qdm12 Release Notes

Name: qdm12
Brand: qdm12

Last updated: Jan 7, 2026

RSS Email API Slack n8n Zapier

qdm12 Products

Gluetun

10 releases

All qdm12 Release Notes

Dec 25, 2025
- Parsed from source:
  Dec 25, 2025
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.41.0

Gluetun delivers a major DNS and health check overhaul with private DNS, DNS over HTTPS, enhanced health checks, and expanded server data plus new health target options. Expect improved reliability, throughput and better DNS protection as this release powers toward v3.42.0.
Video of me reading out this release

Thank you all for your patience for this release which took its sweet time 🙏⏲️

I have been rather absent in a good part of 2025 due to work and life getting in the way, and I would like to thank many of you for helping out around in issues and discussions, and for the few code contributors whilst I was away.

On this release, many of the features you see are the result of behind-the-scene work of the last few years (notably on dns) and I'm super glad they are finally in Gluetun! A lot more to come in v3.42.0, there is already a pile of pull requests waiting 🚀

Final note, introducing the RANTING SECTION at the bottom of this changelog. This section might also be in the future releases (unfortunately)!

Happy holidays! 🎄 🎅 ❄️ ⛄

Features

DNS

(K8s users read this) Local network names resolution using private DNS resolvers found at container start (#2970)

DNS over HTTPS support (see DNS_UPSTREAM_RESOLVER_TYPE below)

DNS_UPSTREAM_RESOLVER_TYPE option which can be dot (DNS over TLS), doh (DNS over HTTPS) or plain (plaintext over UDP)

DNS over TLS re-uses TCP connections which should put less stress on TCP-connections-rate-limiting by the VPN server

DNS requests blocked are logged with a reason

DNS rebinding protection is always enabled, but hostnames can be excluded with DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES

i/o timeout errors are now logged at the debug level instead of warn level

healthcheck system reworked: more robust and less impact on other applications (#2923)

Three checks are performed:

startup full check: when the VPN connection is first established, perform a TCP+TLS dial to HEALTH_TARGET_ADDRESSES with a timeout of 6 seconds

periodic full check: every 5 minutes, perform a TCP+TLS dial to HEALTH_TARGET_ADDRESSES, with up to 3 tries of 10s, 15s, and 30s timeouts

periodic small check: every minute, perform ICMP pings to HEALTH_ICMP_TARGET_IPS, with a fallback to plain DNS (UDP) lookups of github.com to cloudflare+google, with up to 10 tries of 5s, 5s, 5s, 10s, 10s, 10s, 15s, 15s, 15s, and 30s timeouts

If any of these checks fail, the VPN connection is restarted

Reduced impact on TCP to allow for higher bandwidth in TCP torrenting

New option HEALTH_TARGET_ADDRESSES=cloudflare.com:443,github.com:443 to have a fallback address

New option HEALTH_ICMP_TARGET_IPS=1.1.1.1,8.8.8.8 to have 8.8.8.8 as a fallback address

New option HEALTH_SMALL_CHECK_TYPE which can be dns or icmp. By default it uses icmp and falls back to dns if icmp isn't permitted.

New option HEALTH_RESTART_VPN: you should really leave it to on, unless you have trust issues with the healthcheck.

built-in servers data updates:

Cyberghost

ExpressVPN

Mullvad

Privado

Private Internet Access

SlickVPN (mere 29 hardcoded servers 🤷)

ProtonVPN

Surfshark

Torguard

control server:

HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE option (JSON encoded). For example: {"auth":"basic","username":"me","password":"pass"} or {"auth":"apiKey","apikey":"xyz"} or {"auth":"none"}.

log number of roles read from auth file

VPN server side port forwarding:

support {{PORT}} template variable on top of {{PORTS}}

support {{VPN_INTERFACE}} template variable which is by default tun0

Public IP data fetcher queries all data sources in parallel and picks the most popular result

bump Alpine from 3.20 to 3.22

wireguard: on error parsing WIREGUARD_ENDPOINT_IP, mention it must be an IP address for the time being

new ascii logo logged out at program exit... did any of you spot it? 👀

Fixes

Wireguard:

specify IP family for new route (#2629)

WIREGUARD_ENDPOINT_IP regression (v3.39.0) fixed to override the IP address of a picked connection

Providers specific:

Cyberghost: log warnings from updater resolver but not for "no such host" which happen quite a lot

ExpressVPN: update hardcoded servers data (#2888)

