Remove unneeded allow-compression asym

Remove support for multihop
Add missing "key-direction 1"
2024-12-27 20:14:57 +00:00 · 2024-12-27 20:14:54 +00:00 · 2024-12-27 20:08:21 +00:00 · 2024-12-27 20:08:21 +00:00 · 2024-12-27 20:08:21 +00:00 · 2024-12-27 20:08:21 +00:00
55 changed files with 3496 additions and 50 deletions
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -56,6 +56,7 @@ body:
        - IVPN
        - Mullvad
        - NordVPN
+        - OVPN
        - Privado
        - Private Internet Access
        - PrivateVPN
--- a/.github/labels.yml
+++ b/.github/labels.yml
@@ -62,6 +62,8 @@
  color: "cfe8d4"
 - name: "☁️ NordVPN"
  color: "cfe8d4"
+- name: "☁️ OVPN"
+  color: "cfe8d4"
 - name: "☁️ Perfect Privacy"
  color: "cfe8d4"
 - name: "☁️ PIA"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,7 +59,7 @@ jobs:
      - name: Run tests in test container
        run: |
          touch coverage.txt
-          docker run --rm \
+          docker run --rm --device /dev/net/tun \
          -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
          test-container

--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@@ -20,7 +20,7 @@ jobs:
    steps:
      - uses: actions/checkout@v4

-      - uses: DavidAnson/markdownlint-cli2-action@v16
+      - uses: DavidAnson/markdownlint-cli2-action@v18
        with:
          globs: "**.md"
          config: .markdownlint.json
--- a/4
+++ b/4
@@ -125,6 +125,8 @@ ENV VPN_SERVICE_PROVIDER=pia \
    VPN_PORT_FORWARDING_STATUS_FILE="/tmp/gluetun/forwarded_port" \
    VPN_PORT_FORWARDING_USERNAME= \
    VPN_PORT_FORWARDING_PASSWORD= \
+    VPN_PORT_FORWARDING_UP_COMMAND= \
+    VPN_PORT_FORWARDING_DOWN_COMMAND= \
    # # Cyberghost only:
    OPENVPN_CERT= \
    OPENVPN_KEY= \
@@ -145,7 +147,7 @@ ENV VPN_SERVICE_PROVIDER=pia \
    # # ProtonVPN only:
    SECURE_CORE_ONLY= \
    TOR_ONLY= \
-    # # Surfshark only:
+    # # Surfshark and ovpn only:
    MULTIHOP_ONLY= \
    # # VPN Secure only:
    PREMIUM_ONLY= \
--- a/README.md
+++ b/README.md
@@ -57,10 +57,10 @@ Lightweight swiss-knife-like VPN client to multiple VPN service providers
 ## Features

 - Based on Alpine 3.20 for a small Docker image of 35.6MB
- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad**, **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **WeVPN**, **Windscribe** servers
+- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad**, **NordVPN**, **Ovpn**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **WeVPN**, **Windscribe** servers
 - Supports OpenVPN for all providers listed
 - Supports Wireguard both kernelspace and userspace
-  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
+  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Ovpn**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
  - For **Cyberghost**, **Private Internet Access**, **PrivateVPN**, **PureVPN**, **Torguard**, **VPN Unlimited**, **VyprVPN** and **WeVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
  - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
  - More in progress, see [#134](https://github.com/qdm12/gluetun/issues/134)
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -380,7 +380,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,

 	portForwardLogger := logger.New(log.SetComponent("port forwarding"))
 	portForwardLooper := portforward.NewLoop(allSettings.VPN.Provider.PortForwarding,
-		routingConf, httpClient, firewallConf, portForwardLogger, puid, pgid)
+		routingConf, httpClient, firewallConf, portForwardLogger, cmder, puid, pgid)
 	portForwardRunError, err := portForwardLooper.Start(ctx)
 	if err != nil {
 		return fmt.Errorf("starting port forwarding loop: %w", err)
--- a/go.mod
+++ b/go.mod
@@ -3,27 +3,27 @@ module github.com/qdm12/gluetun
 go 1.23

 require (
-	github.com/breml/rootcerts v0.2.18
+	github.com/breml/rootcerts v0.2.19
 	github.com/fatih/color v1.18.0
 	github.com/golang/mock v1.6.0
 	github.com/klauspost/compress v1.17.11
 	github.com/klauspost/pgzip v1.2.6
 	github.com/pelletier/go-toml/v2 v2.2.3
 	github.com/qdm12/dns/v2 v2.0.0-rc8
-	github.com/qdm12/gosettings v0.4.3
+	github.com/qdm12/gosettings v0.4.4
 	github.com/qdm12/goshutdown v0.3.0
 	github.com/qdm12/gosplash v0.2.0
 	github.com/qdm12/gotree v0.3.0
 	github.com/qdm12/log v0.1.0
 	github.com/qdm12/ss-server v0.6.0
-	github.com/stretchr/testify v1.9.0
+	github.com/stretchr/testify v1.10.0
 	github.com/ulikunitz/xz v0.5.11
 	github.com/vishvananda/netlink v1.2.1
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
-	golang.org/x/net v0.30.0
+	golang.org/x/net v0.31.0
 	golang.org/x/sys v0.27.0
-	golang.org/x/text v0.19.0
+	golang.org/x/text v0.20.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	gopkg.in/ini.v1 v1.67.0
@@ -50,9 +50,9 @@ require (
 	github.com/qdm12/goservices v0.1.0 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	golang.org/x/crypto v0.28.0 // indirect
+	golang.org/x/crypto v0.29.0 // indirect
 	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/sync v0.9.0 // indirect
 	golang.org/x/tools v0.26.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/breml/rootcerts v0.2.18 h1:KjZaNT7AX/akUjzpStuwTMQs42YHlPyc6NmdwShVba0=
-github.com/breml/rootcerts v0.2.18/go.mod h1:S/PKh+4d1HUn4HQovEB8hPJZO6pUZYrIhmXBhsegfXw=
+github.com/breml/rootcerts v0.2.19 h1:3D/qwAC1xoh82GmZ21mYzQ1NaLOICUVntIo+MRZYr4U=
+github.com/breml/rootcerts v0.2.19/go.mod h1:S/PKh+4d1HUn4HQovEB8hPJZO6pUZYrIhmXBhsegfXw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -57,8 +57,8 @@ github.com/qdm12/dns/v2 v2.0.0-rc8 h1:kbgKPkbT+79nScfuZ0ZcVhksTGo8IUqQ8TTQGnQlZ1
 github.com/qdm12/dns/v2 v2.0.0-rc8/go.mod h1:VaF02KWEL7xNV4oKfG4N9nEv/kR6bqyIcBReCV5NJhw=
 github.com/qdm12/goservices v0.1.0 h1:9sODefm/yuIGS7ynCkEnNlMTAYn9GzPhtcK4F69JWvc=
 github.com/qdm12/goservices v0.1.0/go.mod h1:/JOFsAnHFiSjyoXxa5FlfX903h20K5u/3rLzCjYVMck=
-github.com/qdm12/gosettings v0.4.3 h1:oGAjiKVtml9oHVlPQo6H3yk6TmtWpVYicNeGFcM7AP8=
-github.com/qdm12/gosettings v0.4.3/go.mod h1:CPrt2YC4UsURTrslmhxocVhMCW03lIrqdH2hzIf5prg=
+github.com/qdm12/gosettings v0.4.4 h1:SM6tOZDf6k8qbjWU8KWyBF4mWIixfsKCfh9DGRLHlj4=
+github.com/qdm12/gosettings v0.4.4/go.mod h1:CPrt2YC4UsURTrslmhxocVhMCW03lIrqdH2hzIf5prg=
 github.com/qdm12/goshutdown v0.3.0 h1:pqBpJkdwlZlfTEx4QHtS8u8CXx6pG0fVo6S1N0MpSEM=
 github.com/qdm12/goshutdown v0.3.0/go.mod h1:EqZ46No00kCTZ5qzdd3qIzY6ayhMt24QI8Mh8LVQYmM=
 github.com/qdm12/gosplash v0.2.0 h1:DOxCEizbW6ZG+FgpH2oK1atT6bM8MHL9GZ2ywSS4zZY=
@@ -73,8 +73,8 @@ github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
 github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vishvananda/netlink v1.2.1 h1:pfLv/qlJUwOTPvtWREA7c3PI4u81YkqZw1DYhI2HmLA=
@@ -87,8 +87,8 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -97,12 +97,12 @@ golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
-golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -117,8 +117,8 @@ golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/internal/cli/openvpnconfig.go
+++ b/internal/cli/openvpnconfig.go
@@ -56,6 +56,7 @@ func (c *CLI) OpenvpnConfig(logger OpenvpnConfigLogger, reader *reader.Reader,
 	if err != nil {
 		return err
 	}
+	allSettings.SetDefaults()

