feat(nordvpn): filter with SERVER_CATEGORIES (#1806 )

- update NordVPN servers data built-in
feat(nordvpn): update mechanism uses v2 API
2024-03-22 10:02:31 +01:00 · 2024-03-21 17:02:25 +00:00 · 2024-03-21 17:02:11 +00:00 · 2024-03-21 10:08:41 +01:00 · 2024-03-21 08:18:14 +00:00 · 2024-03-21 07:36:56 +00:00
795 changed files with 335978 additions and 19794 deletions
--- a/.devcontainer/.dockerignore
+++ b/.devcontainer/.dockerignore
@@ -0,0 +1,5 @@
 .dockerignore
 devcontainer.json
 docker-compose.yml
 Dockerfile
 README.md
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,2 @@
 FROM qmcgaw/godevcontainer
 RUN apk add wireguard-tools htop openssl
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -0,0 +1,69 @@
 # Development container
 Development container that can be used with VSCode.
 It works on Linux, Windows and OSX.
 ## Requirements
 - [VS code](https://code.visualstudio.com/download) installed
 - [VS code remote containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers) installed
 - [Docker](https://www.docker.com/products/docker-desktop) installed and running
 - [Docker Compose](https://docs.docker.com/compose/install/) installed
 ## Setup
 1. Create the following files on your host if you don't have them:
    ```sh
    touch ~/.gitconfig ~/.zsh_history
    ```
    Note that the development container will create the empty directories `~/.docker`, `~/.ssh` and `~/.kube` if you don't have them.
 1. **For Docker on OSX or Windows without WSL**: ensure your home directory `~` is accessible by Docker.
 1. Open the command palette in Visual Studio Code (CTRL+SHIFT+P).
 1. Select `Remote-Containers: Open Folder in Container...` and choose the project directory.
 ## Customization
 ### Customize the image
 You can make changes to the [Dockerfile](Dockerfile) and then rebuild the image. For example, your Dockerfile could be:
 ```Dockerfile
 FROM qmcgaw/godevcontainer
 RUN apk add curl
 ```
 To rebuild the image, either:
 - With VSCode through the command palette, select `Remote-Containers: Rebuild and reopen in container`
 - With a terminal, go to this directory and `docker-compose build`
 ### Customize VS code settings
 You can customize **settings** and **extensions** in the [devcontainer.json](devcontainer.json) definition file.
 ### Entrypoint script
 You can bind mount a shell script to `/root/.welcome.sh` to replace the [current welcome script](https://github.com/qdm12/godevcontainer/blob/master/shell/.welcome.sh).
 ### Publish a port
 To access a port from your host to your development container, publish a port in [docker-compose.yml](docker-compose.yml). You can also now do it directly with VSCode without restarting the container.
 ### Run other services
 1. Modify [docker-compose.yml](docker-compose.yml) to launch other services at the same time as this development container, such as a test database:
    ```yml
      database:
        image: postgres
        restart: always
        environment:
          POSTGRES_PASSWORD: password
    ```
 1. In [devcontainer.json](devcontainer.json), change the line `"runServices": ["vscode"],` to `"runServices": ["vscode", "database"],`.
 1. In the VS code command palette, rebuild the container.
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,72 +1,73 @@
-{
+{
-    "name": "pia-dev",
+    "name": "gluetun-dev",
-    "dockerComposeFile": [
+    "dockerComposeFile": [
-        "docker-compose.yml"
+        "docker-compose.yml"
-    ],
+    ],
-    "service": "vscode",
+    "service": "vscode",
-    "runServices": [
+    "runServices": [
-        "vscode"
+        "vscode"
-    ],
+    ],
-    "shutdownAction": "stopCompose",
+    "shutdownAction": "stopCompose",
-    "postCreateCommand": "go mod download",
+    "postCreateCommand": "~/.windows.sh && go mod download && go mod tidy",
-    "workspaceFolder": "/workspace",
+    "workspaceFolder": "/workspace",
-    "extensions": [
+    // "overrideCommand": "",
-        "golang.go",
+    "customizations": {
-        "IBM.output-colorizer",
+        "vscode": {
-        "eamodio.gitlens",
+            "extensions": [
-        "mhutchie.git-graph",
+                "golang.go",
-        "davidanson.vscode-markdownlint",
+                "eamodio.gitlens", // IDE Git information
-        "shardulm94.trailing-spaces",
+                "davidanson.vscode-markdownlint",
-        "alefragnani.Bookmarks",
+                "ms-azuretools.vscode-docker", // Docker integration and linting
-        "Gruntfuggly.todo-tree",
+                "shardulm94.trailing-spaces", // Show trailing spaces
-        "mohsen1.prettify-json",
+                "Gruntfuggly.todo-tree", // Highlights TODO comments
-        "quicktype.quicktype",
+                "bierner.emojisense", // Emoji sense for markdown
-        "spikespaz.vscode-smoothtype",
+                "stkb.rewrap", // rewrap comments after n characters on one line
-        "stkb.rewrap",
+                "vscode-icons-team.vscode-icons", // Better file extension icons
-        "vscode-icons-team.vscode-icons"
+                "github.vscode-pull-request-github", // Github interaction
-    ],
+                "redhat.vscode-yaml", // Kubernetes, Drone syntax highlighting
-    "settings": {
+                "bajdzis.vscode-database", // Supports connections to mysql or postgres, over SSL, socked
-        // General settings
+                "IBM.output-colorizer", // Colorize your output/test logs
-        "files.eol": "\n",
+                "github.copilot" // AI code completion
-        // Docker
+            ],
-        "remote.extensionKind": {
+            "settings": {
-            "ms-azuretools.vscode-docker": "workspace"
+                "files.eol": "\n",
-        },
+                "remote.extensionKind": {
-        // Golang general settings
+                    "ms-azuretools.vscode-docker": "workspace"
-        "go.useLanguageServer": true,
+                },
-        "go.autocompleteUnimportedPackages": true,
+                "go.useLanguageServer": true,
-        "go.gotoSymbol.includeImports": true,
+                "[go]": {
-        "go.gotoSymbol.includeGoroot": true,
+                    "editor.codeActionsOnSave": {
-        "gopls": {
+                        "source.organizeImports": true
-            "completeUnimported": true,
+                    }
-            "deepCompletion": true,
+                },
-            "usePlaceholders": false
+                "[go.mod]": {
-        },
+                    "editor.codeActionsOnSave": {
-        "go.lintTool": "golangci-lint",
+                        "source.organizeImports": true
-        // Golang on save
+                    }
-        "go.buildOnSave": "workspace",
+                },
-        "go.lintOnSave": "workspace",
+                "gopls": {
-        "go.vetOnSave": "workspace",
+                    "usePlaceholders": false,
-        "editor.formatOnSave": true,
+                    "staticcheck": true
-        "[go]": {
+                },
-            "editor.codeActionsOnSave": {
+                "go.lintTool": "golangci-lint",
-                "source.organizeImports": true
+                "go.lintOnSave": "package",
-            }
+                "editor.formatOnSave": true,
-        },
+                "go.buildTags": "linux",
-        // Golang testing
+                "go.toolsEnvVars": {
-        "go.toolsEnvVars": {
+                    "CGO_ENABLED": "0"
-            "GOFLAGS": "-tags=integration"
+                },
-        },
+                "go.testEnvVars": {
-        "gopls.env": {
+                    "CGO_ENABLED": "1"
-            "GOFLAGS": "-tags=integration"
+                },
-        },
+                "go.testFlags": [
-        "go.testEnvVars": {},
+                    "-v",
-        "go.testFlags": [
+                    "-race"
-            "-v",
+                ],
-            // "-race"
+                "go.testTimeout": "10s",
-        ],
+                "go.coverOnSingleTest": true,
-        "go.testTimeout": "600s",
+                "go.coverOnSingleTestFile": true,
-        "go.coverOnSingleTestFile": true,
+                "go.coverOnTestPackage": true
-        "go.coverOnSingleTest": true
+            }
-    }
+        }
    }
 }
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -1,15 +1,28 @@
-version: "3.7"
+version: "3.7"
-
+
-services:
+services:
-  vscode:
+  vscode:
-    image: qmcgaw/godevcontainer
+    build: .
-    volumes:
+    volumes:
-      - ../:/workspace
+      - ../:/workspace
-      - ~/.ssh:/home/vscode/.ssh
+      # Docker socket to access Docker server
-      - ~/.ssh:/root/.ssh
+      - /var/run/docker.sock:/var/run/docker.sock
-      - /var/run/docker.sock:/var/run/docker.sock
+      # SSH directory for Linux, OSX and WSL
-    cap_add:
+      # On Linux and OSX, a symlink /mnt/ssh <-> ~/.ssh is
-      - SYS_PTRACE
+      # created in the container. On Windows, files are copied
-    security_opt:
+      # from /mnt/ssh to ~/.ssh to fix permissions.
-      - seccomp:unconfined
+      - ~/.ssh:/mnt/ssh
-    entrypoint: zsh -c "while sleep 1000; do :; done"
+      # Shell history persistence
      - ~/.zsh_history:/root/.zsh_history
      # Git config
      - ~/.gitconfig:/root/.gitconfig
    environment:
      - TZ=
    cap_add:
      # For debugging with dlv
      - SYS_PTRACE
      - NET_ADMIN
    security_opt:
      # For debugging with dlv
      - seccomp:unconfined
    entrypoint: [ "zsh", "-c", "while sleep 1000; do :; done" ]
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,11 +1,9 @@
 .devcontainer
 .git
 .github
 .vscode
 cmd
 !cmd/gluetun
 doc
 docker-compose.yml
 Dockerfile
 LICENSE
 README.md
 title.svg
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -7,23 +7,12 @@ Contributions are [released](https://help.github.com/articles/github-terms-of-se
 1. [Fork](https://github.com/qdm12/gluetun/fork) and clone the repository
 1. Create a new branch `git checkout -b my-branch-name`
 1. Modify the code
-1. Ensure the docker build succeeds `docker build .`
+1. Ensure the docker build succeeds `docker build .` (you might need `export DOCKER_BUILDKIT=1`)
 1. Commit your modifications
 1. Push to your fork and [submit a pull request](https://github.com/qdm12/gluetun/compare)
 ## Resources
 - [Gluetun guide on development](https://github.com/qdm12/gluetun-wiki/blob/main/contributing/development.md)
 - [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
 - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
 ## Contributors
 Thanks for all the contributions, whether small or not so small!
 - [@JeordyR](https://github.com/JeordyR) for testing the Mullvad version and opening a [PR with a few fixes](https://github.com/qdm12/gluetun/pull/84/files) 👍
 - [@rorph](https://github.com/rorph) for a [PR to pick a random region for PIA](https://github.com/qdm12/gluetun/pull/70) and a [PR to make the container work with kubernetes](https://github.com/qdm12/gluetun/pull/69)
 - [@JesterEE](https://github.com/JesterEE) for a [PR to fix silly line endings in block lists back then](https://github.com/qdm12/gluetun/pull/55) 📎
 - [@elmerfdz](https://github.com/elmerfdz) for a [PR to add timezone information to have correct log timestampts](https://github.com/qdm12/gluetun/pull/51) 🕙
 - [@Juggels](https://github.com/Juggels) for a [PR to write the PIA forwarded port to a file](https://github.com/qdm12/gluetun/pull/43)
 - [@gdlx](https://github.com/gdlx) for a [PR to fix and improve PIA port forwarding script](https://github.com/qdm12/gluetun/pull/32)
 - [@janaz](https://github.com/janaz) for keeping an eye on [updating things in the Dockerfile](https://github.com/qdm12/gluetun/pull/8)
--- a/.github/ISSUE_TEMPLATE/bug.md
+++ b/.github/ISSUE_TEMPLATE/bug.md
@@ -1,37 +0,0 @@
 ---
 name: Bug
 about: Report a bug
 title: 'Bug: ...'
 labels: ":bug: bug"
 assignees: qdm12
 ---
 **Host OS** (approximate answer is fine too): Ubuntu 18
 **Is this urgent?**: No
 **What VPN provider are you using**:
 **What are you using to run your container?**: Docker Compose
 **What is the version of the program** (See the line at the top of your logs)
 ```
 Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)
 ```
 **What's the problem** 🤔
 That feature doesn't work
 **Share your logs...**
 ...*careful to remove i.e. token information with PIA port forwarding*
 ```log
 PASTE YOUR LOGS
 IN THERE
 ```
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -0,0 +1,116 @@
 name: Bug
 description: Report a bug
 title: "Bug: "
 labels: [":bug: bug"]
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to fill out this bug report!
        ⚠️ Your issue will be instantly closed as not planned WITHOUT explanation if:
        - you do not fill out **the title of the issue** ☝️
        - you do not provide the **Gluetun version** as requested below
        - you provide **less than 10 lines of logs** as requested below
  - type: dropdown
    id: urgent
    attributes:
      label: Is this urgent?
      description: |
        Is this a critical bug, or do you need this fixed urgently?
        If this is urgent, note you can use one of the [image tags available](https://github.com/qdm12/gluetun-wiki/blob/main/setup/docker-image-tags.md) if that can help.
      options:
        - "No"
        - "Yes"
  - type: input
    id: host-os
    attributes:
      label: Host OS
      description: What is your host OS?
      placeholder: "Debian Buster"
  - type: dropdown
    id: cpu-arch
    attributes:
      label: CPU arch
      description: You can find it on Linux with `uname -m`.
      options:
        - x86_64
        - aarch64
        - armv7l
        - "386"
        - s390x
        - ppc64le
  - type: dropdown
    id: vpn-service-provider
    attributes:
      label: VPN service provider
      options:
        - AirVPN
        - Custom
        - Cyberghost
        - ExpressVPN
        - FastestVPN
        - HideMyAss
        - IPVanish
        - IVPN
        - Mullvad
        - NordVPN
        - Privado
        - Private Internet Access
        - PrivateVPN
        - ProtonVPN
        - PureVPN
        - SlickVPN
        - Surfshark
        - TorGuard
        - VPNSecure.me
        - VPNUnlimited
        - VyprVPN
        - WeVPN
        - Windscribe
    validations:
      required: true
  - type: dropdown
    id: docker
    attributes:
      label: What are you using to run the container
      options:
        - docker run
        - docker-compose
        - Portainer
        - Kubernetes
        - Podman
        - Unraid
        - Other
    validations:
      required: true
  - type: input
    id: version
    attributes:
      label: What is the version of Gluetun
      description: |
        Copy paste the version line at the top of your logs.
        It MUST be in the form `Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)`.
    validations:
      required: true
  - type: textarea
    id: problem
    attributes:
      label: "What's the problem 🤔"
      placeholder: "That feature does not work..."
    validations:
      required: true
  - type: textarea
    id: logs
    attributes:
      label: Share your logs (at least 10 lines)
      description: No sensitive information is logged out except when running with `LOG_LEVEL=debug`.
      render: plain text
    validations:
      required: true
  - type: textarea
    id: config
    attributes:
      label: Share your configuration
      description: Share your configuration such as `docker-compose.yml`. Ensure to remove credentials.
      render: yml
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,10 @@
 contact_links:
  - name: Report a Wiki issue
    url: https://github.com/qdm12/gluetun-wiki/issues/new
    about: Please create an issue on the gluetun-wiki repository.
  - name: Configuration help?
    url: https://github.com/qdm12/gluetun/discussions/new
    about: Please create a Github discussion.
  - name: Unraid template issue
    url: https://github.com/qdm12/gluetun/discussions/550
    about: Please read the relevant Github discussion.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,17 +0,0 @@
 ---
 name: Feature request
 about: Suggest a feature to add to this project
 title: 'Feature request: FILL THIS TEXT!'
 labels: ":bulb: feature request"
 assignees: qdm12
 ---
 **What's the feature?** 🧐
 - Support this new feature because that and that
 **Optional extra information** 🚀
 - I tried `docker run something` and it doesn't work
 - That [url](https://github.com/qdm12/gluetun) is interesting
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -0,0 +1,19 @@
 name: Feature request
 description: Suggest a feature to add to Gluetun
 title: "Feature request: "
 labels: [":bulb: feature request"]
 body:
  - type: textarea
    id: description
    attributes:
      label: "What's the feature 🧐"
      placeholder: "Make the tunnel resistant to earth quakes"
    validations:
      required: true
  - type: textarea
    id: extra
    attributes:
      label: "Extra information and references"
      placeholder: |
        - I tried `docker run something` and it doesn't work
        - That [url](https://github.com/qdm12/gluetun) is interesting
--- a/.github/ISSUE_TEMPLATE/help.md
+++ b/.github/ISSUE_TEMPLATE/help.md
@@ -1,53 +0,0 @@
 ---
 name: Help
 about: Ask for help
 title: 'Help: ...'
 labels: ":pray: help wanted"
 assignees:
 ---
 **Host OS** (approximate answer is fine too): Ubuntu 18
 **Is this urgent?**: No
 **What VPN provider are you using**:
 **What is the version of the program** (See the line at the top of your logs)
 ```
 Running version latest built on 2020-03-13T01:30:06Z (commit d0f678c)
 ```
 **What's the problem** 🤔
 That feature doesn't work
 **Share your logs...**
 ...*careful to remove i.e. token information with PIA port forwarding*
 ```log
 PASTE YOUR LOGS
 IN THERE
 ```
 **What are you using to run your container?**: Docker Compose
 Please also share your configuration file:
 ```yml
 your .yml
 content
 in here
 ```
 or
 ```sh
 # your docker
 # run command
 # in here
 ```
--- a/.github/ISSUE_TEMPLATE/provider.md
+++ b/.github/ISSUE_TEMPLATE/provider.md
@@ -0,0 +1,17 @@
 ---
 name: Support a VPN provider
 about: Suggest a VPN provider to be supported
 title: 'VPN provider support: NAME OF THE PROVIDER'
 labels: ":bulb: New provider"
 ---
 One of the following is required:
 - Publicly accessible URL to a zip file containing the Openvpn configuration files
 - Publicly accessible URL to a structured (JSON etc.) list of servers **and attach** an example Openvpn configuration file for both TCP and UDP
 - Publicly accessible URL to the list of servers **and attach** an example Openvpn configuration file for both TCP and UDP
 If the list of servers requires to login **or** is hidden behind an interactive configurator,
 you can only use a custom Openvpn configuration file.
 [The Wiki's OpenVPN configuration file page](https://github.com/qdm12/gluetun-wiki/blob/main/setup/openvpn-configuration-file.md) describes how to do so.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,15 @@
 version: 2
 updates:
  # Maintain dependencies for GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: "daily"
  - package-ecosystem: gomod
    directory: /
    schedule:
      interval: "daily"
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -1,58 +1,124 @@
- name: "Bug :bug:"
+# Temporary status
-  color: "b60205"
+- name: "🗯️ Waiting for feedback"
  color: "aadefa"
  description: ""
- name: "Feature request :bulb:"
+- name: "🔴 Blocked"
-  color: "0e8a16"
+  color: "ff3f14"
  description: "Blocked by another issue or pull request"
 - name: "🔒 After next release"
  color: "e8f274"
  description: "Will be done after the next release"
 # Priority
 - name: "🚨 Urgent"
  color: "d5232f"
  description: ""
- name: "Help wanted :pray:"
+- name: "💤 Low priority"
-  color: "4caf50"
+  color: "4285f4"
  description: ""
- name: "Documentation :memo:"
+
-  color: "c5def5"
+# Complexity
 - name: "☣️ Hard to do"
  color: "7d0008"
  description: ""
- name: "Needs more info :thinking:"
+- name: "🟩 Easy to do"
-  color: "795548"
+  color: "34cf43"
  description: ""
 # VPN providers
 - name: ":cloud: AirVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Cyberghost"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: HideMyAss"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: IPVanish"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: IVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: ExpressVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: FastestVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Mullvad"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: NordVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Perfect Privacy"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: PIA"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Privado"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: PrivateVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: ProtonVPN"
  color: "cfe8d4"
 - name: ":cloud: PureVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: SlickVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Surfshark"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Torguard"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: VPNSecure.me"
  color: "cfe8d4"
 - name: ":cloud: VPNUnlimited"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Vyprvpn"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: WeVPN"
  color: "cfe8d4"
  description: ""
 - name: ":cloud: Windscribe"
  color: "cfe8d4"
  description: ""
 # Problem category
 - name: "Config problem"
  color: "ffc7ea"
  description: ""
 - name: "Openvpn"
  color: "ffc7ea"
  description: ""
 - name: "Wireguard"
  color: "ffc7ea"
  description: ""
 - name: "Unbound (DNS over TLS)"
  color: "ffc7ea"
  description: ""
 - name: "Firewall"
  color: "ffc7ea"
  description: ""
 - name: "Routing"
  color: "ffc7ea"
  description: ""
 - name: "IPv6"
  color: "ffc7ea"
  description: ""
 - name: "Port forwarding"
  color: "ffc7ea"
  description: ""
 - name: "HTTP proxy"
  color: "ffc7ea"
  description: ""
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,34 +0,0 @@
 name: Docker build
 on:
  pull_request:
    branches: [master]
    paths-ignore:
      - .devcontainer
      - .github/ISSUE_TEMPLATE
      - .github/workflows/buildx-release.yml
      - .github/workflows/buildx-branch.yml
      - .github/workflows/buildx-latest.yml
      - .github/workflows/dockerhub-description.yml
      - .github/workflows/labels.yml
      - .github/workflows/misspell.yml
      - .github/CODEOWNERS
      - .github/CONTRIBUTING.md
      - .github/FUNDING.yml
      - .github/labels.yml
      - .vscode
      - cmd/ovpnparser
      - cmd/resolver
      - doc
      - .gitignore
      - docker-compose.yml
      - LICENSE
      - README.md
      - title.svg
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Build image
        run: docker build .
--- a/.github/workflows/buildx-branch.yml
+++ b/.github/workflows/buildx-branch.yml
@@ -1,50 +0,0 @@
 name: Buildx branch
 on:
  push:
    branches:
      - '*'
      - '*/*'
      - '!master'
    paths-ignore:
      - .devcontainer
      - .github/ISSUE_TEMPLATE
      - .github/workflows/build.yml
      - .github/workflows/buildx-release.yml
      - .github/workflows/buildx-latest.yml
      - .github/workflows/dockerhub-description.yml
      - .github/workflows/labels.yml
      - .github/workflows/misspell.yml
      - .github/CODEOWNERS
      - .github/CONTRIBUTING.md
      - .github/FUNDING.yml
      - .github/labels.yml
      - .vscode
      - cmd/ovpnparser
      - cmd/resolver
      - doc
      - .gitignore
      - docker-compose.yml
      - LICENSE
      - README.md
      - title.svg
 jobs:
  buildx:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Buildx setup
        uses: crazy-max/ghaction-docker-buildx@v1
      - name: Dockerhub login
        run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1
      - name: Run Buildx
        run: |
          docker buildx build \
            --progress plain \
            --platform=linux/amd64 \
            --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \
            --build-arg COMMIT=`git rev-parse --short HEAD` \
            --build-arg VERSION=${GITHUB_REF##*/} \
            -t qmcgaw/private-internet-access:${GITHUB_REF##*/} \
            --push \
            .
      - run: curl -X POST https://hooks.microbadger.com/images/qmcgaw/private-internet-access/tQFy7AxtSUNANPe6aoVChYdsI_I= || exit 0
--- a/.github/workflows/buildx-latest.yml
+++ b/.github/workflows/buildx-latest.yml
@@ -1,47 +0,0 @@
 name: Buildx latest
 on:
  push:
    branches: [master]
    paths-ignore:
      - .devcontainer
      - .github/ISSUE_TEMPLATE
      - .github/workflows/build.yml
      - .github/workflows/buildx-branch.yml
      - .github/workflows/buildx-release.yml
      - .github/workflows/dockerhub-description.yml
      - .github/workflows/labels.yml
      - .github/workflows/misspell.yml
      - .github/CODEOWNERS
      - .github/CONTRIBUTING.md
      - .github/FUNDING.yml
      - .github/labels.yml
      - .vscode
      - cmd/ovpnparser
      - cmd/resolver
      - doc
      - .gitignore
      - docker-compose.yml
      - LICENSE
      - README.md
      - title.svg
 jobs:
  buildx:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Buildx setup
        uses: crazy-max/ghaction-docker-buildx@v1
      - name: Dockerhub login
        run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1
      - name: Run Buildx
        run: |
          docker buildx build \
            --progress plain \
            --platform=linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6 \
            --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \
            --build-arg COMMIT=`git rev-parse --short HEAD` \
            --build-arg VERSION=latest \
            -t qmcgaw/private-internet-access:latest \
            --push \
            .
      - run: curl -X POST https://hooks.microbadger.com/images/qmcgaw/private-internet-access/tQFy7AxtSUNANPe6aoVChYdsI_I= || exit 0
--- a/.github/workflows/buildx-release.yml
+++ b/.github/workflows/buildx-release.yml
@@ -1,47 +0,0 @@
 name: Buildx release
 on:
  release:
    types: [published]
    paths-ignore:
      - .devcontainer
      - .github/ISSUE_TEMPLATE
      - .github/workflows/build.yml
      - .github/workflows/buildx-branch.yml
      - .github/workflows/buildx-latest.yml
      - .github/workflows/dockerhub-description.yml
      - .github/workflows/labels.yml
      - .github/workflows/misspell.yml
      - .github/CODEOWNERS
      - .github/CONTRIBUTING.md
      - .github/FUNDING.yml
      - .github/labels.yml
      - .vscode
      - cmd/ovpnparser
      - cmd/resolver
      - doc
      - .gitignore
      - docker-compose.yml
      - LICENSE
      - README.md
      - title.svg
 jobs:
  buildx:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Buildx setup
        uses: crazy-max/ghaction-docker-buildx@v1
      - name: Dockerhub login
        run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1
      - name: Run Buildx
        run: |
          docker buildx build \
            --progress plain \
            --platform=linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6 \
            --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \
            --build-arg COMMIT=`git rev-parse --short HEAD` \
            --build-arg VERSION=${GITHUB_REF##*/} \
            -t qmcgaw/private-internet-access:${GITHUB_REF##*/} \
            --push \
            .
      - run: curl -X POST https://hooks.microbadger.com/images/qmcgaw/private-internet-access/tQFy7AxtSUNANPe6aoVChYdsI_I= || exit 0
--- a/.github/workflows/ci-skip.yml
+++ b/.github/workflows/ci-skip.yml
@@ -0,0 +1,35 @@
 name: No trigger file paths
 on:
  push:
    branches:
      - master
    paths-ignore:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
  pull_request:
    paths-ignore:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
 jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      actions: read
    steps:
      - name: No trigger path triggered for required verify workflow.
        run: exit 0
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,147 @@
 name: CI
 on:
  release:
    types:
      - published
  push:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
  pull_request:
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
 jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    env:
      DOCKER_BUILDKIT: "1"
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-misspell@v1
        with:
          locale: "US"
          level: error
          exclude: |
            ./internal/storage/servers.json
            *.md
      - name: Linting
        run: docker build --target lint .
      - name: Mocks check
        run: docker build --target mocks .
      - name: Build test image
        run: docker build --target test -t test-container .
      - name: Run tests in test container
        run: |
          touch coverage.txt
          docker run --rm \
          -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
          test-container
      - name: Build final image
        run: docker build -t final-image .
  codeql:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
  publish:
    if: |
      github.repository == 'qdm12/gluetun' &&
      (
        github.event_name == 'push' ||
        github.event_name == 'release' ||
        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
      )
    needs: [verify, codeql]
    permissions:
      actions: read
      contents: read
      packages: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          flavor: |
            latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
          images: |
            ghcr.io/qdm12/gluetun
            qmcgaw/gluetun
            qmcgaw/private-internet-access
          tags: |
            type=ref,event=pr
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          username: qmcgaw
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: qdm12
          password: ${{ github.token }}
      - name: Short commit
        id: shortcommit
        run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
      - name: Build and push final image
        uses: docker/build-push-action@v5
        with:
          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7,linux/ppc64le
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            CREATED=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
            COMMIT=${{ steps.shortcommit.outputs.value }}
            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
          tags: ${{ steps.meta.outputs.tags }}
          push: true
--- a/.github/workflows/closed-issue.yml
+++ b/.github/workflows/closed-issue.yml
@@ -0,0 +1,21 @@
 name: Closed issue
 on:
  issues:
    types: [closed]
 jobs:
  comment:
    permissions:
      issues: write
    runs-on: ubuntu-latest
    steps:
      - uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ github.token }}
          issue-number: ${{ github.event.issue.number }}
          body: |
            Closed issues are **NOT** monitored, so commenting here is likely to be not seen.
            If you think this is *still unresolved* and have **more information** to bring, please create another issue.
            This is an automated comment setup because @qdm12 is the sole maintainer of this project
            which became too popular to monitor issues closed.
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -1,19 +0,0 @@
 name: Docker Hub description
 on:
  push:
    branches: [master]
    paths:
      - README.md
      - .github/workflows/dockerhub-description.yml
 jobs:
  dockerHubDescription:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Docker Hub Description
        uses: peter-evans/dockerhub-description@v2.1.0
        env:
          DOCKERHUB_USERNAME: qmcgaw
          DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
          DOCKERHUB_REPOSITORY: qmcgaw/private-internet-access
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -1,18 +1,17 @@
 name: labels
 on:
  push:
-    branches: ["master"]
+    branches: [master]
    paths:
-      - '.github/labels.yml'
+      - .github/labels.yml
-      - '.github/workflows/labels.yml'
+      - .github/workflows/labels.yml
 jobs:
  labeler:
    permissions:
      issues: write
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout
+      - uses: actions/checkout@v4
-        uses: actions/checkout@v2
+      - uses: crazy-max/ghaction-github-labeler@v5
-      - name: Labeler
+        with:
-        if: success()
+          yaml-file: .github/labels.yml
        uses: crazy-max/ghaction-github-labeler@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/markdown-skip.yml
+++ b/.github/workflows/markdown-skip.yml
@@ -0,0 +1,21 @@
 name: Markdown
 on:
  push:
    branches:
      - master
    paths-ignore:
      - "**.md"
      - .github/workflows/markdown.yml
  pull_request:
    paths-ignore:
      - "**.md"
      - .github/workflows/markdown.yml
 jobs:
  markdown:
    runs-on: ubuntu-latest
    permissions:
      actions: read
    steps:
      - name: No trigger path triggered for required markdown workflow.
        run: exit 0
--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@@ -0,0 +1,46 @@
 name: Markdown
 on:
  push:
    branches:
      - master
    paths:
      - "**.md"
      - .github/workflows/markdown.yml
  pull_request:
    paths:
      - "**.md"
      - .github/workflows/markdown.yml
 jobs:
  markdown:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: DavidAnson/markdownlint-cli2-action@v14
        with:
          globs: "**.md"
          config: .markdownlint.json
      - uses: reviewdog/action-misspell@v1
        with:
          locale: "US"
          level: error
          pattern: |
            *.md
      - uses: gaurav-nelson/github-action-markdown-link-check@v1
        with:
          use-quiet-mode: yes
      - uses: peter-evans/dockerhub-description@v3
        if: github.repository == 'qdm12/gluetun' && github.event_name == 'push'
        with:
          username: qmcgaw
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          repository: qmcgaw/gluetun
          short-description: Lightweight Swiss-knife VPN client to connect to several VPN providers
          readme-filepath: README.md
--- a/.github/workflows/misspell.yml
+++ b/.github/workflows/misspell.yml
@@ -1,16 +0,0 @@
 name: Misspells
 on:
  pull_request:
    branches: [master]
  push:
    branches: [master]
 jobs:
  misspell:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: reviewdog/action-misspell@master
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          locale: "US"
          level: error
--- a/.github/workflows/opened-issue.yml
+++ b/.github/workflows/opened-issue.yml
@@ -0,0 +1,22 @@
 name: Opened issue
 on:
  issues:
    types: [opened]
 jobs:
  comment:
    permissions:
      issues: write
    runs-on: ubuntu-latest
    steps:
      - uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ github.token }}
          issue-number: ${{ github.event.issue.number }}
          body: |
            @qdm12 is more or less the only maintainer of this project and works on it in his free time.
            Please:
            - **do not** ask for updates, be patient
            - :+1: the issue to show your support instead of commenting
            @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
            [revert to an older tagged container image](https://github.com/qdm12/gluetun-wiki/blob/main/setup/docker-image-tags.md)
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
 scratch.txt
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,6 +1,4 @@
 linters-settings:
  maligned:
    suggest-new: true
  misspell:
    locale: US
@@ -9,20 +7,69 @@ issues:
    - path: _test\.go
      linters:
        - dupl
-        - maligned
+        - goerr113
        - containedctx
        - goconst
        - maintidx
    - path: "internal\\/server\\/.+\\.go"
      linters:
        - dupl
    - path: "internal\\/configuration\\/settings\\/.+\\.go"
      linters:
        - dupl
    - text: "^mnd: Magic number: 0[0-9]{3}, in <argument> detected$"
      source: "^.+= os\\.OpenFile\\(.+, .+, 0[0-9]{3}\\)"
      linters:
        - gomnd
    - text: "^mnd: Magic number: 0[0-9]{3}, in <argument> detected$"
      source: "^.+= os\\.MkdirAll\\(.+, 0[0-9]{3}\\)"
      linters:
        - gomnd
    - linters:
        - lll
      source: "^//go:generate .+$"
    - text: "returns interface \\(github\\.com\\/vishvananda\\/netlink\\.Link\\)"
      linters:
        - ireturn
    - path: "internal\\/openvpn\\/pkcs8\\/descbc\\.go"
      text: "newCipherDESCBCBlock returns interface \\(github\\.com\\/youmark\\/pkcs8\\.Cipher\\)"
      linters:
        - ireturn
    - path: "internal\\/firewall\\/.*\\.go"
      text: "string `-i ` has [1-9][0-9]* occurrences, make it a constant"
      linters:
        - goconst
    - path: "internal\\/provider\\/ipvanish\\/updater\\/servers.go"
      text: "string ` in ` has 3 occurrences, make it a constant"
      linters:
        - goconst
    - path: "internal\\/vpn\\/portforward.go"
      text: 'directive `//nolint:ireturn` is unused for linter "ireturn"'
      linters:
        - nolintlint
 linters:
  disable-all: true
  enable:
    # - cyclop
    # - errorlint
    - asasalint
    - asciicheck
    - bidichk
    - bodyclose
-    - deadcode
+    - containedctx
    - decorder
    - dogsled
    - dupl
-    - errcheck
+    - dupword
    - durationcheck
    - errchkjson
    - errname
    - execinquery
    - exhaustive
    - exportloopref
    - forcetypeassert
    - gci
    - gocheckcompilerdirectives
    - gochecknoglobals
    - gochecknoinits
    - gocognit
@@ -30,35 +77,49 @@ linters:
    - gocritic
    - gocyclo
    - godot
    - goerr113
    - goheader
    - goimports
    - golint
    - gomnd
    - gomoddirectives
    - goprintffuncname
    - gosec
-    - gosimple
+    - gosmopolitan
-    - govet
+    - grouper
-    - ineffassign
+    - importas
-    - interfacer
+    - interfacebloat
    - ireturn
    - lll
-    - maligned
+    - maintidx
    - makezero
    - mirror
    - misspell
    - musttag
    - nakedret
    - nestif
    - nilerr
    - nilnil
    - noctx
    - nolintlint
    - nosprintfhostport
    - paralleltest
    - prealloc
    - predeclared
    - promlinter
    - reassign
    - revive
    - rowserrcheck
    - scopelint
    - sqlclosecheck
-    - staticcheck
+    - tagalign
-    - structcheck
+    - tenv
-    - typecheck
+    - thelper
    - tparallel
    - unconvert
    - unparam
-    - unused
+    - usestdlibvars
-    - varcheck
+    - wastedassign
    - whitespace
    - zerologlint
 run:
  skip-dirs:
--- a/.markdownlint.json
+++ b/.markdownlint.json
@@ -0,0 +1,3 @@
 {
  "MD013": false
 }
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,9 +1,8 @@
 {
-    "recommendations": [
+  // This list should be kept to the strict minimum
-        "shardulm94.trailing-spaces",
+  // to develop this project.
-        "ms-azuretools.vscode-docker",
+  "recommendations": [
-        "davidanson.vscode-markdownlint",
+    "golang.go",
-        "IBM.output-colorizer",
+    "davidanson.vscode-markdownlint",
-        "golang.go"
+  ],
    ]
 }
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -0,0 +1,35 @@
 {
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Update a VPN provider servers data",
            "type": "go",
            "request": "launch",
            "cwd": "${workspaceFolder}",
            "program": "cmd/gluetun/main.go",
            "args": [
                "update",
                "${input:updateMode}",
                "-providers",
                "${input:provider}"
            ],
        }
    ],
    "inputs": [
        {
            "id": "provider",
            "type": "promptString",
            "description": "Please enter a provider (or comma separated list of providers)",
        },
        {
            "id": "updateMode",
            "type": "pickString",
            "description": "Update mode to use",
            "options": [
                "-maintainer",
                "-enduser"
            ],
            "default": "-maintainer"
        },
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,91 +1,29 @@
 {
-    // General settings
+  // The settings should be kept to the strict minimum
-    "files.eol": "\n",
+  // to develop this project.
-    // Docker
+  "files.eol": "\n",
-    "remote.extensionKind": {
+  "editor.formatOnSave": true,
-        "ms-azuretools.vscode-docker": "workspace"
+  "go.buildTags": "linux",
-    },
+  "go.toolsEnvVars": {
-    // Golang general settings
+    "CGO_ENABLED": "0"
-    "go.useLanguageServer": true,
+  },
-    "go.autocompleteUnimportedPackages": true,
+  "go.testEnvVars": {
-    "go.gotoSymbol.includeImports": true,
+    "CGO_ENABLED": "1"
-    "go.gotoSymbol.includeGoroot": true,
+  },
-    "gopls": {
+  "go.testFlags": [
-        "completeUnimported": true,
+    "-v",
-        "deepCompletion": true,
+    "-race"
-        "usePlaceholders": false
+  ],
-    },
+  "go.testTimeout": "10s",
-    "go.lintTool": "golangci-lint",
+  "go.coverOnSingleTest": true,
-    "go.lintFlags": [
+  "go.coverOnSingleTestFile": true,
-        "--fast",
+  "go.coverOnTestPackage": true,
-        "--enable",
+  "go.useLanguageServer": true,
-        "rowserrcheck",
+  "[go]": {
-        "--enable",
+    "editor.codeActionsOnSave": {
-        "bodyclose",
+      "source.organizeImports": true
-        "--enable",
+    }
-        "dogsled",
+  },
-        "--enable",
+  "go.lintTool": "golangci-lint",
-        "dupl",
+  "go.lintOnSave": "package"
        "--enable",
        "gochecknoglobals",
        "--enable",
        "gochecknoinits",
        "--enable",
        "gocognit",
        "--enable",
        "goconst",
        "--enable",
        "gocritic",
        "--enable",
        "gocyclo",
        "--enable",
        "goimports",
        "--enable",
        "golint",
        "--enable",
        "gosec",
        "--enable",
        "interfacer",
        "--enable",
        "maligned",
        "--enable",
        "misspell",
        "--enable",
        "nakedret",
        "--enable",
        "prealloc",
        "--enable",
        "scopelint",
        "--enable",
        "unconvert",
        "--enable",
        "unparam",
        "--enable",
        "whitespace"
    ],
    // Golang on save
    "go.buildOnSave": "workspace",
    "go.lintOnSave": "workspace",
    "go.vetOnSave": "workspace",
    "editor.formatOnSave": true,
    "[go]": {
        "editor.codeActionsOnSave": {
            "source.organizeImports": true
        }
    },
    // Golang testing
    "go.toolsEnvVars": {
        "GOFLAGS": "-tags="
    },
    "gopls.env": {
        "GOFLAGS": "-tags="
    },
    "go.testEnvVars": {},
    "go.testFlags": [
        "-v",
        // "-race"
    ],
    "go.testTimeout": "600s",
    "go.coverOnSingleTestFile": true,
    "go.coverOnSingleTest": true
 }
--- a/256
+++ b/256
@@ -1,83 +1,164 @@
-ARG ALPINE_VERSION=3.12
+ARG ALPINE_VERSION=3.18
-ARG GO_VERSION=1.15
+ARG GO_ALPINE_VERSION=3.18
 ARG GO_VERSION=1.21
 ARG XCPUTRANSLATE_VERSION=v0.6.0
 ARG GOLANGCI_LINT_VERSION=v1.56.2
 ARG MOCKGEN_VERSION=v1.6.0
 ARG BUILDPLATFORM=linux/amd64
-FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS builder
+FROM --platform=${BUILDPLATFORM} qmcgaw/xcputranslate:${XCPUTRANSLATE_VERSION} AS xcputranslate
-RUN apk --update add git
+FROM --platform=${BUILDPLATFORM} qmcgaw/binpot:golangci-lint-${GOLANGCI_LINT_VERSION} AS golangci-lint
 FROM --platform=${BUILDPLATFORM} qmcgaw/binpot:mockgen-${MOCKGEN_VERSION} AS mockgen
 FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine${GO_ALPINE_VERSION} AS base
 COPY --from=xcputranslate /xcputranslate /usr/local/bin/xcputranslate
 # Note: findutils needed to have xargs support `-d` flag for mocks stage.
 RUN apk --update add git g++ findutils
 ENV CGO_ENABLED=0
-ARG GOLANGCI_LINT_VERSION=v1.31.0
+COPY --from=golangci-lint /bin /go/bin/golangci-lint
-RUN wget -O- -nv https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s ${GOLANGCI_LINT_VERSION}
+COPY --from=mockgen /bin /go/bin/mockgen
 WORKDIR /tmp/gobuild
 COPY .golangci.yml .