ProtonVPN: authenticated servers data updating

If updating servers data periodically, use UPDATER_PROTONVPN_EMAIL and UPDATER_PROTONVPN_PASSWORD

If using the CLI, use -proton-email and -proton-password flags

PureVPN:

update OpenVPN configuration settings (from #2991 credits to @mlapaj)

updater parses country and city from hostname and merges with ip address information (#2991)

VPN Unlimited:

update certificates value (#2835) and remove no longer valid hardcoded hosts

VPN Secure updater:

fixed by allowing their website servers list to have "N / A" region/city

WeVPN:

removed since it decomissioned

Servers storage:

do not crash the container but log a warning if flushing merged servers to file fails

VPN server side port forwarding:

clear port file instead of removing it (see why)

remove double log when clearing port forward file

Control server:

log out full URL path not just bottom request URI

change route with retrocompatibility from /v1/openvpn/portforwarded to /v1/portforward: this route has nothing to do with openvpn specifically, removed the ed in portforwarded to accomodate future routes such as changing the state of port forwarding

PUBLICIP_ENABLED is now respected

publicip/api/cloudflare: add now required Referer header (#3058)

cli openvpnconfig command no longer panics due to missing SetDefaults call

DNS:

retry on next period if a blocklists update failed previously

fix DNS_KEEP_NAMESERVER behavior (by the way, you should no longer need to use this option!)

no longer hangs the code when establishing the VPN connection

no longer makes Gluetun panic when exiting

Healthcheck:

fix grammar issue in log (#2773)

Documentation

Readme

remove no longer valid LoC badge

update Alpine version and image size

warning on "official" websites which are scams

add star history graph because it's fun

Dockerfile: specify default PUID and PGID to avoid confusion, since both are already defaulted to 1000 in the Go code

add pull request template (#2918)

update provider issue template

Maintenance

Code

Change DNS option names with retro-compatibility:

DOT to DNS_SERVER

DOT_PROVIDERS to DNS_UPSTREAM_RESOLVERS

DOT_PRIVATE_ADDRESS to DNS_PRIVATE_ADDRESSES

DOT_CACHING to DNS_CACHING

DOT_IPV6 to DNS_UPSTREAM_IPV6

DOT_PRIVATE_ADDRESS split into DNS_BLOCK_IPS and DNS_BLOCK_IP_PREFIXES

UNBLOCK with DNS_UNBLOCK_HOSTNAMES

clear DNS_BLOCK_IP_PREFIXES values since DNS rebinding protection is built-in the filter middleware

internal/vpn: rename openvpn* to vpn* variables

internal/configuration/settings:

merge DoT settings with DNS settings

remove unneeded Health struct fields

internal/storage:

do not read/write to user file when updating in maintainer mode

ignore persisted servers data with a timestamp in the future

internal/publicip/api/ip2location: rename countries to match standard country names from the mapping constants.CountryCodes()`

dependencies

bump Go from 1.23 to 1.25

bump github.com/breml/rootcerts from 0.2.19 to 0.3.3 (#2683, #2964)

bump github.com/klauspost/compress from 1.17.11 to 1.18.1 (#2957)

bump github.com/pelletier/go-toml/v2 from 2.2.3 to 2.2.4 (#2958)

bump github.com/qdm12/dns from v2.0.0-rc8 to v2.0.0-rc10

bump github.com/stretchr/testify from 1.10.0 to 1.11.1 (#2959)

bump github.com/ulikunitz/xz from 0.5.11 to 0.5.15 (#2955)

bump github.com/vishvananda/netlink from 1.2.1 to 1.3.1 (#2932)

bump golang.org/x/crypto from 0.29.0 to 0.45.0 (#2619, #2999)

bump golang.org/x/net from 0.31.0 to 0.47.0 (#2648, #2937, #2976)

bump golang.org/x/sys from 0.29.0 to 0.38.0 (#2939, #2973)

bump golang.org/x/text from 0.21.0 to 0.31.0 (#2938, #2975)

upgrade linter to v2.4.0

migrate configuration file

fix existing code issues

add exclusion rules

update linter names

CI

run container and wait for it to connect for both Mullvad and ProtonVPN (#2956)

bump github actions and use go.mod Go version (#2880)

pull container images at build time from ghcr.io when possible

reduce silly image pull rate limiting from docker hub registry

still rely on docker hub registry to pull golang and alpine images since these are not on ghcr.io

ignore .github/pull_request_template.md with markdown linter

consider 429 as valid status code for markdown links

bump actions/setup-go from 5 to 6 (#2929)

bump actions/checkout from 5 to 6 (#3001)

bump DavidAnson/markdownlint-cli2-action from 18 to 21 (#2632, #2984)

bump github/codeql-action from 3 to 4 (#2935)

bump peter-evans/create-or-update-comment from 4 to 5 (#2931)

dev setup

upgrade dev container to v0.21

convert .vscode/launch.json to tasks.json

add vscode git remote add task

The ranting section

The ranting section

🥀 this is a new section in which I'll share my rant among various Gluetun-related things 🌻