 	ipv6Supported, err := ipv6Checker.IsIPv6Supported()
 	if err != nil {
--- a/internal/command/split.go
+++ b/internal/command/split.go
@@ -0,0 +1,150 @@
+package command
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strings"
+	"unicode/utf8"
+)
+
+var (
+	ErrCommandEmpty            = errors.New("command is empty")
+	ErrSingleQuoteUnterminated = errors.New("unterminated single-quoted string")
+	ErrDoubleQuoteUnterminated = errors.New("unterminated double-quoted string")
+	ErrEscapeUnterminated      = errors.New("unterminated backslash-escape")
+)
+
+// Split splits a command string into a slice of arguments.
+// This is especially important for commands such as:
+// /bin/sh -c "echo hello"
+// which should be split into: ["/bin/sh", "-c", "echo hello"]
+// It supports backslash-escapes, single-quotes and double-quotes.
+// It does not support:
+// - the $" quoting style.
+// - expansion (brace, shell or pathname).
+func Split(command string) (words []string, err error) {
+	if command == "" {
+		return nil, fmt.Errorf("%w", ErrCommandEmpty)
+	}
+
+	const bufferSize = 1024
+	buffer := bytes.NewBuffer(make([]byte, bufferSize))
+
+	startIndex := 0
+
+	for startIndex < len(command) {
+		// skip any split characters at the start
+		character, runeSize := utf8.DecodeRuneInString(command[startIndex:])
+		switch {
+		case strings.ContainsRune(" \n\t", character):
+			startIndex += runeSize
+		case character == '\\':
+			// Look ahead to eventually skip an escaped newline
+			if command[startIndex+runeSize:] == "" {
+				return nil, fmt.Errorf("%w: %q", ErrEscapeUnterminated, command)
+			}
+			character, runeSize := utf8.DecodeRuneInString(command[startIndex+runeSize:])
+			if character == '\n' {
+				startIndex += runeSize + runeSize // backslash and newline
+			}
+		default:
+			var word string
+			buffer.Reset()
+			word, startIndex, err = splitWord(command, startIndex, buffer)
+			if err != nil {
+				return nil, fmt.Errorf("splitting word in %q: %w", command, err)
+			}
+			words = append(words, word)
+		}
+	}
+	return words, nil
+}
+
+// WARNING: buffer must be cleared before calling this function.
+func splitWord(input string, startIndex int, buffer *bytes.Buffer) (
+	word string, newStartIndex int, err error,
+) {
+	cursor := startIndex
+	for cursor < len(input) {
+		character, runeLength := utf8.DecodeRuneInString(input[cursor:])
+		cursor += runeLength
+		if character == '"' ||
+			character == '\'' ||
+			character == '\\' ||
+			character == ' ' ||
+			character == '\n' ||
+			character == '\t' {
+			buffer.WriteString(input[startIndex : cursor-runeLength])
+		}
+
+		switch {
+		case strings.ContainsRune(" \n\t", character): // spacing character
+			return buffer.String(), cursor, nil
+		case character == '"':
+			return handleDoubleQuoted(input, cursor, buffer)
+		case character == '\'':
+			return handleSingleQuoted(input, cursor, buffer)
+		case character == '\\':
+			return handleEscaped(input, cursor, buffer)
+		}
+	}
+
+	buffer.WriteString(input[startIndex:])
+	return buffer.String(), len(input), nil
+}
+
+func handleDoubleQuoted(input string, startIndex int, buffer *bytes.Buffer) (
+	word string, newStartIndex int, err error,
+) {
+	cursor := startIndex
+	for cursor < len(input) {
+		nextCharacter, nextRuneLength := utf8.DecodeRuneInString(input[cursor:])
+		cursor += nextRuneLength
+		switch nextCharacter {
+		case '"': // end of the double quoted string
+			buffer.WriteString(input[startIndex : cursor-nextRuneLength])
+			return splitWord(input, cursor, buffer)
+		case '\\': // escaped character
+			escapedCharacter, escapedRuneLength := utf8.DecodeRuneInString(input[cursor:])
+			cursor += escapedRuneLength
+			if !strings.ContainsRune("$`\"\n\\", escapedCharacter) {
+				break
+			}
+			buffer.WriteString(input[startIndex : cursor-nextRuneLength-escapedRuneLength])
+			if escapedCharacter != '\n' {
+				// skip backslash entirely for the newline character
+				buffer.WriteRune(escapedCharacter)
+			}
+			startIndex = cursor
+		}
+	}
+	return "", 0, fmt.Errorf("%w", ErrDoubleQuoteUnterminated)
+}
+
+func handleSingleQuoted(input string, startIndex int, buffer *bytes.Buffer) (
+	word string, newStartIndex int, err error,
+) {
+	closingQuoteIndex := strings.IndexRune(input[startIndex:], '\'')
+	if closingQuoteIndex == -1 {
+		return "", 0, fmt.Errorf("%w", ErrSingleQuoteUnterminated)
+	}
+	buffer.WriteString(input[startIndex : startIndex+closingQuoteIndex])
+	const singleQuoteRuneLength = 1
+	startIndex += closingQuoteIndex + singleQuoteRuneLength
+	return splitWord(input, startIndex, buffer)
+}
+
+func handleEscaped(input string, startIndex int, buffer *bytes.Buffer) (
+	word string, newStartIndex int, err error,
+) {
+	if input[startIndex:] == "" {
+		return "", 0, fmt.Errorf("%w", ErrEscapeUnterminated)
+	}
+	character, runeLength := utf8.DecodeRuneInString(input[startIndex:])
+	if character != '\n' { // backslash-escaped newline is ignored
+		buffer.WriteString(input[startIndex : startIndex+runeLength])
+	}
+	startIndex += runeLength
+	return splitWord(input, startIndex, buffer)
+}
--- a/internal/command/split_test.go
+++ b/internal/command/split_test.go
@@ -0,0 +1,110 @@
+package command
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Split(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		command    string
+		words      []string
+		errWrapped error
+		errMessage string
+	}{
+		"empty": {
+			command:    "",
+			errWrapped: ErrCommandEmpty,
+			errMessage: "command is empty",
+		},
+		"concrete_sh_command": {
+			command: `/bin/sh -c "echo 123"`,
+			words:   []string{"/bin/sh", "-c", "echo 123"},
+		},
+		"single_word": {
+			command: "word1",
+			words:   []string{"word1"},
+		},
+		"two_words_single_space": {
+			command: "word1 word2",
+			words:   []string{"word1", "word2"},
+		},
+		"two_words_multiple_space": {
+			command: "word1    word2",
+			words:   []string{"word1", "word2"},
+		},
+		"two_words_no_expansion": {
+			command: "word1*    word2?",
+			words:   []string{"word1*", "word2?"},
+		},
+		"escaped_single quote": {
+			command: "ain\\'t good",
+			words:   []string{"ain't", "good"},
+		},
+		"escaped_single_quote_all_single_quoted": {
+			command: "'ain'\\''t good'",
+			words:   []string{"ain't good"},
+		},
+		"empty_single_quoted": {
+			command: "word1 ''  word2",
+			words:   []string{"word1", "", "word2"},
+		},
+		"escaped_newline": {
+			command: "word1\\\nword2",
+			words:   []string{"word1word2"},
+		},
+		"quoted_newline": {
+			command: "text \"with\na\" quoted newline",
+			words:   []string{"text", "with\na", "quoted", "newline"},
+		},
+		"quoted_escaped_newline": {
+			command: "\"word1\\d\\\\\\\" word2\\\nword3 word4\"",
+			words:   []string{"word1\\d\\\" word2word3 word4"},
+		},
+		"escaped_separated_newline": {
+			command: "word1 \\\n word2",
+			words:   []string{"word1", "word2"},
+		},
+		"double_quotes_no_spacing": {
+			command: "word1\"word2\"word3",
+			words:   []string{"word1word2word3"},
+		},
+		"unterminated_single_quote": {
+			command:    "'abc'\\''def",
+			errWrapped: ErrSingleQuoteUnterminated,
+			errMessage: `splitting word in "'abc'\\''def": unterminated single-quoted string`,
+		},
+		"unterminated_double_quote": {
+			command:    "\"abc'def",
+			errWrapped: ErrDoubleQuoteUnterminated,
+			errMessage: `splitting word in "\"abc'def": unterminated double-quoted string`,
+		},
+		"unterminated_escape": {
+			command:    "abc\\",
+			errWrapped: ErrEscapeUnterminated,
+			errMessage: `splitting word in "abc\\": unterminated backslash-escape`,
+		},
+		"unterminated_escape_only": {
+			command:    "   \\",
+			errWrapped: ErrEscapeUnterminated,
+			errMessage: `unterminated backslash-escape: "   \\"`,
+		},
+	}
+
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			words, err := Split(testCase.command)
+
+			assert.Equal(t, testCase.words, words)
+			assert.ErrorIs(t, err, testCase.errWrapped)
+			if testCase.errWrapped != nil {
+				assert.EqualError(t, err, testCase.errMessage)
+			}
+		})
+	}
+}
--- a/internal/configuration/settings/openvpnselection.go
+++ b/internal/configuration/settings/openvpnselection.go
@@ -65,7 +65,7 @@ func (o OpenVPNSelection) validate(vpnProvider string) (err error) {
 		switch vpnProvider {
 		// no restriction on port
 		case providers.Custom, providers.Cyberghost, providers.HideMyAss,
-			providers.Privatevpn, providers.Torguard:
+			providers.Ovpn, providers.Privatevpn, providers.Torguard:
 		// no custom port allowed
 		case providers.Expressvpn, providers.Fastestvpn,
 			providers.Giganews, providers.Ipvanish, providers.Nordvpn,
--- a/internal/configuration/settings/portforward.go
+++ b/internal/configuration/settings/portforward.go
@@ -29,6 +29,14 @@ type PortForwarding struct {
 	// to write to a file. It cannot be nil for the
 	// internal state
 	Filepath *string `json:"status_file_path"`
+	// UpCommand is the command to use when the port forwarding is up.
+	// It can be the empty string to indicate not to run a command.
+	// It cannot be nil in the internal state.
+	UpCommand *string `json:"up_command"`
+	// DownCommand is the command to use after the port forwarding goes down.
+	// It can be the empty string to indicate to NOT run a command.
+	// It cannot be nil in the internal state.
+	DownCommand *string `json:"down_command"`
 	// ListeningPort is the port traffic would be redirected to from the
 	// forwarded port. The redirection is disabled if it is set to 0, which
 	// is its default as well.
@@ -84,6 +92,8 @@ func (p *PortForwarding) Copy() (copied PortForwarding) {
 		Enabled:       gosettings.CopyPointer(p.Enabled),
 		Provider:      gosettings.CopyPointer(p.Provider),
 		Filepath:      gosettings.CopyPointer(p.Filepath),
+		UpCommand:     gosettings.CopyPointer(p.UpCommand),
+		DownCommand:   gosettings.CopyPointer(p.DownCommand),
 		ListeningPort: gosettings.CopyPointer(p.ListeningPort),
 		Username:      p.Username,
 		Password:      p.Password,
@@ -94,6 +104,8 @@ func (p *PortForwarding) OverrideWith(other PortForwarding) {
 	p.Enabled = gosettings.OverrideWithPointer(p.Enabled, other.Enabled)
 	p.Provider = gosettings.OverrideWithPointer(p.Provider, other.Provider)
 	p.Filepath = gosettings.OverrideWithPointer(p.Filepath, other.Filepath)
+	p.UpCommand = gosettings.OverrideWithPointer(p.UpCommand, other.UpCommand)
+	p.DownCommand = gosettings.OverrideWithPointer(p.DownCommand, other.DownCommand)
 	p.ListeningPort = gosettings.OverrideWithPointer(p.ListeningPort, other.ListeningPort)
 	p.Username = gosettings.OverrideWithComparable(p.Username, other.Username)
 	p.Password = gosettings.OverrideWithComparable(p.Password, other.Password)
@@ -103,6 +115,8 @@ func (p *PortForwarding) setDefaults() {
 	p.Enabled = gosettings.DefaultPointer(p.Enabled, false)
 	p.Provider = gosettings.DefaultPointer(p.Provider, "")
 	p.Filepath = gosettings.DefaultPointer(p.Filepath, "/tmp/gluetun/forwarded_port")
+	p.UpCommand = gosettings.DefaultPointer(p.UpCommand, "")
+	p.DownCommand = gosettings.DefaultPointer(p.DownCommand, "")
 	p.ListeningPort = gosettings.DefaultPointer(p.ListeningPort, 0)
 }

@@ -135,6 +149,13 @@ func (p PortForwarding) toLinesNode() (node *gotree.Node) {
 	}
 	node.Appendf("Forwarded port file path: %s", filepath)

+	if *p.UpCommand != "" {
+		node.Appendf("Forwarded port up command: %s", *p.UpCommand)
+	}
+	if *p.DownCommand != "" {
+		node.Appendf("Forwarded port down command: %s", *p.DownCommand)
+	}
+
 	if p.Username != "" {
 		credentialsNode := node.Appendf("Credentials:")
 		credentialsNode.Appendf("Username: %s", p.Username)
@@ -163,6 +184,12 @@ func (p *PortForwarding) read(r *reader.Reader) (err error) {
 			"PRIVATE_INTERNET_ACCESS_VPN_PORT_FORWARDING_STATUS_FILE",
 		))

