feat(container): update image docker.io/qmcgaw/gluetun to v3.39.1 #670

Open, wants to merge 1 commit into main

renovate[bot]

@renovate renovate bot commented Aug 16, 2024

This PR contains the following updates:

Package | Update | Change
docker.io/qmcgaw/gluetun | minor | v3.38.0 -> v3.39.1

Release Notes

qdm12/gluetun (docker.io/qmcgaw/gluetun)

v3.39.1

🎥 https://youtu.be/O09rP1DlcFU?si=qPdzWUWnzciNxAc7

Fixes

  • Firewall: delete chain rules by line number (#2411)
  • Control server: require authentication for vulnerable routes (#2434)
  • NordVPN: remove commas from region values
  • IVPN: split city into city and region
    • Fix bad city values containing a comma
    • update ivpn servers data
  • Private Internet Access: support port forwarding using custom Wireguard (#2420)
  • ProtonVPN: prevent using FREE_ONLY and PORT_FORWARD_ONLY together (see #2470)
  • internal/storage: add missing selection fields to build noServerFoundError (see #2470)

v3.39.0

🎥 Youtube video explaining all this

Features

  • OpenVPN: default version changed from 2.5 to 2.6
  • Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy iptables)
  • Healthcheck: change timeout mechanism
    • Healthcheck timeout is no longer fixed to 3 seconds
    • Healthcheck timeout increases from 2s to 4s, 6s, 8s, 10s
    • No 1 second wait time between check retries after failure
    • VPN internal restart may be delayed by a maximum of 10 seconds
  • Firewall:
    • Query iptables binary variants to find which one to use depending on the kernel
    • Prefer using iptables-nft over iptables-legacy (Alpine new default is nft backend iptables)
  • Wireguard:
    • WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL option
    • read configuration file without case sensitivity
  • VPN Port forwarding: only use port forwarding enabled servers if VPN_PORT_FORWARDING=on (applies only to PIA and ProtonVPN for now)
  • FastestVPN:
    • Wireguard support (#2383 - Credits to @Zerauskire for the initial investigation and @jvanderzande for an initial implementation as well as reviewing the pull request)
    • use API instead of openvpn zip file to fetch servers data
    • add city filter SERVER_CITY
    • update built-in servers data
  • Perfect Privacy: port forwarding support with VPN_PORT_FORWARDING=on (#2378)
  • Private Internet Access: port forwarding options VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD (retro-compatible with OPENVPN_USER and OPENVPN_PASSWORD)
  • ProtonVPN:
    • Wireguard support (#2390)
    • feature filters SECURE_CORE_ONLY, TOR_ONLY and PORT_FORWARD_ONLY (#2182)
    • determine "free" status using API tier value
    • update built-in servers data
  • Surfshark: servers data update
  • VPNSecure: servers data update
  • VPN_ENDPOINT_IP split into OPENVPN_ENDPOINT_IP and WIREGUARD_ENDPOINT_IP
  • VPN_ENDPOINT_PORT split into OPENVPN_ENDPOINT_PORT and WIREGUARD_ENDPOINT_PORT

Fixes

  • VPN_PORT_FORWARDING_LISTENING_PORT fixed
  • IPv6 support detection ignores loopback route destinations
  • Custom provider:
    • handle port option line for OpenVPN
    • ignore comments in an OpenVPN configuration file
    • assume port forwarding is always supported by a custom server
  • VPN Unlimited:
    • change default UDP port from 1194 to 1197
    • allow OpenVPN TCP on port 1197
  • Private Internet Access Wireguard and port forwarding
    • Set server name if names filter is set with the custom provider (see #2147)
  • PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
  • Torguard: update OpenVPN configuration
    • add aes-128-gcm and aes-128-cbc ciphers
    • remove mssfix, sndbuf, rcvbuf, ping and reneg options
  • VPNSecure: associate N / A with no data for servers
  • AirVPN: set default mssfix to 1320-28=1292
  • Surfshark: remove outdated hardcoded retro servers
  • Public IP echo:
    • ip2location parsing for latitude and longitude fixed
    • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
  • internal/server: /openvpn route status get and put
    • get status return stopped if running Wireguard
    • put status changes vpn type if running Wireguard
  • Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings
  • Log last Gluetun release by tag name alphabetically instead of by release date
  • format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
  • internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Documentation

  • readme:
    • clarify shadowsocks proxy is a server, not a client
    • update list of providers supporting Wireguard with the custom provider
    • add protonvpn as custom port forwarding implementation
  • disable Github blank issues
  • Bump github.com/qdm12/gosplash to v0.2.0
    • Add /choose suffix to github links in logs
  • add Github labels: "Custom provider", "Category: logs" and "Before next release"
  • rename FIREWALL_ENABLED to FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT due to the sheer amount of users misusing it. FIREWALL_ENABLED won't do anything anymore. At least you've been warned not to use it...

Maintenance

  • Code health
    • PIA port forwarding:
      • remove dependency on storage package
      • return an error to port forwarding loop if server cannot port forward
    • internal/config:
      • upgrade to github.com/qdm12/gosettings v0.4.2
        • drop github.com/qdm12/govalid dependency
        • upgrade github.com/qdm12/ss-server to v0.6.0
        • do not un-set sensitive config settings anymore
      • removed bad/invalid retro-compatible keys CONTROL_SERVER_ADDRESS and CONTROL_SERVER_PORT
      • OpenVPN protocol field is now a string instead of a TCP boolean
      • Split server filter validation for features and subscription-tier
      • provider name field as string instead of string pointer
    • internal/portforward: support multiple ports forwarded
    • Fix typos in code comments (#2216)
    • internal/tun: fix unit test for unprivileged user
  • Development environment
    • fix source.organizeImports vscode setting value
    • linter: remove now invalid skip-dirs configuration block
  • Dependencies
    • Bump Wireguard Go dependencies
    • Bump Go from 1.21 to 1.22
    • Bump golang.org/x/net from 0.19.0 to 0.25.0 (#2138, #2208, #2269)
    • Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#2139)
    • Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#2178, #2218)
    • Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#2279)
    • Bump github.com/stretchr/testify to v1.9.0
    • Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+
  • CI
    • Bump DavidAnson/markdownlint-cli2-action from 14 to 16 (#2214)
    • Bump peter-evans/dockerhub-description from 3 to 4 (#2075)
  • Github
    • remove empty label description fields
    • add /choose suffix to issue and discussion links
    • review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label
    • Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service

v3.38.1

ℹ️ This is a bugfix release for v3.38.0. If you can, please instead use release v3.39.0

Fixes

  • VPN_PORT_FORWARDING_LISTENING_PORT fixed
  • IPv6 support detection ignores loopback route destinations
  • Custom provider:
    • handle port option line for OpenVPN
    • ignore comments in an OpenVPN configuration file
    • assume port forwarding is always supported by a custom server
  • VPN Unlimited:
    • change default UDP port from 1194 to 1197
    • allow OpenVPN TCP on port 1197
  • Private Internet Access Wireguard and port forwarding
    • Set server name if names filter is set with the custom provider (see #2147)
  • PrivateVPN: updater now sets openvpn vpn type for the no-hostname server
  • Torguard: update OpenVPN configuration
    • add aes-128-gcm and aes-128-cbc ciphers
    • remove mssfix, sndbuf, rcvbuf, ping and reneg options
  • VPNSecure: associate N / A with no data for servers
  • AirVPN: set default mssfix to 1320-28=1292
  • Surfshark: remove outdated hardcoded retro servers
  • Public IP echo:
    • ip2location parsing for latitude and longitude fixed
    • abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)
  • internal/server: /openvpn route status get and put
    • get status return stopped if running Wireguard
    • put status changes vpn type if running Wireguard
  • Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings
  • Log last Gluetun release by tag name alphabetically instead of by release date
  • format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark
  • internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


github-actions bot commented Aug 16, 2024

--- kubernetes/apps/network/vpn-gateway/app Kustomization: flux-system/vpn-gateway HelmRelease: network/vpn-gateway

+++ kubernetes/apps/network/vpn-gateway/app Kustomization: flux-system/vpn-gateway HelmRelease: network/vpn-gateway

@@ -56,13 +56,13 @@

         envFrom:
         - secretRef:
             name: vpn-gateway-config
         gluetun:
           image:
             repository: docker.io/qmcgaw/gluetun
-            tag: v3.38.0@sha256:5522794f5cce6d84bc7f06b1e3a3b836ede9100c64aec94543cb503bb2ecb72f
+            tag: v3.39.1@sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991
         livenessProbe:
           exec:
             command:
             - sh
             - -c
             - if [ '$(wget -q -O- https://ipinfo.io/country)' == 'NO' ]; then echo
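
Review bot: The livenessProbe command kept as context at the end of this hunk puts $(wget -q -O- https://ipinfo.io/country) inside single quotes, so sh treats it as literal text instead of running wget, and the comparison with 'NO' can never be true. Put the substitution in double quotes so the probe compares the country that ipinfo.io actually returns. The rest of the command is cut off after "then echo", so also confirm what the probe does when the test is false, since as rendered that is the only branch it can take.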


github-actions bot commented Aug 16, 2024

--- HelmRelease: network/vpn-gateway Deployment: network/vpn-gateway-pod-gateway

+++ HelmRelease: network/vpn-gateway Deployment: network/vpn-gateway-pod-gateway

@@ -72,13 +72,13 @@

           value: debug
         - name: HEALTH_VPN_DURATION_INITIAL
           value: 30s
         envFrom:
         - secretRef:
             name: vpn-gateway-config
-        image: docker.io/qmcgaw/gluetun:v3.38.0@sha256:5522794f5cce6d84bc7f06b1e3a3b836ede9100c64aec94543cb503bb2ecb72f
+        image: docker.io/qmcgaw/gluetun:v3.39.1@sha256:6a8058e626763cbf735ac2f78c774dbb24fec2490bd9d9f7d67e22592cb4a991
         imagePullPolicy: null
         livenessProbe:
           exec:
             command:
             - sh
             - -c
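
Review bot: The settings for this container come from the vpn-gateway-config secret through envFrom, which the diff does not show, and several keys change behaviour between v3.38.0 and v3.39.1, so that secret needs checking before merge. Per the release notes in this PR, FIREWALL_ENABLED no longer does anything, VPN_ENDPOINT_IP and VPN_ENDPOINT_PORT are split into OPENVPN_ and WIREGUARD_ variants, and the retro-compatible CONTROL_SERVER_ADDRESS and CONTROL_SERVER_PORT keys are removed. v3.39.1 also requires authentication on the vulnerable control server routes, so anything in the cluster that calls the control server should be tested against the new image. With HEALTH_VPN_DURATION_INITIAL set to 30s here, it is worth watching the first rollout because v3.39.0 changes the healthcheck timeout mechanism.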

@renovate renovate bot changed the title feat(container): update image docker.io/qmcgaw/gluetun to v3.39.0 feat(container): update image docker.io/qmcgaw/gluetun to v3.39.1 Sep 29, 2024
@renovate renovate bot force-pushed the renovate/docker.io-qmcgaw-gluetun-3.x branch from 22b0a48 to b7479f1 Compare September 29, 2024 19:20