💁 expect a lot of uppercasing, heavy punctuation and no structure whatsoever. Enjoy the read ❗

ALPINE!!! STOP BREAKING IPTABLES ON EVERY TWO RELEASES! When I enter iptables -nL, -n means NUMERIC! Then why the hell did 0 become all on Alpine 3.22??!!!?!

Gluetun was configured like clockwork to parse these numeric values, and all hell broke lose on some systems where it would return TEXTUAL values!

💁 2e2e5f9 and 6712adf for more information

PUREVPN did change everything for OpenVPN: certificates, keys, CAs. Like, can't you keep the previous ones working instead of breaking everyone? No-one was really warned on this as far as I know, so obviously Gluetun started failing more and more with PureVPN. Thanks to @mlapaj for patching this and notifying me.

SlickVPN: Ok fine you're going bankrupt or something, but I spent hours programming code to scrape your locations webpage for you to just add some ugly-ass text directly to list your mere 11 servers left? Couldn't you update the table on your website, which, by the way, is still there below, but empty!!? What the heck!? I ended up throwing all my code and just hardcoding their silly 11 29 servers in Gluetun, because I'm not spending more hours fixing this scrapper, this is ridiculous.

https://www.slickvpn.com/locations/

Ok I'm not going to write the url here but it's h**ps://gluetun.com. It's an AI generated bullshlt website from some Pakistani idiot in the UK, trying to advertise for themselves to sell "website development" (=AI prompts). I did reach out to them telling them to please shut it down, no answer obviously. I suppose I should trademark gluetun... At least, since it's fully AI-generated, it's almost decent information and there is a bit of honesty in there, like "Not affiliated with Gluetun" at the bottom, although it also says "We at Gluetun" 😄

And keeping the best for last: PROTON!... Ah Proton... Proton Proton Proton...

First of all, let's start with Proton blocking their VPN servers data behind a login wall.

There is no reason for this. None. Zip. Zero. Nada.

You can literally connect to a VPN server with a free account.

And anyone with a paid account, including me, could just get that list and share it.

Absolute non-sense of a choice.

But, fine, let's see what's next...

I exchange with other Gluetun users trying to debug how to access this list, how to login programmatically to get that stupid list.

We all throw our keyboards at our monitor out of frustration because Proton's login system is an overly complex thing.

I decide to contact Proton support.

Ah, Proton "support"...

It's like subconsciously they want their users to run away.

I opened a support ticket explaining the situation, very politely of course, and simply asking for a tiny bit of guidance on helping out with the curl commands necessary to login and obtain a valid token.

Their answer? Polite "go away leave us alone" message:

Public access to the https://api.protonvpn.ch/vpn/logicals endpoint is no longer available due to internal changes and security reasons.

WHAT SECURITY REASONS!??? You are making a fool of yourselves Proton!

Additionally, the setup in question is not officially supported on our end; therefore, I will be unable to provide any steps on how to achieve it, nor guarantee that it will work.

DO YOU THINK I AM STUPID PROTON!??? AND THANKS FOR BEING SO HELPFUL YOU BUNCH OF 10-NEURONS SUPPORT!

We strongly recommend using the native Proton VPN apps on your devices or utilizing one of the downloaded configuration files if you wish to set up a manual connection https://account.protonvpn.com/downloads.

You sweet sweet summer child... Really, are you pretending to be a child now? PROTONNNNNN you are just an embarassment to the tech scene.

Have a nice weekend!

Yeah thanks for nothing and not even budging a tiny bit on anything.

I even then told them I would tell my users to avoid Proton like the plague because of this ridiculous behavior.

The answer? Basically same thing, reworded.

Guess what?

Well we figured out your authentication (#2878), you unhelpful spineless wonders, so have fun blocking your own users from using your own VPN servers data...

But wait.... this is not even over; A few days later, a Gluetun user notices paid servers are not part of the Gluetun servers data.

Because Proton decided to hide away paid servers data from free users. Mind blown 🤯 This is absolutely stupid to its finest extent.