+	p.UpCommand = r.Get("VPN_PORT_FORWARDING_UP_COMMAND",
+		reader.ForceLowercase(false))
+
+	p.DownCommand = r.Get("VPN_PORT_FORWARDING_DOWN_COMMAND",
+		reader.ForceLowercase(false))
+
 	p.ListeningPort, err = r.Uint16Ptr("VPN_PORT_FORWARDING_LISTENING_PORT")
 	if err != nil {
 		return err
--- a/internal/configuration/settings/provider.go
+++ b/internal/configuration/settings/provider.go
@@ -39,6 +39,7 @@ func (p *Provider) validate(vpnType string, filterChoicesGetter FilterChoicesGet
 			providers.Ivpn,
 			providers.Mullvad,
 			providers.Nordvpn,
+			providers.Ovpn,
 			providers.Protonvpn,
 			providers.Surfshark,
 			providers.Windscribe,
--- a/internal/configuration/settings/wireguard.go
+++ b/internal/configuration/settings/wireguard.go
@@ -65,6 +65,7 @@ func (w Wireguard) validate(vpnProvider string, ipv6Supported bool) (err error)
 		providers.Ivpn,
 		providers.Mullvad,
 		providers.Nordvpn,
+		providers.Ovpn,
 		providers.Protonvpn,
 		providers.Surfshark,
 		providers.Windscribe,
--- a/internal/configuration/settings/wireguardselection.go
+++ b/internal/configuration/settings/wireguardselection.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/netip"

+	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
@@ -21,7 +22,7 @@ type WireguardSelection struct {
 	// in the internal state.
 	EndpointIP netip.Addr `json:"endpoint_ip"`
 	// EndpointPort is a the server port to use for the VPN server.
-	// It is optional for VPN providers IVPN, Mullvad, Surfshark
+	// It is optional for VPN providers IVPN, Mullvad, Ovpn, Surfshark
 	// and Windscribe, and compulsory for the others.
 	// When optional, it can be set to 0 to indicate not use
 	// a custom endpoint port. It cannot be nil in the internal
@@ -39,8 +40,9 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate EndpointIP
 	switch vpnProvider {
 	case providers.Airvpn, providers.Fastestvpn, providers.Ivpn,
-		providers.Mullvad, providers.Nordvpn, providers.Protonvpn,
-		providers.Surfshark, providers.Windscribe:
+		providers.Mullvad, providers.Nordvpn, providers.Ovpn,
+		providers.Protonvpn, providers.Surfshark,
+		providers.Windscribe:
 		// endpoint IP addresses are baked in
 	case providers.Custom:
 		if !w.EndpointIP.IsValid() || w.EndpointIP.IsUnspecified() {
@@ -62,12 +64,16 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 		if *w.EndpointPort != 0 {
 			return fmt.Errorf("%w", ErrWireguardEndpointPortSet)
 		}
-	case providers.Airvpn, providers.Ivpn, providers.Mullvad, providers.Windscribe:
+	case providers.Airvpn, providers.Ivpn, providers.Mullvad,
+		providers.Ovpn, providers.Windscribe:
 		// EndpointPort is optional and can be 0
 		if *w.EndpointPort == 0 {
 			break // no custom endpoint port set
 		}
-		if vpnProvider == providers.Mullvad {
+		if helpers.IsOneOf(vpnProvider,
+			providers.Mullvad,
+			providers.Ovpn,
+		) {
 			break // no restriction on custom endpoint port value
 		}
 		var allowed []uint16
@@ -92,7 +98,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate PublicKey
 	switch vpnProvider {
 	case providers.Fastestvpn, providers.Ivpn, providers.Mullvad,
-		providers.Surfshark, providers.Windscribe:
+		providers.Ovpn, providers.Surfshark, providers.Windscribe:
 		// public keys are baked in
 	case providers.Custom:
 		if w.PublicKey == "" {
--- a/internal/constants/providers/providers.go
+++ b/internal/constants/providers/providers.go
@@ -15,6 +15,7 @@ const (
 	Ivpn                  = "ivpn"
 	Mullvad               = "mullvad"
 	Nordvpn               = "nordvpn"
+	Ovpn                  = "ovpn"
 	Perfectprivacy        = "perfect privacy"
 	Privado               = "privado"
 	PrivateInternetAccess = "private internet access"
@@ -44,6 +45,7 @@ func All() []string {
 		Ivpn,
 		Mullvad,
 		Nordvpn,
+		Ovpn,
 		Perfectprivacy,
 		Privado,
 		PrivateInternetAccess,
--- a/internal/firewall/list.go
+++ b/internal/firewall/list.go
@@ -22,7 +22,7 @@ type chainRule struct {
 	packets         uint64
 	bytes           uint64
 	target          string       // "ACCEPT", "DROP", "REJECT" or "REDIRECT"
-	protocol        string       // "tcp", "udp" or "" for all protocols.
+	protocol        string       // "icmp", "tcp", "udp" or "" for all protocols.
 	inputInterface  string       // input interface, for example "tun0" or "*""
 	outputInterface string       // output interface, for example "eth0" or "*""
 	source          netip.Prefix // source IP CIDR, for example 0.0.0.0/0. Must be valid.
@@ -324,6 +324,8 @@ var ErrProtocolUnknown = errors.New("unknown protocol")
 func parseProtocol(s string) (protocol string, err error) {
 	switch s {
 	case "0":
+	case "1":
+		protocol = "icmp"
 	case "6":
 		protocol = "tcp"
 	case "17":
--- a/internal/firewall/list_test.go
+++ b/internal/firewall/list_test.go
@@ -56,7 +56,8 @@ num pkts bytes target     prot opt in     out     source               destinati
 num pkts bytes target     prot opt in     out     source               destination
 1   0     0 ACCEPT     17   --  tun0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:55405
 2   0     0 ACCEPT     6    --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:55405
-3   0     0 DROP       0    --  tun0   *       1.2.3.4              0.0.0.0/0
+3   0     0 ACCEPT     1    --  tun0   *       0.0.0.0/0            0.0.0.0/0
+4   0     0 DROP       0    --  tun0   *       1.2.3.4              0.0.0.0/0
 `,
 			table: chain{
 				name:    "INPUT",
@@ -92,6 +93,17 @@ num pkts bytes target     prot opt in     out     source               destinati
 						lineNumber:      3,
 						packets:         0,
 						bytes:           0,
+						target:          "ACCEPT",
+						protocol:        "icmp",
+						inputInterface:  "tun0",
+						outputInterface: "*",
+						source:          netip.MustParsePrefix("0.0.0.0/0"),
+						destination:     netip.MustParsePrefix("0.0.0.0/0"),
+					},
+					{
+						lineNumber:      4,
+						packets:         0,
+						bytes:           0,
 						target:          "DROP",
 						protocol:        "",
 						inputInterface:  "tun0",
--- a/internal/firewall/support.go
+++ b/internal/firewall/support.go
@@ -92,7 +92,7 @@ func testIptablesPath(ctx context.Context, path string,
 	// Set policy as the existing policy so no mutation is done.
 	// This is an extra check for some buggy kernels where setting the policy
 	// does not work.
-	cmd = exec.CommandContext(ctx, path, "-L", "INPUT")
+	cmd = exec.CommandContext(ctx, path, "-nL", "INPUT")
 	output, err = runner.Run(cmd)
 	if err != nil {
 		unsupportedMessage = fmt.Sprintf("%s (%s)", output, err)
--- a/internal/firewall/support_test.go
+++ b/internal/firewall/support_test.go
@@ -24,7 +24,7 @@ func newDeleteTestRuleMatcher(path string) *cmdMatcher {

 func newListInputRulesMatcher(path string) *cmdMatcher {
 	return newCmdMatcher(path,
-		"^-L$", "^INPUT$")
+		"^-nL$", "^INPUT$")
 }

 func newSetPolicyMatcher(path, inputPolicy string) *cmdMatcher { //nolint:unparam
--- a/internal/models/server.go
+++ b/internal/models/server.go
@@ -36,6 +36,8 @@ type Server struct {
 	PortForward bool         `json:"port_forward,omitempty"`
 	Keep        bool         `json:"keep,omitempty"`
 	IPs         []netip.Addr `json:"ips,omitempty"`
+	PortsTCP    []uint16     `json:"ports_tcp,omitempty"`
+	PortsUDP    []uint16     `json:"ports_udp,omitempty"`
 }

 var (
--- a/internal/natpmp/externaladdress_test.go
+++ b/internal/natpmp/externaladdress_test.go
@@ -2,6 +2,7 @@ package natpmp

 import (
 	"context"
+	"net"
 	"net/netip"
 	"testing"
 	"time"
@@ -23,14 +24,15 @@ func Test_Client_ExternalAddress(t *testing.T) {
 		durationSinceStartOfEpoch time.Duration
 		externalIPv4Address       netip.Addr
 		err                       error
-		errMessage                string
+		errMessageRegex           string
 	}{
 		"failure": {
 			ctx:                 canceledCtx,
 			gateway:             netip.AddrFrom4([4]byte{127, 0, 0, 1}),
 			initialConnDuration: initialConnectionDuration,
-			err:                 context.Canceled,
-			errMessage:          "executing remote procedure call: reading from udp connection: context canceled",
+			err:                 net.ErrClosed,
+			errMessageRegex: "executing remote procedure call: setting connection deadline: " +
+				"set udp 127.0.0.1:[1-9][0-9]{1,4}: use of closed network connection",
 		},
 		"success": {
 			ctx:                 context.Background(),
@@ -60,7 +62,7 @@ func Test_Client_ExternalAddress(t *testing.T) {
 			durationSinceStartOfEpoch, externalIPv4Address, err := client.ExternalAddress(testCase.ctx, testCase.gateway)
 			assert.ErrorIs(t, err, testCase.err)
 			if testCase.err != nil {
-				assert.EqualError(t, err, testCase.errMessage)
+				assert.Regexp(t, testCase.errMessageRegex, err.Error())
 			}
 			assert.Equal(t, testCase.durationSinceStartOfEpoch, durationSinceStartOfEpoch)
 			assert.Equal(t, testCase.externalIPv4Address, externalIPv4Address)
--- a/internal/natpmp/rpc.go
+++ b/internal/natpmp/rpc.go
@@ -45,8 +45,10 @@ func (c *Client) rpc(ctx context.Context, gateway netip.Addr,
 		cancel()
 		<-endGoroutineDone
 	}()
+	ctxListeningReady := make(chan struct{})
 	go func() {
 		defer close(endGoroutineDone)
+		close(ctxListeningReady)
 		// Context is canceled either by the parent context or
 		// when this function returns.
 		<-ctx.Done()
@@ -60,6 +62,7 @@ func (c *Client) rpc(ctx context.Context, gateway netip.Addr,
 		}
 		err = fmt.Errorf("%w; closing connection: %w", err, closeErr)
 	}()
+	<-ctxListeningReady // really to make unit testing reliable