 COPY go.mod go.sum ./
 RUN go mod download
-ARG VERSION=unknown
+COPY cmd/ ./cmd/
 ARG BUILD_DATE="an unknown date"
 ARG COMMIT=unknown
 COPY cmd/gluetun/main.go .
 COPY internal/ ./internal/
-RUN go test ./...
+
 FROM --platform=${BUILDPLATFORM} base AS test
 # Note on the go race detector:
 # - we set CGO_ENABLED=1 to have it enabled
 # - we installed g++ to support the race detector
 ENV CGO_ENABLED=1
 ENTRYPOINT go test -race -coverpkg=./... -coverprofile=coverage.txt -covermode=atomic ./...
 FROM --platform=${BUILDPLATFORM} base AS lint
 COPY .golangci.yml ./
 RUN golangci-lint run --timeout=10m
-RUN go build -trimpath -ldflags="-s -w \
+
-X 'main.version=$VERSION' \
+FROM --platform=${BUILDPLATFORM} base AS mocks
-X 'main.buildDate=$BUILD_DATE' \
+RUN git init && \
-X 'main.commit=$COMMIT' \
+    git config user.email ci@localhost && \
-" -o entrypoint main.go
+    git config user.name ci && \
    git config core.fileMode false && \
    git add -A && \
    git commit -m "snapshot" && \
    grep -lr -E '^// Code generated by MockGen\. DO NOT EDIT\.$' . | xargs -r -d '\n' rm && \
    go generate -run "mockgen" ./... && \
    git diff --exit-code && \
    rm -rf .git/
 FROM --platform=${BUILDPLATFORM} base AS build
 ARG TARGETPLATFORM
 ARG VERSION=unknown
 ARG CREATED="an unknown date"
 ARG COMMIT=unknown
 RUN GOARCH="$(xcputranslate translate -field arch -targetplatform ${TARGETPLATFORM})" \
    GOARM="$(xcputranslate translate -field arm -targetplatform ${TARGETPLATFORM})" \
    go build -trimpath -ldflags="-s -w \
    -X 'main.version=$VERSION' \
    -X 'main.created=$CREATED' \
    -X 'main.commit=$COMMIT' \
    " -o entrypoint cmd/gluetun/main.go
 FROM alpine:${ALPINE_VERSION}
 ARG VERSION=unknown
-ARG BUILD_DATE="an unknown date"
+ARG CREATED="an unknown date"
 ARG COMMIT=unknown
 LABEL \
    org.opencontainers.image.authors="quentin.mcgaw@gmail.com" \
-    org.opencontainers.image.created=$BUILD_DATE \
+    org.opencontainers.image.created=$CREATED \
    org.opencontainers.image.version=$VERSION \
    org.opencontainers.image.revision=$COMMIT \
    org.opencontainers.image.url="https://github.com/qdm12/gluetun" \
    org.opencontainers.image.documentation="https://github.com/qdm12/gluetun" \
    org.opencontainers.image.source="https://github.com/qdm12/gluetun" \
-    org.opencontainers.image.title="VPN client for PIA, Mullvad, Windscribe, Surfshark and Cyberghost" \
+    org.opencontainers.image.title="VPN swiss-knife like client for multiple VPN providers" \
-    org.opencontainers.image.description="VPN client to tunnel to PIA, Mullvad, Windscribe, Surfshark and Cyberghost servers using OpenVPN, IPtables, DNS over TLS and Alpine Linux"
+    org.opencontainers.image.description="VPN swiss-knife like client to tunnel to multiple VPN servers using OpenVPN, IPtables, DNS over TLS, Shadowsocks, an HTTP proxy and Alpine Linux"
-ENV VPNSP=pia \
+ENV VPN_SERVICE_PROVIDER=pia \
-    VERSION_INFORMATION=on \
+    VPN_TYPE=openvpn \
-    PROTOCOL=udp \
+    # Common VPN options
    VPN_ENDPOINT_IP= \
    VPN_ENDPOINT_PORT= \
    VPN_INTERFACE=tun0 \
    # OpenVPN
    OPENVPN_PROTOCOL=udp \
    OPENVPN_USER= \
    OPENVPN_PASSWORD= \
    OPENVPN_USER_SECRETFILE=/run/secrets/openvpn_user \
    OPENVPN_PASSWORD_SECRETFILE=/run/secrets/openvpn_password \
    OPENVPN_VERSION=2.5 \
    OPENVPN_VERBOSITY=1 \
-    OPENVPN_ROOT=no \
+    OPENVPN_FLAGS= \
-    OPENVPN_TARGET_IP= \
+    OPENVPN_CIPHERS= \
    OPENVPN_IPV6=off \
    TZ= \
    UID=1000 \
    GID=1000 \
    IP_STATUS_FILE="/tmp/gluetun/ip" \
    # PIA, Windscribe, Surfshark, Cyberghost, Vyprvpn, NordVPN, PureVPN only
    USER= \
    PASSWORD= \
    REGION= \
    # PIA only
    PIA_ENCRYPTION=strong \
    PORT_FORWARDING=off \
    PORT_FORWARDING_STATUS_FILE="/tmp/gluetun/forwarded_port" \
    # Mullvad and PureVPN only
    COUNTRY= \
    # Mullvad, PureVPN, Windscribe only
    CITY= \
    # Windscribe only
    HOSTNAME= \
    # Mullvad only
    ISP= \
    OWNED=no \
    # Mullvad and Windscribe only
    PORT= \
    # Cyberghost only
    CYBERGHOST_GROUP="Premium UDP Europe" \
    # NordVPN only
    SERVER_NUMBER= \
    # Openvpn
    OPENVPN_CIPHER= \
    OPENVPN_AUTH= \
    OPENVPN_PROCESS_USER=root \
    OPENVPN_CUSTOM_CONFIG= \
    # Wireguard
    WIREGUARD_CONF_SECRETFILE=/run/secrets/wg0.conf \
    WIREGUARD_PRIVATE_KEY= \
    WIREGUARD_PRIVATE_KEY_SECRETFILE=/run/secrets/wireguard_private_key \
    WIREGUARD_PRESHARED_KEY= \
    WIREGUARD_PRESHARED_KEY_SECRETFILE=/run/secrets/wireguard_preshared_key \
    WIREGUARD_PUBLIC_KEY= \
    WIREGUARD_ALLOWED_IPS= \
    WIREGUARD_ADDRESSES= \
    WIREGUARD_ADDRESSES_SECRETFILE=/run/secrets/wireguard_addresses \
    WIREGUARD_MTU=1400 \
    WIREGUARD_IMPLEMENTATION=auto \
    # VPN server filtering
    SERVER_REGIONS= \
    SERVER_COUNTRIES= \
    SERVER_CITIES= \
    SERVER_HOSTNAMES= \
    SERVER_CATEGORIES= \
    # # Mullvad only:
    ISP= \
    OWNED_ONLY=no \
    # # Private Internet Access only:
    PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET= \
    VPN_PORT_FORWARDING=off \
    VPN_PORT_FORWARDING_LISTENING_PORT=0 \
    VPN_PORT_FORWARDING_PROVIDER= \
    VPN_PORT_FORWARDING_STATUS_FILE="/tmp/gluetun/forwarded_port" \
    # # Cyberghost only:
    OPENVPN_CERT= \
    OPENVPN_KEY= \
    OPENVPN_CLIENTCRT_SECRETFILE=/run/secrets/openvpn_clientcrt \
    OPENVPN_CLIENTKEY_SECRETFILE=/run/secrets/openvpn_clientkey \
    # # VPNSecure only:
    OPENVPN_ENCRYPTED_KEY= \
    OPENVPN_ENCRYPTED_KEY_SECRETFILE=/run/secrets/openvpn_encrypted_key \
    OPENVPN_KEY_PASSPHRASE= \
    OPENVPN_KEY_PASSPHRASE_SECRETFILE=/run/secrets/openvpn_key_passphrase \
    # # Nordvpn only:
    SERVER_NUMBER= \
    # # PIA only:
    SERVER_NAMES= \
    # # ProtonVPN only:
    FREE_ONLY= \
    # # Surfshark only:
    MULTIHOP_ONLY= \
    # # VPN Secure only:
    PREMIUM_ONLY= \
    # # PIA only:
    PORT_FORWARD_ONLY= \
    # Firewall
    FIREWALL=on \
    FIREWALL_VPN_INPUT_PORTS= \
    FIREWALL_INPUT_PORTS= \
    FIREWALL_OUTBOUND_SUBNETS= \
    FIREWALL_DEBUG=off \
    # Logging
    LOG_LEVEL=info \
    # Health
    HEALTH_SERVER_ADDRESS=127.0.0.1:9999 \
    HEALTH_TARGET_ADDRESS=cloudflare.com:443 \
    HEALTH_SUCCESS_WAIT_DURATION=5s \
    HEALTH_VPN_DURATION_INITIAL=6s \
    HEALTH_VPN_DURATION_ADDITION=5s \
    # DNS over TLS
    DOT=on \
    DOT_PROVIDERS=cloudflare \
-    DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:0:0/96 \
+    DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112 \
    DOT_VERBOSITY=1 \
    DOT_VERBOSITY_DETAILS=0 \
    DOT_VALIDATION_LOGLEVEL=0 \
@@ -88,35 +169,60 @@ ENV VPNSP=pia \
    BLOCK_ADS=off \
    UNBLOCK= \
    DNS_UPDATE_PERIOD=24h \
-    DNS_PLAINTEXT_ADDRESS=1.1.1.1 \
+    DNS_ADDRESS=127.0.0.1 \
    DNS_KEEP_NAMESERVER=off \
    # Firewall
    FIREWALL=on \
    FIREWALL_VPN_INPUT_PORTS= \
    FIREWALL_INPUT_PORTS= \
    FIREWALL_OUTBOUND_SUBNETS= \
    FIREWALL_DEBUG=off \
    # HTTP proxy
    HTTPPROXY= \
    HTTPPROXY_LOG=off \
-    HTTPPROXY_PORT=8888 \
+    HTTPPROXY_LISTENING_ADDRESS=":8888" \
    HTTPPROXY_STEALTH=off \
    HTTPPROXY_USER= \
    HTTPPROXY_PASSWORD= \
    HTTPPROXY_USER_SECRETFILE=/run/secrets/httpproxy_user \
    HTTPPROXY_PASSWORD_SECRETFILE=/run/secrets/httpproxy_password \
    # Shadowsocks
    SHADOWSOCKS=off \
    SHADOWSOCKS_LOG=off \
-    SHADOWSOCKS_PORT=8388 \
+    SHADOWSOCKS_LISTENING_ADDRESS=":8388" \
    SHADOWSOCKS_PASSWORD= \
-    SHADOWSOCKS_METHOD=chacha20-ietf-poly1305 \
+    SHADOWSOCKS_PASSWORD_SECRETFILE=/run/secrets/shadowsocks_password \
-    UPDATER_PERIOD=0
+    SHADOWSOCKS_CIPHER=chacha20-ietf-poly1305 \
-ENTRYPOINT ["/entrypoint"]
+    # Control server
    HTTP_CONTROL_SERVER_LOG=on \
    HTTP_CONTROL_SERVER_ADDRESS=":8000" \
    # Server data updater
    UPDATER_PERIOD=0 \
    UPDATER_MIN_RATIO=0.8 \
    UPDATER_VPN_SERVICE_PROVIDERS= \
    # Public IP
    PUBLICIP_FILE="/tmp/gluetun/ip" \
    PUBLICIP_PERIOD=12h \
    PUBLICIP_API=ipinfo \
    PUBLICIP_API_TOKEN= \
    # Pprof
    PPROF_ENABLED=no \
    PPROF_BLOCK_PROFILE_RATE=0 \
    PPROF_MUTEX_PROFILE_RATE=0 \
    PPROF_HTTP_SERVER_ADDRESS=":6060" \
    # Extras
    VERSION_INFORMATION=on \
    TZ= \
    PUID= \
    PGID=
 ENTRYPOINT ["/gluetun-entrypoint"]
 EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp
-HEALTHCHECK --interval=10m --timeout=10s --start-period=30s --retries=2 CMD /entrypoint healthcheck
+HEALTHCHECK --interval=5s --timeout=5s --start-period=10s --retries=1 CMD /gluetun-entrypoint healthcheck
-RUN apk add -q --progress --no-cache --update openvpn ca-certificates iptables ip6tables unbound tzdata && \
+ARG TARGETPLATFORM
-    rm -rf /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-* && \
+RUN apk add --no-cache --update -l wget && \
    apk add --no-cache --update -X "https://dl-cdn.alpinelinux.org/alpine/v3.17/main" openvpn\~2.5 && \
    mv /usr/sbin/openvpn /usr/sbin/openvpn2.5 && \
    apk del openvpn && \
    apk add --no-cache --update openvpn ca-certificates iptables ip6tables unbound tzdata && \
    mv /usr/sbin/openvpn /usr/sbin/openvpn2.6 && \
    # Fix vulnerability issue
    apk add --no-cache --update busybox && \
    rm -rf /var/cache/apk/* /etc/unbound/* /usr/sbin/unbound-* /etc/openvpn/*.sh /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so && \
    deluser openvpn && \
    deluser unbound && \
    mkdir /gluetun
-# TODO remove once SAN is added to PIA servers certificates, see https://github.com/pia-foss/manual-connections/issues/10
+COPY --from=build /tmp/gobuild/entrypoint /gluetun-entrypoint
 ENV GODEBUG=x509ignoreCN=0
 COPY --from=builder /tmp/gobuild/entrypoint /entrypoint
--- a/README.md
+++ b/README.md
@@ -1,405 +1,130 @@
-# Gluetun VPN client
+# Gluetun VPN client
-
+
-*Lightweight swiss-knife-like VPN client to tunnel to Private Internet Access,
+Lightweight swiss-knife-like VPN client to multiple VPN service providers
-Mullvad, Windscribe, Surfshark Cyberghost, VyprVPN, NordVPN, PureVPN and Privado VPN servers, using Go, OpenVPN, iptables, DNS over TLS, ShadowSocks and an HTTP proxy*
+
-
+![Title image](https://raw.githubusercontent.com/qdm12/gluetun/master/title.svg)
-**ANNOUNCEMENT**: *Github Wiki reworked*
+
-
+[![Build status](https://github.com/qdm12/gluetun/actions/workflows/ci.yml/badge.svg)](https://github.com/qdm12/gluetun/actions/workflows/ci.yml)
-<img height="250" src="https://raw.githubusercontent.com/qdm12/gluetun/master/title.svg?sanitize=true">
+
-
+[![Docker pulls qmcgaw/gluetun](https://img.shields.io/docker/pulls/qmcgaw/gluetun.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
-[![Build status](https://github.com/qdm12/gluetun/workflows/Buildx%20latest/badge.svg)](https://github.com/qdm12/gluetun/actions?query=workflow%3A%22Buildx+latest%22)
+[![Docker pulls qmcgaw/private-internet-access](https://img.shields.io/docker/pulls/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
-[![Docker Pulls](https://img.shields.io/docker/pulls/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access)
+
-[![Docker Stars](https://img.shields.io/docker/stars/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/private-internet-access)
+[![Docker stars qmcgaw/gluetun](https://img.shields.io/docker/stars/qmcgaw/gluetun.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
-
+[![Docker stars qmcgaw/private-internet-access](https://img.shields.io/docker/stars/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
-[![GitHub last commit](https://img.shields.io/github/last-commit/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues)
+
-[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues)
+![Last release](https://img.shields.io/github/release/qdm12/gluetun?label=Last%20release)
-[![GitHub issues](https://img.shields.io/github/issues/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues)
+![Last Docker tag](https://img.shields.io/docker/v/qmcgaw/gluetun?sort=semver&label=Last%20Docker%20tag)
-
+[![Last release size](https://img.shields.io/docker/image-size/qmcgaw/gluetun?sort=semver&label=Last%20released%20image)](https://hub.docker.com/r/qmcgaw/gluetun/tags?page=1&ordering=last_updated)
-[![Image size](https://images.microbadger.com/badges/image/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access)
+![GitHub last release date](https://img.shields.io/github/release-date/qdm12/gluetun?label=Last%20release%20date)
-[![Image version](https://images.microbadger.com/badges/version/qmcgaw/private-internet-access.svg)](https://microbadger.com/images/qmcgaw/private-internet-access)
+![Commits since release](https://img.shields.io/github/commits-since/qdm12/gluetun/latest?sort=semver)
-[![Join Slack channel](https://img.shields.io/badge/slack-@qdm12-yellow.svg?logo=slack)](https://join.slack.com/t/qdm12/shared_invite/enQtOTE0NjcxNTM1ODc5LTYyZmVlOTM3MGI4ZWU0YmJkMjUxNmQ4ODQ2OTAwYzMxMTlhY2Q1MWQyOWUyNjc2ODliNjFjMDUxNWNmNzk5MDk)
+
-
+[![Latest size](https://img.shields.io/docker/image-size/qmcgaw/gluetun/latest?label=Latest%20image)](https://hub.docker.com/r/qmcgaw/gluetun/tags)
-## Videos
+
-
+[![GitHub last commit](https://img.shields.io/github/last-commit/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/commits/master)
-1. [**Introduction**](https://youtu.be/3jIbU6J2Hs0)
+[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/graphs/contributors)
-1. [**Connect a container**](https://youtu.be/mH7J_2JKNK0)
+[![GitHub closed PRs](https://img.shields.io/github/issues-pr-closed/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/pulls?q=is%3Apr+is%3Aclosed)
-1. [**Connect LAN devices**](https://youtu.be/qvjrM15Y0uk)
+[![GitHub issues](https://img.shields.io/github/issues/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues)
-
+[![GitHub closed issues](https://img.shields.io/github/issues-closed/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues?q=is%3Aissue+is%3Aclosed)
-## Features
+
-
+[![Lines of code](https://img.shields.io/tokei/lines/github/qdm12/gluetun)](https://github.com/qdm12/gluetun)
- Based on Alpine 3.12 for a small Docker image of 52MB
+![Code size](https://img.shields.io/github/languages/code-size/qdm12/gluetun)
- Supports **Private Internet Access**, **Mullvad**, **Windscribe**, **Surfshark**, **Cyberghost**, **Vyprvpn**, **NordVPN**, **PureVPN** and **Privado** servers
+![GitHub repo size](https://img.shields.io/github/repo-size/qdm12/gluetun)
- Supports Openvpn only for now
+![Go version](https://img.shields.io/github/go-mod/go-version/qdm12/gluetun)
- DNS over TLS baked in with service provider(s) of your choice
+
- DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
+![Visitors count](https://visitor-badge.laobi.icu/badge?page_id=gluetun.readme)
- Choose the vpn network protocol, `udp` or `tcp`
+
- Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
+## Quick links
- Built in Shadowsocks proxy (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
+
- Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
+- [Setup](#setup)
- [Connect other containers to it](https://github.com/qdm12/gluetun#connect-to-it)
+- [Features](#features)
- [Connect LAN devices to it](https://github.com/qdm12/gluetun#connect-to-it)
+- Problem?
- Compatible with amd64, i686 (32 bit), **ARM** 64 bit, ARM 32 bit v6 and v7 🎆
+  - Check the Wiki [common errors](https://github.com/qdm12/gluetun-wiki/tree/main/errors) and [faq](https://github.com/qdm12/gluetun-wiki/tree/main/faq)
- VPN server side port forwarding for Private Internet Access and Vyprvpn
+  - [Start a discussion](https://github.com/qdm12/gluetun/discussions)
- Possibility of split horizon DNS by selecting multiple DNS over TLS providers
+  - [Fix the Unraid template](https://github.com/qdm12/gluetun/discussions/550)
- Subprograms all drop root privileges once launched
+- Suggestion?
- Subprograms output streams are all merged together
+  - [Create an issue](https://github.com/qdm12/gluetun/issues)
- Can work as a Kubernetes sidecar container, thanks @rorph
+- Happy?
-
+  - Sponsor me on [github.com/sponsors/qdm12](https://github.com/sponsors/qdm12)
-## Setup
+  - Donate to [paypal.me/qmcgaw](https://www.paypal.me/qmcgaw)
-
+  - Drop me [an email](mailto:quentin.mcgaw@gmail.com)
-1. On some devices you may need to setup your tunnel kernel module on your host with `insmod /lib/modules/tun.ko` or `modprobe tun`
+- **Want to add a VPN provider?** check [the development page](https://github.com/qdm12/gluetun-wiki/blob/main/contributing/development.md) and [add a provider page](https://github.com/qdm12/gluetun-wiki/blob/main/contributing/add-a-provider.md)
-    - [Synology users Wiki page](https://github.com/qdm12/gluetun/wiki/Synology-setup)
+- Video:
-1. Launch the container with:
+
-
+  [![Video Gif](https://i.imgur.com/CetWunc.gif)](https://youtu.be/0F6I03LQcI4)
-    ```bash
+
-    docker run -d --name gluetun --cap-add=NET_ADMIN \
+- [Substack Console interview](https://console.substack.com/p/console-72)
-    -e VPNSP="private internet access" -e REGION="CA Montreal" \
+
-    -e USER=js89ds7 -e PASSWORD=8fd9s239G \
+## Features
-    -v /yourpath:/gluetun \
+
-    qmcgaw/private-internet-access
+- Based on Alpine 3.18 for a small Docker image of 35.6MB
-    ```
+- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad**, **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **WeVPN**, **Windscribe** servers
-
+- Supports OpenVPN for all providers listed
-    or use [docker-compose.yml](https://github.com/qdm12/gluetun/blob/master/docker-compose.yml) with:
+- Supports Wireguard both kernelspace and userspace
-
+  - For **AirVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Surfshark** and **Windscribe**
-    ```bash
+  - For **ProtonVPN**, **PureVPN**, **Torguard**, **VPN Unlimited** and **WeVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
-    docker-compose up -d
+  - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
-    ```
+  - More in progress, see [#134](https://github.com/qdm12/gluetun/issues/134)
-
+- DNS over TLS baked in with service provider(s) of your choice
-    Note that you can:
+- DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
-
+- Choose the vpn network protocol, `udp` or `tcp`
-    - Change the many [environment variables](#environment-variables) available
+- Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
-    - Use `-p 8888:8888/tcp` to access the HTTP web proxy
+- Built in Shadowsocks proxy (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
-    - Use `-p 8388:8388/tcp -p 8388:8388/udp` to access the Shadowsocks proxy
+- Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
-    - Use `-p 8000:8000/tcp` to access the [HTTP control server](#HTTP-control-server) built-in
+- [Connect other containers to it](https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md)
-
+- [Connect LAN devices to it](https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-lan-device-to-gluetun.md)
-    **If you encounter an issue with the tun device not being available, see [the FAQ](https://github.com/qdm12/gluetun/blob/master/doc/faq.md#how-to-fix-openvpn-failing-to-start)**
+- Compatible with amd64, i686 (32 bit), **ARM** 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
-
+- [Custom VPN server side port forwarding for Private Internet Access](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/private-internet-access.md#vpn-server-port-forwarding)
-1. You can update the image with `docker pull qmcgaw/private-internet-access:latest`. See the [wiki](https://github.com/qdm12/gluetun/wiki/Common-issues#use-a-release-tag) for more information on other tags available.
+- Possibility of split horizon DNS by selecting multiple DNS over TLS providers
-
+- Unbound subprogram drops root privileges once launched
-## Testing
+- Can work as a Kubernetes sidecar container, thanks @rorph
-
+
-Check the VPN IP address matches your expectations
+## Setup
-
+
-```sh
+🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible!
-docker run --rm --network=container:gluetun alpine:3.12 wget -qO- https://ipinfo.io
+
-```
+Go to the [Wiki](https://github.com/qdm12/gluetun-wiki)!
-
+
-▶ [Testing Wiki page](https://github.com/qdm12/gluetun/wiki/Testing-the-setup)
+[🐛 Found a bug in the Wiki?!](https://github.com/qdm12/gluetun-wiki/issues/new)
-
+
-## Environment variables
+Here's a docker-compose.yml for the laziest:
-
+
-**TLDR**; only set the 🏁 marked environment variables to get started.
+```yml
-
+version: "3"
-💡 For all server filtering options such as `REGION`, you can have multiple values separated by a comma, i.e. `Germany,Singapore`
+services:
-
+  gluetun:
-### VPN
+    image: qmcgaw/gluetun
-
+    # container_name: gluetun
-| Variable | Default | Choices | Description |
+    # line above must be uncommented to allow external containers to connect.
-| --- | --- | --- | --- |
+    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
-| 🏁 `VPNSP` | `private internet access` | `private internet access`, `mullvad`, `windscribe`, `surfshark`, `vyprvpn`, `nordvpn`, `purevpn`, `privado` | VPN Service Provider |
+    cap_add:
-| `IP_STATUS_FILE` | `/tmp/gluetun/ip` | Any filepath | Filepath to store the public IP address assigned |
+      - NET_ADMIN
-| `PROTOCOL` | `udp` | `udp` or `tcp` | Network protocol to use |
+    devices:
-| `OPENVPN_VERBOSITY` | `1` | `0` to `6` | Openvpn verbosity level |
+      - /dev/net/tun:/dev/net/tun
-| `OPENVPN_ROOT` | `no` | `yes` or `no` | Run OpenVPN as root |
+    ports:
-| `OPENVPN_TARGET_IP` | | Valid IP address | Specify a target VPN IP address to use |
+      - 8888:8888/tcp # HTTP proxy
-| `OPENVPN_CIPHER` | | i.e. `aes-256-gcm` | Specify a custom cipher to use. It will also set `ncp-disable` if using AES GCM for PIA |
+      - 8388:8388/tcp # Shadowsocks
-| `OPENVPN_AUTH` | | i.e. `sha256` | Specify a custom auth algorithm to use |
+      - 8388:8388/udp # Shadowsocks
-| `OPENVPN_IPV6` | `off` | `on`, `off` | Enable tunneling of IPv6 (only for Mullvad) |
+    volumes:
-
+      - /yourpath:/gluetun
-*For all providers below, server location parameters are all optional. By default a random server is picked using the filter settings provided.*
+    environment:
-
+      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
- Private Internet Access
+      - VPN_SERVICE_PROVIDER=ivpn
-
+      - VPN_TYPE=openvpn
-    | Variable | Default | Choices | Description |
+      # OpenVPN:
-    | --- | --- | --- | --- |
+      - OPENVPN_USER=
-    | 🏁 `USER` | | | Your username |
+      - OPENVPN_PASSWORD=
-    | 🏁 `PASSWORD` | | | Your password |
+      # Wireguard:
-    | `REGION` | | One of the [PIA regions](https://www.privateinternetaccess.com/pages/network/) | VPN server region |
+      # - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
-    | `PIA_ENCRYPTION` | `strong` | `normal`, `strong` | Encryption preset |
+      # - WIREGUARD_ADDRESSES=10.64.222.21/32
-    | `PORT_FORWARDING` | `off` | `on`, `off` | Enable port forwarding on the VPN server |
+      # Timezone for accurate log times
-    | `PORT_FORWARDING_STATUS_FILE` | `/tmp/gluetun/forwarded_port` | Any filepath | Filepath to store the forwarded port number |
+      - TZ=
-
+      # Server list updater
- Mullvad
+      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
-
+      - UPDATER_PERIOD=
-    | Variable | Default | Choices | Description |
+```
-    | --- | --- | --- | --- |
+
-    | 🏁 `USER` | | | Your user ID |
+🆕 Image also available as `ghcr.io/qdm12/gluetun`
-    | `COUNTRY` | | One of the [Mullvad countries](https://mullvad.net/en/servers/#openvpn) | VPN server country |
+
-    | `CITY` | | One of the [Mullvad cities](https://mullvad.net/en/servers/#openvpn) | VPN server city |
+## License
-    | `ISP` | | One of the [Mullvad ISP](https://mullvad.net/en/servers/#openvpn) | VPN server ISP |
+
-    | `PORT` | | `80`, `443` or `1401` for TCP; `53`, `1194`, `1195`, `1196`, `1197`, `1300`, `1301`, `1302`, `1303` or `1400` for UDP. Defaults to TCP `443` and UDP `1194` | Custom VPN port to use |
+[![MIT](https://img.shields.io/github/license/qdm12/gluetun)](https://github.com/qdm12/gluetun/blob/master/LICENSE)
    | `OWNED` | `no` | `yes` or `no` | If the VPN server is owned by Mullvad |
    💡 [Mullvad IPv6 Wiki page](https://github.com/qdm12/gluetun/wiki/Mullvad-IPv6)
    For **port forwarding**, obtain a port from [here](https://mullvad.net/en/account/#/ports) and add it to `FIREWALL_VPN_INPUT_PORTS`
 - Windscribe (see [this](https://github.com/qdm12/gluetun/blob/master/internal/constants/windscribe.go#L43) for the choices of regions, cities and hostnames)
    | Variable | Default | Choices | Description |
    | --- | --- | --- | --- |
    | 🏁 `USER` | | | Your username |
    | 🏁 `PASSWORD` | | | Your password |
    | `REGION` | | | Comma separated list of regions to choose the VPN server |
    | `CITY` | | | Comma separated list of cities to choose the VPN server |
    | `HOSTNAME` | | | Comma separated list of hostnames to choose the VPN server |
    | `PORT` | | One from the [this list of ports](https://windscribe.com/getconfig/openvpn) | Custom VPN port to use |
 - Surfshark
    | Variable | Default | Choices | Description |
    | --- | --- | --- | --- |
    | 🏁 `USER` | | | Your **service** username, found at the bottom of the [manual setup page](https://account.surfshark.com/setup/manual) |
    | 🏁 `PASSWORD` | | | Your **service** password |
    | `REGION` | | One of the [Surfshark regions](https://github.com/qdm12/gluetun/wiki/Surfshark-Servers) | VPN server region |
 - Cyberghost
    | Variable | Default | Choices | Description |
    | --- | --- | --- | --- |
    | 🏁 `USER` | | | Your username |
    | 🏁 `PASSWORD` | | | Your password |
    | 🏁 | | | **See additional setup steps below** |
    | `REGION` | | One of the Cyberghost regions, [Wiki page](https://github.com/qdm12/gluetun/wiki/Cyberghost-Servers) | VPN server country |
    | `CYBERGHOST_GROUP` | `Premium UDP Europe` | One of the server groups (see above Wiki page) | Server group |
    **Additional setup steps**: Bind mount your `client.key` file to `/gluetun/client.key` and your `client.crt` file to `/gluetun/client.crt`. For example, you can use with your `docker run` command:
    ```sh
    -v /yourpath/client.key:/gluetun/client.key:ro -v /yourpath/client.crt:/gluetun/client.crt:ro
    ```
 - Vyprvpn
    | Variable | Default | Choices | Description |
    | --- | --- | --- | --- |
    | 🏁 `USER` | | | Your username |
    | 🏁 `PASSWORD` | | | Your password |
    | `REGION` | | One of the [VyprVPN regions](https://www.vyprvpn.com/server-locations) | VPN server region |
    For **port forwarding**, add a port you want to be accessible to `FIREWALL_VPN_INPUT_PORTS`
 - NordVPN
    | Variable | Default | Choices | Description |
    | --- | --- | --- | --- |
    | 🏁 `USER` | | | Your username |
    | 🏁 `PASSWORD` | | | Your password |
    | `REGION` | | One of the NordVPN server country, i.e. `Switzerland` | VPN server country |
    | `SERVER_NUMBER` | | Server integer number | Optional server number. For example `251` for `Italy #251` |
 - PureVPN
    | Variable | Default | Choices | Description |
    | --- | --- | --- | --- |
    | 🏁 `USER` | | | Your user ID |
    | 🏁 `REGION` | | One of the [PureVPN regions](https://support.purevpn.com/vpn-servers) | VPN server region |
    | `COUNTRY` | | One of the [PureVPN countries](https://support.purevpn.com/vpn-servers) | VPN server country |
    | `CITY` | | One of the [PureVPN cities](https://support.purevpn.com/vpn-servers) | VPN server city |
 - Privado
    | Variable | Default | Choices | Description |
    | --- | --- | --- | --- |
    | 🏁 `USER` | | | Your username |
    | 🏁 `PASSWORD` | | | Your password |
    | `HOSTNAME` | | [One of the Privado hostname](internal/constants/privado.go#L26), i.e. `ams-001.vpn.privado.io` | VPN server hostname |
 ### DNS over TLS
 None of the following values are required.
 | Variable | Default | Choices | Description |
 | --- | --- | --- | --- |
 | `DOT` | `on` | `on`, `off` | Activate DNS over TLS with Unbound |
 | `DOT_PROVIDERS` | `cloudflare` | `cloudflare`, `google`, `quad9`, `quadrant`, `cleanbrowsing`, `securedns`, `libredns` | Comma delimited list of DNS over TLS providers |
 | `DOT_CACHING` | `on` | `on`, `off` | Unbound caching |
 | `DOT_IPV6` | `off` | `on`, `off` | DNS IPv6 resolution |
 | `DOT_PRIVATE_ADDRESS` | All private CIDRs ranges | | Comma separated list of CIDRs or single IP addresses Unbound won't resolve to. Note that the default setting prevents DNS rebinding |
 | `DOT_VERBOSITY` | `1` | `0` to `5` | Unbound verbosity level |
 | `DOT_VERBOSITY_DETAILS` | `0` | `0` to `4` | Unbound details verbosity level |
 | `DOT_VALIDATION_LOGLEVEL` | `0` | `0` to `2` | Unbound validation log level |
 | `DNS_UPDATE_PERIOD` | `24h` | i.e. `0`, `30s`, `5m`, `24h` | Period to update block lists and cryptographic files and restart Unbound. Set to `0` to deactivate updates |
 | `BLOCK_MALICIOUS` | `on` | `on`, `off` | Block malicious hostnames and IPs with Unbound |
 | `BLOCK_SURVEILLANCE` | `off` | `on`, `off` | Block surveillance hostnames and IPs with Unbound |
 | `BLOCK_ADS` | `off` | `on`, `off` | Block ads hostnames and IPs with Unbound |
 | `UNBLOCK` | |i.e. `domain1.com,x.domain2.co.uk` | Comma separated list of domain names to leave unblocked with Unbound |
 | `DNS_PLAINTEXT_ADDRESS` | `1.1.1.1` | Any IP address | IP address to use as DNS resolver if `DOT` is `off` |
 | `DNS_KEEP_NAMESERVER` | `off` | `on` or `off` | Keep the nameservers in /etc/resolv.conf untouched, but disabled DNS blocking features |
 ### Firewall and routing
 | Variable | Default | Choices | Description |
 | --- | --- | --- | --- |
 | `FIREWALL` | `on` | `on` or `off` | Turn on or off the container built-in firewall. You should use it for **debugging purposes** only. |
 | `FIREWALL_VPN_INPUT_PORTS` | | i.e. `1000,8080` | Comma separated list of ports to allow from the VPN server side (useful for **vyprvpn** port forwarding) |
 | `FIREWALL_INPUT_PORTS` | | i.e. `1000,8000` | Comma separated list of ports to allow through the default interface. This seems needed for Kubernetes sidecars. |
 | `FIREWALL_DEBUG` | `off` | `on` or `off` | Prints every firewall related command. You should use it for **debugging purposes** only. |
 | `FIREWALL_OUTBOUND_SUBNETS` | | i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28` | Comma separated subnets that Gluetun and the containers sharing its network stack are allowed to access. This involves firewall and routing modifications. |
 ### Shadowsocks
 | Variable | Default | Choices | Description |
 | --- | --- | --- | --- |
 | `SHADOWSOCKS` | `off` | `on`, `off` | Enable the internal Shadowsocks proxy |
 | `SHADOWSOCKS_LOG` | `off` | `on`, `off` | Enable logging |
 | `SHADOWSOCKS_PORT` | `8388` | `1024` to `65535` | Internal port number for Shadowsocks to listen on |
 | `SHADOWSOCKS_PASSWORD` | |  | Password to use to connect to Shadowsocks |
 | `SHADOWSOCKS_METHOD` | `chacha20-ietf-poly1305` | `chacha20-ietf-poly1305`, `aes-128-gcm`, `aes-256-gcm` | Method to use for Shadowsocks |
 ### HTTP proxy
 | Variable | Default | Choices | Description |
 | --- | --- | --- | --- |
 | `HTTPPROXY` | `off` | `on`, `off` | Enable the internal HTTP proxy |
 | `HTTPPROXY_LOG` | `off` | `on` or `off` | Logs every tunnel requests |
 | `HTTPPROXY_PORT` | `8888` | `1024` to `65535` | Internal port number for the HTTP proxy to listen on |
 | `HTTPPROXY_USER` | | | Username to use to connect to the HTTP proxy |
 | `HTTPPROXY_PASSWORD` | | | Password to use to connect to the HTTP proxy |
 | `HTTPPROXY_STEALTH` | `off` | `on` or `off` | Stealth mode means HTTP proxy headers are not added to your requests |
 ### System
 | Variable | Default | Choices | Description |
 | --- | --- | --- | --- |
 | `TZ` | | i.e. `Europe/London` | Specify a timezone to use to have correct log times |
 | `UID` | `1000` | | User ID to run as non root and for ownership of files written |
 | `GID` | `1000` | | Group ID to run as non root and for ownership of files written |
 ### HTTP Control server
 | Variable | Default | Choices | Description |
 | --- | --- | --- | --- |
 | `HTTP_CONTROL_SERVER_PORT` | `8000` | `1` to `65535` | Listening port for the HTTP control server |
 | `HTTP_CONTROL_SERVER_LOG` | `on` | `on` or `off` | Enable logging of HTTP requests |
 ### Other
 | Variable | Default | Choices | Description |
 | --- | --- | --- | --- |
 | `PUBLICIP_PERIOD` | `12h` | Valid duration | Period to check for public IP address. Set to `0` to disable. |
 | `VERSION_INFORMATION` | `on` | `on`, `off` | Logs a message indicating if a newer version is available once the VPN is connected |
 | `UPDATER_PERIOD` | `0` | Valid duration string such as `24h` | Period to update all VPN servers information in memory and to /gluetun/servers.json. Set to `0` to disable. This does a burst of DNS over TLS requests, which may be blocked if you set `BLOCK_MALICIOUS=on` for example. |
 ## Connect to it
 There are various ways to achieve this, depending on your use case.
 - <details><summary>Connect containers in the same docker-compose.yml as Gluetun</summary><p>
    Add `network_mode: "service:gluetun"` to your *docker-compose.yml* (no need for `depends_on`)
    </p></details>
 - <details><summary>Connect other containers to Gluetun</summary><p>
    Add `--network=container:gluetun` when launching the container, provided Gluetun is already running
    </p></details>
 - <details><summary>Connect containers from another docker-compose.yml</summary><p>
    Add `network_mode: "container:gluetun"` to your *docker-compose.yml*, provided Gluetun is already running
    </p></details>
 - <details><summary>Connect LAN devices through the built-in HTTP proxy (i.e. with Chrome, Kodi, etc.)</summary><p>
    ⚠️ You might want to use Shadowsocks instead which tunnels UDP as well as TCP and does not leak your credentials.
    The HTTP proxy will not encrypt your username and password every time you send a request to the HTTP proxy server.