Anyway, I signed in with a paid account, re-updated the servers data. Done. Now your list is public. Congratulations Proton for your security measures, completely useless.

In conclusion... Proton is unhelpful and takes security decisions that make absolutely no sense.

Please migrate away from Proton whenever you can.

Original source Report a problem
Dec 24, 2025
- Parsed from source:
  Dec 24, 2025
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.40.4

VPN client update fixes DNS restart crash when DOT is off and DNS_KEEP_NAMESERVER is off and adds a retry for blocklists after failures. WireGuard IP override regression is fixed and updaters plus data for ExpressVPN, PureVPN, SlickVPN, VPNSecure, and VPN Unlimited are refreshed, including city/region handling and removal of website scraping.
Fixes

DNS:

prevent restart crash if DOT=off and DNS_KEEP_NAMESERVER=off

retry on next period the blocklists update after a failed update

WIREGUARD_ENDPOINT_IP overrides the IP address correctly (regression introduced in v3.39.0)

ExpressVPN hardcoded servers data updated (#2888 - huge thanks to the manual work of @Lobstrosity)

PureVPN OpenVPN configuration updated (from #2991, credits to @mlapaj)

SlickVPN updater: only keep 11 servers hardcoded and drop website scraping code

VPNSecure updater fixed, with region and city data allowed to be set to N / A

VPN Unlimited updater: no longer valid hardcoded hosts removed

Original source Report a problem
Nov 19, 2025
- Parsed from source:
  Nov 19, 2025
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.40.1

Bug-fix release on top of v3.40.0 brings important fixes and stability tweaks. v3.41.0 is coming soon, so upgrade now if you hit issues. Highlights include WireGuard routing improvements, port file handling, full URL logging, and provider data updates.
v3.41.0 release notes

Bug-fix-only release on top of v3.40.0.

v3.41.0 coming soon 🎉 If you have any issues with v3.40.0 please report it rather soon please 🙏 !

Fixes

Wireguard: specify IP family for new route (#2629)

PUBLICIP_ENABLED is now respected

Port forwarding: clear port file instead of removing it (see why)

Control server: log out full URL path not just bottom request URI

cli openvpnconfig command no longer panics due to missing SetDefaults call

Providers specific:

Cyberghost: log warnings from updater resolver

ExpressVPN: update hardcoded servers data (#2888) My mistake, the commit was forgotten. It will be part of v3.40.4. For now use the latest image.

ProtonVPN: authenticated servers data updating (#2878)

VPN Unlimited: update certificates value (#2835)

PS: sorry for the double notification, CI failed on the first release try

Original source Report a problem
Nov 18, 2025
- Parsed from source:
  Nov 18, 2025
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.40.3
Fixes

Fixed previous fix on ProtonVPN: credentials are not required to be set.

Original source Report a problem
Nov 18, 2025
- Parsed from source:
  Nov 18, 2025
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.40.2
Fixes

DNS

fix DNS_KEEP_NAMESERVER behavior

no longer hangs the code when establishing the VPN connection

no longer makes Gluetun panic when exiting

ProtonVPN

updater authentication fixed for some accounts

If updating servers data periodically, use UPDATER_PROTONVPN_EMAIL instead of UPDATER_PROTONVPN_USERNAME (retrocompatibility maintained)

If using the CLI, use -proton-email instead of -proton-username (retrocompatibility maintained)

ProtonVPN servers data updated to include paid servers

Servers storage

do not crash the container but log a warning if flushing merged servers to file fails

Original source Report a problem
Dec 25, 2024
- Parsed from source:
  Dec 25, 2024
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.40.0

Seasonal release adds VPN DNS upgrades, faster startup, clearer errors, broader Gluetun customization, and a resilient public IP fetch with backup sources. It introduces port forwarding options, stronger auth, and broad stability and code quality improvements.
Happy holidays release time 🎄 🎅 🎁

💁 If anything doesn't work compared to previous release, please create an issue and revert to using v3.39.1 😉
ℹ️ Life is pretty busy all around currently (moving soon, new job, ill parent) so I might be even slower than usual until summer 2025, I'll do my best!