 	const maxResponseSize = 16
 	response = make([]byte, maxResponseSize)
--- a/internal/portforward/interfaces.go
+++ b/internal/portforward/interfaces.go
@@ -3,6 +3,7 @@ package portforward
 import (
 	"context"
 	"net/netip"
+	"os/exec"
 )

 type Service interface {
@@ -29,3 +30,8 @@ type Logger interface {
 	Warn(s string)
 	Error(s string)
 }
+
+type Cmder interface {
+	Start(cmd *exec.Cmd) (stdoutLines, stderrLines <-chan string,
+		waitError <-chan error, startErr error)
+}
--- a/internal/portforward/loop.go
+++ b/internal/portforward/loop.go
@@ -20,6 +20,7 @@ type Loop struct {
 	client      *http.Client
 	portAllower PortAllower
 	logger      Logger
+	cmder       Cmder
 	// Fixed parameters
 	uid, gid int
 	// Internal channels and locks
@@ -34,7 +35,7 @@ type Loop struct {

 func NewLoop(settings settings.PortForwarding, routing Routing,
 	client *http.Client, portAllower PortAllower,
-	logger Logger, uid, gid int,
+	logger Logger, cmder Cmder, uid, gid int,
 ) *Loop {
 	return &Loop{
 		settings: Settings{
@@ -42,6 +43,8 @@ func NewLoop(settings settings.PortForwarding, routing Routing,
 			Service: service.Settings{
 				Enabled:       settings.Enabled,
 				Filepath:      *settings.Filepath,
+				UpCommand:     *settings.UpCommand,
+				DownCommand:   *settings.DownCommand,
 				ListeningPort: *settings.ListeningPort,
 			},
 		},
@@ -49,6 +52,7 @@ func NewLoop(settings settings.PortForwarding, routing Routing,
 		client:      client,
 		portAllower: portAllower,
 		logger:      logger,
+		cmder:       cmder,
 		uid:         uid,
 		gid:         gid,
 	}
@@ -115,7 +119,7 @@ func (l *Loop) run(runCtx context.Context, runDone chan<- struct{},
 		*serviceSettings.Enabled = *serviceSettings.Enabled && *l.settings.VPNIsUp

 		l.service = service.New(serviceSettings, l.routing, l.client,
-			l.portAllower, l.logger, l.uid, l.gid)
+			l.portAllower, l.logger, l.cmder, l.uid, l.gid)

 		var err error
 		serviceRunError, err = l.service.Start(runCtx)
--- a/internal/portforward/service/command.go
+++ b/internal/portforward/service/command.go
@@ -0,0 +1,59 @@
+package service
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+	"strings"
+
+	"github.com/qdm12/gluetun/internal/command"
+)
+
+func runCommand(ctx context.Context, cmder Cmder, logger Logger,
+	commandTemplate string, ports []uint16,
+) (err error) {
+	portStrings := make([]string, len(ports))
+	for i, port := range ports {
+		portStrings[i] = fmt.Sprint(int(port))
+	}
+	portsString := strings.Join(portStrings, ",")
+	commandString := strings.ReplaceAll(commandTemplate, "{{PORTS}}", portsString)
+	args, err := command.Split(commandString)
+	if err != nil {
+		return fmt.Errorf("parsing command: %w", err)
+	}
+
+	cmd := exec.CommandContext(ctx, args[0], args[1:]...) // #nosec G204
+	stdout, stderr, waitError, err := cmder.Start(cmd)
+	if err != nil {
+		return err
+	}
+
+	streamCtx, streamCancel := context.WithCancel(context.Background())
+	streamDone := make(chan struct{})
+	go streamLines(streamCtx, streamDone, logger, stdout, stderr)
+
+	err = <-waitError
+	streamCancel()
+	<-streamDone
+	return err
+}
+
+func streamLines(ctx context.Context, done chan<- struct{},
+	logger Logger, stdout, stderr <-chan string,
+) {
+	defer close(done)
+
+	var line string
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case line = <-stdout:
+			logger.Info(line)
+		case line = <-stderr:
+			logger.Error(line)
+		}
+	}
+}
--- a/internal/portforward/service/command_test.go
+++ b/internal/portforward/service/command_test.go
@@ -0,0 +1,28 @@
+//go:build linux
+
+package service
+
+import (
+	"context"
+	"testing"
+
+	gomock "github.com/golang/mock/gomock"
+	"github.com/qdm12/gluetun/internal/command"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Service_runCommand(t *testing.T) {
+	t.Parallel()
+	ctrl := gomock.NewController(t)
+
+	ctx := context.Background()
+	cmder := command.New()
+	const commandTemplate = `/bin/sh -c "echo {{PORTS}}"`
+	ports := []uint16{1234, 5678}
+	logger := NewMockLogger(ctrl)
+	logger.EXPECT().Info("1234,5678")
+
+	err := runCommand(ctx, cmder, logger, commandTemplate, ports)
+
+	require.NoError(t, err)
+}
--- a/internal/portforward/service/interfaces.go
+++ b/internal/portforward/service/interfaces.go
@@ -3,6 +3,7 @@ package service
 import (
 	"context"
 	"net/netip"
+	"os/exec"

 	"github.com/qdm12/gluetun/internal/provider/utils"
 )
@@ -32,3 +33,8 @@ type PortForwarder interface {
 		ports []uint16, err error)
 	KeepPortForward(ctx context.Context, objects utils.PortForwardObjects) (err error)
 }
+
+type Cmder interface {
+	Start(cmd *exec.Cmd) (stdoutLines, stderrLines <-chan string,
+		waitError <-chan error, startErr error)
+}
--- a/internal/portforward/service/mocks_generate_test.go
+++ b/internal/portforward/service/mocks_generate_test.go
@@ -0,0 +1,3 @@
+package service
+
+//go:generate mockgen -destination=mocks_test.go -package=$GOPACKAGE . Logger
--- a/internal/portforward/service/mocks_test.go
+++ b/internal/portforward/service/mocks_test.go
@@ -0,0 +1,82 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/qdm12/gluetun/internal/portforward/service (interfaces: Logger)
+
+// Package service is a generated GoMock package.
+package service
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockLogger is a mock of Logger interface.
+type MockLogger struct {
+	ctrl     *gomock.Controller
+	recorder *MockLoggerMockRecorder
+}
+
+// MockLoggerMockRecorder is the mock recorder for MockLogger.
+type MockLoggerMockRecorder struct {
+	mock *MockLogger
+}
+
+// NewMockLogger creates a new mock instance.
+func NewMockLogger(ctrl *gomock.Controller) *MockLogger {
+	mock := &MockLogger{ctrl: ctrl}
+	mock.recorder = &MockLoggerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockLogger) EXPECT() *MockLoggerMockRecorder {
+	return m.recorder
+}
+
+// Debug mocks base method.
+func (m *MockLogger) Debug(arg0 string) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "Debug", arg0)
+}
+
+// Debug indicates an expected call of Debug.
+func (mr *MockLoggerMockRecorder) Debug(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Debug", reflect.TypeOf((*MockLogger)(nil).Debug), arg0)
+}
+
+// Error mocks base method.
+func (m *MockLogger) Error(arg0 string) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "Error", arg0)
+}
+
+// Error indicates an expected call of Error.
+func (mr *MockLoggerMockRecorder) Error(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Error", reflect.TypeOf((*MockLogger)(nil).Error), arg0)
+}
+
+// Info mocks base method.
+func (m *MockLogger) Info(arg0 string) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "Info", arg0)
+}
+
+// Info indicates an expected call of Info.
+func (mr *MockLoggerMockRecorder) Info(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Info", reflect.TypeOf((*MockLogger)(nil).Info), arg0)
+}
+
+// Warn mocks base method.
+func (m *MockLogger) Warn(arg0 string) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "Warn", arg0)
+}
+
+// Warn indicates an expected call of Warn.
+func (mr *MockLoggerMockRecorder) Warn(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Warn", reflect.TypeOf((*MockLogger)(nil).Warn), arg0)
+}
--- a/internal/portforward/service/service.go
+++ b/internal/portforward/service/service.go
@@ -19,6 +19,7 @@ type Service struct {
 	client      *http.Client
 	portAllower PortAllower
 	logger      Logger
+	cmder       Cmder
 	// Internal channels and locks
 	startStopMutex sync.Mutex
 	keepPortCancel context.CancelFunc
@@ -26,7 +27,7 @@ type Service struct {
 }

 func New(settings Settings, routing Routing, client *http.Client,
-	portAllower PortAllower, logger Logger, puid, pgid int,
+	portAllower PortAllower, logger Logger, cmder Cmder, puid, pgid int,
 ) *Service {
 	return &Service{
 		// Fixed parameters
@@ -38,6 +39,7 @@ func New(settings Settings, routing Routing, client *http.Client,
 		client:      client,
 		portAllower: portAllower,
 		logger:      logger,
+		cmder:       cmder,
 	}
 }

--- a/internal/portforward/service/settings.go
+++ b/internal/portforward/service/settings.go
@@ -12,6 +12,8 @@ type Settings struct {
 	Enabled        *bool
 	PortForwarder  PortForwarder
 	Filepath       string
+	UpCommand      string
+	DownCommand    string
 	Interface      string // needed for PIA, PrivateVPN and ProtonVPN, tun0 for example
 	ServerName     string // needed for PIA
 	CanPortForward bool   // needed for PIA
@@ -24,6 +26,8 @@ func (s Settings) Copy() (copied Settings) {
 	copied.Enabled = gosettings.CopyPointer(s.Enabled)
 	copied.PortForwarder = s.PortForwarder
 	copied.Filepath = s.Filepath
+	copied.UpCommand = s.UpCommand
+	copied.DownCommand = s.DownCommand
 	copied.Interface = s.Interface
 	copied.ServerName = s.ServerName
 	copied.CanPortForward = s.CanPortForward
@@ -37,6 +41,8 @@ func (s *Settings) OverrideWith(update Settings) {
 	s.Enabled = gosettings.OverrideWithPointer(s.Enabled, update.Enabled)
 	s.PortForwarder = gosettings.OverrideWithComparable(s.PortForwarder, update.PortForwarder)
 	s.Filepath = gosettings.OverrideWithComparable(s.Filepath, update.Filepath)
+	s.UpCommand = gosettings.OverrideWithComparable(s.UpCommand, update.UpCommand)
+	s.DownCommand = gosettings.OverrideWithComparable(s.DownCommand, update.DownCommand)
 	s.Interface = gosettings.OverrideWithComparable(s.Interface, update.Interface)
 	s.ServerName = gosettings.OverrideWithComparable(s.ServerName, update.ServerName)
 	s.CanPortForward = gosettings.OverrideWithComparable(s.CanPortForward, update.CanPortForward)
--- a/internal/portforward/service/start.go
+++ b/internal/portforward/service/start.go
@@ -73,6 +73,14 @@ func (s *Service) Start(ctx context.Context) (runError <-chan error, err error)
 	s.ports = ports
 	s.portMutex.Unlock()

+	if s.settings.UpCommand != "" {
+		err = runCommand(ctx, s.cmder, s.logger, s.settings.UpCommand, ports)
+		if err != nil {
+			err = fmt.Errorf("running up command: %w", err)
+			s.logger.Error(err.Error())
+		}
+	}
+
 	keepPortCtx, keepPortCancel := context.WithCancel(context.Background())
 	s.keepPortCancel = keepPortCancel
 	runErrorCh := make(chan error)
--- a/internal/portforward/service/stop.go
+++ b/internal/portforward/service/stop.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"time"
 )

 func (s *Service) Stop() (err error) {
@@ -30,6 +31,17 @@ func (s *Service) cleanup() (err error) {
 	s.portMutex.Lock()
 	defer s.portMutex.Unlock()

+	if s.settings.DownCommand != "" {
+		const downTimeout = 60 * time.Second
+		ctx, cancel := context.WithTimeout(context.Background(), downTimeout)
+		defer cancel()
+		err = runCommand(ctx, s.cmder, s.logger, s.settings.DownCommand, s.ports)
+		if err != nil {
+			err = fmt.Errorf("running down command: %w", err)
+			s.logger.Error(err.Error())
+		}
+	}
+
 	for _, port := range s.ports {
 		err = s.portAllower.RemoveAllowedPort(context.Background(), port)
 		if err != nil {
--- a/internal/provider/ipvanish/openvpnconf.go
+++ b/internal/provider/ipvanish/openvpnconf.go
@@ -14,13 +14,17 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 	providerSettings := utils.OpenVPNProviderSettings{
 		AuthUserPass: true,
 		Ciphers: []string{
+			openvpn.AES256gcm,
 			openvpn.AES256cbc,
 		},
 		Auth:           openvpn.SHA256,
 		VerifyX509Type: "name",
 		TLSCipher:      "TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA",
-		CAs:            []string{"MIIErTCCA5WgAwIBAgIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBDQUAMIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYDVQQKEwhJUFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJUFZhbmlzaCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20wHhcNMTIwMTExMTkzMjIwWhcNMjgxMTAyMTkzMjIwWjCBlTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkZMMRQwEgYDVQQHEwtXaW50ZXIgUGFyazERMA8GA1UEChMISVBWYW5pc2gxFTATBgNVBAsTDElQVmFuaXNoIFZQTjEUMBIGA1UEAxMLSVBWYW5pc2ggQ0ExIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXB2YW5pc2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9DBWNr/IKOuY3TmDP5x7vYZR0DGxLbXU8TyAzBbjUtFFMbhxlHiXVQrZHmgzih94x7BgXM7tWpmMKYVb+gNaqMdWE680Qm3nOwmhy/dulXDkEHAwD05i/iTx4ZaUdtV2vsKBxRg1vdC4AEiwD7bqV4HOi13xcG971aQ55Mj1KeCdA0aNvpat1LWx2jjWxsfI8s2Lv5Fkoi1HO1+vTnnaEsJZrBgAkLXpItqP29Lik3/OBIvkBIxlKrhiVPixE5qNiD+eSPirsmROvsyIonoJtuY4Dw5K6pcNlKyYiwo1IOFYU3YxffwFJk+bSW4WVBhsdf5dGxq/uOHmuz5gdwxCwIDAQABo4H9MIH6MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFEv9FCWJHefBcIPX9p8RHCVOGe6uMIHKBgNVHSMEgcIwgb+AFEv9FCWJHefBcIPX9p8RHCVOGe6uoYGbpIGYMIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYDVQQKEwhJUFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJUFZhbmlzaCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb22CCQDGCs0kvLjygzANBgkqhkiG9w0BAQ0FAAOCAQEAI2dkh/43ksV2fdYpVGhYaFZPVqCJoToCez0IvOmLeLGzow+EOSrY508oyjYeNP4VJEjApqo0NrMbKl8g/8bpLBcotOCF1c1HZ+y9v7648uumh01SMjsbBeHOuQcLb+7gX6c0pEmxWv8qj5JiW3/1L1bktnjW5Yp5oFkFSMXjOnIoYKHyKLjN2jtwH6XowUNYpg4qVtKU0CXPdOznWcd9/zSfa393HwJPeeVLbKYaFMC4IEbIUmKYtWyoJ9pJ58smU3pWsHZUg9Zc0LZZNjkNlBdQSLmUHAJ33Bd7pJS0JQeiWviC+4UTmzEWRKa7pDGnYRYNu2cUo0/voStphv8EVA=="}, //nolint:lll
+		CAs:            []string{"MIIErzCCA5egAwIBAgIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBDQUAMIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYDVQQKEwhJUFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJUFZhbmlzaCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20wIBcNMjIwNTA5MjAyMDQ1WhgPMjA4MjA0MjQyMDIwNDVaMIGVMQswCQYDVQQGEwJVUzELMAkGA1UECBMCRkwxFDASBgNVBAcTC1dpbnRlciBQYXJrMREwDwYDVQQKEwhJUFZhbmlzaDEVMBMGA1UECxMMSVBWYW5pc2ggVlBOMRQwEgYDVQQDEwtJUFZhbmlzaCBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBpcHZhbmlzaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC30MFY2v8go65jdOYM/nHu9hlHQMbEttdTxPIDMFuNS0UUxuHGUeJdVCtkeaDOKH3jHsGBczu1amYwphVv6A1qox1YTrzRCbec7CaHL926VcOQQcDAPTmL+JPHhlpR21Xa+woHFGDW90LgASLAPtupXgc6LXfFwb3vVpDnkyPUp4J0DRo2+lq3UtbHaONbGx8jyzYu/kWSiLUc7X69OedoSwlmsGACQteki2o/b0uKTf84Ei+QEjGUquGJU+LETmo2IP55I+KuyZE6+zIiiegm25jgPDkrqlw2UrJiLCjUg4VhTdjF9/AUmT5tJbhZUGGx1/l0bGr+44ea7PmB3DELAgMBAAGjgf0wgfowDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUS/0UJYkd58Fwg9f2nxEcJU4Z7q4wgcoGA1UdIwSBwjCBv4AUS/0UJYkd58Fwg9f2nxEcJU4Z7q6hgZukgZgwgZUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJGTDEUMBIGA1UEBxMLV2ludGVyIFBhcmsxETAPBgNVBAoTCElQVmFuaXNoMRUwEwYDVQQLEwxJUFZhbmlzaCBWUE4xFDASBgNVBAMTC0lQVmFuaXNoIENBMSMwIQYJKoZIhvcNAQkBFhRzdXBwb3J0QGlwdmFuaXNoLmNvbYIJAMYKzSS8uPKDMA0GCSqGSIb3DQEBDQUAA4IBAQCc9JV7IR8BfBrF/BQTXg0SZMZyyMAxR2jfW9qMHKSeJuZVVjfHiqoynEgBCNbn71wZWv3OF/Thu9BJ4GiYJ2Bc9nIa90D1NGYgiOVYLGXfUUqy5FgfrsWh0Go5oYm9l7W9pWfIifwsaZynkY0rTIHn32FF0H3+wZrGrEUzVL6qi+KD8iR3cBbLT+xUzulMTBp4JYaQnxpV4fZNS0ZsNrWKFWz4Iz1SSBcsnvUhfWs1aKx4yOJQx33Pc+KwpUI+meTlMjoh+AoTriooKU2MbOqLQl32y3pR0MP3fX4HDVFRylxdckEc+VryGNHQLUJiIBKBCORih/YiRhtEhpoBxmkw"}, //nolint:lll
 		MssFix:         1320,
+		ExtraLines: []string{
+			"comp-lzo", // Explicitly disable compression
+		},
 	}
 	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
 }
--- a/internal/provider/ovpn/connection.go
+++ b/internal/provider/ovpn/connection.go
@@ -0,0 +1,15 @@
+package ovpn
+
+import (
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/utils"
+)
+
+func (p *Provider) GetConnection(selection settings.ServerSelection, ipv6Supported bool) (
+	connection models.Connection, err error,
+) {
+	defaults := utils.NewConnectionDefaults(443, 1194, 9929) //nolint:mnd
+	return utils.GetConnection(p.Name(),
+		p.storage, selection, defaults, ipv6Supported, p.randSource)
+}
--- a/internal/provider/ovpn/connection_test.go
+++ b/internal/provider/ovpn/connection_test.go
@@ -0,0 +1,128 @@
+package ovpn
+
+import (
+	"errors"
+	"math/rand"
+	"net/http"
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants"
+	"github.com/qdm12/gluetun/internal/constants/providers"
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Provider_GetConnection(t *testing.T) {
+	t.Parallel()
+
+	const provider = providers.Ovpn
+
+	errTest := errors.New("test error")
+
+	testCases := map[string]struct {
+		filteredServers []models.Server
+		storageErr      error
+		selection       settings.ServerSelection
+		ipv6Supported   bool
+		connection      models.Connection
+		errWrapped      error
+		errMessage      string
+	}{
+		"error": {
+			storageErr: errTest,
+			errWrapped: errTest,
+			errMessage: "filtering servers: test error",
+		},
+		"default_openvpn_tcp_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
+			},
+			selection: settings.ServerSelection{
+				OpenVPN: settings.OpenVPNSelection{
+					Protocol: constants.TCP,
+				},
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.OpenVPN,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     443,
+				Protocol: constants.TCP,
+			},
+		},
+		"default_openvpn_udp_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
+			},
+			selection: settings.ServerSelection{
+				OpenVPN: settings.OpenVPNSelection{
+					Protocol: constants.UDP,
+				},
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.OpenVPN,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     1194,
+				Protocol: constants.UDP,
+			},
+		},
+		"default_wireguard_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x"},
+			},
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.Wireguard,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     9929,
+				Protocol: constants.UDP,
+				PubKey:   "x",
+			},
+		},
+		"default_multihop_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x", PortsUDP: []uint16{30044}},
+			},
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.Wireguard,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     30044,
+				Protocol: constants.UDP,
+				PubKey:   "x",
+			},
+		},
+	}
+
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			ctrl := gomock.NewController(t)
+
+			storage := common.NewMockStorage(ctrl)
+			storage.EXPECT().FilterServers(provider, testCase.selection).
+				Return(testCase.filteredServers, testCase.storageErr)
+			randSource := rand.NewSource(0)
+
+			client := (*http.Client)(nil)
+			provider := New(storage, randSource, client)
+
+			connection, err := provider.GetConnection(testCase.selection, testCase.ipv6Supported)
+
+			assert.ErrorIs(t, err, testCase.errWrapped)
+			if testCase.errWrapped != nil {
+				assert.EqualError(t, err, testCase.errMessage)
+			}
+
+			assert.Equal(t, testCase.connection, connection)
+		})
+	}
+}
--- a/internal/provider/ovpn/openvpnconf.go
+++ b/internal/provider/ovpn/openvpnconf.go
@@ -0,0 +1,41 @@
+package ovpn
+
+import (
+	"strings"
+
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants/openvpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/utils"
+)
+
+func (p *Provider) OpenVPNConfig(connection models.Connection,
+	settings settings.OpenVPN, ipv6Supported bool,
+) (lines []string) {
+	providerSettings := utils.OpenVPNProviderSettings{
+		AuthUserPass:  true,
+		RemoteCertTLS: true,
+		Ciphers: []string{
+			openvpn.AES256gcm,
+			openvpn.AES256cbc,
+			openvpn.AES128gcm,
+			openvpn.Chacha20Poly1305,
+		},
+		CAs: []string{
+			"MIIEfTCCA2WgAwIBAgIJAK2aIWqpLj1/MA0GCSqGSIb3DQEBBQUAMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTAeFw0xNDA4MTcxODIxMjlaFw0zNDA4MTIxODIxMjlaMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMR+aP4GTuZwurZuOA2NYzMfqKyZi/TJcLEPlGTB/b4CWA9bTd8f0pHPrDAZsXIEayxxB58BIFNDNiybnbO15JN/QwlsqmA+aZX6mCSkScs/rRwasM6LDo8iGx+KmYEqAgzziONGbCMnlO+OaarXte7LhZ9X6Z/bryu4xq/i1v3raak13kXsrogtu4iDzxqJE/QhbNOi0yhCdlm5RYQjmlKGdPB9pNTgcakVI4HcngRYMzBlrGin0YkvWCdpx5FrDNeld7BSWrJMNYyvd+buaid0Fu1T9/P/Srj/8AiabKoaDyiGFbZdTnGfK+04lWRvwAmvazpqbUt5Omw634jJDuMCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUEvJcHHcTiDtu7bAyZw+xaqg+xdIwgboGA1UdIwSBsjCBr4AUEvJcHHcTiDtu7bAyZw+xaqg+xdKhgYukgYgwgYUxCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlTdG9ja2hvbG0xEjAQBgNVBAcTCVN0b2NraG9sbTEcMBoGA1UECxMTRmlybWEgRGF2aWQgV2liZXJnaDETMBEGA1UEAxMKb3Zwbi5zZSBjYTEbMBkGCSqGSIb3DQEJARYMaW5mb0BvdnBuLnNlggkArZohaqkuPX8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAJmID6OyBJbV7ayPPgquojF+FICuDdOfGVKP828cyISxcbVA04VpD0QLYVb0k9pFUx0NbgX2SvRTiFhP7LcyS1HV9s+XLCb2WItPPsrdRTwtqU2n3TlCEzWA3WOcOCtT6JSkv1eelmx1JnP0gYJrDvDvRYBFctwWhtE0bineSQkZwN6980zkknADLAiHpeZSu/AMx7CGTwA6SmoFvpNBmHXDcfe/9ZqbbYfUfyPNe+0JbMrcv1elKi+6wlEkHFaEBphiZwGEbOX1CjUMcQFgW/cIp3n50Eiyx6ktuqimhyb59P4Nw8gqH452tTtE4MM/brA5y0Q0WFBRBojfZIbGWWQ==", //nolint:lll
+		},
+		TLSAuth:      "81782767e4d59c4464cc5d1896f1cf6015017d53ac62e2e3b94b889e00b2c69ddc01944fe1c6d895b4d80540502eb71910b8d785c9efa9e3182343532adffe1cfbb7bb6eae39c502da2748edf0fb89b8a20b0a1085cc1f06135037881bc0c4ad8f2c0f4f72d2ab466fb54af3d8264c5fddeb0f21aa0ca41863678f5fc4c44de4ca0926b36dfddc42c6f2fabd1694bdc8215b2d223b9c21dc6734c2c778093187afb8c33403b228b9af68b540c284f6d183bcc88bd41d47bd717996e499ce1cbbfa768a9723c19c58314c4d19cfed82e543ee92e73d38ad26d4fbec231c0f9f3b30773a5c87792e9bc7c34e8d7611002ebedd044e48a0f1f96527bfdcc940aa09", //nolint:lll
+		KeyDirection: "1",
+		ExtraLines: []string{
+			"replay-window 256",
+		},
+	}
+
+	if strings.HasSuffix(connection.Hostname, "singapore.ovpn.com") {
+		providerSettings.TLSCrypt = providerSettings.TLSAuth
+		providerSettings.TLSAuth = ""
+		providerSettings.KeyDirection = ""
+	}
+
+	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
+}
--- a/internal/provider/ovpn/provider.go
+++ b/internal/provider/ovpn/provider.go
@@ -0,0 +1,30 @@
+package ovpn
+
+import (
+	"math/rand"
+	"net/http"
+
+	"github.com/qdm12/gluetun/internal/constants/providers"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/qdm12/gluetun/internal/provider/ovpn/updater"
+)
+
+type Provider struct {
+	storage    common.Storage
+	randSource rand.Source
+	common.Fetcher
+}
+
+func New(storage common.Storage, randSource rand.Source,
+	client *http.Client,
+) *Provider {
+	return &Provider{
+		storage:    storage,
+		randSource: randSource,
+		Fetcher:    updater.New(client),
+	}
+}
+
+func (p *Provider) Name() string {
+	return providers.Ovpn
+}
--- a/internal/provider/ovpn/updater/api.go
+++ b/internal/provider/ovpn/updater/api.go
@@ -0,0 +1,179 @@
+package updater
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/netip"
+	"strings"
+
+	"github.com/qdm12/gluetun/internal/provider/common"
+)
+
+type apiData struct {
+	Success     bool            `json:"success"`
+	DataCenters []apiDataCenter `json:"datacenters"`
+}
+
+type apiDataCenter struct {
+	City        string      `json:"city"`
+	CountryName string      `json:"country_name"`
+	Servers     []apiServer `json:"servers"`
+}
+
+type apiServer struct {
+	IP             netip.Addr `json:"ip"`
+	Ptr            string     `json:"ptr"` // hostname
+	Online         bool       `json:"online"`
+	PublicKey      string     `json:"public_key"`
+	WireguardPorts []uint16   `json:"wireguard_ports"`
+}
+
+func fetchAPI(ctx context.Context, client *http.Client) (
+	data apiData, err error,
+) {
+	const url = "https://www.ovpn.com/v2/api/client/entry"
+
+	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return data, err
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return data, err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		_ = response.Body.Close()
+		return data, fmt.Errorf("%w: %d %s", common.ErrHTTPStatusCodeNotOK,
+			response.StatusCode, response.Status)
+	}
+
+	decoder := json.NewDecoder(response.Body)
+	err = decoder.Decode(&data)
+	if err != nil {
+		_ = response.Body.Close()
+		return data, fmt.Errorf("decoding response body: %w", err)
+	}
+
+	err = response.Body.Close()
+	if err != nil {
+		return data, fmt.Errorf("closing response body: %w", err)
+	}
+
+	return data, nil
+}
+
+var (
+	ErrCityNotSet        = errors.New("city is not set")
+	ErrCountryNameNotSet = errors.New("country name is not set")
+	ErrServersNotSet     = errors.New("servers array is not set")
+)
+
+func (a *apiDataCenter) validate() (err error) {
+	conditionalErrors := []conditionalError{
+		{err: ErrCityNotSet, condition: a.City == ""},
+		{err: ErrCountryNameNotSet, condition: a.CountryName == ""},
+		{err: ErrServersNotSet, condition: len(a.Servers) == 0},
+	}
+	err = collectErrors(conditionalErrors)
+	if err != nil {
+		var dataCenterSetFields []string
+		if a.CountryName != "" {
+			dataCenterSetFields = append(dataCenterSetFields, a.CountryName)
+		}
+		if a.City != "" {
+			dataCenterSetFields = append(dataCenterSetFields, a.City)
+		}
+		if len(dataCenterSetFields) == 0 {
+			return err
+		}
+		return fmt.Errorf("data center %s: %w",
+			strings.Join(dataCenterSetFields, ", "), err)
+	}
+
+	for i, server := range a.Servers {
+		err = server.validate()
+		if err != nil {
+			return fmt.Errorf("datacenter %s, %s: server %d of %d: %w",
+				a.CountryName, a.City, i+1, len(a.Servers), err)
+		}
+	}
+
+	return nil
+}
+
+var (
+	ErrIPFieldNotValid         = errors.New("ip address is not set")
+	ErrHostnameFieldNotSet     = errors.New("hostname field is not set")
+	ErrPublicKeyFieldNotSet    = errors.New("public key field is not set")
+	ErrWireguardPortsNotSet    = errors.New("wireguard ports array is not set")
+	ErrWireguardPortNotDefault = errors.New("wireguard port is not the default 9929")
+)
+
+func (a *apiServer) validate() (err error) {
+	const defaultWireguardPort = 9929
+	conditionalErrors := []conditionalError{
+		{err: ErrIPFieldNotValid, condition: !a.IP.IsValid()},
+		{err: ErrHostnameFieldNotSet, condition: a.Ptr == ""},
+		{err: ErrPublicKeyFieldNotSet, condition: a.PublicKey == ""},
+		{err: ErrWireguardPortsNotSet, condition: len(a.WireguardPorts) == 0},
+		{
+			err:       ErrWireguardPortNotDefault,
+			condition: len(a.WireguardPorts) != 1 || a.WireguardPorts[0] != defaultWireguardPort,
+		},
+	}
+	err = collectErrors(conditionalErrors)
+	switch {
+	case err == nil:
+		return nil
+	case a.Ptr != "":
+		return fmt.Errorf("server %s: %w", a.Ptr, err)
+	case a.IP.IsValid():
+		return fmt.Errorf("server %s: %w", a.IP.String(), err)
+	default:
+		return err
+	}
+}
+
+type conditionalError struct {
+	err       error
+	condition bool
+}
+
+type joinedError struct {
+	errs []error
+}
+
+func (e *joinedError) Unwrap() []error {
+	return e.errs
+}
+
+func (e *joinedError) Error() string {
+	errStrings := make([]string, len(e.errs))
+	for i, err := range e.errs {
+		errStrings[i] = err.Error()
+	}
+	return strings.Join(errStrings, "; ")
+}
+
+func collectErrors(conditionalErrors []conditionalError) (err error) {
+	errs := make([]error, 0, len(conditionalErrors))
+	for _, conditionalError := range conditionalErrors {
+		if !conditionalError.condition {
+			continue
+		}
+		errs = append(errs, conditionalError.err)
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+
+	return &joinedError{
+		errs: errs,
+	}
+}
--- a/internal/provider/ovpn/updater/api_test.go
+++ b/internal/provider/ovpn/updater/api_test.go
@@ -0,0 +1,115 @@
+package updater
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net/http"
+	"net/netip"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_fetchAPI(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		responseStatus int
+		responseBody   io.ReadCloser
+		data           apiData
+		err            error
+	}{
+		"http response status not ok": {
+			responseStatus: http.StatusNoContent,
+			err:            errors.New("HTTP status code not OK: 204 No Content"),
+		},
+		"nil body": {
+			responseStatus: http.StatusOK,
+			err:            errors.New("decoding response body: EOF"),
+		},
+		"no server": {
+			responseStatus: http.StatusOK,
+			responseBody:   io.NopCloser(strings.NewReader(`{}`)),
+		},
+		"success": {
+			responseStatus: http.StatusOK,
+			responseBody: io.NopCloser(strings.NewReader(`{
+		  "success": true,
+		  "datacenters": [
+		    {
+		      "slug": "vienna",
+		      "city": "Vienna",
+		      "country": "AT",
+		      "country_name": "Austria",
+		      "pools": [
+		        "pool-1.prd.at.vienna.ovpn.com"
+		      ],
+		      "ping_address": "37.120.212.227",
+		      "servers": [
+		        {
+		          "ip": "37.120.212.227",
+		          "ptr": "vpn44.prd.vienna.ovpn.com",
+		          "name": "VPN44 - Vienna",
+		          "online": true,
+		          "load": 8,
+		          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+		          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+		          "wireguard_ports": [
+		            9929
+		          ],
+		          "multihop_openvpn_port": 20044,
+		          "multihop_wireguard_port": 30044
+		        }
+		      ]
+		    }
+		  ]
+		}`)),
+			data: apiData{
+				Success: true,
+				DataCenters: []apiDataCenter{
+					{CountryName: "Austria", City: "Vienna", Servers: []apiServer{
+						{
+							IP:             netip.MustParseAddr("37.120.212.227"),
+							Ptr:            "vpn44.prd.vienna.ovpn.com",
+							Online:         true,
+							PublicKey:      "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+							WireguardPorts: []uint16{9929},
+						},
+					}},
+				},
+			},
+		},
+	}
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := context.Background()
+
+			client := &http.Client{
+				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+					assert.Equal(t, http.MethodGet, r.Method)
+					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
+					return &http.Response{
+						StatusCode: testCase.responseStatus,
+						Status:     http.StatusText(testCase.responseStatus),
+						Body:       testCase.responseBody,
+					}, nil
+				}),
+			}
+
+			data, err := fetchAPI(ctx, client)
+
+			assert.Equal(t, testCase.data, data)
+			if testCase.err != nil {
+				require.Error(t, err)
+				assert.Equal(t, testCase.err.Error(), err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
--- a/internal/provider/ovpn/updater/roundtrip_test.go
+++ b/internal/provider/ovpn/updater/roundtrip_test.go
@@ -0,0 +1,9 @@
+package updater
+
+import "net/http"
+
+type roundTripFunc func(r *http.Request) (*http.Response, error)
+
+func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) {
+	return f(r)
+}
--- a/internal/provider/ovpn/updater/servers.go
+++ b/internal/provider/ovpn/updater/servers.go
@@ -0,0 +1,66 @@
+package updater
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"sort"
+
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+)
+
+var ErrResponseSuccessFalse = errors.New("response success field is false")
+
+func (u *Updater) FetchServers(ctx context.Context, minServers int) (
+	servers []models.Server, err error,
+) {
+	data, err := fetchAPI(ctx, u.client)
+	if err != nil {
+		return nil, fmt.Errorf("fetching API: %w", err)
+	} else if !data.Success {
+		return nil, fmt.Errorf("%w", ErrResponseSuccessFalse)
+	}
+
+	for dataCenterIndex, dataCenter := range data.DataCenters {
+		err = dataCenter.validate()
+		if err != nil {
+			return nil, fmt.Errorf("validating data center %d of %d: %w",
+				dataCenterIndex+1, len(data.DataCenters), err)
+		}
+
+		for _, apiServer := range dataCenter.Servers {
+			if !apiServer.Online {
+				continue
+			}
+
+			baseServer := models.Server{
+				Country:  dataCenter.CountryName,
+				City:     dataCenter.City,
+				Hostname: apiServer.Ptr,
+				IPs:      []netip.Addr{apiServer.IP},
+			}
+			openVPNServer := baseServer
+			openVPNServer.VPN = vpn.OpenVPN
+			openVPNServer.TCP = true
+			openVPNServer.UDP = true
+			servers = append(servers, openVPNServer)
+
+			wireguardServer := baseServer
+			wireguardServer.VPN = vpn.Wireguard
+			wireguardServer.WgPubKey = apiServer.PublicKey
+			servers = append(servers, wireguardServer)
+		}
+	}
+
+	if len(servers) < minServers {
+		return nil, fmt.Errorf("%w: %d and expected at least %d",
+			common.ErrNotEnoughServers, len(servers), minServers)
+	}
+
+	sort.Sort(models.SortableServers(servers))
+
+	return servers, nil
+}
--- a/internal/provider/ovpn/updater/servers_test.go
+++ b/internal/provider/ovpn/updater/servers_test.go
@@ -0,0 +1,181 @@
+package updater
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/netip"
+	"strings"
+	"testing"
+
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Updater_FetchServers(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		// Inputs
+		minServers int
+
+		// From API
+		responseStatus int
+		responseBody   string
+
+		// Output
+		servers    []models.Server
+		errWrapped error
+		errMessage string
+	}{
+		"http_response_error": {
+			responseStatus: http.StatusNoContent,
+			errWrapped:     common.ErrHTTPStatusCodeNotOK,
+			errMessage:     "fetching API: HTTP status code not OK: 204 No Content",
+		},
+		"success_field_false": {
+			responseStatus: http.StatusOK,
+			responseBody:   `{"success": false}`,
+			errWrapped:     ErrResponseSuccessFalse,
+			errMessage:     "response success field is false",
+		},
+		"validation_failed": {
+			responseStatus: http.StatusOK,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "city": "Vienna",
+      "servers": [
+        {}
+      ]
+    }
+  ]
+}`,
+			errWrapped: ErrCountryNameNotSet,
+			errMessage: "validating data center 1 of 1: data center Vienna: country name is not set",
+		},
+		"not_enough_servers": {
+			minServers:     3,
+			responseStatus: http.StatusOK,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "city": "Vienna",
+      "country_name": "Austria",
+      "servers": [
+        {
+          "ip": "37.120.212.227",
+          "ptr": "vpn44.prd.vienna.ovpn.com",
+          "online": true,
+          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+          "wireguard_ports": [9929],
+          "multihop_openvpn_port": 20044,
+          "multihop_wireguard_port": 30044
+        }
+      ]
+    }
+  ]
+}`,
+			errWrapped: common.ErrNotEnoughServers,
+			errMessage: "not enough servers found: 2 and expected at least 3",
+		},
+		"success": {
+			minServers: 2,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "slug": "vienna",
+      "city": "Vienna",
+      "country": "AT",
+      "country_name": "Austria",
+      "pools": [
+        "pool-1.prd.at.vienna.ovpn.com"
+      ],
+      "ping_address": "37.120.212.227",
+      "servers": [
+        {
+          "ip": "37.120.212.227",
+          "ptr": "vpn44.prd.vienna.ovpn.com",
+          "name": "VPN44 - Vienna",
+          "online": true,
+          "load": 8,
+          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+          "wireguard_ports": [
+            9929
+          ],
+          "multihop_openvpn_port": 20044,
+          "multihop_wireguard_port": 30044
+        },
+        {
+          "ip": "37.120.212.228",
+          "ptr": "vpn45.prd.vienna.ovpn.com",
+          "online": false,
+          "public_key": "r93LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+          "wireguard_ports": [9929],
+          "multihop_openvpn_port": 20045,
+          "multihop_wireguard_port": 30045
+        }
+      ]
+    }
+  ]
+}`,
+			responseStatus: http.StatusOK,
+			servers: []models.Server{
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.OpenVPN,
+					UDP:      true,
+					TCP:      true,
+				},
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.Wireguard,
+					WgPubKey: "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+				},
+			},
+		},
+	}
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := context.Background()
+
+			client := &http.Client{
+				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+					assert.Equal(t, http.MethodGet, r.Method)
+					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
+					return &http.Response{
+						StatusCode: testCase.responseStatus,
+						Status:     http.StatusText(testCase.responseStatus),
+						Body:       io.NopCloser(strings.NewReader(testCase.responseBody)),
+					}, nil
+				}),
+			}
+
+			updater := &Updater{
+				client: client,
+			}
+
+			servers, err := updater.FetchServers(ctx, testCase.minServers)
+
+			assert.Equal(t, testCase.servers, servers)
+			assert.ErrorIs(t, err, testCase.errWrapped)
+			if testCase.errWrapped != nil {
+				assert.EqualError(t, err, testCase.errMessage)
+			}
+		})
+	}
+}
--- a/internal/provider/ovpn/updater/updater.go
+++ b/internal/provider/ovpn/updater/updater.go
@@ -0,0 +1,15 @@
+package updater
+
+import (
+	"net/http"
+)
+
+type Updater struct {
+	client *http.Client
+}
+
+func New(client *http.Client) *Updater {
+	return &Updater{
+		client: client,
+	}
+}
--- a/internal/provider/providers.go
+++ b/internal/provider/providers.go
@@ -21,6 +21,7 @@ import (
 	"github.com/qdm12/gluetun/internal/provider/ivpn"
 	"github.com/qdm12/gluetun/internal/provider/mullvad"
 	"github.com/qdm12/gluetun/internal/provider/nordvpn"
+	"github.com/qdm12/gluetun/internal/provider/ovpn"
 	"github.com/qdm12/gluetun/internal/provider/perfectprivacy"
 	"github.com/qdm12/gluetun/internal/provider/privado"
 	"github.com/qdm12/gluetun/internal/provider/privateinternetaccess"
@@ -71,6 +72,7 @@ func NewProviders(storage Storage, timeNow func() time.Time,
 		providers.Ivpn:                  ivpn.New(storage, randSource, client, updaterWarner, parallelResolver),
 		providers.Mullvad:               mullvad.New(storage, randSource, client),
 		providers.Nordvpn:               nordvpn.New(storage, randSource, client, updaterWarner),
+		providers.Ovpn:                  ovpn.New(storage, randSource, client),
 		providers.Perfectprivacy:        perfectprivacy.New(storage, randSource, unzipper, updaterWarner),
 		providers.Privado:               privado.New(storage, randSource, ipFetcher, unzipper, updaterWarner, parallelResolver),
 		providers.PrivateInternetAccess: privateinternetaccess.New(storage, randSource, timeNow, client),
--- a/internal/provider/utils/connection.go
+++ b/internal/provider/utils/connection.go
@@ -44,8 +44,6 @@ func GetConnection(provider string,
 	}