    1. Setup an HTTP proxy client, such as [SwitchyOmega for Chrome](https://chrome.google.com/webstore/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif?hl=en)
    1. Ensure the Gluetun container is launched with:
        - port `8888` published `-p 8888:8888/tcp`
    1. With your HTTP proxy client, connect to the Docker host (i.e. `192.168.1.10`) on port `8888`. You need to enter your credentials if you set them with `HTTPPROXY_USER` and `HTTPPROXY_PASSWORD`. Note that Chrome does not support authentication.
    1. If you set `HTTPPROXY_LOG` to `on`, more information will be logged in the Docker logs
    </p></details>
 - <details><summary>Connect LAN devices through the built-in *Shadowsocks* proxy (per app, system wide, etc.)</summary><p>
    1. Setup a Shadowsocks proxy client, there is a list of [ShadowSocks clients for **all platforms**](https://shadowsocks.org/en/download/clients.html)
        - **note** some clients do not tunnel UDP so your DNS queries will be done locally and not through Gluetun and its built in DNS over TLS
        - Clients that support such UDP tunneling are, as far as I know:
            - iOS: Potatso Lite
            - OSX: ShadowsocksX
            - Android: Shadowsocks by Max Lv
    1. Ensure the Gluetun container is launched with:
        - port `8388` published `-p 8388:8388/tcp -p 8388:8388/udp`
    1. With your Shadowsocks proxy client
        - Enter the Docker host (i.e. `192.168.1.10`) as the server IP
        - Enter port TCP (and UDP, if available) `8388` as the server port
        - Use the password you have set with `SHADOWSOCKS_PASSWORD`
        - Choose the encryption method/algorithm to the method you specified in `SHADOWSOCKS_METHOD`
    1. If you set `SHADOWSOCKS_LOG` to `on`, (a lot) more information will be logged in the Docker logs
    </p></details>
 - <details><summary>Access ports of containers connected to Gluetun</summary><p>
    In example, to access port `8000` of container `xyz`  and `9000` of container `abc` connected to Gluetun,
    publish ports `8000` and `9000` for the Gluetun container and access them as you would with any other container
    </p></details>
 - <details><summary>Access ports of containers connected to Gluetun, all in the same docker-compose.yml</summary><p>
    In example, to access port `8000` of container `xyz`  and `9000` of container `abc` connected to Gluetun, publish port `8000` and `9000` for the Gluetun container.
    The docker-compose.yml file would look like:
    ```yml
    version: '3.7'
    services:
      gluetun:
        image: qmcgaw/private-internet-access
        container_name: gluetun
        cap_add:
          - NET_ADMIN
        environment:
          - USER=js89ds7
          - PASSWORD=8fd9s239G
        ports:
          - 8000:8000/tcp
          - 9000:9000/tcp
      abc:
        image: abc
        container_name: abc
        network_mode: "service:gluetun"
      xyz:
        image: xyz
        container_name: xyz
        network_mode: "service:gluetun"
    ```
    </p></details>
 ## Private Internet Access port forwarding
 When `PORT_FORWARDING=on`, a port will be forwarded on the VPN server side and written to the file specified by `PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port`.
 It can be useful to mount this file as a volume to read it from other containers, for example to configure a torrenting client.
 For `VPNSP=private internet access` (default), you will keep the same forwarded port for 60 days as long as you bind mount the `/gluetun` directory.
 You can also use the HTTP control server (see below) to get the port forwarded.
 ## HTTP control server
 [Wiki page](https://github.com/qdm12/gluetun/wiki/HTTP-Control-server)
 ## Development and contributing
 - Contribute with code: start with [this Wiki page](https://github.com/qdm12/gluetun/wiki/Developement-setup)
 - [The list of existing contributors 👍](https://github.com/qdm12/gluetun/blob/master/.github/CONTRIBUTING.md#Contributors)
 - [Github workflows](https://github.com/qdm12/gluetun/actions) to know what's building
 - [List of issues and feature requests](https://github.com/qdm12/gluetun/issues)
 ## License
 This repository is under an [MIT license](https://github.com/qdm12/gluetun/master/license)
 ## Support
 Sponsor me on [Github](https://github.com/sponsors/qdm12), donate to [paypal.me/qmcgaw](https://www.paypal.me/qmcgaw) or subscribe to a VPN provider through one of my affiliate links:
 [![https://github.com/sponsors/qdm12](https://raw.githubusercontent.com/qdm12/gluetun/master/doc/sponsors.jpg)](https://github.com/sponsors/qdm12)
 [![https://www.paypal.me/qmcgaw](https://raw.githubusercontent.com/qdm12/gluetun/master/doc/paypal.jpg)](https://www.paypal.me/qmcgaw)
 [![https://windscribe.com/?affid=mh7nyafu](https://raw.githubusercontent.com/qdm12/gluetun/master/doc/windscribe.jpg)](https://windscribe.com/?affid=mh7nyafu)
 Feel also free to have a look at [the Kanban board](https://github.com/qdm12/gluetun/projects/1) and [contribute](#Development-and-contributing) to the code or the issues discussion.
 Many thanks to @Frepke, @Ralph521, G. Mendez, M. Otmar Weber, J. Perez and A. Cooper for supporting me financially 🥇👍
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -2,438 +2,594 @@ package main
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"os"
 	"os/signal"
 	"strings"
 	"sync"
 	"syscall"
 	"time"
 	_ "time/tzdata"
 	_ "github.com/breml/rootcerts"
 	"github.com/qdm12/dns/pkg/unbound"
 	"github.com/qdm12/gluetun/internal/alpine"
 	"github.com/qdm12/gluetun/internal/cli"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/configuration/sources/env"
 	"github.com/qdm12/gluetun/internal/configuration/sources/files"
 	mux "github.com/qdm12/gluetun/internal/configuration/sources/merge"
 	"github.com/qdm12/gluetun/internal/configuration/sources/secrets"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/dns"
 	"github.com/qdm12/gluetun/internal/firewall"
 	"github.com/qdm12/gluetun/internal/healthcheck"
 	"github.com/qdm12/gluetun/internal/httpproxy"
 	gluetunLogging "github.com/qdm12/gluetun/internal/logging"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/netlink"
 	"github.com/qdm12/gluetun/internal/openvpn"
-	"github.com/qdm12/gluetun/internal/params"
+	"github.com/qdm12/gluetun/internal/openvpn/extract"
 	"github.com/qdm12/gluetun/internal/portforward"
 	"github.com/qdm12/gluetun/internal/pprof"
 	"github.com/qdm12/gluetun/internal/provider"
 	"github.com/qdm12/gluetun/internal/publicip"
 	pubipapi "github.com/qdm12/gluetun/internal/publicip/api"
 	"github.com/qdm12/gluetun/internal/routing"
 	"github.com/qdm12/gluetun/internal/server"
 	"github.com/qdm12/gluetun/internal/settings"
 	"github.com/qdm12/gluetun/internal/shadowsocks"
 	"github.com/qdm12/gluetun/internal/storage"
-	"github.com/qdm12/gluetun/internal/updater"
+	"github.com/qdm12/gluetun/internal/tun"
-	versionpkg "github.com/qdm12/gluetun/internal/version"
+	updater "github.com/qdm12/gluetun/internal/updater/loop"
 	"github.com/qdm12/gluetun/internal/updater/resolver"
 	"github.com/qdm12/gluetun/internal/updater/unzip"
 	"github.com/qdm12/gluetun/internal/vpn"
 	"github.com/qdm12/golibs/command"
-	"github.com/qdm12/golibs/files"
+	"github.com/qdm12/goshutdown"
-	"github.com/qdm12/golibs/logging"
+	"github.com/qdm12/goshutdown/goroutine"
-	"github.com/qdm12/golibs/network"
+	"github.com/qdm12/goshutdown/group"
 	"github.com/qdm12/goshutdown/order"
 	"github.com/qdm12/gosplash"
 	"github.com/qdm12/log"
 	"github.com/qdm12/updated/pkg/dnscrypto"
 )
 //nolint:gochecknoglobals
 var (
-	buildInfo models.BuildInformation
+	version = "unknown"
-	version   = "unknown"
+	commit  = "unknown"
-	commit    = "unknown"
+	created = "an unknown date"
 	buildDate = "an unknown date"
 )
 func main() {
-	buildInfo.Version = version
+	buildInfo := models.BuildInformation{
-	buildInfo.Commit = commit
+		Version: version,
-	buildInfo.BuildDate = buildDate
+		Commit:  commit,
-	ctx := context.Background()
+		Created: created,
-	os.Exit(_main(ctx, os.Args))
+	}
 	background := context.Background()
 	signalCh := make(chan os.Signal, 1)
 	signal.Notify(signalCh, os.Interrupt, syscall.SIGTERM)
 	ctx, cancel := context.WithCancel(background)
 	logger := log.New(log.SetLevel(log.LevelInfo))
 	args := os.Args
 	tun := tun.New()
 	netLinkDebugLogger := logger.New(log.SetComponent("netlink"))
 	netLinker := netlink.New(netLinkDebugLogger)
 	cli := cli.New()
 	cmder := command.NewCmder()
 	secretsReader := secrets.New()
 	filesReader := files.New()
 	envReader := env.New(logger)
 	muxReader := mux.New(secretsReader, filesReader, envReader)
 	errorCh := make(chan error)
 	go func() {
 		errorCh <- _main(ctx, buildInfo, args, logger, muxReader, tun, netLinker, cmder, cli)
 	}()
 	var err error
 	select {
 	case signal := <-signalCh:
 		fmt.Println("")
 		logger.Warn("Caught OS signal " + signal.String() + ", shutting down")
 		cancel()
 	case err = <-errorCh:
 		close(errorCh)
 		if err == nil { // expected exit such as healthcheck
 			os.Exit(0)
 		}
 		logger.Error(err.Error())
 		cancel()
 	}
 	const shutdownGracePeriod = 5 * time.Second
 	timer := time.NewTimer(shutdownGracePeriod)
 	select {
 	case shutdownErr := <-errorCh:
 		if !timer.Stop() {
 			<-timer.C
 		}
 		if shutdownErr != nil {
 			logger.Warnf("Shutdown not completed gracefully: %s", shutdownErr)
 			os.Exit(1)
 		}
 		logger.Info("Shutdown successful")
 		if err != nil {
 			os.Exit(1)
 		}
 		os.Exit(0)
 	case <-timer.C:
 		logger.Warn("Shutdown timed out")
 		os.Exit(1)
 	case signal := <-signalCh:
 		logger.Warn("Caught OS signal " + signal.String() + ", forcing shut down")
 		os.Exit(1)
 	}
 }
-func _main(background context.Context, args []string) int { //nolint:gocognit,gocyclo
+var (
 	errCommandUnknown = errors.New("command is unknown")
 )
 //nolint:gocognit,gocyclo,maintidx
 func _main(ctx context.Context, buildInfo models.BuildInformation,
 	args []string, logger log.LoggerInterface, source Source,
 	tun Tun, netLinker netLinker, cmder command.RunStarter,
 	cli clier) error {
 	if len(args) > 1 { // cli operation
 		var err error
 		switch args[1] {
 		case "healthcheck":
-			err = cli.HealthCheck(background)
+			return cli.HealthCheck(ctx, source, logger)
 		case "clientkey":
-			err = cli.ClientKey(args[2:])
+			return cli.ClientKey(args[2:])
 		case "openvpnconfig":
-			err = cli.OpenvpnConfig()
+			return cli.OpenvpnConfig(logger, source, netLinker)
 		case "update":
-			err = cli.Update(args[2:])
+			return cli.Update(ctx, args[2:], logger)
 		case "format-servers":
 			return cli.FormatServers(args[2:])
 		default:
-			err = fmt.Errorf("command %q is unknown", args[1])
+			return fmt.Errorf("%w: %s", errCommandUnknown, args[1])
 		}
 		if err != nil {
 			fmt.Println(err)
 			return 1
 		}
 		return 0
 	}
-	ctx, cancel := context.WithCancel(background)
+
-	defer cancel()
+	announcementExp, err := time.Parse(time.RFC3339, "2023-07-01T00:00:00Z")
-	logger := createLogger()
+	if err != nil {
 		return err
 	}
 	splashSettings := gosplash.Settings{
 		User:         "qdm12",
 		Repository:   "gluetun",
 		Emails:       []string{"quentin.mcgaw@gmail.com"},
 		Version:      buildInfo.Version,
 		Commit:       buildInfo.Commit,
 		BuildDate:    buildInfo.Created,
 		Announcement: "Wiki moved to https://github.com/qdm12/gluetun-wiki",
 		AnnounceExp:  announcementExp,
 		// Sponsor information
 		PaypalUser:    "qmcgaw",
 		GithubSponsor: "qdm12",
 	}
 	for _, line := range gosplash.MakeLines(splashSettings) {
 		fmt.Println(line)
 	}
 	allSettings, err := source.Read()
 	if err != nil {
 		return err
 	}
 	// Note: no need to validate minimal settings for the firewall:
 	// - global log level is parsed from source
 	// - firewall Debug and Enabled are booleans parsed from source
 	logger.Patch(log.SetLevel(*allSettings.Log.Level))
 	netLinker.PatchLoggerLevel(*allSettings.Log.Level)
 	routingLogger := logger.New(log.SetComponent("routing"))
 	if *allSettings.Firewall.Debug { // To remove in v4
 		routingLogger.Patch(log.SetLevel(log.LevelDebug))
 	}
 	routingConf := routing.New(netLinker, routingLogger)
 	defaultRoutes, err := routingConf.DefaultRoutes()
 	if err != nil {
 		return err
 	}
 	localNetworks, err := routingConf.LocalNetworks()
 	if err != nil {
 		return err
 	}
 	firewallLogger := logger.New(log.SetComponent("firewall"))
 	if *allSettings.Firewall.Debug { // To remove in v4
 		firewallLogger.Patch(log.SetLevel(log.LevelDebug))
 	}
 	firewallConf, err := firewall.NewConfig(ctx, firewallLogger, cmder,
 		defaultRoutes, localNetworks)
 	if err != nil {
 		return err
 	}
 	if *allSettings.Firewall.Enabled {
 		err = firewallConf.SetEnabled(ctx, true)
 		if err != nil {
 			return err
 		}
 	}
 	// TODO run this in a loop or in openvpn to reload from file without restarting
 	storageLogger := logger.New(log.SetComponent("storage"))
 	storage, err := storage.New(storageLogger, constants.ServersData)
 	if err != nil {
 		return err
 	}
 	ipv6Supported, err := netLinker.IsIPv6Supported()
 	if err != nil {
 		return fmt.Errorf("checking for IPv6 support: %w", err)
 	}
 	err = allSettings.Validate(storage, ipv6Supported)
 	if err != nil {
 		return err
 	}
 	allSettings.Pprof.HTTPServer.Logger = logger.New(log.SetComponent("pprof"))
 	pprofServer, err := pprof.New(allSettings.Pprof)
 	if err != nil {
 		return fmt.Errorf("creating Pprof server: %w", err)
 	}
 	puid, pgid := int(*allSettings.System.PUID), int(*allSettings.System.PGID)
 	const clientTimeout = 15 * time.Second
 	httpClient := &http.Client{Timeout: clientTimeout}
 	client := network.NewClient(clientTimeout)
 	// Create configurators
-	fileManager := files.NewFileManager()
+	alpineConf := alpine.New()
-	alpineConf := alpine.NewConfigurator(fileManager)
+	ovpnConf := openvpn.New(
-	ovpnConf := openvpn.NewConfigurator(logger, fileManager)
+		logger.New(log.SetComponent("openvpn configurator")),
-	dnsConf := dns.NewConfigurator(logger, client, fileManager)
+		cmder, puid, pgid)
-	routingConf := routing.NewRouting(logger)
+	dnsCrypto := dnscrypto.New(httpClient, "", "")
-	firewallConf := firewall.NewConfigurator(logger, routingConf, fileManager)
+	const cacertsPath = "/etc/ssl/certs/ca-certificates.crt"
-	streamMerger := command.NewStreamMerger()
+	dnsConf := unbound.NewConfigurator(nil, cmder, dnsCrypto,
 		"/etc/unbound", "/usr/sbin/unbound", cacertsPath)
-	paramsReader := params.NewReader(logger, fileManager)
+	err = printVersions(ctx, logger, []printVersionElement{
-	fmt.Println(gluetunLogging.Splash(buildInfo))
+		{name: "Alpine", getVersion: alpineConf.Version},
-
+		{name: "OpenVPN 2.5", getVersion: ovpnConf.Version25},
-	printVersions(ctx, logger, map[string]func(ctx context.Context) (string, error){
+		{name: "OpenVPN 2.6", getVersion: ovpnConf.Version26},
-		"OpenVPN":  ovpnConf.Version,
+		{name: "Unbound", getVersion: dnsConf.Version},
-		"Unbound":  dnsConf.Version,
+		{name: "IPtables", getVersion: func(ctx context.Context) (version string, err error) {
-		"IPtables": firewallConf.Version,
+			return firewall.Version(ctx, cmder)
 		}},
 	})
 	allSettings, err := settings.GetAllSettings(paramsReader)
 	if err != nil {
-		logger.Error(err)
+		return err
 		return 1
 	}
 	logger.Info(allSettings.String())
-	// TODO run this in a loop or in openvpn to reload from file without restarting
+	for _, warning := range allSettings.Warnings() {
-	storage := storage.New(logger)
+		logger.Warn(warning)
-	const updateServerFile = true
+	}
-	allServers, err := storage.SyncServers(constants.GetAllServers(), updateServerFile)
+
 	if err := os.MkdirAll("/tmp/gluetun", 0644); err != nil {
 		return err
 	}
 	if err := os.MkdirAll("/gluetun", 0644); err != nil {
 		return err
 	}
 	const defaultUsername = "nonrootuser"
 	nonRootUsername, err := alpineConf.CreateUser(defaultUsername, puid)
 	if err != nil {
-		logger.Error(err)
+		return fmt.Errorf("creating user: %w", err)
 		return 1
 	}
-
+	if nonRootUsername != defaultUsername {
-	// Should never change
+		logger.Info("using existing username " + nonRootUsername + " corresponding to user id " + fmt.Sprint(puid))
 	uid, gid := allSettings.System.UID, allSettings.System.GID
 	err = alpineConf.CreateUser("nonrootuser", uid)
 	if err != nil {
 		logger.Error(err)
 		return 1
 	}
 	err = fileManager.SetOwnership("/etc/unbound", uid, gid)
 	if err != nil {
 		logger.Error(err)
 		return 1
 	}
 	// set it for Unbound
 	// TODO remove this when migrating to qdm12/dns v2
 	allSettings.DNS.DoT.Unbound.Username = nonRootUsername
 	allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername
-	if allSettings.Firewall.Debug {
+	if err := os.Chown("/etc/unbound", puid, pgid); err != nil {
-		firewallConf.SetDebug()
+		return err
 		routingConf.SetDebug()
 	}
 	defaultInterface, defaultGateway, err := routingConf.DefaultRoute()
 	if err != nil {
 		logger.Error(err)
 		return 1
 	}
 	localSubnet, err := routingConf.LocalSubnet()
 	if err != nil {
 		logger.Error(err)
 		return 1
 	}
 	defaultIP, err := routingConf.DefaultIP()
 	if err != nil {
 		logger.Error(err)
 		return 1
 	}
 	firewallConf.SetNetworkInformation(defaultInterface, defaultGateway, localSubnet, defaultIP)
 	if err := routingConf.Setup(); err != nil {
-		logger.Error(err)
+		if strings.Contains(err.Error(), "operation not permitted") {
-		return 1
+			logger.Warn("💡 Tip: Are you passing NET_ADMIN capability to gluetun?")
 		}
 		return fmt.Errorf("setting up routing: %w", err)
 	}
 	defer func() {
-		routingConf.SetVerbose(false)
+		routingLogger.Info("routing cleanup...")
 		if err := routingConf.TearDown(); err != nil {
-			logger.Error(err)
+			routingLogger.Error("cannot teardown routing: " + err.Error())
 		}
 	}()
 	if err := firewallConf.SetOutboundSubnets(ctx, allSettings.Firewall.OutboundSubnets); err != nil {
-		logger.Error(err)
+		return err
 		return 1
 	}
 	if err := routingConf.SetOutboundRoutes(allSettings.Firewall.OutboundSubnets); err != nil {
-		logger.Error(err)
+		return err
 		return 1
 	}
-	if err := ovpnConf.CheckTUN(); err != nil {
+	err = routingConf.AddLocalRules(localNetworks)
-		logger.Warn(err)
+	if err != nil {
-		err = ovpnConf.CreateTUN()
+		return fmt.Errorf("adding local rules: %w", err)
 		if err != nil {
 			logger.Error(err)
 			return 1
 		}
 	}
-	tunnelReadyCh, dnsReadyCh := make(chan struct{}), make(chan struct{})
+	const tunDevice = "/dev/net/tun"
-	signalTunnelReady := func() { tunnelReadyCh <- struct{}{} }
+	if err := tun.Check(tunDevice); err != nil {
-	signalDNSReady := func() { dnsReadyCh <- struct{}{} }
+		logger.Info(err.Error() + "; creating it...")
-	defer close(tunnelReadyCh)
+		err = tun.Create(tunDevice)
 	defer close(dnsReadyCh)
 	if allSettings.Firewall.Enabled {
 		err := firewallConf.SetEnabled(ctx, true) // disabled by default
 		if err != nil {
-			logger.Error(err)
+			return err
 			return 1
 		}
 	}
 	for _, vpnPort := range allSettings.Firewall.VPNInputPorts {
 		err = firewallConf.SetAllowedPort(ctx, vpnPort, string(constants.TUN))
 		if err != nil {
 			logger.Error(err)
 			return 1
 		}
 	}
 	for _, port := range allSettings.Firewall.InputPorts {
-		err = firewallConf.SetAllowedPort(ctx, port, defaultInterface)
+		for _, defaultRoute := range defaultRoutes {
-		if err != nil {
+			err = firewallConf.SetAllowedPort(ctx, port, defaultRoute.NetInterface)
-			logger.Error(err)
+			if err != nil {
-			return 1
+				return err
 			}
 		}
 	} // TODO move inside firewall?
-	wg := &sync.WaitGroup{}
+	// Shutdown settings
-
+	const totalShutdownTimeout = 3 * time.Second
-	go collectStreamLines(ctx, streamMerger, logger, signalTunnelReady)
+	const defaultShutdownTimeout = 400 * time.Millisecond
-
+	defaultShutdownOnSuccess := func(goRoutineName string) {
-	openvpnLooper := openvpn.NewLooper(allSettings.VPNSP, allSettings.OpenVPN, uid, gid, allServers,
+		logger.Info(goRoutineName + ": terminated ✔️")
 		ovpnConf, firewallConf, routingConf, logger, httpClient, fileManager, streamMerger, cancel)
 	wg.Add(1)
 	// wait for restartOpenvpn
 	go openvpnLooper.Run(ctx, wg)
 	updaterOptions := updater.NewOptions("127.0.0.1")
 	updaterLooper := updater.NewLooper(updaterOptions, allSettings.UpdaterPeriod,
 		allServers, storage, openvpnLooper.SetAllServers, httpClient, logger)
 	wg.Add(1)
 	// wait for updaterLooper.Restart() or its ticket launched with RunRestartTicker
 	go updaterLooper.Run(ctx, wg)
 	unboundLooper := dns.NewLooper(dnsConf, allSettings.DNS, logger, streamMerger, uid, gid)
 	wg.Add(1)
 	// wait for unboundLooper.Restart or its ticker launched with RunRestartTicker
 	go unboundLooper.Run(ctx, wg, signalDNSReady)
 	publicIPLooper := publicip.NewLooper(client, logger, fileManager,
 		allSettings.System.IPStatusFilepath, allSettings.PublicIPPeriod, uid, gid)
 	wg.Add(1)
 	go publicIPLooper.Run(ctx, wg)
 	wg.Add(1)
 	go publicIPLooper.RunRestartTicker(ctx, wg)
 	publicIPLooper.SetPeriod(allSettings.PublicIPPeriod) // call after RunRestartTicker
 	httpProxyLooper := httpproxy.NewLooper(httpClient, logger, allSettings.HTTPProxy)
 	wg.Add(1)
 	go httpProxyLooper.Run(ctx, wg)
 	shadowsocksLooper := shadowsocks.NewLooper(allSettings.ShadowSocks, logger, defaultInterface)
 	restartShadowsocks := shadowsocksLooper.Restart
 	wg.Add(1)
 	go shadowsocksLooper.Run(ctx, wg)
 	if allSettings.HTTPProxy.Enabled {
 		httpProxyLooper.Restart()
 	}
-	if allSettings.ShadowSocks.Enabled {
+	defaultShutdownOnFailure := func(goRoutineName string, err error) {
-		restartShadowsocks()
+		logger.Warn(goRoutineName + ": " + err.Error() + " ⚠️")
 	}
 	defaultGroupOptions := []group.Option{
 		group.OptionTimeout(defaultShutdownTimeout),
 		group.OptionOnSuccess(defaultShutdownOnSuccess)}
 	controlGroupHandler := goshutdown.NewGroupHandler("control", defaultGroupOptions...)
 	tickersGroupHandler := goshutdown.NewGroupHandler("tickers", defaultGroupOptions...)
 	otherGroupHandler := goshutdown.NewGroupHandler("other", defaultGroupOptions...)
 	if *allSettings.Pprof.Enabled {
 		// TODO run in run loop so this can be patched at runtime
 		pprofReady := make(chan struct{})
 		pprofHandler, pprofCtx, pprofDone := goshutdown.NewGoRoutineHandler("pprof server")
 		go pprofServer.Run(pprofCtx, pprofReady, pprofDone)
 		otherGroupHandler.Add(pprofHandler)
 		<-pprofReady
 	}
-	wg.Add(1)
+	portForwardLogger := logger.New(log.SetComponent("port forwarding"))
-	go routeReadyEvents(ctx, wg, tunnelReadyCh, dnsReadyCh,
+	portForwardLooper := portforward.NewLoop(allSettings.VPN.Provider.PortForwarding,
-		unboundLooper, updaterLooper, publicIPLooper, routingConf, logger, httpClient,
+		routingConf, httpClient, firewallConf, portForwardLogger, puid, pgid)
-		allSettings.VersionInformation, allSettings.OpenVPN.Provider.PortForwarding.Enabled, openvpnLooper.PortForward,
+	portForwardRunError, err := portForwardLooper.Start(ctx)
 	)
 	controlServerAddress := fmt.Sprintf("0.0.0.0:%d", allSettings.ControlServer.Port)
 	controlServerLogging := allSettings.ControlServer.Log
 	httpServer := server.New(controlServerAddress, controlServerLogging,
 		logger, buildInfo, openvpnLooper, unboundLooper, updaterLooper)
 	wg.Add(1)
 	go httpServer.Run(ctx, wg)
 	healthcheckServer := healthcheck.NewServer(
 		constants.HealthcheckAddress, logger)
 	wg.Add(1)
 	go healthcheckServer.Run(ctx, wg)
 	// Start openvpn for the first time
 	openvpnLooper.Restart()
 	signalsCh := make(chan os.Signal, 1)
 	signal.Notify(signalsCh,
 		syscall.SIGINT,
 		syscall.SIGTERM,
 		os.Interrupt,
 	)
 	shutdownErrorsCount := 0
 	select {
 	case signal := <-signalsCh:
 		logger.Warn("Caught OS signal %s, shutting down", signal)
 		cancel()
 	case <-ctx.Done():
 		logger.Warn("context canceled, shutting down")
 	}
 	logger.Info("Clearing ip status file %s", allSettings.System.IPStatusFilepath)
 	if err := fileManager.Remove(string(allSettings.System.IPStatusFilepath)); err != nil {
 		logger.Error(err)
 		shutdownErrorsCount++
 	}
 	if allSettings.OpenVPN.Provider.PortForwarding.Enabled {
 		logger.Info("Clearing forwarded port status file %s", allSettings.OpenVPN.Provider.PortForwarding.Filepath)
 		if err := fileManager.Remove(string(allSettings.OpenVPN.Provider.PortForwarding.Filepath)); err != nil {
 			logger.Error(err)
 			shutdownErrorsCount++
 		}
 	}
 	const shutdownGracePeriod = 5 * time.Second
 	waiting, waited := context.WithTimeout(context.Background(), shutdownGracePeriod)
 	go func() {
 		defer waited()
 		wg.Wait()
 	}()
 	<-waiting.Done()
 	if waiting.Err() == context.DeadlineExceeded {
 		if shutdownErrorsCount > 0 {
 			logger.Warn("Shutdown had %d errors", shutdownErrorsCount)
 		}
 		logger.Warn("Shutdown timed out")
 		return 1
 	}
 	if shutdownErrorsCount > 0 {
 		logger.Warn("Shutdown had %d errors")
 		return 1
 	}
 	logger.Info("Shutdown successful")
 	return 0
 }
 func createLogger() logging.Logger {
 	logger, err := logging.NewLogger(logging.ConsoleEncoding, logging.InfoLevel)
 	if err != nil {
-		panic(err)
+		return fmt.Errorf("starting port forwarding loop: %w", err)
 	}
-	return logger
+
 	unboundLogger := logger.New(log.SetComponent("dns"))
 	unboundLooper := dns.NewLoop(dnsConf, allSettings.DNS, httpClient,
 		unboundLogger)
 	dnsHandler, dnsCtx, dnsDone := goshutdown.NewGoRoutineHandler(
 		"unbound", goroutine.OptionTimeout(defaultShutdownTimeout))
 	// wait for unboundLooper.Restart or its ticker launched with RunRestartTicker
 	go unboundLooper.Run(dnsCtx, dnsDone)
 	otherGroupHandler.Add(dnsHandler)
 	dnsTickerHandler, dnsTickerCtx, dnsTickerDone := goshutdown.NewGoRoutineHandler(
 		"dns ticker", goroutine.OptionTimeout(defaultShutdownTimeout))
 	go unboundLooper.RunRestartTicker(dnsTickerCtx, dnsTickerDone)
 	controlGroupHandler.Add(dnsTickerHandler)
 	publicipAPI, _ := pubipapi.ParseProvider(allSettings.PublicIP.API)
 	ipFetcher, err := pubipapi.New(publicipAPI, httpClient, *allSettings.PublicIP.APIToken)
 	if err != nil {
 		return fmt.Errorf("creating public IP API client: %w", err)
 	}
 	publicIPLooper := publicip.NewLoop(ipFetcher,
 		logger.New(log.SetComponent("ip getter")),
 		allSettings.PublicIP, puid, pgid)
 	publicIPRunError, err := publicIPLooper.Start(ctx)
 	if err != nil {
 		return fmt.Errorf("starting public ip loop: %w", err)
 	}
 	updaterLogger := logger.New(log.SetComponent("updater"))
 	unzipper := unzip.New(httpClient)
 	parallelResolver := resolver.NewParallelResolver(allSettings.Updater.DNSAddress)
 	openvpnFileExtractor := extract.New()
 	providers := provider.NewProviders(storage, time.Now, updaterLogger,
 		httpClient, unzipper, parallelResolver, ipFetcher, openvpnFileExtractor)
 	vpnLogger := logger.New(log.SetComponent("vpn"))
 	vpnLooper := vpn.NewLoop(allSettings.VPN, ipv6Supported, allSettings.Firewall.VPNInputPorts,
 		providers, storage, ovpnConf, netLinker, firewallConf, routingConf, portForwardLooper,
 		cmder, publicIPLooper, unboundLooper, vpnLogger, httpClient,
 		buildInfo, *allSettings.Version.Enabled)
 	vpnHandler, vpnCtx, vpnDone := goshutdown.NewGoRoutineHandler(
 		"vpn", goroutine.OptionTimeout(time.Second))
 	go vpnLooper.Run(vpnCtx, vpnDone)
 	updaterLooper := updater.NewLoop(allSettings.Updater,
 		providers, storage, httpClient, updaterLogger)
 	updaterHandler, updaterCtx, updaterDone := goshutdown.NewGoRoutineHandler(
 		"updater", goroutine.OptionTimeout(defaultShutdownTimeout))
 	// wait for updaterLooper.Restart() or its ticket launched with RunRestartTicker
 	go updaterLooper.Run(updaterCtx, updaterDone)
 	tickersGroupHandler.Add(updaterHandler)
 	updaterTickerHandler, updaterTickerCtx, updaterTickerDone := goshutdown.NewGoRoutineHandler(
 		"updater ticker", goroutine.OptionTimeout(defaultShutdownTimeout))
 	go updaterLooper.RunRestartTicker(updaterTickerCtx, updaterTickerDone)
 	controlGroupHandler.Add(updaterTickerHandler)
 	httpProxyLooper := httpproxy.NewLoop(
 		logger.New(log.SetComponent("http proxy")),
 		allSettings.HTTPProxy)
 	httpProxyHandler, httpProxyCtx, httpProxyDone := goshutdown.NewGoRoutineHandler(
 		"http proxy", goroutine.OptionTimeout(defaultShutdownTimeout))
 	go httpProxyLooper.Run(httpProxyCtx, httpProxyDone)
 	otherGroupHandler.Add(httpProxyHandler)
 	shadowsocksLooper := shadowsocks.NewLoop(allSettings.Shadowsocks,
 		logger.New(log.SetComponent("shadowsocks")))
 	shadowsocksHandler, shadowsocksCtx, shadowsocksDone := goshutdown.NewGoRoutineHandler(
 		"shadowsocks proxy", goroutine.OptionTimeout(defaultShutdownTimeout))
 	go shadowsocksLooper.Run(shadowsocksCtx, shadowsocksDone)
 	otherGroupHandler.Add(shadowsocksHandler)
 	controlServerAddress := *allSettings.ControlServer.Address
 	controlServerLogging := *allSettings.ControlServer.Log
 	httpServerHandler, httpServerCtx, httpServerDone := goshutdown.NewGoRoutineHandler(
 		"http server", goroutine.OptionTimeout(defaultShutdownTimeout))
 	httpServer, err := server.New(httpServerCtx, controlServerAddress, controlServerLogging,
 		logger.New(log.SetComponent("http server")),
 		buildInfo, vpnLooper, portForwardLooper, unboundLooper, updaterLooper, publicIPLooper,
 		storage, ipv6Supported)
 	if err != nil {
 		return fmt.Errorf("setting up control server: %w", err)
 	}
 	httpServerReady := make(chan struct{})
 	go httpServer.Run(httpServerCtx, httpServerReady, httpServerDone)
 	<-httpServerReady
 	controlGroupHandler.Add(httpServerHandler)
 	healthLogger := logger.New(log.SetComponent("healthcheck"))
 	healthcheckServer := healthcheck.NewServer(allSettings.Health, healthLogger, vpnLooper)
 	healthServerHandler, healthServerCtx, healthServerDone := goshutdown.NewGoRoutineHandler(
 		"HTTP health server", goroutine.OptionTimeout(defaultShutdownTimeout))
 	go healthcheckServer.Run(healthServerCtx, healthServerDone)
 	orderHandler := goshutdown.NewOrderHandler("gluetun",
 		order.OptionTimeout(totalShutdownTimeout),
 		order.OptionOnSuccess(defaultShutdownOnSuccess),
 		order.OptionOnFailure(defaultShutdownOnFailure))
 	orderHandler.Append(controlGroupHandler, tickersGroupHandler, healthServerHandler,
 		vpnHandler, otherGroupHandler)
 	// Start VPN for the first time in a blocking call
 	// until the VPN is launched
 	_, _ = vpnLooper.ApplyStatus(ctx, constants.Running) // TODO option to disable with variable
 	select {
 	case <-ctx.Done():
 		stoppers := []interface {
 			String() string
 			Stop() error
 		}{
 			portForwardLooper, publicIPLooper,
 		}
 		for _, stopper := range stoppers {
 			err := stopper.Stop()
 			if err != nil {
 				logger.Error(fmt.Sprintf("stopping %s: %s", stopper, err))
 			}
 		}
 	case err := <-portForwardRunError:
 		logger.Errorf("port forwarding loop crashed: %s", err)
 	case err := <-publicIPRunError:
 		logger.Errorf("public IP loop crashed: %s", err)
 	}
 	return orderHandler.Shutdown(context.Background())
 }
-func printVersions(ctx context.Context, logger logging.Logger,
+type printVersionElement struct {
-	versionFunctions map[string]func(ctx context.Context) (string, error)) {
+	name       string
 	getVersion func(ctx context.Context) (version string, err error)
 }
 type infoer interface {
 	Info(s string)
 }
 func printVersions(ctx context.Context, logger infoer,
 	elements []printVersionElement) (err error) {
 	const timeout = 5 * time.Second
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
-	for name, f := range versionFunctions {
+
-		version, err := f(ctx)
+	for _, element := range elements {
 		version, err := element.getVersion(ctx)
 		if err != nil {
-			logger.Error(err)
+			return fmt.Errorf("getting %s version: %w", element.name, err)
 		} else {
 			logger.Info("%s version: %s", name, version)
 		}
 		logger.Info(element.name + " version: " + version)
 	}
 	return nil
 }
-//nolint:lll
+type netLinker interface {
-func collectStreamLines(ctx context.Context, streamMerger command.StreamMerger,
+	Addresser
-	logger logging.Logger, signalTunnelReady func()) {
+	Router
-	// Blocking line merging paramsReader for openvpn and unbound
+	Ruler
-	logger.Info("Launching standard output merger")
+	Linker
-	streamMerger.CollectLines(ctx, func(line string) {
+	IsWireguardSupported() (ok bool, err error)
-		line, level := gluetunLogging.PostProcessLine(line)
+	IsIPv6Supported() (ok bool, err error)
-		if line == "" {
+	PatchLoggerLevel(level log.Level)
 			return
 		}
 		switch level {
 		case logging.DebugLevel:
 			logger.Debug(line)
 		case logging.InfoLevel:
 			logger.Info(line)
 		case logging.WarnLevel:
 			logger.Warn(line)
 		case logging.ErrorLevel:
 			logger.Error(line)
 		}
 		switch {
 		case strings.Contains(line, "Initialization Sequence Completed"):
 			signalTunnelReady()
 		case strings.Contains(line, "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"):
 			logger.Warn("This means that either...")