Features

VPN: run WaitForDNS before querying the public ip address (partly address #2325)

DNS: replace unbound with qdm12/[email protected] (#1742 & later commits)

Faster start up

Clearer error messages

Allow for more Gluetun-specific customization

Port forwarding:

VPN_PORT_FORWARDING_UP_COMMAND option (#2399)

VPN_PORT_FORWARDING_DOWN_COMMAND option

Config allow irrelevant server filters to be set (see #2337)

Disallow setting a server filter when there is no choice available

Allow setting an invalid server filter when there is at least one choice available

Log at warn level when an invalid server filter is set

Firewall: support custom ICMP rules

Healthcheck:

log out last error when auto healing VPN

run TLS handshake after TCP dial if address has 443 port

Public IP:

retry fetching information when connection refused error is encountered (partly address #2325)

support custom API url echoip#https://... (#2529)

resilient public ip fetcher with backup sources (#2518)

add ifconfigco option and cloudflare option (#2502)

PUBLICIP_ENABLED replaces PUBLICIP_PERIOD

PUBLICIP_ENABLED (on, off) can be set to enable or not public ip data fetching on VPN connection

PUBLICIP_PERIOD=0 still works to indicate to disable public ip fetching

PUBLICIP_PERIOD != 0 means to enable public ip fetching

Warnings logged when using PUBLICIP_PERIOD

STORAGE_FILEPATH option (#2416)

STORAGE_FILEPATH= disables storing to and reading from a local servers.json file

STORAGE_FILEPATH defaults to /gluetun/servers.json

Netlink: debug rule logs contain the ip family

internal/tun: mention in 'operation not permitted' error the user should specify --device /dev/net/tun (resolves #2606)

Control server role based authentication system (#2434) (part of v3.39.1 as a bugfix)

Parse toml configuration file, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication

Retro-compatible with existing AND documented routes, until after this release

Log a warning if an unprotected-by-default route is accessed unprotected

Authentication methods: none, apikey, basic

genkey command to generate API keys

FastestVPN: add aes-256-gcm to OpenVPN ciphers list

Private Internet Access updater: use v6 API to get servers data

IPVanish: update servers data

PrivateVPN: native port forwarding support (#2285)

Privado: update servers data

format-servers command supports the json format option

Fixes

Wireguard: change default WIREGUARD_MTU from 1400 to 1320 (partially address #2533)

OpenVPN: set default mssfix to 1320 for all providers with no default already set (partially address #2533)

Control server: fix logged wiki authentication section link

Firewall:

iptables list uses -n flag for testing iptables path (#2574)

deduplicate VPN address accept rule for multiple default routes with the same network interface

deduplicate ipv6 multicast output accept rules

ipv6 multicast output address value fixed

log warning if ipv6 nat filter is not supported instead of returning an error (allow to port forward redirect for IPv4 and not IPv6 if IPv6 NAT is not supported and fixed #2503)

Wireguard:

Point to Kubernetes wiki page when encountering IP rule add file exists error (#2526)

IPVanish:

fix openvpn configuration by updating CA value and add comp-lzo option

update openvpn zip file url for updater

Perfect Privacy: update openvpn expired certificates (#2542)

Public IP: lock settings during entire update to prevent race conditions

Documentation

Dockerfile

add missing OPENVPN_MSSFIX environment variable

add missing option definitions

STREAM_ONLY

FREE_ONLY

Document PORT_FORWARD_ONLY is for both PIA and ProtonVPN

Maintenance

Code quality

Remove github.com/qdm12/golibs dependency

Implement friendly duration formatting locally

implement github.com/qdm12/golibs/command locally (#2418)

internal/natpmp: fix determinism for test Test_Client_ExternalAddress

let system handle OS signals after first one to request a program stop

internal/routing: remove redundant rule ip rule in error messages

internal/netlink debug log ip rule commands in netlink instead of routing package

internal/server: move log middleware to internal/server/middlewares/log

use gofumpt for code formatting

Fix gopls govet errors

Upgrade linter from v1.56.2 to v1.61.0

Remove no longer needed exclude rules

Add new exclude rules for printf govet errors

Remove deprecated linters execinquery and exportloopref

Rename linter goerr113 to err113 and gomnd to mnd

Add new linters and update codebase: canonicalheader, copyloopvar, fatcontext, intrange

Dependencies

Upgrade Go from 1.22 to 1.23

Bump vishvananda/netlink from v1.2.1-beta.2 to v1.2.1

Bump github.com/qdm12/gosettings from v0.4.3 to v0.4.4

Better support for quote expressions especially for commands such as VPN_PORT_FORWARDING_UP_COMMAND

Bump github.com/breml/rootcerts from 0.2.18 to 0.2.19 (#2601)

Bump golang.org/x/net from 0.25.0 to 0.31.0 (#2401, #2578)

Bump golang.org/x/sys from 0.260.0 to 0.27.0 (#2404, #2573)

