)
-	if err != nil {
-		return cookie{}, fmt.Errorf("creating request: %w", err)
-	}
-	c.setHeaders(request, unauthCookie)
-
-	response, err := c.httpClient.Do(request)
-	if err != nil {
-		return cookie{}, err
-	}
-	defer response.Body.Close()
-
-	responseBody, err := io.ReadAll(response.Body)
-	if err != nil {
-		return cookie{}, fmt.Errorf("reading response body: %w", err)
-	} else if response.StatusCode != http.StatusOK {
-		return cookie{}, buildError(response.StatusCode, responseBody)
-	}
-
-	type twoFAStatus uint
-	//nolint:unused
-	const (
-		twoFADisabled twoFAStatus = iota
-		twoFAHasTOTP
-		twoFAHasFIDO2
-		twoFAHasFIDO2AndTOTP
-	)
-	type twoFAInfo struct {
-		Enabled twoFAStatus `json:"Enabled"`
-		FIDO2   struct {
-			AuthenticationOptions any   `json:"AuthenticationOptions"`
-			RegisteredKeys        []any `json:"RegisteredKeys"`
-		} `json:"FIDO2"`
-		TOTP uint `json:"TOTP"`
-	}
-
-	var auth struct {
-		Code              uint      `json:"Code"`         // 1000 on success
-		LocalID           uint      `json:"LocalID"`      // 7 in my case
-		Scopes            []string  `json:"Scopes"`       // this should contain "vpn". Same as `Scope` field value.
-		UID               string    `json:"UID"`          // same as `Uid` field value
-		UserID            string    `json:"UserID"`       // base64
-		EventID           string    `json:"EventID"`      // base64
-		PasswordMode      uint      `json:"PasswordMode"` // 1 in my case
-		ServerProof       string    `json:"ServerProof"`  // base64(M2)
-		TwoFactor         uint      `json:"TwoFactor"`    // 0 if 2FA not required
-		TwoFA             twoFAInfo `json:"2FA"`
-		TemporaryPassword uint      `json:"TemporaryPassword"` // 0 in my case
-	}
-
-	err = json.Unmarshal(responseBody, &auth)
-	if err != nil {
-		return cookie{}, fmt.Errorf("decoding response body: %w", err)
-	}
-
-	m2, err := base64.StdEncoding.DecodeString(auth.ServerProof)
-	if err != nil {
-		return cookie{}, fmt.Errorf("decoding server proof: %w", err)
-	}
-	if !bytes.Equal(m2, proofs.ExpectedServerProof) {
-		return cookie{}, fmt.Errorf("%w: expected %x got %x",
-			ErrServerProofNotValid, proofs.ExpectedServerProof, m2)
-	}
-
-	const successCode = 1000
-	switch {
-	case auth.Code != successCode:
-		return cookie{}, fmt.Errorf("%w: expected %d got %d",
-			ErrCodeNotSuccess, successCode, auth.Code)
-	case auth.UID != unauthCookie.uid:
-		return cookie{}, fmt.Errorf("%w: expected %s got %s",
-			ErrUIDMismatch, unauthCookie.uid, auth.UID)
-	case auth.TwoFactor != 0:
-		return cookie{}, fmt.Errorf("%w", ErrTwoFANotSupported)
-	case !slices.Contains(auth.Scopes, "vpn"):
-		return cookie{}, fmt.Errorf("%w: in %v", ErrVPNScopeNotFound, auth.Scopes)
-	}
-
-	for _, setCookieHeader := range response.Header.Values("Set-Cookie") {
-		parts := strings.Split(setCookieHeader, ";")
-		for _, part := range parts {
-			if strings.HasPrefix(part, "AUTH-"+unauthCookie.uid+"=") {
-				authCookie = unauthCookie
-				authCookie.token = strings.TrimPrefix(part, "AUTH-"+unauthCookie.uid+"=")
-				return authCookie, nil
-			}
-		}
-	}
-
-	return cookie{}, fmt.Errorf("%w: in HTTP headers %s",
-		ErrAuthCookieNotFound, httpHeadersToString(response.Header))
-}
-
-// generateLettersDigits mimicing Proton's own random string generator:
-// https://github.com/ProtonMail/WebClients/blob/e4d7e4ab9babe15b79a131960185f9f8275512cd/packages/utils/generateLettersDigits.ts
-func generateLettersDigits(rng *rand.ChaCha8, length uint) string {
-	const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
-	return generateFromCharset(rng, length, charset)
-}
-
-func generateFromCharset(rng *rand.ChaCha8, length uint, charset string) string {
-	result := make([]byte, length)
-	randomBytes := make([]byte, length)
-	_, _ = rng.Read(randomBytes)
-	for i := range length {
-		result[i] = charset[int(randomBytes[i])%len(charset)]
-	}
-	return string(result)
-}
-
-func httpHeadersToString(headers http.Header) string {
-	var builder strings.Builder
-	first := true
-	for key, values := range headers {
-		for _, value := range values {
-			if !first {
-				builder.WriteString(", ")
-			}
-			builder.WriteString(fmt.Sprintf("%s: %s", key, value))
-			first = false
-		}
-	}
-	return builder.String()
-}
+var ErrHTTPStatusCodeNotOK = errors.New("HTTP status code not OK")
 
 type apiData struct {
 	LogicalServers []logicalServer `json:"LogicalServers"`
@@ -585,25 +33,25 @@ type physicalServer struct {
 	X25519PublicKey string     `json:"X25519PublicKey"`
 }
 
-func (c *apiClient) fetchServers(ctx context.Context, cookie cookie) (
+func fetchAPI(ctx context.Context, client *http.Client) (
 	data apiData, err error,
 ) {
-	const url = "https://account.proton.me/api/vpn/logicals"
+	const url = "https://api.protonmail.ch/vpn/logicals"
+
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return data, err
 	}
-	c.setHeaders(request, cookie)
 
-	response, err := c.httpClient.Do(request)
+	response, err := client.Do(request)
 	if err != nil {
 		return data, err
 	}
 	defer response.Body.Close()
 
 	if response.StatusCode != http.StatusOK {
-		b, _ := io.ReadAll(response.Body)
-		return data, buildError(response.StatusCode, b)
+		return data, fmt.Errorf("%w: %d %s", ErrHTTPStatusCodeNotOK,
+			response.StatusCode, response.Status)
 	}
 
 	decoder := json.NewDecoder(response.Body)
@@ -611,31 +59,9 @@ func (c *apiClient) fetchServers(ctx context.Context, cookie cookie) (
 		return data, fmt.Errorf("decoding response body: %w", err)
 	}
 
+	if err := response.Body.Close(); err != nil {
+		return data, err
+	}
+
 	return data, nil
 }
-
-var ErrHTTPStatusCodeNotOK = errors.New("HTTP status code not OK")
-
-func buildError(httpCode int, body []byte) error {
-	prettyCode := http.StatusText(httpCode)
-	var protonError struct {
-		Code    *int              `json:"Code,omitempty"`
-		Error   *string           `json:"Error,omitempty"`
-		Details map[string]string `json:"Details"`
-	}
-	decoder := json.NewDecoder(bytes.NewReader(body))
-	decoder.DisallowUnknownFields()
-	err := decoder.Decode(&protonError)
-	if err != nil || protonError.Error == nil || protonError.Code == nil {
-		return fmt.Errorf("%w: %s: %s",
-			ErrHTTPStatusCodeNotOK, prettyCode, body)
-	}
-
-	details := make([]string, 0, len(protonError.Details))
-	for key, value := range protonError.Details {
-		details = append(details, fmt.Sprintf("%s: %s", key, value))
-	}
-
-	return fmt.Errorf("%w: %s: %s (code %d with details: %s)",
-		ErrHTTPStatusCodeNotOK, prettyCode, *protonError.Error, *protonError.Code, strings.Join(details, ", "))
-}

internal/provider/protonvpn/updater/servers.go

@@ -13,26 +13,9 @@ import (
 func (u *Updater) FetchServers(ctx context.Context, minServers int) (
 	servers []models.Server, err error,
 ) {
-	switch {
-	case u.username == "":
-		return nil, fmt.Errorf("%w: username is empty", common.ErrCredentialsMissing)
-	case u.password == "":
-		return nil, fmt.Errorf("%w: password is empty", common.ErrCredentialsMissing)
-	}
-
-	apiClient, err := newAPIClient(ctx, u.client)
+	data, err := fetchAPI(ctx, u.client)
 	if err != nil {
-		return nil, fmt.Errorf("creating API client: %w", err)
-	}
-
-	cookie, err := apiClient.authenticate(ctx, u.username, u.password)
-	if err != nil {
-		return nil, fmt.Errorf("authentifying with Proton: %w", err)
-	}
-
-	data, err := apiClient.fetchServers(ctx, cookie)
-	if err != nil {
-		return nil, fmt.Errorf("fetching logical servers: %w", err)
+		return nil, err
 	}
 
 	countryCodes := constants.CountryCodes()

internal/provider/protonvpn/updater/updater.go

@@ -7,17 +7,13 @@ import (
 )
 
 type Updater struct {
-	client   *http.Client
-	username string
-	password string
-	warner   common.Warner
+	client *http.Client
+	warner common.Warner
 }
 
-func New(client *http.Client, warner common.Warner, username, password string) *Updater {
+func New(client *http.Client, warner common.Warner) *Updater {
 	return &Updater{
-		client:   client,
-		username: username,
-		password: password,
-		warner:   warner,
+		client: client,
+		warner: warner,
 	}
 }

internal/provider/protonvpn/updater/version.go

@@ -1,64 +0,0 @@
-package updater
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"regexp"
-	"strings"
-)
-
-// getMostRecentStableTag finds the most recent proton-account stable tag version,
-// in order to use it in the x-pm-appversion http request header. Because if we do
-// fall behind on versioning, Proton doesn't like it because they like to create
-// complications where there is no need for it. Hence this function.
-func getMostRecentStableTag(ctx context.Context, client *http.Client) (version string, err error) {
-	page := 1
-	regexVersion := regexp.MustCompile(`^proton-account@(\d+\.\d+\.\d+\.\d+)$`)
-	for ctx.Err() == nil {
-		url := "https://api.github.com/repos/ProtonMail/WebClients/tags?per_page=30&page=" + fmt.Sprint(page)
-
-		request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
-		if err != nil {
-			return "", fmt.Errorf("creating request: %w", err)
-		}
-		request.Header.Set("Accept", "application/vnd.github.v3+json")
-
-		response, err := client.Do(request)
-		if err != nil {
-			return "", err
-		}
-		defer response.Body.Close()
-
-		data, err := io.ReadAll(response.Body)
-		if err != nil {
-			return "", fmt.Errorf("reading response body: %w", err)
-		}
-
-		if response.StatusCode != http.StatusOK {
-			return "", fmt.Errorf("%w: %s: %s", ErrHTTPStatusCodeNotOK, response.Status, data)
-		}
-
-		var tags []struct {
-			Name string `json:"name"`
-		}
-		err = json.Unmarshal(data, &tags)
-		if err != nil {
-			return "", fmt.Errorf("decoding JSON response: %w", err)
-		}
-
-		for _, tag := range tags {
-			if !regexVersion.MatchString(tag.Name) {
-				continue
-			}
-			version := "web-account@" + strings.TrimPrefix(tag.Name, "proton-account@")
-			return version, nil
-		}
-
-		page++
-	}
-
-	return "", fmt.Errorf("%w (queried %d pages)", context.Canceled, page)
-}

internal/provider/providers.go

@@ -21,6 +21,7 @@ import (
 	"github.com/qdm12/gluetun/internal/provider/ivpn"
 	"github.com/qdm12/gluetun/internal/provider/mullvad"
 	"github.com/qdm12/gluetun/internal/provider/nordvpn"
+	"github.com/qdm12/gluetun/internal/provider/ovpn"
 	"github.com/qdm12/gluetun/internal/provider/perfectprivacy"
 	"github.com/qdm12/gluetun/internal/provider/privado"
 	"github.com/qdm12/gluetun/internal/provider/privateinternetaccess"
@@ -54,7 +55,7 @@ type Extractor interface {
 func NewProviders(storage Storage, timeNow func() time.Time,
 	updaterWarner common.Warner, client *http.Client, unzipper common.Unzipper,
 	parallelResolver common.ParallelResolver, ipFetcher common.IPFetcher,
-	extractor custom.Extractor, credentials settings.Updater,
+	extractor custom.Extractor,
 ) *Providers {
 	randSource := rand.NewSource(timeNow().UnixNano())
 
@@ -62,7 +63,7 @@ func NewProviders(storage Storage, timeNow func() time.Time,
 	providerNameToProvider := map[string]Provider{
 		providers.Airvpn:                airvpn.New(storage, randSource, client),
 		providers.Custom:                custom.New(extractor),
-		providers.Cyberghost:            cyberghost.New(storage, randSource, updaterWarner, parallelResolver),
+		providers.Cyberghost:            cyberghost.New(storage, randSource, parallelResolver),
 		providers.Expressvpn:            expressvpn.New(storage, randSource, unzipper, updaterWarner, parallelResolver),
 		providers.Fastestvpn:            fastestvpn.New(storage, randSource, client, updaterWarner, parallelResolver),
 		providers.Giganews:              giganews.New(storage, randSource, unzipper, updaterWarner, parallelResolver),
@@ -71,11 +72,12 @@ func NewProviders(storage Storage, timeNow func() time.Time,
 		providers.Ivpn:                  ivpn.New(storage, randSource, client, updaterWarner, parallelResolver),
 		providers.Mullvad:               mullvad.New(storage, randSource, client),
 		providers.Nordvpn:               nordvpn.New(storage, randSource, client, updaterWarner),
+		providers.Ovpn:                  ovpn.New(storage, randSource, client),
 		providers.Perfectprivacy:        perfectprivacy.New(storage, randSource, unzipper, updaterWarner),
 		providers.Privado:               privado.New(storage, randSource, ipFetcher, unzipper, updaterWarner, parallelResolver),
 		providers.PrivateInternetAccess: privateinternetaccess.New(storage, randSource, timeNow, client),
 		providers.Privatevpn:            privatevpn.New(storage, randSource, unzipper, updaterWarner, parallelResolver),
-		providers.Protonvpn:             protonvpn.New(storage, randSource, client, updaterWarner, *credentials.ProtonUsername, *credentials.ProtonPassword),
+		providers.Protonvpn:             protonvpn.New(storage, randSource, client, updaterWarner),
 		providers.Purevpn:               purevpn.New(storage, randSource, ipFetcher, unzipper, updaterWarner, parallelResolver),
 		providers.SlickVPN:              slickvpn.New(storage, randSource, client, updaterWarner, parallelResolver),
 		providers.Surfshark:             surfshark.New(storage, randSource, client, unzipper, updaterWarner, parallelResolver),

internal/provider/utils/connection.go

@@ -44,8 +44,6 @@ func GetConnection(provider string,
 	}
 
 	protocol := getProtocol(selection)
-	port := getPort(selection, defaults.OpenVPNTCPPort,
-		defaults.OpenVPNUDPPort, defaults.WireguardPort)
 
 	connections := make([]models.Connection, 0, len(servers))
 	for _, server := range servers {
@@ -61,6 +59,9 @@ func GetConnection(provider string,
 				hostname = server.OvpnX509
 			}
 
+			port := getPort(selection, server, defaults.OpenVPNTCPPort,
+				defaults.OpenVPNUDPPort, defaults.WireguardPort)
+
 			connection := models.Connection{
 				Type:        selection.VPN,
 				IP:          ip,

internal/provider/utils/port.go

@@ -6,29 +6,44 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
 )
 
-func getPort(selection settings.ServerSelection,
+func getPort(selection settings.ServerSelection, server models.Server,
 	defaultOpenVPNTCP, defaultOpenVPNUDP, defaultWireguard uint16,
 ) (port uint16) {
 	switch selection.VPN {
 	case vpn.Wireguard:
 		customPort := *selection.Wireguard.EndpointPort
 		if customPort > 0 {
+			// Note: servers filtering ensures the custom port is within the
+			// server ports defined if any is set.
 			return customPort
 		}
+
+		if len(server.PortsUDP) > 0 {
+			defaultWireguard = server.PortsUDP[0]
+		}
 		checkDefined("Wireguard", defaultWireguard)
 		return defaultWireguard
 	default: // OpenVPN
 		customPort := *selection.OpenVPN.CustomPort
 		if customPort > 0 {
+			// Note: servers filtering ensures the custom port is within the
+			// server ports defined if any is set.
 			return customPort
 		}
 		if selection.OpenVPN.Protocol == constants.TCP {
+			if len(server.PortsTCP) > 0 {
+				defaultOpenVPNTCP = server.PortsTCP[0]
+			}
 			checkDefined("OpenVPN TCP", defaultOpenVPNTCP)
 			return defaultOpenVPNTCP
 		}
 
+		if len(server.PortsUDP) > 0 {
+			defaultOpenVPNUDP = server.PortsUDP[0]
+		}
 		checkDefined("OpenVPN UDP", defaultOpenVPNUDP)
 		return defaultOpenVPNUDP
 	}

internal/provider/utils/port_test.go

@@ -6,6 +6,7 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -23,6 +24,7 @@ func Test_GetPort(t *testing.T) {
 
 	testCases := map[string]struct {
 		selection         settings.ServerSelection
+		server            models.Server
 		defaultOpenVPNTCP uint16
 		defaultOpenVPNUDP uint16
 		defaultWireguard  uint16
@@ -49,6 +51,20 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard:  defaultWireguard,
 			port:              defaultOpenVPNUDP,
 		},
+		"OpenVPN_server_port_udp": {
+			selection: settings.ServerSelection{
+				VPN: vpn.OpenVPN,
+				OpenVPN: settings.OpenVPNSelection{
+					CustomPort: uint16Ptr(0),
+					Protocol:   constants.UDP,
+				},
+			},
+			server: models.Server{
+				PortsUDP: []uint16{1234},
+			},
+			defaultOpenVPNUDP: defaultOpenVPNUDP,
+			port:              1234,
+		},
 		"OpenVPN UDP no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.OpenVPN,
@@ -89,6 +105,20 @@ func Test_GetPort(t *testing.T) {
 			},
 			port: 1234,
 		},
+		"OpenVPN_server_port_tcp": {
+			selection: settings.ServerSelection{
+				VPN: vpn.OpenVPN,
+				OpenVPN: settings.OpenVPNSelection{
+					CustomPort: uint16Ptr(0),
+					Protocol:   constants.TCP,
+				},
+			},
+			server: models.Server{
+				PortsTCP: []uint16{1234},
+			},
+			defaultOpenVPNTCP: defaultOpenVPNTCP,
+			port:              1234,
+		},
 		"Wireguard": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -106,6 +136,19 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard: defaultWireguard,
 			port:             1234,
 		},
+		"Wireguard_server_port": {
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+				Wireguard: settings.WireguardSelection{
+					EndpointPort: uint16Ptr(0),
+				},
+			},
+			server: models.Server{
+				PortsUDP: []uint16{1234},
+			},
+			defaultWireguard: defaultWireguard,
+			port:             1234,
+		},
 		"Wireguard no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -121,6 +164,7 @@ func Test_GetPort(t *testing.T) {
 			if testCase.panics != "" {
 				assert.PanicsWithValue(t, testCase.panics, func() {
 					_ = getPort(testCase.selection,
+						testCase.server,
 						testCase.defaultOpenVPNTCP,
 						testCase.defaultOpenVPNUDP,
 						testCase.defaultWireguard)
@@ -129,6 +173,7 @@ func Test_GetPort(t *testing.T) {
 			}
 
 			port := getPort(testCase.selection,
+				testCase.server,
 				testCase.defaultOpenVPNTCP,
 				testCase.defaultOpenVPNUDP,
 				testCase.defaultWireguard)

internal/provider/vpnunlimited/openvpnconf.go

@@ -20,8 +20,8 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 		Ciphers:       []string{openvpn.AES256cbc},
 		Auth:          openvpn.SHA512,
 		CAs: []string{
-			"MIIECjCCA2ygAwIBAgIRAJ/aLZu0PCO7LlOTcPQE9UwwCgYIKoZIzj0EAwQwgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFzAVBgNVBAoMDktlZXBTb2xpZCBJbmMuMR4wHAYDVQQLDBVLZWVwU29saWQgVlBOIFJvb3QgQ0ExHjAcBgNVBAMMFUtlZXBTb2xpZCBWUE4gUm9vdCBDQTEjMCEGCSqGSIb3DQEJARYUYWRtaW5zQGtlZXBzb2xpZC5jb20wHhcNMjUwMzMxMTQ0OTU4WhcNMzAwNjEzMTQ0OTU4WjCBqTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEXMBUGA1UECgwOS2VlcFNvbGlkIEluYy4xHTAbBgNVBAsMFEtlZXBTb2xpZCBPcGVuVlBOIENBMR0wGwYDVQQDDBRLZWVwU29saWQgT3BlblZQTiBDQTEjMCEGCSqGSIb3DQEJARYUYWRtaW5zQGtlZXBzb2xpZC5jb20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAEHfJRyn9MZ7HQctQULIxVUNFFw+tWetokml5PvIsS1i3mM4NQnj0HHL5zCCQRKUmSiiWtGvbGlsHEWX/hz+NiVoQGjMqBD2ykdLimiFrceonIofEBZW8to6jTjG3wmJkRykDqsuLyBLUKGc2F5dR3YFGgwyDoRz0NaAYI+qgqWfE+cVaOCASwwggEoMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFB4IhTj1gStDx+fNq+ubBcr+lEbwMIHrBgNVHSMEgeMwgeCAFOEcFx6OcN8T1R8lTdCLhFlYuk5joYGxpIGuMIGrMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxETAPBgNVBAcMCE5ldyBZb3JrMRcwFQYDVQQKDA5LZWVwU29saWQgSW5jLjEeMBwGA1UECwwVS2VlcFNvbGlkIFZQTiBSb290IENBMR4wHAYDVQQDDBVLZWVwU29saWQgVlBOIFJvb3QgQ0ExIzAhBgkqhkiG9w0BCQEWFGFkbWluc0BrZWVwc29saWQuY29tghRnfb8jJuxu5dJzLm5ZdurkedrxzjALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwQDgYsAMIGHAkIBg8Cdu474VlljCoP8WEr6xErKL6Bygy5+SO1Ey0Uu3B7q8R22F0EWvrOmqmyNZ3oRyqhpUGaEBqB2aqDGT7u7wGsCQUP3nyMlDbXqCF05byMbhQrBsCz1nyqDNnfzM2uGmT09XwWXGCYTIGdynyJJLzdOlpf3T19ZLvqLSf6Kvq45u6si",         //nolint:lll
-			"MIIEEDCCA3GgAwIBAgIUZ32/IybsbuXScy5uWXbq5Hna8c4wCgYIKoZIzj0EAwQwgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFzAVBgNVBAoMDktlZXBTb2xpZCBJbmMuMR4wHAYDVQQLDBVLZWVwU29saWQgVlBOIFJvb3QgQ0ExHjAcBgNVBAMMFUtlZXBTb2xpZCBWUE4gUm9vdCBDQTEjMCEGCSqGSIb3DQEJARYUYWRtaW5zQGtlZXBzb2xpZC5jb20wHhcNMjUwMzMxMTQ0NTUzWhcNMzUwODI2MTQ0NTUzWjCBqzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEXMBUGA1UECgwOS2VlcFNvbGlkIEluYy4xHjAcBgNVBAsMFUtlZXBTb2xpZCBWUE4gUm9vdCBDQTEeMBwGA1UEAwwVS2VlcFNvbGlkIFZQTiBSb290IENBMSMwIQYJKoZIhvcNAQkBFhRhZG1pbnNAa2VlcHNvbGlkLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAN77xqCz3wrFDnRMtggwScgvO6wPFZYECTUu5WW0JaowgmuIgo+BiQQyTeUzJEICulc1Hg7EaUEV+z8jsSrB+4/EAWazn/ufWOx/51fa5FCv4YooCbgLPb1CzYDuTc7MUR5PLQ88o3W01wCCgT8RoNH8uChyPBLUBh2f4rUfpzl20Bqdo4IBLDCCASgwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU4RwXHo5w3xPVHyVN0IuEWVi6TmMwgesGA1UdIwSB4zCB4IAU4RwXHo5w3xPVHyVN0IuEWVi6TmOhgbGkga4wgasxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFzAVBgNVBAoMDktlZXBTb2xpZCBJbmMuMR4wHAYDVQQLDBVLZWVwU29saWQgVlBOIFJvb3QgQ0ExHjAcBgNVBAMMFUtlZXBTb2xpZCBWUE4gUm9vdCBDQTEjMCEGCSqGSIb3DQEJARYUYWRtaW5zQGtlZXBzb2xpZC5jb22CFGd9vyMm7G7l0nMubll26uR52vHOMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBAOBjAAwgYgCQgCZtqE+wXwH0ixjWafX3SClp8O3bYeyB/7jbzf8MprXRYBVQ8JjvugjaZTvX82Uy++LaN3oHqK+NUhJUdfZx/eIuQJCAad7HpsKyTYuUUkgAgWXJma4MstxyO9PVRNYozi1oc45Z8deSvwy404n3u1kY5QXLZQaaMY7m2pF+ECs4WkKCh5s", //nolint:lll
+			"MIID7jCCA1CgAwIBAgIQQTT3w3N+5i8OMfe565xaSjAKBggqhkjOPQQDBDCBojELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5ZMREwDwYDVQQHDAhOZXcgWW9yazEXMBUGA1UECgwOS2VlcFNvbGlkIEluYy4xGjAYBgNVBAsMEUtlZXBTb2xpZCBSb290IENBMRowGAYDVQQDDBFLZWVwU29saWQgUm9vdCBDQTEiMCAGCSqGSIb3DQEJARYTYWRtaW5Aa2VlcHNvbGlkLmNvbTAeFw0yMDA0MDExNjI3MTRaFw0yNTAzMzExNjI3MTRaMIGgMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxETAPBgNVBAcMCE5ldyBZb3JrMRcwFQYDVQQKDA5LZWVwU29saWQgSW5jLjEVMBMGA1UECwwMS2VlcFNvbGlkIENBMR0wGwYDVQQDDBRPcGVuVlBOIFNlcnZlciBTdWJDQTEiMCAGCSqGSIb3DQEJARYTYWRtaW5Aa2VlcHNvbGlkLmNvbTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAR9nmoZUraRSSPUhYwIQBLSx+phJdIlqU7F7Hszh95ivnWYkwuizKLaUYy6lSISDohlUtQl9URBlRrGroVctOGlOAdpL2ARTljw5gmUcaavc5cvLiAV7fPJ7BFUgVxInmaVcaMlDwGgKLxmjU2Fw85VLROHbWQjYc93x/BTSFcYO/np4o4IBIzCCAR8wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUrUCjH8xe37lJihyzpqjWwxxNOiswgeIGA1UdIwSB2jCB14AU/LRRnTRaEbxct895Pk9DoymNQIqhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFzAVBgNVBAoMDktlZXBTb2xpZCBJbmMuMRowGAYDVQQLDBFLZWVwU29saWQgUm9vdCBDQTEaMBgGA1UEAwwRS2VlcFNvbGlkIFJvb3QgQ0ExIjAgBgkqhkiG9w0BCQEWE2FkbWluQGtlZXBzb2xpZC5jb22CFEssZFYAz8WhYnIDxLeDgKTLD8p2MAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBAOBiwAwgYcCQgGuK8UNnpE8k8hAamnT9gxCSs5APqrgmdLe6BxYSz7AptpF2/MPzLFsXgj4YxC6vJP8Rs8e3Hw9VJ7DF0aYgu8DvQJBeyFWjRnk8kmu2zEU+wF9fkvN9AJ7v0xF0iEaFVsdPKv6sJQP1sAL+AIepJQ7TYvh9Q9G/WaRCfItCtcOAEz3SKA=",             //nolint:lll
+			"MIID9zCCA1igAwIBAgIUSyxkVgDPxaFicgPEt4OApMsPynYwCgYIKoZIzj0EAwQwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFzAVBgNVBAoMDktlZXBTb2xpZCBJbmMuMRowGAYDVQQLDBFLZWVwU29saWQgUm9vdCBDQTEaMBgGA1UEAwwRS2VlcFNvbGlkIFJvb3QgQ0ExIjAgBgkqhkiG9w0BCQEWE2FkbWluQGtlZXBzb2xpZC5jb20wIBcNMTkxMjMxMTY1NzMyWhgPMjA1NzA1MTUxNjU3MzJaMIGiMQswCQYDVQQGEwJVUzELMAkGA1UECAwCTlkxETAPBgNVBAcMCE5ldyBZb3JrMRcwFQYDVQQKDA5LZWVwU29saWQgSW5jLjEaMBgGA1UECwwRS2VlcFNvbGlkIFJvb3QgQ0ExGjAYBgNVBAMMEUtlZXBTb2xpZCBSb290IENBMSIwIAYJKoZIhvcNAQkBFhNhZG1pbkBrZWVwc29saWQuY29tMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBlmcBvPVcV7mVgiUVkO9Dh8b4Hdw/eyU8OLWJ0qyRiqI1q0ad1cxgi6asy33xwilrMkRxhArDSfB87zpUpUboTEMBSf9n+dCoGRncGfW9G+8IvhzPY3Z3nzVHBGhoKlN1jsCuKzzpjGawqTAeCkJNBPQNd75Dp6Tgl198bAowD+iPX3WjggEjMIIBHzAdBgNVHQ4EFgQU/LRRnTRaEbxct895Pk9DoymNQIowgeIGA1UdIwSB2jCB14AU/LRRnTRaEbxct895Pk9DoymNQIqhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOWTERMA8GA1UEBwwITmV3IFlvcmsxFzAVBgNVBAoMDktlZXBTb2xpZCBJbmMuMRowGAYDVQQLDBFLZWVwU29saWQgUm9vdCBDQTEaMBgGA1UEAwwRS2VlcFNvbGlkIFJvb3QgQ0ExIjAgBgkqhkiG9w0BCQEWE2FkbWluQGtlZXBzb2xpZC5jb22CFEssZFYAz8WhYnIDxLeDgKTLD8p2MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMAoGCCqGSM49BAMEA4GMADCBiAJCAbDIYRjZYaDwMf8Gq4udKVS4aWtZt73lVulCVmr951tQ9J2Dzh4OEQZvU5+M688o2N/fVxNQoxwm/NsiJxpc/prQAkIBiRbrcEGvalu9h6UqE6yAXe0JZcF5xn/BIe5XygglOput4kvZKLKtIqPe2bwBmL/dqq6XDL7s5QaTWPo5MtpzGjA=", //nolint:lll
 		},
 		ExtraLines: []string{
 			"route-metric 1",

internal/publicip/loop.go

@@ -114,11 +114,6 @@ func (l *Loop) run(runCtx context.Context, runDone chan<- struct{},
 			continue
 		}
 
-		if !*l.settings.Enabled {
-			singleRunResult <- nil
-			continue
-		}
-
 		result, err := l.fetcher.FetchInfo(singleRunCtx, netip.Addr{})
 		if err != nil {
 			err = fmt.Errorf("fetching information: %w", err)

internal/server/middlewares/log/middleware.go

@@ -38,7 +38,7 @@ func (m *logMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	m.childHandler.ServeHTTP(statefulWriter, r)
 	duration := m.timeNow().Sub(tStart)
 	m.logger.Info(strconv.Itoa(statefulWriter.statusCode) + " " +
-		r.Method + " " + r.URL.String() +
+		r.Method + " " + r.RequestURI +
 		" wrote " + strconv.Itoa(statefulWriter.length) + "B to " +
 		r.RemoteAddr + " in " + duration.String())
 }

internal/storage/filter.go

@@ -2,6 +2,7 @@ package storage
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 
 	"github.com/qdm12/gluetun/internal/configuration/settings"
@@ -121,6 +122,10 @@ func filterServer(server models.Server,
 		return true
 	}
 
+	if filterByPorts(selection, server.PortsTCP) {
+		return true
+	}
+
 	// TODO filter port forward server for PIA
 
 	return false
@@ -164,3 +169,21 @@ func filterByProtocol(selection settings.ServerSelection,
 		return (wantTCP && !serverTCP) || (wantUDP && !serverUDP)
 	}
 }
+
+func filterByPorts(selection settings.ServerSelection,
+	serverPorts []uint16,
+) (filtered bool) {
+	if len(serverPorts) == 0 {
+		return false
+	}
+
+	customPort := *selection.OpenVPN.CustomPort
+	if selection.VPN == vpn.Wireguard {
+		customPort = *selection.Wireguard.EndpointPort
+	}
+	if customPort == 0 {
+		return false
+	}
+
+	return !slices.Contains(serverPorts, customPort)
+}

internal/storage/formatting.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
+	"github.com/qdm12/gluetun/internal/constants/vpn"
 )
 
 func commaJoin(slice []string) string {
@@ -16,7 +17,7 @@ func commaJoin(slice []string) string {
 
 var ErrNoServerFound = errors.New("no server found")
 
-func noServerFoundError(selection settings.ServerSelection) (err error) {
+func noServerFoundError(selection settings.ServerSelection) (err error) { //nolint:gocyclo
 	var messageParts []string
 
 	messageParts = append(messageParts, "VPN "+selection.VPN)
@@ -153,6 +154,15 @@ func noServerFoundError(selection settings.ServerSelection) (err error) {
 			"target ip address "+selection.TargetIP.String())
 	}
 
+	customPort := *selection.OpenVPN.CustomPort
+	if selection.VPN == vpn.Wireguard {
+		customPort = *selection.Wireguard.EndpointPort
+	}
+	if customPort > 0 {
+		messageParts = append(messageParts,
+			fmt.Sprintf("%s endpoint port %d", selection.VPN, customPort))
+	}
+
 	message := "for " + strings.Join(messageParts, "; ")
 
 	return fmt.Errorf("%w: %s", ErrNoServerFound, message)

internal/updater/providers.go

@@ -29,7 +29,7 @@ func (u *Updater) updateProvider(ctx context.Context, provider Provider,
 			u.logger.Warn("note: if running the update manually, you can use the flag " +
 				"-minratio to allow the update to succeed with less servers found")
 		}
-		return fmt.Errorf("getting %s servers: %w", providerName, err)
+		return fmt.Errorf("getting servers: %w", err)
 	}
 
 	for _, server := range servers {

internal/updater/updater.go

@@ -2,11 +2,9 @@ package updater
 
 import (
 	"context"
-	"errors"
 	"net/http"
 	"time"
 
-	"github.com/qdm12/gluetun/internal/provider/common"
 	"github.com/qdm12/gluetun/internal/updater/unzip"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
@@ -50,22 +48,22 @@ func (u *Updater) UpdateServers(ctx context.Context, providers []string,
 		// TODO support servers offering only TCP or only UDP
 		// for NordVPN and PureVPN
 		err := u.updateProvider(ctx, fetcher, minRatio)
-		switch {
-		case err == nil:
+		if err == nil {
 			continue
-		case errors.Is(err, common.ErrCredentialsMissing):
-			u.logger.Warn(err.Error() + " - skipping update for " + providerName)
-			continue
-		case len(providers) == 1:
-			// return the only error for the single provider.
-			return err
-		case ctx.Err() != nil:
-			// stop updating other providers if context is done
-			return ctx.Err()
-		default: // error encountered updating one of multiple providers
-			// Log the error and continue updating the next provider.
-			u.logger.Error(err.Error())
 		}
+
+		// return the only error for the single provider.
+		if len(providers) == 1 {
+			return err
+		}
+
+		// stop updating the next providers if context is canceled.
+		if ctxErr := ctx.Err(); ctxErr != nil {
+			return ctxErr
+		}
+
+		// Log the error and continue updating the next provider.
+		u.logger.Error(err.Error())
 	}
 
 	return nil

internal/wireguard/route.go

@@ -32,14 +32,9 @@ func (w *Wireguard) addRoutes(link netlink.Link, destinations []netip.Prefix,
 func (w *Wireguard) addRoute(link netlink.Link, dst netip.Prefix,
 	firewallMark uint32,
 ) (err error) {
-	family := netlink.FamilyV4
-	if dst.Addr().Is6() {
-		family = netlink.FamilyV6
-	}
 	route := netlink.Route{
 		LinkIndex: link.Index,
 		Dst:       dst,
-		Family:    family,
 		Table:     int(firewallMark),
 	}
 

internal/wireguard/route_test.go

@@ -37,7 +37,6 @@ func Test_Wireguard_addRoute(t *testing.T) {
 			expectedRoute: netlink.Route{
 				LinkIndex: linkIndex,
 				Dst:       ipPrefix,
-				Family:    netlink.FamilyV4,
 				Table:     firewallMark,
 			},
 		},
@@ -50,7 +49,6 @@ func Test_Wireguard_addRoute(t *testing.T) {
 			expectedRoute: netlink.Route{
 				LinkIndex: linkIndex,
 				Dst:       ipPrefix,
-				Family:    netlink.FamilyV4,
 				Table:     firewallMark,
 			},
 			routeAddErr: errDummy,