 			logger.Warn("1. The VPN server IP address you are trying to connect to is no longer valid, see https://github.com/qdm12/gluetun/wiki/Update-servers-information")
 			logger.Warn("2. The VPN server crashed, try changing region")
 			logger.Warn("3. Your Internet connection is not working, ensure it works")
 			logger.Warn("Feel free to create an issue at https://github.com/qdm12/gluetun/issues/new/choose")
 		}
 	}, func(err error) {
 		logger.Warn(err)
 	})
 }
-func routeReadyEvents(ctx context.Context, wg *sync.WaitGroup, tunnelReadyCh, dnsReadyCh <-chan struct{},
+type Addresser interface {
-	unboundLooper dns.Looper, updaterLooper updater.Looper, publicIPLooper publicip.Looper,
+	AddrList(link netlink.Link, family int) (
-	routing routing.Routing, logger logging.Logger, httpClient *http.Client,
+		addresses []netlink.Addr, err error)
-	versionInformation, portForwardingEnabled bool, startPortForward func(vpnGateway net.IP)) {
+	AddrReplace(link netlink.Link, addr netlink.Addr) error
-	defer wg.Done()
+}
-	tickerWg := &sync.WaitGroup{}
+
-	// for linters only
+type Router interface {
-	var restartTickerContext context.Context
+	RouteList(family int) (routes []netlink.Route, err error)
-	var restartTickerCancel context.CancelFunc = func() {}
+	RouteAdd(route netlink.Route) error
-	for {
+	RouteDel(route netlink.Route) error
-		select {
+	RouteReplace(route netlink.Route) error
-		case <-ctx.Done():
+}
-			restartTickerCancel() // for linters only
+
-			tickerWg.Wait()
+type Ruler interface {
-			return
+	RuleList(family int) (rules []netlink.Rule, err error)
-		case <-tunnelReadyCh: // blocks until openvpn is connected
+	RuleAdd(rule netlink.Rule) error
-			unboundLooper.Restart()
+	RuleDel(rule netlink.Rule) error
-			restartTickerCancel() // stop previous restart tickers
+}
-			tickerWg.Wait()
+
-			restartTickerContext, restartTickerCancel = context.WithCancel(ctx)
+type Linker interface {
-			tickerWg.Add(2) //nolint:gomnd
+	LinkList() (links []netlink.Link, err error)
-			go unboundLooper.RunRestartTicker(restartTickerContext, tickerWg)
+	LinkByName(name string) (link netlink.Link, err error)
-			go updaterLooper.RunRestartTicker(restartTickerContext, tickerWg)
+	LinkByIndex(index int) (link netlink.Link, err error)
-			vpnDestination, err := routing.VPNDestinationIP()
+	LinkAdd(link netlink.Link) (linkIndex int, err error)
-			if err != nil {
+	LinkDel(link netlink.Link) (err error)
-				logger.Warn(err)
+	LinkSetUp(link netlink.Link) (linkIndex int, err error)
-			} else {
+	LinkSetDown(link netlink.Link) (err error)
-				logger.Info("VPN routing IP address: %s", vpnDestination)
+}
-			}
+
-			if portForwardingEnabled {
+type clier interface {
-				// vpnGateway required only for PIA
+	ClientKey(args []string) error
-				vpnGateway, err := routing.VPNLocalGatewayIP()
+	FormatServers(args []string) error
-				if err != nil {
+	OpenvpnConfig(logger cli.OpenvpnConfigLogger, source cli.Source, ipv6Checker cli.IPv6Checker) error
-					logger.Error(err)
+	HealthCheck(ctx context.Context, source cli.Source, warner cli.Warner) error
-				}
+	Update(ctx context.Context, args []string, logger cli.UpdaterLogger) error
-				logger.Info("VPN gateway IP address: %s", vpnGateway)
+}
-				startPortForward(vpnGateway)
+
-			}
+type Tun interface {
-		case <-dnsReadyCh:
+	Check(tunDevice string) error
-			publicIPLooper.Restart() // TODO do not restart if disabled
+	Create(tunDevice string) error
-			if !versionInformation {
+}
-				break
+
-			}
+type Source interface {
-			message, err := versionpkg.GetMessage(ctx, buildInfo, httpClient)
+	Read() (settings settings.Settings, err error)
-			if err != nil {
+	ReadHealth() (health settings.Health, err error)
-				logger.Error(err)
+	String() string
 				break
 			}
 			logger.Info(message)
 		}
 	}
 }
--- a/doc/logo.svg
+++ b/doc/logo.svg
--- a/doc/logo_256.png
+++ b/doc/logo_256.png
--- a/doc/paypal.jpg
+++ b/doc/paypal.jpg
--- a/doc/sponsors.jpg
+++ b/doc/sponsors.jpg
--- a/doc/windscribe.jpg
+++ b/doc/windscribe.jpg
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,38 +0,0 @@
 version: "3.7"
 services:
  gluetun:
    image: qmcgaw/private-internet-access
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
    # command:
    volumes:
      - /yourpath:/gluetun
    environment:
      # More variables are available, see the readme table
      - VPNSP=private internet access
      # Timezone for accurate logs times
      - TZ=
      # All VPN providers
      - USER=js89ds7
      # All VPN providers but Mullvad
      - PASSWORD=8fd9s239G
      # Cyberghost only
      - CLIENT_KEY=
      # All VPN providers but Mullvad
      - REGION=Austria
      # Mullvad only
      - COUNTRY=Sweden
    restart: always
--- a/go.mod
+++ b/go.mod
@@ -1,14 +1,55 @@
 module github.com/qdm12/gluetun
-go 1.15
+go 1.21
 require (
-	github.com/fatih/color v1.9.0
+	github.com/breml/rootcerts v0.2.16
-	github.com/golang/mock v1.4.4
+	github.com/fatih/color v1.16.0
-	github.com/kyokomi/emoji v2.2.4+incompatible
+	github.com/golang/mock v1.6.0
-	github.com/qdm12/golibs v0.0.0-20201025221346-fe352060c25a
+	github.com/klauspost/compress v1.17.4
-	github.com/qdm12/ss-server v0.1.0
+	github.com/klauspost/pgzip v1.2.6
-	github.com/stretchr/testify v1.6.1
+	github.com/qdm12/dns v1.11.0
-	github.com/vishvananda/netlink v1.1.0
+	github.com/qdm12/golibs v0.0.0-20210822203818-5c568b0777b6
-	golang.org/x/sys v0.0.0-20201018121011-98379d014ca7
+	github.com/qdm12/gosettings v0.4.0-rc1
 	github.com/qdm12/goshutdown v0.3.0
 	github.com/qdm12/gosplash v0.1.0
 	github.com/qdm12/gotree v0.2.0
 	github.com/qdm12/govalid v0.2.0-rc1
 	github.com/qdm12/log v0.1.0
 	github.com/qdm12/ss-server v0.5.0
 	github.com/qdm12/updated v0.0.0-20210603204757-205acfe6937e
 	github.com/stretchr/testify v1.8.4
 	github.com/ulikunitz/xz v0.5.11
 	github.com/vishvananda/netlink v1.2.1-beta.2
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
 	golang.org/x/net v0.19.0
 	golang.org/x/sys v0.15.0
 	golang.org/x/text v0.14.0
 	golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde
 	gopkg.in/ini.v1 v1.67.0
 	inet.af/netaddr v0.0.0-20220811202034-502d2d690317
 )
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mdlayher/genetlink v1.2.0 // indirect
 	github.com/mdlayher/netlink v1.6.2 // indirect
 	github.com/mdlayher/socket v0.2.3 // indirect
 	github.com/miekg/dns v1.1.40 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
 	github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae // indirect
 	go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 // indirect
 	golang.org/x/crypto v0.17.0 // indirect
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,140 +1,254 @@
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/PuerkitoBio/purell v1.1.0 h1:rmGxhojJlM0tuKtfdvliR84CFHljx9ag64t2xmVkjK4=
 github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
-github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf h1:eg0MeVzsP1G42dRafH3vf+al2vQIJU0YHX+1Tw87oco=
+github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7/go.mod h1:6zEj6s6u/ghQa61ZWa/C2Aw3RkjiTBOix7dkqa1VLIs=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/breml/rootcerts v0.2.16 h1:yN1TGvicfHx8dKz3OQRIrx/5nE/iN3XT1ibqGbd6urc=
 github.com/breml/rootcerts v0.2.16/go.mod h1:S/PKh+4d1HUn4HQovEB8hPJZO6pUZYrIhmXBhsegfXw=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
+github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
-github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
+github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb h1:D4uzjWwKYQ5XnAvUbuvHW93esHg7F8N/OYeBBcJoTr0=
+github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
 github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI=
 github.com/go-openapi/analysis v0.17.0 h1:8JV+dzJJiK46XqGLqqLav8ZfEiJECp8jlOFhpiCdZ+0=
 github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik=
 github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
 github.com/go-openapi/errors v0.17.2 h1:azEQ8Fnx0jmtFF2fxsnmd6I0x6rsweUF63qqSO1NmKk=
 github.com/go-openapi/errors v0.17.2/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
 github.com/go-openapi/jsonpointer v0.17.0 h1:nH6xp8XdXHx8dqveo0ZuJBluCO2qGrPbDNZ0dwoRHP0=
 github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonreference v0.17.0 h1:yJW3HCkTHg7NOA+gZ83IPHzUSnUzGXhGmsdiCcMexbA=
 github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I=
 github.com/go-openapi/loads v0.17.0 h1:H22nMs3GDQk4SwAaFQ+jLNw+0xoFeCueawhZlv8MBYs=
 github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU=
 github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA=
 github.com/go-openapi/runtime v0.17.2 h1:/ZK67ikFhQAMFFH/aPu2MaGH7QjP4wHBvHYOVIzDAw0=
 github.com/go-openapi/runtime v0.17.2/go.mod h1:QO936ZXeisByFmZEO1IS1Dqhtf4QV1sYYFtIq6Ld86Q=
 github.com/go-openapi/spec v0.17.0 h1:XNvrt8FlSVP8T1WuhbAFF6QDhJc0zsoWzX4wXARhhpE=
 github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/strfmt v0.17.0 h1:1isAxYf//QDTnVzbLAMrUK++0k1EjeLJU/gTOR0o3Mc=
 github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU=
 github.com/go-openapi/swag v0.17.0 h1:iqrgMg7Q7SvtbWLlltPrkMs0UBJI6oTSs79JFRUi880=
 github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg=
 github.com/go-openapi/validate v0.17.0 h1:pqoViQz3YLOGIhAmD0N4Lt6pa/3Gnj3ymKqQwq8iS6U=
 github.com/go-openapi/validate v0.17.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4=
-github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
+github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
-github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
+github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gotify/go-api-client/v2 v2.0.4 h1:0w8skCr8aLBDKaQDg31LKKHUGF7rt7zdRpR+6cqIAlE=
 github.com/gotify/go-api-client/v2 v2.0.4/go.mod h1:VKiah/UK20bXsr0JObE1eBVLW44zbBouzjuri9iwjFU=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
 github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kyokomi/emoji v2.2.4+incompatible h1:np0woGKwx9LiHAQmwZx79Oc0rHpNw3o+3evou4BEPv4=
 github.com/kyokomi/emoji v2.2.4+incompatible/go.mod h1:mZ6aGCD7yk8j6QY6KICwnZ2pxoszVseX1DNoGtU2tBA=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329 h1:2gxZ0XQIU/5z3Z3bUBu+FXuk2pFbkN6tcwi/pjyaDic=
 github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
+github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.11 h1:FxPOTFNqGkuDUGi3H/qkUbQO4ZiBa2brKq5r0l8TGeM=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mdlayher/genetlink v1.2.0 h1:4yrIkRV5Wfk1WfpWTcoOlGmsWgQj3OtQN9ZsbrE+XtU=
 github.com/mdlayher/genetlink v1.2.0/go.mod h1:ra5LDov2KrUCZJiAtEvXXZBxGMInICMXIwshlJ+qRxQ=
 github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA=
 github.com/mdlayher/netlink v1.6.2 h1:D2zGSkvYsJ6NreeED3JiVTu1lj2sIYATqSaZlhPzUgQ=
 github.com/mdlayher/netlink v1.6.2/go.mod h1:O1HXX2sIWSMJ3Qn1BYZk1yZM+7iMki/uYGGiwGyq/iU=
 github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
 github.com/mdlayher/socket v0.2.3 h1:XZA2X2TjdOwNoNPVPclRCURoX/hokBY8nkTmRZFEheM=
 github.com/mdlayher/socket v0.2.3/go.mod h1:bz12/FozYNH/VbvC3q7TRIK/Y6dH1kCKsXaUeXi/FmY=
 github.com/miekg/dns v1.1.40 h1:pyyPFfGMnciYUk/mXpKkVmeMQjfXqt3FAJ2hy7tPiLA=
 github.com/miekg/dns v1.1.40/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mr-tron/base58 v1.1.3 h1:v+sk57XuaCKGXpWtVBX8YJzO7hMGx4Aajh4TQbdEFdc=
+github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
-github.com/mr-tron/base58 v1.1.3/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
+github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/phayes/permbits v0.0.0-20190612203442-39d7c581d2ee h1:P6U24L02WMfj9ymZTxl7CxS73JC99x3ukk+DBkgQGQs=
+github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
 github.com/phayes/permbits v0.0.0-20190612203442-39d7c581d2ee/go.mod h1:3uODdxMgOaPYeWU7RzZLxVtJHZ/x1f/iHkBZuKJDzuY=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/qdm12/golibs v0.0.0-20201025221346-fe352060c25a h1:v0zUA1FWeVkTEd9KyxfehbRVJeFGOqyMY6FHO/Q9ITU=
+github.com/qdm12/dns v1.11.0 h1:jpcD5DZXXQSQe5a263PL09ghukiIdptvXFOZvyKEm6Q=
-github.com/qdm12/golibs v0.0.0-20201025221346-fe352060c25a/go.mod h1:pikkTN7g7zRuuAnERwqW1yAFq6pYmxrxpjiwGvb0Ysc=
+github.com/qdm12/dns v1.11.0/go.mod h1:FmQsNOUcrrZ4UFzWAiED56AKXeNgaX3ySbmPwEfNjjE=
-github.com/qdm12/ss-server v0.1.0 h1:WV9MkHCDEWRwe4WpnYFeR/zcZAxYoTbfntLDnw9AQ50=
+github.com/qdm12/golibs v0.0.0-20210603202746-e5494e9c2ebb/go.mod h1:15RBzkun0i8XB7ADIoLJWp9ITRgsz3LroEI2FiOXLRg=
-github.com/qdm12/ss-server v0.1.0/go.mod h1:ABVUkxubboL3vqBkOwDV9glX1/x7SnYrckBe5d+M/zw=
+github.com/qdm12/golibs v0.0.0-20210723175634-a75ca7fd74c2/go.mod h1:6aRbg4Z/bTbm9JfxsGXfWKHi7zsOvPfUTK1S5HuAFKg=
 github.com/qdm12/golibs v0.0.0-20210822203818-5c568b0777b6 h1:bge5AL7cjHJMPz+5IOz5yF01q/l8No6+lIEBieA8gMg=
 github.com/qdm12/golibs v0.0.0-20210822203818-5c568b0777b6/go.mod h1:6aRbg4Z/bTbm9JfxsGXfWKHi7zsOvPfUTK1S5HuAFKg=
 github.com/qdm12/gosettings v0.4.0-rc1 h1:UYA92yyeDPbmZysIuG65yrpZVPtdIoRmtEHft/AyI38=
 github.com/qdm12/gosettings v0.4.0-rc1/go.mod h1:JRV3opOpHvnKlIA29lKQMdYw1WSMVMfHYLLHPHol5ME=
 github.com/qdm12/goshutdown v0.3.0 h1:pqBpJkdwlZlfTEx4QHtS8u8CXx6pG0fVo6S1N0MpSEM=
 github.com/qdm12/goshutdown v0.3.0/go.mod h1:EqZ46No00kCTZ5qzdd3qIzY6ayhMt24QI8Mh8LVQYmM=
 github.com/qdm12/gosplash v0.1.0 h1:Sfl+zIjFZFP7b0iqf2l5UkmEY97XBnaKkH3FNY6Gf7g=
 github.com/qdm12/gosplash v0.1.0/go.mod h1:+A3fWW4/rUeDXhY3ieBzwghKdnIPFJgD8K3qQkenJlw=
 github.com/qdm12/gotree v0.2.0 h1:+58ltxkNLUyHtATFereAcOjBVfY6ETqRex8XK90Fb/c=
 github.com/qdm12/gotree v0.2.0/go.mod h1:1SdFaqKZuI46U1apbXIf25pDMNnrPuYLEqMF/qL4lY4=
 github.com/qdm12/govalid v0.2.0-rc1 h1:4iYQvU4ibrASgzelsEgZX4JyKX3UTB/DcHObzQ7BXtw=
 github.com/qdm12/govalid v0.2.0-rc1/go.mod h1:/uWzVWMuS71wmbsVnlUxpQiy6EAXqm8eQ2RbyA72roQ=
 github.com/qdm12/log v0.1.0 h1:jYBd/xscHYpblzZAd2kjZp2YmuYHjAAfbTViJWxoPTw=
 github.com/qdm12/log v0.1.0/go.mod h1:Vchi5M8uBvHfPNIblN4mjXn/oSbiWguQIbsgF1zdQPI=
 github.com/qdm12/ss-server v0.5.0 h1:ARAqJayohDM51BmJ/R5Yplkpo+Qxgp7xizBF1HWd7uQ=
 github.com/qdm12/ss-server v0.5.0/go.mod h1:eFd8PL/uy0ZvJ4KeSUzToruJctVQoYqXk+LRy9vcOiI=
 github.com/qdm12/updated v0.0.0-20210603204757-205acfe6937e h1:4q+uFLawkaQRq3yARYLsjJPZd2wYwxn4g6G/5v0xW1g=
 github.com/qdm12/updated v0.0.0-20210603204757-205acfe6937e/go.mod h1:UvJRGkZ9XL3/D7e7JiTTVLm1F3Cymd3/gFpD6frEpBo=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJH8j0=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
+github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
-github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
+github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
+github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
-go.uber.org/atomic v1.5.0 h1:OI5t8sDa1Or+q8AeE+yKeB/SDYioSHAgcVljj9JIETY=
+github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
-go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae h1:4hwBBUfQCFe3Cym0ZtKyq7L16eZUtYKs+BaHDN6mAns=
-go.uber.org/multierr v1.3.0 h1:sFPn2GLc3poCkfrpIXGhBD2X0CMIo4Q/zSULXrj/+uc=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-go.uber.org/multierr v1.3.0/go.mod h1:VgVr7evmIr6uPjLBxg28wmKNXyqE9akIJ5XnfpiKl+4=
+github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee h1:0mgffUl7nfd+FpvXMVz4IDEaUSmT1ysygQC7qYo7sG4=
+github.com/yl2chen/cidranger v1.0.2/go.mod h1:9U1yz7WPYDwf0vpNWFaeRh0bjwz5RVgRy/9UEQfHl0g=
-go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA=
+github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a h1:fZHgsYlfvtyqToslyjUt3VOPF4J7aK/3MPcK7xp3PDk=
-go.uber.org/zap v1.13.0 h1:nR6NoDBgAf67s68NhaXbsojM+2gxp3S1hWkHDl27pVU=
+github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a/go.mod h1:ul22v+Nro/R083muKhosV54bj5niojjWZvU8xrevuH4=
-go.uber.org/zap v1.13.0/go.mod h1:zwrFLgMcdUuIBviXEYEH1YKNaOBnKXsx2IPda5bBwHM=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go4.org/intern v0.0.0-20210108033219-3eb7198706b2/go.mod h1:vLqJ+12kCw61iCWsPto0EOHhBS+o4rO5VIucbc9g2Cc=
 go4.org/intern v0.0.0-20211027215823-ae77deb06f29 h1:UXLjNohABv4S58tHmeuIZDO6e3mHpW2Dx33gaNt03LE=
 go4.org/intern v0.0.0-20211027215823-ae77deb06f29/go.mod h1:cS2ma+47FKrLPdXFpr7CuxiTW3eyJbWew4qx0qtQWDA=
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222175341-b30ae309168e/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2 h1:WJhcL4p+YeDxmZWg141nRm7XC8IDmhz7lk5GpadO1Sg=
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20230525183740-e7c30c78aeb2/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200117160349-530e935923ad/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig=
+golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de h1:5hukYrvBGR8/eNkX5mdUezrA6JiaEZDtJb9Ei+1LlBs=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
 golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220923203811-8be639271d50/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
 golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201018121011-98379d014ca7 h1:CNOpL+H7PSxBI7dF/EIUsfOguRSzWp6CQ91yxZE6PG4=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201018121011-98379d014ca7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5 h1:hKsoRgsbwY1NafxrwTs+k64bikrLBkAgPir1TNCj3Zs=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/tools v0.0.0-20191029190741-b9c20aec41a5/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190729092621-ff9f1409240a/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b h1:J1CaxgLerRR5lgx3wnr6L04cJFbWoceSK9JWBdglINo=
 golang.zx2c4.com/wireguard v0.0.0-20230325221338-052af4a8072b/go.mod h1:tqur9LnfstdR9ep2LaJT4lFUl0EjlHtge+gAjmsHUG4=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde h1:ybF7AMzIUikL9x4LgwEmzhXtzRpKNqngme1VGDWz+Nk=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230215201556-9c5414ab4bde/go.mod h1:mQqgjkW8GQQcJQsbBvK890TKqUK1DfKWkuBGbOkuMHQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/src-d/go-billy.v4 v4.3.2/go.mod h1:nDjArDMp+XMs1aFAESLRjfGSgfvoYN0hDfzEk0GjC98=
 gopkg.in/src-d/go-git-fixtures.v3 v3.5.0/go.mod h1:dLBcvytrw/TYZsNTWCnkNF2DSIlzWYqTe3rJR56Ac7g=
 gopkg.in/src-d/go-git.v4 v4.13.1/go.mod h1:nx5NYcxdKxq5fpltdHnPa2Exj4Sx0EclMWZQbYDu2z8=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-honnef.co/go/tools v0.0.1-2019.2.3 h1:3JgtbtFHMiCmsznwGVTUWbgGov+pVqnlf1dEJTNAXeM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLREcpj61RxrWYzD8uwveOY=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA=
 inet.af/netaddr v0.0.0-20210511181906-37180328850c/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
 inet.af/netaddr v0.0.0-20220811202034-502d2d690317 h1:U2fwK6P2EqmopP/hFLTOAjWTki0qgd4GMJn5X8wOleU=
 inet.af/netaddr v0.0.0-20220811202034-502d2d690317/go.mod h1:OIezDfdzOgFhuw4HuWapWq2e9l0H9tK4F1j+ETRtF3k=
--- a/internal/alpine/alpine.go
+++ b/internal/alpine/alpine.go
@@ -2,24 +2,20 @@ package alpine
 import (
 	"os/user"
 	"github.com/qdm12/golibs/files"
 )
-type Configurator interface {
+type Alpine struct {
-	CreateUser(username string, uid int) error
+	alpineReleasePath string
 	passwdPath        string
 	lookupID          func(uid string) (*user.User, error)
 	lookup            func(username string) (*user.User, error)
 }
-type configurator struct {
+func New() *Alpine {
-	fileManager files.FileManager
+	return &Alpine{
-	lookupUID   func(uid string) (*user.User, error)
+		alpineReleasePath: "/etc/alpine-release",
-	lookupUser  func(username string) (*user.User, error)
+		passwdPath:        "/etc/passwd",
-}
+		lookupID:          user.LookupId,
-
+		lookup:            user.Lookup,
 func NewConfigurator(fileManager files.FileManager) Configurator {
 	return &configurator{
 		fileManager: fileManager,
 		lookupUID:   user.LookupId,
 		lookupUser:  user.Lookup,
 	}
 }
--- a/internal/alpine/users.go
+++ b/internal/alpine/users.go
@@ -1,39 +1,54 @@
 package alpine
 import (
 	"errors"
 	"fmt"
 	"os"
 	"os/user"
 	"strconv"
 )
 var (
 	ErrUserAlreadyExists = errors.New("user already exists")
 )
 // CreateUser creates a user in Alpine with the given UID.
-func (c *configurator) CreateUser(username string, uid int) error {
+func (a *Alpine) CreateUser(username string, uid int) (createdUsername string, err error) {
-	UIDStr := fmt.Sprintf("%d", uid)
+	UIDStr := strconv.Itoa(uid)
-	u, err := c.lookupUID(UIDStr)
+	u, err := a.lookupID(UIDStr)
 	_, unknownUID := err.(user.UnknownUserIdError)
 	if err != nil && !unknownUID {
-		return fmt.Errorf("cannot create user: %w", err)
+		return "", err
 	} else if u != nil {
 		if u.Username == username {
 			return nil
 		}
 		return fmt.Errorf("user with ID %d exists with username %q instead of %q", uid, u.Username, username)
 	}
-	u, err = c.lookupUser(username)
+
 	if u != nil {
 		if u.Username == username {
 			return "", nil
 		}
 		return u.Username, nil
 	}
 	u, err = a.lookup(username)
 	_, unknownUsername := err.(user.UnknownUserError)
 	if err != nil && !unknownUsername {
-		return fmt.Errorf("cannot create user: %w", err)
+		return "", err
 	} else if u != nil {
 		return fmt.Errorf("cannot create user: user with name %s already exists for ID %s instead of %d",
 			username, u.Uid, uid)
 	}
 	passwd, err := c.fileManager.ReadFile("/etc/passwd")
 	if err != nil {
 		return fmt.Errorf("cannot create user: %w", err)
 	}
 	passwd = append(passwd, []byte(fmt.Sprintf("%s:x:%d:::/dev/null:/sbin/nologin\n", username, uid))...)
-	if err := c.fileManager.WriteToFile("/etc/passwd", passwd); err != nil {
+	if u != nil {
-		return fmt.Errorf("cannot create user: %w", err)
+		return "", fmt.Errorf("%w: with name %s for ID %s instead of %d",
 			ErrUserAlreadyExists, username, u.Uid, uid)
 	}
-	return nil
+
 	file, err := os.OpenFile(a.passwdPath, os.O_APPEND|os.O_WRONLY, 0644)
 	if err != nil {
 		return "", err
 	}
 	s := fmt.Sprintf("%s:x:%d:::/dev/null:/sbin/nologin\n", username, uid)
 	_, err = file.WriteString(s)
 	if err != nil {
 		_ = file.Close()
 		return "", err
 	}
 	return username, file.Close()
 }
--- a/internal/alpine/version.go
+++ b/internal/alpine/version.go
@@ -0,0 +1,27 @@
 package alpine
 import (
 	"context"
 	"io"
 	"os"
 	"strings"
 )
 func (a *Alpine) Version(context.Context) (version string, err error) {
 	file, err := os.OpenFile(a.alpineReleasePath, os.O_RDONLY, 0)
 	if err != nil {
 		return "", err
 	}
 	b, err := io.ReadAll(file)
 	if err != nil {
 		return "", err
 	}
 	if err := file.Close(); err != nil {
 		return "", err
 	}
 	version = strings.ReplaceAll(string(b), "\n", "")
 	return version, nil
 }
--- a/internal/cli/ci.go
+++ b/internal/cli/ci.go
@@ -0,0 +1,7 @@
 package cli
 import "context"
 func (c *CLI) CI(context.Context) error {
 	return nil
 }
--- a/internal/cli/cli.go
+++ b/internal/cli/cli.go
@@ -1,132 +1,11 @@
 package cli
-import (
+type CLI struct {
-	"context"
+	repoServersPath string
 	"flag"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/healthcheck"
 	"github.com/qdm12/gluetun/internal/params"
 	"github.com/qdm12/gluetun/internal/provider"
 	"github.com/qdm12/gluetun/internal/settings"
 	"github.com/qdm12/gluetun/internal/storage"
 	"github.com/qdm12/gluetun/internal/updater"
 	"github.com/qdm12/golibs/files"
 	"github.com/qdm12/golibs/logging"
 )
 func ClientKey(args []string) error {
 	flagSet := flag.NewFlagSet("clientkey", flag.ExitOnError)
 	filepath := flagSet.String("path", string(constants.ClientKey), "file path to the client.key file")
 	if err := flagSet.Parse(args); err != nil {
 		return err
 	}
 	fileManager := files.NewFileManager()
 	data, err := fileManager.ReadFile(*filepath)
 	if err != nil {
 		return err
 	}
 	s := string(data)
 	s = strings.ReplaceAll(s, "\n", "")
 	s = strings.ReplaceAll(s, "\r", "")
 	s = strings.TrimPrefix(s, "-----BEGIN PRIVATE KEY-----")
 	s = strings.TrimSuffix(s, "-----END PRIVATE KEY-----")
 	fmt.Println(s)
 	return nil
 }
-func HealthCheck(ctx context.Context) error {
+func New() *CLI {
-	const timeout = 3 * time.Second
+	return &CLI{
-	httpClient := &http.Client{Timeout: timeout}
+		repoServersPath: "./internal/storage/servers.json",
-	healthchecker := healthcheck.NewChecker(httpClient)
+	}
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 	const url = "http://" + constants.HealthcheckAddress
 	return healthchecker.Check(ctx, url)
 }
 func OpenvpnConfig() error {
 	logger, err := logging.NewLogger(logging.ConsoleEncoding, logging.InfoLevel)
 	if err != nil {
 		return err
 	}
 	paramsReader := params.NewReader(logger, files.NewFileManager())
 	allSettings, err := settings.GetAllSettings(paramsReader)
 	if err != nil {
 		return err
 	}
 	allServers, err := storage.New(logger).SyncServers(constants.GetAllServers(), false)
 	if err != nil {
 		return err
 	}
 	providerConf := provider.New(allSettings.OpenVPN.Provider.Name, allServers, time.Now)
 	connection, err := providerConf.GetOpenVPNConnection(allSettings.OpenVPN.Provider.ServerSelection)
 	if err != nil {
 		return err
 	}
 	lines := providerConf.BuildConf(
 		connection,
 		allSettings.OpenVPN.Verbosity,
 		allSettings.System.UID,
 		allSettings.System.GID,
 		allSettings.OpenVPN.Root,
 		allSettings.OpenVPN.Cipher,
 		allSettings.OpenVPN.Auth,
 		allSettings.OpenVPN.Provider.ExtraConfigOptions,
 	)
 	fmt.Println(strings.Join(lines, "\n"))
 	return nil
 }
 func Update(args []string) error {
 	options := updater.Options{CLI: true}
 	var flushToFile bool
 	flagSet := flag.NewFlagSet("update", flag.ExitOnError)
 	flagSet.BoolVar(&flushToFile, "file", false, "Write results to /gluetun/servers.json (for end users)")
 	flagSet.BoolVar(&options.Stdout, "stdout", false, "Write results to console to modify the program (for maintainers)")
 	flagSet.StringVar(&options.DNSAddress, "dns", "1.1.1.1", "DNS resolver address to use")
 	flagSet.BoolVar(&options.Cyberghost, "cyberghost", false, "Update Cyberghost servers")
 	flagSet.BoolVar(&options.Mullvad, "mullvad", false, "Update Mullvad servers")
 	flagSet.BoolVar(&options.Nordvpn, "nordvpn", false, "Update Nordvpn servers")
 	flagSet.BoolVar(&options.PIA, "pia", false, "Update Private Internet Access post-summer 2020 servers")
 	flagSet.BoolVar(&options.Privado, "privado", false, "Update Privado servers")
 	flagSet.BoolVar(&options.Purevpn, "purevpn", false, "Update Purevpn servers")
 	flagSet.BoolVar(&options.Surfshark, "surfshark", false, "Update Surfshark servers")
 	flagSet.BoolVar(&options.Vyprvpn, "vyprvpn", false, "Update Vyprvpn servers")
 	flagSet.BoolVar(&options.Windscribe, "windscribe", false, "Update Windscribe servers")
 	if err := flagSet.Parse(args); err != nil {
 		return err
 	}
 	logger, err := logging.NewLogger(logging.ConsoleEncoding, logging.InfoLevel)
 	if err != nil {
 		return err
 	}
 	if !flushToFile && !options.Stdout {
 		return fmt.Errorf("at least one of -file or -stdout must be specified")
 	}
 	ctx := context.Background()
 	const clientTimeout = 10 * time.Second
 	httpClient := &http.Client{Timeout: clientTimeout}
 	storage := storage.New(logger)
 	const writeSync = false
 	currentServers, err := storage.SyncServers(constants.GetAllServers(), writeSync)
 	if err != nil {
 		return fmt.Errorf("cannot update servers: %w", err)
 	}
 	updater := updater.New(options, httpClient, currentServers, logger)
 	allServers, err := updater.UpdateServers(ctx)
 	if err != nil {
 		return err
 	}
 	if flushToFile {
 		if err := storage.FlushToFile(allServers); err != nil {
 			return fmt.Errorf("cannot update servers: %w", err)
 		}
 	}
 	return nil
 }
--- a/internal/cli/clientkey.go
+++ b/internal/cli/clientkey.go
@@ -0,0 +1,41 @@
 package cli
 import (
 	"flag"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 	"github.com/qdm12/gluetun/internal/configuration/sources/files"
 )
 func (c *CLI) ClientKey(args []string) error {
 	flagSet := flag.NewFlagSet("clientkey", flag.ExitOnError)
 	filepath := flagSet.String("path", files.OpenVPNClientKeyPath, "file path to the client.key file")
 	if err := flagSet.Parse(args); err != nil {
 		return err
 	}
 	file, err := os.OpenFile(*filepath, os.O_RDONLY, 0)
 	if err != nil {
 		return err
 	}
 	data, err := io.ReadAll(file)
 	if err != nil {
 		_ = file.Close()
 		return err
 	}
 	if err := file.Close(); err != nil {
 		return err
 	}
 	if err != nil {
 		return err
 	}
 	s := string(data)
 	s = strings.ReplaceAll(s, "\n", "")
 	s = strings.ReplaceAll(s, "\r", "")
 	s = strings.TrimPrefix(s, "-----BEGIN PRIVATE KEY-----")
 	s = strings.TrimSuffix(s, "-----END PRIVATE KEY-----")
 	fmt.Println(s)
 	return nil
 }
--- a/internal/cli/formatservers.go
+++ b/internal/cli/formatservers.go
@@ -0,0 +1,110 @@
 package cli
 import (
 	"errors"
 	"flag"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/storage"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 )
 var (
 	ErrFormatNotRecognized       = errors.New("format is not recognized")
 	ErrProviderUnspecified       = errors.New("VPN provider to format was not specified")
 	ErrMultipleProvidersToFormat = errors.New("more than one VPN provider to format were specified")
 )
 func addProviderFlag(flagSet *flag.FlagSet, providerToFormat map[string]*bool,
 	provider string, titleCaser cases.Caser) {
 	boolPtr, ok := providerToFormat[provider]
 	if !ok {
 		panic(fmt.Sprintf("unknown provider in format map: %s", provider))
 	}
 	flagSet.BoolVar(boolPtr, provider, false, "Format "+titleCaser.String(provider)+" servers")
 }
 func (c *CLI) FormatServers(args []string) error {
 	var format, output string
 	allProviders := providers.All()
 	allProviderFlags := make([]string, len(allProviders))
 	for i, provider := range allProviders {
 		allProviderFlags[i] = strings.ReplaceAll(provider, " ", "-")
 	}
 	providersToFormat := make(map[string]*bool, len(allProviders))
 	for _, provider := range allProviderFlags {
 		providersToFormat[provider] = new(bool)
 	}
 	flagSet := flag.NewFlagSet("format-servers", flag.ExitOnError)
 	flagSet.StringVar(&format, "format", "markdown", "Format to use which can be: 'markdown'")
 	flagSet.StringVar(&output, "output", "/dev/stdout", "Output file to write the formatted data to")
 	titleCaser := cases.Title(language.English)
 	for _, provider := range allProviderFlags {
 		addProviderFlag(flagSet, providersToFormat, provider, titleCaser)
 	}
 	if err := flagSet.Parse(args); err != nil {
 		return err
 	}
 	if format != "markdown" {
 		return fmt.Errorf("%w: %s", ErrFormatNotRecognized, format)
 	}
 	// Verify only one provider is set to be formatted.
 	var providers []string
 	for provider, formatPtr := range providersToFormat {
 		if *formatPtr {
 			providers = append(providers, provider)
 		}
 	}
 	switch len(providers) {
 	case 0:
 		return fmt.Errorf("%w", ErrProviderUnspecified)
 	case 1:
 	default:
 		return fmt.Errorf("%w: %d specified: %s",
 			ErrMultipleProvidersToFormat, len(providers),
 			strings.Join(providers, ", "))
 	}
 	var providerToFormat string
 	for _, providerToFormat = range allProviders {
 		if strings.ReplaceAll(providerToFormat, " ", "-") == providers[0] {
 			break
 		}
 	}
 	logger := newNoopLogger()
 	storage, err := storage.New(logger, constants.ServersData)
 	if err != nil {
 		return fmt.Errorf("creating servers storage: %w", err)
 	}
 	formatted := storage.FormatToMarkdown(providerToFormat)
 	output = filepath.Clean(output)
 	file, err := os.OpenFile(output, os.O_TRUNC|os.O_WRONLY|os.O_CREATE, 0644)
 	if err != nil {
 		return fmt.Errorf("opening output file: %w", err)
 	}
 	_, err = fmt.Fprint(file, formatted)
 	if err != nil {
 		_ = file.Close()
 		return fmt.Errorf("writing to output file: %w", err)
 	}
 	err = file.Close()
 	if err != nil {
 		return fmt.Errorf("closing output file: %w", err)
 	}
 	return nil
 }
--- a/internal/cli/healthcheck.go
+++ b/internal/cli/healthcheck.go
@@ -0,0 +1,39 @@
 package cli
 import (
 	"context"
 	"net"
 	"net/http"
 	"time"
 	"github.com/qdm12/gluetun/internal/healthcheck"
 )
 func (c *CLI) HealthCheck(ctx context.Context, source Source, _ Warner) error {
 	// Extract the health server port from the configuration.
 	config, err := source.ReadHealth()
 	if err != nil {
 		return err
 	}
 	config.SetDefaults()
 	err = config.Validate()
 	if err != nil {
 		return err
 	}
 	_, port, err := net.SplitHostPort(config.ServerAddress)
 	if err != nil {
 		return err
 	}
 	const timeout = 10 * time.Second
 	httpClient := &http.Client{Timeout: timeout}
 	client := healthcheck.NewClient(httpClient)
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 	url := "http://127.0.0.1:" + port
 	return client.Check(ctx, url)
 }
--- a/internal/cli/interfaces.go
+++ b/internal/cli/interfaces.go
@@ -0,0 +1,9 @@
 package cli
 import "github.com/qdm12/gluetun/internal/configuration/settings"
 type Source interface {
 	Read() (settings settings.Settings, err error)
 	ReadHealth() (health settings.Health, err error)
 	String() string
 }
--- a/internal/cli/nooplogger.go
+++ b/internal/cli/nooplogger.go
@@ -0,0 +1,16 @@
 package cli
 import "github.com/qdm12/golibs/logging"
 type noopLogger struct{}
 func newNoopLogger() *noopLogger {
 	return new(noopLogger)
 }
 func (l *noopLogger) Debug(string)             {}
 func (l *noopLogger) Info(string)              {}
 func (l *noopLogger) Warn(string)              {}
 func (l *noopLogger) Error(string)             {}
 func (l *noopLogger) PatchLevel(logging.Level) {}
 func (l *noopLogger) PatchPrefix(string)       {}
--- a/internal/cli/openvpnconfig.go
+++ b/internal/cli/openvpnconfig.go
@@ -0,0 +1,85 @@
 package cli
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"net/netip"
 	"strings"
 	"time"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/openvpn/extract"
 	"github.com/qdm12/gluetun/internal/provider"
 	"github.com/qdm12/gluetun/internal/storage"
 	"github.com/qdm12/gluetun/internal/updater/resolver"
 )
 type OpenvpnConfigLogger interface {
 	Info(s string)
 	Warn(s string)
 }
 type Unzipper interface {
 	FetchAndExtract(ctx context.Context, url string) (
 		contents map[string][]byte, err error)
 }
 type ParallelResolver interface {
 	Resolve(ctx context.Context, settings resolver.ParallelSettings) (
 		hostToIPs map[string][]netip.Addr, warnings []string, err error)
 }
 type IPFetcher interface {
 	FetchInfo(ctx context.Context, ip netip.Addr) (data models.PublicIP, err error)
 }
 type IPv6Checker interface {
 	IsIPv6Supported() (supported bool, err error)
 }
 func (c *CLI) OpenvpnConfig(logger OpenvpnConfigLogger, source Source,
 	ipv6Checker IPv6Checker) error {
 	storage, err := storage.New(logger, constants.ServersData)
 	if err != nil {
 		return err
 	}
 	allSettings, err := source.Read()
 	if err != nil {
 		return err
 	}
 	ipv6Supported, err := ipv6Checker.IsIPv6Supported()
 	if err != nil {
 		return fmt.Errorf("checking for IPv6 support: %w", err)
 	}
 	if err = allSettings.Validate(storage, ipv6Supported); err != nil {
 		return fmt.Errorf("validating settings: %w", err)
 	}
 	// Unused by this CLI command
 	unzipper := (Unzipper)(nil)
 	client := (*http.Client)(nil)
 	warner := (Warner)(nil)
 	parallelResolver := (ParallelResolver)(nil)
 	ipFetcher := (IPFetcher)(nil)
 	openvpnFileExtractor := extract.New()
 	providers := provider.NewProviders(storage, time.Now, warner, client,
 		unzipper, parallelResolver, ipFetcher, openvpnFileExtractor)
 	providerConf := providers.Get(*allSettings.VPN.Provider.Name)
 	connection, err := providerConf.GetConnection(
 		allSettings.VPN.Provider.ServerSelection, ipv6Supported)
 	if err != nil {
 		return err
 	}
 	lines := providerConf.OpenVPNConfig(connection,
 		allSettings.VPN.OpenVPN, ipv6Supported)
 	fmt.Println(strings.Join(lines, "\n"))
 	return nil
 }
--- a/internal/cli/update.go
+++ b/internal/cli/update.go
@@ -0,0 +1,106 @@
 package cli
 import (
 	"context"
 	"errors"
 	"flag"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/openvpn/extract"
 	"github.com/qdm12/gluetun/internal/provider"
 	"github.com/qdm12/gluetun/internal/publicip/api"
 	"github.com/qdm12/gluetun/internal/storage"
 	"github.com/qdm12/gluetun/internal/updater"
 	"github.com/qdm12/gluetun/internal/updater/resolver"
 	"github.com/qdm12/gluetun/internal/updater/unzip"
 )
 var (
 	ErrModeUnspecified     = errors.New("at least one of -enduser or -maintainer must be specified")
 	ErrNoProviderSpecified = errors.New("no provider was specified")
 )
 type UpdaterLogger interface {
 	Info(s string)
 	Warn(s string)
 	Error(s string)
 }
 func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) error {
 	options := settings.Updater{}
 	var endUserMode, maintainerMode, updateAll bool
 	var csvProviders, ipToken string
 	flagSet := flag.NewFlagSet("update", flag.ExitOnError)
 	flagSet.BoolVar(&endUserMode, "enduser", false, "Write results to /gluetun/servers.json (for end users)")
 	flagSet.BoolVar(&maintainerMode, "maintainer", false,
 		"Write results to ./internal/storage/servers.json to modify the program (for maintainers)")
 	flagSet.StringVar(&options.DNSAddress, "dns", "8.8.8.8", "DNS resolver address to use")
 	const defaultMinRatio = 0.8
 	flagSet.Float64Var(&options.MinRatio, "minratio", defaultMinRatio,
 		"Minimum ratio of servers to find for the update to succeed")
 	flagSet.BoolVar(&updateAll, "all", false, "Update servers for all VPN providers")
 	flagSet.StringVar(&csvProviders, "providers", "", "CSV string of VPN providers to update server data for")
 	flagSet.StringVar(&ipToken, "ip-token", "", "IP data service token (e.g. ipinfo.io) to use")
 	if err := flagSet.Parse(args); err != nil {
 		return err
 	}
 	if !endUserMode && !maintainerMode {
 		return fmt.Errorf("%w", ErrModeUnspecified)
 	}
 	if updateAll {
 		options.Providers = providers.All()
 	} else {
 		if csvProviders == "" {
 			return fmt.Errorf("%w", ErrNoProviderSpecified)
 		}
 		options.Providers = strings.Split(csvProviders, ",")
 	}
 	options.SetDefaults(options.Providers[0])
 	err := options.Validate()
 	if err != nil {
 		return fmt.Errorf("options validation failed: %w", err)
 	}
 	storage, err := storage.New(logger, constants.ServersData)
 	if err != nil {
 		return fmt.Errorf("creating servers storage: %w", err)
 	}
 	const clientTimeout = 10 * time.Second
 	httpClient := &http.Client{Timeout: clientTimeout}
 	unzipper := unzip.New(httpClient)
 	parallelResolver := resolver.NewParallelResolver(options.DNSAddress)
 	ipFetcher, err := api.New(api.IPInfo, httpClient, ipToken)
 	if err != nil {
 		return fmt.Errorf("creating public IP API client: %w", err)
 	}
 	openvpnFileExtractor := extract.New()
 	providers := provider.NewProviders(storage, time.Now, logger, httpClient,
 		unzipper, parallelResolver, ipFetcher, openvpnFileExtractor)
 	updater := updater.New(httpClient, storage, providers, logger)
 	err = updater.UpdateServers(ctx, options.Providers, options.MinRatio)
 	if err != nil {
 		return fmt.Errorf("updating server information: %w", err)
 	}
 	if maintainerMode {
 		err := storage.FlushToFile(c.repoServersPath)
 		if err != nil {
 			return fmt.Errorf("writing servers data to embedded JSON file: %w", err)
 		}
 	}
 	return nil
 }
--- a/internal/cli/warner.go
+++ b/internal/cli/warner.go
@@ -0,0 +1,5 @@
 package cli
 type Warner interface {
 	Warn(s string)
 }
--- a/internal/configuration/settings/dns.go
+++ b/internal/configuration/settings/dns.go
@@ -0,0 +1,89 @@
 package settings
 import (
 	"fmt"
 	"net/netip"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // DNS contains settings to configure DNS.
 type DNS struct {
 	// ServerAddress is the DNS server to use inside
 	// the Go program and for the system.