Bump golang.org/x/text from 0.15.0 to 0.17.0 (#2400)

Bump github.com/klauspost/compress from 1.17.8 to 1.17.11 (#2319, #2550)

Bump github.com/pelletier/go-toml/v2 from 2.2.2 to 2.2.3 (#2549)

Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 (#2428)

Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 (#2600)

CI

Linting: remove canonicalheader since it's not reliable

Use --device /dev/net/tun for test container

Bump DavidAnson/markdownlint-cli2-action from 16 to 18 (#2588)

Bump docker/build-push-action from 5 to 6 (#2324)

Development setup

dev container

pin godevcontainer image to tag :v0.20-alpine

drop requirement for docker-compose and use devcontainer.json settings directly

readme update

remove Windows without WSL step

update 'remote containers extension' to 'dev containers extension'

remove invalid warning on directories creation

simplify customizations section

remove "publish a port" since it can be done at runtime now

remove "run other services" since it's rather unneeded in this case

expand documentation on custom welcome script and where to specify the bind mount

use bullet points instead of subsections headings

Github labels

change "config problem" to "user error"

add "performance", "investigation", "servers storage" and "nearly resolved" categories

Original source Report a problem
Oct 15, 2024
- Parsed from source:
  Oct 15, 2024
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.39.1
🎥 https://youtu.be/O09rP1DlcFU?si=qPdzWUWnzciNxAc7

Fixes

Firewall: delete chain rules by line number (#2411)

Control server: require authentication for vulnerable routes (#2434)

NordVPN: remove commas from region values

IVPN: split city into city and region

Fix bad city values containing a comma

update ivpn servers data

Private Internet Access: support port forwarding using custom Wireguard (#2420)

ProtonVPN: prevent using FREE_ONLY and PORT_FORWARD_ONLY together (see #2470)

internal/storage: add missing selection fields to build noServerFoundError (see #2470)

Original source Report a problem
Oct 6, 2024
- Parsed from source:
  Oct 6, 2024
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.39.0

Major VPN platform release updates OpenVPN to 2.6 and Alpine to 3.20 with smarter healthchecks and a refreshed firewall. WireGuard gains broader support and improved config handling while several providers get port forwarding and data updates. Overall a sweeping modernization with API data enhancements and bug fixes.
Features

OpenVPN: default version changed from 2.5 to 2.6

Alpine upgraded from 3.18 to 3.20 (3.19 got skipped due to buggy iptables)

Healthcheck: change timeout mechanism

Healthcheck timeout is no longer fixed to 3 seconds

Healthcheck timeout increases from 2s to 4s, 6s, 8s, 10s

No 1 second wait time between check retries after failure

VPN internal restart may be delayed by a maximum of 10 seconds

Firewall:

Query iptables binary variants to find which one to use depending on the kernel

Prefer using iptables-nft over iptables-legacy (Alpine new default is nft backend iptables)

Wireguard:

WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL option

read configuration file without case sensitivity

VPN Port forwarding: only use port forwarding enabled servers if VPN_PORT_FORWARDING=on (applies only to PIA and ProtonVPN for now)

FastestVPN:

Wireguard support (#2383 - Credits to @Zerauskire for the initial investigation and @jvanderzande for an initial implementation as well as reviewing the pull request)

use API instead of openvpn zip file to fetch servers data

add city filter SERVER_CITY

update built-in servers data

Perfect Privacy: port forwarding support with VPN_PORT_FORWARDING=on (#2378)

Private Internet Access: port forwarding options VPN_PORT_FORWARDING_USERNAME and VPN_PORT_FORWARDING_PASSWORD (retro-compatible with OPENVPN_USER and OPENVPN_PASSWORD)

ProtonVPN:

Wireguard support (#2390)

feature filters SECURE_CORE_ONLY, TOR_ONLY and PORT_FORWARD_ONLY (#2182)

determine "free" status using API tier value

update built-in servers data

Surfshark: servers data update

VPNSecure: servers data update

VPN_ENDPOINT_IP split into OPENVPN_ENDPOINT_IP and WIREGUARD_ENDPOINT_IP

VPN_ENDPOINT_PORT split into OPENVPN_ENDPOINT_PORT and WIREGUARD_ENDPOINT_PORT

Fixes

VPN_PORT_FORWARDING_LISTENING_PORT fixed

IPv6 support detection ignores loopback route destinations

Custom provider:

handle port option line for OpenVPN

ignore comments in an OpenVPN configuration file

assume port forwarding is always supported by a custom server

VPN Unlimited:

change default UDP port from 1194 to 1197

allow OpenVPN TCP on port 1197

Private Internet Access Wireguard and port forwarding

Set server name if names filter is set with the custom provider (see #2147)