 	protocol := getProtocol(selection)
-	port := getPort(selection, defaults.OpenVPNTCPPort,
-		defaults.OpenVPNUDPPort, defaults.WireguardPort)

 	connections := make([]models.Connection, 0, len(servers))
 	for _, server := range servers {
@@ -61,6 +59,9 @@ func GetConnection(provider string,
 				hostname = server.OvpnX509
 			}

+			port := getPort(selection, server, defaults.OpenVPNTCPPort,
+				defaults.OpenVPNUDPPort, defaults.WireguardPort)
+
 			connection := models.Connection{
 				Type:        selection.VPN,
 				IP:          ip,
--- a/internal/provider/utils/port.go
+++ b/internal/provider/utils/port.go
@@ -6,29 +6,44 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
 )

-func getPort(selection settings.ServerSelection,
+func getPort(selection settings.ServerSelection, server models.Server,
 	defaultOpenVPNTCP, defaultOpenVPNUDP, defaultWireguard uint16,
 ) (port uint16) {
 	switch selection.VPN {
 	case vpn.Wireguard:
 		customPort := *selection.Wireguard.EndpointPort
 		if customPort > 0 {
+			// Note: servers filtering ensures the custom port is within the
+			// server ports defined if any is set.
 			return customPort
 		}
+
+		if len(server.PortsUDP) > 0 {
+			defaultWireguard = server.PortsUDP[0]
+		}
 		checkDefined("Wireguard", defaultWireguard)
 		return defaultWireguard
 	default: // OpenVPN
 		customPort := *selection.OpenVPN.CustomPort
 		if customPort > 0 {
+			// Note: servers filtering ensures the custom port is within the
+			// server ports defined if any is set.
 			return customPort
 		}
 		if selection.OpenVPN.Protocol == constants.TCP {
+			if len(server.PortsTCP) > 0 {
+				defaultOpenVPNTCP = server.PortsTCP[0]
+			}
 			checkDefined("OpenVPN TCP", defaultOpenVPNTCP)
 			return defaultOpenVPNTCP
 		}

+		if len(server.PortsUDP) > 0 {
+			defaultOpenVPNUDP = server.PortsUDP[0]
+		}
 		checkDefined("OpenVPN UDP", defaultOpenVPNUDP)
 		return defaultOpenVPNUDP
 	}
--- a/internal/provider/utils/port_test.go
+++ b/internal/provider/utils/port_test.go
@@ -6,6 +6,7 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
 	"github.com/stretchr/testify/assert"
 )

@@ -23,6 +24,7 @@ func Test_GetPort(t *testing.T) {

 	testCases := map[string]struct {
 		selection         settings.ServerSelection
+		server            models.Server
 		defaultOpenVPNTCP uint16
 		defaultOpenVPNUDP uint16
 		defaultWireguard  uint16
@@ -49,6 +51,20 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard:  defaultWireguard,
 			port:              defaultOpenVPNUDP,
 		},
+		"OpenVPN_server_port_udp": {
+			selection: settings.ServerSelection{
+				VPN: vpn.OpenVPN,
+				OpenVPN: settings.OpenVPNSelection{
+					CustomPort: uint16Ptr(0),
+					Protocol:   constants.UDP,
+				},
+			},
+			server: models.Server{
+				PortsUDP: []uint16{1234},
+			},
+			defaultOpenVPNUDP: defaultOpenVPNUDP,
+			port:              1234,
+		},
 		"OpenVPN UDP no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.OpenVPN,
@@ -89,6 +105,20 @@ func Test_GetPort(t *testing.T) {
 			},
 			port: 1234,
 		},
+		"OpenVPN_server_port_tcp": {
+			selection: settings.ServerSelection{
+				VPN: vpn.OpenVPN,
+				OpenVPN: settings.OpenVPNSelection{
+					CustomPort: uint16Ptr(0),
+					Protocol:   constants.TCP,
+				},
+			},
+			server: models.Server{
+				PortsTCP: []uint16{1234},
+			},
+			defaultOpenVPNTCP: defaultOpenVPNTCP,
+			port:              1234,
+		},
 		"Wireguard": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -106,6 +136,19 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard: defaultWireguard,
 			port:             1234,
 		},
+		"Wireguard_server_port": {
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+				Wireguard: settings.WireguardSelection{
+					EndpointPort: uint16Ptr(0),
+				},
+			},
+			server: models.Server{
+				PortsUDP: []uint16{1234},
+			},
+			defaultWireguard: defaultWireguard,
+			port:             1234,
+		},
 		"Wireguard no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -121,6 +164,7 @@ func Test_GetPort(t *testing.T) {
 			if testCase.panics != "" {
 				assert.PanicsWithValue(t, testCase.panics, func() {
 					_ = getPort(testCase.selection,
+						testCase.server,
 						testCase.defaultOpenVPNTCP,
 						testCase.defaultOpenVPNUDP,
 						testCase.defaultWireguard)
@@ -129,6 +173,7 @@ func Test_GetPort(t *testing.T) {
 			}

 			port := getPort(testCase.selection,
+				testCase.server,
 				testCase.defaultOpenVPNTCP,
 				testCase.defaultOpenVPNUDP,
 				testCase.defaultWireguard)
--- a/internal/storage/filter.go
+++ b/internal/storage/filter.go
@@ -2,6 +2,7 @@ package storage

 import (
 	"fmt"
+	"slices"
 	"strings"

 	"github.com/qdm12/gluetun/internal/configuration/settings"
@@ -121,6 +122,10 @@ func filterServer(server models.Server,
 		return true
 	}

+	if filterByPorts(selection, server.PortsTCP) {
+		return true
+	}
+
 	// TODO filter port forward server for PIA

 	return false
@@ -164,3 +169,21 @@ func filterByProtocol(selection settings.ServerSelection,
 		return (wantTCP && !serverTCP) || (wantUDP && !serverUDP)
 	}
 }
+
+func filterByPorts(selection settings.ServerSelection,
+	serverPorts []uint16,
+) (filtered bool) {
+	if len(serverPorts) == 0 {
+		return false
+	}
+
+	customPort := *selection.OpenVPN.CustomPort
+	if selection.VPN == vpn.Wireguard {
+		customPort = *selection.Wireguard.EndpointPort
+	}
+	if customPort == 0 {
+		return false
+	}
+
+	return !slices.Contains(serverPorts, customPort)
+}
--- a/internal/storage/formatting.go
+++ b/internal/storage/formatting.go
@@ -8,6 +8,7 @@ import (

 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
+	"github.com/qdm12/gluetun/internal/constants/vpn"
 )

 func commaJoin(slice []string) string {
@@ -16,7 +17,7 @@ func commaJoin(slice []string) string {

 var ErrNoServerFound = errors.New("no server found")

-func noServerFoundError(selection settings.ServerSelection) (err error) {
+func noServerFoundError(selection settings.ServerSelection) (err error) { //nolint:gocyclo
 	var messageParts []string

 	messageParts = append(messageParts, "VPN "+selection.VPN)
@@ -153,6 +154,15 @@ func noServerFoundError(selection settings.ServerSelection) (err error) {
 			"target ip address "+selection.TargetIP.String())
 	}

+	customPort := *selection.OpenVPN.CustomPort
+	if selection.VPN == vpn.Wireguard {
+		customPort = *selection.Wireguard.EndpointPort
+	}
+	if customPort > 0 {
+		messageParts = append(messageParts,
+			fmt.Sprintf("%s endpoint port %d", selection.VPN, customPort))
+	}
+
 	message := "for " + strings.Join(messageParts, "; ")

 	return fmt.Errorf("%w: %s", ErrNoServerFound, message)
--- a/internal/storage/servers.json
+++ b/internal/storage/servers.json
--- a/internal/wireguard/rule.go
+++ b/internal/wireguard/rule.go
@@ -2,6 +2,7 @@ package wireguard

 import (
 	"fmt"
+	"strings"

 	"github.com/qdm12/gluetun/internal/netlink"
 )
@@ -16,6 +17,10 @@ func (w *Wireguard) addRule(rulePriority int, firewallMark uint32,
 	rule.Table = int(firewallMark)
 	rule.Family = family
 	if err := w.netlink.RuleAdd(rule); err != nil {
+		if strings.HasSuffix(err.Error(), "file exists") {
+			w.logger.Info("if you are using Kubernetes, this may fix the error below: " +
+				"https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/kubernetes.md#adding-ipv6-rule--file-exists")
+		}
 		return nil, fmt.Errorf("adding %s: %w", rule, err)
 	}
Author	SHA1	Message	Date
Quentin McGaw	6476cedae9	Remove unneeded `allow-compression asym`	2024-12-27 20:14:57 +00:00
Quentin McGaw	8f386dd91e	Remove support for multihop	2024-12-27 20:14:54 +00:00
Quentin McGaw	9c514bf661	Add missing "key-direction 1"	2024-12-27 20:08:21 +00:00
Quentin McGaw	355cb950c3	Set TLS crypt for Singapore hostnames only	2024-12-27 20:08:21 +00:00
Quentin McGaw	ff93ea6bac	Add missing openvpn options - CA - TLS auth - TLS crypt (for singapore) - `allow-compression asym` - `replay-window 256` - remote-cert-tls server - move aes256gcm as preferred cipher	2024-12-27 20:08:21 +00:00
Quentin McGaw	231f5d9789	initial code	2024-12-27 20:08:21 +00:00
Quentin McGaw	8dae352ccc	fix(cli): fix `openvpnconfig` command panic due to missing `SetDefaults` call	2024-12-27 09:31:04 +00:00
Quentin McGaw	e890c50da6	feat(firewall): support icmp rules	2024-12-25 20:05:55 +00:00
Quentin McGaw	ddd9f4d021	chore(natpmp): fix determinism for test `Test_Client_ExternalAddress`	2024-12-14 21:04:07 +00:00
dependabot[bot]	7e58b4baee	Chore(deps): Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#2600 )	2024-12-14 21:19:30 +01:00
dependabot[bot]	a21fbb9a4f	Chore(deps): Bump github.com/breml/rootcerts from 0.2.18 to 0.2.19 (#2601 )	2024-12-14 21:19:11 +01:00
Quentin McGaw	3b7d27c919	hotfix(ci): use `--device /dev/net/tun` for test container	2024-12-14 20:15:42 +00:00
dependabot[bot]	68ddbfc0fe	Chore(deps): Bump golang.org/x/net from 0.30.0 to 0.31.0 (#2578 )	2024-11-18 10:46:04 +01:00
dependabot[bot]	a2047cb800	Chore(deps): Bump DavidAnson/markdownlint-cli2-action from 16 to 18 (#2588 )	2024-11-18 10:45:49 +01:00
Quentin McGaw	fdd499146c	fix(wireguard): point to Kubernetes wiki page when encountering IP rule add file exists error (#2526 )	2024-11-15 18:47:06 +01:00
Quentin McGaw	37900341cf	hotfix(firewall): fix unit test for previous PR	2024-11-15 17:46:10 +00:00
Jean-François Roy	36bb368cad	fix(firewall): iptables list uses `-n` flag for testing iptables path (#2574 ) Signed-off-by: Jean-Francois Roy <jf@devklog.net>	2024-11-15 16:47:08 +01:00
Quentin McGaw	f9bdb219d0	chore(deps): update gosettings to v0.4.4 - Better support for quote expressions especially for commands such as VPN_PORT_FORWARDING_UP_COMMAND	2024-11-12 09:11:48 +00:00
Quentin McGaw	0374c14e42	feat(portforwarding): `VPN_PORT_FORWARDING_DOWN_COMMAND` option	2024-11-10 10:18:29 +00:00
Alex Lavallee	a035a151bd	feat(portforwarding): allow running script upon port forwarding success (#2399 )	2024-11-10 09:49:02 +01:00
Quentin McGaw	e69966381d	feat(fastestvpn): add aes-256-gcm to ciphers list	2024-11-09 15:44:05 +00:00
Quentin McGaw	94dfb2b1f2	fix(ipvanish): fix openvpn configuration - update CA value - add `comp-lzo` option	2024-11-09 15:43:51 +00:00