 	// It defaults to '127.0.0.1' to be used with the
 	// DoT server. It cannot be the zero value in the internal
 	// state.
 	ServerAddress netip.Addr
 	// KeepNameserver is true if the existing DNS server
 	// found in /etc/resolv.conf should be used
 	// Note setting this to true will likely DNS traffic
 	// outside the VPN tunnel since it would go through
 	// the local DNS server of your Docker/Kubernetes
 	// configuration, which is likely not going through the tunnel.
 	// This will also disable the DNS over TLS server and the
 	// `ServerAddress` field will be ignored.
 	// It defaults to false and cannot be nil in the
 	// internal state.
 	KeepNameserver *bool
 	// DOT contains settings to configure the DoT
 	// server.
 	DoT DoT
 }
 func (d DNS) validate() (err error) {
 	err = d.DoT.validate()
 	if err != nil {
 		return fmt.Errorf("validating DoT settings: %w", err)
 	}
 	return nil
 }
 func (d *DNS) Copy() (copied DNS) {
 	return DNS{
 		ServerAddress:  d.ServerAddress,
 		KeepNameserver: gosettings.CopyPointer(d.KeepNameserver),
 		DoT:            d.DoT.copy(),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (d *DNS) mergeWith(other DNS) {
 	d.ServerAddress = gosettings.MergeWithValidator(d.ServerAddress, other.ServerAddress)
 	d.KeepNameserver = gosettings.MergeWithPointer(d.KeepNameserver, other.KeepNameserver)
 	d.DoT.mergeWith(other.DoT)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (d *DNS) overrideWith(other DNS) {
 	d.ServerAddress = gosettings.OverrideWithValidator(d.ServerAddress, other.ServerAddress)
 	d.KeepNameserver = gosettings.OverrideWithPointer(d.KeepNameserver, other.KeepNameserver)
 	d.DoT.overrideWith(other.DoT)
 }
 func (d *DNS) setDefaults() {
 	localhost := netip.AddrFrom4([4]byte{127, 0, 0, 1})
 	d.ServerAddress = gosettings.DefaultValidator(d.ServerAddress, localhost)
 	d.KeepNameserver = gosettings.DefaultPointer(d.KeepNameserver, false)
 	d.DoT.setDefaults()
 }
 func (d DNS) String() string {
 	return d.toLinesNode().String()
 }
 func (d DNS) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("DNS settings:")
 	node.Appendf("Keep existing nameserver(s): %s", gosettings.BoolToYesNo(d.KeepNameserver))
 	if *d.KeepNameserver {
 		return node
 	}
 	node.Appendf("DNS server address to use: %s", d.ServerAddress)
 	node.AppendNode(d.DoT.toLinesNode())
 	return node
 }
--- a/internal/configuration/settings/dnsblacklist.go
+++ b/internal/configuration/settings/dnsblacklist.go
@@ -0,0 +1,138 @@
 package settings
 import (
 	"errors"
 	"fmt"
 	"net/netip"
 	"regexp"
 	"github.com/qdm12/dns/pkg/blacklist"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // DNSBlacklist is settings for the DNS blacklist building.
 type DNSBlacklist struct {
 	BlockMalicious       *bool
 	BlockAds             *bool
 	BlockSurveillance    *bool
 	AllowedHosts         []string
 	AddBlockedHosts      []string
 	AddBlockedIPs        []netip.Addr
 	AddBlockedIPPrefixes []netip.Prefix
 }
 func (b *DNSBlacklist) setDefaults() {
 	b.BlockMalicious = gosettings.DefaultPointer(b.BlockMalicious, true)
 	b.BlockAds = gosettings.DefaultPointer(b.BlockAds, false)
 	b.BlockSurveillance = gosettings.DefaultPointer(b.BlockSurveillance, true)
 }
 var hostRegex = regexp.MustCompile(`^([a-zA-Z0-9]|[a-zA-Z0-9_][a-zA-Z0-9\-_]{0,61}[a-zA-Z0-9_])(\.([a-zA-Z0-9]|[a-zA-Z0-9_][a-zA-Z0-9\-_]{0,61}[a-zA-Z0-9]))*$`) //nolint:lll
 var (
 	ErrAllowedHostNotValid = errors.New("allowed host is not valid")
 	ErrBlockedHostNotValid = errors.New("blocked host is not valid")
 )
 func (b DNSBlacklist) validate() (err error) {
 	for _, host := range b.AllowedHosts {
 		if !hostRegex.MatchString(host) {
 			return fmt.Errorf("%w: %s", ErrAllowedHostNotValid, host)
 		}
 	}
 	for _, host := range b.AddBlockedHosts {
 		if !hostRegex.MatchString(host) {
 			return fmt.Errorf("%w: %s", ErrBlockedHostNotValid, host)
 		}
 	}
 	return nil
 }
 func (b DNSBlacklist) copy() (copied DNSBlacklist) {
 	return DNSBlacklist{
 		BlockMalicious:       gosettings.CopyPointer(b.BlockMalicious),
 		BlockAds:             gosettings.CopyPointer(b.BlockAds),
 		BlockSurveillance:    gosettings.CopyPointer(b.BlockSurveillance),
 		AllowedHosts:         gosettings.CopySlice(b.AllowedHosts),
 		AddBlockedHosts:      gosettings.CopySlice(b.AddBlockedHosts),
 		AddBlockedIPs:        gosettings.CopySlice(b.AddBlockedIPs),
 		AddBlockedIPPrefixes: gosettings.CopySlice(b.AddBlockedIPPrefixes),
 	}
 }
 func (b *DNSBlacklist) mergeWith(other DNSBlacklist) {
 	b.BlockMalicious = gosettings.MergeWithPointer(b.BlockMalicious, other.BlockMalicious)
 	b.BlockAds = gosettings.MergeWithPointer(b.BlockAds, other.BlockAds)
 	b.BlockSurveillance = gosettings.MergeWithPointer(b.BlockSurveillance, other.BlockSurveillance)
 	b.AllowedHosts = gosettings.MergeWithSlice(b.AllowedHosts, other.AllowedHosts)
 	b.AddBlockedHosts = gosettings.MergeWithSlice(b.AddBlockedHosts, other.AddBlockedHosts)
 	b.AddBlockedIPs = gosettings.MergeWithSlice(b.AddBlockedIPs, other.AddBlockedIPs)
 	b.AddBlockedIPPrefixes = gosettings.MergeWithSlice(b.AddBlockedIPPrefixes, other.AddBlockedIPPrefixes)
 }
 func (b *DNSBlacklist) overrideWith(other DNSBlacklist) {
 	b.BlockMalicious = gosettings.OverrideWithPointer(b.BlockMalicious, other.BlockMalicious)
 	b.BlockAds = gosettings.OverrideWithPointer(b.BlockAds, other.BlockAds)
 	b.BlockSurveillance = gosettings.OverrideWithPointer(b.BlockSurveillance, other.BlockSurveillance)
 	b.AllowedHosts = gosettings.OverrideWithSlice(b.AllowedHosts, other.AllowedHosts)
 	b.AddBlockedHosts = gosettings.OverrideWithSlice(b.AddBlockedHosts, other.AddBlockedHosts)
 	b.AddBlockedIPs = gosettings.OverrideWithSlice(b.AddBlockedIPs, other.AddBlockedIPs)
 	b.AddBlockedIPPrefixes = gosettings.OverrideWithSlice(b.AddBlockedIPPrefixes, other.AddBlockedIPPrefixes)
 }
 func (b DNSBlacklist) ToBlacklistFormat() (settings blacklist.BuilderSettings, err error) {
 	return blacklist.BuilderSettings{
 		BlockMalicious:       *b.BlockMalicious,
 		BlockAds:             *b.BlockAds,
 		BlockSurveillance:    *b.BlockSurveillance,
 		AllowedHosts:         b.AllowedHosts,
 		AddBlockedHosts:      b.AddBlockedHosts,
 		AddBlockedIPs:        netipAddressesToNetaddrIPs(b.AddBlockedIPs),
 		AddBlockedIPPrefixes: netipPrefixesToNetaddrIPPrefixes(b.AddBlockedIPPrefixes),
 	}, nil
 }
 func (b DNSBlacklist) String() string {
 	return b.toLinesNode().String()
 }
 func (b DNSBlacklist) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("DNS filtering settings:")
 	node.Appendf("Block malicious: %s", gosettings.BoolToYesNo(b.BlockMalicious))
 	node.Appendf("Block ads: %s", gosettings.BoolToYesNo(b.BlockAds))
 	node.Appendf("Block surveillance: %s", gosettings.BoolToYesNo(b.BlockSurveillance))
 	if len(b.AllowedHosts) > 0 {
 		allowedHostsNode := node.Appendf("Allowed hosts:")
 		for _, host := range b.AllowedHosts {
 			allowedHostsNode.Appendf(host)
 		}
 	}
 	if len(b.AddBlockedHosts) > 0 {
 		blockedHostsNode := node.Appendf("Blocked hosts:")
 		for _, host := range b.AddBlockedHosts {
 			blockedHostsNode.Appendf(host)
 		}
 	}
 	if len(b.AddBlockedIPs) > 0 {
 		blockedIPsNode := node.Appendf("Blocked IP addresses:")
 		for _, ip := range b.AddBlockedIPs {
 			blockedIPsNode.Appendf(ip.String())
 		}
 	}
 	if len(b.AddBlockedIPPrefixes) > 0 {
 		blockedIPPrefixesNode := node.Appendf("Blocked IP networks:")
 		for _, ipNetwork := range b.AddBlockedIPPrefixes {
 			blockedIPPrefixesNode.Appendf(ipNetwork.String())
 		}
 	}
 	return node
 }
--- a/internal/configuration/settings/dot.go
+++ b/internal/configuration/settings/dot.go
@@ -0,0 +1,113 @@
 package settings
 import (
 	"errors"
 	"fmt"
 	"time"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // DoT contains settings to configure the DoT server.
 type DoT struct {
 	// Enabled is true if the DoT server should be running
 	// and used. It defaults to true, and cannot be nil
 	// in the internal state.
 	Enabled *bool
 	// UpdatePeriod is the period to update DNS block
 	// lists and cryptographic files for DNSSEC validation.
 	// It can be set to 0 to disable the update.
 	// It defaults to 24h and cannot be nil in
 	// the internal state.
 	UpdatePeriod *time.Duration
 	// Unbound contains settings to configure Unbound.
 	Unbound Unbound
 	// Blacklist contains settings to configure the filter
 	// block lists.
 	Blacklist DNSBlacklist
 }
 var (
 	ErrDoTUpdatePeriodTooShort = errors.New("update period is too short")
 )
 func (d DoT) validate() (err error) {
 	const minUpdatePeriod = 30 * time.Second
 	if *d.UpdatePeriod != 0 && *d.UpdatePeriod < minUpdatePeriod {
 		return fmt.Errorf("%w: %s must be bigger than %s",
 			ErrDoTUpdatePeriodTooShort, *d.UpdatePeriod, minUpdatePeriod)
 	}
 	err = d.Unbound.validate()
 	if err != nil {
 		return err
 	}
 	err = d.Blacklist.validate()
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func (d *DoT) copy() (copied DoT) {
 	return DoT{
 		Enabled:      gosettings.CopyPointer(d.Enabled),
 		UpdatePeriod: gosettings.CopyPointer(d.UpdatePeriod),
 		Unbound:      d.Unbound.copy(),
 		Blacklist:    d.Blacklist.copy(),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (d *DoT) mergeWith(other DoT) {
 	d.Enabled = gosettings.MergeWithPointer(d.Enabled, other.Enabled)
 	d.UpdatePeriod = gosettings.MergeWithPointer(d.UpdatePeriod, other.UpdatePeriod)
 	d.Unbound.mergeWith(other.Unbound)
 	d.Blacklist.mergeWith(other.Blacklist)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (d *DoT) overrideWith(other DoT) {
 	d.Enabled = gosettings.OverrideWithPointer(d.Enabled, other.Enabled)
 	d.UpdatePeriod = gosettings.OverrideWithPointer(d.UpdatePeriod, other.UpdatePeriod)
 	d.Unbound.overrideWith(other.Unbound)
 	d.Blacklist.overrideWith(other.Blacklist)
 }
 func (d *DoT) setDefaults() {
 	d.Enabled = gosettings.DefaultPointer(d.Enabled, true)
 	const defaultUpdatePeriod = 24 * time.Hour
 	d.UpdatePeriod = gosettings.DefaultPointer(d.UpdatePeriod, defaultUpdatePeriod)
 	d.Unbound.setDefaults()
 	d.Blacklist.setDefaults()
 }
 func (d DoT) String() string {
 	return d.toLinesNode().String()
 }
 func (d DoT) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("DNS over TLS settings:")
 	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(d.Enabled))
 	if !*d.Enabled {
 		return node
 	}
 	update := "disabled" //nolint:goconst
 	if *d.UpdatePeriod > 0 {
 		update = "every " + d.UpdatePeriod.String()
 	}
 	node.Appendf("Update period: %s", update)
 	node.AppendNode(d.Unbound.toLinesNode())
 	node.AppendNode(d.Blacklist.toLinesNode())
 	return node
 }
--- a/internal/configuration/settings/errors.go
+++ b/internal/configuration/settings/errors.go
@@ -0,0 +1,53 @@
 package settings
 import "errors"
 var (
 	ErrCityNotValid                    = errors.New("the city specified is not valid")
 	ErrControlServerPrivilegedPort     = errors.New("cannot use privileged port without running as root")
 	ErrCategoryNotValid                = errors.New("the category specified is not valid")
 	ErrCountryNotValid                 = errors.New("the country specified is not valid")
 	ErrFilepathMissing                 = errors.New("filepath is missing")
 	ErrFirewallZeroPort                = errors.New("cannot have a zero port")
 	ErrFirewallPublicOutboundSubnet    = errors.New("outbound subnet has an unspecified address")
 	ErrHostnameNotValid                = errors.New("the hostname specified is not valid")
 	ErrISPNotValid                     = errors.New("the ISP specified is not valid")
 	ErrMinRatioNotValid                = errors.New("minimum ratio is not valid")
 	ErrMissingValue                    = errors.New("missing value")
 	ErrNameNotValid                    = errors.New("the server name specified is not valid")
 	ErrOpenVPNClientKeyMissing         = errors.New("client key is missing")
 	ErrOpenVPNCustomPortNotAllowed     = errors.New("custom endpoint port is not allowed")
 	ErrOpenVPNEncryptionPresetNotValid = errors.New("PIA encryption preset is not valid")
 	ErrOpenVPNInterfaceNotValid        = errors.New("interface name is not valid")
 	ErrOpenVPNKeyPassphraseIsEmpty     = errors.New("key passphrase is empty")
 	ErrOpenVPNMSSFixIsTooHigh          = errors.New("mssfix option value is too high")
 	ErrOpenVPNPasswordIsEmpty          = errors.New("password is empty")
 	ErrOpenVPNTCPNotSupported          = errors.New("TCP protocol is not supported")
 	ErrOpenVPNUserIsEmpty              = errors.New("user is empty")
 	ErrOpenVPNVerbosityIsOutOfBounds   = errors.New("verbosity value is out of bounds")
 	ErrOpenVPNVersionIsNotValid        = errors.New("version is not valid")
 	ErrPortForwardingEnabled           = errors.New("port forwarding cannot be enabled")
 	ErrPublicIPPeriodTooShort          = errors.New("public IP address check period is too short")
 	ErrRegionNotValid                  = errors.New("the region specified is not valid")
 	ErrServerAddressNotValid           = errors.New("server listening address is not valid")
 	ErrSystemPGIDNotValid              = errors.New("process group id is not valid")
 	ErrSystemPUIDNotValid              = errors.New("process user id is not valid")
 	ErrSystemTimezoneNotValid          = errors.New("timezone is not valid")
 	ErrUpdaterPeriodTooSmall           = errors.New("VPN server data updater period is too small")
 	ErrVPNProviderNameNotValid         = errors.New("VPN provider name is not valid")
 	ErrVPNTypeNotValid                 = errors.New("VPN type is not valid")
 	ErrWireguardAllowedIPNotSet        = errors.New("allowed IP is not set")
 	ErrWireguardAllowedIPsNotSet       = errors.New("allowed IPs is not set")
 	ErrWireguardEndpointIPNotSet       = errors.New("endpoint IP is not set")
 	ErrWireguardEndpointPortNotAllowed = errors.New("endpoint port is not allowed")
 	ErrWireguardEndpointPortNotSet     = errors.New("endpoint port is not set")
 	ErrWireguardEndpointPortSet        = errors.New("endpoint port is set")
 	ErrWireguardInterfaceAddressNotSet = errors.New("interface address is not set")
 	ErrWireguardInterfaceAddressIPv6   = errors.New("interface address is IPv6 but IPv6 is not supported")
 	ErrWireguardInterfaceNotValid      = errors.New("interface name is not valid")
 	ErrWireguardPreSharedKeyNotSet     = errors.New("pre-shared key is not set")
 	ErrWireguardPrivateKeyNotSet       = errors.New("private key is not set")
 	ErrWireguardPublicKeyNotSet        = errors.New("public key is not set")
 	ErrWireguardPublicKeyNotValid      = errors.New("public key is not valid")
 	ErrWireguardImplementationNotValid = errors.New("implementation is not valid")
 )
--- a/internal/configuration/settings/firewall.go
+++ b/internal/configuration/settings/firewall.go
@@ -0,0 +1,124 @@
 package settings
 import (
 	"fmt"
 	"net/netip"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // Firewall contains settings to customize the firewall operation.
 type Firewall struct {
 	VPNInputPorts   []uint16
 	InputPorts      []uint16
 	OutboundSubnets []netip.Prefix
 	Enabled         *bool
 	Debug           *bool
 }
 func (f Firewall) validate() (err error) {
 	if hasZeroPort(f.VPNInputPorts) {
 		return fmt.Errorf("VPN input ports: %w", ErrFirewallZeroPort)
 	}
 	if hasZeroPort(f.InputPorts) {
 		return fmt.Errorf("input ports: %w", ErrFirewallZeroPort)
 	}
 	for _, subnet := range f.OutboundSubnets {
 		if subnet.Addr().IsUnspecified() {
 			return fmt.Errorf("%w: %s", ErrFirewallPublicOutboundSubnet, subnet)
 		}
 	}
 	return nil
 }
 func hasZeroPort(ports []uint16) (has bool) {
 	for _, port := range ports {
 		if port == 0 {
 			return true
 		}
 	}
 	return false
 }
 func (f *Firewall) copy() (copied Firewall) {
 	return Firewall{
 		VPNInputPorts:   gosettings.CopySlice(f.VPNInputPorts),
 		InputPorts:      gosettings.CopySlice(f.InputPorts),
 		OutboundSubnets: gosettings.CopySlice(f.OutboundSubnets),
 		Enabled:         gosettings.CopyPointer(f.Enabled),
 		Debug:           gosettings.CopyPointer(f.Debug),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 // It merges values of slices together, even if they
 // are set in the receiver settings.
 func (f *Firewall) mergeWith(other Firewall) {
 	f.VPNInputPorts = gosettings.MergeWithSlice(f.VPNInputPorts, other.VPNInputPorts)
 	f.InputPorts = gosettings.MergeWithSlice(f.InputPorts, other.InputPorts)
 	f.OutboundSubnets = gosettings.MergeWithSlice(f.OutboundSubnets, other.OutboundSubnets)
 	f.Enabled = gosettings.MergeWithPointer(f.Enabled, other.Enabled)
 	f.Debug = gosettings.MergeWithPointer(f.Debug, other.Debug)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (f *Firewall) overrideWith(other Firewall) {
 	f.VPNInputPorts = gosettings.OverrideWithSlice(f.VPNInputPorts, other.VPNInputPorts)
 	f.InputPorts = gosettings.OverrideWithSlice(f.InputPorts, other.InputPorts)
 	f.OutboundSubnets = gosettings.OverrideWithSlice(f.OutboundSubnets, other.OutboundSubnets)
 	f.Enabled = gosettings.OverrideWithPointer(f.Enabled, other.Enabled)
 	f.Debug = gosettings.OverrideWithPointer(f.Debug, other.Debug)
 }
 func (f *Firewall) setDefaults() {
 	f.Enabled = gosettings.DefaultPointer(f.Enabled, true)
 	f.Debug = gosettings.DefaultPointer(f.Debug, false)
 }
 func (f Firewall) String() string {
 	return f.toLinesNode().String()
 }
 func (f Firewall) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Firewall settings:")
 	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(f.Enabled))
 	if !*f.Enabled {
 		return node
 	}
 	if *f.Debug {
 		node.Appendf("Debug mode: on")
 	}
 	if len(f.VPNInputPorts) > 0 {
 		vpnInputPortsNode := node.Appendf("VPN input ports:")
 		for _, port := range f.VPNInputPorts {
 			vpnInputPortsNode.Appendf("%d", port)
 		}
 	}
 	if len(f.InputPorts) > 0 {
 		inputPortsNode := node.Appendf("Input ports:")
 		for _, port := range f.InputPorts {
 			inputPortsNode.Appendf("%d", port)
 		}
 	}
 	if len(f.OutboundSubnets) > 0 {
 		outboundSubnets := node.Appendf("Outbound subnets:")
 		for _, subnet := range f.OutboundSubnets {
 			subnet := subnet
 			outboundSubnets.Appendf("%s", &subnet)
 		}
 	}
 	return node
 }
--- a/internal/configuration/settings/firewall_test.go
+++ b/internal/configuration/settings/firewall_test.go
@@ -0,0 +1,74 @@
 package settings
 import (
 	"net/netip"
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func Test_Firewall_validate(t *testing.T) {
 	t.Parallel()
 	testCases := map[string]struct {
 		firewall   Firewall
 		errWrapped error
 		errMessage string
 	}{
 		"empty": {},
 		"zero_vpn_input_port": {
 			firewall: Firewall{
 				VPNInputPorts: []uint16{0},
 			},
 			errWrapped: ErrFirewallZeroPort,
 			errMessage: "VPN input ports: cannot have a zero port",
 		},
 		"zero_input_port": {
 			firewall: Firewall{
 				InputPorts: []uint16{0},
 			},
 			errWrapped: ErrFirewallZeroPort,
 			errMessage: "input ports: cannot have a zero port",
 		},
 		"unspecified_outbound_subnet": {
 			firewall: Firewall{
 				OutboundSubnets: []netip.Prefix{
 					netip.MustParsePrefix("0.0.0.0/0"),
 				},
 			},
 			errWrapped: ErrFirewallPublicOutboundSubnet,
 			errMessage: "outbound subnet has an unspecified address: 0.0.0.0/0",
 		},
 		"public_outbound_subnet": {
 			firewall: Firewall{
 				OutboundSubnets: []netip.Prefix{
 					netip.MustParsePrefix("1.2.3.4/32"),
 				},
 			},
 		},
 		"valid_settings": {
 			firewall: Firewall{
 				VPNInputPorts: []uint16{100, 101},
 				InputPorts:    []uint16{200, 201},
 				OutboundSubnets: []netip.Prefix{
 					netip.MustParsePrefix("192.168.1.0/24"),
 					netip.MustParsePrefix("10.10.1.1/32"),
 				},
 			},
 		},
 	}
 	for name, testCase := range testCases {
 		testCase := testCase
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 			err := testCase.firewall.validate()
 			assert.ErrorIs(t, err, testCase.errWrapped)
 			if testCase.errWrapped != nil {
 				assert.EqualError(t, err, testCase.errMessage)
 			}
 		})
 	}
 }
--- a/internal/configuration/settings/health.go
+++ b/internal/configuration/settings/health.go
@@ -0,0 +1,113 @@
 package settings
 import (
 	"fmt"
 	"os"
 	"time"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 	"github.com/qdm12/govalid/address"
 )
 // Health contains settings for the healthcheck and health server.
 type Health struct {
 	// ServerAddress is the listening address
 	// for the health check server.
 	// It cannot be the empty string in the internal state.
 	ServerAddress string
 	// ReadHeaderTimeout is the HTTP server header read timeout
 	// duration of the HTTP server. It defaults to 100 milliseconds.
 	ReadHeaderTimeout time.Duration
 	// ReadTimeout is the HTTP read timeout duration of the
 	// HTTP server. It defaults to 500 milliseconds.
 	ReadTimeout time.Duration
 	// TargetAddress is the address (host or host:port)
 	// to TCP dial to periodically for the health check.
 	// It cannot be the empty string in the internal state.
 	TargetAddress string
 	// SuccessWait is the duration to wait to re-run the
 	// healthcheck after a successful healthcheck.
 	// It defaults to 5 seconds and cannot be zero in
 	// the internal state.
 	SuccessWait time.Duration
 	// VPN has health settings specific to the VPN loop.
 	VPN HealthyWait
 }
 func (h Health) Validate() (err error) {
 	uid := os.Getuid()
 	err = address.Validate(h.ServerAddress,
 		address.OptionListening(uid))
 	if err != nil {
 		return fmt.Errorf("server listening address is not valid: %w", err)
 	}
 	err = h.VPN.validate()
 	if err != nil {
 		return fmt.Errorf("health VPN settings: %w", err)
 	}
 	return nil
 }
 func (h *Health) copy() (copied Health) {
 	return Health{
 		ServerAddress:     h.ServerAddress,
 		ReadHeaderTimeout: h.ReadHeaderTimeout,
 		ReadTimeout:       h.ReadTimeout,
 		TargetAddress:     h.TargetAddress,
 		SuccessWait:       h.SuccessWait,
 		VPN:               h.VPN.copy(),
 	}
 }
 // MergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (h *Health) MergeWith(other Health) {
 	h.ServerAddress = gosettings.MergeWithString(h.ServerAddress, other.ServerAddress)
 	h.ReadHeaderTimeout = gosettings.MergeWithNumber(h.ReadHeaderTimeout, other.ReadHeaderTimeout)
 	h.ReadTimeout = gosettings.MergeWithNumber(h.ReadTimeout, other.ReadTimeout)
 	h.TargetAddress = gosettings.MergeWithString(h.TargetAddress, other.TargetAddress)
 	h.SuccessWait = gosettings.MergeWithNumber(h.SuccessWait, other.SuccessWait)
 	h.VPN.mergeWith(other.VPN)
 }
 // OverrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (h *Health) OverrideWith(other Health) {
 	h.ServerAddress = gosettings.OverrideWithString(h.ServerAddress, other.ServerAddress)
 	h.ReadHeaderTimeout = gosettings.OverrideWithNumber(h.ReadHeaderTimeout, other.ReadHeaderTimeout)
 	h.ReadTimeout = gosettings.OverrideWithNumber(h.ReadTimeout, other.ReadTimeout)
 	h.TargetAddress = gosettings.OverrideWithString(h.TargetAddress, other.TargetAddress)
 	h.SuccessWait = gosettings.OverrideWithNumber(h.SuccessWait, other.SuccessWait)
 	h.VPN.overrideWith(other.VPN)
 }
 func (h *Health) SetDefaults() {
 	h.ServerAddress = gosettings.DefaultString(h.ServerAddress, "127.0.0.1:9999")
 	const defaultReadHeaderTimeout = 100 * time.Millisecond
 	h.ReadHeaderTimeout = gosettings.DefaultNumber(h.ReadHeaderTimeout, defaultReadHeaderTimeout)
 	const defaultReadTimeout = 500 * time.Millisecond
 	h.ReadTimeout = gosettings.DefaultNumber(h.ReadTimeout, defaultReadTimeout)
 	h.TargetAddress = gosettings.DefaultString(h.TargetAddress, "cloudflare.com:443")
 	const defaultSuccessWait = 5 * time.Second
 	h.SuccessWait = gosettings.DefaultNumber(h.SuccessWait, defaultSuccessWait)
 	h.VPN.setDefaults()
 }
 func (h Health) String() string {
 	return h.toLinesNode().String()
 }
 func (h Health) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Health settings:")
 	node.Appendf("Server listening address: %s", h.ServerAddress)
 	node.Appendf("Target address: %s", h.TargetAddress)
 	node.Appendf("Duration to wait after success: %s", h.SuccessWait)
 	node.Appendf("Read header timeout: %s", h.ReadHeaderTimeout)
 	node.Appendf("Read timeout: %s", h.ReadTimeout)
 	node.AppendNode(h.VPN.toLinesNode("VPN"))
 	return node
 }
--- a/internal/configuration/settings/healthywait.go
+++ b/internal/configuration/settings/healthywait.go
@@ -0,0 +1,66 @@
 package settings
 import (
 	"time"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 type HealthyWait struct {
 	// Initial is the initial duration to wait for the program
 	// to be healthy before taking action.
 	// It cannot be nil in the internal state.
 	Initial *time.Duration
 	// Addition is the duration to add to the Initial duration
 	// after Initial has expired to wait longer for the program
 	// to be healthy.
 	// It cannot be nil in the internal state.
 	Addition *time.Duration
 }
 func (h HealthyWait) validate() (err error) {
 	return nil
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (h *HealthyWait) copy() (copied HealthyWait) {
 	return HealthyWait{
 		Initial:  gosettings.CopyPointer(h.Initial),
 		Addition: gosettings.CopyPointer(h.Addition),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (h *HealthyWait) mergeWith(other HealthyWait) {
 	h.Initial = gosettings.MergeWithPointer(h.Initial, other.Initial)
 	h.Addition = gosettings.MergeWithPointer(h.Addition, other.Addition)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (h *HealthyWait) overrideWith(other HealthyWait) {
 	h.Initial = gosettings.OverrideWithPointer(h.Initial, other.Initial)
 	h.Addition = gosettings.OverrideWithPointer(h.Addition, other.Addition)
 }
 func (h *HealthyWait) setDefaults() {
 	const initialDurationDefault = 6 * time.Second
 	const additionDurationDefault = 5 * time.Second
 	h.Initial = gosettings.DefaultPointer(h.Initial, initialDurationDefault)
 	h.Addition = gosettings.DefaultPointer(h.Addition, additionDurationDefault)
 }
 func (h HealthyWait) String() string {
 	return h.toLinesNode("Health").String()
 }
 func (h HealthyWait) toLinesNode(kind string) (node *gotree.Node) {
 	node = gotree.New(kind + " wait durations:")
 	node.Appendf("Initial duration: %s", *h.Initial)
 	node.Appendf("Additional duration: %s", *h.Addition)
 	return node
 }
--- a/internal/configuration/settings/helpers/belong.go
+++ b/internal/configuration/settings/helpers/belong.go
@@ -0,0 +1,10 @@
 package helpers
 func IsOneOf[T comparable](value T, choices ...T) (ok bool) {
 	for _, choice := range choices {
 		if value == choice {
 			return true
 		}
 	}
 	return false
 }
--- a/internal/configuration/settings/helpers/string.go
+++ b/internal/configuration/settings/helpers/string.go
@@ -0,0 +1,8 @@
 package helpers
 func TCPPtrToString(tcp *bool) string {
 	if *tcp {
 		return "TCP"
 	}
 	return "UDP"
 }
--- a/internal/configuration/settings/helpers_test.go
+++ b/internal/configuration/settings/helpers_test.go
@@ -0,0 +1,4 @@
 package settings
 func boolPtr(b bool) *bool    { return &b }
 func uint8Ptr(n uint8) *uint8 { return &n }
--- a/internal/configuration/settings/httpproxy.go
+++ b/internal/configuration/settings/httpproxy.go
@@ -0,0 +1,130 @@
 package settings
 import (
 	"fmt"
 	"os"
 	"time"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 	"github.com/qdm12/govalid/address"
 )
 // HTTPProxy contains settings to configure the HTTP proxy.
 type HTTPProxy struct {
 	// User is the username to use for the HTTP proxy.
 	// It cannot be nil in the internal state.
 	User *string
 	// Password is the password to use for the HTTP proxy.
 	// It cannot be nil in the internal state.
 	Password *string
 	// ListeningAddress is the listening address
 	// of the HTTP proxy server.
 	// It cannot be the empty string in the internal state.
 	ListeningAddress string
 	// Enabled is true if the HTTP proxy server should run,
 	// and false otherwise. It cannot be nil in the
 	// internal state.
 	Enabled *bool
 	// Stealth is true if the HTTP proxy server should hide
 	// each request has been proxied to the destination.
 	// It cannot be nil in the internal state.
 	Stealth *bool
 	// Log is true if the HTTP proxy server should log
 	// each request/response. It cannot be nil in the
 	// internal state.
 	Log *bool
 	// ReadHeaderTimeout is the HTTP header read timeout duration
 	// of the HTTP server. It defaults to 1 second if left unset.
 	ReadHeaderTimeout time.Duration
 	// ReadTimeout is the HTTP read timeout duration
 	// of the HTTP server. It defaults to 3 seconds if left unset.
 	ReadTimeout time.Duration
 }
 func (h HTTPProxy) validate() (err error) {
 	// Do not validate user and password
 	uid := os.Getuid()
 	err = address.Validate(h.ListeningAddress, address.OptionListening(uid))
 	if err != nil {
 		return fmt.Errorf("%w: %s", ErrServerAddressNotValid, h.ListeningAddress)
 	}
 	return nil
 }
 func (h *HTTPProxy) copy() (copied HTTPProxy) {
 	return HTTPProxy{
 		User:              gosettings.CopyPointer(h.User),
 		Password:          gosettings.CopyPointer(h.Password),
 		ListeningAddress:  h.ListeningAddress,
 		Enabled:           gosettings.CopyPointer(h.Enabled),
 		Stealth:           gosettings.CopyPointer(h.Stealth),
 		Log:               gosettings.CopyPointer(h.Log),
 		ReadHeaderTimeout: h.ReadHeaderTimeout,
 		ReadTimeout:       h.ReadTimeout,
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (h *HTTPProxy) mergeWith(other HTTPProxy) {
 	h.User = gosettings.MergeWithPointer(h.User, other.User)
 	h.Password = gosettings.MergeWithPointer(h.Password, other.Password)
 	h.ListeningAddress = gosettings.MergeWithString(h.ListeningAddress, other.ListeningAddress)
 	h.Enabled = gosettings.MergeWithPointer(h.Enabled, other.Enabled)
 	h.Stealth = gosettings.MergeWithPointer(h.Stealth, other.Stealth)
 	h.Log = gosettings.MergeWithPointer(h.Log, other.Log)
 	h.ReadHeaderTimeout = gosettings.MergeWithNumber(h.ReadHeaderTimeout, other.ReadHeaderTimeout)
 	h.ReadTimeout = gosettings.MergeWithNumber(h.ReadTimeout, other.ReadTimeout)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (h *HTTPProxy) overrideWith(other HTTPProxy) {
 	h.User = gosettings.OverrideWithPointer(h.User, other.User)
 	h.Password = gosettings.OverrideWithPointer(h.Password, other.Password)
 	h.ListeningAddress = gosettings.OverrideWithString(h.ListeningAddress, other.ListeningAddress)
 	h.Enabled = gosettings.OverrideWithPointer(h.Enabled, other.Enabled)
 	h.Stealth = gosettings.OverrideWithPointer(h.Stealth, other.Stealth)
 	h.Log = gosettings.OverrideWithPointer(h.Log, other.Log)
 	h.ReadHeaderTimeout = gosettings.OverrideWithNumber(h.ReadHeaderTimeout, other.ReadHeaderTimeout)
 	h.ReadTimeout = gosettings.OverrideWithNumber(h.ReadTimeout, other.ReadTimeout)
 }
 func (h *HTTPProxy) setDefaults() {
 	h.User = gosettings.DefaultPointer(h.User, "")
 	h.Password = gosettings.DefaultPointer(h.Password, "")
 	h.ListeningAddress = gosettings.DefaultString(h.ListeningAddress, ":8888")
 	h.Enabled = gosettings.DefaultPointer(h.Enabled, false)
 	h.Stealth = gosettings.DefaultPointer(h.Stealth, false)
 	h.Log = gosettings.DefaultPointer(h.Log, false)
 	const defaultReadHeaderTimeout = time.Second
 	h.ReadHeaderTimeout = gosettings.DefaultNumber(h.ReadHeaderTimeout, defaultReadHeaderTimeout)
 	const defaultReadTimeout = 3 * time.Second
 	h.ReadTimeout = gosettings.DefaultNumber(h.ReadTimeout, defaultReadTimeout)
 }
 func (h HTTPProxy) String() string {
 	return h.toLinesNode().String()
 }
 func (h HTTPProxy) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("HTTP proxy settings:")
 	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(h.Enabled))
 	if !*h.Enabled {
 		return node
 	}
 	node.Appendf("Listening address: %s", h.ListeningAddress)
 	node.Appendf("User: %s", *h.User)
 	node.Appendf("Password: %s", gosettings.ObfuscateKey(*h.Password))
 	node.Appendf("Stealth mode: %s", gosettings.BoolToYesNo(h.Stealth))
 	node.Appendf("Log: %s", gosettings.BoolToYesNo(h.Log))
 	node.Appendf("Read header timeout: %s", h.ReadHeaderTimeout)
 	node.Appendf("Read timeout: %s", h.ReadTimeout)
 	return node
 }
--- a/internal/configuration/settings/log.go
+++ b/internal/configuration/settings/log.go
@@ -0,0 +1,51 @@
 package settings
 import (
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 	"github.com/qdm12/log"
 )
 // Log contains settings to configure the logger.
 type Log struct {
 	// Level is the log level of the logger.