PrivateVPN: updater now sets openvpn vpn type for the no-hostname server

Torguard: update OpenVPN configuration

add aes-128-gcm and aes-128-cbc ciphers

remove mssfix, sndbuf, rcvbuf, ping and reneg options

VPNSecure: associate N / A with no data for servers

AirVPN: set default mssfix to 1320-28=1292

Surfshark: remove outdated hardcoded retro servers

Public IP echo:

ip2location parsing for latitude and longitude fixed

abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)

internal/server: /openvpn route status get and put

get status return stopped if running Wireguard

put status changes vpn type if running Wireguard

Log out if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings

Log last Gluetun release by tag name alphabetically instead of by release date

format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark

internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Documentation

readme:

clarify shadowsocks proxy is a server, not a client

update list of providers supporting Wireguard with the custom provider

add protonvpn as custom port forwarding implementation

disable Github blank issues

Bump github.com/qdm12/gosplash to v0.2.0

Add /choose suffix to github links in logs

add Github labels: "Custom provider", "Category: logs" and "Before next release"

rename FIREWALL_ENABLED to FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT due to the sheer amount of users misusing it. FIREWALL_ENABLED won't do anything anymore. At least you've been warned not to use it...

Maintenance

Code health

PIA port forwarding:

remove dependency on storage package

return an error to port forwarding loop if server cannot port forward

internal/config:

upgrade to github.com/qdm12/gosettings v0.4.2

drop github.com/qdm12/govalid dependency

upgrade github.com/qdm12/ss-server to v0.6.0

do not un-set sensitive config settings anymore

removed bad/invalid retro-compatible keys CONTROL_SERVER_ADDRESS and CONTROL_SERVER_PORT

OpenVPN protocol field is now a string instead of a TCP boolean

Split server filter validation for features and subscription-tier

provider name field as string instead of string pointer

internal/portforward: support multiple ports forwarded

Fix typos in code comments (#2216)

internal/tun: fix unit test for unprivileged user

Development environment

fix source.organizeImports vscode setting value

linter: remove now invalid skip-dirs configuration block

Dependencies

Bump Wireguard Go dependencies

Bump Go from 1.21 to 1.22

Bump golang.org/x/net from 0.19.0 to 0.25.0 (#2138, #2208, #2269)

Bump golang.org/x/sys from 0.15.0 to 0.18.0 (#2139)

Bump github.com/klauspost/compress from 1.17.4 to 1.17.8 (#2178, #2218)

Bump github.com/fatih/color from 1.16.0 to 1.17.0 (#2279)

Bump github.com/stretchr/testify to v1.9.0

Do not upgrade busybox since vulnerabilities are fixed now with Alpine 3.19+

CI

Bump DavidAnson/markdownlint-cli2-action from 14 to 16 (#2214)

Bump peter-evans/dockerhub-description from 3 to 4 (#2075)

Github

remove empty label description fields

add /choose suffix to issue and discussion links

review all issue labels: add closed labels, add category labels, rename labels, add label category prefix, add emojis for each label

Add issue labels: Popularity extreme and high, Closed cannot be done, Categories kernel and public IP service

Original source Report a problem
Aug 9, 2024
- Parsed from source:
  Aug 9, 2024
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.37.1

Bugfix release for v3.37.0 with a nudge to upgrade to v3.39.0. It fixes VPN port forwarding, IPv6 detection, stream-only mode, and a spectrum of provider and OpenVPN tweaks for smoother connections and improved server handling.
ℹ️ This is a bugfix release for v3.37.0. If you can, please instead use the newer v3.39.0 release.

Fixes

VPN_PORT_FORWARDING_LISTENING_PORT fixed

IPv6 support detection ignores loopback route destinations

STREAM_ONLY behavior fixed (#2126)

Custom provider:

handle port option line for OpenVPN

ignore comments in an OpenVPN configuration file

assume port forwarding is always supported by a custom server

VPN Unlimited:

change default UDP port from 1194 to 1197

allow OpenVPN TCP on port 1197

Private Internet Access Wireguard and port forwarding

Set server name if names filter is set with the custom provider (see #2147)