 	// It cannot be nil in the internal state.
 	Level *log.Level
 }
 func (l Log) validate() (err error) {
 	return nil
 }
 func (l *Log) copy() (copied Log) {
 	return Log{
 		Level: gosettings.CopyPointer(l.Level),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (l *Log) mergeWith(other Log) {
 	l.Level = gosettings.MergeWithPointer(l.Level, other.Level)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (l *Log) overrideWith(other Log) {
 	l.Level = gosettings.OverrideWithPointer(l.Level, other.Level)
 }
 func (l *Log) setDefaults() {
 	l.Level = gosettings.DefaultPointer(l.Level, log.LevelInfo)
 }
 func (l Log) String() string {
 	return l.toLinesNode().String()
 }
 func (l Log) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Log settings:")
 	node.Appendf("Log level: %s", l.Level.String())
 	return node
 }
--- a/internal/configuration/settings/netaddr.go
+++ b/internal/configuration/settings/netaddr.go
@@ -0,0 +1,36 @@
 package settings
 import (
 	"net/netip"
 	"inet.af/netaddr"
 )
 func netipAddressToNetaddrIP(address netip.Addr) (ip netaddr.IP) {
 	if address.Is4() {
 		return netaddr.IPFrom4(address.As4())
 	}
 	return netaddr.IPFrom16(address.As16())
 }
 func netipAddressesToNetaddrIPs(addresses []netip.Addr) (ips []netaddr.IP) {
 	ips = make([]netaddr.IP, len(addresses))
 	for i := range addresses {
 		ips[i] = netipAddressToNetaddrIP(addresses[i])
 	}
 	return ips
 }
 func netipPrefixToNetaddrIPPrefix(prefix netip.Prefix) (ipPrefix netaddr.IPPrefix) {
 	netaddrIP := netipAddressToNetaddrIP(prefix.Addr())
 	bits := prefix.Bits()
 	return netaddr.IPPrefixFrom(netaddrIP, uint8(bits))
 }
 func netipPrefixesToNetaddrIPPrefixes(prefixes []netip.Prefix) (ipPrefixes []netaddr.IPPrefix) {
 	ipPrefixes = make([]netaddr.IPPrefix, len(prefixes))
 	for i := range ipPrefixes {
 		ipPrefixes[i] = netipPrefixToNetaddrIPPrefix(prefixes[i])
 	}
 	return ipPrefixes
 }
--- a/internal/configuration/settings/nordvpn_retro.go
+++ b/internal/configuration/settings/nordvpn_retro.go
@@ -0,0 +1,42 @@
 package settings
 // Retro-compatibility because SERVER_REGIONS changed to SERVER_COUNTRIES
 // and SERVER_REGIONS is now the continent field for servers.
 // TODO v4 remove.
 func nordvpnRetroRegion(selection ServerSelection, validRegions, validCountries []string) (
 	updatedSelection ServerSelection) {
 	validRegionsMap := stringSliceToMap(validRegions)
 	validCountriesMap := stringSliceToMap(validCountries)
 	updatedSelection = selection.copy()
 	updatedSelection.Regions = make([]string, 0, len(selection.Regions))
 	for _, region := range selection.Regions {
 		_, isValid := validRegionsMap[region]
 		if isValid {
 			updatedSelection.Regions = append(updatedSelection.Regions, region)
 			continue
 		}
 		_, isValid = validCountriesMap[region]
 		if !isValid {
 			// Region is not valid for the country or region
 			// just leave it to the validation to fail it later
 			continue
 		}
 		// Region is not valid for a region, but is a valid country
 		// Handle retro-compatibility and transfer the value to the
 		// country field.
 		updatedSelection.Countries = append(updatedSelection.Countries, region)
 	}
 	return updatedSelection
 }
 func stringSliceToMap(slice []string) (m map[string]struct{}) {
 	m = make(map[string]struct{}, len(slice))
 	for _, s := range slice {
 		m[s] = struct{}{}
 	}
 	return m
 }
--- a/internal/configuration/settings/openvpn.go
+++ b/internal/configuration/settings/openvpn.go
@@ -0,0 +1,397 @@
 package settings
 import (
 	"encoding/base64"
 	"fmt"
 	"regexp"
 	"github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/openvpn/extract"
 	"github.com/qdm12/gluetun/internal/provider/privateinternetaccess/presets"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 )
 // OpenVPN contains settings to configure the OpenVPN client.
 type OpenVPN struct {
 	// Version is the OpenVPN version to run.
 	// It can only be "2.5" or "2.6".
 	Version string `json:"version"`
 	// User is the OpenVPN authentication username.
 	// It cannot be nil in the internal state if OpenVPN is used.
 	// It is usually required but in some cases can be the empty string
 	// to indicate no user+password authentication is needed.
 	User *string `json:"user"`
 	// Password is the OpenVPN authentication password.
 	// It cannot be nil in the internal state if OpenVPN is used.
 	// It is usually required but in some cases can be the empty string
 	// to indicate no user+password authentication is needed.
 	Password *string `json:"password"`
 	// ConfFile is a custom OpenVPN configuration file path.
 	// It can be set to the empty string for it to be ignored.
 	// It cannot be nil in the internal state.
 	ConfFile *string `json:"config_file_path"`
 	// Ciphers is a list of ciphers to use for OpenVPN,
 	// different from the ones specified by the VPN
 	// service provider configuration files.
 	Ciphers []string `json:"ciphers"`
 	// Auth is an auth algorithm to use in OpenVPN instead
 	// of the one specified by the VPN service provider.
 	// It cannot be nil in the internal state.
 	// It is ignored if it is set to the empty string.
 	Auth *string `json:"auth"`
 	// Cert is the base64 encoded DER of an OpenVPN certificate for the <cert> block.
 	// This is notably used by Cyberghost and VPN secure.
 	// It can be set to the empty string to be ignored.
 	// It cannot be nil in the internal state.
 	Cert *string `json:"cert"`
 	// Key is the base64 encoded DER of an OpenVPN key.
 	// This is used by Cyberghost and VPN Unlimited.
 	// It can be set to the empty string to be ignored.
 	// It cannot be nil in the internal state.
 	Key *string `json:"key"`
 	// EncryptedKey is the base64 encoded DER of an encrypted key for OpenVPN.
 	// It is used by VPN secure.
 	// It defaults to the empty string meaning it is not
 	// to be used. KeyPassphrase must be set if this one is set.
 	EncryptedKey *string `json:"encrypted_key"`
 	// KeyPassphrase is the key passphrase to be used by OpenVPN
 	// to decrypt the EncryptedPrivateKey. It defaults to the
 	// empty string and must be set if EncryptedPrivateKey is set.
 	KeyPassphrase *string `json:"key_passphrase"`
 	// PIAEncPreset is the encryption preset for
 	// Private Internet Access. It can be set to an
 	// empty string for other providers.
 	PIAEncPreset *string `json:"pia_encryption_preset"`
 	// MSSFix is the value (1 to 10000) to set for the
 	// mssfix option for OpenVPN. It is ignored if set to 0.
 	// It cannot be nil in the internal state.
 	MSSFix *uint16 `json:"mssfix"`
 	// Interface is the OpenVPN device interface name.
 	// It cannot be an empty string in the internal state.
 	Interface string `json:"interface"`
 	// ProcessUser is the OpenVPN process OS username
 	// to use. It cannot be empty in the internal state.
 	// It defaults to 'root'.
 	ProcessUser string `json:"process_user"`
 	// Verbosity is the OpenVPN verbosity level from 0 to 6.
 	// It cannot be nil in the internal state.
 	Verbosity *int `json:"verbosity"`
 	// Flags is a slice of additional flags to be passed
 	// to the OpenVPN program.
 	Flags []string `json:"flags"`
 }
 var ivpnAccountID = regexp.MustCompile(`^(i|ivpn)\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}$`)
 func (o OpenVPN) validate(vpnProvider string) (err error) {
 	// Validate version
 	validVersions := []string{openvpn.Openvpn25, openvpn.Openvpn26}
 	if err = validate.IsOneOf(o.Version, validVersions...); err != nil {
 		return fmt.Errorf("%w: %w", ErrOpenVPNVersionIsNotValid, err)
 	}
 	isCustom := vpnProvider == providers.Custom
 	isUserRequired := !isCustom &&
 		vpnProvider != providers.Airvpn &&
 		vpnProvider != providers.VPNSecure
 	if isUserRequired && *o.User == "" {
 		return fmt.Errorf("%w", ErrOpenVPNUserIsEmpty)
 	}
 	passwordRequired := isUserRequired &&
 		(vpnProvider != providers.Ivpn || !ivpnAccountID.MatchString(*o.User))
 	if passwordRequired && *o.Password == "" {
 		return fmt.Errorf("%w", ErrOpenVPNPasswordIsEmpty)
 	}
 	err = validateOpenVPNConfigFilepath(isCustom, *o.ConfFile)
 	if err != nil {
 		return fmt.Errorf("custom configuration file: %w", err)
 	}
 	err = validateOpenVPNClientCertificate(vpnProvider, *o.Cert)
 	if err != nil {
 		return fmt.Errorf("client certificate: %w", err)
 	}
 	err = validateOpenVPNClientKey(vpnProvider, *o.Key)
 	if err != nil {
 		return fmt.Errorf("client key: %w", err)
 	}
 	err = validateOpenVPNEncryptedKey(vpnProvider, *o.EncryptedKey)
 	if err != nil {
 		return fmt.Errorf("encrypted key: %w", err)
 	}
 	if *o.EncryptedKey != "" && *o.KeyPassphrase == "" {
 		return fmt.Errorf("%w", ErrOpenVPNKeyPassphraseIsEmpty)
 	}
 	const maxMSSFix = 10000
 	if *o.MSSFix > maxMSSFix {
 		return fmt.Errorf("%w: %d is over the maximum value of %d",
 			ErrOpenVPNMSSFixIsTooHigh, *o.MSSFix, maxMSSFix)
 	}
 	if !regexpInterfaceName.MatchString(o.Interface) {
 		return fmt.Errorf("%w: '%s' does not match regex '%s'",
 			ErrOpenVPNInterfaceNotValid, o.Interface, regexpInterfaceName)
 	}
 	if *o.Verbosity < 0 || *o.Verbosity > 6 {
 		return fmt.Errorf("%w: %d can only be between 0 and 5",
 			ErrOpenVPNVerbosityIsOutOfBounds, o.Verbosity)
 	}
 	return nil
 }
 func validateOpenVPNConfigFilepath(isCustom bool,
 	confFile string) (err error) {
 	if !isCustom {
 		return nil
 	}
 	if confFile == "" {
 		return fmt.Errorf("%w", ErrFilepathMissing)
 	}
 	err = validate.FileExists(confFile)
 	if err != nil {
 		return err
 	}
 	extractor := extract.New()
 	_, _, err = extractor.Data(confFile)
 	if err != nil {
 		return fmt.Errorf("extracting information from custom configuration file: %w", err)
 	}
 	return nil
 }
 func validateOpenVPNClientCertificate(vpnProvider,
 	clientCert string) (err error) {
 	switch vpnProvider {
 	case
 		providers.Airvpn,
 		providers.Cyberghost,
 		providers.VPNSecure,
 		providers.VPNUnlimited:
 		if clientCert == "" {
 			return fmt.Errorf("%w", ErrMissingValue)
 		}
 	}
 	if clientCert == "" {
 		return nil
 	}
 	_, err = base64.StdEncoding.DecodeString(clientCert)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func validateOpenVPNClientKey(vpnProvider, clientKey string) (err error) {
 	switch vpnProvider {
 	case
 		providers.Airvpn,
 		providers.Cyberghost,
 		providers.VPNUnlimited,
 		providers.Wevpn:
 		if clientKey == "" {
 			return fmt.Errorf("%w", ErrMissingValue)
 		}
 	}
 	if clientKey == "" {
 		return nil
 	}
 	_, err = base64.StdEncoding.DecodeString(clientKey)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func validateOpenVPNEncryptedKey(vpnProvider,
 	encryptedPrivateKey string) (err error) {
 	if vpnProvider == providers.VPNSecure && encryptedPrivateKey == "" {
 		return fmt.Errorf("%w", ErrMissingValue)
 	}
 	if encryptedPrivateKey == "" {
 		return nil
 	}
 	_, err = base64.StdEncoding.DecodeString(encryptedPrivateKey)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 func (o *OpenVPN) copy() (copied OpenVPN) {
 	return OpenVPN{
 		Version:       o.Version,
 		User:          gosettings.CopyPointer(o.User),
 		Password:      gosettings.CopyPointer(o.Password),
 		ConfFile:      gosettings.CopyPointer(o.ConfFile),
 		Ciphers:       gosettings.CopySlice(o.Ciphers),
 		Auth:          gosettings.CopyPointer(o.Auth),
 		Cert:          gosettings.CopyPointer(o.Cert),
 		Key:           gosettings.CopyPointer(o.Key),
 		EncryptedKey:  gosettings.CopyPointer(o.EncryptedKey),
 		KeyPassphrase: gosettings.CopyPointer(o.KeyPassphrase),
 		PIAEncPreset:  gosettings.CopyPointer(o.PIAEncPreset),
 		MSSFix:        gosettings.CopyPointer(o.MSSFix),
 		Interface:     o.Interface,
 		ProcessUser:   o.ProcessUser,
 		Verbosity:     gosettings.CopyPointer(o.Verbosity),
 		Flags:         gosettings.CopySlice(o.Flags),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (o *OpenVPN) mergeWith(other OpenVPN) {
 	o.Version = gosettings.MergeWithString(o.Version, other.Version)
 	o.User = gosettings.MergeWithPointer(o.User, other.User)
 	o.Password = gosettings.MergeWithPointer(o.Password, other.Password)
 	o.ConfFile = gosettings.MergeWithPointer(o.ConfFile, other.ConfFile)
 	o.Ciphers = gosettings.MergeWithSlice(o.Ciphers, other.Ciphers)
 	o.Auth = gosettings.MergeWithPointer(o.Auth, other.Auth)
 	o.Cert = gosettings.MergeWithPointer(o.Cert, other.Cert)
 	o.Key = gosettings.MergeWithPointer(o.Key, other.Key)
 	o.EncryptedKey = gosettings.MergeWithPointer(o.EncryptedKey, other.EncryptedKey)
 	o.KeyPassphrase = gosettings.MergeWithPointer(o.KeyPassphrase, other.KeyPassphrase)
 	o.PIAEncPreset = gosettings.MergeWithPointer(o.PIAEncPreset, other.PIAEncPreset)
 	o.MSSFix = gosettings.MergeWithPointer(o.MSSFix, other.MSSFix)
 	o.Interface = gosettings.MergeWithString(o.Interface, other.Interface)
 	o.ProcessUser = gosettings.MergeWithString(o.ProcessUser, other.ProcessUser)
 	o.Verbosity = gosettings.MergeWithPointer(o.Verbosity, other.Verbosity)
 	o.Flags = gosettings.MergeWithSlice(o.Flags, other.Flags)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (o *OpenVPN) overrideWith(other OpenVPN) {
 	o.Version = gosettings.OverrideWithString(o.Version, other.Version)
 	o.User = gosettings.OverrideWithPointer(o.User, other.User)
 	o.Password = gosettings.OverrideWithPointer(o.Password, other.Password)
 	o.ConfFile = gosettings.OverrideWithPointer(o.ConfFile, other.ConfFile)
 	o.Ciphers = gosettings.OverrideWithSlice(o.Ciphers, other.Ciphers)
 	o.Auth = gosettings.OverrideWithPointer(o.Auth, other.Auth)
 	o.Cert = gosettings.OverrideWithPointer(o.Cert, other.Cert)
 	o.Key = gosettings.OverrideWithPointer(o.Key, other.Key)
 	o.EncryptedKey = gosettings.OverrideWithPointer(o.EncryptedKey, other.EncryptedKey)
 	o.KeyPassphrase = gosettings.OverrideWithPointer(o.KeyPassphrase, other.KeyPassphrase)
 	o.PIAEncPreset = gosettings.OverrideWithPointer(o.PIAEncPreset, other.PIAEncPreset)
 	o.MSSFix = gosettings.OverrideWithPointer(o.MSSFix, other.MSSFix)
 	o.Interface = gosettings.OverrideWithString(o.Interface, other.Interface)
 	o.ProcessUser = gosettings.OverrideWithString(o.ProcessUser, other.ProcessUser)
 	o.Verbosity = gosettings.OverrideWithPointer(o.Verbosity, other.Verbosity)
 	o.Flags = gosettings.OverrideWithSlice(o.Flags, other.Flags)
 }
 func (o *OpenVPN) setDefaults(vpnProvider string) {
 	o.Version = gosettings.DefaultString(o.Version, openvpn.Openvpn25)
 	o.User = gosettings.DefaultPointer(o.User, "")
 	if vpnProvider == providers.Mullvad {
 		o.Password = gosettings.DefaultPointer(o.Password, "m")
 	} else {
 		o.Password = gosettings.DefaultPointer(o.Password, "")
 	}
 	o.ConfFile = gosettings.DefaultPointer(o.ConfFile, "")
 	o.Auth = gosettings.DefaultPointer(o.Auth, "")
 	o.Cert = gosettings.DefaultPointer(o.Cert, "")
 	o.Key = gosettings.DefaultPointer(o.Key, "")
 	o.EncryptedKey = gosettings.DefaultPointer(o.EncryptedKey, "")
 	o.KeyPassphrase = gosettings.DefaultPointer(o.KeyPassphrase, "")
 	var defaultEncPreset string
 	if vpnProvider == providers.PrivateInternetAccess {
 		defaultEncPreset = presets.Strong
 	}
 	o.PIAEncPreset = gosettings.DefaultPointer(o.PIAEncPreset, defaultEncPreset)
 	o.MSSFix = gosettings.DefaultPointer(o.MSSFix, 0)
 	o.Interface = gosettings.DefaultString(o.Interface, "tun0")
 	o.ProcessUser = gosettings.DefaultString(o.ProcessUser, "root")
 	o.Verbosity = gosettings.DefaultPointer(o.Verbosity, 1)
 }
 func (o OpenVPN) String() string {
 	return o.toLinesNode().String()
 }
 func (o OpenVPN) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("OpenVPN settings:")
 	node.Appendf("OpenVPN version: %s", o.Version)
 	node.Appendf("User: %s", gosettings.ObfuscateKey(*o.User))
 	node.Appendf("Password: %s", gosettings.ObfuscateKey(*o.Password))
 	if *o.ConfFile != "" {
 		node.Appendf("Custom configuration file: %s", *o.ConfFile)
 	}
 	if len(o.Ciphers) > 0 {
 		node.Appendf("Ciphers: %s", o.Ciphers)
 	}
 	if *o.Auth != "" {
 		node.Appendf("Auth: %s", *o.Auth)
 	}
 	if *o.Cert != "" {
 		node.Appendf("Client crt: %s", gosettings.ObfuscateKey(*o.Cert))
 	}
 	if *o.Key != "" {
 		node.Appendf("Client key: %s", gosettings.ObfuscateKey(*o.Key))
 	}
 	if *o.EncryptedKey != "" {
 		node.Appendf("Encrypted key: %s (key passhrapse %s)",
 			gosettings.ObfuscateKey(*o.EncryptedKey), gosettings.ObfuscateKey(*o.KeyPassphrase))
 	}
 	if *o.PIAEncPreset != "" {
 		node.Appendf("Private Internet Access encryption preset: %s", *o.PIAEncPreset)
 	}
 	if *o.MSSFix > 0 {
 		node.Appendf("MSS Fix: %d", *o.MSSFix)
 	}
 	if o.Interface != "" {
 		node.Appendf("Network interface: %s", o.Interface)
 	}
 	node.Appendf("Run OpenVPN as: %s", o.ProcessUser)
 	node.Appendf("Verbosity level: %d", *o.Verbosity)
 	if len(o.Flags) > 0 {
 		node.Appendf("Flags: %s", o.Flags)
 	}
 	return node
 }
 // WithDefaults is a shorthand using setDefaults.
 // It's used in unit tests in other packages.
 func (o OpenVPN) WithDefaults(provider string) OpenVPN {
 	o.setDefaults(provider)
 	return o
 }
--- a/internal/configuration/settings/openvpn_test.go
+++ b/internal/configuration/settings/openvpn_test.go
@@ -0,0 +1,44 @@
 package settings
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func Test_ivpnAccountID(t *testing.T) {
 	t.Parallel()
 	testCases := []struct {
 		s     string
 		match bool
 	}{
 		{},
 		{s: "abc"},
 		{s: "i"},
 		{s: "ivpn"},
 		{s: "ivpn-aaaa"},
 		{s: "ivpn-aaaa-aaaa"},
 		{s: "ivpn-aaaa-aaaa-aaa"},
 		{s: "ivpn-aaaa-aaaa-aaaa", match: true},
 		{s: "ivpn-aaaa-aaaa-aaaaa"},
 		{s: "ivpn-a6B7-fP91-Zh6Y", match: true},
 		{s: "i-aaaa"},
 		{s: "i-aaaa-aaaa"},
 		{s: "i-aaaa-aaaa-aaa"},
 		{s: "i-aaaa-aaaa-aaaa", match: true},
 		{s: "i-aaaa-aaaa-aaaaa"},
 		{s: "i-a6B7-fP91-Zh6Y", match: true},
 	}
 	for _, testCase := range testCases {
 		testCase := testCase
 		t.Run(testCase.s, func(t *testing.T) {
 			t.Parallel()
 			match := ivpnAccountID.MatchString(testCase.s)
 			assert.Equal(t, testCase.match, match)
 		})
 	}
 }
--- a/internal/configuration/settings/openvpnselection.go
+++ b/internal/configuration/settings/openvpnselection.go
@@ -0,0 +1,189 @@
 package settings
 import (
 	"fmt"
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/provider/privateinternetaccess/presets"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 )
 type OpenVPNSelection struct {
 	// ConfFile is the custom configuration file path.
 	// It can be set to an empty string to indicate to
 	// NOT use a custom configuration file.
 	// It cannot be nil in the internal state.
 	ConfFile *string `json:"config_file_path"`
 	// TCP is true if the OpenVPN protocol is TCP,
 	// and false for UDP.
 	// It cannot be nil in the internal state.
 	TCP *bool `json:"tcp"`
 	// CustomPort is the OpenVPN server endpoint port.
 	// It can be set to 0 to indicate no custom port should
 	// be used. It cannot be nil in the internal state.
 	CustomPort *uint16 `json:"custom_port"`
 	// PIAEncPreset is the encryption preset for
 	// Private Internet Access. It can be set to an
 	// empty string for other providers.
 	PIAEncPreset *string `json:"pia_encryption_preset"`
 }
 func (o OpenVPNSelection) validate(vpnProvider string) (err error) {
 	// Validate ConfFile
 	if confFile := *o.ConfFile; confFile != "" {
 		err := validate.FileExists(confFile)
 		if err != nil {
 			return fmt.Errorf("configuration file: %w", err)
 		}
 	}
 	// Validate TCP
 	if *o.TCP && helpers.IsOneOf(vpnProvider,
 		providers.Ipvanish,
 		providers.Perfectprivacy,
 		providers.Privado,
 		providers.VPNUnlimited,
 		providers.Vyprvpn,
 	) {
 		return fmt.Errorf("%w: for VPN service provider %s",
 			ErrOpenVPNTCPNotSupported, vpnProvider)
 	}
 	// Validate CustomPort
 	if *o.CustomPort != 0 {
 		switch vpnProvider {
 		// no restriction on port
 		case providers.Custom, providers.Cyberghost, providers.HideMyAss,
 			providers.Privatevpn, providers.Torguard:
 		// no custom port allowed
 		case providers.Expressvpn, providers.Fastestvpn,
 			providers.Ipvanish, providers.Nordvpn,
 			providers.Privado, providers.Purevpn,
 			providers.Surfshark, providers.VPNSecure,
 			providers.VPNUnlimited, providers.Vyprvpn:
 			return fmt.Errorf("%w: for VPN service provider %s",
 				ErrOpenVPNCustomPortNotAllowed, vpnProvider)
 		default:
 			var allowedTCP, allowedUDP []uint16
 			switch vpnProvider {
 			case providers.Airvpn:
 				allowedTCP = []uint16{
 					53, 80, 443, // IP in 1, 3
 					1194, 2018, 41185, // IP in 1, 2, 3, 4
 				}
 				allowedUDP = []uint16{53, 80, 443, 1194, 2018, 41185}
 			case providers.Ivpn:
 				allowedTCP = []uint16{80, 443, 1143}
 				allowedUDP = []uint16{53, 1194, 2049, 2050}
 			case providers.Mullvad:
 				allowedTCP = []uint16{80, 443, 1401}
 				allowedUDP = []uint16{53, 1194, 1195, 1196, 1197, 1300, 1301, 1302, 1303, 1400}
 			case providers.Perfectprivacy:
 				allowedTCP = []uint16{44, 443, 4433}
 				allowedUDP = []uint16{44, 443, 4433}
 			case providers.PrivateInternetAccess:
 				allowedTCP = []uint16{80, 110, 443}
 				allowedUDP = []uint16{53, 1194, 1197, 1198, 8080, 9201}
 			case providers.Protonvpn:
 				allowedTCP = []uint16{443, 5995, 8443}
 				allowedUDP = []uint16{80, 443, 1194, 4569, 5060}
 			case providers.SlickVPN:
 				allowedTCP = []uint16{443, 8080, 8888}
 				allowedUDP = []uint16{443, 8080, 8888}
 			case providers.Wevpn:
 				allowedTCP = []uint16{53, 1195, 1199, 2018}
 				allowedUDP = []uint16{80, 1194, 1198}
 			case providers.Windscribe:
 				allowedTCP = []uint16{21, 22, 80, 123, 143, 443, 587, 1194, 3306, 8080, 54783}
 				allowedUDP = []uint16{53, 80, 123, 443, 1194, 54783}
 			default:
 				panic(fmt.Sprintf("VPN provider %s has no registered allowed ports", vpnProvider))
 			}
 			allowedPorts := allowedUDP
 			if *o.TCP {
 				allowedPorts = allowedTCP
 			}
 			err = validate.IsOneOf(*o.CustomPort, allowedPorts...)
 			if err != nil {
 				return fmt.Errorf("%w: for VPN service provider %s: %w",
 					ErrOpenVPNCustomPortNotAllowed, vpnProvider, err)
 			}
 		}
 	}
 	// Validate EncPreset
 	if vpnProvider == providers.PrivateInternetAccess {
 		validEncryptionPresets := []string{
 			presets.None,
 			presets.Normal,
 			presets.Strong,
 		}
 		if err = validate.IsOneOf(*o.PIAEncPreset, validEncryptionPresets...); err != nil {
 			return fmt.Errorf("%w: %w", ErrOpenVPNEncryptionPresetNotValid, err)
 		}
 	}
 	return nil
 }
 func (o *OpenVPNSelection) copy() (copied OpenVPNSelection) {
 	return OpenVPNSelection{
 		ConfFile:     gosettings.CopyPointer(o.ConfFile),
 		TCP:          gosettings.CopyPointer(o.TCP),
 		CustomPort:   gosettings.CopyPointer(o.CustomPort),
 		PIAEncPreset: gosettings.CopyPointer(o.PIAEncPreset),
 	}
 }
 func (o *OpenVPNSelection) mergeWith(other OpenVPNSelection) {
 	o.ConfFile = gosettings.MergeWithPointer(o.ConfFile, other.ConfFile)
 	o.TCP = gosettings.MergeWithPointer(o.TCP, other.TCP)
 	o.CustomPort = gosettings.MergeWithPointer(o.CustomPort, other.CustomPort)
 	o.PIAEncPreset = gosettings.MergeWithPointer(o.PIAEncPreset, other.PIAEncPreset)
 }
 func (o *OpenVPNSelection) overrideWith(other OpenVPNSelection) {
 	o.ConfFile = gosettings.OverrideWithPointer(o.ConfFile, other.ConfFile)
 	o.TCP = gosettings.OverrideWithPointer(o.TCP, other.TCP)
 	o.CustomPort = gosettings.OverrideWithPointer(o.CustomPort, other.CustomPort)
 	o.PIAEncPreset = gosettings.OverrideWithPointer(o.PIAEncPreset, other.PIAEncPreset)
 }
 func (o *OpenVPNSelection) setDefaults(vpnProvider string) {
 	o.ConfFile = gosettings.DefaultPointer(o.ConfFile, "")
 	o.TCP = gosettings.DefaultPointer(o.TCP, false)
 	o.CustomPort = gosettings.DefaultPointer(o.CustomPort, 0)
 	var defaultEncPreset string
 	if vpnProvider == providers.PrivateInternetAccess {
 		defaultEncPreset = presets.Strong
 	}
 	o.PIAEncPreset = gosettings.DefaultPointer(o.PIAEncPreset, defaultEncPreset)
 }
 func (o OpenVPNSelection) String() string {
 	return o.toLinesNode().String()
 }
 func (o OpenVPNSelection) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("OpenVPN server selection settings:")
 	node.Appendf("Protocol: %s", helpers.TCPPtrToString(o.TCP))
 	if *o.CustomPort != 0 {
 		node.Appendf("Custom port: %d", *o.CustomPort)
 	}
 	if *o.PIAEncPreset != "" {
 		node.Appendf("Private Internet Access encryption preset: %s", *o.PIAEncPreset)
 	}
 	if *o.ConfFile != "" {
 		node.Appendf("Custom configuration file: %s", *o.ConfFile)
 	}
 	return node
 }
--- a/internal/configuration/settings/portforward.go
+++ b/internal/configuration/settings/portforward.go
@@ -0,0 +1,126 @@
 package settings
 import (
 	"fmt"
 	"path/filepath"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 )
 // PortForwarding contains settings for port forwarding.
 type PortForwarding struct {
 	// Enabled is true if port forwarding should be activated.
 	// It cannot be nil for the internal state.
 	Enabled *bool `json:"enabled"`
 	// Provider is set to specify which custom port forwarding code
 	// should be used. This is especially necessary for the custom
 	// provider using Wireguard for a provider where Wireguard is not
 	// natively supported but custom port forwading code is available.
 	// It defaults to the empty string, meaning the current provider
 	// should be the one used for port forwarding.
 	// It cannot be nil for the internal state.
 	Provider *string `json:"provider"`
 	// Filepath is the port forwarding status file path
 	// to use. It can be the empty string to indicate not
 	// to write to a file. It cannot be nil for the
 	// internal state
 	Filepath *string `json:"status_file_path"`
 	// ListeningPort is the port traffic would be redirected to from the
 	// forwarded port. The redirection is disabled if it is set to 0, which
 	// is its default as well.
 	ListeningPort *uint16 `json:"listening_port"`
 }
 func (p PortForwarding) Validate(vpnProvider string) (err error) {
 	if !*p.Enabled {
 		return nil
 	}
 	// Validate current provider or custom provider specified
 	providerSelected := vpnProvider
 	if *p.Provider != "" {
 		providerSelected = *p.Provider
 	}
 	validProviders := []string{
 		providers.PrivateInternetAccess,
 		providers.Protonvpn,
 	}
 	if err = validate.IsOneOf(providerSelected, validProviders...); err != nil {
 		return fmt.Errorf("%w: %w", ErrPortForwardingEnabled, err)
 	}
 	// Validate Filepath
 	if *p.Filepath != "" { // optional
 		_, err := filepath.Abs(*p.Filepath)
 		if err != nil {
 			return fmt.Errorf("filepath is not valid: %w", err)
 		}
 	}
 	return nil
 }
 func (p *PortForwarding) Copy() (copied PortForwarding) {
 	return PortForwarding{
 		Enabled:       gosettings.CopyPointer(p.Enabled),
 		Provider:      gosettings.CopyPointer(p.Provider),
 		Filepath:      gosettings.CopyPointer(p.Filepath),
 		ListeningPort: gosettings.CopyPointer(p.ListeningPort),
 	}
 }
 func (p *PortForwarding) mergeWith(other PortForwarding) {
 	p.Enabled = gosettings.MergeWithPointer(p.Enabled, other.Enabled)
 	p.Provider = gosettings.MergeWithPointer(p.Provider, other.Provider)
 	p.Filepath = gosettings.MergeWithPointer(p.Filepath, other.Filepath)
 	p.ListeningPort = gosettings.MergeWithPointer(p.ListeningPort, other.ListeningPort)
 }
 func (p *PortForwarding) OverrideWith(other PortForwarding) {
 	p.Enabled = gosettings.OverrideWithPointer(p.Enabled, other.Enabled)
 	p.Provider = gosettings.OverrideWithPointer(p.Provider, other.Provider)
 	p.Filepath = gosettings.OverrideWithPointer(p.Filepath, other.Filepath)
 	p.ListeningPort = gosettings.OverrideWithPointer(p.ListeningPort, other.ListeningPort)
 }
 func (p *PortForwarding) setDefaults() {
 	p.Enabled = gosettings.DefaultPointer(p.Enabled, false)
 	p.Provider = gosettings.DefaultPointer(p.Provider, "")
 	p.Filepath = gosettings.DefaultPointer(p.Filepath, "/tmp/gluetun/forwarded_port")
 	p.ListeningPort = gosettings.DefaultPointer(p.ListeningPort, 0)
 }
 func (p PortForwarding) String() string {
 	return p.toLinesNode().String()
 }
 func (p PortForwarding) toLinesNode() (node *gotree.Node) {
 	if !*p.Enabled {
 		return nil
 	}
 	node = gotree.New("Automatic port forwarding settings:")
 	listeningPort := "disabled"
 	if *p.ListeningPort != 0 {
 		listeningPort = fmt.Sprintf("%d", *p.ListeningPort)
 	}
 	node.Appendf("Redirection listening port: %s", listeningPort)
 	if *p.Provider == "" {
 		node.Appendf("Use port forwarding code for current provider")
 	} else {
 		node.Appendf("Use code for provider: %s", *p.Provider)
 	}
 	filepath := *p.Filepath
 	if filepath == "" {
 		filepath = "[not set]"
 	}
 	node.Appendf("Forwarded port file path: %s", filepath)
 	return node
 }
--- a/internal/configuration/settings/portforward_test.go
+++ b/internal/configuration/settings/portforward_test.go
@@ -0,0 +1,19 @@
 package settings
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func Test_PortForwarding_String(t *testing.T) {
 	t.Parallel()
 	settings := PortForwarding{
 		Enabled: boolPtr(false),
 	}
 	s := settings.String()
 	assert.Empty(t, s)
 }
--- a/internal/configuration/settings/provider.go
+++ b/internal/configuration/settings/provider.go
@@ -0,0 +1,96 @@
 package settings
 import (
 	"fmt"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 )
 // Provider contains settings specific to a VPN provider.
 type Provider struct {
 	// Name is the VPN service provider name.
 	// It cannot be nil in the internal state.
 	Name *string `json:"name"`
 	// ServerSelection is the settings to
 	// select the VPN server.
 	ServerSelection ServerSelection `json:"server_selection"`
 	// PortForwarding is the settings about port forwarding.
 	PortForwarding PortForwarding `json:"port_forwarding"`
 }
 // TODO v4 remove pointer for receiver (because of Surfshark).
 func (p *Provider) validate(vpnType string, storage Storage) (err error) {
 	// Validate Name
 	var validNames []string
 	if vpnType == vpn.OpenVPN {
 		validNames = providers.AllWithCustom()
 		validNames = append(validNames, "pia") // Retro-compatibility
 	} else { // Wireguard
 		validNames = []string{
 			providers.Airvpn,
 			providers.Custom,
 			providers.Ivpn,
 			providers.Mullvad,
 			providers.Nordvpn,
 			providers.Surfshark,
 			providers.Windscribe,
 		}
 	}
 	if err = validate.IsOneOf(*p.Name, validNames...); err != nil {
 		return fmt.Errorf("%w for Wireguard: %w", ErrVPNProviderNameNotValid, err)
 	}
 	err = p.ServerSelection.validate(*p.Name, storage)
 	if err != nil {
 		return fmt.Errorf("server selection: %w", err)
 	}
 	err = p.PortForwarding.Validate(*p.Name)
 	if err != nil {
 		return fmt.Errorf("port forwarding: %w", err)
 	}
 	return nil
 }
 func (p *Provider) copy() (copied Provider) {
 	return Provider{
 		Name:            gosettings.CopyPointer(p.Name),
 		ServerSelection: p.ServerSelection.copy(),
 		PortForwarding:  p.PortForwarding.Copy(),
 	}
 }
 func (p *Provider) mergeWith(other Provider) {
 	p.Name = gosettings.MergeWithPointer(p.Name, other.Name)
 	p.ServerSelection.mergeWith(other.ServerSelection)
 	p.PortForwarding.mergeWith(other.PortForwarding)
 }
 func (p *Provider) overrideWith(other Provider) {
 	p.Name = gosettings.OverrideWithPointer(p.Name, other.Name)
 	p.ServerSelection.overrideWith(other.ServerSelection)
 	p.PortForwarding.OverrideWith(other.PortForwarding)
 }
 func (p *Provider) setDefaults() {
 	p.Name = gosettings.DefaultPointer(p.Name, providers.PrivateInternetAccess)
 	p.ServerSelection.setDefaults(*p.Name)
 	p.PortForwarding.setDefaults()
 }
 func (p Provider) String() string {
 	return p.toLinesNode().String()
 }
 func (p Provider) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("VPN provider settings:")
 	node.Appendf("Name: %s", *p.Name)
 	node.AppendNode(p.ServerSelection.toLinesNode())
 	node.AppendNode(p.PortForwarding.toLinesNode())
 	return node
 }
--- a/internal/configuration/settings/publicip.go
+++ b/internal/configuration/settings/publicip.go
@@ -0,0 +1,131 @@
 package settings
 import (
 	"fmt"
 	"path/filepath"
 	"time"
 	"github.com/qdm12/gluetun/internal/publicip/api"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // PublicIP contains settings for port forwarding.
 type PublicIP struct {
 	// Period is the period to get the public IP address.
 	// It can be set to 0 to disable periodic checking.
 	// It cannot be nil for the internal state.
 	// TODO change to value and add enabled field
 	Period *time.Duration
 	// IPFilepath is the public IP address status file path
 	// to use. It can be the empty string to indicate not
 	// to write to a file. It cannot be nil for the
 	// internal state
 	IPFilepath *string
 	// API is the API name to use to fetch public IP information.
 	// It can be ipinfo or ip2location. It defaults to ipinfo.
 	API string
 	// APIToken is the token to use for the IP data service
 	// such as ipinfo.io. It can be the empty string to
 	// indicate not to use a token. It cannot be nil for the
 	// internal state.
 	APIToken *string
 }
 // UpdateWith deep copies the receiving settings, overrides the copy with
 // fields set in the partialUpdate argument, validates the new settings
 // and returns them if they are valid, or returns an error otherwise.
 // In all cases, the receiving settings are unmodified.
 func (p PublicIP) UpdateWith(partialUpdate PublicIP) (updatedSettings PublicIP, err error) {
 	updatedSettings = p.copy()
 	updatedSettings.overrideWith(partialUpdate)
 	err = updatedSettings.validate()
 	if err != nil {
 		return updatedSettings, fmt.Errorf("validating updated settings: %w", err)
 	}
 	return updatedSettings, nil
 }
 func (p PublicIP) validate() (err error) {
 	const minPeriod = 5 * time.Second
 	if *p.Period < minPeriod {
 		return fmt.Errorf("%w: %s must be at least %s",
 			ErrPublicIPPeriodTooShort, p.Period, minPeriod)
 	}
 	if *p.IPFilepath != "" { // optional
 		_, err := filepath.Abs(*p.IPFilepath)
 		if err != nil {
 			return fmt.Errorf("filepath is not valid: %w", err)
 		}
 	}
 	_, err = api.ParseProvider(p.API)
 	if err != nil {
 		return fmt.Errorf("API name: %w", err)
 	}
 	return nil
 }
 func (p *PublicIP) copy() (copied PublicIP) {
 	return PublicIP{
 		Period:     gosettings.CopyPointer(p.Period),
 		IPFilepath: gosettings.CopyPointer(p.IPFilepath),
 		API:        p.API,
 		APIToken:   gosettings.CopyPointer(p.APIToken),
 	}
 }
 func (p *PublicIP) mergeWith(other PublicIP) {
 	p.Period = gosettings.MergeWithPointer(p.Period, other.Period)
 	p.IPFilepath = gosettings.MergeWithPointer(p.IPFilepath, other.IPFilepath)
 	p.API = gosettings.MergeWithString(p.API, other.API)
 	p.APIToken = gosettings.MergeWithPointer(p.APIToken, other.APIToken)
 }
 func (p *PublicIP) overrideWith(other PublicIP) {
 	p.Period = gosettings.OverrideWithPointer(p.Period, other.Period)
 	p.IPFilepath = gosettings.OverrideWithPointer(p.IPFilepath, other.IPFilepath)
 	p.API = gosettings.OverrideWithString(p.API, other.API)
 	p.APIToken = gosettings.OverrideWithPointer(p.APIToken, other.APIToken)
 }
 func (p *PublicIP) setDefaults() {
 	const defaultPeriod = 12 * time.Hour
 	p.Period = gosettings.DefaultPointer(p.Period, defaultPeriod)
 	p.IPFilepath = gosettings.DefaultPointer(p.IPFilepath, "/tmp/gluetun/ip")
 	p.API = gosettings.DefaultString(p.API, "ipinfo")
 	p.APIToken = gosettings.DefaultPointer(p.APIToken, "")
 }
 func (p PublicIP) String() string {
 	return p.toLinesNode().String()
 }
 func (p PublicIP) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Public IP settings:")
 	if *p.Period == 0 {
 		node.Appendf("Enabled: no")
 		return node
 	}
 	updatePeriod := "disabled"
 	if *p.Period > 0 {
 		updatePeriod = "every " + p.Period.String()
 	}
 	node.Appendf("Fetching: %s", updatePeriod)
 	if *p.IPFilepath != "" {
 		node.Appendf("IP file path: %s", *p.IPFilepath)
 	}
 	node.Appendf("Public IP data API: %s", p.API)
 	if *p.APIToken != "" {
 		node.Appendf("API token: %s", gosettings.ObfuscateKey(*p.APIToken))
 	}
 	return node
 }
--- a/internal/configuration/settings/server.go
+++ b/internal/configuration/settings/server.go
@@ -0,0 +1,80 @@
 package settings
 import (
 	"fmt"
 	"net"
 	"os"
 	"strconv"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // ControlServer contains settings to customize the control server operation.
 type ControlServer struct {
 	// Address is the listening address to use.
 	// It cannot be nil in the internal state.
 	Address *string
 	// Log can be true or false to enable logging on requests.
 	// It cannot be nil in the internal state.
 	Log *bool
 }
 func (c ControlServer) validate() (err error) {
 	_, portStr, err := net.SplitHostPort(*c.Address)
 	if err != nil {
 		return fmt.Errorf("listening address is not valid: %w", err)
 	}
 	port, err := strconv.Atoi(portStr)
 	if err != nil {
 		return fmt.Errorf("listening port it not valid: %w", err)
 	}
 	uid := os.Getuid()
 	const maxPrivilegedPort = 1023
 	if uid != 0 && port != 0 && port <= maxPrivilegedPort {
 		return fmt.Errorf("%w: %d when running with user ID %d",
 			ErrControlServerPrivilegedPort, port, uid)
 	}
 	return nil
 }
 func (c *ControlServer) copy() (copied ControlServer) {
 	return ControlServer{
 		Address: gosettings.CopyPointer(c.Address),
 		Log:     gosettings.CopyPointer(c.Log),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (c *ControlServer) mergeWith(other ControlServer) {
 	c.Address = gosettings.MergeWithPointer(c.Address, other.Address)
 	c.Log = gosettings.MergeWithPointer(c.Log, other.Log)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (c *ControlServer) overrideWith(other ControlServer) {
 	c.Address = gosettings.OverrideWithPointer(c.Address, other.Address)
 	c.Log = gosettings.OverrideWithPointer(c.Log, other.Log)
 }
 func (c *ControlServer) setDefaults() {
 	c.Address = gosettings.DefaultPointer(c.Address, ":8000")
 	c.Log = gosettings.DefaultPointer(c.Log, true)
 }
 func (c ControlServer) String() string {
 	return c.toLinesNode().String()
 }
 func (c ControlServer) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Control server settings:")
 	node.Appendf("Listening address: %s", *c.Address)
 	node.Appendf("Logging: %s", gosettings.BoolToYesNo(c.Log))
 	return node
 }
--- a/internal/configuration/settings/serverselection.go
+++ b/internal/configuration/settings/serverselection.go
@@ -0,0 +1,396 @@
 package settings
 import (
 	"errors"
 	"fmt"
 	"net/netip"
 	"strings"
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/configuration/settings/validation"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 )
 type ServerSelection struct { //nolint:maligned
 	// VPN is the VPN type which can be 'openvpn'
 	// or 'wireguard'. It cannot be the empty string
 	// in the internal state.
 	VPN string `json:"vpn"`
 	// TargetIP is the server endpoint IP address to use.
 	// It will override any IP address from the picked
 	// built-in server. It cannot be the empty value in the internal
 	// state, and can be set to the unspecified address to indicate
 	// there is not target IP address to use.
 	TargetIP netip.Addr `json:"target_ip"`
 	// Countries is the list of countries to filter VPN servers with.
 	Countries []string `json:"countries"`
 	// Categories is the list of categories to filter VPN servers with.
 	Categories []string `json:"categories"`
 	// Regions is the list of regions to filter VPN servers with.
 	Regions []string `json:"regions"`
 	// Cities is the list of cities to filter VPN servers with.
 	Cities []string `json:"cities"`
 	// ISPs is the list of ISP names to filter VPN servers with.
 	ISPs []string `json:"isps"`
 	// Names is the list of server names to filter VPN servers with.
 	Names []string `json:"names"`
 	// Numbers is the list of server numbers to filter VPN servers with.
 	Numbers []uint16 `json:"numbers"`
 	// Hostnames is the list of hostnames to filter VPN servers with.
 	Hostnames []string `json:"hostnames"`
 	// OwnedOnly is true if VPN provider servers that are not owned
 	// should be filtered. This is used with Mullvad.
 	OwnedOnly *bool `json:"owned_only"`
 	// FreeOnly is true if VPN servers that are not free should
 	// be filtered. This is used with ProtonVPN and VPN Unlimited.
 	FreeOnly *bool `json:"free_only"`
 	// PremiumOnly is true if VPN servers that are not premium should
 	// be filtered. This is used with VPN Secure.
 	// TODO extend to providers using FreeOnly.
 	PremiumOnly *bool `json:"premium_only"`
 	// StreamOnly is true if VPN servers not for streaming should
 	// be filtered. This is used with VPNUnlimited.
 	StreamOnly *bool `json:"stream_only"`
 	// MultiHopOnly is true if VPN servers that are not multihop
 	// should be filtered. This is used with Surfshark.
 	MultiHopOnly *bool `json:"multi_hop_only"`
 	// PortForwardOnly is true if VPN servers that don't support
 	// port forwarding should be filtered. This is used with PIA.
 	PortForwardOnly *bool `json:"port_forward_only"`
 	// OpenVPN contains settings to select OpenVPN servers
 	// and the final connection.
 	OpenVPN OpenVPNSelection `json:"openvpn"`
 	// Wireguard contains settings to select Wireguard servers
 	// and the final connection.
 	Wireguard WireguardSelection `json:"wireguard"`
 }
 var (
 	ErrOwnedOnlyNotSupported       = errors.New("owned only filter is not supported")
 	ErrFreeOnlyNotSupported        = errors.New("free only filter is not supported")
 	ErrPremiumOnlyNotSupported     = errors.New("premium only filter is not supported")
 	ErrStreamOnlyNotSupported      = errors.New("stream only filter is not supported")
 	ErrMultiHopOnlyNotSupported    = errors.New("multi hop only filter is not supported")
 	ErrPortForwardOnlyNotSupported = errors.New("port forwarding only filter is not supported")
 	ErrFreePremiumBothSet          = errors.New("free only and premium only filters are both set")
 )
 func (ss *ServerSelection) validate(vpnServiceProvider string,
 	storage Storage) (err error) {
 	switch ss.VPN {
 	case vpn.OpenVPN, vpn.Wireguard:
 	default:
 		return fmt.Errorf("%w: %s", ErrVPNTypeNotValid, ss.VPN)
 	}
 	filterChoices, err := getLocationFilterChoices(vpnServiceProvider, ss, storage)
 	if err != nil {
 		return err // already wrapped error
 	}
 	// Retro-compatibility
 	switch vpnServiceProvider {
 	case providers.Nordvpn:
 		*ss = nordvpnRetroRegion(*ss, filterChoices.Regions, filterChoices.Countries)
 	case providers.Surfshark:
 		*ss = surfsharkRetroRegion(*ss)
 	}
 	err = validateServerFilters(*ss, filterChoices)
 	if err != nil {
 		return fmt.Errorf("for VPN service provider %s: %w", vpnServiceProvider, err)
 	}
 	if *ss.OwnedOnly &&
 		vpnServiceProvider != providers.Mullvad {
 		return fmt.Errorf("%w: for VPN service provider %s",
 			ErrOwnedOnlyNotSupported, vpnServiceProvider)
 	}
 	if *ss.FreeOnly &&
 		!helpers.IsOneOf(vpnServiceProvider,
 			providers.Protonvpn,
 			providers.VPNUnlimited,
 		) {
 		return fmt.Errorf("%w: for VPN service provider %s",
 			ErrFreeOnlyNotSupported, vpnServiceProvider)
 	}
 	if *ss.PremiumOnly &&
 		!helpers.IsOneOf(vpnServiceProvider,
 			providers.VPNSecure,
 		) {
 		return fmt.Errorf("%w: for VPN service provider %s",
 			ErrPremiumOnlyNotSupported, vpnServiceProvider)
 	}
 	if *ss.FreeOnly && *ss.PremiumOnly {
 		return fmt.Errorf("%w", ErrFreePremiumBothSet)
 	}
 	if *ss.StreamOnly &&
 		!helpers.IsOneOf(vpnServiceProvider,
 			providers.Protonvpn,
 			providers.VPNUnlimited,
 		) {
 		return fmt.Errorf("%w: for VPN service provider %s",
 			ErrStreamOnlyNotSupported, vpnServiceProvider)
 	}
 	if *ss.MultiHopOnly &&
 		vpnServiceProvider != providers.Surfshark {
 		return fmt.Errorf("%w: for VPN service provider %s",
 			ErrMultiHopOnlyNotSupported, vpnServiceProvider)
 	}
 	if *ss.PortForwardOnly &&
 		vpnServiceProvider != providers.PrivateInternetAccess {
 		// ProtonVPN also supports port forwarding, but on all their servers, so these
 		// don't have the port forwarding boolean field. As a consequence, we only allow
 		// the use of PortForwardOnly for Private Internet Access.
 		return fmt.Errorf("%w: for VPN service provider %s",
 			ErrPortForwardOnlyNotSupported, vpnServiceProvider)
 	}
 	if ss.VPN == vpn.OpenVPN {
 		err = ss.OpenVPN.validate(vpnServiceProvider)
 		if err != nil {
 			return fmt.Errorf("OpenVPN server selection settings: %w", err)
 		}
 	} else {
 		err = ss.Wireguard.validate(vpnServiceProvider)
 		if err != nil {
 			return fmt.Errorf("Wireguard server selection settings: %w", err)
 		}
 	}
 	return nil
 }
 func getLocationFilterChoices(vpnServiceProvider string,
 	ss *ServerSelection, storage Storage) (filterChoices models.FilterChoices,
 	err error) {
 	filterChoices = storage.GetFilterChoices(vpnServiceProvider)
 	if vpnServiceProvider == providers.Surfshark {
 		// // Retro compatibility
 		// TODO v4 remove
 		newAndRetroRegions := append(filterChoices.Regions, validation.SurfsharkRetroLocChoices()...) //nolint:gocritic
 		err := validate.AreAllOneOfCaseInsensitive(ss.Regions, newAndRetroRegions)
 		if err != nil {
 			// Only return error comparing with newer regions, we don't want to confuse the user
 			// with the retro regions in the error message.
 			err = validate.AreAllOneOfCaseInsensitive(ss.Regions, filterChoices.Regions)
 			return models.FilterChoices{}, fmt.Errorf("%w: %w", ErrRegionNotValid, err)
 		}
 	}
 	return filterChoices, nil
 }
 // validateServerFilters validates filters against the choices given as arguments.
 // Set an argument to nil to pass the check for a particular filter.
 func validateServerFilters(settings ServerSelection, filterChoices models.FilterChoices) (err error) {
 	err = validate.AreAllOneOfCaseInsensitive(settings.Countries, filterChoices.Countries)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrCountryNotValid, err)
 	}
 	err = validate.AreAllOneOfCaseInsensitive(settings.Regions, filterChoices.Regions)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrRegionNotValid, err)
 	}
 	err = validate.AreAllOneOfCaseInsensitive(settings.Cities, filterChoices.Cities)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrCityNotValid, err)
 	}
 	err = validate.AreAllOneOfCaseInsensitive(settings.ISPs, filterChoices.ISPs)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrISPNotValid, err)
 	}
 	err = validate.AreAllOneOfCaseInsensitive(settings.Hostnames, filterChoices.Hostnames)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrHostnameNotValid, err)
 	}
 	err = validate.AreAllOneOfCaseInsensitive(settings.Names, filterChoices.Names)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrNameNotValid, err)
 	}
 	err = validate.AreAllOneOfCaseInsensitive(settings.Categories, filterChoices.Categories)
 	if err != nil {
 		return fmt.Errorf("%w: %w", ErrCategoryNotValid, err)
 	}
 	return nil
 }
 func (ss *ServerSelection) copy() (copied ServerSelection) {
 	return ServerSelection{
 		VPN:             ss.VPN,
 		TargetIP:        ss.TargetIP,
 		Countries:       gosettings.CopySlice(ss.Countries),
 		Categories:      gosettings.CopySlice(ss.Categories),
 		Regions:         gosettings.CopySlice(ss.Regions),
 		Cities:          gosettings.CopySlice(ss.Cities),
 		ISPs:            gosettings.CopySlice(ss.ISPs),
 		Hostnames:       gosettings.CopySlice(ss.Hostnames),
 		Names:           gosettings.CopySlice(ss.Names),
 		Numbers:         gosettings.CopySlice(ss.Numbers),
 		OwnedOnly:       gosettings.CopyPointer(ss.OwnedOnly),
 		FreeOnly:        gosettings.CopyPointer(ss.FreeOnly),
 		PremiumOnly:     gosettings.CopyPointer(ss.PremiumOnly),
 		StreamOnly:      gosettings.CopyPointer(ss.StreamOnly),
 		PortForwardOnly: gosettings.CopyPointer(ss.PortForwardOnly),
 		MultiHopOnly:    gosettings.CopyPointer(ss.MultiHopOnly),
 		OpenVPN:         ss.OpenVPN.copy(),
 		Wireguard:       ss.Wireguard.copy(),
 	}
 }
 func (ss *ServerSelection) mergeWith(other ServerSelection) {
 	ss.VPN = gosettings.MergeWithString(ss.VPN, other.VPN)
 	ss.TargetIP = gosettings.MergeWithValidator(ss.TargetIP, other.TargetIP)
 	ss.Countries = gosettings.MergeWithSlice(ss.Countries, other.Countries)
 	ss.Categories = gosettings.MergeWithSlice(ss.Categories, other.Categories)
 	ss.Regions = gosettings.MergeWithSlice(ss.Regions, other.Regions)
 	ss.Cities = gosettings.MergeWithSlice(ss.Cities, other.Cities)
 	ss.ISPs = gosettings.MergeWithSlice(ss.ISPs, other.ISPs)
 	ss.Hostnames = gosettings.MergeWithSlice(ss.Hostnames, other.Hostnames)
 	ss.Names = gosettings.MergeWithSlice(ss.Names, other.Names)
 	ss.Numbers = gosettings.MergeWithSlice(ss.Numbers, other.Numbers)
 	ss.OwnedOnly = gosettings.MergeWithPointer(ss.OwnedOnly, other.OwnedOnly)
 	ss.FreeOnly = gosettings.MergeWithPointer(ss.FreeOnly, other.FreeOnly)
 	ss.PremiumOnly = gosettings.MergeWithPointer(ss.PremiumOnly, other.PremiumOnly)
 	ss.StreamOnly = gosettings.MergeWithPointer(ss.StreamOnly, other.StreamOnly)
 	ss.MultiHopOnly = gosettings.MergeWithPointer(ss.MultiHopOnly, other.MultiHopOnly)
 	ss.PortForwardOnly = gosettings.MergeWithPointer(ss.PortForwardOnly, other.PortForwardOnly)
 	ss.OpenVPN.mergeWith(other.OpenVPN)
 	ss.Wireguard.mergeWith(other.Wireguard)
 }
 func (ss *ServerSelection) overrideWith(other ServerSelection) {
 	ss.VPN = gosettings.OverrideWithString(ss.VPN, other.VPN)
 	ss.TargetIP = gosettings.OverrideWithValidator(ss.TargetIP, other.TargetIP)
 	ss.Countries = gosettings.OverrideWithSlice(ss.Countries, other.Countries)
 	ss.Categories = gosettings.OverrideWithSlice(ss.Categories, other.Categories)
 	ss.Regions = gosettings.OverrideWithSlice(ss.Regions, other.Regions)
 	ss.Cities = gosettings.OverrideWithSlice(ss.Cities, other.Cities)
 	ss.ISPs = gosettings.OverrideWithSlice(ss.ISPs, other.ISPs)
 	ss.Hostnames = gosettings.OverrideWithSlice(ss.Hostnames, other.Hostnames)
 	ss.Names = gosettings.OverrideWithSlice(ss.Names, other.Names)
 	ss.Numbers = gosettings.OverrideWithSlice(ss.Numbers, other.Numbers)
 	ss.OwnedOnly = gosettings.OverrideWithPointer(ss.OwnedOnly, other.OwnedOnly)
 	ss.FreeOnly = gosettings.OverrideWithPointer(ss.FreeOnly, other.FreeOnly)
 	ss.PremiumOnly = gosettings.OverrideWithPointer(ss.PremiumOnly, other.PremiumOnly)
 	ss.StreamOnly = gosettings.OverrideWithPointer(ss.StreamOnly, other.StreamOnly)
 	ss.MultiHopOnly = gosettings.OverrideWithPointer(ss.MultiHopOnly, other.MultiHopOnly)
 	ss.PortForwardOnly = gosettings.OverrideWithPointer(ss.PortForwardOnly, other.PortForwardOnly)
 	ss.OpenVPN.overrideWith(other.OpenVPN)
 	ss.Wireguard.overrideWith(other.Wireguard)
 }
 func (ss *ServerSelection) setDefaults(vpnProvider string) {
 	ss.VPN = gosettings.DefaultString(ss.VPN, vpn.OpenVPN)
 	ss.TargetIP = gosettings.DefaultValidator(ss.TargetIP, netip.IPv4Unspecified())
 	ss.OwnedOnly = gosettings.DefaultPointer(ss.OwnedOnly, false)
 	ss.FreeOnly = gosettings.DefaultPointer(ss.FreeOnly, false)
 	ss.PremiumOnly = gosettings.DefaultPointer(ss.PremiumOnly, false)
 	ss.StreamOnly = gosettings.DefaultPointer(ss.StreamOnly, false)
 	ss.MultiHopOnly = gosettings.DefaultPointer(ss.MultiHopOnly, false)
 	ss.PortForwardOnly = gosettings.DefaultPointer(ss.PortForwardOnly, false)
 	ss.OpenVPN.setDefaults(vpnProvider)
 	ss.Wireguard.setDefaults()
 }
 func (ss ServerSelection) String() string {
 	return ss.toLinesNode().String()
 }
 func (ss ServerSelection) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Server selection settings:")
 	node.Appendf("VPN type: %s", ss.VPN)
 	if !ss.TargetIP.IsUnspecified() {
 		node.Appendf("Target IP address: %s", ss.TargetIP)
 	}
 	if len(ss.Countries) > 0 {
 		node.Appendf("Countries: %s", strings.Join(ss.Countries, ", "))
 	}
 	if len(ss.Categories) > 0 {
 		node.Appendf("Categories: %s", strings.Join(ss.Categories, ", "))
 	}
 	if len(ss.Regions) > 0 {
 		node.Appendf("Regions: %s", strings.Join(ss.Regions, ", "))
 	}
 	if len(ss.Cities) > 0 {
 		node.Appendf("Cities: %s", strings.Join(ss.Cities, ", "))
 	}
 	if len(ss.ISPs) > 0 {
 		node.Appendf("ISPs: %s", strings.Join(ss.ISPs, ", "))
 	}
 	if len(ss.Names) > 0 {
 		node.Appendf("Server names: %s", strings.Join(ss.Names, ", "))
 	}
 	if len(ss.Numbers) > 0 {
 		numbersNode := node.Appendf("Server numbers:")
 		for _, number := range ss.Numbers {
 			numbersNode.Appendf("%d", number)
 		}
 	}
 	if len(ss.Hostnames) > 0 {
 		node.Appendf("Hostnames: %s", strings.Join(ss.Hostnames, ", "))
 	}
 	if *ss.OwnedOnly {
 		node.Appendf("Owned only servers: yes")
 	}
 	if *ss.FreeOnly {
 		node.Appendf("Free only servers: yes")
 	}
 	if *ss.PremiumOnly {
 		node.Appendf("Premium only servers: yes")
 	}
 	if *ss.StreamOnly {
 		node.Appendf("Stream only servers: yes")
 	}
 	if *ss.MultiHopOnly {
 		node.Appendf("Multi-hop only servers: yes")
 	}
 	if ss.VPN == vpn.OpenVPN {
 		node.AppendNode(ss.OpenVPN.toLinesNode())
 	} else {
 		node.AppendNode(ss.Wireguard.toLinesNode())
 	}
 	return node
 }
 // WithDefaults is a shorthand using setDefaults.
 // It's used in unit tests in other packages.
 func (ss ServerSelection) WithDefaults(provider string) ServerSelection {
 	ss.setDefaults(provider)
 	return ss
 }
--- a/internal/configuration/settings/settings.go
+++ b/internal/configuration/settings/settings.go
@@ -0,0 +1,183 @@
 package settings
 import (
 	"fmt"
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/pprof"
 	"github.com/qdm12/gotree"
 )
 type Settings struct {
 	ControlServer ControlServer
 	DNS           DNS
 	Firewall      Firewall
 	Health        Health
 	HTTPProxy     HTTPProxy
 	Log           Log
 	PublicIP      PublicIP
 	Shadowsocks   Shadowsocks
 	System        System
 	Updater       Updater
 	Version       Version
 	VPN           VPN
 	Pprof         pprof.Settings
 }
 type Storage interface {
 	GetFilterChoices(provider string) models.FilterChoices
 }
 // Validate validates all the settings and returns an error
 // if one of them is not valid.
 // TODO v4 remove pointer for receiver (because of Surfshark).
 func (s *Settings) Validate(storage Storage, ipv6Supported bool) (err error) {
 	nameToValidation := map[string]func() error{
 		"control server":  s.ControlServer.validate,
 		"dns":             s.DNS.validate,
 		"firewall":        s.Firewall.validate,
 		"health":          s.Health.Validate,
 		"http proxy":      s.HTTPProxy.validate,
 		"log":             s.Log.validate,
 		"public ip check": s.PublicIP.validate,
 		"shadowsocks":     s.Shadowsocks.validate,
 		"system":          s.System.validate,
 		"updater":         s.Updater.Validate,
 		"version":         s.Version.validate,
 		// Pprof validation done in pprof constructor
 		"VPN": func() error {
 			return s.VPN.Validate(storage, ipv6Supported)
 		},
 	}
 	for name, validation := range nameToValidation {
 		err = validation()
 		if err != nil {
 			return fmt.Errorf("%s settings: %w", name, err)
 		}
 	}
 	return nil
 }
 func (s *Settings) copy() (copied Settings) {
 	return Settings{
 		ControlServer: s.ControlServer.copy(),
 		DNS:           s.DNS.Copy(),
 		Firewall:      s.Firewall.copy(),
 		Health:        s.Health.copy(),
 		HTTPProxy:     s.HTTPProxy.copy(),
 		Log:           s.Log.copy(),
 		PublicIP:      s.PublicIP.copy(),
 		Shadowsocks:   s.Shadowsocks.copy(),
 		System:        s.System.copy(),
 		Updater:       s.Updater.copy(),
 		Version:       s.Version.copy(),
 		VPN:           s.VPN.Copy(),
 		Pprof:         s.Pprof.Copy(),
 	}
 }
 func (s *Settings) MergeWith(other Settings) {
 	s.ControlServer.mergeWith(other.ControlServer)
 	s.DNS.mergeWith(other.DNS)
 	s.Firewall.mergeWith(other.Firewall)
 	s.Health.MergeWith(other.Health)
 	s.HTTPProxy.mergeWith(other.HTTPProxy)
 	s.Log.mergeWith(other.Log)
 	s.PublicIP.mergeWith(other.PublicIP)
 	s.Shadowsocks.mergeWith(other.Shadowsocks)
 	s.System.mergeWith(other.System)
 	s.Updater.mergeWith(other.Updater)
 	s.Version.mergeWith(other.Version)
 	s.VPN.mergeWith(other.VPN)
 	s.Pprof.MergeWith(other.Pprof)
 }
 func (s *Settings) OverrideWith(other Settings,
 	storage Storage, ipv6Supported bool) (err error) {
 	patchedSettings := s.copy()
 	patchedSettings.ControlServer.overrideWith(other.ControlServer)
 	patchedSettings.DNS.overrideWith(other.DNS)
 	patchedSettings.Firewall.overrideWith(other.Firewall)
 	patchedSettings.Health.OverrideWith(other.Health)
 	patchedSettings.HTTPProxy.overrideWith(other.HTTPProxy)
 	patchedSettings.Log.overrideWith(other.Log)
 	patchedSettings.PublicIP.overrideWith(other.PublicIP)
 	patchedSettings.Shadowsocks.overrideWith(other.Shadowsocks)
 	patchedSettings.System.overrideWith(other.System)
 	patchedSettings.Updater.overrideWith(other.Updater)
 	patchedSettings.Version.overrideWith(other.Version)
 	patchedSettings.VPN.OverrideWith(other.VPN)
 	patchedSettings.Pprof.OverrideWith(other.Pprof)
 	err = patchedSettings.Validate(storage, ipv6Supported)
 	if err != nil {
 		return err
 	}
 	*s = patchedSettings
 	return nil
 }
 func (s *Settings) SetDefaults() {
 	s.ControlServer.setDefaults()
 	s.DNS.setDefaults()
 	s.Firewall.setDefaults()
 	s.Health.SetDefaults()
 	s.HTTPProxy.setDefaults()
 	s.Log.setDefaults()
 	s.PublicIP.setDefaults()
 	s.Shadowsocks.setDefaults()
 	s.System.setDefaults()
 	s.Version.setDefaults()
 	s.VPN.setDefaults()
 	s.Updater.SetDefaults(*s.VPN.Provider.Name)
 	s.Pprof.SetDefaults()
 }
 func (s Settings) String() string {
 	return s.toLinesNode().String()
 }
 func (s Settings) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Settings summary:")
 	node.AppendNode(s.VPN.toLinesNode())
 	node.AppendNode(s.DNS.toLinesNode())
 	node.AppendNode(s.Firewall.toLinesNode())
 	node.AppendNode(s.Log.toLinesNode())
 	node.AppendNode(s.Health.toLinesNode())
 	node.AppendNode(s.Shadowsocks.toLinesNode())
 	node.AppendNode(s.HTTPProxy.toLinesNode())
 	node.AppendNode(s.ControlServer.toLinesNode())
 	node.AppendNode(s.System.toLinesNode())
 	node.AppendNode(s.PublicIP.toLinesNode())
 	node.AppendNode(s.Updater.toLinesNode())
 	node.AppendNode(s.Version.toLinesNode())
 	node.AppendNode(s.Pprof.ToLinesNode())
 	return node
 }
 func (s Settings) Warnings() (warnings []string) {
 	if *s.VPN.Provider.Name == providers.HideMyAss {
 		warnings = append(warnings, "HideMyAss dropped support for Linux OpenVPN "+
 			" so this will likely not work anymore. See https://github.com/qdm12/gluetun/issues/1498.")
 	}
 	if helpers.IsOneOf(*s.VPN.Provider.Name, providers.SlickVPN) &&
 		s.VPN.Type == vpn.OpenVPN {
 		warnings = append(warnings, "OpenVPN 2.5 uses OpenSSL 3 "+
 			"which prohibits the usage of weak security in today's standards. "+
 			*s.VPN.Provider.Name+" uses weak security which is out "+
 			"of Gluetun's control so the only workaround is to allow such weaknesses "+
 			`using the OpenVPN option tls-cipher "DEFAULT:@SECLEVEL=0". `+
 			"You might want to reach to your provider so they upgrade their certificates. "+
 			"Once this is done, you will have to let the Gluetun maintainers know "+
 			"by creating an issue, attaching the new certificate and we will update Gluetun.")
 	}
 	return warnings
 }
--- a/internal/configuration/settings/settings_test.go
+++ b/internal/configuration/settings/settings_test.go
@@ -0,0 +1,104 @@
 package settings
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func Test_Settings_String(t *testing.T) {
 	t.Parallel()
 	withDefaults := func(s Settings) Settings {
 		s.SetDefaults()
 		return s
 	}
 	testCases := map[string]struct {
 		settings Settings
 		s        string
 	}{
 		"default settings": {
 			settings: withDefaults(Settings{}),
 			s: `Settings summary:
 ├── VPN settings:
 |   ├── VPN provider settings:
 |   |   ├── Name: private internet access
 |   |   └── Server selection settings:
 |   |       ├── VPN type: openvpn
 |   |       └── OpenVPN server selection settings:
 |   |           ├── Protocol: UDP
 |   |           └── Private Internet Access encryption preset: strong
 |   └── OpenVPN settings:
 |       ├── OpenVPN version: 2.5
 |       ├── User: [not set]
 |       ├── Password: [not set]
 |       ├── Private Internet Access encryption preset: strong
 |       ├── Network interface: tun0
 |       ├── Run OpenVPN as: root
 |       └── Verbosity level: 1
 ├── DNS settings:
 |   ├── Keep existing nameserver(s): no
 |   ├── DNS server address to use: 127.0.0.1
 |   └── DNS over TLS settings:
 |       ├── Enabled: yes
 |       ├── Update period: every 24h0m0s
 |       ├── Unbound settings:
 |       |   ├── Authoritative servers:
 |       |   |   └── Cloudflare
 |       |   ├── Caching: yes
 |       |   ├── IPv6: no
 |       |   ├── Verbosity level: 1
 |       |   ├── Verbosity details level: 0
 |       |   ├── Validation log level: 0
 |       |   ├── System user: root
 |       |   └── Allowed networks:
 |       |       ├── 0.0.0.0/0
 |       |       └── ::/0
 |       └── DNS filtering settings:
 |           ├── Block malicious: yes
 |           ├── Block ads: no
 |           └── Block surveillance: yes
 ├── Firewall settings:
 |   └── Enabled: yes
 ├── Log settings:
 |   └── Log level: INFO
 ├── Health settings:
 |   ├── Server listening address: 127.0.0.1:9999
 |   ├── Target address: cloudflare.com:443
 |   ├── Duration to wait after success: 5s
 |   ├── Read header timeout: 100ms
 |   ├── Read timeout: 500ms
 |   └── VPN wait durations:
 |       ├── Initial duration: 6s
 |       └── Additional duration: 5s
 ├── Shadowsocks server settings:
 |   └── Enabled: no
 ├── HTTP proxy settings:
 |   └── Enabled: no
 ├── Control server settings:
 |   ├── Listening address: :8000
 |   └── Logging: yes
 ├── OS Alpine settings:
 |   ├── Process UID: 1000
 |   └── Process GID: 1000
 ├── Public IP settings:
 |   ├── Fetching: every 12h0m0s
 |   ├── IP file path: /tmp/gluetun/ip
 |   └── Public IP data API: ipinfo
 └── Version settings:
    └── Enabled: yes`,
 		},
 	}
 	for name, testCase := range testCases {
 		testCase := testCase
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 			s := testCase.settings.String()
 			assert.Equal(t, testCase.s, s)
 		})
 	}
 }
--- a/internal/configuration/settings/shadowsocks.go
+++ b/internal/configuration/settings/shadowsocks.go
@@ -0,0 +1,68 @@
 package settings
 import (
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 	"github.com/qdm12/ss-server/pkg/tcpudp"
 )
 // Shadowsocks contains settings to configure the Shadowsocks server.
 type Shadowsocks struct {
 	// Enabled is true if the server should be running.
 	// It defaults to false, and cannot be nil in the internal state.
 	Enabled *bool
 	// Settings are settings for the TCP+UDP server.
 	tcpudp.Settings
 }
 func (s Shadowsocks) validate() (err error) {
 	return s.Settings.Validate()
 }
 func (s *Shadowsocks) copy() (copied Shadowsocks) {
 	return Shadowsocks{
 		Enabled:  gosettings.CopyPointer(s.Enabled),
 		Settings: s.Settings.Copy(),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (s *Shadowsocks) mergeWith(other Shadowsocks) {
 	s.Enabled = gosettings.MergeWithPointer(s.Enabled, other.Enabled)
 	s.Settings = s.Settings.MergeWith(other.Settings)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (s *Shadowsocks) overrideWith(other Shadowsocks) {
 	s.Enabled = gosettings.OverrideWithPointer(s.Enabled, other.Enabled)
 	s.Settings.OverrideWith(other.Settings)
 }
 func (s *Shadowsocks) setDefaults() {
 	s.Enabled = gosettings.DefaultPointer(s.Enabled, false)
 	s.Settings.SetDefaults()
 }
 func (s Shadowsocks) String() string {
 	return s.toLinesNode().String()
 }
 func (s Shadowsocks) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Shadowsocks server settings:")
 	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(s.Enabled))
 	if !*s.Enabled {
 		return node
 	}
 	// TODO have ToLinesNode in qdm12/ss-server
 	node.Appendf("Listening address: %s", *s.Address)
 	node.Appendf("Cipher: %s", s.CipherName)
 	node.Appendf("Password: %s", gosettings.ObfuscateKey(*s.Password))
 	node.Appendf("Log addresses: %s", gosettings.BoolToYesNo(s.LogAddresses))
 	return node
 }
--- a/internal/configuration/settings/surfshark_retro.go
+++ b/internal/configuration/settings/surfshark_retro.go
@@ -0,0 +1,55 @@
 package settings
 import (
 	"strings"
 	"github.com/qdm12/gluetun/internal/provider/surfshark/servers"
 )
 func surfsharkRetroRegion(selection ServerSelection) (
 	updatedSelection ServerSelection) {
 	locationData := servers.LocationData()
 	retroToLocation := make(map[string]servers.ServerLocation, len(locationData))
 	for _, data := range locationData {
 		if data.RetroLoc == "" {
 			continue
 		}
 		retroToLocation[strings.ToLower(data.RetroLoc)] = data
 	}
 	for i, region := range selection.Regions {
 		location, ok := retroToLocation[region]
 		if !ok {
 			continue
 		}
 		selection.Regions[i] = strings.ToLower(location.Region)
 		selection.Countries = append(selection.Countries, strings.ToLower(location.Country))
 		selection.Cities = append(selection.Cities, strings.ToLower(location.City)) // even empty string
 		selection.Hostnames = append(selection.Hostnames, location.Hostname)
 	}
 	selection.Regions = dedupSlice(selection.Regions)
 	selection.Countries = dedupSlice(selection.Countries)
 	selection.Cities = dedupSlice(selection.Cities)
 	selection.Hostnames = dedupSlice(selection.Hostnames)
 	return selection
 }
 func dedupSlice(slice []string) (deduped []string) {
 	if slice == nil {
 		return nil
 	}
 	deduped = make([]string, 0, len(slice))
 	seen := make(map[string]struct{}, len(slice))
 	for _, s := range slice {
 		if _, ok := seen[s]; !ok {
 			seen[s] = struct{}{}
 			deduped = append(deduped, s)
 		}
 	}
 	return deduped
 }
--- a/internal/configuration/settings/system.go
+++ b/internal/configuration/settings/system.go
@@ -0,0 +1,61 @@
 package settings
 import (
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // System contains settings to configure system related elements.
 type System struct {
 	PUID     *uint32
 	PGID     *uint32
 	Timezone string
 }
 // Validate validates System settings.
 func (s System) validate() (err error) {
 	return nil
 }
 func (s *System) copy() (copied System) {
 	return System{
 		PUID:     gosettings.CopyPointer(s.PUID),
 		PGID:     gosettings.CopyPointer(s.PGID),
 		Timezone: s.Timezone,
 	}
 }
 func (s *System) mergeWith(other System) {
 	s.PUID = gosettings.MergeWithPointer(s.PUID, other.PUID)
 	s.PGID = gosettings.MergeWithPointer(s.PGID, other.PGID)
 	s.Timezone = gosettings.MergeWithString(s.Timezone, other.Timezone)
 }
 func (s *System) overrideWith(other System) {
 	s.PUID = gosettings.OverrideWithPointer(s.PUID, other.PUID)
 	s.PGID = gosettings.OverrideWithPointer(s.PGID, other.PGID)
 	s.Timezone = gosettings.OverrideWithString(s.Timezone, other.Timezone)
 }
 func (s *System) setDefaults() {
 	const defaultID = 1000
 	s.PUID = gosettings.DefaultPointer(s.PUID, defaultID)
 	s.PGID = gosettings.DefaultPointer(s.PGID, defaultID)
 }
 func (s System) String() string {
 	return s.toLinesNode().String()
 }
 func (s System) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("OS Alpine settings:")
 	node.Appendf("Process UID: %d", *s.PUID)
 	node.Appendf("Process GID: %d", *s.PGID)
 	if s.Timezone != "" {
 		node.Appendf("Timezone: %s", s.Timezone)
 	}
 	return node
 }
--- a/internal/configuration/settings/unbound.go
+++ b/internal/configuration/settings/unbound.go
@@ -0,0 +1,202 @@
 package settings
 import (
 	"errors"
 	"fmt"
 	"net/netip"
 	"github.com/qdm12/dns/pkg/provider"
 	"github.com/qdm12/dns/pkg/unbound"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // Unbound is settings for the Unbound program.
 type Unbound struct {
 	Providers             []string       `json:"providers"`
 	Caching               *bool          `json:"caching"`
 	IPv6                  *bool          `json:"ipv6"`
 	VerbosityLevel        *uint8         `json:"verbosity_level"`
 	VerbosityDetailsLevel *uint8         `json:"verbosity_details_level"`
 	ValidationLogLevel    *uint8         `json:"validation_log_level"`
 	Username              string         `json:"username"`
 	Allowed               []netip.Prefix `json:"allowed"`
 }
 func (u *Unbound) setDefaults() {
 	if len(u.Providers) == 0 {
 		u.Providers = []string{
 			provider.Cloudflare().String(),
 		}
 	}
 	u.Caching = gosettings.DefaultPointer(u.Caching, true)
 	u.IPv6 = gosettings.DefaultPointer(u.IPv6, false)
 	const defaultVerbosityLevel = 1
 	u.VerbosityLevel = gosettings.DefaultPointer(u.VerbosityLevel, defaultVerbosityLevel)
 	const defaultVerbosityDetailsLevel = 0
 	u.VerbosityDetailsLevel = gosettings.DefaultPointer(u.VerbosityDetailsLevel, defaultVerbosityDetailsLevel)
 	const defaultValidationLogLevel = 0
 	u.ValidationLogLevel = gosettings.DefaultPointer(u.ValidationLogLevel, defaultValidationLogLevel)
 	if u.Allowed == nil {
 		u.Allowed = []netip.Prefix{
 			netip.PrefixFrom(netip.AddrFrom4([4]byte{}), 0),
 			netip.PrefixFrom(netip.AddrFrom16([16]byte{}), 0),
 		}
 	}
 	u.Username = gosettings.DefaultString(u.Username, "root")
 }
 var (
 	ErrUnboundVerbosityLevelNotValid        = errors.New("Unbound verbosity level is not valid")
 	ErrUnboundVerbosityDetailsLevelNotValid = errors.New("Unbound verbosity details level is not valid")
 	ErrUnboundValidationLogLevelNotValid    = errors.New("Unbound validation log level is not valid")
 )
 func (u Unbound) validate() (err error) {
 	for _, s := range u.Providers {
 		_, err := provider.Parse(s)
 		if err != nil {
 			return err
 		}
 	}
 	const maxVerbosityLevel = 5
 	if *u.VerbosityLevel > maxVerbosityLevel {
 		return fmt.Errorf("%w: %d must be between 0 and %d",
 			ErrUnboundVerbosityLevelNotValid,
 			*u.VerbosityLevel,
 			maxVerbosityLevel)
 	}
 	const maxVerbosityDetailsLevel = 4
 	if *u.VerbosityDetailsLevel > maxVerbosityDetailsLevel {
 		return fmt.Errorf("%w: %d must be between 0 and %d",
 			ErrUnboundVerbosityDetailsLevelNotValid,
 			*u.VerbosityDetailsLevel,
 			maxVerbosityDetailsLevel)
 	}
 	const maxValidationLogLevel = 2
 	if *u.ValidationLogLevel > maxValidationLogLevel {
 		return fmt.Errorf("%w: %d must be between 0 and %d",
 			ErrUnboundValidationLogLevelNotValid,
 			*u.ValidationLogLevel, maxValidationLogLevel)
 	}
 	return nil
 }
 func (u Unbound) copy() (copied Unbound) {
 	return Unbound{
 		Providers:             gosettings.CopySlice(u.Providers),
 		Caching:               gosettings.CopyPointer(u.Caching),
 		IPv6:                  gosettings.CopyPointer(u.IPv6),
 		VerbosityLevel:        gosettings.CopyPointer(u.VerbosityLevel),
 		VerbosityDetailsLevel: gosettings.CopyPointer(u.VerbosityDetailsLevel),
 		ValidationLogLevel:    gosettings.CopyPointer(u.ValidationLogLevel),
 		Username:              u.Username,
 		Allowed:               gosettings.CopySlice(u.Allowed),
 	}
 }
 func (u *Unbound) mergeWith(other Unbound) {
 	u.Providers = gosettings.MergeWithSlice(u.Providers, other.Providers)
 	u.Caching = gosettings.MergeWithPointer(u.Caching, other.Caching)
 	u.IPv6 = gosettings.MergeWithPointer(u.IPv6, other.IPv6)
 	u.VerbosityLevel = gosettings.MergeWithPointer(u.VerbosityLevel, other.VerbosityLevel)
 	u.VerbosityDetailsLevel = gosettings.MergeWithPointer(u.VerbosityDetailsLevel, other.VerbosityDetailsLevel)
 	u.ValidationLogLevel = gosettings.MergeWithPointer(u.ValidationLogLevel, other.ValidationLogLevel)
 	u.Username = gosettings.MergeWithString(u.Username, other.Username)
 	u.Allowed = gosettings.MergeWithSlice(u.Allowed, other.Allowed)
 }
 func (u *Unbound) overrideWith(other Unbound) {
 	u.Providers = gosettings.OverrideWithSlice(u.Providers, other.Providers)
 	u.Caching = gosettings.OverrideWithPointer(u.Caching, other.Caching)
 	u.IPv6 = gosettings.OverrideWithPointer(u.IPv6, other.IPv6)
 	u.VerbosityLevel = gosettings.OverrideWithPointer(u.VerbosityLevel, other.VerbosityLevel)
 	u.VerbosityDetailsLevel = gosettings.OverrideWithPointer(u.VerbosityDetailsLevel, other.VerbosityDetailsLevel)
 	u.ValidationLogLevel = gosettings.OverrideWithPointer(u.ValidationLogLevel, other.ValidationLogLevel)
 	u.Username = gosettings.OverrideWithString(u.Username, other.Username)
 	u.Allowed = gosettings.OverrideWithSlice(u.Allowed, other.Allowed)
 }
 func (u Unbound) ToUnboundFormat() (settings unbound.Settings, err error) {
 	providers := make([]provider.Provider, len(u.Providers))
 	for i := range providers {
 		providers[i], err = provider.Parse(u.Providers[i])
 		if err != nil {
 			return settings, err
 		}
 	}
 	const port = 53
 	return unbound.Settings{
 		ListeningPort:         port,
 		IPv4:                  true,
 		Providers:             providers,
 		Caching:               *u.Caching,
 		IPv6:                  *u.IPv6,
 		VerbosityLevel:        *u.VerbosityLevel,
 		VerbosityDetailsLevel: *u.VerbosityDetailsLevel,
 		ValidationLogLevel:    *u.ValidationLogLevel,
 		AccessControl: unbound.AccessControlSettings{
 			Allowed: netipPrefixesToNetaddrIPPrefixes(u.Allowed),
 		},
 		Username: u.Username,
 	}, nil
 }
 var (
 	ErrConvertingNetip = errors.New("converting net.IP to netip.Addr failed")
 )
 func (u Unbound) GetFirstPlaintextIPv4() (ipv4 netip.Addr, err error) {
 	s := u.Providers[0]
 	provider, err := provider.Parse(s)
 	if err != nil {
 		return ipv4, err
 	}
 	ip := provider.DNS().IPv4[0]
 	ipv4, ok := netip.AddrFromSlice(ip)
 	if !ok {
 		return ipv4, fmt.Errorf("%w: for ip %s (%#v)",
 			ErrConvertingNetip, ip, ip)
 	}
 	return ipv4.Unmap(), nil
 }
 func (u Unbound) String() string {
 	return u.toLinesNode().String()
 }
 func (u Unbound) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Unbound settings:")
 	authServers := node.Appendf("Authoritative servers:")
 	for _, provider := range u.Providers {
 		authServers.Appendf(provider)
 	}
 	node.Appendf("Caching: %s", gosettings.BoolToYesNo(u.Caching))
 	node.Appendf("IPv6: %s", gosettings.BoolToYesNo(u.IPv6))
 	node.Appendf("Verbosity level: %d", *u.VerbosityLevel)
 	node.Appendf("Verbosity details level: %d", *u.VerbosityDetailsLevel)
 	node.Appendf("Validation log level: %d", *u.ValidationLogLevel)
 	node.Appendf("System user: %s", u.Username)
 	allowedNetworks := node.Appendf("Allowed networks:")
 	for _, network := range u.Allowed {
 		allowedNetworks.Appendf(network.String())
 	}
 	return node
 }
--- a/internal/configuration/settings/unbound_test.go
+++ b/internal/configuration/settings/unbound_test.go
@@ -0,0 +1,43 @@
 package settings
 import (
 	"encoding/json"
 	"net/netip"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func Test_Unbound_JSON(t *testing.T) {
 	t.Parallel()
 	settings := Unbound{
 		Providers:             []string{"cloudflare"},
 		Caching:               boolPtr(true),
 		IPv6:                  boolPtr(false),
 		VerbosityLevel:        uint8Ptr(1),
 		VerbosityDetailsLevel: nil,
 		ValidationLogLevel:    uint8Ptr(0),
 		Username:              "user",
 		Allowed: []netip.Prefix{
 			netip.PrefixFrom(netip.AddrFrom4([4]byte{}), 0),
 			netip.PrefixFrom(netip.AddrFrom16([16]byte{}), 0),
 		},
 	}
 	b, err := json.Marshal(settings)
 	require.NoError(t, err)
 	const expected = `{"providers":["cloudflare"],"caching":true,"ipv6":false,` +
 		`"verbosity_level":1,"verbosity_details_level":null,"validation_log_level":0,` +
 		`"username":"user","allowed":["0.0.0.0/0","::/0"]}`
 	assert.Equal(t, expected, string(b))
 	var resultSettings Unbound
 	err = json.Unmarshal(b, &resultSettings)
 	require.NoError(t, err)
 	assert.Equal(t, settings, resultSettings)
 }
--- a/internal/configuration/settings/updater.go
+++ b/internal/configuration/settings/updater.go
@@ -0,0 +1,116 @@
 package settings
 import (
 	"fmt"
 	"strings"
 	"time"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 )
 // Updater contains settings to configure the VPN
 // server information updater.
 type Updater struct {
 	// Period is the period for which the updater
 	// should run. It can be set to 0 to disable the
 	// updater. It cannot be nil in the internal state.
 	// TODO change to value and add Enabled field.
 	Period *time.Duration
 	// DNSAddress is the DNS server address to use
 	// to resolve VPN server hostnames to IP addresses.
 	// It cannot be the empty string in the internal state.
 	DNSAddress string
 	// MinRatio is the minimum ratio of servers to
 	// find per provider, compared to the total current
 	// number of servers. It defaults to 0.8.
 	MinRatio float64
 	// Providers is the list of VPN service providers
 	// to update server information for.
 	Providers []string
 }
 func (u Updater) Validate() (err error) {
 	const minPeriod = time.Minute
 	if *u.Period > 0 && *u.Period < minPeriod {
 		return fmt.Errorf("%w: %d must be larger than %s",
 			ErrUpdaterPeriodTooSmall, *u.Period, minPeriod)
 	}
 	if u.MinRatio <= 0 || u.MinRatio > 1 {
 		return fmt.Errorf("%w: %.2f must be between 0+ and 1",
 			ErrMinRatioNotValid, u.MinRatio)
 	}
 	validProviders := providers.All()
 	for _, provider := range u.Providers {
 		err = validate.IsOneOf(provider, validProviders...)
 		if err != nil {
 			return fmt.Errorf("%w: %w", ErrVPNProviderNameNotValid, err)
 		}
 	}
 	return nil
 }
 func (u *Updater) copy() (copied Updater) {
 	return Updater{
 		Period:     gosettings.CopyPointer(u.Period),
 		DNSAddress: u.DNSAddress,
 		MinRatio:   u.MinRatio,
 		Providers:  gosettings.CopySlice(u.Providers),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (u *Updater) mergeWith(other Updater) {
 	u.Period = gosettings.MergeWithPointer(u.Period, other.Period)
 	u.DNSAddress = gosettings.MergeWithString(u.DNSAddress, other.DNSAddress)
 	u.MinRatio = gosettings.MergeWithNumber(u.MinRatio, other.MinRatio)
 	u.Providers = gosettings.MergeWithSlice(u.Providers, other.Providers)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (u *Updater) overrideWith(other Updater) {
 	u.Period = gosettings.OverrideWithPointer(u.Period, other.Period)
 	u.DNSAddress = gosettings.OverrideWithString(u.DNSAddress, other.DNSAddress)
 	u.MinRatio = gosettings.OverrideWithNumber(u.MinRatio, other.MinRatio)
 	u.Providers = gosettings.OverrideWithSlice(u.Providers, other.Providers)
 }
 func (u *Updater) SetDefaults(vpnProvider string) {
 	u.Period = gosettings.DefaultPointer(u.Period, 0)
 	u.DNSAddress = gosettings.DefaultString(u.DNSAddress, "1.1.1.1:53")
 	if u.MinRatio == 0 {
 		const defaultMinRatio = 0.8
 		u.MinRatio = defaultMinRatio
 	}
 	if len(u.Providers) == 0 && vpnProvider != providers.Custom {
 		u.Providers = []string{vpnProvider}
 	}
 }
 func (u Updater) String() string {
 	return u.toLinesNode().String()
 }
 func (u Updater) toLinesNode() (node *gotree.Node) {
 	if *u.Period == 0 || len(u.Providers) == 0 {
 		return nil
 	}
 	node = gotree.New("Server data updater settings:")
 	node.Appendf("Update period: %s", *u.Period)
 	node.Appendf("DNS address: %s", u.DNSAddress)
 	node.Appendf("Minimum ratio: %.1f", u.MinRatio)
 	node.Appendf("Providers to update: %s", strings.Join(u.Providers, ", "))
 	return node
 }
--- a/internal/configuration/settings/validation/servers.go
+++ b/internal/configuration/settings/validation/servers.go
@@ -0,0 +1,151 @@
 package validation
 import (
 	"sort"
 	"github.com/qdm12/gluetun/internal/models"
 )
 func sortedInsert(ss []string, s string) []string {
 	i := sort.SearchStrings(ss, s)
 	ss = append(ss, "")
 	copy(ss[i+1:], ss[i:])
 	ss[i] = s
 	return ss
 }
 func ExtractCountries(servers []models.Server) (values []string) {
 	seen := make(map[string]struct{}, len(servers))
 	values = make([]string, 0, len(servers))
 	for _, server := range servers {
 		value := server.Country
 		if value == "" {
 			continue
 		}
 		_, alreadySeen := seen[value]
 		if alreadySeen {
 			continue
 		}
 		seen[value] = struct{}{}
 		values = sortedInsert(values, value)
 	}
 	return values
 }
 func ExtractCategories(servers []models.Server) (values []string) {
 	seen := make(map[string]struct{}, len(servers))
 	values = make([]string, 0, len(servers))
 	for _, server := range servers {
 		categories := server.Categories
 		if len(categories) == 0 {
 			continue
 		}
 		for _, value := range categories {
 			_, alreadySeen := seen[value]
 			if alreadySeen {
 				continue
 			}
 			seen[value] = struct{}{}
 			values = sortedInsert(values, value)
 		}
 	}
 	return values
 }
 func ExtractRegions(servers []models.Server) (values []string) {
 	seen := make(map[string]struct{}, len(servers))
 	values = make([]string, 0, len(servers))
 	for _, server := range servers {
 		value := server.Region
 		if value == "" {
 			continue
 		}
 		_, alreadySeen := seen[value]
 		if alreadySeen {
 			continue
 		}
 		seen[value] = struct{}{}
 		values = sortedInsert(values, value)
 	}
 	return values
 }
 func ExtractCities(servers []models.Server) (values []string) {
 	seen := make(map[string]struct{}, len(servers))
 	values = make([]string, 0, len(servers))
 	for _, server := range servers {
 		value := server.City
 		if value == "" {
 			continue
 		}
 		_, alreadySeen := seen[value]
 		if alreadySeen {
 			continue
 		}
 		seen[value] = struct{}{}
 		values = sortedInsert(values, value)
 	}
 	return values
 }
 func ExtractISPs(servers []models.Server) (values []string) {
 	seen := make(map[string]struct{}, len(servers))
 	values = make([]string, 0, len(servers))
 	for _, server := range servers {
 		value := server.ISP
 		if value == "" {
 			continue
 		}
 		_, alreadySeen := seen[value]
 		if alreadySeen {
 			continue
 		}
 		seen[value] = struct{}{}
 		values = sortedInsert(values, value)
 	}
 	return values
 }
 func ExtractServerNames(servers []models.Server) (values []string) {
 	seen := make(map[string]struct{}, len(servers))
 	values = make([]string, 0, len(servers))
 	for _, server := range servers {
 		value := server.ServerName
 		if value == "" {
 			continue
 		}
 		_, alreadySeen := seen[value]
 		if alreadySeen {
 			continue
 		}
 		seen[value] = struct{}{}
 		values = sortedInsert(values, value)
 	}
 	return values
 }
 func ExtractHostnames(servers []models.Server) (values []string) {
 	seen := make(map[string]struct{}, len(servers))
 	values = make([]string, 0, len(servers))
 	for _, server := range servers {
 		value := server.Hostname
 		if value == "" {
 			continue
 		}
 		_, alreadySeen := seen[value]
 		if alreadySeen {
 			continue
 		}
 		seen[value] = struct{}{}
 		values = sortedInsert(values, value)
 	}
 	return values
 }
--- a/internal/configuration/settings/validation/surfshark.go
+++ b/internal/configuration/settings/validation/surfshark.go
@@ -0,0 +1,24 @@
 package validation
 import (
 	"github.com/qdm12/gluetun/internal/provider/surfshark/servers"
 )
 // TODO remove in v4.
 func SurfsharkRetroLocChoices() (choices []string) {
 	locationData := servers.LocationData()
 	choices = make([]string, 0, len(locationData))
 	seen := make(map[string]struct{}, len(locationData))
 	for _, data := range locationData {
 		if data.RetroLoc == "" {
 			continue
 		}
 		if _, ok := seen[data.RetroLoc]; ok {
 			continue
 		}
 		seen[data.RetroLoc] = struct{}{}
 		choices = sortedInsert(choices, data.RetroLoc)
 	}
 	return choices
 }
--- a/internal/configuration/settings/version.go
+++ b/internal/configuration/settings/version.go
@@ -0,0 +1,53 @@
 package settings
 import (
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gotree"
 )
 // Version contains settings to configure the version
 // information fetcher.
 type Version struct {
 	// Enabled is true if the version information should
 	// be fetched from Github.
 	Enabled *bool
 }
 func (v Version) validate() (err error) {
 	return nil
 }
 func (v *Version) copy() (copied Version) {
 	return Version{
 		Enabled: gosettings.CopyPointer(v.Enabled),
 	}
 }
 // mergeWith merges the other settings into any
 // unset field of the receiver settings object.
 func (v *Version) mergeWith(other Version) {
 	v.Enabled = gosettings.MergeWithPointer(v.Enabled, other.Enabled)
 }
 // overrideWith overrides fields of the receiver
 // settings object with any field set in the other
 // settings.
 func (v *Version) overrideWith(other Version) {
 	v.Enabled = gosettings.OverrideWithPointer(v.Enabled, other.Enabled)
 }
 func (v *Version) setDefaults() {
 	v.Enabled = gosettings.DefaultPointer(v.Enabled, true)
 }
 func (v Version) String() string {
 	return v.toLinesNode().String()
 }
 func (v Version) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Version settings:")
 	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(v.Enabled))
 	return node
 }
--- a/internal/configuration/settings/vpn.go
+++ b/internal/configuration/settings/vpn.go
@@ -0,0 +1,96 @@
 package settings
 import (
 	"fmt"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 )
 type VPN struct {
 	// Type is the VPN type and can only be
 	// 'openvpn' or 'wireguard'. It cannot be the
 	// empty string in the internal state.
 	Type      string    `json:"type"`
 	Provider  Provider  `json:"provider"`
 	OpenVPN   OpenVPN   `json:"openvpn"`
 	Wireguard Wireguard `json:"wireguard"`
 }
 // TODO v4 remove pointer for receiver (because of Surfshark).
 func (v *VPN) Validate(storage Storage, ipv6Supported bool) (err error) {
 	// Validate Type
 	validVPNTypes := []string{vpn.OpenVPN, vpn.Wireguard}
 	if err = validate.IsOneOf(v.Type, validVPNTypes...); err != nil {
 		return fmt.Errorf("%w: %w", ErrVPNTypeNotValid, err)
 	}
 	err = v.Provider.validate(v.Type, storage)
 	if err != nil {
 		return fmt.Errorf("provider settings: %w", err)
 	}
 	if v.Type == vpn.OpenVPN {
 		err := v.OpenVPN.validate(*v.Provider.Name)
 		if err != nil {
 			return fmt.Errorf("OpenVPN settings: %w", err)
 		}
 	} else {
 		err := v.Wireguard.validate(*v.Provider.Name, ipv6Supported)
 		if err != nil {
 			return fmt.Errorf("Wireguard settings: %w", err)
 		}
 	}
 	return nil
 }
 func (v *VPN) Copy() (copied VPN) {
 	return VPN{
 		Type:      v.Type,
 		Provider:  v.Provider.copy(),
 		OpenVPN:   v.OpenVPN.copy(),
 		Wireguard: v.Wireguard.copy(),
 	}
 }
 func (v *VPN) mergeWith(other VPN) {
 	v.Type = gosettings.MergeWithString(v.Type, other.Type)
 	v.Provider.mergeWith(other.Provider)
 	v.OpenVPN.mergeWith(other.OpenVPN)
 	v.Wireguard.mergeWith(other.Wireguard)
 }
 func (v *VPN) OverrideWith(other VPN) {
 	v.Type = gosettings.OverrideWithString(v.Type, other.Type)
 	v.Provider.overrideWith(other.Provider)
 	v.OpenVPN.overrideWith(other.OpenVPN)
 	v.Wireguard.overrideWith(other.Wireguard)
 }
 func (v *VPN) setDefaults() {
 	v.Type = gosettings.DefaultString(v.Type, vpn.OpenVPN)
 	v.Provider.setDefaults()
 	v.OpenVPN.setDefaults(*v.Provider.Name)
 	v.Wireguard.setDefaults(*v.Provider.Name)
 }
 func (v VPN) String() string {
 	return v.toLinesNode().String()
 }
 func (v VPN) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("VPN settings:")
 	node.AppendNode(v.Provider.toLinesNode())
 	if v.Type == vpn.OpenVPN {
 		node.AppendNode(v.OpenVPN.toLinesNode())
 	} else {
 		node.AppendNode(v.Wireguard.toLinesNode())
 	}
 	return node
 }
--- a/internal/configuration/settings/wireguard.go
+++ b/internal/configuration/settings/wireguard.go
@@ -0,0 +1,224 @@
 package settings
 import (
 	"fmt"
 	"net/netip"
 	"regexp"
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 // Wireguard contains settings to configure the Wireguard client.
 type Wireguard struct {
 	// PrivateKey is the Wireguard client peer private key.
 	// It cannot be nil in the internal state.
 	PrivateKey *string `json:"private_key"`
 	// PreSharedKey is the Wireguard pre-shared key.
 	// It can be the empty string to indicate there
 	// is no pre-shared key.
 	// It cannot be nil in the internal state.
 	PreSharedKey *string `json:"pre_shared_key"`
 	// Addresses are the Wireguard interface addresses.
 	Addresses []netip.Prefix `json:"addresses"`
 	// AllowedIPs are the Wireguard allowed IPs.
 	// If left unset, they default to "0.0.0.0/0"
 	// and, if IPv6 is supported, "::0".
 	AllowedIPs []netip.Prefix `json:"allowed_ips"`
 	// Interface is the name of the Wireguard interface
 	// to create. It cannot be the empty string in the
 	// internal state.
 	Interface string `json:"interface"`
 	// Maximum Transmission Unit (MTU) of the Wireguard interface.
 	// It cannot be zero in the internal state, and defaults to
 	// 1400. Note it is not the wireguard-go MTU default of 1420
 	// because this impacts bandwidth a lot on some VPN providers,
 	// see https://github.com/qdm12/gluetun/issues/1650.
 	MTU uint16 `json:"mtu"`
 	// Implementation is the Wireguard implementation to use.
 	// It can be "auto", "userspace" or "kernelspace".
 	// It defaults to "auto" and cannot be the empty string
 	// in the internal state.
 	Implementation string `json:"implementation"`
 }
 var regexpInterfaceName = regexp.MustCompile(`^[a-zA-Z0-9_]+$`)
 // Validate validates Wireguard settings.
 // It should only be ran if the VPN type chosen is Wireguard.
 func (w Wireguard) validate(vpnProvider string, ipv6Supported bool) (err error) {
 	if !helpers.IsOneOf(vpnProvider,
 		providers.Airvpn,
 		providers.Custom,
 		providers.Ivpn,
 		providers.Mullvad,
 		providers.Nordvpn,
 		providers.Surfshark,
 		providers.Windscribe,
 	) {
 		// do not validate for VPN provider not supporting Wireguard
 		return nil
 	}
 	// Validate PrivateKey
 	if *w.PrivateKey == "" {
 		return fmt.Errorf("%w", ErrWireguardPrivateKeyNotSet)
 	}
 	_, err = wgtypes.ParseKey(*w.PrivateKey)
 	if err != nil {
 		err = fmt.Errorf("private key is not valid: %w", err)
 		if vpnProvider == providers.Nordvpn &&
 			err.Error() == "wgtypes: incorrect key size: 48" {
 			err = fmt.Errorf("%w - you might be using your access token instead of the Wireguard private key", err)
 		}
 		return err
 	}
 	if vpnProvider == providers.Airvpn {
 		if *w.PreSharedKey == "" {
 			return fmt.Errorf("%w", ErrWireguardPreSharedKeyNotSet)
 		}
 	}
 	// Validate PreSharedKey
 	if *w.PreSharedKey != "" { // Note: this is optional
 		_, err = wgtypes.ParseKey(*w.PreSharedKey)
 		if err != nil {
 			return fmt.Errorf("pre-shared key is not valid: %w", err)
 		}
 	}
 	// Validate Addresses
 	if len(w.Addresses) == 0 {
 		return fmt.Errorf("%w", ErrWireguardInterfaceAddressNotSet)
 	}
 	for i, ipNet := range w.Addresses {
 		if !ipNet.IsValid() {
 			return fmt.Errorf("%w: for address at index %d",
 				ErrWireguardInterfaceAddressNotSet, i)
 		}
 		if !ipv6Supported && ipNet.Addr().Is6() {
 			return fmt.Errorf("%w: address %s",
 				ErrWireguardInterfaceAddressIPv6, ipNet.String())
 		}
 	}
 	// Validate AllowedIPs
 	// WARNING: do not check for IPv6 networks in the allowed IPs,
 	// the wireguard code will take care to ignore it.
 	if len(w.AllowedIPs) == 0 {
 		return fmt.Errorf("%w", ErrWireguardAllowedIPsNotSet)
 	}
 	for i, allowedIP := range w.AllowedIPs {
 		if !allowedIP.IsValid() {
 			return fmt.Errorf("%w: for allowed ip %d of %d",
 				ErrWireguardAllowedIPNotSet, i+1, len(w.AllowedIPs))
 		}
 	}
 	// Validate interface
 	if !regexpInterfaceName.MatchString(w.Interface) {
 		return fmt.Errorf("%w: '%s' does not match regex '%s'",
 			ErrWireguardInterfaceNotValid, w.Interface, regexpInterfaceName)
 	}
 	validImplementations := []string{"auto", "userspace", "kernelspace"}
 	if err := validate.IsOneOf(w.Implementation, validImplementations...); err != nil {
 		return fmt.Errorf("%w: %w", ErrWireguardImplementationNotValid, err)
 	}
 	return nil
 }
 func (w *Wireguard) copy() (copied Wireguard) {
 	return Wireguard{
 		PrivateKey:     gosettings.CopyPointer(w.PrivateKey),
 		PreSharedKey:   gosettings.CopyPointer(w.PreSharedKey),
 		Addresses:      gosettings.CopySlice(w.Addresses),
 		AllowedIPs:     gosettings.CopySlice(w.AllowedIPs),
 		Interface:      w.Interface,
 		MTU:            w.MTU,
 		Implementation: w.Implementation,
 	}
 }
 func (w *Wireguard) mergeWith(other Wireguard) {
 	w.PrivateKey = gosettings.MergeWithPointer(w.PrivateKey, other.PrivateKey)
 	w.PreSharedKey = gosettings.MergeWithPointer(w.PreSharedKey, other.PreSharedKey)
 	w.Addresses = gosettings.MergeWithSlice(w.Addresses, other.Addresses)
 	w.AllowedIPs = gosettings.MergeWithSlice(w.AllowedIPs, other.AllowedIPs)
 	w.Interface = gosettings.MergeWithString(w.Interface, other.Interface)
 	w.MTU = gosettings.MergeWithNumber(w.MTU, other.MTU)
 	w.Implementation = gosettings.MergeWithString(w.Implementation, other.Implementation)
 }
 func (w *Wireguard) overrideWith(other Wireguard) {
 	w.PrivateKey = gosettings.OverrideWithPointer(w.PrivateKey, other.PrivateKey)
 	w.PreSharedKey = gosettings.OverrideWithPointer(w.PreSharedKey, other.PreSharedKey)
 	w.Addresses = gosettings.OverrideWithSlice(w.Addresses, other.Addresses)
 	w.AllowedIPs = gosettings.OverrideWithSlice(w.AllowedIPs, other.AllowedIPs)
 	w.Interface = gosettings.OverrideWithString(w.Interface, other.Interface)
 	w.MTU = gosettings.OverrideWithNumber(w.MTU, other.MTU)
 	w.Implementation = gosettings.OverrideWithString(w.Implementation, other.Implementation)
 }
 func (w *Wireguard) setDefaults(vpnProvider string) {
 	w.PrivateKey = gosettings.DefaultPointer(w.PrivateKey, "")
 	w.PreSharedKey = gosettings.DefaultPointer(w.PreSharedKey, "")
 	if vpnProvider == providers.Nordvpn {
 		defaultNordVPNAddress := netip.AddrFrom4([4]byte{10, 5, 0, 2})
 		defaultNordVPNPrefix := netip.PrefixFrom(defaultNordVPNAddress, defaultNordVPNAddress.BitLen())
 		w.Addresses = gosettings.DefaultSlice(w.Addresses, []netip.Prefix{defaultNordVPNPrefix})
 	}
 	defaultAllowedIPs := []netip.Prefix{
 		netip.PrefixFrom(netip.IPv4Unspecified(), 0),
 		netip.PrefixFrom(netip.IPv6Unspecified(), 0),
 	}
 	w.AllowedIPs = gosettings.DefaultSlice(w.AllowedIPs, defaultAllowedIPs)
 	w.Interface = gosettings.DefaultString(w.Interface, "wg0")
 	const defaultMTU = 1400
 	w.MTU = gosettings.DefaultNumber(w.MTU, defaultMTU)
 	w.Implementation = gosettings.DefaultString(w.Implementation, "auto")
 }
 func (w Wireguard) String() string {
 	return w.toLinesNode().String()
 }
 func (w Wireguard) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Wireguard settings:")
 	if *w.PrivateKey != "" {
 		s := gosettings.ObfuscateKey(*w.PrivateKey)
 		node.Appendf("Private key: %s", s)
 	}
 	if *w.PreSharedKey != "" {
 		s := gosettings.ObfuscateKey(*w.PreSharedKey)
 		node.Appendf("Pre-shared key: %s", s)
 	}
 	addressesNode := node.Appendf("Interface addresses:")
 	for _, address := range w.Addresses {
 		addressesNode.Appendf(address.String())
 	}
 	allowedIPsNode := node.Appendf("Allowed IPs:")
 	for _, allowedIP := range w.AllowedIPs {
 		allowedIPsNode.Appendf(allowedIP.String())
 	}
 	interfaceNode := node.Appendf("Network interface: %s", w.Interface)
 	interfaceNode.Appendf("MTU: %d", w.MTU)
 	if w.Implementation != "auto" {
 		node.Appendf("Implementation: %s", w.Implementation)
 	}
 	return node
 }
--- a/internal/configuration/settings/wireguardselection.go
+++ b/internal/configuration/settings/wireguardselection.go
@@ -0,0 +1,156 @@
 package settings
 import (
 	"fmt"
 	"net/netip"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/validate"
 	"github.com/qdm12/gotree"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 type WireguardSelection struct {
 	// EndpointIP is the server endpoint IP address.
 	// It is only used with VPN providers generating Wireguard
 	// configurations specific to each server and user.
 	// To indicate it should not be used, it should be set
 	// to netip.IPv4Unspecified(). It can never be the zero value
 	// in the internal state.
 	EndpointIP netip.Addr `json:"endpoint_ip"`
 	// EndpointPort is a the server port to use for the VPN server.
 	// It is optional for VPN providers IVPN, Mullvad, Surfshark
 	// and Windscribe, and compulsory for the others.
 	// When optional, it can be set to 0 to indicate not use
 	// a custom endpoint port. It cannot be nil in the internal
 	// state.
 	EndpointPort *uint16 `json:"endpoint_port"`
 	// PublicKey is the server public key.
 	// It is only used with VPN providers generating Wireguard
 	// configurations specific to each server and user.
 	PublicKey string `json:"public_key"`
 }
 // Validate validates WireguardSelection settings.
 // It should only be ran if the VPN type chosen is Wireguard.
 func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate EndpointIP
 	switch vpnProvider {
 	case providers.Airvpn, providers.Ivpn, providers.Mullvad,
 		providers.Nordvpn, providers.Surfshark, providers.Windscribe:
 		// endpoint IP addresses are baked in
 	case providers.Custom:
 		if !w.EndpointIP.IsValid() || w.EndpointIP.IsUnspecified() {
 			return fmt.Errorf("%w", ErrWireguardEndpointIPNotSet)
 		}
 	default: // Providers not supporting Wireguard
 	}
 	// Validate EndpointPort
 	switch vpnProvider {
 	// EndpointPort is required
 	case providers.Custom:
 		if *w.EndpointPort == 0 {
 			return fmt.Errorf("%w", ErrWireguardEndpointPortNotSet)
 		}
 	// EndpointPort cannot be set
 	case providers.Surfshark, providers.Nordvpn:
 		if *w.EndpointPort != 0 {
 			return fmt.Errorf("%w", ErrWireguardEndpointPortSet)
 		}
 	case providers.Airvpn, providers.Ivpn, providers.Mullvad, providers.Windscribe:
 		// EndpointPort is optional and can be 0
 		if *w.EndpointPort == 0 {
 			break // no custom endpoint port set
 		}
 		if vpnProvider == providers.Mullvad {
 			break // no restriction on custom endpoint port value
 		}
 		var allowed []uint16
 		switch vpnProvider {
 		case providers.Airvpn:
 			allowed = []uint16{1637, 47107}
 		case providers.Ivpn:
 			allowed = []uint16{2049, 2050, 53, 30587, 41893, 48574, 58237}
 		case providers.Windscribe:
 			allowed = []uint16{53, 80, 123, 443, 1194, 65142}
 		}
 		err = validate.IsOneOf(*w.EndpointPort, allowed...)
 		if err == nil {
 			break
 		}
 		return fmt.Errorf("%w: for VPN service provider %s: %w",
 			ErrWireguardEndpointPortNotAllowed, vpnProvider, err)
 	default: // Providers not supporting Wireguard
 	}
 	// Validate PublicKey
 	switch vpnProvider {
 	case providers.Ivpn, providers.Mullvad,
 		providers.Surfshark, providers.Windscribe:
 		// public keys are baked in
 	case providers.Custom:
 		if w.PublicKey == "" {
 			return fmt.Errorf("%w", ErrWireguardPublicKeyNotSet)
 		}
 	default: // Providers not supporting Wireguard
 	}
 	if w.PublicKey != "" {
 		_, err := wgtypes.ParseKey(w.PublicKey)
 		if err != nil {
 			return fmt.Errorf("%w: %s: %s",
 				ErrWireguardPublicKeyNotValid, w.PublicKey, err)
 		}
 	}
 	return nil
 }
 func (w *WireguardSelection) copy() (copied WireguardSelection) {
 	return WireguardSelection{
 		EndpointIP:   w.EndpointIP,
 		EndpointPort: gosettings.CopyPointer(w.EndpointPort),
 		PublicKey:    w.PublicKey,
 	}
 }
 func (w *WireguardSelection) mergeWith(other WireguardSelection) {
 	w.EndpointIP = gosettings.MergeWithValidator(w.EndpointIP, other.EndpointIP)
 	w.EndpointPort = gosettings.MergeWithPointer(w.EndpointPort, other.EndpointPort)
 	w.PublicKey = gosettings.MergeWithString(w.PublicKey, other.PublicKey)
 }
 func (w *WireguardSelection) overrideWith(other WireguardSelection) {
 	w.EndpointIP = gosettings.OverrideWithValidator(w.EndpointIP, other.EndpointIP)
 	w.EndpointPort = gosettings.OverrideWithPointer(w.EndpointPort, other.EndpointPort)
 	w.PublicKey = gosettings.OverrideWithString(w.PublicKey, other.PublicKey)
 }
 func (w *WireguardSelection) setDefaults() {
 	w.EndpointIP = gosettings.DefaultValidator(w.EndpointIP, netip.IPv4Unspecified())
 	w.EndpointPort = gosettings.DefaultPointer(w.EndpointPort, 0)
 }
 func (w WireguardSelection) String() string {
 	return w.toLinesNode().String()
 }
 func (w WireguardSelection) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Wireguard selection settings:")
 	if !w.EndpointIP.IsUnspecified() {
 		node.Appendf("Endpoint IP address: %s", w.EndpointIP)
 	}
 	if *w.EndpointPort != 0 {
 		node.Appendf("Endpoint port: %d", *w.EndpointPort)
 	}
 	if w.PublicKey != "" {
 		node.Appendf("Server public key: %s", w.PublicKey)
 	}
 	return node
 }
--- a/internal/configuration/sources/env/dns.go
+++ b/internal/configuration/sources/env/dns.go
@@ -0,0 +1,55 @@
 package env
 import (
 	"fmt"
 	"net/netip"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 )
 func (s *Source) readDNS() (dns settings.DNS, err error) {
 	dns.ServerAddress, err = s.readDNSServerAddress()
 	if err != nil {
 		return dns, err
 	}
 	dns.KeepNameserver, err = s.env.BoolPtr("DNS_KEEP_NAMESERVER")
 	if err != nil {
 		return dns, err
 	}
 	dns.DoT, err = s.readDoT()
 	if err != nil {
 		return dns, fmt.Errorf("DoT settings: %w", err)
 	}
 	return dns, nil
 }
 func (s *Source) readDNSServerAddress() (address netip.Addr, err error) {
 	const currentKey = "DNS_ADDRESS"
 	key := firstKeySet(s.env, "DNS_PLAINTEXT_ADDRESS", currentKey)
 	switch key {
 	case "":
 		return address, nil
 	case currentKey:
 	default: // Retro-compatibility
 		s.handleDeprecatedKey(key, currentKey)
 	}
 	address, err = s.env.NetipAddr(key)
 	if err != nil {
 		return address, err
 	}
 	// TODO remove in v4
 	if address.Unmap().Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
 		s.warner.Warn(key + " is set to " + address.String() +
 			" so the DNS over TLS (DoT) server will not be used." +
 			" The default value changed to 127.0.0.1 so it uses the internal DoT serves." +
 			" If the DoT server fails to start, the IPv4 address of the first plaintext DNS server" +
 			" corresponding to the first DoT provider chosen is used.")
 	}
 	return address, nil
 }
--- a/internal/configuration/sources/env/dnsblacklist.go
+++ b/internal/configuration/sources/env/dnsblacklist.go
@@ -0,0 +1,73 @@
 package env
 import (
 	"errors"
 	"fmt"
 	"net/netip"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gosettings/sources/env"
 )
 func (s *Source) readDNSBlacklist() (blacklist settings.DNSBlacklist, err error) {
 	blacklist.BlockMalicious, err = s.env.BoolPtr("BLOCK_MALICIOUS")
 	if err != nil {
 		return blacklist, err
 	}
 	blacklist.BlockSurveillance, err = s.env.BoolPtr("BLOCK_SURVEILLANCE",
 		env.RetroKeys("BLOCK_NSA"))
 	if err != nil {
 		return blacklist, err
 	}
 	blacklist.BlockAds, err = s.env.BoolPtr("BLOCK_ADS")
 	if err != nil {
 		return blacklist, err
 	}
 	blacklist.AddBlockedIPs, blacklist.AddBlockedIPPrefixes,
 		err = s.readDoTPrivateAddresses() // TODO v4 split in 2
 	if err != nil {
 		return blacklist, err
 	}
 	blacklist.AllowedHosts = s.env.CSV("UNBLOCK") // TODO v4 change name
 	return blacklist, nil
 }
 var (
 	ErrPrivateAddressNotValid = errors.New("private address is not a valid IP or CIDR range")
 )
 func (s *Source) readDoTPrivateAddresses() (ips []netip.Addr,
 	ipPrefixes []netip.Prefix, err error) {
 	privateAddresses := s.env.CSV("DOT_PRIVATE_ADDRESS")
 	if len(privateAddresses) == 0 {
 		return nil, nil, nil
 	}
 	ips = make([]netip.Addr, 0, len(privateAddresses))
 	ipPrefixes = make([]netip.Prefix, 0, len(privateAddresses))
 	for _, privateAddress := range privateAddresses {
 		ip, err := netip.ParseAddr(privateAddress)
 		if err == nil {
 			ips = append(ips, ip)
 			continue
 		}
 		ipPrefix, err := netip.ParsePrefix(privateAddress)
 		if err == nil {
 			ipPrefixes = append(ipPrefixes, ipPrefix)
 			continue
 		}
 		return nil, nil, fmt.Errorf(
 			"environment variable DOT_PRIVATE_ADDRESS: %w: %s",
 			ErrPrivateAddressNotValid, privateAddress)
 	}
 	return ips, ipPrefixes, nil
 }
--- a/internal/configuration/sources/env/dot.go
+++ b/internal/configuration/sources/env/dot.go
@@ -0,0 +1,29 @@
 package env
 import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 )
 func (s *Source) readDoT() (dot settings.DoT, err error) {
 	dot.Enabled, err = s.env.BoolPtr("DOT")
 	if err != nil {
 		return dot, err
 	}
 	dot.UpdatePeriod, err = s.env.DurationPtr("DNS_UPDATE_PERIOD")
 	if err != nil {
 		return dot, err
 	}
 	dot.Unbound, err = s.readUnbound()
 	if err != nil {
 		return dot, err
 	}
 	dot.Blacklist, err = s.readDNSBlacklist()
 	if err != nil {
 		return dot, err
 	}
 	return dot, nil
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`FROM qmcgaw/godevcontainer`
							`RUN apk add wireguard-tools htop openssl`