PrivateVPN: updater now sets openvpn vpn type for the no-hostname server

Torguard: update OpenVPN configuration

add aes-128-gcm and aes-128-cbc to the ciphers option

remove mssfix, sndbuf, rcvbuf, ping and reneg options

set HTTP user agent to be allowed to download zip files

VPNSecure: associate N / A with no data for servers

AirVPN: set default mssfix to 1320-28=1292

Surfshark:

remove outdated hardcoded retro servers

Remove no longer valid multi hop regions

Fail validation for empty string region

Clearer error message for surfshark regions: only log possible 'new' server regions, do not log old retro-compatible server regions

Privado: update OpenVPN zip file URL

internal/server: /openvpn route status get and put

get status return stopped if running Wireguard

put status changes vpn type if running Wireguard

Log out last Gluetun release by semver tag name instead of by date

format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark

internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Bump github.com/breml/rootcerts from 0.2.14 to 0.2.17

PS: sorry for re-releasing this one 3 times, CI has been capricious with passing
Original source Report a problem
Aug 9, 2024
- Parsed from source:
  Aug 9, 2024
- Detected by Releasebot:
  Jan 7, 2026
Gluetun by qdm12

v3.38.1

Bugfix release for v3.38.0 with a nudge to upgrade to v3.39.0. It fixes IPv6 loopback, VPN port forwarding handling, OpenVPN config tweaks, and improves VPN status handling and error resilience across providers.
ℹ️ This is a bugfix release for v3.38.0. If you can, please instead use release v3.39.0

Fixes

Custom provider:

handle port option line for OpenVPN

ignore comments in an OpenVPN configuration file

assume port forwarding is always supported by a custom server

VPN Unlimited:

change default UDP port from 1194 to 1197

allow OpenVPN TCP on port 1197

Private Internet Access Wireguard and port forwarding

Set server name if names filter is set with the custom provider (see #2147)

PrivateVPN:

updater now sets openvpn vpn type for the no-hostname server

Torguard:

update OpenVPN configuration

add aes-128-gcm and aes-128-cbc ciphers

remove mssfix, sndbuf, rcvbuf, ping and reneg options

VPNSecure:

associate N / A with no data for servers

AirVPN:

set default mssfix to 1320-28=1292

Surfshark:

remove outdated hardcoded retro servers

Public IP echo:

ip2location parsing for latitude and longitude fixed

abort ip data fetch if vpn context is canceled (prevents requesting the public IP address N times after N VPN failures)

internal/server:

/openvpn route status get and put

get status

return stopped if running Wireguard

put status

changes vpn type if running Wireguard

Log out

if PORT_FORWARD_ONLY is enabled in the server filtering tree of settings

Log last Gluetun release

by tag name alphabetically instead of by release date

format-servers

fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark

internal/tun:

only create tun device if it does not exist, do not create if it exists and does not work

Original source Report a problem

qdm12 Release Notes

qdm12 Products

All qdm12 Release Notes

v3.41.0

Video of me reading out this release

Features

DNS

Fixes

Providers specific:

PureVPN:

VPN Unlimited:

VPN Secure updater:

WeVPN:

Servers storage:

VPN server side port forwarding:

Control server:

DNS:

Healthcheck:

Documentation

Readme

Maintenance

Code

CI

dev setup

The ranting section

The ranting section

v3.40.4

Fixes

DNS:

v3.40.1

v3.41.0 release notes

Fixes

v3.40.3

Fixes

v3.40.2

Fixes

DNS

ProtonVPN

Servers storage

v3.40.0

Features

Fixes

Documentation

Maintenance

CI

Development setup

Github labels

v3.39.1

Fixes

v3.39.0

Features

Fixes

Documentation

Maintenance

Code health

Development environment

Dependencies

CI

Github

v3.37.1

Fixes

Custom provider:

VPN Unlimited:

Private Internet Access Wireguard and port forwarding

PrivateVPN: updater now sets openvpn vpn type for the no-hostname server

Torguard: update OpenVPN configuration

VPNSecure: associate N / A with no data for servers

AirVPN: set default mssfix to 1320-28=1292

Surfshark:

Privado: update OpenVPN zip file URL

internal/server: /openvpn route status get and put

Log out last Gluetun release by semver tag name instead of by date

format-servers fixed missing VPN type header for providers supporting Wireguard: NordVPN and Surfshark

internal/tun: only create tun device if it does not exist, do not create if it exists and does not work

Bump github.com/breml/rootcerts from 0.2.14 to 0.2.17

PS: sorry for re-releasing this one 3 times, CI has been capricious with passing

v3.38.1

Fixes

Custom provider:

VPN Unlimited: