fix(purevpn): update openvpn configuration

- Credits to @mlapaj - Taken and verified from #2991
fix(slickvpn/updater): only keep 11 servers hardcoded
2026-06-28 23:07:38 +02:00 · 2025-12-24 03:18:02 +00:00 · 2025-12-24 03:18:02 +00:00 · 2025-12-24 03:18:02 +00:00 · 2025-12-24 03:18:02 +00:00 · 2025-12-24 03:18:02 +00:00
299 changed files with 28383 additions and 30311 deletions
@@ -1,2 +1,2 @@
-FROM ghcr.io/qdm12/godevcontainer:v0.21-alpine
-RUN apk add wireguard-tools htop openssl tcpdump iptables nftables
+FROM qmcgaw/godevcontainer:v0.20-alpine
+RUN apk add wireguard-tools htop openssl
@@ -19,16 +19,16 @@ It works on Linux, Windows (WSL2) and OSX.
    mkdir -p ~/.ssh
    ```

-1. **For OSX hosts**: ensure the project directory and your home directory `~` are accessible by Docker.
+1. **For Docker on OSX**: ensure the project directory and your home directory `~` are accessible by Docker.
 1. Open the command palette in Visual Studio Code (CTRL+SHIFT+P).
-1. Select `Dev-Containers: Open Folder in Container...` and choose the project directory.
+1. Select `Dev Containers: Open Folder in Container...` and choose the project directory.

 ## Customization

 For any customization to take effect, you should "rebuild and reopen":

 1. Open the command palette in Visual Studio Code (CTRL+SHIFT+P)
-2. Select `Dev-Containers: Rebuild Container`
+2. Select `Dev Containers: Rebuild Container`

 Changes you can make are notably:

@@ -82,9 +82,6 @@
                "gopls": {
                    "usePlaceholders": false,
                    "staticcheck": true,
-                    "ui.diagnostic.analyses": {
-                        "ST1000": false
-                    },
                    "formatting.gofumpt": true,
                },
                "go.lintTool": "golangci-lint",
@@ -67,6 +67,7 @@ body:
        - VPNSecure.me
        - VPNUnlimited
        - VyprVPN
+        - WeVPN
        - Windscribe
    validations:
      required: true
@@ -6,35 +6,12 @@ labels: ":bulb: New provider"

 ---

-Important notes:
+One of the following is required:

- There is no need to support both OpenVPN and Wireguard for a provider, but it's better to support both if possible
- We do **not** implement authentication to access servers information behind a login. This is way too time consuming unfortunately
- If it's not possible to support a provider natively, you can still use the [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
-
-## For Wireguard
-
-Wireguard can be natively supported ONLY if:
-
- the `PrivateKey` field value is the same across all servers for one user account
- the `Address` field value is:
-  - can be found in a structured (JSON etc.) list of servers publicly available; OR
-  - the same across all servers for one user account
- the `PublicKey` field value is:
-  - can be found in a structured (JSON etc.) list of servers publicly available; OR
-  - the same across all servers for one user account
- the `Endpoint` field value:
-  - can be found in a structured (JSON etc.) list of servers publicly available
-  - can be determined using a pattern, for example using country codes in hostnames
-
-If any of these conditions are not met, Wireguard cannot be natively supported or there is no advantage compared to using a custom Wireguard configuration file.
-
-If **all** of these conditions are met, please provide an answer for each of them.
-
-## For OpenVPN
-
-OpenVPN can be natively supported ONLY if one of the following can be provided, by preference in this order:
-
- Publicly accessible URL to a structured (JSON etc.) list of servers **and attach** an example Openvpn configuration file for both TCP and UDP; OR
- Publicly accessible URL to a zip file containing the Openvpn configuration files; OR
+- Publicly accessible URL to a zip file containing the Openvpn configuration files
+- Publicly accessible URL to a structured (JSON etc.) list of servers **and attach** an example Openvpn configuration file for both TCP and UDP
 - Publicly accessible URL to the list of servers **and attach** an example Openvpn configuration file for both TCP and UDP
+
+If the list of servers requires to login **or** is hidden behind an interactive configurator,
+you can only use a custom Openvpn configuration file.
+[The Wiki's OpenVPN configuration file page](https://github.com/qdm12/gluetun-wiki/blob/main/setup/openvpn-configuration-file.md) describes how to do so.
@@ -86,6 +86,8 @@
  color: "cfe8d4"
 - name: "☁️ Vyprvpn"
  color: "cfe8d4"
+- name: "☁️ WeVPN"
+  color: "cfe8d4"
 - name: "☁️ Windscribe"
  color: "cfe8d4"

@@ -1,12 +0,0 @@
-# Description
-
-<!-- Please describe the reason for the changes being proposed. -->
-
-# Issue
-
-<!-- Please link to the issue(s) this change relates to. -->
-
-# Assertions
-
-* [ ] I am aware that we do not accept manual changes to the servers.json file <!-- If this is your goal, please consult https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-using-the-command-line -->
-* [ ] I am aware that any changes to settings should be reflected in the [wiki](https://github.com/qdm12/gluetun-wiki/)
@@ -37,7 +37,7 @@ jobs:
    env:
      DOCKER_BUILDKIT: "1"
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      - uses: reviewdog/action-misspell@v1
        with:
@@ -45,7 +45,6 @@ jobs:
          level: error
          exclude: |
            ./internal/storage/servers.json
-            ./golangci.yml
            *.md

      - name: Linting
@@ -60,46 +59,13 @@ jobs:
      - name: Run tests in test container
        run: |
          touch coverage.txt
-          docker run --rm --cap-add=NET_ADMIN --device /dev/net/tun \
+          docker run --rm --device /dev/net/tun \
          -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
          test-container

-      - name: Verify dev cross platform compatibility
-        run: docker build --target xcompile .
-
      - name: Build final image
        run: docker build -t final-image .

-  verify-private:
-    if: |
-      github.repository == 'qdm12/gluetun' &&
-      (
-        github.event_name == 'push' ||
-        github.event_name == 'release' ||
-        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
-      )
-    needs: [verify]
-    runs-on: ubuntu-latest
-    environment: secrets
-    steps:
-      - uses: actions/checkout@v6
-
-      - run: docker build -t qmcgaw/gluetun .
-
-      - name: Setup Go for CI utility
-        uses: actions/setup-go@v6
-        with:
-          go-version-file: ci/go.mod
-
-      - name: Build utility
-        run: go build -C ./ci -o runner ./cmd/main.go
-
-      - name: Run Gluetun container with Mullvad configuration
-        run: echo -e "${{ secrets.MULLVAD_WIREGUARD_PRIVATE_KEY }}\n${{ secrets.MULLVAD_WIREGUARD_ADDRESS }}" | ./ci/runner mullvad
-
-      - name: Run Gluetun container with ProtonVPN configuration
-        run: echo -e "${{ secrets.PROTONVPN_WIREGUARD_PRIVATE_KEY }}" | ./ci/runner protonvpn
-
  codeql:
    runs-on: ubuntu-latest
    permissions:
@@ -107,15 +73,15 @@ jobs:
      contents: read
      security-events: write
    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-go@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version-file: go.mod
-      - uses: github/codeql-action/init@v4
+          go-version: "^1.23"
+      - uses: github/codeql-action/init@v3
        with:
          languages: go
-      - uses: github/codeql-action/autobuild@v4
-      - uses: github/codeql-action/analyze@v4
+      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/analyze@v3

  publish:
    if: |
@@ -125,14 +91,14 @@ jobs:
        github.event_name == 'release' ||
        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
      )
-    needs: [verify, verify-private, codeql]
+    needs: [verify, codeql]
    permissions:
      actions: read
      contents: read
      packages: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

      # extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
@@ -9,7 +9,7 @@ jobs:
      issues: write
    runs-on: ubuntu-latest
    steps:
-      - uses: peter-evans/create-or-update-comment@v5
+      - uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ github.token }}
          issue-number: ${{ github.event.issue.number }}
@@ -8,7 +8,6 @@
  "retryOn429": false,
  "fallbackRetryDelay": "30s",
  "aliveStatusCodes": [
-    200,
-    429
+    200
  ]
 }
@@ -11,7 +11,7 @@ jobs:
      issues: write
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
      - uses: crazy-max/ghaction-github-labeler@v5
        with:
          yaml-file: .github/labels.yml
@@ -18,12 +18,12 @@ jobs:
      actions: read
      contents: read
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4

-      - uses: DavidAnson/markdownlint-cli2-action@v21
+      - uses: DavidAnson/markdownlint-cli2-action@v18
        with:
          globs: "**.md"
-          config: .markdownlint-cli2.jsonc
+          config: .markdownlint.json

      - uses: reviewdog/action-misspell@v1
        with:
@@ -9,7 +9,7 @@ jobs:
      issues: write
    runs-on: ubuntu-latest
    steps:
-      - uses: peter-evans/create-or-update-comment@v5
+      - uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ github.token }}
          issue-number: ${{ github.event.issue.number }}
@@ -1,74 +1,30 @@
-version: "2"
+linters-settings:
+  misspell:
+    locale: US

-formatters:
-  enable:
-    - gci
-    - gofumpt
-    - goimports
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+issues:
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - dupl
+        - err113
+        - containedctx
+        - maintidx
+    - path: "internal\\/server\\/.+\\.go"
+      linters:
+        - dupl
+    - text: "returns interface \\(github\\.com\\/vishvananda\\/netlink\\.Link\\)"
+      linters:
+        - ireturn
+    - path: "internal\\/openvpn\\/pkcs8\\/descbc\\.go"
+      text: "newCipherDESCBCBlock returns interface \\(github\\.com\\/youmark\\/pkcs8\\.Cipher\\)"
+      linters:
+        - ireturn
+    - source: "^\\/\\/ https\\:\\/\\/.+$"
+      linters:
+        - lll

 linters:
-  settings:
-    misspell:
-      locale: US
-    goconst:
-      ignore-string-values:
-        # commonly used settings strings
-        - "^disabled$"
-        # Firewall and routing strings
-        - "^(ACCEPT|DROP)$"
-        - "^--append$"
-        - "^--delete$"
-        - "^all$"
-        - "^(tcp|udp)$"
-        # Server route strings
-        - "^/status$"
-
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    rules:
-      - linters:
-          - containedctx
-          - dupl
-          - err113
-          - maintidx
-        path: _test\.go
-      - linters:
-          - dupl
-        path: internal\/server\/.+\.go
-      - linters:
-          - ireturn
-        text: returns interface \(golang\.org\/x\/sys\/unix\.Sockaddr\)
-      - linters:
-          - ireturn
-        path: internal\/openvpn\/pkcs8\/descbc\.go
-        text: newCipherDESCBCBlock returns interface \(github\.com\/youmark\/pkcs8\.Cipher\)
-      - linters:
-          - revive
-        path: internal\/provider\/(common|utils)\/.+\.go
-        text: "var-naming: avoid (bad|meaningless) package names"
-      - linters:
-          - lll
-        source: "^// https://.+$"
-      - linters:
-          - err113
-          - mnd
-        path: ci\/.+\.go
-
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
  enable:
    # - cyclop
    # - errorlint
@@ -89,6 +45,7 @@ linters:
    - exhaustive
    - fatcontext
    - forcetypeassert
+    - gci
    - gocheckcompilerdirectives
    - gochecknoglobals
    - gochecknoinits
@@ -97,7 +54,9 @@ linters:
    - gocritic
    - gocyclo
    - godot
+    - gofumpt
    - goheader
+    - goimports
    - gomoddirectives
    - goprintffuncname
    - gosec
@@ -130,6 +89,7 @@ linters:
    - rowserrcheck
    - sqlclosecheck
    - tagalign
+    - tenv
    - thelper
    - tparallel
    - unconvert
@@ -1,9 +0,0 @@
-{
-  "config": {
-    "default": true,
-    "MD013": false,
-  },
-  "ignores": [
-    ".github/pull_request_template.md"
-  ]
-}
@@ -0,0 +1,3 @@
+{
+  "MD013": false
+}
@@ -0,0 +1,35 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Update a VPN provider servers data",
+            "type": "go",
+            "request": "launch",
+            "cwd": "${workspaceFolder}",
+            "program": "cmd/gluetun/main.go",
+            "args": [
+                "update",
+                "${input:updateMode}",
+                "-providers",
+                "${input:provider}"
+            ],
+        }
+    ],
+    "inputs": [
+        {
+            "id": "provider",
+            "type": "promptString",
+            "description": "Please enter a provider (or comma separated list of providers)",
+        },
+        {
+            "id": "updateMode",
+            "type": "pickString",
+            "description": "Update mode to use",
+            "options": [
+                "-maintainer",
+                "-enduser"
+            ],
+            "default": "-maintainer"
+        },
+    ]
+}
@@ -1,51 +0,0 @@
-{
-    "version": "2.0.0",
-    "tasks": [
-        {
-            "label": "Update a VPN provider servers data",
-            "type": "shell",
-            "command": "go",
-            "args": [
-                "run",
-                "./cmd/gluetun/main.go",
-                "update",
-                "${input:updateMode}",
-                "-providers",
-                "${input:provider}"
-            ],
-        },
-        {
-            "label": "Add a Gluetun Github Git remote",
-            "type": "shell",
-            "command": "git",
-            "args": [
-                "remote",
-                "add",
-                "${input:githubRemoteUsername}",
-                "git@github.com:${input:githubRemoteUsername}/gluetun.git"
-            ],
-        }
-    ],
-    "inputs": [
-        {
-            "id": "provider",
-            "type": "promptString",
-            "description": "Please enter a provider (or comma separated list of providers)",
-        },
-        {
-            "id": "updateMode",
-            "type": "pickString",
-            "description": "Update mode to use",
-            "options": [
-                "-maintainer",
-                "-enduser"
-            ],
-            "default": "-maintainer"
-        },
-        {
-            "id": "githubRemoteUsername",
-            "type": "promptString",
-            "description": "Please enter a Github username",
-        },
-    ]
-}
@@ -1,19 +1,19 @@
-ARG ALPINE_VERSION=3.22
-ARG GO_ALPINE_VERSION=3.22
-ARG GO_VERSION=1.25
-ARG XCPUTRANSLATE_VERSION=v0.9.0
-ARG GOLANGCI_LINT_VERSION=v2.4.0
+ARG ALPINE_VERSION=3.20
+ARG GO_ALPINE_VERSION=3.20
+ARG GO_VERSION=1.23
+ARG XCPUTRANSLATE_VERSION=v0.6.0
+ARG GOLANGCI_LINT_VERSION=v1.61.0
 ARG MOCKGEN_VERSION=v1.6.0
 ARG BUILDPLATFORM=linux/amd64

-FROM --platform=${BUILDPLATFORM} ghcr.io/qdm12/xcputranslate:${XCPUTRANSLATE_VERSION} AS xcputranslate
-FROM --platform=${BUILDPLATFORM} ghcr.io/qdm12/binpot:golangci-lint-${GOLANGCI_LINT_VERSION} AS golangci-lint
-FROM --platform=${BUILDPLATFORM} ghcr.io/qdm12/binpot:mockgen-${MOCKGEN_VERSION} AS mockgen
+FROM --platform=${BUILDPLATFORM} qmcgaw/xcputranslate:${XCPUTRANSLATE_VERSION} AS xcputranslate
+FROM --platform=${BUILDPLATFORM} qmcgaw/binpot:golangci-lint-${GOLANGCI_LINT_VERSION} AS golangci-lint
+FROM --platform=${BUILDPLATFORM} qmcgaw/binpot:mockgen-${MOCKGEN_VERSION} AS mockgen

 FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine${GO_ALPINE_VERSION} AS base
 COPY --from=xcputranslate /xcputranslate /usr/local/bin/xcputranslate
 # Note: findutils needed to have xargs support `-d` flag for mocks stage.
-RUN apk --update add git g++ findutils iptables
+RUN apk --update add git g++ findutils
 ENV CGO_ENABLED=0
 COPY --from=golangci-lint /bin /go/bin/golangci-lint
 COPY --from=mockgen /bin /go/bin/mockgen
@@ -32,7 +32,7 @@ ENTRYPOINT go test -race -coverpkg=./... -coverprofile=coverage.txt -covermode=a

 FROM --platform=${BUILDPLATFORM} base AS lint
 COPY .golangci.yml ./
-RUN golangci-lint run
+RUN golangci-lint run --timeout=10m

 FROM --platform=${BUILDPLATFORM} base AS mocks
 RUN git init && \
@@ -46,10 +46,6 @@ RUN git init && \
    git diff --exit-code && \
    rm -rf .git/

-FROM --platform=${BUILDPLATFORM} base AS xcompile
-RUN GOOS=darwin go build -o /dev/null ./...
-RUN GOOS=windows go build -o /dev/null ./...
-
 FROM --platform=${BUILDPLATFORM} base AS build
 ARG TARGETPLATFORM
 ARG VERSION=unknown
@@ -110,11 +106,8 @@ ENV VPN_SERVICE_PROVIDER=pia \
    WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL=0 \
    WIREGUARD_ADDRESSES= \
    WIREGUARD_ADDRESSES_SECRETFILE=/run/secrets/wireguard_addresses \
-    WIREGUARD_MTU= \
+    WIREGUARD_MTU=1320 \
    WIREGUARD_IMPLEMENTATION=auto \
-    # PMTUD
-    PMTUD_ICMP_ADDRESSES=1.1.1.1,8.8.8.8 \
-    PMTUD_TCP_ADDRESSES=1.1.1.1:443,8.8.8.8:443,1.1.1.1:53,8.8.8.8:53,[2606:4700:4700::1111]:53,[2001:4860:4860::8888]:53,[2606:4700:4700::1111]:443,[2001:4860:4860::8888]:443 \
    # VPN server filtering
    SERVER_REGIONS= \
    SERVER_COUNTRIES= \
@@ -170,23 +163,20 @@ ENV VPN_SERVICE_PROVIDER=pia \
    LOG_LEVEL=info \
    # Health
    HEALTH_SERVER_ADDRESS=127.0.0.1:9999 \
-    HEALTH_TARGET_ADDRESSES=cloudflare.com:443,github.com:443 \
-    HEALTH_ICMP_TARGET_IPS=1.1.1.1,8.8.8.8 \
-    HEALTH_SMALL_CHECK_TYPE=icmp \
-    HEALTH_RESTART_VPN=on \
-    # DNS
-    DNS_SERVER=on \
-    DNS_UPSTREAM_RESOLVER_TYPE=DoT \
-    DNS_UPSTREAM_RESOLVERS=cloudflare \
-    DNS_BLOCK_IPS= \
-    DNS_BLOCK_IP_PREFIXES= \
-    DNS_CACHING=on \
-    DNS_UPSTREAM_IPV6=off \
+    HEALTH_TARGET_ADDRESS=cloudflare.com:443 \
+    HEALTH_SUCCESS_WAIT_DURATION=5s \
+    HEALTH_VPN_DURATION_INITIAL=6s \
+    HEALTH_VPN_DURATION_ADDITION=5s \
+    # DNS over TLS
+    DOT=on \
+    DOT_PROVIDERS=cloudflare \
+    DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112 \
+    DOT_CACHING=on \
+    DOT_IPV6=off \
    BLOCK_MALICIOUS=on \
    BLOCK_SURVEILLANCE=off \
    BLOCK_ADS=off \
-    DNS_UNBLOCK_HOSTNAMES= \
-    DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES= \
+    UNBLOCK= \
    DNS_UPDATE_PERIOD=24h \
    DNS_ADDRESS=127.0.0.1 \
    DNS_KEEP_NAMESERVER=off \
@@ -210,7 +200,6 @@ ENV VPN_SERVICE_PROVIDER=pia \
    HTTP_CONTROL_SERVER_LOG=on \
    HTTP_CONTROL_SERVER_ADDRESS=":8000" \
    HTTP_CONTROL_SERVER_AUTH_CONFIG_FILEPATH=/gluetun/auth/config.toml \
-    HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE="{}" \
    # Server data updater
    UPDATER_PERIOD=0 \
    UPDATER_MIN_RATIO=0.8 \
@@ -232,8 +221,8 @@ ENV VPN_SERVICE_PROVIDER=pia \
    # Extras
    VERSION_INFORMATION=on \
    TZ= \
-    PUID=1000 \
-    PGID=1000
+    PUID= \
+    PGID=
 ENTRYPOINT ["/gluetun-entrypoint"]
 EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp
 HEALTHCHECK --interval=5s --timeout=5s --start-period=10s --retries=3 CMD /gluetun-entrypoint healthcheck
@@ -1,8 +1,6 @@
 # Gluetun VPN client

-⚠️ This and [gluetun-wiki](https://github.com/qdm12/gluetun-wiki) are the only websites for Gluetun, other websites claiming to be official are scams ⚠️
-
-Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
+Lightweight swiss-knife-like VPN client to multiple VPN service providers

 ![Title image](https://raw.githubusercontent.com/qdm12/gluetun/master/title.svg)

@@ -28,6 +26,7 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 [![GitHub issues](https://img.shields.io/github/issues/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues)
 [![GitHub closed issues](https://img.shields.io/github/issues-closed/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues?q=is%3Aissue+is%3Aclosed)

+[![Lines of code](https://img.shields.io/tokei/lines/github/qdm12/gluetun)](https://github.com/qdm12/gluetun)
 ![Code size](https://img.shields.io/github/languages/code-size/qdm12/gluetun)
 ![GitHub repo size](https://img.shields.io/github/repo-size/qdm12/gluetun)
 ![Go version](https://img.shields.io/github/go-mod/go-version/qdm12/gluetun)
@@ -57,12 +56,12 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers

 ## Features

- Based on Alpine 3.22 for a small Docker image of 41.1MB
- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad** (Wireguard only), **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **Windscribe** servers
+- Based on Alpine 3.20 for a small Docker image of 35.6MB
+- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad**, **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **WeVPN**, **Windscribe** servers
 - Supports OpenVPN for all providers listed
 - Supports Wireguard both kernelspace and userspace
  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
-  - For **Cyberghost**, **Private Internet Access**, **PrivateVPN**, **PureVPN**, **Torguard**, **VPN Unlimited** and **VyprVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
+  - For **Cyberghost**, **Private Internet Access**, **PrivateVPN**, **PureVPN**, **Torguard**, **VPN Unlimited**, **VyprVPN** and **WeVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
  - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
  - More in progress, see [#134](https://github.com/qdm12/gluetun/issues/134)
 - DNS over TLS baked in with service provider(s) of your choice
@@ -89,7 +88,7 @@ Go to the [Wiki](https://github.com/qdm12/gluetun-wiki)!
 Here's a docker-compose.yml for the laziest:

 ```yml
---
+version: "3"
 services:
  gluetun:
    image: qmcgaw/gluetun
@@ -125,10 +124,6 @@ services:

 🆕 Image also available as `ghcr.io/qdm12/gluetun`

-## Fun graphs
-
-[![Star History Chart](https://api.star-history.com/svg?repos=qdm12/gluetun&type=date&legend=top-left)](https://www.star-history.com/#qdm12/gluetun&type=date&legend=top-left)
-
 ## License

 [![MIT](https://img.shields.io/github/license/qdm12/gluetun)](https://github.com/qdm12/gluetun/blob/master/LICENSE)
@@ -1,37 +0,0 @@
-package main
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"os/signal"
-
-	"github.com/qdm12/gluetun/ci/internal"
-	"github.com/qdm12/log"
-)
-
-func main() {
-	logger := log.New()
-	if len(os.Args) < 2 {
-		logger.Error("Usage: " + os.Args[0] + " <command>")
-		os.Exit(1)
-	}
-
-	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
-
-	var err error
-	switch os.Args[1] {
-	case "mullvad":
-		err = internal.MullvadTest(ctx, logger)
-	case "protonvpn":
-		err = internal.ProtonVPNTest(ctx, logger)
-	default:
-		err = fmt.Errorf("unknown command: %s", os.Args[1])
-	}
-	stop()
-	if err != nil {
-		logger.Error(err.Error())
-		os.Exit(1)
-	}
-	logger.Info("test completed successfully")
-}
@@ -1,40 +0,0 @@
-module github.com/qdm12/gluetun/ci
-
-go 1.25.0
-
-require (
-	github.com/docker/docker v28.5.1+incompatible
-	github.com/opencontainers/image-spec v1.1.1
-)
-
-require (
-	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
-	github.com/containerd/log v0.1.0 // indirect
-	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
-	github.com/docker/go-units v0.5.0 // indirect
-	github.com/fatih/color v1.13.0 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/mattn/go-colorable v0.1.9 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
-	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/sys/atomicwriter v0.1.0 // indirect
-	github.com/moby/term v0.5.2 // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/qdm12/log v0.1.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-	go.opentelemetry.io/otel v1.38.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
-	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/time v0.14.0 // indirect
-	gotest.tools/v3 v3.5.2 // indirect
-)
@@ -1,109 +0,0 @@
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
-github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
-github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
-github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
-github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
-github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
-github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
-github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
-github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
-github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM=
-github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
-github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
-github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
-github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
-github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
-github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
-github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
-github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
-github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
-github.com/mattn/go-colorable v0.1.9 h1:sqDoxXbdeALODt0DAeJCVp38ps9ZogZEAXjus69YV3U=
-github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
-github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
-github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
-github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
-github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
-github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
-github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
-github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
-github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
-github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
-github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
-github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
-github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/qdm12/log v0.1.0 h1:jYBd/xscHYpblzZAd2kjZp2YmuYHjAAfbTViJWxoPTw=
-github.com/qdm12/log v0.1.0/go.mod h1:Vchi5M8uBvHfPNIblN4mjXn/oSbiWguQIbsgF1zdQPI=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
-go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
-go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
-go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
-go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
-go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
-go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
-go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
-go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
-go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
-go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
-go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
-go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
-golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
-golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
-golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
-golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
-google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
-google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc=
-google.golang.org/grpc v1.75.0 h1:+TW+dqTd2Biwe6KKfhE5JpiYIBWq865PhKGSXiivqt4=
-google.golang.org/grpc v1.75.0/go.mod h1:JtPAzKiq4v1xcAB2hydNlWI2RnF85XXcV0mhKXr2ecQ=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
-gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
@@ -1,27 +0,0 @@
-package internal
-
-import (
-	"context"
-	"fmt"
-)
-
-func MullvadTest(ctx context.Context, logger Logger) error {
-	expectedSecrets := []string{
-		"Wireguard private key",
-		"Wireguard address",
-	}
-	secrets, err := readSecrets(ctx, expectedSecrets, logger)
-	if err != nil {
-		return fmt.Errorf("reading secrets: %w", err)
-	}
-
-	env := []string{
-		"VPN_SERVICE_PROVIDER=mullvad",
-		"VPN_TYPE=wireguard",
-		"LOG_LEVEL=debug",
-		"SERVER_COUNTRIES=USA",
-		"WIREGUARD_PRIVATE_KEY=" + secrets[0],
-		"WIREGUARD_ADDRESSES=" + secrets[1],
-	}
-	return simpleTest(ctx, env, logger)
-}
@@ -1,25 +0,0 @@
-package internal
-
-import (
-	"context"
-	"fmt"
-)
-
-func ProtonVPNTest(ctx context.Context, logger Logger) error {
-	expectedSecrets := []string{
-		"Wireguard private key",
-	}
-	secrets, err := readSecrets(ctx, expectedSecrets, logger)
-	if err != nil {
-		return fmt.Errorf("reading secrets: %w", err)
-	}
-
-	env := []string{
-		"VPN_SERVICE_PROVIDER=protonvpn",
-		"VPN_TYPE=wireguard",
-		"LOG_LEVEL=debug",
-		"SERVER_COUNTRIES=United States",
-		"WIREGUARD_PRIVATE_KEY=" + secrets[0],
-	}
-	return simpleTest(ctx, env, logger)
-}
@@ -1,49 +0,0 @@
-package internal
-
-import (
-	"bufio"
-	"context"
-	"fmt"
-	"os"
-	"strings"
-)
-
-type Logger interface {
-	Info(msg string)
-	Infof(format string, args ...any)
-}
-
-func readSecrets(ctx context.Context, expectedSecrets []string,
-	logger Logger,
-) (lines []string, err error) {
-	scanner := bufio.NewScanner(os.Stdin)
-	lines = make([]string, 0, len(expectedSecrets))
-
-	for i := range expectedSecrets {
-		logger.Infof("🤫 reading %s from Stdin...", expectedSecrets[i])
-		if !scanner.Scan() {
-			break
-		}
-		lines = append(lines, strings.TrimSpace(scanner.Text()))
-		logger.Infof("🤫 %s secret read successfully", expectedSecrets[i])
-		if ctx.Err() != nil {
-			return nil, ctx.Err()
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		return nil, fmt.Errorf("reading secrets from stdin: %w", err)
-	}
-
-	if len(lines) < len(expectedSecrets) {
-		return nil, fmt.Errorf("expected %d secrets via Stdin, but only received %d",
-			len(expectedSecrets), len(lines))
-	}
-	for i, line := range lines {
-		if line == "" {
-			return nil, fmt.Errorf("secret on line %d/%d was empty", i+1, len(lines))
-		}
-	}
-
-	return lines, nil
-}
@@ -1,134 +0,0 @@
-package internal
-
-import (
-	"bufio"
-	"context"
-	"fmt"
-	"io"
-	"regexp"
-	"time"
-
-	"github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/client"
-	v1 "github.com/opencontainers/image-spec/specs-go/v1"
-)
-
-func ptrTo[T any](v T) *T { return &v }
-
-func simpleTest(ctx context.Context, env []string, logger Logger) error {
-	const timeout = 30 * time.Second
-	ctx, cancel := context.WithTimeout(ctx, timeout)
-	defer cancel()
-
-	client, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	if err != nil {
-		return fmt.Errorf("creating Docker client: %w", err)
-	}
-	defer client.Close()
-
-	config := &container.Config{
-		Image:       "qmcgaw/gluetun",
-		StopTimeout: ptrTo(3),
-		Env:         env,
-	}
-	hostConfig := &container.HostConfig{
-		AutoRemove: true,
-		CapAdd:     []string{"NET_ADMIN", "NET_RAW"},
-	}
-	networkConfig := (*network.NetworkingConfig)(nil)
-	platform := (*v1.Platform)(nil)
-	const containerName = "" // auto-generated name
-
-	response, err := client.ContainerCreate(ctx, config, hostConfig, networkConfig, platform, containerName)
-	if err != nil {
-		return fmt.Errorf("creating container: %w", err)
-	}
-	for _, warning := range response.Warnings {
-		fmt.Println("Warning during container creation:", warning)
-	}
-	containerID := response.ID
-	defer stopContainer(client, containerID)
-
-	beforeStartTime := time.Now()
-
-	err = client.ContainerStart(ctx, containerID, container.StartOptions{})
-	if err != nil {
-		return fmt.Errorf("starting container: %w", err)
-	}
-
-	return waitForLogLine(ctx, client, containerID, beforeStartTime, logger)
-}
-
-func stopContainer(client *client.Client, containerID string) {
-	const stopTimeout = 5 * time.Second // must be higher than 3s, see above [container.Config]'s StopTimeout field
-	stopCtx, stopCancel := context.WithTimeout(context.Background(), stopTimeout)
-	defer stopCancel()
-
-	err := client.ContainerStop(stopCtx, containerID, container.StopOptions{})
-	if err != nil {
-		fmt.Println("failed to stop container:", err)
-	}
-}
-
-var successRegexp = regexp.MustCompile(`^.+Public IP address is .+$`)
-
-func waitForLogLine(ctx context.Context, client *client.Client, containerID string,
-	beforeStartTime time.Time, logger Logger,
-) error {
-	logOptions := container.LogsOptions{
-		ShowStdout: true,
-		Follow:     true,
-		Since:      beforeStartTime.Format(time.RFC3339Nano),
-	}
-
-	reader, err := client.ContainerLogs(ctx, containerID, logOptions)
-	if err != nil {
-		return fmt.Errorf("error getting container logs: %w", err)
-	}
-	defer reader.Close()
-
-	var linesSeen []string
-	scanner := bufio.NewScanner(reader)
-	for ctx.Err() == nil {
-		if scanner.Scan() {
-			line := scanner.Text()
-			if len(line) > 8 { // remove Docker log prefix
-				line = line[8:]
-			}
-			linesSeen = append(linesSeen, line)
-			if successRegexp.MatchString(line) {
-				fmt.Println("✅ Success line logged")
-				return nil
-			}
-			continue
-		}
-		err := scanner.Err()
-		if err != nil && err != io.EOF {
-			logSeenLines(logger, linesSeen)
-			return fmt.Errorf("reading log stream: %w", err)
-		}
-
-		// The scanner is either done or cannot read because of EOF
-		logger.Info("the log scanner stopped")
-		logSeenLines(logger, linesSeen)
-
-		// Check if the container is still running
-		inspect, err := client.ContainerInspect(ctx, containerID)
-		if err != nil {
-			return fmt.Errorf("inspecting container: %w", err)
-		}
-		if !inspect.State.Running {
-			return fmt.Errorf("container stopped unexpectedly while waiting for log line. Exit code: %d", inspect.State.ExitCode)
-		}
-	}
-
-	return ctx.Err()
-}
-
-func logSeenLines(logger Logger, lines []string) {
-	fmt.Println("Logs seen so far:")
-	for _, line := range lines {
-		fmt.Println("  " + line)
-	}
-}
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io/fs"
 	"net/http"
-	"net/netip"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -23,7 +22,6 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/sources/files"
 	"github.com/qdm12/gluetun/internal/configuration/sources/secrets"
 	"github.com/qdm12/gluetun/internal/constants"
-	copenvpn "github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/dns"
 	"github.com/qdm12/gluetun/internal/firewall"
 	"github.com/qdm12/gluetun/internal/healthcheck"
@@ -166,9 +164,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		}
 	}

-	defer fmt.Println(gluetunLogo)
-
-	announcementExp, err := time.Parse(time.RFC3339, "2026-04-01T00:00:00Z")
+	announcementExp, err := time.Parse(time.RFC3339, "2024-12-01T00:00:00Z")
 	if err != nil {
 		return err
 	}
@@ -179,7 +175,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		Version:      buildInfo.Version,
 		Commit:       buildInfo.Commit,
 		Created:      buildInfo.Created,
-		Announcement: "All control server routes are now private by default",
+		Announcement: "All control server routes will become private by default after the v3.41.0 release",
 		AnnounceExp:  announcementExp,
 		// Sponsor information
 		PaypalUser:    "qmcgaw",
@@ -237,10 +233,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		if err != nil {
 			return err
 		}
-		err = netLinker.FlushConntrack()
-		if err != nil {
-			logger.Warnf("flushing conntrack failed: %s", err)
-		}
 	}

 	// TODO run this in a loop or in openvpn to reload from file without restarting
@@ -268,22 +260,19 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,

 	puid, pgid := int(*allSettings.System.PUID), int(*allSettings.System.PGID)

-	const clientTimeout = 35 * time.Second
+	const clientTimeout = 15 * time.Second
 	httpClient := &http.Client{Timeout: clientTimeout}
 	// Create configurators
 	alpineConf := alpine.New()
 	ovpnConf := openvpn.New(
 		logger.New(log.SetComponent("openvpn configurator")),
 		cmder, puid, pgid)
-	ovpnVersion := ovpnConf.Version26
-	if allSettings.VPN.OpenVPN.Version == copenvpn.Openvpn25 {
-		ovpnVersion = ovpnConf.Version25
-	}

 	err = printVersions(ctx, logger, []printVersionElement{
 		{name: "Alpine", getVersion: alpineConf.Version},
-		{name: "OpenVPN", getVersion: ovpnVersion},
-		{name: "Firewall", getVersion: firewallConf.Version},
+		{name: "OpenVPN 2.5", getVersion: ovpnConf.Version25},
+		{name: "OpenVPN 2.6", getVersion: ovpnConf.Version26},
+		{name: "IPtables", getVersion: firewallConf.Version},
 	})
 	if err != nil {
 		return err
@@ -425,13 +414,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		return fmt.Errorf("starting public ip loop: %w", err)
 	}

-	healthLogger := logger.New(log.SetComponent("healthcheck"))
-	healthcheckServer := healthcheck.NewServer(allSettings.Health, healthLogger)
-	healthServerHandler, healthServerCtx, healthServerDone := goshutdown.NewGoRoutineHandler(
-		"HTTP health server", goroutine.OptionTimeout(defaultShutdownTimeout))
-	go healthcheckServer.Run(healthServerCtx, healthServerDone)
-	healthChecker := healthcheck.NewChecker(healthLogger)
-
 	updaterLogger := logger.New(log.SetComponent("updater"))

 	unzipper := unzip.New(httpClient)
@@ -443,8 +425,8 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,

 	vpnLogger := logger.New(log.SetComponent("vpn"))
 	vpnLooper := vpn.NewLoop(allSettings.VPN, ipv6Supported, allSettings.Firewall.VPNInputPorts,
-		providers, storage, allSettings.Health, healthChecker, healthcheckServer, ovpnConf, netLinker, firewallConf,
-		routingConf, portForwardLooper, cmder, publicIPLooper, dnsLooper, vpnLogger, httpClient,
+		providers, storage, ovpnConf, netLinker, firewallConf, routingConf, portForwardLooper,
+		cmder, publicIPLooper, dnsLooper, vpnLogger, httpClient,
 		buildInfo, *allSettings.Version.Enabled)
 	vpnHandler, vpnCtx, vpnDone := goshutdown.NewGoRoutineHandler(
 		"vpn", goroutine.OptionTimeout(time.Second))
@@ -478,10 +460,13 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	go shadowsocksLooper.Run(shadowsocksCtx, shadowsocksDone)
 	otherGroupHandler.Add(shadowsocksHandler)

+	controlServerAddress := *allSettings.ControlServer.Address
+	controlServerLogging := *allSettings.ControlServer.Log
 	httpServerHandler, httpServerCtx, httpServerDone := goshutdown.NewGoRoutineHandler(
 		"http server", goroutine.OptionTimeout(defaultShutdownTimeout))
-	httpServer, err := server.New(httpServerCtx, allSettings.ControlServer,
+	httpServer, err := server.New(httpServerCtx, controlServerAddress, controlServerLogging,
 		logger.New(log.SetComponent("http server")),
+		allSettings.ControlServer.AuthFilePath,
 		buildInfo, vpnLooper, portForwardLooper, dnsLooper, updaterLooper, publicIPLooper,
 		storage, ipv6Supported)
 	if err != nil {
@@ -492,6 +477,12 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	<-httpServerReady
 	controlGroupHandler.Add(httpServerHandler)

+	healthLogger := logger.New(log.SetComponent("healthcheck"))
+	healthcheckServer := healthcheck.NewServer(allSettings.Health, healthLogger, vpnLooper)
+	healthServerHandler, healthServerCtx, healthServerDone := goshutdown.NewGoRoutineHandler(
+		"HTTP health server", goroutine.OptionTimeout(defaultShutdownTimeout))
+	go healthcheckServer.Run(healthServerCtx, healthServerDone)
+
 	orderHandler := goshutdown.NewOrderHandler("gluetun",
 		order.OptionTimeout(totalShutdownTimeout),
 		order.OptionOnSuccess(defaultShutdownOnSuccess),
@@ -560,25 +551,24 @@ type netLinker interface {
 	Linker
 	IsWireguardSupported() (ok bool, err error)
 	IsIPv6Supported() (ok bool, err error)
-	FlushConntrack() error
 	PatchLoggerLevel(level log.Level)
 }

 type Addresser interface {
-	AddrList(linkIndex uint32, family uint8) (
-		addresses []netip.Prefix, err error)
-	AddrReplace(linkIndex uint32, addr netip.Prefix) error
+	AddrList(link netlink.Link, family int) (
+		addresses []netlink.Addr, err error)
+	AddrReplace(link netlink.Link, addr netlink.Addr) error
 }

 type Router interface {
-	RouteList(family uint8) (routes []netlink.Route, err error)
+	RouteList(family int) (routes []netlink.Route, err error)
 	RouteAdd(route netlink.Route) error
 	RouteDel(route netlink.Route) error
 	RouteReplace(route netlink.Route) error
 }

 type Ruler interface {
-	RuleList(family uint8) (rules []netlink.Rule, err error)
+	RuleList(family int) (rules []netlink.Rule, err error)
 	RuleAdd(rule netlink.Rule) error
 	RuleDel(rule netlink.Rule) error
 }
@@ -586,12 +576,11 @@ type Ruler interface {
 type Linker interface {
 	LinkList() (links []netlink.Link, err error)
 	LinkByName(name string) (link netlink.Link, err error)
-	LinkByIndex(index uint32) (link netlink.Link, err error)
-	LinkAdd(link netlink.Link) (linkIndex uint32, err error)
-	LinkDel(linkIndex uint32) (err error)
-	LinkSetUp(linkIndex uint32) (err error)
-	LinkSetDown(linkIndex uint32) (err error)
-	LinkSetMTU(linkIndex, mtu uint32) error
+	LinkByIndex(index int) (link netlink.Link, err error)
+	LinkAdd(link netlink.Link) (linkIndex int, err error)
+	LinkDel(link netlink.Link) (err error)
+	LinkSetUp(link netlink.Link) (linkIndex int, err error)
+	LinkSetDown(link netlink.Link) (err error)
 }

 type clier interface {
@@ -613,34 +602,3 @@ type RunStarter interface {
 	Start(cmd *exec.Cmd) (stdoutLines, stderrLines <-chan string,
 		waitError <-chan error, err error)
 }
-
-const gluetunLogo = `                         @@@
-                         @@@@
-                        @@@@@@
-                       @@@@.@@                       @@@@@@@@@@
-                       @@@@.@@@                   @@@@@@@@==@@@@
-                      @@@.@..@@                @@@@@@@=@..==@@@@
-            @@@@      @@@.@@.@@              @@@@@@===@@@@.=@@@
-           @...-@@   @@@@.@@.@@@  @@@     @@@@@@=======@@@=@@@@
-           @@@@@@@@  @@@.-%@.+@@@@@@@@  @@@@@%============@@@@
-                     @@@.--@..@@@@.-@@@@@@@==============@@@@
-              @@@@  @@@-@--@@.@@.---@@@@@==============#@@@@@
-              @@@   @@@.@@-@@.@@--@@@@@===============@@@@@@
-                   @@@@.@--@@@@@@@@@@================@@@@@@@
-                   @@@..--@@*@@@@@@================@@@@+*@@
-                   @@@.---@@.@@@@=================@@@@--@@
-                  @@@-.---@@@@@@================@@@@*--@@@
-                  @@@.:-#@@@@@@===============*@@@@.---@@
-                  @@@.-------.@@@============@@@@@@.--@@@
-                 @@@..--------:@@@=========@@@@@@@@.--@@@
-                 @@@.-@@@@@@@@@@@========@@@@@  @@@.--@@
-                 @@.@@@@===============@@@@@ @@@@@@---@@@@@@
-                @@@@@@@==============@@@@@@@@@@@@*@---@@@@@@@@
-                @@@@@@=============@@@@@ @@@...------------.*@@@
-                @@@@%===========@@@@@@ @@@..------@@@@.-----.-@@@
-                @@@@@@.=======@@@@@@  @@@.-------@@@@@@-.------=@@
-               @@@@@@@@@===@@@@@@     @@.------@@@@   @@@@.-----@@@
-               @@@==@@@=@@@@@@@      @@@.-@@@@@@@       @@@@@@@--@@
-               @@@@@@@@@@@@@         @@@@@@@@                @@@@@@@
-                @@@@@@@@             @@@@                       @@@@
-                                                                       `
@@ -1,34 +1,30 @@
 module github.com/qdm12/gluetun

-go 1.25.0
+go 1.23

 require (
 	github.com/ProtonMail/go-srp v0.0.7
-	github.com/breml/rootcerts v0.3.4
+	github.com/breml/rootcerts v0.2.19
 	github.com/fatih/color v1.18.0
 	github.com/golang/mock v1.6.0
-	github.com/google/nftables v0.3.0
-	github.com/jsimonetti/rtnetlink v1.4.2
-	github.com/klauspost/compress v1.18.1
+	github.com/klauspost/compress v1.17.11
 	github.com/klauspost/pgzip v1.2.6
-	github.com/mdlayher/genetlink v1.3.2
-	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42
-	github.com/pelletier/go-toml/v2 v2.2.4
-	github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260216151239-36b3306f2205
+	github.com/pelletier/go-toml/v2 v2.2.3
+	github.com/qdm12/dns/v2 v2.0.0-rc8
 	github.com/qdm12/gosettings v0.4.4
 	github.com/qdm12/goshutdown v0.3.0
 	github.com/qdm12/gosplash v0.2.0
 	github.com/qdm12/gotree v0.3.0
 	github.com/qdm12/log v0.1.0
 	github.com/qdm12/ss-server v0.6.0
-	github.com/stretchr/testify v1.11.1
-	github.com/ti-mo/netfilter v0.5.3
-	github.com/ulikunitz/xz v0.5.15
+	github.com/stretchr/testify v1.10.0
+	github.com/ulikunitz/xz v0.5.11
+	github.com/vishvananda/netlink v1.2.1
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
-	golang.org/x/net v0.49.0
-	golang.org/x/sys v0.40.0
-	golang.org/x/text v0.33.0
+	golang.org/x/net v0.31.0
+	golang.org/x/sys v0.30.0
+	golang.org/x/text v0.22.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	gopkg.in/ini.v1 v1.67.0
@@ -39,13 +35,16 @@ require (
 	github.com/ProtonMail/go-crypto v1.3.0-proton // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/cronokirby/saferith v0.33.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/josharian/native v1.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mdlayher/socket v0.5.1 // indirect
+	github.com/mdlayher/genetlink v1.3.2 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/miekg/dns v1.1.62 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -54,13 +53,13 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.60.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978 // indirect
+	github.com/qdm12/goservices v0.1.0 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
-	golang.org/x/crypto v0.47.0 // indirect
-	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/sync v0.11.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -8,16 +8,14 @@ github.com/ProtonMail/go-srp v0.0.7 h1:Sos3Qk+th4tQR64vsxGIxYpN3rdnG9Wf9K4ZloC1J
 github.com/ProtonMail/go-srp v0.0.7/go.mod h1:giCp+7qRnMIcCvI6V6U3S1lDDXDQYx2ewJ6F/9wdlJk=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/breml/rootcerts v0.3.4 h1:9i7WNl/ctd9OEAOaTfLy//Wrlfxq/tRQ7v4okYFN9Ys=
-github.com/breml/rootcerts v0.3.4/go.mod h1:S/PKh+4d1HUn4HQovEB8hPJZO6pUZYrIhmXBhsegfXw=
+github.com/breml/rootcerts v0.2.19 h1:3D/qwAC1xoh82GmZ21mYzQ1NaLOICUVntIo+MRZYr4U=
+github.com/breml/rootcerts v0.2.19/go.mod h1:S/PKh+4d1HUn4HQovEB8hPJZO6pUZYrIhmXBhsegfXw=
 github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
-github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cronokirby/saferith v0.33.0 h1:TgoQlfsD4LIwx71+ChfRcIpjkw+RPOapDEVxa+LhwLo=
 github.com/cronokirby/saferith v0.33.0/go.mod h1:QKJhjoqUtBsXCAVEjw38mFqoi7DebT7kthcD7UzbnoA=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -28,14 +26,12 @@ github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
-github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/nftables v0.3.0 h1:bkyZ0cbpVeMHXOrtlFc8ISmfVqq5gPJukoYieyVmITg=
-github.com/google/nftables v0.3.0/go.mod h1:BCp9FsrbF1Fn/Yu6CLUc9GGZFw/+hsxfluNXXmxBfRM=
-github.com/jsimonetti/rtnetlink v1.4.2 h1:Df9w9TZ3npHTyDn0Ev9e1uzmN2odmXd0QX+J5GTEn90=
-github.com/jsimonetti/rtnetlink v1.4.2/go.mod h1:92s6LJdE+1iOrw+F2/RO7LYI2Qd8pPpFNNUYW06gcoM=
-github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
-github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -49,18 +45,18 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
-github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
-github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
-github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
+github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
 github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
 github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -73,10 +69,10 @@ github.com/prometheus/common v0.60.1 h1:FUas6GcOw66yB/73KC+BOZoFJmbo/1pojoILArPA
 github.com/prometheus/common v0.60.1/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260216151239-36b3306f2205 h1:0ycKUDQ50cYb2QpeyGcEnvVs9HJmC9jsb/XZNC1z28c=
-github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260216151239-36b3306f2205/go.mod h1:98foWgXJZ+g8gJIuO+fdO+oWpFei5WShMFTeN4Im2lE=
-github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978 h1:TRGpCU1l0lNwtogEUSs5U+RFceYxkAJUmrGabno7J5c=
-github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978/go.mod h1:D1Po4CRQLYjccnAR2JsVlN1sBMgQrcNLONbvyuzcdTg=
+github.com/qdm12/dns/v2 v2.0.0-rc8 h1:kbgKPkbT+79nScfuZ0ZcVhksTGo8IUqQ8TTQGnQlZ18=
+github.com/qdm12/dns/v2 v2.0.0-rc8/go.mod h1:VaF02KWEL7xNV4oKfG4N9nEv/kR6bqyIcBReCV5NJhw=
+github.com/qdm12/goservices v0.1.0 h1:9sODefm/yuIGS7ynCkEnNlMTAYn9GzPhtcK4F69JWvc=
+github.com/qdm12/goservices v0.1.0/go.mod h1:/JOFsAnHFiSjyoXxa5FlfX903h20K5u/3rLzCjYVMck=
 github.com/qdm12/gosettings v0.4.4 h1:SM6tOZDf6k8qbjWU8KWyBF4mWIixfsKCfh9DGRLHlj4=
 github.com/qdm12/gosettings v0.4.4/go.mod h1:CPrt2YC4UsURTrslmhxocVhMCW03lIrqdH2hzIf5prg=
 github.com/qdm12/goshutdown v0.3.0 h1:pqBpJkdwlZlfTEx4QHtS8u8CXx6pG0fVo6S1N0MpSEM=
@@ -93,12 +89,12 @@ github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
 github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-github.com/ti-mo/netfilter v0.5.3 h1:ikzduvnaUMwre5bhbNwWOd6bjqLMVb33vv0XXbK0xGQ=
-github.com/ti-mo/netfilter v0.5.3/go.mod h1:08SyBCg6hu1qyQk4s3DjjJKNrm3RTb32nm6AzyT972E=
-github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
-github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
+github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/vishvananda/netlink v1.2.1 h1:pfLv/qlJUwOTPvtWREA7c3PI4u81YkqZw1DYhI2HmLA=
+github.com/vishvananda/netlink v1.2.1/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a h1:fZHgsYlfvtyqToslyjUt3VOPF4J7aK/3MPcK7xp3PDk=
@@ -110,15 +106,15 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -126,14 +122,14 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -144,10 +140,12 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -157,17 +155,17 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
+golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -88,11 +88,7 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 		return fmt.Errorf("options validation failed: %w", err)
 	}

-	serversDataPath := constants.ServersData
-	if maintainerMode {
-		serversDataPath = ""
-	}
-	storage, err := storage.New(logger, serversDataPath)
+	storage, err := storage.New(logger, constants.ServersData)
 	if err != nil {
 		return fmt.Errorf("creating servers storage: %w", err)
 	}
@@ -9,11 +9,9 @@ import (

 func readObsolete(r *reader.Reader) (warnings []string) {
 	keyToMessage := map[string]string{
-		"DOT_VERBOSITY":                "DOT_VERBOSITY is obsolete, use LOG_LEVEL instead.",
-		"DOT_VERBOSITY_DETAILS":        "DOT_VERBOSITY_DETAILS is obsolete because it was specific to Unbound.",
-		"DOT_VALIDATION_LOGLEVEL":      "DOT_VALIDATION_LOGLEVEL is obsolete because DNSSEC validation is not implemented.",
-		"HEALTH_VPN_DURATION_INITIAL":  "HEALTH_VPN_DURATION_INITIAL is obsolete",
-		"HEALTH_VPN_DURATION_ADDITION": "HEALTH_VPN_DURATION_ADDITION is obsolete",
+		"DOT_VERBOSITY":           "DOT_VERBOSITY is obsolete, use LOG_LEVEL instead.",
+		"DOT_VERBOSITY_DETAILS":   "DOT_VERBOSITY_DETAILS is obsolete because it was specific to Unbound.",
+		"DOT_VALIDATION_LOGLEVEL": "DOT_VALIDATION_LOGLEVEL is obsolete because DNSSEC validation is not implemented.",
 	}
 	sortedKeys := maps.Keys(keyToMessage)
 	slices.Sort(sortedKeys)
@@ -1,13 +1,9 @@
 package settings

 import (
-	"errors"
 	"fmt"
 	"net/netip"
-	"time"

-	"github.com/qdm12/dns/v2/pkg/provider"
-	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
 	"github.com/qdm12/gotree"
@@ -15,31 +11,10 @@ import (

 // DNS contains settings to configure DNS.
 type DNS struct {
-	// ServerEnabled is true if the server should be running
-	// and used. It defaults to true, and cannot be nil
-	// in the internal state.
-	ServerEnabled *bool
-	// UpstreamType can be dot or plain, and defaults to dot.
-	UpstreamType string `json:"upstream_type"`
-	// UpdatePeriod is the period to update DNS block lists.
-	// It can be set to 0 to disable the update.
-	// It defaults to 24h and cannot be nil in
-	// the internal state.
-	UpdatePeriod *time.Duration
-	// Providers is a list of DNS providers
-	Providers []string `json:"providers"`
-	// Caching is true if the server should cache
-	// DNS responses.
-	Caching *bool `json:"caching"`
-	// IPv6 is true if the server should connect over IPv6.
-	IPv6 *bool `json:"ipv6"`
-	// Blacklist contains settings to configure the filter
-	// block lists.
-	Blacklist DNSBlacklist
 	// ServerAddress is the DNS server to use inside
 	// the Go program and for the system.
 	// It defaults to '127.0.0.1' to be used with the
-	// local server. It cannot be the zero value in the internal
+	// DoT server. It cannot be the zero value in the internal
 	// state.
 	ServerAddress netip.Addr
 	// KeepNameserver is true if the existing DNS server
@@ -48,40 +23,20 @@ type DNS struct {
 	// outside the VPN tunnel since it would go through
 	// the local DNS server of your Docker/Kubernetes
 	// configuration, which is likely not going through the tunnel.
-	// This will also disable the DNS forwarder server and the
+	// This will also disable the DNS over TLS server and the
 	// `ServerAddress` field will be ignored.
 	// It defaults to false and cannot be nil in the
 	// internal state.
 	KeepNameserver *bool
+	// DOT contains settings to configure the DoT
+	// server.
+	DoT DoT
 }

-var (
-	ErrDNSUpstreamTypeNotValid = errors.New("DNS upstream type is not valid")
-	ErrDNSUpdatePeriodTooShort = errors.New("update period is too short")
-)
-
 func (d DNS) validate() (err error) {
-	if !helpers.IsOneOf(d.UpstreamType, "dot", "doh", "plain") {
-		return fmt.Errorf("%w: %s", ErrDNSUpstreamTypeNotValid, d.UpstreamType)
-	}
-
-	const minUpdatePeriod = 30 * time.Second
-	if *d.UpdatePeriod != 0 && *d.UpdatePeriod < minUpdatePeriod {
-		return fmt.Errorf("%w: %s must be bigger than %s",
-			ErrDNSUpdatePeriodTooShort, *d.UpdatePeriod, minUpdatePeriod)
-	}
-
-	providers := provider.NewProviders()
-	for _, providerName := range d.Providers {
-		_, err := providers.Get(providerName)
-		if err != nil {
-			return err
-		}
-	}
-
-	err = d.Blacklist.validate()
+	err = d.DoT.validate()
 	if err != nil {
-		return err
+		return fmt.Errorf("validating DoT settings: %w", err)
 	}

 	return nil
@@ -89,15 +44,9 @@ func (d DNS) validate() (err error) {

 func (d *DNS) Copy() (copied DNS) {
 	return DNS{
-		ServerEnabled:  gosettings.CopyPointer(d.ServerEnabled),
-		UpstreamType:   d.UpstreamType,
-		UpdatePeriod:   gosettings.CopyPointer(d.UpdatePeriod),
-		Providers:      gosettings.CopySlice(d.Providers),
-		Caching:        gosettings.CopyPointer(d.Caching),
-		IPv6:           gosettings.CopyPointer(d.IPv6),
-		Blacklist:      d.Blacklist.copy(),
 		ServerAddress:  d.ServerAddress,
 		KeepNameserver: gosettings.CopyPointer(d.KeepNameserver),
+		DoT:            d.DoT.copy(),
 	}
 }

@@ -105,48 +54,16 @@ func (d *DNS) Copy() (copied DNS) {
 // settings object with any field set in the other
 // settings.
 func (d *DNS) overrideWith(other DNS) {
-	d.ServerEnabled = gosettings.OverrideWithPointer(d.ServerEnabled, other.ServerEnabled)
-	d.UpstreamType = gosettings.OverrideWithComparable(d.UpstreamType, other.UpstreamType)
-	d.UpdatePeriod = gosettings.OverrideWithPointer(d.UpdatePeriod, other.UpdatePeriod)
-	d.Providers = gosettings.OverrideWithSlice(d.Providers, other.Providers)
-	d.Caching = gosettings.OverrideWithPointer(d.Caching, other.Caching)
-	d.IPv6 = gosettings.OverrideWithPointer(d.IPv6, other.IPv6)
-	d.Blacklist.overrideWith(other.Blacklist)
 	d.ServerAddress = gosettings.OverrideWithValidator(d.ServerAddress, other.ServerAddress)
 	d.KeepNameserver = gosettings.OverrideWithPointer(d.KeepNameserver, other.KeepNameserver)
+	d.DoT.overrideWith(other.DoT)
 }

 func (d *DNS) setDefaults() {
-	d.ServerEnabled = gosettings.DefaultPointer(d.ServerEnabled, true)
-	d.UpstreamType = gosettings.DefaultComparable(d.UpstreamType, "dot")
-	const defaultUpdatePeriod = 24 * time.Hour
-	d.UpdatePeriod = gosettings.DefaultPointer(d.UpdatePeriod, defaultUpdatePeriod)
-	d.Providers = gosettings.DefaultSlice(d.Providers, []string{
-		provider.Cloudflare().Name,
-	})
-	d.Caching = gosettings.DefaultPointer(d.Caching, true)
-	d.IPv6 = gosettings.DefaultPointer(d.IPv6, false)
-	d.Blacklist.setDefaults()
-	d.ServerAddress = gosettings.DefaultValidator(d.ServerAddress,
-		netip.AddrFrom4([4]byte{127, 0, 0, 1}))
-	d.KeepNameserver = gosettings.DefaultPointer(d.KeepNameserver, false)
-}
-
-func (d DNS) GetFirstPlaintextIPv4() (ipv4 netip.Addr) {
 	localhost := netip.AddrFrom4([4]byte{127, 0, 0, 1})
-	if d.ServerAddress.Compare(localhost) != 0 && d.ServerAddress.Is4() {
-		return d.ServerAddress
-	}
-
-	providers := provider.NewProviders()
-	provider, err := providers.Get(d.Providers[0])
-	if err != nil {
-		// Settings should be validated before calling this function,
-		// so an error happening here is a programming error.
-		panic(err)
-	}
-
-	return provider.Plain.IPv4[0].Addr()
+	d.ServerAddress = gosettings.DefaultValidator(d.ServerAddress, localhost)
+	d.KeepNameserver = gosettings.DefaultPointer(d.KeepNameserver, false)
+	d.DoT.setDefaults()
 }

 func (d DNS) String() string {
@@ -160,63 +77,11 @@ func (d DNS) toLinesNode() (node *gotree.Node) {
 		return node
 	}
 	node.Appendf("DNS server address to use: %s", d.ServerAddress)
-
-	node.Appendf("DNS forwarder server enabled: %s", gosettings.BoolToYesNo(d.ServerEnabled))
-	if !*d.ServerEnabled {
-		return node
-	}
-
-	node.Appendf("Upstream resolver type: %s", d.UpstreamType)
-
-	upstreamResolvers := node.Append("Upstream resolvers:")
-	for _, provider := range d.Providers {
-		upstreamResolvers.Append(provider)
-	}
-
-	node.Appendf("Caching: %s", gosettings.BoolToYesNo(d.Caching))
-	node.Appendf("IPv6: %s", gosettings.BoolToYesNo(d.IPv6))
-
-	update := "disabled"
-	if *d.UpdatePeriod > 0 {
-		update = "every " + d.UpdatePeriod.String()
-	}
-	node.Appendf("Update period: %s", update)
-
-	node.AppendNode(d.Blacklist.toLinesNode())
-
+	node.AppendNode(d.DoT.toLinesNode())
 	return node
 }

 func (d *DNS) read(r *reader.Reader) (err error) {
-	d.ServerEnabled, err = r.BoolPtr("DNS_SERVER", reader.RetroKeys("DOT"))
-	if err != nil {
-		return err
-	}
-
-	d.UpstreamType = r.String("DNS_UPSTREAM_RESOLVER_TYPE")
-
-	d.UpdatePeriod, err = r.DurationPtr("DNS_UPDATE_PERIOD")
-	if err != nil {
-		return err
-	}
-
-	d.Providers = r.CSV("DNS_UPSTREAM_RESOLVERS", reader.RetroKeys("DOT_PROVIDERS"))
-
-	d.Caching, err = r.BoolPtr("DNS_CACHING", reader.RetroKeys("DOT_CACHING"))
-	if err != nil {
-		return err
-	}
-
-	d.IPv6, err = r.BoolPtr("DNS_UPSTREAM_IPV6", reader.RetroKeys("DOT_IPV6"))
-	if err != nil {
-		return err
-	}
-
-	err = d.Blacklist.read(r)
-	if err != nil {
-		return err
-	}
-
 	d.ServerAddress, err = r.NetipAddr("DNS_ADDRESS", reader.RetroKeys("DNS_PLAINTEXT_ADDRESS"))
 	if err != nil {
 		return err
@@ -227,5 +92,10 @@ func (d *DNS) read(r *reader.Reader) (err error) {
 		return err
 	}

+	err = d.DoT.read(r)
+	if err != nil {
+		return fmt.Errorf("DNS over TLS settings: %w", err)
+	}
+
 	return nil
 }
@@ -22,11 +22,6 @@ type DNSBlacklist struct {
 	AddBlockedHosts      []string
 	AddBlockedIPs        []netip.Addr
 	AddBlockedIPPrefixes []netip.Prefix
-	// RebindingProtectionExemptHostnames is a list of hostnames
-	// exempt from DNS rebinding protection. It can contain parent
-	// domains which are of the form "*.example.com". Note the wildcard
-	// can only be used at the start of the hostname.
-	RebindingProtectionExemptHostnames []string
 }

 func (b *DNSBlacklist) setDefaults() {
@@ -38,9 +33,8 @@ func (b *DNSBlacklist) setDefaults() {
 var hostRegex = regexp.MustCompile(`^([a-zA-Z0-9]|[a-zA-Z0-9_][a-zA-Z0-9\-_]{0,61}[a-zA-Z0-9_])(\.([a-zA-Z0-9]|[a-zA-Z0-9_][a-zA-Z0-9\-_]{0,61}[a-zA-Z0-9]))*$`) //nolint:lll

 var (
-	ErrAllowedHostNotValid                   = errors.New("allowed host is not valid")
-	ErrBlockedHostNotValid                   = errors.New("blocked host is not valid")
-	ErrRebindingProtectionExemptHostNotValid = errors.New("rebinding protection exempt host is not valid")
+	ErrAllowedHostNotValid = errors.New("allowed host is not valid")
+	ErrBlockedHostNotValid = errors.New("blocked host is not valid")
 )

 func (b DNSBlacklist) validate() (err error) {
@@ -56,28 +50,18 @@ func (b DNSBlacklist) validate() (err error) {
 		}
 	}

-	for _, host := range b.RebindingProtectionExemptHostnames {
-		if len(host) > 2 && host[:2] == "*." {
-			host = host[2:]
-		}
-		if !hostRegex.MatchString(host) {
-			return fmt.Errorf("%w: %s", ErrRebindingProtectionExemptHostNotValid, host)
-		}
-	}
-
 	return nil
 }

 func (b DNSBlacklist) copy() (copied DNSBlacklist) {
 	return DNSBlacklist{
-		BlockMalicious:                     gosettings.CopyPointer(b.BlockMalicious),
-		BlockAds:                           gosettings.CopyPointer(b.BlockAds),
-		BlockSurveillance:                  gosettings.CopyPointer(b.BlockSurveillance),
-		AllowedHosts:                       gosettings.CopySlice(b.AllowedHosts),
-		AddBlockedHosts:                    gosettings.CopySlice(b.AddBlockedHosts),
-		AddBlockedIPs:                      gosettings.CopySlice(b.AddBlockedIPs),
-		AddBlockedIPPrefixes:               gosettings.CopySlice(b.AddBlockedIPPrefixes),
-		RebindingProtectionExemptHostnames: gosettings.CopySlice(b.RebindingProtectionExemptHostnames),
+		BlockMalicious:       gosettings.CopyPointer(b.BlockMalicious),
+		BlockAds:             gosettings.CopyPointer(b.BlockAds),
+		BlockSurveillance:    gosettings.CopyPointer(b.BlockSurveillance),
+		AllowedHosts:         gosettings.CopySlice(b.AllowedHosts),
+		AddBlockedHosts:      gosettings.CopySlice(b.AddBlockedHosts),
+		AddBlockedIPs:        gosettings.CopySlice(b.AddBlockedIPs),
+		AddBlockedIPPrefixes: gosettings.CopySlice(b.AddBlockedIPPrefixes),
 	}
 }

@@ -89,8 +73,6 @@ func (b *DNSBlacklist) overrideWith(other DNSBlacklist) {
 	b.AddBlockedHosts = gosettings.OverrideWithSlice(b.AddBlockedHosts, other.AddBlockedHosts)
 	b.AddBlockedIPs = gosettings.OverrideWithSlice(b.AddBlockedIPs, other.AddBlockedIPs)
 	b.AddBlockedIPPrefixes = gosettings.OverrideWithSlice(b.AddBlockedIPPrefixes, other.AddBlockedIPPrefixes)
-	b.RebindingProtectionExemptHostnames = gosettings.OverrideWithSlice(b.RebindingProtectionExemptHostnames,
-		other.RebindingProtectionExemptHostnames)
 }

 func (b DNSBlacklist) ToBlockBuilderSettings(client *http.Client) (
@@ -147,13 +129,6 @@ func (b DNSBlacklist) toLinesNode() (node *gotree.Node) {
 		}
 	}

-	if len(b.RebindingProtectionExemptHostnames) > 0 {
-		exemptHostsNode := node.Append("Rebinding protection exempt hostnames:")
-		for _, host := range b.RebindingProtectionExemptHostnames {
-			exemptHostsNode.Append(host)
-		}
-	}
-
 	return node
 }

@@ -174,47 +149,23 @@ func (b *DNSBlacklist) read(r *reader.Reader) (err error) {
 		return err
 	}

-	b.AddBlockedIPs, b.AddBlockedIPPrefixes, err = readDNSBlockedIPs(r)
+	b.AddBlockedIPs, b.AddBlockedIPPrefixes,
+		err = readDoTPrivateAddresses(r) // TODO v4 split in 2
 	if err != nil {
 		return err
 	}

-	b.AllowedHosts = r.CSV("DNS_UNBLOCK_HOSTNAMES", reader.RetroKeys("UNBLOCK"))
-
-	b.RebindingProtectionExemptHostnames = r.CSV("DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES")
+	b.AllowedHosts = r.CSV("UNBLOCK") // TODO v4 change name

 	return nil
 }

-func readDNSBlockedIPs(r *reader.Reader) (ips []netip.Addr,
-	ipPrefixes []netip.Prefix, err error,
-) {
-	ips, err = r.CSVNetipAddresses("DNS_BLOCK_IPS")
-	if err != nil {
-		return nil, nil, err
-	}
-	ipPrefixes, err = r.CSVNetipPrefixes("DNS_BLOCK_IP_PREFIXES")
-	if err != nil {
-		return nil, nil, err
-	}
-
-	// TODO v4 remove this block below
-	privateIPs, privateIPPrefixes, err := readDNSPrivateAddresses(r)
-	if err != nil {
-		return nil, nil, err
-	}
-	ips = append(ips, privateIPs...)
-	ipPrefixes = append(ipPrefixes, privateIPPrefixes...)
-
-	return ips, ipPrefixes, nil
-}
-
 var ErrPrivateAddressNotValid = errors.New("private address is not a valid IP or CIDR range")

-func readDNSPrivateAddresses(r *reader.Reader) (ips []netip.Addr,
+func readDoTPrivateAddresses(reader *reader.Reader) (ips []netip.Addr,
 	ipPrefixes []netip.Prefix, err error,
 ) {
-	privateAddresses := r.CSV("DOT_PRIVATE_ADDRESS", reader.IsRetro("DNS_BLOCK_IP_PREFIXES"))
+	privateAddresses := reader.CSV("DOT_PRIVATE_ADDRESS")
 	if len(privateAddresses) == 0 {
 		return nil, nil, nil
 	}
@@ -0,0 +1,170 @@
+package settings
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"time"
+
+	"github.com/qdm12/dns/v2/pkg/provider"
+	"github.com/qdm12/gosettings"
+	"github.com/qdm12/gosettings/reader"
+	"github.com/qdm12/gotree"
+)
+
+// DoT contains settings to configure the DoT server.
+type DoT struct {
+	// Enabled is true if the DoT server should be running
+	// and used. It defaults to true, and cannot be nil
+	// in the internal state.
+	Enabled *bool
+	// UpdatePeriod is the period to update DNS block lists.
+	// It can be set to 0 to disable the update.
+	// It defaults to 24h and cannot be nil in
+	// the internal state.
+	UpdatePeriod *time.Duration
+	// Providers is a list of DNS over TLS providers
+	Providers []string `json:"providers"`
+	// Caching is true if the DoT server should cache
+	// DNS responses.
+	Caching *bool `json:"caching"`
+	// IPv6 is true if the DoT server should connect over IPv6.
+	IPv6 *bool `json:"ipv6"`
+	// Blacklist contains settings to configure the filter
+	// block lists.
+	Blacklist DNSBlacklist
+}
+
+var ErrDoTUpdatePeriodTooShort = errors.New("update period is too short")
+
+func (d DoT) validate() (err error) {
+	const minUpdatePeriod = 30 * time.Second
+	if *d.UpdatePeriod != 0 && *d.UpdatePeriod < minUpdatePeriod {
+		return fmt.Errorf("%w: %s must be bigger than %s",
+			ErrDoTUpdatePeriodTooShort, *d.UpdatePeriod, minUpdatePeriod)
+	}
+
+	providers := provider.NewProviders()
+	for _, providerName := range d.Providers {
+		_, err := providers.Get(providerName)
+		if err != nil {
+			return err
+		}
+	}
+
+	err = d.Blacklist.validate()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (d *DoT) copy() (copied DoT) {
+	return DoT{
+		Enabled:      gosettings.CopyPointer(d.Enabled),
+		UpdatePeriod: gosettings.CopyPointer(d.UpdatePeriod),
+		Providers:    gosettings.CopySlice(d.Providers),
+		Caching:      gosettings.CopyPointer(d.Caching),
+		IPv6:         gosettings.CopyPointer(d.IPv6),
+		Blacklist:    d.Blacklist.copy(),
+	}
+}
+
+// overrideWith overrides fields of the receiver
+// settings object with any field set in the other
+// settings.
+func (d *DoT) overrideWith(other DoT) {
+	d.Enabled = gosettings.OverrideWithPointer(d.Enabled, other.Enabled)
+	d.UpdatePeriod = gosettings.OverrideWithPointer(d.UpdatePeriod, other.UpdatePeriod)
+	d.Providers = gosettings.OverrideWithSlice(d.Providers, other.Providers)
+	d.Caching = gosettings.OverrideWithPointer(d.Caching, other.Caching)
+	d.IPv6 = gosettings.OverrideWithPointer(d.IPv6, other.IPv6)
+	d.Blacklist.overrideWith(other.Blacklist)
+}
+
+func (d *DoT) setDefaults() {
+	d.Enabled = gosettings.DefaultPointer(d.Enabled, true)
+	const defaultUpdatePeriod = 24 * time.Hour
+	d.UpdatePeriod = gosettings.DefaultPointer(d.UpdatePeriod, defaultUpdatePeriod)
+	d.Providers = gosettings.DefaultSlice(d.Providers, []string{
+		provider.Cloudflare().Name,
+	})
+	d.Caching = gosettings.DefaultPointer(d.Caching, true)
+	d.IPv6 = gosettings.DefaultPointer(d.IPv6, false)
+	d.Blacklist.setDefaults()
+}
+
+func (d DoT) GetFirstPlaintextIPv4() (ipv4 netip.Addr) {
+	providers := provider.NewProviders()
+	provider, err := providers.Get(d.Providers[0])
+	if err != nil {
+		// Settings should be validated before calling this function,
+		// so an error happening here is a programming error.
+		panic(err)
+	}
+
+	return provider.DoT.IPv4[0].Addr()
+}
+
+func (d DoT) String() string {
+	return d.toLinesNode().String()
+}
+
+func (d DoT) toLinesNode() (node *gotree.Node) {
+	node = gotree.New("DNS over TLS settings:")
+
+	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(d.Enabled))
+	if !*d.Enabled {
+		return node
+	}
+
+	update := "disabled" //nolint:goconst
+	if *d.UpdatePeriod > 0 {
+		update = "every " + d.UpdatePeriod.String()
+	}
+	node.Appendf("Update period: %s", update)
+
+	upstreamResolvers := node.Append("Upstream resolvers:")
+	for _, provider := range d.Providers {
+		upstreamResolvers.Append(provider)
+	}
+
+	node.Appendf("Caching: %s", gosettings.BoolToYesNo(d.Caching))
+	node.Appendf("IPv6: %s", gosettings.BoolToYesNo(d.IPv6))
+
+	node.AppendNode(d.Blacklist.toLinesNode())
+
+	return node
+}
+
+func (d *DoT) read(reader *reader.Reader) (err error) {
+	d.Enabled, err = reader.BoolPtr("DOT")
+	if err != nil {
+		return err
+	}
+
+	d.UpdatePeriod, err = reader.DurationPtr("DNS_UPDATE_PERIOD")
+	if err != nil {
+		return err
+	}
+
+	d.Providers = reader.CSV("DOT_PROVIDERS")
+
+	d.Caching, err = reader.BoolPtr("DOT_CACHING")
+	if err != nil {
+		return err
+	}
+
+	d.IPv6, err = reader.BoolPtr("DOT_IPV6")
+	if err != nil {
+		return err
+	}
+
+	err = d.Blacklist.read(reader)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
@@ -1,10 +1,9 @@
 package settings

 import (
-	"errors"
 	"fmt"
-	"net/netip"
 	"os"
+	"time"

 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
@@ -18,51 +17,34 @@ type Health struct {
 	// for the health check server.
 	// It cannot be the empty string in the internal state.
 	ServerAddress string
-	// TargetAddresses are the addresses (host or host:port)
-	// to TCP TLS dial to periodically for the health check.
-	// Addresses after the first one are used as fallbacks for retries.
-	// It cannot be empty in the internal state.
-	TargetAddresses []string
-	// ICMPTargetIPs are the IP addresses to use for ICMP echo requests
-	// in the health checker. The slice can be set to a single
-	// unspecified address (0.0.0.0) such that the VPN server IP is used,
-	// although this can be less reliable. It defaults to [1.1.1.1,8.8.8.8],
-	// and cannot be left empty in the internal state.
-	ICMPTargetIPs []netip.Addr
-	// SmallCheckType is the type of small health check to perform.
-	// It can be "icmp" or "dns", and defaults to "icmp".
-	// Note it changes automatically to dns if icmp is not supported.
-	SmallCheckType string
-	// RestartVPN indicates whether to restart the VPN connection
-	// when the healthcheck fails.
-	RestartVPN *bool
+	// ReadHeaderTimeout is the HTTP server header read timeout
+	// duration of the HTTP server. It defaults to 100 milliseconds.
+	ReadHeaderTimeout time.Duration
+	// ReadTimeout is the HTTP read timeout duration of the
+	// HTTP server. It defaults to 500 milliseconds.
+	ReadTimeout time.Duration
+	// TargetAddress is the address (host or host:port)
+	// to TCP dial to periodically for the health check.
+	// It cannot be the empty string in the internal state.
+	TargetAddress string
+	// SuccessWait is the duration to wait to re-run the
+	// healthcheck after a successful healthcheck.
+	// It defaults to 5 seconds and cannot be zero in
+	// the internal state.
+	SuccessWait time.Duration
+	// VPN has health settings specific to the VPN loop.
+	VPN HealthyWait
 }

-var (
-	ErrICMPTargetIPNotValid       = errors.New("ICMP target IP address is not valid")
-	ErrICMPTargetIPsNotCompatible = errors.New("ICMP target IP addresses are not compatible")
-	ErrSmallCheckTypeNotValid     = errors.New("small check type is not valid")
-)
-
 func (h Health) Validate() (err error) {
 	err = validate.ListeningAddress(h.ServerAddress, os.Getuid())
 	if err != nil {
 		return fmt.Errorf("server listening address is not valid: %w", err)
 	}

-	for _, ip := range h.ICMPTargetIPs {
-		switch {
-		case !ip.IsValid():
-			return fmt.Errorf("%w: %s", ErrICMPTargetIPNotValid, ip)
-		case ip.IsUnspecified() && len(h.ICMPTargetIPs) > 1:
-			return fmt.Errorf("%w: only a single IP address must be set if it is to be unspecified",
-				ErrICMPTargetIPsNotCompatible)
-		}
-	}
-
-	err = validate.IsOneOf(h.SmallCheckType, "icmp", "dns")
+	err = h.VPN.validate()
 	if err != nil {
-		return fmt.Errorf("%w: %s", ErrSmallCheckTypeNotValid, err)
+		return fmt.Errorf("health VPN settings: %w", err)
 	}

 	return nil
@@ -70,11 +52,12 @@ func (h Health) Validate() (err error) {

 func (h *Health) copy() (copied Health) {
 	return Health{
-		ServerAddress:   h.ServerAddress,
-		TargetAddresses: h.TargetAddresses,
-		ICMPTargetIPs:   gosettings.CopySlice(h.ICMPTargetIPs),
-		SmallCheckType:  h.SmallCheckType,
-		RestartVPN:      gosettings.CopyPointer(h.RestartVPN),
+		ServerAddress:     h.ServerAddress,
+		ReadHeaderTimeout: h.ReadHeaderTimeout,
+		ReadTimeout:       h.ReadTimeout,
+		TargetAddress:     h.TargetAddress,
+		SuccessWait:       h.SuccessWait,
+		VPN:               h.VPN.copy(),
 	}
 }

@@ -83,21 +66,23 @@ func (h *Health) copy() (copied Health) {
 // settings.
 func (h *Health) OverrideWith(other Health) {
 	h.ServerAddress = gosettings.OverrideWithComparable(h.ServerAddress, other.ServerAddress)
-	h.TargetAddresses = gosettings.OverrideWithSlice(h.TargetAddresses, other.TargetAddresses)
-	h.ICMPTargetIPs = gosettings.OverrideWithSlice(h.ICMPTargetIPs, other.ICMPTargetIPs)
-	h.SmallCheckType = gosettings.OverrideWithComparable(h.SmallCheckType, other.SmallCheckType)
-	h.RestartVPN = gosettings.OverrideWithPointer(h.RestartVPN, other.RestartVPN)
+	h.ReadHeaderTimeout = gosettings.OverrideWithComparable(h.ReadHeaderTimeout, other.ReadHeaderTimeout)
+	h.ReadTimeout = gosettings.OverrideWithComparable(h.ReadTimeout, other.ReadTimeout)
+	h.TargetAddress = gosettings.OverrideWithComparable(h.TargetAddress, other.TargetAddress)
+	h.SuccessWait = gosettings.OverrideWithComparable(h.SuccessWait, other.SuccessWait)
+	h.VPN.overrideWith(other.VPN)
 }

 func (h *Health) SetDefaults() {
 	h.ServerAddress = gosettings.DefaultComparable(h.ServerAddress, "127.0.0.1:9999")
-	h.TargetAddresses = gosettings.DefaultSlice(h.TargetAddresses, []string{"cloudflare.com:443", "github.com:443"})
-	h.ICMPTargetIPs = gosettings.DefaultSlice(h.ICMPTargetIPs, []netip.Addr{
-		netip.AddrFrom4([4]byte{1, 1, 1, 1}),
-		netip.AddrFrom4([4]byte{8, 8, 8, 8}),
-	})
-	h.SmallCheckType = gosettings.DefaultComparable(h.SmallCheckType, "icmp")
-	h.RestartVPN = gosettings.DefaultPointer(h.RestartVPN, true)
+	const defaultReadHeaderTimeout = 100 * time.Millisecond
+	h.ReadHeaderTimeout = gosettings.DefaultComparable(h.ReadHeaderTimeout, defaultReadHeaderTimeout)
+	const defaultReadTimeout = 500 * time.Millisecond
+	h.ReadTimeout = gosettings.DefaultComparable(h.ReadTimeout, defaultReadTimeout)
+	h.TargetAddress = gosettings.DefaultComparable(h.TargetAddress, "cloudflare.com:443")
+	const defaultSuccessWait = 5 * time.Second
+	h.SuccessWait = gosettings.DefaultComparable(h.SuccessWait, defaultSuccessWait)
+	h.VPN.setDefaults()
 }

 func (h Health) String() string {
@@ -107,40 +92,28 @@ func (h Health) String() string {
 func (h Health) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("Health settings:")
 	node.Appendf("Server listening address: %s", h.ServerAddress)
-	targetAddrs := node.Appendf("Target addresses:")
-	for _, targetAddr := range h.TargetAddresses {
-		targetAddrs.Append(targetAddr)
-	}
-	switch h.SmallCheckType {
-	case "icmp":
-		icmpNode := node.Appendf("Small health check type: ICMP echo request")
-		if len(h.ICMPTargetIPs) == 1 && h.ICMPTargetIPs[0].IsUnspecified() {
-			icmpNode.Appendf("ICMP target IP: VPN server IP address")
-		} else {
-			icmpIPs := icmpNode.Appendf("ICMP target IPs:")
-			for _, ip := range h.ICMPTargetIPs {
-				icmpIPs.Append(ip.String())
-			}
-		}
-	case "dns":
-		node.Appendf("Small health check type: Plain DNS lookup over UDP")
-	}
-	node.Appendf("Restart VPN on healthcheck failure: %s", gosettings.BoolToYesNo(h.RestartVPN))
+	node.Appendf("Target address: %s", h.TargetAddress)
+	node.Appendf("Duration to wait after success: %s", h.SuccessWait)
+	node.Appendf("Read header timeout: %s", h.ReadHeaderTimeout)
+	node.Appendf("Read timeout: %s", h.ReadTimeout)
+	node.AppendNode(h.VPN.toLinesNode("VPN"))
 	return node
 }

 func (h *Health) Read(r *reader.Reader) (err error) {
 	h.ServerAddress = r.String("HEALTH_SERVER_ADDRESS")
-	h.TargetAddresses = r.CSV("HEALTH_TARGET_ADDRESSES",
-		reader.RetroKeys("HEALTH_ADDRESS_TO_PING", "HEALTH_TARGET_ADDRESS"))
-	h.ICMPTargetIPs, err = r.CSVNetipAddresses("HEALTH_ICMP_TARGET_IPS", reader.RetroKeys("HEALTH_ICMP_TARGET_IP"))
+	h.TargetAddress = r.String("HEALTH_TARGET_ADDRESS",
+		reader.RetroKeys("HEALTH_ADDRESS_TO_PING"))
+
+	h.SuccessWait, err = r.Duration("HEALTH_SUCCESS_WAIT_DURATION")
 	if err != nil {
 		return err
 	}
-	h.SmallCheckType = r.String("HEALTH_SMALL_CHECK_TYPE")
-	h.RestartVPN, err = r.BoolPtr("HEALTH_RESTART_VPN")
+
+	err = h.VPN.read(r)
 	if err != nil {
-		return err
+		return fmt.Errorf("VPN health settings: %w", err)
 	}
+
 	return nil
 }
@@ -0,0 +1,76 @@
+package settings
+
+import (
+	"time"
+
+	"github.com/qdm12/gosettings"
+	"github.com/qdm12/gosettings/reader"
+	"github.com/qdm12/gotree"
+)
+
+type HealthyWait struct {
+	// Initial is the initial duration to wait for the program
+	// to be healthy before taking action.
+	// It cannot be nil in the internal state.
+	Initial *time.Duration
+	// Addition is the duration to add to the Initial duration
+	// after Initial has expired to wait longer for the program
+	// to be healthy.
+	// It cannot be nil in the internal state.
+	Addition *time.Duration
+}
+
+func (h HealthyWait) validate() (err error) {
+	return nil
+}
+
+func (h *HealthyWait) copy() (copied HealthyWait) {
+	return HealthyWait{
+		Initial:  gosettings.CopyPointer(h.Initial),
+		Addition: gosettings.CopyPointer(h.Addition),
+	}
+}
+
+// overrideWith overrides fields of the receiver
+// settings object with any field set in the other
+// settings.
+func (h *HealthyWait) overrideWith(other HealthyWait) {
+	h.Initial = gosettings.OverrideWithPointer(h.Initial, other.Initial)
+	h.Addition = gosettings.OverrideWithPointer(h.Addition, other.Addition)
+}
+
+func (h *HealthyWait) setDefaults() {
+	const initialDurationDefault = 6 * time.Second
+	const additionDurationDefault = 5 * time.Second
+	h.Initial = gosettings.DefaultPointer(h.Initial, initialDurationDefault)
+	h.Addition = gosettings.DefaultPointer(h.Addition, additionDurationDefault)
+}
+
+func (h HealthyWait) String() string {
+	return h.toLinesNode("Health").String()
+}
+
+func (h HealthyWait) toLinesNode(kind string) (node *gotree.Node) {
+	node = gotree.New(kind + " wait durations:")
+	node.Appendf("Initial duration: %s", *h.Initial)
+	node.Appendf("Additional duration: %s", *h.Addition)
+	return node
+}
+
+func (h *HealthyWait) read(r *reader.Reader) (err error) {
+	h.Initial, err = r.DurationPtr(
+		"HEALTH_VPN_DURATION_INITIAL",
+		reader.RetroKeys("HEALTH_OPENVPN_DURATION_INITIAL"))
+	if err != nil {
+		return err
+	}
+
+	h.Addition, err = r.DurationPtr(
+		"HEALTH_VPN_DURATION_ADDITION",
+		reader.RetroKeys("HEALTH_OPENVPN_DURATION_ADDITION"))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
@@ -209,7 +209,8 @@ func validateOpenVPNClientKey(vpnProvider, clientKey string) (err error) {
 	case
 		providers.Airvpn,
 		providers.Cyberghost,
-		providers.VPNUnlimited:
+		providers.VPNUnlimited,
+		providers.Wevpn:
 		if clientKey == "" {
 			return fmt.Errorf("%w", ErrMissingValue)
 		}
@@ -104,10 +104,13 @@ func (o OpenVPNSelection) validate(vpnProvider string) (err error) {
 				allowedUDP = []uint16{53, 1194, 1197, 1198, 8080, 9201}
 			case providers.Protonvpn:
 				allowedTCP = []uint16{443, 5995, 8443}
-				allowedUDP = []uint16{80, 443, 1194, 4569, 5060, 51820}
+				allowedUDP = []uint16{80, 443, 1194, 4569, 5060}
 			case providers.SlickVPN:
 				allowedTCP = []uint16{443, 8080, 8888}
 				allowedUDP = []uint16{443, 8080, 8888}
+			case providers.Wevpn:
+				allowedTCP = []uint16{53, 1195, 1199, 2018}
+				allowedUDP = []uint16{80, 1194, 1198}
 			case providers.Windscribe:
 				allowedTCP = []uint16{21, 22, 80, 123, 143, 443, 587, 1194, 3306, 8080, 54783}
 				allowedUDP = []uint16{53, 80, 123, 443, 1194, 54783}
@@ -1,111 +0,0 @@
-package settings
-
-import (
-	"errors"
-	"fmt"
-	"net/netip"
-
-	"github.com/qdm12/gosettings"
-	"github.com/qdm12/gosettings/reader"
-	"github.com/qdm12/gotree"
-)
-
-// PMTUD contains settings to configure Path MTU Discovery.
-type PMTUD struct {
-	// ICMPAddresses is the redundancy list of addresses to use
-	// for ICMP path MTU discovery. Each address MUST handle ICMP
-	// packets for PMTUD to work.
-	// It cannot be nil in the internal state.
-	ICMPAddresses []netip.Addr `json:"icmp_addresses"`
-	// TCPAddresses is the redundancy list of addresses to use
-	// for TCP path MTU discovery. Each address MUST have a listening
-	// TCP server on the port specified.
-	// It cannot be nil in the internal state.
-	TCPAddresses []netip.AddrPort `json:"tcp_addresses"`
-}
-
-var (
-	ErrPMTUDICMPAddressNotValid = errors.New("PMTUD ICMP address is not valid")
-	ErrPMTUDTCPAddressNotValid  = errors.New("PMTUD TCP address is not valid")
-)
-
-// Validate validates PMTUD settings.
-func (p PMTUD) validate() (err error) {
-	for i, addr := range p.ICMPAddresses {
-		if !addr.IsValid() {
-			return fmt.Errorf("%w: at index %d", ErrPMTUDICMPAddressNotValid, i)
-		}
-	}
-	for i, addr := range p.TCPAddresses {
-		if !addr.IsValid() {
-			return fmt.Errorf("%w: at index %d", ErrPMTUDTCPAddressNotValid, i)
-		}
-	}
-	return nil
-}
-
-func (p *PMTUD) copy() (copied PMTUD) {
-	return PMTUD{
-		ICMPAddresses: gosettings.CopySlice(p.ICMPAddresses),
-		TCPAddresses:  gosettings.CopySlice(p.TCPAddresses),
-	}
-}
-
-func (p *PMTUD) overrideWith(other PMTUD) {
-	p.ICMPAddresses = gosettings.OverrideWithSlice(p.ICMPAddresses, other.ICMPAddresses)
-	p.TCPAddresses = gosettings.OverrideWithSlice(p.TCPAddresses, other.TCPAddresses)
-}
-
-func (p *PMTUD) setDefaults() {
-	defaultICMPAddresses := []netip.Addr{
-		netip.AddrFrom4([4]byte{1, 1, 1, 1}),
-		netip.AddrFrom4([4]byte{8, 8, 8, 8}),
-	}
-	p.ICMPAddresses = gosettings.DefaultSlice(p.ICMPAddresses, defaultICMPAddresses)
-
-	const dnsPort, tlsPort = 53, 443
-	defaultTCPAddresses := []netip.AddrPort{
-		netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), dnsPort),
-		netip.AddrPortFrom(netip.AddrFrom4([4]byte{8, 8, 8, 8}), dnsPort),
-		netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), tlsPort),
-		netip.AddrPortFrom(netip.AddrFrom4([4]byte{8, 8, 8, 8}), tlsPort),
-		netip.AddrPortFrom(netip.MustParseAddr("2606:4700:4700::1111"), dnsPort),
-		netip.AddrPortFrom(netip.MustParseAddr("2001:4860:4860::8888"), dnsPort),
-		netip.AddrPortFrom(netip.MustParseAddr("2606:4700:4700::1111"), tlsPort),
-		netip.AddrPortFrom(netip.MustParseAddr("2001:4860:4860::8888"), tlsPort),
-	}
-	p.TCPAddresses = gosettings.DefaultSlice(p.TCPAddresses, defaultTCPAddresses)
-}
-
-func (p PMTUD) String() string {
-	return p.toLinesNode().String()
-}
-
-func (p PMTUD) toLinesNode() (node *gotree.Node) {
-	node = gotree.New("Path MTU discovery:")
-
-	icmpAddrNode := node.Append("ICMP addresses:")
-	for _, addr := range p.ICMPAddresses {
-		icmpAddrNode.Append(addr.String())
-	}
-
-	tcpAddrNode := node.Append("TCP addresses:")
-	for _, addr := range p.TCPAddresses {
-		tcpAddrNode.Append(addr.String())
-	}
-	return node
-}
-
-func (p *PMTUD) read(r *reader.Reader) (err error) {
-	p.ICMPAddresses, err = r.CSVNetipAddresses("PMTUD_ICMP_ADDRESSES")
-	if err != nil {
-		return err
-	}
-
-	p.TCPAddresses, err = r.CSVNetipAddrPorts("PMTUD_TCP_ADDRESSES")
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
@@ -2,8 +2,6 @@ package settings

 import (
 	"fmt"
-	"slices"
-	"sort"
 	"strings"

 	"github.com/qdm12/gluetun/internal/constants/providers"
@@ -33,11 +31,6 @@ func (p *Provider) validate(vpnType string, filterChoicesGetter FilterChoicesGet
 	if vpnType == vpn.OpenVPN {
 		validNames = providers.AllWithCustom()
 		validNames = append(validNames, "pia") // Retro-compatibility
-		// Remove Mullvad since it no longer supports OpenVPN as of January 15th, 2026
-		mullvadIndex := slices.Index(validNames, providers.Mullvad)
-		validNames[mullvadIndex], validNames[len(validNames)-1] = validNames[len(validNames)-1], validNames[mullvadIndex]
-		validNames = validNames[:len(validNames)-1]
-		sort.Strings(validNames)
 	} else { // Wireguard
 		validNames = []string{
 			providers.Airvpn,
@@ -1,14 +1,11 @@
 package settings

 import (
-	"bytes"
-	"encoding/json"
 	"fmt"
 	"net"
 	"os"
 	"strconv"

-	"github.com/qdm12/gluetun/internal/server/middlewares/auth"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
 	"github.com/qdm12/gotree"
@@ -27,9 +24,6 @@ type ControlServer struct {
 	// It cannot be empty in the internal state and defaults to
 	// /gluetun/auth/config.toml.
 	AuthFilePath string
-	// AuthDefaultRole is a JSON encoded object defining the default role
-	// that applies to all routes without a previously user-defined role assigned to.
-	AuthDefaultRole string
 }

 func (c ControlServer) validate() (err error) {
@@ -50,30 +44,14 @@ func (c ControlServer) validate() (err error) {
 			ErrControlServerPrivilegedPort, port, uid)
 	}

-	jsonDecoder := json.NewDecoder(bytes.NewBufferString(c.AuthDefaultRole))
-	jsonDecoder.DisallowUnknownFields()
-	var role auth.Role
-	err = jsonDecoder.Decode(&role)
-	if err != nil {
-		return fmt.Errorf("default authentication role is not valid JSON: %w", err)
-	}
-
-	if role.Auth != "" {
-		err = role.Validate()
-		if err != nil {
-			return fmt.Errorf("default authentication role is not valid: %w", err)
-		}
-	}
-
 	return nil
 }

 func (c *ControlServer) copy() (copied ControlServer) {
 	return ControlServer{
-		Address:         gosettings.CopyPointer(c.Address),
-		Log:             gosettings.CopyPointer(c.Log),
-		AuthFilePath:    c.AuthFilePath,
-		AuthDefaultRole: c.AuthDefaultRole,
+		Address:      gosettings.CopyPointer(c.Address),
+		Log:          gosettings.CopyPointer(c.Log),
+		AuthFilePath: c.AuthFilePath,
 	}
 }

@@ -84,21 +62,12 @@ func (c *ControlServer) overrideWith(other ControlServer) {
 	c.Address = gosettings.OverrideWithPointer(c.Address, other.Address)
 	c.Log = gosettings.OverrideWithPointer(c.Log, other.Log)
 	c.AuthFilePath = gosettings.OverrideWithComparable(c.AuthFilePath, other.AuthFilePath)
-	c.AuthDefaultRole = gosettings.OverrideWithComparable(c.AuthDefaultRole, other.AuthDefaultRole)
 }

 func (c *ControlServer) setDefaults() {
 	c.Address = gosettings.DefaultPointer(c.Address, ":8000")
 	c.Log = gosettings.DefaultPointer(c.Log, true)
 	c.AuthFilePath = gosettings.DefaultComparable(c.AuthFilePath, "/gluetun/auth/config.toml")
-	c.AuthDefaultRole = gosettings.DefaultComparable(c.AuthDefaultRole, "{}")
-	if c.AuthDefaultRole != "{}" {
-		var role auth.Role
-		_ = json.Unmarshal([]byte(c.AuthDefaultRole), &role)
-		role.Name = "default"
-		roleBytes, _ := json.Marshal(role) //nolint:errchkjson
-		c.AuthDefaultRole = string(roleBytes)
-	}
 }

 func (c ControlServer) String() string {
@@ -110,11 +79,6 @@ func (c ControlServer) toLinesNode() (node *gotree.Node) {
 	node.Appendf("Listening address: %s", *c.Address)
 	node.Appendf("Logging: %s", gosettings.BoolToYesNo(c.Log))
 	node.Appendf("Authentication file path: %s", c.AuthFilePath)
-	if c.AuthDefaultRole != "{}" {
-		var role auth.Role
-		_ = json.Unmarshal([]byte(c.AuthDefaultRole), &role)
-		node.AppendNode(role.ToLinesNode())
-	}
 	return node
 }

@@ -127,7 +91,6 @@ func (c *ControlServer) read(r *reader.Reader) (err error) {
 	c.Address = r.Get("HTTP_CONTROL_SERVER_ADDRESS")

 	c.AuthFilePath = r.String("HTTP_CONTROL_SERVER_AUTH_CONFIG_FILEPATH")
-	c.AuthDefaultRole = r.String("HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE", reader.ForceLowercase(false))

 	return nil
 }
@@ -16,7 +16,7 @@ import (
 	"github.com/qdm12/gotree"
 )

-type ServerSelection struct {
+type ServerSelection struct { //nolint:maligned
 	// VPN is the VPN type which can be 'openvpn'
 	// or 'wireguard'. It cannot be the empty string
 	// in the internal state.
@@ -344,8 +344,11 @@ func (ss *ServerSelection) setDefaults(vpnProvider string, portForwardingEnabled
 	ss.SecureCoreOnly = gosettings.DefaultPointer(ss.SecureCoreOnly, false)
 	ss.TorOnly = gosettings.DefaultPointer(ss.TorOnly, false)
 	ss.MultiHopOnly = gosettings.DefaultPointer(ss.MultiHopOnly, false)
-	defaultPortForwardOnly := portForwardingEnabled &&
-		helpers.IsOneOf(vpnProvider, providers.PrivateInternetAccess, providers.Protonvpn)
+	defaultPortForwardOnly := false
+	if portForwardingEnabled && helpers.IsOneOf(vpnProvider,
+		providers.PrivateInternetAccess, providers.Protonvpn) {
+		defaultPortForwardOnly = true
+	}
 	ss.PortForwardOnly = gosettings.DefaultPointer(ss.PortForwardOnly, defaultPortForwardOnly)
 	ss.OpenVPN.setDefaults(vpnProvider)
 	ss.Wireguard.setDefaults()
@@ -177,10 +177,10 @@ func (s Settings) Warnings() (warnings []string) {
 	// TODO remove in v4
 	if s.DNS.ServerAddress.Unmap().Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
 		warnings = append(warnings, "DNS address is set to "+s.DNS.ServerAddress.String()+
-			" so the local forwarding DNS server will not be used."+
-			" The default value changed to 127.0.0.1 so it uses the internal DNS server."+
-			" If this server fails to start, the IPv4 address of the first plaintext DNS server"+
-			" corresponding to the first DNS provider chosen is used.")
+			" so the DNS over TLS (DoT) server will not be used."+
+			" The default value changed to 127.0.0.1 so it uses the internal DoT serves."+
+			" If the DoT server fails to start, the IPv4 address of the first plaintext DNS server"+
+			" corresponding to the first DoT provider chosen is used.")
 	}

 	return warnings
@@ -29,55 +29,41 @@ func Test_Settings_String(t *testing.T) {
 |   |       └── OpenVPN server selection settings:
 |   |           ├── Protocol: UDP
 |   |           └── Private Internet Access encryption preset: strong
-|   ├── OpenVPN settings:
-|   |   ├── OpenVPN version: 2.6
-|   |   ├── User: [not set]
-|   |   ├── Password: [not set]
-|   |   ├── Private Internet Access encryption preset: strong
-|   |   ├── Network interface: tun0
-|   |   ├── Run OpenVPN as: root
-|   |   └── Verbosity level: 1
-|   └── Path MTU discovery:
-|       ├── ICMP addresses:
-|       |   ├── 1.1.1.1
-|       |   └── 8.8.8.8
-|       └── TCP addresses:
-|           ├── 1.1.1.1:53
-|           ├── 8.8.8.8:53
-|           ├── 1.1.1.1:443
-|           ├── 8.8.8.8:443
-|           ├── [2606:4700:4700::1111]:53
-|           ├── [2001:4860:4860::8888]:53
-|           ├── [2606:4700:4700::1111]:443
-|           └── [2001:4860:4860::8888]:443
+|   └── OpenVPN settings:
+|       ├── OpenVPN version: 2.6
+|       ├── User: [not set]
+|       ├── Password: [not set]
+|       ├── Private Internet Access encryption preset: strong
+|       ├── Network interface: tun0
+|       ├── Run OpenVPN as: root
+|       └── Verbosity level: 1
 ├── DNS settings:
 |   ├── Keep existing nameserver(s): no
 |   ├── DNS server address to use: 127.0.0.1
-|   ├── DNS forwarder server enabled: yes
-|   ├── Upstream resolver type: dot
-|   ├── Upstream resolvers:
-|   |   └── Cloudflare
-|   ├── Caching: yes
-|   ├── IPv6: no
-|   ├── Update period: every 24h0m0s
-|   └── DNS filtering settings:
-|       ├── Block malicious: yes
-|       ├── Block ads: no
-|       └── Block surveillance: yes
+|   └── DNS over TLS settings:
+|       ├── Enabled: yes
+|       ├── Update period: every 24h0m0s
+|       ├── Upstream resolvers:
+|       |   └── Cloudflare
+|       ├── Caching: yes
+|       ├── IPv6: no
+|       └── DNS filtering settings:
+|           ├── Block malicious: yes
+|           ├── Block ads: no
+|           └── Block surveillance: yes
 ├── Firewall settings:
 |   └── Enabled: yes
 ├── Log settings:
 |   └── Log level: INFO
 ├── Health settings:
 |   ├── Server listening address: 127.0.0.1:9999
-|   ├── Target addresses:
-|   |   ├── cloudflare.com:443
-|   |   └── github.com:443
-|   ├── Small health check type: ICMP echo request
-|   |   └── ICMP target IPs:
-|   |       ├── 1.1.1.1
-|   |       └── 8.8.8.8
-|   └── Restart VPN on healthcheck failure: yes
+|   ├── Target address: cloudflare.com:443
+|   ├── Duration to wait after success: 5s
+|   ├── Read header timeout: 100ms
+|   ├── Read timeout: 500ms
+|   └── VPN wait durations:
+|       ├── Initial duration: 6s
+|       └── Additional duration: 5s
 ├── Shadowsocks server settings:
 |   └── Enabled: no
 ├── HTTP proxy settings:
@@ -15,7 +15,7 @@ type Shadowsocks struct {
 	// It defaults to false, and cannot be nil in the internal state.
 	Enabled *bool
 	// Settings are settings for the TCP+UDP server.
-	Settings tcpudp.Settings
+	tcpudp.Settings
 }

 func (s Shadowsocks) validate() (err error) {
@@ -18,7 +18,6 @@ type VPN struct {
 	Provider  Provider  `json:"provider"`
 	OpenVPN   OpenVPN   `json:"openvpn"`
 	Wireguard Wireguard `json:"wireguard"`
-	PMTUD     PMTUD     `json:"pmtud"`
 }

 // TODO v4 remove pointer for receiver (because of Surfshark).
@@ -46,11 +45,6 @@ func (v *VPN) Validate(filterChoicesGetter FilterChoicesGetter, ipv6Supported bo
 		}
 	}

-	err = v.PMTUD.validate()
-	if err != nil {
-		return fmt.Errorf("PMTUD settings: %w", err)
-	}
-
 	return nil
 }

@@ -60,7 +54,6 @@ func (v *VPN) Copy() (copied VPN) {
 		Provider:  v.Provider.copy(),
 		OpenVPN:   v.OpenVPN.copy(),
 		Wireguard: v.Wireguard.copy(),
-		PMTUD:     v.PMTUD.copy(),
 	}
 }

@@ -69,7 +62,6 @@ func (v *VPN) OverrideWith(other VPN) {
 	v.Provider.overrideWith(other.Provider)
 	v.OpenVPN.overrideWith(other.OpenVPN)
 	v.Wireguard.overrideWith(other.Wireguard)
-	v.PMTUD.overrideWith(other.PMTUD)
 }

 func (v *VPN) setDefaults() {
@@ -77,7 +69,6 @@ func (v *VPN) setDefaults() {
 	v.Provider.setDefaults()
 	v.OpenVPN.setDefaults(v.Provider.Name)
 	v.Wireguard.setDefaults(v.Provider.Name)
-	v.PMTUD.setDefaults()
 }

 func (v VPN) String() string {
@@ -94,7 +85,6 @@ func (v VPN) toLinesNode() (node *gotree.Node) {
 	} else {
 		node.AppendNode(v.Wireguard.toLinesNode())
 	}
-	node.AppendNode(v.PMTUD.toLinesNode())

 	return node
 }
@@ -117,10 +107,5 @@ func (v *VPN) read(r *reader.Reader) (err error) {
 		return fmt.Errorf("wireguard: %w", err)
 	}

-	err = v.PMTUD.read(r)
-	if err != nil {
-		return fmt.Errorf("PMTUD: %w", err)
-	}
-
 	return nil
 }
@@ -38,9 +38,14 @@ type Wireguard struct {
 	Interface                   string         `json:"interface"`
 	PersistentKeepaliveInterval *time.Duration `json:"persistent_keep_alive_interval"`
 	// Maximum Transmission Unit (MTU) of the Wireguard interface.
-	// It cannot be nil in the internal state, and defaults to
-	// 0 indicating to use PMTUD.
-	MTU *uint32 `json:"mtu"`
+	// It cannot be zero in the internal state, and defaults to
+	// 1320. Note it is not the wireguard-go MTU default of 1420
+	// because this impacts bandwidth a lot on some VPN providers,
+	// see https://github.com/qdm12/gluetun/issues/1650.
+	// It has been lowered to 1320 following quite a bit of
+	// investigation in the issue:
+	// https://github.com/qdm12/gluetun/issues/2533.
+	MTU uint16 `json:"mtu"`
 	// Implementation is the Wireguard implementation to use.
 	// It can be "auto", "userspace" or "kernelspace".
 	// It defaults to "auto" and cannot be the empty string
@@ -189,7 +194,8 @@ func (w *Wireguard) setDefaults(vpnProvider string) {
 	w.AllowedIPs = gosettings.DefaultSlice(w.AllowedIPs, defaultAllowedIPs)
 	w.PersistentKeepaliveInterval = gosettings.DefaultPointer(w.PersistentKeepaliveInterval, 0)
 	w.Interface = gosettings.DefaultComparable(w.Interface, "wg0")
-	w.MTU = gosettings.DefaultPointer(w.MTU, 0)
+	const defaultMTU = 1320
+	w.MTU = gosettings.DefaultComparable(w.MTU, defaultMTU)
 	w.Implementation = gosettings.DefaultComparable(w.Implementation, "auto")
 }

@@ -225,11 +231,7 @@ func (w Wireguard) toLinesNode() (node *gotree.Node) {
 	}

 	interfaceNode := node.Appendf("Network interface: %s", w.Interface)
-	if *w.MTU == 0 {
-		interfaceNode.Append("MTU: use path MTU discovery")
-	} else {
-		interfaceNode.Appendf("MTU: %d", *w.MTU)
-	}
+	interfaceNode.Appendf("MTU: %d", w.MTU)

 	if w.Implementation != "auto" {
 		node.Appendf("Implementation: %s", w.Implementation)
@@ -270,9 +272,11 @@ func (w *Wireguard) read(r *reader.Reader) (err error) {
 		return err
 	}

-	w.MTU, err = r.Uint32Ptr("WIREGUARD_MTU")
+	mtuPtr, err := r.Uint16Ptr("WIREGUARD_MTU")
 	if err != nil {
 		return err
+	} else if mtuPtr != nil {
+		w.MTU = *mtuPtr
 	}
 	return nil
 }
@@ -155,8 +155,7 @@ func (w WireguardSelection) toLinesNode() (node *gotree.Node) {
 func (w *WireguardSelection) read(r *reader.Reader) (err error) {
 	w.EndpointIP, err = r.NetipAddr("WIREGUARD_ENDPOINT_IP", reader.RetroKeys("VPN_ENDPOINT_IP"))
 	if err != nil {
-		return fmt.Errorf("%w - note this MUST be an IP address, "+
-			"see https://github.com/qdm12/gluetun/issues/788", err)
+		return err
 	}

 	w.EndpointPort, err = r.Uint16Ptr("WIREGUARD_ENDPOINT_PORT", reader.RetroKeys("VPN_ENDPOINT_PORT"))
@@ -27,6 +27,7 @@ const (
 	VPNSecure             = "vpnsecure"
 	VPNUnlimited          = "vpn unlimited"
 	Vyprvpn               = "vyprvpn"
+	Wevpn                 = "wevpn"
 	Windscribe            = "windscribe"
 )

@@ -55,6 +56,7 @@ func All() []string {
 		VPNSecure,
 		VPNUnlimited,
 		Vyprvpn,
+		Wevpn,
 		Windscribe,
 	}
 }
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"net/netip"
 	"time"

 	"github.com/qdm12/dns/v2/pkg/middlewares/filter/mapfilter"
@@ -17,23 +16,22 @@ import (
 )

 type Loop struct {
-	statusManager  *loopstate.State
-	state          *state.State
-	server         *server.Server
-	filter         *mapfilter.Filter
-	localResolvers []netip.Addr
-	resolvConf     string
-	client         *http.Client
-	logger         Logger
-	userTrigger    bool
-	start          <-chan struct{}
-	running        chan<- models.LoopStatus
-	stop           <-chan struct{}
-	stopped        chan<- struct{}
-	updateTicker   <-chan struct{}
-	backoffTime    time.Duration
-	timeNow        func() time.Time
-	timeSince      func(time.Time) time.Duration
+	statusManager *loopstate.State
+	state         *state.State
+	server        *server.Server
+	filter        *mapfilter.Filter
+	resolvConf    string
+	client        *http.Client
+	logger        Logger
+	userTrigger   bool
+	start         <-chan struct{}
+	running       chan<- models.LoopStatus
+	stop          <-chan struct{}
+	stopped       chan<- struct{}
+	updateTicker  <-chan struct{}
+	backoffTime   time.Duration
+	timeNow       func() time.Time
+	timeSince     func(time.Time) time.Duration
 }

 const defaultBackoffTime = 10 * time.Second
@@ -50,9 +48,7 @@ func NewLoop(settings settings.DNS,
 	statusManager := loopstate.New(constants.Stopped, start, running, stop, stopped)
 	state := state.New(statusManager, settings, updateTicker)

-	filter, err := mapfilter.New(mapfilter.Settings{
-		Logger: buildFilterLogger(logger),
-	})
+	filter, err := mapfilter.New(mapfilter.Settings{})
 	if err != nil {
 		return nil, fmt.Errorf("creating map filter: %w", err)
 	}
@@ -104,15 +100,3 @@ func (l *Loop) signalOrSetStatus(status models.LoopStatus) {
 		l.statusManager.SetStatus(status)
 	}
 }
-
-type filterLogger struct {
-	logger Logger
-}
-
-func (l *filterLogger) Log(msg string) {
-	l.logger.Debug(msg)
-}
-
-func buildFilterLogger(logger Logger) *filterLogger {
-	return &filterLogger{logger: logger}
-}
@@ -10,7 +10,15 @@ import (
 func (l *Loop) useUnencryptedDNS(fallback bool) {
 	settings := l.GetSettings()

-	targetIP := settings.GetFirstPlaintextIPv4()
+	// Try with user provided plaintext ip address
+	// if it's not 127.0.0.1 (default for DoT), otherwise
+	// use the first DoT provider ipv4 address found.
+	var targetIP netip.Addr
+	if settings.ServerAddress.Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
+		targetIP = settings.ServerAddress
+	} else {
+		targetIP = settings.DoT.GetFirstPlaintextIPv4()
+	}

 	if fallback {
 		l.logger.Info("falling back on plaintext DNS at address " + targetIP.String())
@@ -19,15 +27,14 @@ func (l *Loop) useUnencryptedDNS(fallback bool) {
 	}

 	const dialTimeout = 3 * time.Second
-	const defaultDNSPort = 53
 	settingsInternalDNS := nameserver.SettingsInternalDNS{
-		AddrPort: netip.AddrPortFrom(targetIP, defaultDNSPort),
-		Timeout:  dialTimeout,
+		IP:      targetIP,
+		Timeout: dialTimeout,
 	}
 	nameserver.UseDNSInternally(settingsInternalDNS)

 	settingsSystemWide := nameserver.SettingsSystemDNS{
-		IPs:        []netip.Addr{targetIP},
+		IP:         targetIP,
 		ResolvPath: l.resolvConf,
 	}
 	err := nameserver.UseDNSSystemWide(settingsSystemWide)
@@ -2,21 +2,14 @@ package dns

 import (
 	"context"
+	"errors"

-	"github.com/qdm12/dns/v2/pkg/nameserver"
 	"github.com/qdm12/gluetun/internal/constants"
 )

 func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 	defer close(done)

-	var err error
-	l.localResolvers, err = nameserver.GetPrivateDNSServers()
-	if err != nil {
-		l.logger.Error("getting private DNS servers: " + err.Error())
-		return
-	}
-
 	if *l.GetSettings().KeepNameserver {
 		l.logger.Warn("⚠️⚠️⚠️  keeping the default container nameservers, " +
 			"this will likely leak DNS traffic outside the VPN " +
@@ -33,22 +26,17 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 	}

 	for ctx.Err() == nil {
-		// Upper scope variables for the DNS forwarder server only
+		// Upper scope variables for the DNS over TLS server only
 		// Their values are to be used if DOT=off
 		var runError <-chan error

 		settings := l.GetSettings()
-		for !*settings.KeepNameserver && *settings.ServerEnabled {
+		for !*settings.KeepNameserver && *settings.DoT.Enabled {
 			var err error
 			runError, err = l.setupServer(ctx)
 			if err == nil {
 				l.backoffTime = defaultBackoffTime
-				l.logger.Info("ready and using DNS server at address " + settings.ServerAddress.String())
-
-				err = l.updateFiles(ctx, settings)
-				if err != nil {
-					l.logger.Warn("downloading block lists failed, skipping: " + err.Error())
-				}
+				l.logger.Info("ready")
 				break
 			}

@@ -57,13 +45,18 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 			if ctx.Err() != nil {
 				return
 			}
+
+			if !errors.Is(err, errUpdateBlockLists) {
+				const fallback = true
+				l.useUnencryptedDNS(fallback)
+			}
 			l.logAndWait(ctx, err)
 			settings = l.GetSettings()
 		}
 		l.signalOrSetStatus(constants.Running)

 		settings = l.GetSettings()
-		if !*settings.KeepNameserver && !*settings.ServerEnabled {
+		if !*settings.KeepNameserver && !*settings.DoT.Enabled {
 			const fallback = false
 			l.useUnencryptedDNS(fallback)
 		}
@@ -82,7 +75,7 @@ func (l *Loop) runWait(ctx context.Context, runError <-chan error) (exitLoop boo
 		select {
 		case <-ctx.Done():
 			settings := l.GetSettings()
-			if !*settings.KeepNameserver && *settings.ServerEnabled {
+			if !*settings.KeepNameserver && *settings.DoT.Enabled {
 				l.stopServer()
 				// TODO revert OS and Go nameserver when exiting
 			}
@@ -91,7 +84,7 @@ func (l *Loop) runWait(ctx context.Context, runError <-chan error) (exitLoop boo
 			l.userTrigger = true
 			l.logger.Info("stopping")
 			settings := l.GetSettings()
-			if !*settings.KeepNameserver && *settings.ServerEnabled {
+			if !*settings.KeepNameserver && *settings.DoT.Enabled {
 				const fallback = false
 				l.useUnencryptedDNS(fallback)
 				l.stopServer()
@@ -114,6 +107,6 @@ func (l *Loop) runWait(ctx context.Context, runError <-chan error) (exitLoop boo
 func (l *Loop) stopServer() {
 	stopErr := l.server.Stop()
 	if stopErr != nil {
-		l.logger.Error("stopping server: " + stopErr.Error())
+		l.logger.Error("stopping DoT server: " + stopErr.Error())
 	}
 }
@@ -3,16 +3,12 @@ package dns
 import (
 	"context"
 	"fmt"
-	"net/netip"

-	"github.com/qdm12/dns/v2/pkg/doh"
 	"github.com/qdm12/dns/v2/pkg/dot"
 	cachemiddleware "github.com/qdm12/dns/v2/pkg/middlewares/cache"
 	"github.com/qdm12/dns/v2/pkg/middlewares/cache/lru"
 	filtermiddleware "github.com/qdm12/dns/v2/pkg/middlewares/filter"
 	"github.com/qdm12/dns/v2/pkg/middlewares/filter/mapfilter"
-	"github.com/qdm12/dns/v2/pkg/middlewares/localdns"
-	"github.com/qdm12/dns/v2/pkg/plain"
 	"github.com/qdm12/dns/v2/pkg/provider"
 	"github.com/qdm12/dns/v2/pkg/server"
 	"github.com/qdm12/gluetun/internal/configuration/settings"
@@ -26,63 +22,33 @@ func (l *Loop) SetSettings(ctx context.Context, settings settings.DNS) (
 	return l.state.SetSettings(ctx, settings)
 }

-func buildServerSettings(settings settings.DNS,
-	filter *mapfilter.Filter, localResolvers []netip.Addr,
-	logger Logger) (
+func buildDoTSettings(settings settings.DNS,
+	filter *mapfilter.Filter, logger Logger) (
 	serverSettings server.Settings, err error,
 ) {
 	serverSettings.Logger = logger

+	var dotSettings dot.Settings
 	providersData := provider.NewProviders()
-	upstreamResolvers := make([]provider.Provider, len(settings.Providers))
-	for i := range settings.Providers {
+	dotSettings.UpstreamResolvers = make([]provider.Provider, len(settings.DoT.Providers))
+	for i := range settings.DoT.Providers {
 		var err error
-		upstreamResolvers[i], err = providersData.Get(settings.Providers[i])
+		dotSettings.UpstreamResolvers[i], err = providersData.Get(settings.DoT.Providers[i])
 		if err != nil {
 			panic(err) // this should already had been checked
 		}
 	}
-
-	ipVersion := "ipv4"
-	if *settings.IPv6 {
-		ipVersion = "ipv6"
+	dotSettings.IPVersion = "ipv4"
+	if *settings.DoT.IPv6 {
+		dotSettings.IPVersion = "ipv6"
 	}

-	var dialer server.Dialer
-	switch settings.UpstreamType {
-	case "dot":
-		dialerSettings := dot.Settings{
-			UpstreamResolvers: upstreamResolvers,
-			IPVersion:         ipVersion,
-		}
-		dialer, err = dot.New(dialerSettings)
-		if err != nil {
-			return server.Settings{}, fmt.Errorf("creating DNS over TLS dialer: %w", err)
-		}
-	case "doh":
-		dialerSettings := doh.Settings{
-			UpstreamResolvers: upstreamResolvers,
-			IPVersion:         ipVersion,
-		}
-		dialer, err = doh.New(dialerSettings)
-		if err != nil {
-			return server.Settings{}, fmt.Errorf("creating DNS over HTTPS dialer: %w", err)
-		}
-	case "plain":
-		dialerSettings := plain.Settings{
-			UpstreamResolvers: upstreamResolvers,
-			IPVersion:         ipVersion,
-		}
-		dialer, err = plain.New(dialerSettings)
-		if err != nil {
-			return server.Settings{}, fmt.Errorf("creating plain DNS dialer: %w", err)
-		}
-	default:
-		panic("unknown upstream type: " + settings.UpstreamType)
+	serverSettings.Dialer, err = dot.New(dotSettings)
+	if err != nil {
+		return server.Settings{}, fmt.Errorf("creating DNS over TLS dialer: %w", err)
 	}
-	serverSettings.Dialer = dialer

-	if *settings.Caching {
+	if *settings.DoT.Caching {
 		lruCache, err := lru.New(lru.Settings{})
 		if err != nil {
 			return server.Settings{}, fmt.Errorf("creating LRU cache: %w", err)
@@ -104,22 +70,5 @@ func buildServerSettings(settings settings.DNS,
 	}
 	serverSettings.Middlewares = append(serverSettings.Middlewares, filterMiddleware)

-	localResolversAddrPorts := make([]netip.AddrPort, len(localResolvers))
-	const defaultDNSPort = 53
-	for i, addr := range localResolvers {
-		localResolversAddrPorts[i] = netip.AddrPortFrom(addr, defaultDNSPort)
-	}
-	localDNSMiddleware, err := localdns.New(localdns.Settings{
-		Resolvers: localResolversAddrPorts, // auto-detected at container start only
-		Logger:    logger,
-	})
-	if err != nil {
-		return server.Settings{}, fmt.Errorf("creating local DNS middleware: %w", err)
-	}
-	// Place after cache middleware, since we want to avoid caching for local
-	// hostnames that may change regularly.
-	// Place after filter middleware to avoid conflicts with the rebinding protection.
-	serverSettings.Middlewares = append(serverSettings.Middlewares, localDNSMiddleware)
-
 	return serverSettings, nil
 }
@@ -2,32 +2,32 @@ package dns

 import (
 	"context"
+	"errors"
 	"fmt"
-	"net/netip"

 	"github.com/qdm12/dns/v2/pkg/check"
-	"github.com/qdm12/dns/v2/pkg/middlewares/filter/update"
 	"github.com/qdm12/dns/v2/pkg/nameserver"
 	"github.com/qdm12/dns/v2/pkg/server"
 )

+var errUpdateBlockLists = errors.New("cannot update filter block lists")
+
 func (l *Loop) setupServer(ctx context.Context) (runError <-chan error, err error) {
+	err = l.updateFiles(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %w", errUpdateBlockLists, err)
+	}
+
 	settings := l.GetSettings()
-	var updateSettings update.Settings
-	updateSettings.SetRebindingProtectionExempt(settings.Blacklist.RebindingProtectionExemptHostnames)
-	err = l.filter.Update(updateSettings)
+
+	dotSettings, err := buildDoTSettings(settings, l.filter, l.logger)
 	if err != nil {
-		return nil, fmt.Errorf("updating filter for rebinding protection: %w", err)
+		return nil, fmt.Errorf("building DoT settings: %w", err)
 	}

-	serverSettings, err := buildServerSettings(settings, l.filter, l.localResolvers, l.logger)
+	server, err := server.New(dotSettings)
 	if err != nil {
-		return nil, fmt.Errorf("building server settings: %w", err)
-	}
-
-	server, err := server.New(serverSettings)
-	if err != nil {
-		return nil, fmt.Errorf("creating server: %w", err)
+		return nil, fmt.Errorf("creating DoT server: %w", err)
 	}

 	runError, err = server.Start(ctx)
@@ -37,12 +37,11 @@ func (l *Loop) setupServer(ctx context.Context) (runError <-chan error, err erro
 	l.server = server

 	// use internal DNS server
-	const defaultDNSPort = 53
 	nameserver.UseDNSInternally(nameserver.SettingsInternalDNS{
-		AddrPort: netip.AddrPortFrom(settings.ServerAddress, defaultDNSPort),
+		IP: settings.ServerAddress,
 	})
 	err = nameserver.UseDNSSystemWide(nameserver.SettingsSystemDNS{
-		IPs:        []netip.Addr{settings.ServerAddress},
+		IP:         settings.ServerAddress,
 		ResolvPath: l.resolvConf,
 	})
 	if err != nil {
@@ -27,7 +27,7 @@ func (s *State) SetSettings(ctx context.Context, settings settings.DNS) (

 	// Check for only update period change
 	tempSettings := s.settings.Copy()
-	*tempSettings.UpdatePeriod = *settings.UpdatePeriod
+	*tempSettings.DoT.UpdatePeriod = *settings.DoT.UpdatePeriod
 	onlyUpdatePeriodChanged := reflect.DeepEqual(tempSettings, settings)

 	s.settings = settings
@@ -40,7 +40,7 @@ func (s *State) SetSettings(ctx context.Context, settings settings.DNS) (

 	// Restart
 	_, _ = s.statusApplier.ApplyStatus(ctx, constants.Stopped)
-	if *settings.ServerEnabled {
+	if *settings.DoT.Enabled {
 		outcome, _ = s.statusApplier.ApplyStatus(ctx, constants.Running)
 	}
 	return outcome
@@ -14,7 +14,7 @@ func (l *Loop) RunRestartTicker(ctx context.Context, done chan<- struct{}) {
 	timer.Stop()
 	timerIsStopped := true
 	settings := l.GetSettings()
-	if period := *settings.UpdatePeriod; period > 0 {
+	if period := *settings.DoT.UpdatePeriod; period > 0 {
 		timer.Reset(period)
 		timerIsStopped = false
 	}
@@ -28,20 +28,31 @@ func (l *Loop) RunRestartTicker(ctx context.Context, done chan<- struct{}) {
 			return
 		case <-timer.C:
 			lastTick = l.timeNow()
-			settings := l.GetSettings()
-			if l.GetStatus() == constants.Running {
-				if err := l.updateFiles(ctx, settings); err != nil {
-					l.logger.Warn("updating block lists failed, skipping: " + err.Error())
+
+			status := l.GetStatus()
+			if status == constants.Running {
+				if err := l.updateFiles(ctx); err != nil {
+					l.statusManager.SetStatus(constants.Crashed)
+					l.logger.Error(err.Error())
+					l.logger.Warn("skipping DNS server restart due to failed files update")
+					settings := l.GetSettings()
+					timer.Reset(*settings.DoT.UpdatePeriod)
+					continue
 				}
 			}
-			timer.Reset(*settings.UpdatePeriod)
+
+			_, _ = l.statusManager.ApplyStatus(ctx, constants.Stopped)
+			_, _ = l.statusManager.ApplyStatus(ctx, constants.Running)
+
+			settings := l.GetSettings()
+			timer.Reset(*settings.DoT.UpdatePeriod)
 		case <-l.updateTicker:
 			if !timer.Stop() {
 				<-timer.C
 			}
 			timerIsStopped = true
 			settings := l.GetSettings()
-			newUpdatePeriod := *settings.UpdatePeriod
+			newUpdatePeriod := *settings.DoT.UpdatePeriod
 			if newUpdatePeriod == 0 {
 				continue
 			}
@@ -6,12 +6,13 @@ import (

 	"github.com/qdm12/dns/v2/pkg/blockbuilder"
 	"github.com/qdm12/dns/v2/pkg/middlewares/filter/update"
-	"github.com/qdm12/gluetun/internal/configuration/settings"
 )

-func (l *Loop) updateFiles(ctx context.Context, settings settings.DNS) (err error) {
+func (l *Loop) updateFiles(ctx context.Context) (err error) {
+	settings := l.GetSettings()
+
 	l.logger.Info("downloading hostnames and IP block lists")
-	blacklistSettings := settings.Blacklist.ToBlockBuilderSettings(l.client)
+	blacklistSettings := settings.DoT.Blacklist.ToBlockBuilderSettings(l.client)

 	blockBuilder, err := blockbuilder.New(blacklistSettings)
 	if err != nil {
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"fmt"
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"context"
@@ -16,7 +16,7 @@ func isDeleteMatchInstruction(instruction string) bool {
 	fields := strings.Fields(instruction)
 	for i, field := range fields {
 		switch {
-		case field != "-D" && field != "--delete":
+		case field != "-D" && field != "--delete": //nolint:goconst
 			continue
 		case i == len(fields)-1: // malformed: missing chain name
 			return false
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"context"
@@ -69,8 +69,8 @@ func Test_deleteIPTablesRule(t *testing.T) {
 		"invalid_instruction": {
 			instruction: "invalid",
 			errWrapped:  ErrIptablesCommandMalformed,
-			errMessage: "parsing iptables command: parsing \"invalid\": " +
-				"iptables command is malformed: flag \"invalid\" requires a value, but got none",
+			errMessage: "parsing iptables command: iptables command is malformed: " +
+				"fields count 1 is not even: \"invalid\"",
 		},
 		"list_error": {
 			instruction: "-t nat --delete PREROUTING -i tun0 -p tcp --dport 43716 -j REDIRECT --to-ports 5678",
@@ -22,7 +22,9 @@ func (c *Config) SetEnabled(ctx context.Context, enabled bool) (err error) {

 	if !enabled {
 		c.logger.Info("disabling...")
-		c.restore(ctx)
+		if err = c.disable(ctx); err != nil {
+			return fmt.Errorf("disabling firewall: %w", err)
+		}
 		c.enabled = false
 		c.logger.Info("disabled successfully")
 		return nil
@@ -39,33 +41,64 @@ func (c *Config) SetEnabled(ctx context.Context, enabled bool) (err error) {
 	return nil
 }

-func (c *Config) enable(ctx context.Context) (err error) {
-	c.restore, err = c.impl.SaveAndRestore(ctx)
-	if err != nil {
-		return fmt.Errorf("saving firewall rules: %w", err)
+func (c *Config) disable(ctx context.Context) (err error) {
+	if err = c.clearAllRules(ctx); err != nil {
+		return fmt.Errorf("clearing all rules: %w", err)
+	}
+	if err = c.setIPv4AllPolicies(ctx, "ACCEPT"); err != nil {
+		return fmt.Errorf("setting ipv4 policies: %w", err)
+	}
+	if err = c.setIPv6AllPolicies(ctx, "ACCEPT"); err != nil {
+		return fmt.Errorf("setting ipv6 policies: %w", err)
 	}

-	defer func() {
-		if err != nil {
-			c.restore(context.Background())
-		}
-	}()
+	const remove = true
+	err = c.redirectPorts(ctx, remove)
+	if err != nil {
+		return fmt.Errorf("removing port redirections: %w", err)
+	}

-	if err = c.impl.SetBaseChainsPolicy(ctx, "DROP"); err != nil {
+	return nil
+}
+
+// To use in defered call when enabling the firewall.
+func (c *Config) fallbackToDisabled(ctx context.Context) {
+	if ctx.Err() != nil {
+		return
+	}
+	if err := c.disable(ctx); err != nil {
+		c.logger.Error("failed reversing firewall changes: " + err.Error())
+	}
+}
+
+func (c *Config) enable(ctx context.Context) (err error) {
+	touched := false
+	if err = c.setIPv4AllPolicies(ctx, "DROP"); err != nil {
 		return err
 	}
+	touched = true

-	// Loopback traffic
-	if err = c.impl.AcceptInputThroughInterface(ctx, "lo"); err != nil {
+	if err = c.setIPv6AllPolicies(ctx, "DROP"); err != nil {
 		return err
 	}

 	const remove = false
-	if err = c.impl.AcceptOutputThroughInterface(ctx, "lo", remove); err != nil {
+
+	defer func() {
+		if touched && err != nil {
+			c.fallbackToDisabled(ctx)
+		}
+	}()
+
+	// Loopback traffic
+	if err = c.acceptInputThroughInterface(ctx, "lo", remove); err != nil {
+		return err
+	}
+	if err = c.acceptOutputThroughInterface(ctx, "lo", remove); err != nil {
 		return err
 	}

-	if err = c.impl.AcceptEstablishedRelatedTraffic(ctx); err != nil {
+	if err = c.acceptEstablishedRelatedTraffic(ctx, remove); err != nil {
 		return err
 	}

@@ -75,9 +108,7 @@ func (c *Config) enable(ctx context.Context) (err error) {

 	localInterfaces := make(map[string]struct{}, len(c.localNetworks))
 	for _, network := range c.localNetworks {
-		err = c.impl.AcceptOutputFromIPToSubnet(ctx,
-			network.InterfaceName, network.IP, network.IPNet, remove)
-		if err != nil {
+		if err := c.acceptOutputFromIPToSubnet(ctx, network.InterfaceName, network.IP, network.IPNet, remove); err != nil {
 			return err
 		}

@@ -86,7 +117,7 @@ func (c *Config) enable(ctx context.Context) (err error) {
 			continue
 		}
 		localInterfaces[network.InterfaceName] = struct{}{}
-		err = c.impl.AcceptIpv6MulticastOutput(ctx, network.InterfaceName)
+		err = c.acceptIpv6MulticastOutput(ctx, network.InterfaceName, remove)
 		if err != nil {
 			return fmt.Errorf("accepting IPv6 multicast output: %w", err)
 		}
@@ -99,7 +130,7 @@ func (c *Config) enable(ctx context.Context) (err error) {
 	// Allows packets from any IP address to go through eth0 / local network
 	// to reach Gluetun.
 	for _, network := range c.localNetworks {
-		if err := c.impl.AcceptInputToSubnet(ctx, network.InterfaceName, network.IPNet); err != nil {
+		if err := c.acceptInputToSubnet(ctx, network.InterfaceName, network.IPNet, remove); err != nil {
 			return err
 		}
 	}
@@ -108,12 +139,12 @@ func (c *Config) enable(ctx context.Context) (err error) {
 		return err
 	}

-	err = c.redirectPorts(ctx)
+	err = c.redirectPorts(ctx, remove)
 	if err != nil {
 		return fmt.Errorf("redirecting ports: %w", err)
 	}

-	if err := c.impl.RunUserPostRules(ctx, c.customRulesPath); err != nil {
+	if err := c.runUserPostRules(ctx, c.customRulesPath, remove); err != nil {
 		return fmt.Errorf("running user defined post firewall rules: %w", err)
 	}

@@ -133,7 +164,7 @@ func (c *Config) allowVPNIP(ctx context.Context) (err error) {
 			continue
 		}
 		interfacesSeen[defaultRoute.NetInterface] = struct{}{}
-		err = c.impl.AcceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, c.vpnConnection, remove)
+		err = c.acceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, c.vpnConnection, remove)
 		if err != nil {
 			return fmt.Errorf("accepting output traffic through VPN: %w", err)
 		}
@@ -155,7 +186,7 @@ func (c *Config) allowOutboundSubnets(ctx context.Context) (err error) {
 			firewallUpdated = true

 			const remove = false
-			err := c.impl.AcceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
+			err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
 				defaultRoute.AssignedIP, subnet, remove)
 			if err != nil {
 				return err
@@ -173,7 +204,7 @@ func (c *Config) allowInputPorts(ctx context.Context) (err error) {
 	for port, netInterfaces := range c.allowedInputPorts {
 		for netInterface := range netInterfaces {
 			const remove = false
-			err = c.impl.AcceptInputToPort(ctx, netInterface, port, remove)
+			err = c.acceptInputToPort(ctx, netInterface, port, remove)
 			if err != nil {
 				return fmt.Errorf("accepting input port %d on interface %s: %w",
 					port, netInterface, err)
@@ -183,10 +214,9 @@ func (c *Config) allowInputPorts(ctx context.Context) (err error) {
 	return nil
 }

-func (c *Config) redirectPorts(ctx context.Context) (err error) {
+func (c *Config) redirectPorts(ctx context.Context, remove bool) (err error) {
 	for _, portRedirection := range c.portRedirections {
-		const remove = false
-		err = c.impl.RedirectPort(ctx, portRedirection.interfaceName, portRedirection.sourcePort,
+		err = c.redirectPort(ctx, portRedirection.interfaceName, portRedirection.sourcePort,
 			portRedirection.destinationPort, remove)
 		if err != nil {
 			return err
@@ -2,28 +2,28 @@ package firewall

 import (
 	"context"
-	"fmt"
 	"net/netip"
 	"sync"

-	"github.com/qdm12/gluetun/internal/firewall/iptables"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/routing"
 )

-type Config struct {
-	runner        CmdRunner
-	logger        Logger
-	defaultRoutes []routing.DefaultRoute
-	localNetworks []routing.LocalNetwork
+type Config struct { //nolint:maligned
+	runner         CmdRunner
+	logger         Logger
+	iptablesMutex  sync.Mutex
+	ip6tablesMutex sync.Mutex
+	defaultRoutes  []routing.DefaultRoute
+	localNetworks  []routing.LocalNetwork

-	// Fixed
-	impl            firewallImpl
+	// Fixed state
+	ipTables        string
+	ip6Tables       string
 	customRulesPath string

 	// State
 	enabled           bool
-	restore           func(context.Context)
 	vpnConnection     models.Connection
 	vpnIntf           string
 	outboundSubnets   []netip.Prefix
@@ -38,19 +38,25 @@ func NewConfig(ctx context.Context, logger Logger,
 	runner CmdRunner, defaultRoutes []routing.DefaultRoute,
 	localNetworks []routing.LocalNetwork,
 ) (config *Config, err error) {
-	impl, err := iptables.New(ctx, runner, logger)
+	iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft", "iptables-legacy")
 	if err != nil {
-		return nil, fmt.Errorf("creating iptables firewall: %w", err)
+		return nil, err
+	}
+
+	ip6tables, err := findIP6tablesSupported(ctx, runner)
+	if err != nil {
+		return nil, err
 	}

 	return &Config{
 		runner:            runner,
 		logger:            logger,
 		allowedInputPorts: make(map[uint16]map[string]struct{}),
+		ipTables:          iptables,
+		ip6Tables:         ip6tables,
+		customRulesPath:   "/iptables/post-rules.txt",
 		// Obtained from routing
-		defaultRoutes:   defaultRoutes,
-		localNetworks:   localNetworks,
-		impl:            impl,
-		customRulesPath: "/iptables/post-rules.txt",
+		defaultRoutes: defaultRoutes,
+		localNetworks: localNetworks,
 	}, nil
 }
@@ -1,12 +1,6 @@
 package firewall

-import (
-	"context"
-	"net/netip"
-	"os/exec"
-
-	"github.com/qdm12/gluetun/internal/models"
-)
+import "os/exec"

 type CmdRunner interface {
 	Run(cmd *exec.Cmd) (output string, err error)
@@ -18,24 +12,3 @@ type Logger interface {
 	Warn(s string)
 	Error(s string)
 }
-
-type firewallImpl interface { //nolint:interfacebloat
-	SaveAndRestore(ctx context.Context) (restore func(context.Context), err error)
-	AcceptEstablishedRelatedTraffic(ctx context.Context) error
-	AcceptInputThroughInterface(ctx context.Context, intf string) error
-	AcceptInputToPort(ctx context.Context, intf string, port uint16, remove bool) error
-	AcceptInputToSubnet(ctx context.Context, intf string, subnet netip.Prefix) error
-	AcceptIpv6MulticastOutput(ctx context.Context, intf string) error
-	AcceptOutputFromIPToSubnet(ctx context.Context, intf string, assignedIP netip.Addr,
-		subnet netip.Prefix, remove bool) error
-	AcceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error
-	AcceptOutputTrafficToVPN(ctx context.Context, intf string,
-		connection models.Connection, remove bool) error
-	RedirectPort(ctx context.Context, intf string, sourcePort,
-		destinationPort uint16, remove bool) error
-	RunUserPostRules(ctx context.Context, customRulesPath string) error
-	SetBaseChainsPolicy(ctx context.Context, policy string) error
-	TempDropOutputTCPRST(ctx context.Context, src, dst netip.AddrPort, excludeMark int) (
-		revert func(ctx context.Context) error, err error)
-	Version(ctx context.Context) (version string, err error)
-}
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"context"
@@ -14,8 +14,8 @@ import (
 func findIP6tablesSupported(ctx context.Context, runner CmdRunner) (
 	ip6tablesPath string, err error,
 ) {
-	ip6tablesPath, err = checkIptablesSupport(ctx, runner, "ip6tables", "ip6tables-legacy")
-	if errors.Is(err, ErrNotSupported) {
+	ip6tablesPath, err = checkIptablesSupport(ctx, runner, "ip6tables", "ip6tables-nft", "ip6tables-legacy")
+	if errors.Is(err, ErrIPTablesNotSupported) {
 		return "", nil
 	} else if err != nil {
 		return "", err
@@ -24,23 +24,8 @@ func findIP6tablesSupported(ctx context.Context, runner CmdRunner) (
 }

 func (c *Config) runIP6tablesInstructions(ctx context.Context, instructions []string) error {
-	c.ip6tablesMutex.Lock() // only one ip6tables command at once
-	defer c.ip6tablesMutex.Unlock()
-
-	restore, err := c.saveAndRestoreIPv6(ctx)
-	if err != nil {
-		return err
-	}
-	err = c.runIP6tablesInstructionsNoSave(ctx, instructions)
-	if err != nil {
-		restore(ctx)
-	}
-	return err
-}
-
-func (c *Config) runIP6tablesInstructionsNoSave(ctx context.Context, instructions []string) error {
 	for _, instruction := range instructions {
-		if err := c.runIP6tablesInstructionNoSave(ctx, instruction); err != nil {
+		if err := c.runIP6tablesInstruction(ctx, instruction); err != nil {
 			return err
 		}
 	}
@@ -48,24 +33,11 @@ func (c *Config) runIP6tablesInstructionsNoSave(ctx context.Context, instruction
 }

 func (c *Config) runIP6tablesInstruction(ctx context.Context, instruction string) error {
-	c.ip6tablesMutex.Lock() // only one ip6tables command at once
-	defer c.ip6tablesMutex.Unlock()
-
-	restore, err := c.saveAndRestoreIPv6(ctx)
-	if err != nil {
-		return err
-	}
-	err = c.runIP6tablesInstructionNoSave(ctx, instruction)
-	if err != nil {
-		restore(ctx)
-	}
-	return err
-}
-
-func (c *Config) runIP6tablesInstructionNoSave(ctx context.Context, instruction string) error {
 	if c.ip6Tables == "" {
 		return nil
 	}
+	c.ip6tablesMutex.Lock() // only one ip6tables command at once
+	defer c.ip6tablesMutex.Unlock()

 	if isDeleteMatchInstruction(instruction) {
 		return deleteIPTablesRule(ctx, c.ip6Tables, instruction,
@@ -81,3 +53,18 @@ func (c *Config) runIP6tablesInstructionNoSave(ctx context.Context, instruction
 	}
 	return nil
 }
+
+var ErrPolicyNotValid = errors.New("policy is not valid")
+
+func (c *Config) setIPv6AllPolicies(ctx context.Context, policy string) error {
+	switch policy {
+	case "ACCEPT", "DROP": //nolint:goconst
+	default:
+		return fmt.Errorf("%w: %s", ErrPolicyNotValid, policy)
+	}
+	return c.runIP6tablesInstructions(ctx, []string{
+		"--policy INPUT " + policy,
+		"--policy OUTPUT " + policy,
+		"--policy FORWARD " + policy,
+	})
+}
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"context"
@@ -26,6 +26,22 @@ func appendOrDelete(remove bool) string {
 	return "--append"
 }

+// flipRule changes an append rule in a delete rule or a delete rule into an
+// append rule.
+func flipRule(rule string) string {
+	switch {
+	case strings.HasPrefix(rule, "-A"):
+		return strings.Replace(rule, "-A", "-D", 1)
+	case strings.HasPrefix(rule, "--append"):
+		return strings.Replace(rule, "--append", "-D", 1)
+	case strings.HasPrefix(rule, "-D"):
+		return strings.Replace(rule, "-D", "-A", 1)
+	case strings.HasPrefix(rule, "--delete"):
+		return strings.Replace(rule, "--delete", "-A", 1)
+	}
+	return rule
+}
+
 // Version obtains the version of the installed iptables.
 func (c *Config) Version(ctx context.Context) (string, error) {
 	cmd := exec.CommandContext(ctx, c.ipTables, "--version") //nolint:gosec
@@ -38,28 +54,12 @@ func (c *Config) Version(ctx context.Context) (string, error) {
 	if len(words) < minWords {
 		return "", fmt.Errorf("%w: %s", ErrIPTablesVersionTooShort, output)
 	}
-	return "iptables " + words[1], nil
+	return words[1], nil
 }

 func (c *Config) runIptablesInstructions(ctx context.Context, instructions []string) error {
-	c.iptablesMutex.Lock()
-	defer c.iptablesMutex.Unlock()
-
-	restore, err := c.saveAndRestoreIPv4(ctx)
-	if err != nil {
-		return err
-	}
-
-	err = c.runIptablesInstructionsNoSave(ctx, instructions)
-	if err != nil {
-		restore(ctx)
-	}
-	return err
-}
-
-func (c *Config) runIptablesInstructionsNoSave(ctx context.Context, instructions []string) error {
 	for _, instruction := range instructions {
-		if err := c.runIptablesInstructionNoSave(ctx, instruction); err != nil {
+		if err := c.runIptablesInstruction(ctx, instruction); err != nil {
 			return err
 		}
 	}
@@ -70,19 +70,6 @@ func (c *Config) runIptablesInstruction(ctx context.Context, instruction string)
 	c.iptablesMutex.Lock() // only one iptables command at once
 	defer c.iptablesMutex.Unlock()

-	restore, err := c.saveAndRestoreIPv4(ctx)
-	if err != nil {
-		return err
-	}
-
-	err = c.runIptablesInstructionNoSave(ctx, instruction)
-	if err != nil {
-		restore(ctx)
-	}
-	return err
-}
-
-func (c *Config) runIptablesInstructionNoSave(ctx context.Context, instruction string) error {
 	if isDeleteMatchInstruction(instruction) {
 		return deleteIPTablesRule(ctx, c.ipTables, instruction,
 			c.runner, c.logger)
@@ -98,33 +85,42 @@ func (c *Config) runIptablesInstructionNoSave(ctx context.Context, instruction s
 	return nil
 }

-func (c *Config) SetBaseChainsPolicy(ctx context.Context, policy string) error {
-	policy = strings.ToUpper(policy)
+func (c *Config) clearAllRules(ctx context.Context) error {
+	return c.runMixedIptablesInstructions(ctx, []string{
+		"--flush",        // flush all chains
+		"--delete-chain", // delete all chains
+	})
+}
+
+func (c *Config) setIPv4AllPolicies(ctx context.Context, policy string) error {
 	switch policy {
 	case "ACCEPT", "DROP":
 	default:
 		return fmt.Errorf("%w: %s", ErrPolicyUnknown, policy)
 	}
-	return c.runMixedIptablesInstructions(ctx, []string{
+	return c.runIptablesInstructions(ctx, []string{
 		"--policy INPUT " + policy,
 		"--policy OUTPUT " + policy,
 		"--policy FORWARD " + policy,
 	})
 }

-func (c *Config) AcceptInputThroughInterface(ctx context.Context, intf string) error {
+func (c *Config) acceptInputThroughInterface(ctx context.Context, intf string, remove bool) error {
 	return c.runMixedIptablesInstruction(ctx, fmt.Sprintf(
-		"--append INPUT -i %s -j ACCEPT", intf))
+		"%s INPUT -i %s -j ACCEPT", appendOrDelete(remove), intf,
+	))
 }

-func (c *Config) AcceptInputToSubnet(ctx context.Context, intf string, destination netip.Prefix) error {
+func (c *Config) acceptInputToSubnet(ctx context.Context, intf string,
+	destination netip.Prefix, remove bool,
+) error {
 	interfaceFlag := "-i " + intf
 	if intf == "*" { // all interfaces
 		interfaceFlag = ""
 	}

-	instruction := fmt.Sprintf("--append INPUT %s -d %s -j ACCEPT",
-		interfaceFlag, destination.String())
+	instruction := fmt.Sprintf("%s INPUT %s -d %s -j ACCEPT",
+		appendOrDelete(remove), interfaceFlag, destination.String())

 	if destination.Addr().Is4() {
 		return c.runIptablesInstruction(ctx, instruction)
@@ -135,25 +131,25 @@ func (c *Config) AcceptInputToSubnet(ctx context.Context, intf string, destinati
 	return c.runIP6tablesInstruction(ctx, instruction)
 }

-func (c *Config) AcceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error {
+func (c *Config) acceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error {
 	return c.runMixedIptablesInstruction(ctx, fmt.Sprintf(
 		"%s OUTPUT -o %s -j ACCEPT", appendOrDelete(remove), intf,
 	))
 }

-func (c *Config) AcceptEstablishedRelatedTraffic(ctx context.Context) error {
+func (c *Config) acceptEstablishedRelatedTraffic(ctx context.Context, remove bool) error {
 	return c.runMixedIptablesInstructions(ctx, []string{
-		"--append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
-		"--append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
+		fmt.Sprintf("%s OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", appendOrDelete(remove)),
+		fmt.Sprintf("%s INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", appendOrDelete(remove)),
 	})
 }

-func (c *Config) AcceptOutputTrafficToVPN(ctx context.Context,
+func (c *Config) acceptOutputTrafficToVPN(ctx context.Context,
 	defaultInterface string, connection models.Connection, remove bool,
 ) error {
 	protocol := connection.Protocol
 	if protocol == "tcp-client" {
-		protocol = "tcp"
+		protocol = "tcp" //nolint:goconst
 	}
 	instruction := fmt.Sprintf("%s OUTPUT -d %s -o %s -p %s -m %s --dport %d -j ACCEPT",
 		appendOrDelete(remove), connection.IP, defaultInterface, protocol,
@@ -166,11 +162,8 @@ func (c *Config) AcceptOutputTrafficToVPN(ctx context.Context,
 	return c.runIP6tablesInstruction(ctx, instruction)
 }

-// AcceptOutputFromIPToSubnet accepts outgoing traffic from sourceIP to destinationSubnet
-// on the interface intf. If intf is empty, it is set to "*" which means all interfaces.
-// If remove is true, the rule is removed instead of added.
 // Thanks to @npawelek.
-func (c *Config) AcceptOutputFromIPToSubnet(ctx context.Context,
+func (c *Config) acceptOutputFromIPToSubnet(ctx context.Context,
 	intf string, sourceIP netip.Addr, destinationSubnet netip.Prefix, remove bool,
 ) error {
 	doIPv4 := sourceIP.Is4() && destinationSubnet.Addr().Is4()
@@ -191,24 +184,21 @@ func (c *Config) AcceptOutputFromIPToSubnet(ctx context.Context,
 	return c.runIP6tablesInstruction(ctx, instruction)
 }

-// AcceptIpv6MulticastOutput accepts outgoing traffic to the IPv6 multicast address
-// ff02::1:ff00:0/104, which is used for NDP (Neighbor Discovery Protocol) to resolve
-// IPv6 addresses to MAC addresses. If intf is empty, it is set to "*" which means
-// all interfaces. If remove is true, the rule is removed instead of added.
-func (c *Config) AcceptIpv6MulticastOutput(ctx context.Context, intf string) error {
+// NDP uses multicast address (theres no broadcast in IPv6 like ARP uses in IPv4).
+func (c *Config) acceptIpv6MulticastOutput(ctx context.Context,
+	intf string, remove bool,
+) error {
 	interfaceFlag := "-o " + intf
 	if intf == "*" { // all interfaces
 		interfaceFlag = ""
 	}
-	instruction := fmt.Sprintf("--append OUTPUT %s -d ff02::1:ff00:0/104 -j ACCEPT", interfaceFlag)
+	instruction := fmt.Sprintf("%s OUTPUT %s -d ff02::1:ff00:0/104 -j ACCEPT",
+		appendOrDelete(remove), interfaceFlag)
 	return c.runIP6tablesInstruction(ctx, instruction)
 }

-// AcceptInputToPort accepts incoming traffic on the specified port, for both TCP and UDP
-// protocols, on the interface intf. If intf is empty, it is set to "*" which means all interfaces.
-// If remove is true, the rule is removed instead of added. This is used for port forwarding, with
-// intf set to the VPN tunnel interface.
-func (c *Config) AcceptInputToPort(ctx context.Context, intf string, port uint16, remove bool) error {
+// Used for port forwarding, with intf set to tun.
+func (c *Config) acceptInputToPort(ctx context.Context, intf string, port uint16, remove bool) error {
 	interfaceFlag := "-i " + intf
 	if intf == "*" { // all interfaces
 		interfaceFlag = ""
@@ -219,12 +209,8 @@ func (c *Config) AcceptInputToPort(ctx context.Context, intf string, port uint16
 	})
 }

-// RedirectPort redirects incoming traffic on the specified source port to the
-// specified destination port, for both TCP and UDP protocols, on the interface intf.
-// If intf is empty, it is set to "*" which means all interfaces. If remove is true,
-// the redirection is removed instead of added. This is used for VPN server side
-// port forwarding, with intf set to the VPN tunnel interface.
-func (c *Config) RedirectPort(ctx context.Context, intf string,
+// Used for VPN server side port forwarding, with intf set to the VPN tunnel interface.
+func (c *Config) redirectPort(ctx context.Context, intf string,
 	sourcePort, destinationPort uint16, remove bool,
 ) (err error) {
 	interfaceFlag := "-i " + intf
@@ -232,17 +218,7 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 		interfaceFlag = ""
 	}

-	c.iptablesMutex.Lock()
-	c.ip6tablesMutex.Lock()
-	defer c.iptablesMutex.Unlock()
-	defer c.ip6tablesMutex.Unlock()
-
-	restore, err := c.saveAndRestore(ctx)
-	if err != nil {
-		return err
-	}
-
-	err = c.runIptablesInstructionsNoSave(ctx, []string{
+	err = c.runIptablesInstructions(ctx, []string{
 		fmt.Sprintf("-t nat %s PREROUTING %s -p tcp --dport %d -j REDIRECT --to-ports %d",
 			appendOrDelete(remove), interfaceFlag, sourcePort, destinationPort),
 		fmt.Sprintf("%s INPUT %s -p tcp -m tcp --dport %d -j ACCEPT",
@@ -253,12 +229,11 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			appendOrDelete(remove), interfaceFlag, destinationPort),
 	})
 	if err != nil {
-		restore(ctx)
 		return fmt.Errorf("redirecting IPv4 source port %d to destination port %d on interface %s: %w",
 			sourcePort, destinationPort, intf, err)
 	}

-	err = c.runIP6tablesInstructionsNoSave(ctx, []string{
+	err = c.runIP6tablesInstructions(ctx, []string{
 		fmt.Sprintf("-t nat %s PREROUTING %s -p tcp --dport %d -j REDIRECT --to-ports %d",
 			appendOrDelete(remove), interfaceFlag, sourcePort, destinationPort),
 		fmt.Sprintf("%s INPUT %s -p tcp -m tcp --dport %d -j ACCEPT",
@@ -269,7 +244,6 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			appendOrDelete(remove), interfaceFlag, destinationPort),
 	})
 	if err != nil {
-		restore(ctx) // just in case
 		errMessage := err.Error()
 		if strings.Contains(errMessage, "can't initialize ip6tables table `nat': Table does not exist") {
 			if !remove {
@@ -283,7 +257,7 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 	return nil
 }

-func (c *Config) RunUserPostRules(ctx context.Context, filepath string) error {
+func (c *Config) runUserPostRules(ctx context.Context, filepath string, remove bool) error {
 	file, err := os.OpenFile(filepath, os.O_RDONLY, 0)
 	if os.IsNotExist(err) {
 		return nil
@@ -299,17 +273,16 @@ func (c *Config) RunUserPostRules(ctx context.Context, filepath string) error {
 		return err
 	}
 	lines := strings.Split(string(b), "\n")
-
-	c.iptablesMutex.Lock()
-	c.ip6tablesMutex.Lock()
-	defer c.iptablesMutex.Unlock()
-	defer c.ip6tablesMutex.Unlock()
-
-	restore, err := c.saveAndRestore(ctx)
-	if err != nil {
-		return err
-	}
-
+	successfulRules := []string{}
+	defer func() {
+		// transaction-like rollback
+		if err == nil || ctx.Err() != nil {
+			return
+		}
+		for _, rule := range successfulRules {
+			_ = c.runIptablesInstruction(ctx, flipRule(rule))
+		}
+	}()
 	for _, line := range lines {
 		var ipv4 bool
 		var rule string
@@ -336,18 +309,23 @@ func (c *Config) RunUserPostRules(ctx context.Context, filepath string) error {
 			continue
 		}

+		if remove {
+			rule = flipRule(rule)
+		}
+
 		switch {
 		case ipv4:
-			err = c.runIptablesInstructionNoSave(ctx, rule)
+			err = c.runIptablesInstruction(ctx, rule)
 		case c.ip6Tables == "":
 			err = fmt.Errorf("running user ip6tables rule: %w", ErrNeedIP6Tables)
 		default: // ipv6
-			err = c.runIP6tablesInstructionNoSave(ctx, rule)
+			err = c.runIP6tablesInstruction(ctx, rule)
 		}
 		if err != nil {
-			restore(ctx)
 			return err
 		}
+
+		successfulRules = append(successfulRules, rule)
 	}
 	return nil
 }
@@ -1,85 +0,0 @@
-package iptables
-
-import (
-	"context"
-	"fmt"
-	"os/exec"
-	"strings"
-)
-
-// SaveAndRestore saves the current iptables and ip6tables rules and
-// returns a restore function that can be called to restore the saved rules.
-func (c *Config) SaveAndRestore(ctx context.Context) (restore func(context.Context), err error) {
-	c.iptablesMutex.Lock()
-	c.ip6tablesMutex.Lock()
-	defer c.iptablesMutex.Unlock()
-	defer c.ip6tablesMutex.Unlock()
-
-	return c.saveAndRestore(ctx)
-}
-
-// callers MUST always lock both the [Config] iptablesMutex and the ip6tablesMutex
-// before calling this function. Note the restore function does not interact with mutexes
-// so the caller must make sure the mutexes are locked when calling the restore function.
-func (c *Config) saveAndRestore(ctx context.Context) (restore func(context.Context), err error) {
-	restoreIPv4, err := c.saveAndRestoreIPv4(ctx)
-	if err != nil {
-		return nil, err
-	}
-	restoreIPv6, err := c.saveAndRestoreIPv6(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	restore = func(ctx context.Context) {
-		restoreIPv4(ctx)
-		if restoreIPv6 != nil {
-			restoreIPv6(ctx)
-		}
-	}
-	return restore, nil
-}
-
-// Callers of saveAndRestoreIPv4 MUST always lock the [Config] iptablesMutex
-// before calling this function.
-func (c *Config) saveAndRestoreIPv4(ctx context.Context) (restore func(context.Context), err error) {
-	cmd := exec.CommandContext(ctx, c.ipTables+"-save") //nolint:gosec
-	data, err := c.runner.Run(cmd)
-	if err != nil {
-		return nil, fmt.Errorf("saving IPv4 iptables: %w", err)
-	}
-
-	restore = func(ctx context.Context) {
-		cmd := exec.CommandContext(ctx, c.ipTables+"-restore") //nolint:gosec
-		cmd.Stdin = strings.NewReader(data)
-		output, err := c.runner.Run(cmd)
-		if err != nil {
-			c.logger.Warn(fmt.Sprintf("restoring IPv4 iptables failed: %v: %s", err, output))
-		}
-	}
-	return restore, nil
-}
-
-// Callers of saveAndRestoreIPv6 MUST always lock the [Config] ip6tablesMutex
-// before calling this function.
-func (c *Config) saveAndRestoreIPv6(ctx context.Context) (restore func(context.Context), err error) {
-	if c.ip6Tables == "" {
-		return nil, nil //nolint:nilnil
-	}
-
-	cmd := exec.CommandContext(ctx, c.ip6Tables+"-save") //nolint:gosec
-	data, err := c.runner.Run(cmd)
-	if err != nil {
-		return nil, fmt.Errorf("saving IPv6 iptables: %w", err)
-	}
-
-	restore = func(ctx context.Context) {
-		cmd = exec.CommandContext(ctx, c.ip6Tables+"-restore") //nolint:gosec
-		cmd.Stdin = strings.NewReader(data)
-		output, err := c.runner.Run(cmd)
-		if err != nil {
-			c.logger.Warn(fmt.Sprintf("restoring IPv6 iptables failed: %v: %s", err, output))
-		}
-	}
-	return restore, nil
-}
@@ -1,51 +0,0 @@
-package iptables
-
-import (
-	"context"
-	"sync"
-
-	"github.com/qdm12/gluetun/internal/mod"
-)
-
-type Config struct {
-	runner         CmdRunner
-	logger         Logger
-	iptablesMutex  sync.Mutex
-	ip6tablesMutex sync.Mutex
-
-	// Fixed state
-	ipTables  string
-	ip6Tables string
-	nftables  bool
-	xtMark    bool
-}
-
-func New(ctx context.Context, runner CmdRunner, logger Logger) (*Config, error) {
-	iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft", "iptables-legacy")
-	if err != nil {
-		return nil, err
-	}
-
-	ip6tables, err := findIP6tablesSupported(ctx, runner)
-	if err != nil {
-		return nil, err
-	}
-
-	modules := map[string]bool{
-		"xt_mark":   false,
-		"nf_tables": false,
-	}
-	for module := range modules {
-		err := mod.Probe(module)
-		modules[module] = err == nil
-	}
-
-	return &Config{
-		runner:    runner,
-		logger:    logger,
-		ipTables:  iptables,
-		ip6Tables: ip6tables,
-		nftables:  modules["nf_tables"],
-		xtMark:    modules["xt_mark"],
-	}, nil
-}
@@ -1,14 +0,0 @@
-package iptables
-
-import "os/exec"
-
-type CmdRunner interface {
-	Run(cmd *exec.Cmd) (output string, err error)
-}
-
-type Logger interface {
-	Debug(s string)
-	Info(s string)
-	Warn(s string)
-	Error(s string)
-}
@@ -1,49 +0,0 @@
-package iptables
-
-import (
-	"context"
-)
-
-func (c *Config) runMixedIptablesInstructions(ctx context.Context, instructions []string) error {
-	c.iptablesMutex.Lock()
-	c.ip6tablesMutex.Lock()
-	defer c.iptablesMutex.Unlock()
-	defer c.ip6tablesMutex.Unlock()
-
-	restore, err := c.saveAndRestore(ctx)
-	if err != nil {
-		return err
-	}
-
-	for _, instruction := range instructions {
-		if err := c.runMixedIptablesInstructionNoSave(ctx, instruction); err != nil {
-			restore(ctx)
-			return err
-		}
-	}
-	return nil
-}
-
-func (c *Config) runMixedIptablesInstruction(ctx context.Context, instruction string) error {
-	c.iptablesMutex.Lock()
-	c.ip6tablesMutex.Lock()
-	defer c.iptablesMutex.Unlock()
-	defer c.ip6tablesMutex.Unlock()
-
-	restore, err := c.saveAndRestore(ctx)
-	if err != nil {
-		return err
-	}
-	err = c.runMixedIptablesInstructionNoSave(ctx, instruction)
-	if err != nil {
-		restore(ctx)
-	}
-	return err
-}
-
-func (c *Config) runMixedIptablesInstructionNoSave(ctx context.Context, instruction string) error {
-	if err := c.runIptablesInstructionNoSave(ctx, instruction); err != nil {
-		return err
-	}
-	return c.runIP6tablesInstructionNoSave(ctx, instruction)
-}
@@ -1,96 +0,0 @@
-package iptables
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/netip"
-)
-
-type tcpFlags struct {
-	mask       []tcpFlag
-	comparison []tcpFlag
-}
-
-type tcpFlag uint8
-
-const (
-	tcpFlagFIN tcpFlag = 1 << iota
-	tcpFlagSYN
-	tcpFlagRST
-	tcpFlagPSH
-	tcpFlagACK
-	tcpFlagURG
-	tcpFlagECE
-	tcpFlagCWR
-)
-
-func (f tcpFlag) String() string {
-	switch f {
-	case tcpFlagFIN:
-		return "FIN"
-	case tcpFlagSYN:
-		return "SYN"
-	case tcpFlagRST:
-		return "RST"
-	case tcpFlagPSH:
-		return "PSH"
-	case tcpFlagACK:
-		return "ACK"
-	case tcpFlagURG:
-		return "URG"
-	case tcpFlagECE:
-		return "ECE"
-	case tcpFlagCWR:
-		return "CWR"
-	default:
-		panic(fmt.Sprintf("%s: %d", errTCPFlagUnknown, f))
-	}
-}
-
-var errTCPFlagUnknown = errors.New("unknown TCP flag")
-
-func parseTCPFlag(s string) (tcpFlag, error) {
-	allFlags := []tcpFlag{
-		tcpFlagFIN, tcpFlagSYN, tcpFlagRST, tcpFlagPSH,
-		tcpFlagACK, tcpFlagURG, tcpFlagECE, tcpFlagCWR,
-	}
-	for _, flag := range allFlags {
-		if s == fmt.Sprintf("%#02x", uint8(flag)) || s == flag.String() {
-			return flag, nil
-		}
-	}
-	return 0, fmt.Errorf("%w: %s", errTCPFlagUnknown, s)
-}
-
-var ErrMarkMatchModuleMissing = errors.New("kernel is missing the mark module libxt_mark.so")
-
-// TempDropOutputTCPRST temporarily drops outgoing TCP RST packets to the specified address and port,
-// for any TCP packets not marked with the excludeMark given.
-// This is necessary for TCP path MTU discovery to work, as the kernel will try to terminate the connection
-// by sending a TCP RST packet, although we want to handle the connection manually.
-func (c *Config) TempDropOutputTCPRST(ctx context.Context,
-	src, dst netip.AddrPort, excludeMark int) (
-	revert func(ctx context.Context) error, err error,
-) {
-	if !c.nftables && !c.xtMark {
-		return nil, fmt.Errorf("%w", ErrMarkMatchModuleMissing)
-	}
-
-	const template = "%s OUTPUT -p tcp -s %s --sport %d -d %s --dport %d " +
-		"--tcp-flags RST RST -m mark ! --mark %d -j DROP" //nolint:dupword
-	instruction := fmt.Sprintf(template, "--append", src.Addr(), src.Port(), dst.Addr(), dst.Port(), excludeMark)
-	revertInstruction := fmt.Sprintf(template, "--delete", src.Addr(), src.Port(), dst.Addr(), dst.Port(), excludeMark)
-	run := c.runIptablesInstruction
-	if dst.Addr().Is6() {
-		run = c.runIP6tablesInstruction
-	}
-	revert = func(ctx context.Context) error {
-		return run(ctx, revertInstruction)
-	}
-	err = run(ctx, instruction)
-	if err != nil {
-		return nil, fmt.Errorf("running instruction: %w", err)
-	}
-	return revert, nil
-}
@@ -0,0 +1,21 @@
+package firewall
+
+import (
+	"context"
+)
+
+func (c *Config) runMixedIptablesInstructions(ctx context.Context, instructions []string) error {
+	for _, instruction := range instructions {
+		if err := c.runMixedIptablesInstruction(ctx, instruction); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *Config) runMixedIptablesInstruction(ctx context.Context, instruction string) error {
+	if err := c.runIptablesInstruction(ctx, instruction); err != nil {
+		return err
+	}
+	return c.runIP6tablesInstruction(ctx, instruction)
+}
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"errors"
@@ -26,18 +26,10 @@ type chainRule struct {
 	inputInterface  string       // input interface, for example "tun0" or "*""
 	outputInterface string       // output interface, for example "eth0" or "*""
 	source          netip.Prefix // source IP CIDR, for example 0.0.0.0/0. Must be valid.
-	sourcePort      uint16       // Not specified if set to zero.
 	destination     netip.Prefix // destination IP CIDR, for example 0.0.0.0/0. Must be valid.
 	destinationPort uint16       // Not specified if set to zero.
 	redirPorts      []uint16     // Not specified if empty.
 	ctstate         []string     // for example ["RELATED","ESTABLISHED"]. Can be empty.
-	tcpFlags        tcpFlags
-	mark            mark
-}
-
-type mark struct {
-	invert bool
-	value  uint
 }

 var ErrChainListMalformed = errors.New("iptables chain list output is malformed")
@@ -249,23 +241,19 @@ func parseChainRuleField(fieldIndex int, field string, rule *chainRule) (err err
 }

 func parseChainRuleOptionalFields(optionalFields []string, rule *chainRule) (err error) {
-	i := 0
-	for i < len(optionalFields) {
-		switch optionalFields[i] {
-		case "udp":
+	for i := 0; i < len(optionalFields); i++ {
+		key := optionalFields[i]
+		switch key {
+		case "tcp", "udp":
 			i++
-			consumed, err := parseUDPOptional(optionalFields[i:], rule)
+			value := optionalFields[i]
+			value = strings.TrimPrefix(value, "dpt:")
+			const base, bitLength = 10, 16
+			destinationPort, err := strconv.ParseUint(value, base, bitLength)
 			if err != nil {
-				return fmt.Errorf("parsing UDP optional fields: %w", err)
+				return fmt.Errorf("parsing destination port %q: %w", value, err)
 			}
-			i += consumed
-		case "tcp":
-			i++
-			consumed, err := parseTCPOptional(optionalFields[i:], rule)
-			if err != nil {
-				return fmt.Errorf("parsing TCP optional fields: %w", err)
-			}
-			i += consumed
+			rule.destinationPort = uint16(destinationPort)
 		case "redir":
 			i++
 			switch optionalFields[i] {
@@ -276,136 +264,20 @@ func parseChainRuleOptionalFields(optionalFields []string, rule *chainRule) (err
 					return fmt.Errorf("parsing redirection ports: %w", err)
 				}
 				rule.redirPorts = ports
-				i++
 			default:
-				return fmt.Errorf("%w: unexpected %q after redir",
-					ErrChainRuleMalformed, optionalFields[1])
+				return fmt.Errorf("%w: unexpected optional field: %s",
+					ErrChainRuleMalformed, optionalFields[i])
 			}
 		case "ctstate":
 			i++
 			rule.ctstate = strings.Split(optionalFields[i], ",")
-			i++
-		case "mark":
-			i++
-			mark, consumed, err := parseMark(optionalFields[i:])
-			if err != nil {
-				return fmt.Errorf("parsing mark: %w", err)
-			}
-			rule.mark = mark
-			i += consumed
 		default:
-			return fmt.Errorf("%w: unexpected optional field: %s",
-				ErrChainRuleMalformed, optionalFields[i])
+			return fmt.Errorf("%w: unexpected optional field: %s", ErrChainRuleMalformed, key)
 		}
 	}
 	return nil
 }

-var errUDPOptionalUnknown = errors.New("unknown UDP optional field")
-
-func parseUDPOptional(optionalFields []string, rule *chainRule) (consumed int, err error) {
-	for _, value := range optionalFields {
-		if !strings.ContainsRune(value, ':') {
-			// no longer a UDP-associated option
-			return consumed, nil
-		}
-		switch {
-		case strings.HasPrefix(value, "dpt:"):
-			rule.destinationPort, err = parseDestinationPort(value)
-			if err != nil {
-				return 0, fmt.Errorf("parsing destination port: %w", err)
-			}
-			consumed++
-		case strings.HasPrefix(value, "spt:"):
-			rule.sourcePort, err = parseSourcePort(value)
-			if err != nil {
-				return 0, fmt.Errorf("parsing source port: %w", err)
-			}
-			consumed++
-		default:
-			return 0, fmt.Errorf("%w: %s", errUDPOptionalUnknown, value)
-		}
-	}
-	return consumed, nil
-}
-
-var errTCPOptionalUnknown = errors.New("unknown TCP optional field")
-
-func parseTCPOptional(optionalFields []string, rule *chainRule) (consumed int, err error) {
-	for _, value := range optionalFields {
-		if !strings.ContainsRune(value, ':') {
-			// no longer a TCP-associated option
-			return consumed, nil
-		}
-		switch {
-		case strings.HasPrefix(value, "dpt:"):
-			rule.destinationPort, err = parseDestinationPort(value)
-			if err != nil {
-				return 0, fmt.Errorf("parsing destination port: %w", err)
-			}
-			consumed++
-		case strings.HasPrefix(value, "spt:"):
-			rule.sourcePort, err = parseSourcePort(value)
-			if err != nil {
-				return 0, fmt.Errorf("parsing source port: %w", err)
-			}
-			consumed++
-		case strings.HasPrefix(value, "flags:"):
-			rule.tcpFlags, err = parseTCPFlags(value)
-			if err != nil {
-				return 0, fmt.Errorf("parsing TCP flags: %w", err)
-			}
-			consumed++
-		default:
-			return 0, fmt.Errorf("%w: %s", errTCPOptionalUnknown, value)
-		}
-	}
-	return consumed, nil
-}
-
-func parseDestinationPort(value string) (port uint16, err error) {
-	value = strings.TrimPrefix(value, "dpt:")
-	return parsePort(value)
-}
-
-func parseSourcePort(value string) (port uint16, err error) {
-	value = strings.TrimPrefix(value, "spt:")
-	return parsePort(value)
-}
-
-var errTCPFlagsMalformed = errors.New("TCP flags are malformed")
-
-func parseTCPFlags(value string) (tcpFlags, error) {
-	value = strings.TrimPrefix(value, "flags:")
-	fields := strings.Split(value, "/")
-	const expectedFields = 2
-	if len(fields) != expectedFields {
-		return tcpFlags{}, fmt.Errorf("%w: expected format 'flags:<mask>/<comparison>' in %q",
-			errTCPFlagsMalformed, value)
-	}
-	maskFlags := strings.Split(fields[0], ",")
-	mask := make([]tcpFlag, len(maskFlags))
-	var err error
-	for i, maskFlag := range maskFlags {
-		mask[i], err = parseTCPFlag(maskFlag)
-		if err != nil {
-			return tcpFlags{}, fmt.Errorf("parsing TCP mask flags: %w", err)
-		}
-	}
-	comparisonFlags := strings.Split(fields[1], ",")
-	comparison := make([]tcpFlag, len(comparisonFlags))
-	for i, comparisonFlag := range comparisonFlags {
-		comparison[i], err = parseTCPFlag(comparisonFlag)
-		if err != nil {
-			return tcpFlags{}, fmt.Errorf("parsing TCP comparison flags: %w", err)
-		}
-	}
-	return tcpFlags{
-		mask:       mask,
-		comparison: comparison,
-	}, nil
-}
-
 func parsePortsCSV(s string) (ports []uint16, err error) {
 	if s == "" {
 		return nil, nil
@@ -414,40 +286,16 @@ func parsePortsCSV(s string) (ports []uint16, err error) {
 	fields := strings.Split(s, ",")
 	ports = make([]uint16, len(fields))
 	for i, field := range fields {
-		ports[i], err = parsePort(field)
+		const base, bitLength = 10, 16
+		port, err := strconv.ParseUint(field, base, bitLength)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("parsing port %q: %w", field, err)
 		}
+		ports[i] = uint16(port)
 	}
 	return ports, nil
 }

-var errMarkValueMalformed = errors.New("mark value is malformed")
-
-func parseMark(optionalFields []string) (m mark, consumed int, err error) {
-	switch optionalFields[consumed] {
-	case "match":
-		consumed++
-		if optionalFields[consumed] == "!" {
-			m.invert = true
-			consumed++
-		}
-
-		const base = 0 // auto-detect
-		const bits = 32
-		value, err := strconv.ParseUint(optionalFields[consumed], base, bits)
-		if err != nil {
-			return mark{}, 0, fmt.Errorf("%w: %s", errMarkValueMalformed, optionalFields[consumed])
-		}
-		m.value = uint(value)
-		consumed++
-	default:
-		return mark{}, 0, fmt.Errorf("%w: unexpected mark mode field: %s",
-			ErrChainRuleMalformed, optionalFields[consumed])
-	}
-	return m, consumed, nil
-}
-
 var ErrLineNumberIsZero = errors.New("line number is zero")

 func parseLineNumber(s string) (n uint16, err error) {
@@ -475,12 +323,12 @@ var ErrProtocolUnknown = errors.New("unknown protocol")

 func parseProtocol(s string) (protocol string, err error) {
 	switch s {
-	case "0", "all":
-	case "1", "icmp":
+	case "0":
+	case "1":
 		protocol = "icmp"
-	case "6", "tcp":
+	case "6":
 		protocol = "tcp"
-	case "17", "udp":
+	case "17":
 		protocol = "udp"
 	default:
 		return "", fmt.Errorf("%w: %s", ErrProtocolUnknown, s)
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"net/netip"
@@ -58,7 +58,6 @@ num pkts bytes target     prot opt in     out     source               destinati
 2   0     0 ACCEPT     6    --  tun0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:55405
 3   0     0 ACCEPT     1    --  tun0   *       0.0.0.0/0            0.0.0.0/0
 4   0     0 DROP       0    --  tun0   *       1.2.3.4              0.0.0.0/0
-5   0     0 ACCEPT     all  --  tun0   *       1.2.3.4              0.0.0.0/0
 `,
 			table: chain{
 				name:    "INPUT",
@@ -112,17 +111,6 @@ num pkts bytes target     prot opt in     out     source               destinati
 						source:          netip.MustParsePrefix("1.2.3.4/32"),
 						destination:     netip.MustParsePrefix("0.0.0.0/0"),
 					},
-					{
-						lineNumber:      5,
-						packets:         0,
-						bytes:           0,
-						target:          "ACCEPT",
-						protocol:        "",
-						inputInterface:  "tun0",
-						outputInterface: "*",
-						source:          netip.MustParsePrefix("1.2.3.4/32"),
-						destination:     netip.MustParsePrefix("0.0.0.0/0"),
-					},
 				},
 			},
 		},
@@ -1,3 +1,3 @@
-package iptables
+package firewall

 //go:generate mockgen -destination=mocks_test.go -package $GOPACKAGE . CmdRunner,Logger
@@ -1,8 +1,8 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/qdm12/gluetun/internal/firewall/iptables (interfaces: CmdRunner,Logger)
+// Source: github.com/qdm12/gluetun/internal/firewall (interfaces: CmdRunner,Logger)

-// Package iptables is a generated GoMock package.
-package iptables
+// Package firewall is a generated GoMock package.
+package firewall

 import (
 	exec "os/exec"
@@ -1,99 +0,0 @@
-package nftables
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/google/nftables"
-)
-
-// SaveAndRestore saves the current nftables tree and returns a restore function that
-// can be called to restore the saved tree.
-func (f *Firewall) SaveAndRestore(_ context.Context) (restore func(context.Context), err error) {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()
-
-	conn, err := nftables.New()
-	if err != nil {
-		return nil, fmt.Errorf("creating nftables connection: %w", err)
-	}
-	tables, err := saveTables(conn)
-	if err != nil {
-		return nil, fmt.Errorf("saving nftables state: %w", err)
-	}
-	return func(_ context.Context) {
-		conn, err := nftables.New()
-		if err != nil {
-			f.logger.Warnf("creating nftables connection for restore: %s", err)
-			return
-		}
-		err = restoreTables(conn, tables)
-		if err != nil {
-			f.logger.Warnf("restoring nftables state: %s", err)
-		}
-	}, nil
-}
-
-type savedTable struct {
-	table  *nftables.Table
-	chains []savedChain
-}
-
-type savedChain struct {
-	chain *nftables.Chain
-	rules []*nftables.Rule
-}
-
-func saveTables(conn *nftables.Conn) ([]savedTable, error) {
-	tables, err := conn.ListTables()
-	if err != nil {
-		return nil, err
-	}
-
-	savedTables := make([]savedTable, len(tables))
-	for i, table := range tables {
-		savedTables[i].table = table
-
-		chains, err := conn.ListChains()
-		if err != nil {
-			return nil, err
-		}
-
-		for _, chain := range chains {
-			if chain.Table.Name != table.Name ||
-				chain.Table.Family != table.Family {
-				continue
-			}
-			rules, err := conn.GetRules(table, chain)
-			if err != nil {
-				return nil, fmt.Errorf("getting rules for chain %s in table %s: %w", chain.Name, table.Name, err)
-			}
-			savedChain := savedChain{chain: chain, rules: rules}
-			savedTables[i].chains = append(savedTables[i].chains, savedChain)
-		}
-	}
-
-	return savedTables, nil
-}
-
-func restoreTables(conn *nftables.Conn, savedTables []savedTable) error {
-	conn.FlushRuleset()
-
-	for _, savedTable := range savedTables {
-		table := conn.AddTable(savedTable.table)
-		for _, savedChain := range savedTable.chains {
-			// Make the [nftables.Chain.Table] points to the new [nftables.Table]
-			// created in this connection.
-			savedChain.chain.Table = table
-			savedChain.chain = conn.AddChain(savedChain.chain)
-
-			for _, rule := range savedChain.rules {
-				rule.Table = table
-				rule.Chain = savedChain.chain
-				conn.AddRule(rule)
-			}
-		}
-	}
-
-	return conn.Flush()
-}
@@ -1,50 +0,0 @@
-package nftables
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/google/nftables"
-)
-
-var ErrPolicyUnknown = errors.New("unknown policy")
-
-// SetBaseChainsPolicy sets the policy of all the base chains (INPUT, FORWARD, or OUTPUT)
-// for the filter table to the given policy (accept or drop).
-func (f *Firewall) SetBaseChainsPolicy(_ context.Context, policy string) error {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()
-
-	var chainPolicy nftables.ChainPolicy
-	switch strings.ToLower(policy) {
-	case "accept":
-		chainPolicy = nftables.ChainPolicyAccept
-	case "drop":
-		chainPolicy = nftables.ChainPolicyDrop
-	default:
-		return fmt.Errorf("%w: %s", ErrPolicyUnknown, policy)
-	}
-
-	conn, err := nftables.New()
-	if err != nil {
-		return fmt.Errorf("creating nftables connection: %w", err)
-	}
-
-	_, inputChain, forwardChain, outputChain := setupFilterWithBaseChains(conn)
-	inputChain.Policy = &chainPolicy
-	forwardChain.Policy = &chainPolicy
-	outputChain.Policy = &chainPolicy
-
-	conn.AddChain(inputChain)
-	conn.AddChain(forwardChain)
-	conn.AddChain(outputChain)
-
-	err = conn.Flush()
-	if err != nil {
-		return fmt.Errorf("flushing nftables changes: %w", err)
-	}
-
-	return nil
-}
@@ -1,61 +0,0 @@
-package nftables
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-)
-
-func (f *Firewall) AcceptEstablishedRelatedTraffic(_ context.Context) error {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()
-
-	conn, err := nftables.New()
-	if err != nil {
-		return fmt.Errorf("creating nftables connection: %w", err)
-	}
-
-	table, inputChain, _, outputChain := setupFilterWithBaseChains(conn)
-
-	ctStateExprs := []expr.Any{
-		&expr.Ct{
-			Key:      expr.CtKeySTATE,
-			Register: 1,
-		},
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            4, //nolint:mnd
-			Mask:           []byte{byte(expr.CtStateBitESTABLISHED | expr.CtStateBitRELATED), 0x00, 0x00, 0x00},
-			Xor:            []byte{0x00, 0x00, 0x00, 0x00},
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: 1,
-			Data:     []byte{0x00, 0x00, 0x00, 0x00},
-		},
-		&expr.Verdict{
-			Kind: expr.VerdictAccept,
-		},
-	}
-
-	conn.AddRule(&nftables.Rule{
-		Table: table,
-		Chain: inputChain,
-		Exprs: ctStateExprs,
-	})
-
-	conn.AddRule(&nftables.Rule{
-		Table: table,
-		Chain: outputChain,
-		Exprs: ctStateExprs,
-	})
-
-	if err := conn.Flush(); err != nil {
-		return fmt.Errorf("flushing: %w", err)
-	}
-
-	return nil
-}
@@ -1,27 +0,0 @@
-package nftables
-
-import (
-	"errors"
-	"fmt"
-	"reflect"
-
-	"github.com/google/nftables"
-)
-
-var errRuleToDeleteNotFound = errors.New("rule not found for removal")
-
-func (f *Firewall) deleteRule(conn *nftables.Conn, rule *nftables.Rule) error {
-	for i, existing := range f.rules {
-		if !reflect.DeepEqual(existing, rule) {
-			continue
-		}
-		err := conn.DelRule(existing)
-		if err != nil {
-			return fmt.Errorf("deleting rule: %w", err)
-		}
-		f.rules[i], f.rules[len(f.rules)-1] = f.rules[len(f.rules)-1], f.rules[i]
-		f.rules = f.rules[:len(f.rules)-1]
-		return nil
-	}
-	return fmt.Errorf("%w: %#v", errRuleToDeleteNotFound, rule)
-}
@@ -1,38 +0,0 @@
-package nftables
-
-import "github.com/google/nftables"
-
-func setupFilterWithBaseChains(conn *nftables.Conn) (table *nftables.Table,
-	inputChain, forwardChain, outputChain *nftables.Chain,
-) {
-	table = conn.AddTable(&nftables.Table{
-		Family: nftables.TableFamilyINet,
-		Name:   "filter",
-	})
-
-	inputChain = conn.AddChain(&nftables.Chain{
-		Name:     "input",
-		Table:    table,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookInput,
-		Priority: nftables.ChainPriorityFilter,
-	})
-
-	forwardChain = conn.AddChain(&nftables.Chain{
-		Name:     "forward",
-		Table:    table,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookForward,
-		Priority: nftables.ChainPriorityFilter,
-	})
-
-	outputChain = conn.AddChain(&nftables.Chain{
-		Name:     "output",
-		Table:    table,
-		Type:     nftables.ChainTypeFilter,
-		Hooknum:  nftables.ChainHookOutput,
-		Priority: nftables.ChainPriorityFilter,
-	})
-
-	return table, inputChain, forwardChain, outputChain
-}
@@ -1,22 +0,0 @@
-package nftables
-
-import (
-	"sync"
-
-	"github.com/google/nftables"
-)
-
-type Firewall struct {
-	logger Logger
-
-	// rules are only rules added and tracked for later removal.
-	// Not all rules added are tracked for removal.
-	rules []*nftables.Rule
-	mutex sync.Mutex
-}
-
-func New(logger Logger) *Firewall {
-	return &Firewall{
-		logger: logger,
-	}
-}
@@ -1,170 +0,0 @@
-package nftables
-
-import (
-	"context"
-	"fmt"
-	"net/netip"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-)
-
-func (f *Firewall) AcceptInputThroughInterface(_ context.Context, intf string) error {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()
-
-	conn, err := nftables.New()
-	if err != nil {
-		return fmt.Errorf("creating nftables connection: %w", err)
-	}
-
-	table, inputChain, _, _ := setupFilterWithBaseChains(conn)
-
-	rule := &nftables.Rule{
-		Table: table,
-		Chain: inputChain,
-		Exprs: []expr.Any{
-			&expr.Meta{
-				Key:      expr.MetaKeyIIFNAME,
-				Register: 1,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     []byte(intf + "\x00"),
-			},
-			&expr.Verdict{
-				Kind: expr.VerdictAccept,
-			},
-		},
-	}
-
-	conn.AddRule(rule)
-
-	err = conn.Flush()
-	if err != nil {
-		return fmt.Errorf("flushing: %w", err)
-	}
-
-	return nil
-}
-
-// AcceptInputToPort accepts incoming traffic on the specified port, for both TCP and UDP
-// protocols, on the interface intf. If intf is empty or "*", the interface is not used as a filter.
-// If remove is true, the rule is removed instead of added. This is used for port forwarding, with
-// intf set to the VPN tunnel interface.
-func (f *Firewall) AcceptInputToPort(_ context.Context, intf string, port uint16, remove bool) error {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()
-
-	conn, err := nftables.New()
-	if err != nil {
-		return fmt.Errorf("creating nftables connection: %w", err)
-	}
-
-	table, inputChain, _, _ := setupFilterWithBaseChains(conn)
-	portBytes := []byte{byte(port >> 8), byte(port)} //nolint:mnd
-	const tcp, udp uint8 = 6, 17
-	protocols := []uint8{tcp, udp}
-
-	for _, protocol := range protocols {
-		const maxExprsLen = 7
-		exprs := make([]expr.Any, 0, maxExprsLen)
-		if intf != "" && intf != "*" {
-			exprs = append(exprs,
-				&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-				&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte(intf + "\x00")},
-			)
-		}
-		exprs = append(exprs,
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 9, Len: 1}, //nolint:mnd
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{protocol}},
-			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2}, //nolint:mnd
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: portBytes},
-			&expr.Verdict{Kind: expr.VerdictAccept},
-		)
-
-		rule := &nftables.Rule{
-			Table: table,
-			Chain: inputChain,
-			Exprs: exprs,
-		}
-
-		if !remove {
-			conn.AddRule(rule)
-			f.rules = append(f.rules, rule)
-			continue
-		}
-		err = f.deleteRule(conn, rule)
-		if err != nil {
-			return fmt.Errorf("deleting rule: %w", err)
-		}
-	}
-
-	err = conn.Flush()
-	if err != nil {
-		f.rules = f.rules[:len(f.rules)-len(protocols)]
-		return fmt.Errorf("flushing: %w", err)
-	}
-
-	return nil
-}
-
-func (f *Firewall) AcceptInputToSubnet(_ context.Context, intf string, subnet netip.Prefix) error {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()
-
-	conn, err := nftables.New()
-	if err != nil {
-		return fmt.Errorf("creating nftables connection: %w", err)
-	}
-
-	table, inputChain, _, _ := setupFilterWithBaseChains(conn)
-
-	const maxExprsLen = 5
-	exprs := make([]expr.Any, 0, maxExprsLen)
-
-	if intf != "" && intf != "*" {
-		exprs = append(exprs,
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte(intf + "\x00")},
-		)
-	}
-
-	var payloadOffset uint32
-	if subnet.Addr().Is4() {
-		payloadOffset = 16
-	} else {
-		payloadOffset = 24
-	}
-
-	exprs = append(exprs,
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       payloadOffset,
-			Len:          uint32(len(subnet.Addr().AsSlice())), //nolint:gosec
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     subnet.Addr().AsSlice(),
-		},
-		&expr.Verdict{Kind: expr.VerdictAccept},
-	)
-
-	rule := &nftables.Rule{
-		Table: table,
-		Chain: inputChain,
-		Exprs: exprs,
-	}
-
-	conn.AddRule(rule)
-
-	err = conn.Flush()
-	if err != nil {
-		return fmt.Errorf("flushing: %w", err)
-	}
-
-	return nil
-}
@@ -1,5 +0,0 @@
-package nftables
-
-type Logger interface {
-	Warnf(format string, args ...any)
-}
@@ -1,78 +0,0 @@
-package nftables
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-)
-
-func (f *Firewall) AcceptIpv6MulticastOutput(_ context.Context, intf string) error {
-	f.mutex.Lock()
-	defer f.mutex.Unlock()
-
-	conn, err := nftables.New()
-	if err != nil {
-		return fmt.Errorf("creating nftables connection: %w", err)
-	}
-
-	table, _, _, outputChain := setupFilterWithBaseChains(conn)
-
-	const maxExprsLen = 6
-	exprs := make([]expr.Any, 0, maxExprsLen)
-
-	if intf != "" && intf != "*" {
-		exprs = append(exprs,
-			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte(intf + "\x00")},
-		)
-	}
-
-	// ff02::1:ff00:0/104 mask is 13 bytes of 0xff
-	mask := []byte{
-		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-		0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,
-	} //nolint:mnd
-	addr := []byte{
-		0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-		0x00, 0x00, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00,
-	} //nolint:mnd
-
-	exprs = append(exprs,
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       24, // IPv6 Destination Address offset //nolint:mnd
-			Len:          16, //nolint:mnd
-		},
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            16, //nolint:mnd
-			Mask:           mask,
-			Xor:            []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, //nolint:mnd
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     addr,
-		},
-		&expr.Verdict{Kind: expr.VerdictAccept},
-	)
-
-	rule := &nftables.Rule{
-		Table: table,
-		Chain: outputChain,
-		Exprs: exprs,
-	}
-
-	conn.AddRule(rule)
-
-	err = conn.Flush()
-	if err != nil {
-		return fmt.Errorf("flushing: %w", err)
-	}
-
-	return nil
-}
@@ -1,12 +0,0 @@
-package nftables
-
-import "github.com/google/nftables"
-
-func IsSupported() bool {
-	conn, err := nftables.New()
-	if err != nil {
-		return false
-	}
-	_, err = conn.ListTable("filter")
-	return err == nil
-}
@@ -48,7 +48,7 @@ func (c *Config) removeOutboundSubnets(ctx context.Context, subnets []netip.Pref
 			}

 			firewallUpdated = true
-			err := c.impl.AcceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
+			err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
 				defaultRoute.AssignedIP, subNet, remove)
 			if err != nil {
 				c.logger.Error("cannot remove outdated outbound subnet: " + err.Error())
@@ -77,7 +77,7 @@ func (c *Config) addOutboundSubnets(ctx context.Context, subnets []netip.Prefix)
 			}

 			firewallUpdated = true
-			err := c.impl.AcceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
+			err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
 				defaultRoute.AssignedIP, subnet, remove)
 			if err != nil {
 				return err
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"errors"
@@ -18,13 +18,10 @@ type iptablesInstruction struct {
 	inputInterface  string       // for example "tun0" or "" for any interface.
 	outputInterface string       // for example "tun0" or "" for any interface.
 	source          netip.Prefix // if not valid, then it is unspecified.
-	sourcePort      uint16       // if zero, there is no source port
 	destination     netip.Prefix // if not valid, then it is unspecified.
 	destinationPort uint16       // if zero, there is no destination port
 	toPorts         []uint16     // if empty, there is no redirection
 	ctstate         []string     // if empty, there is no ctstate
-	tcpFlags        tcpFlags
-	mark            mark
 }

 func (i *iptablesInstruction) setDefaults() {
@@ -46,8 +43,6 @@ func (i *iptablesInstruction) equalToRule(table, chain string, rule chainRule) (
 		return false
 	case i.destinationPort != rule.destinationPort:
 		return false
-	case i.sourcePort != rule.sourcePort:
-		return false
 	case !slices.Equal(i.toPorts, rule.redirPorts):
 		return false
 	case !slices.Equal(i.ctstate, rule.ctstate):
@@ -60,11 +55,6 @@ func (i *iptablesInstruction) equalToRule(table, chain string, rule chainRule) (
 		return false
 	case !ipPrefixesEqual(i.destination, rule.destination):
 		return false
-	case !slices.Equal(i.tcpFlags.mask, rule.tcpFlags.mask) ||
-		!slices.Equal(i.tcpFlags.comparison, rule.tcpFlags.comparison):
-		return false
-	case i.mark != rule.mark:
-		return false
 	default:
 		return true
 	}
@@ -87,29 +77,26 @@ func parseIptablesInstruction(s string) (instruction iptablesInstruction, err er
 		return iptablesInstruction{}, fmt.Errorf("%w: empty instruction", ErrIptablesCommandMalformed)
 	}
 	fields := strings.Fields(s)
+	if len(fields)%2 != 0 {
+		return iptablesInstruction{}, fmt.Errorf("%w: fields count %d is not even: %q",
+			ErrIptablesCommandMalformed, len(fields), s)
+	}

-	i := 0
-	for i < len(fields) {
-		consumed, err := parseInstructionFlag(fields[i:], &instruction)
+	for i := 0; i < len(fields); i += 2 {
+		key := fields[i]
+		value := fields[i+1]
+		err = parseInstructionFlag(key, value, &instruction)
 		if err != nil {
 			return iptablesInstruction{}, fmt.Errorf("parsing %q: %w", s, err)
 		}
-		i += consumed
 	}

 	instruction.setDefaults()
 	return instruction, nil
 }

-func parseInstructionFlag(fields []string, instruction *iptablesInstruction) (consumed int, err error) {
-	consumed, err = preCheckInstructionFields(fields)
-	if err != nil {
-		return 0, err
-	}
-	flag := fields[0]
-	value := fields[1]
-
-	switch flag {
+func parseInstructionFlag(key, value string, instruction *iptablesInstruction) (err error) {
+	switch key {
 	case "-t", "--table":
 		instruction.table = value
 	case "-D", "--delete":
@@ -122,19 +109,7 @@ func parseInstructionFlag(fields []string, instruction *iptablesInstruction) (co
 		instruction.target = value
 	case "-p", "--protocol":
 		instruction.protocol = value
-	case "-m", "--match":
-		consumed, err = parseMatchModule(fields, instruction)
-		if err != nil {
-			return 0, fmt.Errorf("parsing match module: %w", err)
-		}
-	case "--mark":
-		const base = 0 // auto-detect
-		const bits = 32
-		value, err := strconv.ParseUint(value, base, bits)
-		if err != nil {
-			return 0, fmt.Errorf("parsing mark value %q: %w", fields[2], err)
-		}
-		instruction.mark.value = uint(value)
+	case "-m", "--match": // ignore match
 	case "-i", "--in-interface":
 		instruction.inputInterface = value
 	case "-o", "--out-interface":
@@ -142,61 +117,37 @@ func parseInstructionFlag(fields []string, instruction *iptablesInstruction) (co
 	case "-s", "--source":
 		instruction.source, err = parseIPPrefix(value)
 		if err != nil {
-			return 0, fmt.Errorf("parsing source IP CIDR: %w", err)
-		}
-	case "--sport":
-		instruction.sourcePort, err = parsePort(value)
-		if err != nil {
-			return 0, fmt.Errorf("parsing source port: %w", err)
+			return fmt.Errorf("parsing source IP CIDR: %w", err)
 		}
 	case "-d", "--destination":
 		instruction.destination, err = parseIPPrefix(value)
 		if err != nil {
-			return 0, fmt.Errorf("parsing destination IP CIDR: %w", err)
+			return fmt.Errorf("parsing destination IP CIDR: %w", err)
 		}
 	case "--dport":
-		instruction.destinationPort, err = parsePort(value)
+		const base, bitLength = 10, 16
+		destinationPort, err := strconv.ParseUint(value, base, bitLength)
 		if err != nil {
-			return 0, fmt.Errorf("parsing destination port: %w", err)
+			return fmt.Errorf("parsing destination port: %w", err)
 		}
+		instruction.destinationPort = uint16(destinationPort)
 	case "--ctstate":
 		instruction.ctstate = strings.Split(value, ",")
 	case "--to-ports":
-		instruction.toPorts, err = parseToPorts(value)
-		if err != nil {
-			return 0, fmt.Errorf("parsing port redirection: %w", err)
-		}
-	case "--tcp-flags":
-		mask, comparison := value, fields[2]
-		instruction.tcpFlags, err = parseTCPFlags(mask + "/" + comparison)
-		if err != nil {
-			return 0, fmt.Errorf("parsing TCP flags: %w", err)
+		portStrings := strings.Split(value, ",")
+		instruction.toPorts = make([]uint16, len(portStrings))
+		for i, portString := range portStrings {
+			const base, bitLength = 10, 16
+			port, err := strconv.ParseUint(portString, base, bitLength)
+			if err != nil {
+				return fmt.Errorf("parsing port redirection: %w", err)
+			}
+			instruction.toPorts[i] = uint16(port)
 		}
 	default:
-		return 0, fmt.Errorf("%w: unknown key %q", ErrIptablesCommandMalformed, flag)
-	}
-	return consumed, nil
-}
-
-func preCheckInstructionFields(fields []string) (consumed int, err error) {
-	flag := fields[0]
-	// All flags use one value after the flag, except the following:
-	switch flag {
-	case "--tcp-flags": // -m can have 1 or 2 values
-		const expected = 3
-		if len(fields) < expected {
-			return 0, fmt.Errorf("%w: flag %q requires at least 2 values, but got %s",
-				ErrIptablesCommandMalformed, flag, strings.Join(fields, " "))
-		}
-		return expected, nil
-	default:
-		const expected = 2
-		if len(fields) < expected {
-			return 0, fmt.Errorf("%w: flag %q requires a value, but got none",
-				ErrIptablesCommandMalformed, flag)
-		}
-		return expected, nil
+		return fmt.Errorf("%w: unknown key %q", ErrIptablesCommandMalformed, key)
 	}
+	return nil
 }

 func parseIPPrefix(value string) (prefix netip.Prefix, err error) {
@@ -211,52 +162,3 @@ func parseIPPrefix(value string) (prefix netip.Prefix, err error) {
 	}
 	return netip.PrefixFrom(ip, ip.BitLen()), nil
 }
-
-func parsePort(value string) (port uint16, err error) {
-	const base, bitLength = 10, 16
-	portValue, err := strconv.ParseUint(value, base, bitLength)
-	if err != nil {
-		return 0, err
-	}
-	return uint16(portValue), nil
-}
-
-func parseMatchModule(fields []string, instruction *iptablesInstruction) (
-	consumed int, err error,
-) {
-	_ = fields[consumed] // -m or --match flag already detected
-	consumed++
-	switch fields[consumed] {
-	case "tcp", "udp":
-		consumed++
-		// for now ignore the protocol match since it's auto-loaded
-		// when parsing the -p/--protocol flag, and we don't need to
-		// parse it twice.
-	case "mark":
-		consumed++
-		switch fields[consumed] {
-		case "!":
-			consumed++
-			instruction.mark.invert = true
-		default:
-			return consumed, fmt.Errorf("%w: unsupported match mark with value: %s",
-				ErrIptablesCommandMalformed, fields[2])
-		}
-	default:
-		return 0, fmt.Errorf("%w: unknown match value: %s",
-			ErrIptablesCommandMalformed, fields[consumed])
-	}
-	return consumed, nil
-}
-
-func parseToPorts(value string) (toPorts []uint16, err error) {
-	portStrings := strings.Split(value, ",")
-	toPorts = make([]uint16, len(portStrings))
-	for i, portString := range portStrings {
-		toPorts[i], err = parsePort(portString)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return toPorts, nil
-}
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"net/netip"
@@ -23,7 +23,7 @@ func Test_parseIptablesInstruction(t *testing.T) {
 		"uneven_fields": {
 			s:          "-A",
 			errWrapped: ErrIptablesCommandMalformed,
-			errMessage: "parsing \"-A\": iptables command is malformed: flag \"-A\" requires a value, but got none",
+			errMessage: "iptables command is malformed: fields count 1 is not even: \"-A\"",
 		},
 		"unknown_key": {
 			s:          "-x something",
@@ -35,7 +35,7 @@ func (c *Config) SetAllowedPort(ctx context.Context, port uint16, intf string) (
 	c.logger.Info("setting allowed input port " + fmt.Sprint(port) + " through interface " + intf + "...")

 	const remove = false
-	if err := c.impl.AcceptInputToPort(ctx, intf, port, remove); err != nil {
+	if err := c.acceptInputToPort(ctx, intf, port, remove); err != nil {
 		return fmt.Errorf("allowing input to port %d through interface %s: %w",
 			port, intf, err)
 	}
@@ -68,7 +68,7 @@ func (c *Config) RemoveAllowedPort(ctx context.Context, port uint16) (err error)

 	const remove = true
 	for netInterface := range interfacesSet {
-		err := c.impl.AcceptInputToPort(ctx, netInterface, port, remove)
+		err := c.acceptInputToPort(ctx, netInterface, port, remove)
 		if err != nil {
 			return fmt.Errorf("removing allowed port %d on interface %s: %w",
 				port, netInterface, err)
@@ -50,7 +50,7 @@ func (c *Config) RedirectPort(ctx context.Context, intf string, sourcePort,
 		return nil
 	case conflict != nil:
 		const remove = true
-		err = c.impl.RedirectPort(ctx, conflict.interfaceName, conflict.sourcePort,
+		err = c.redirectPort(ctx, conflict.interfaceName, conflict.sourcePort,
 			conflict.destinationPort, remove)
 		if err != nil {
 			return fmt.Errorf("removing conflicting redirection: %w", err)
@@ -60,7 +60,7 @@ func (c *Config) RedirectPort(ctx context.Context, intf string, sourcePort,
 	}

 	const remove = false
-	err = c.impl.RedirectPort(ctx, intf, sourcePort, destinationPort, remove)
+	err = c.redirectPort(ctx, intf, sourcePort, destinationPort, remove)
 	if err != nil {
 		return fmt.Errorf("redirecting port: %w", err)
 	}
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"context"
@@ -11,10 +11,10 @@ import (
 )

 var (
-	ErrNetAdminMissing     = errors.New("NET_ADMIN capability is missing")
-	ErrTestRuleCleanup     = errors.New("failed cleaning up test rule")
-	ErrInputPolicyNotFound = errors.New("input policy not found")
-	ErrNotSupported        = errors.New("no iptables supported found")
+	ErrNetAdminMissing      = errors.New("NET_ADMIN capability is missing")
+	ErrTestRuleCleanup      = errors.New("failed cleaning up test rule")
+	ErrInputPolicyNotFound  = errors.New("input policy not found")
+	ErrIPTablesNotSupported = errors.New("no iptables supported found")
 )

 func checkIptablesSupport(ctx context.Context, runner CmdRunner,
@@ -57,7 +57,7 @@ func checkIptablesSupport(ctx context.Context, runner CmdRunner,
 	}

 	return "", fmt.Errorf("%w: errors encountered are: %s",
-		ErrNotSupported, strings.Join(allUnsupportedMessages, "; "))
+		ErrIPTablesNotSupported, strings.Join(allUnsupportedMessages, "; "))
 }

 func testIptablesPath(ctx context.Context, path string,
@@ -1,4 +1,4 @@
-package iptables
+package firewall

 import (
 	"context"
@@ -101,7 +101,7 @@ func Test_checkIptablesSupport(t *testing.T) {
 				return runner
 			},
 			iptablesPathsToTry: []string{"path1", "path2"},
-			errSentinel:        ErrNotSupported,
+			errSentinel:        ErrIPTablesNotSupported,
 			errMessage: "no iptables supported found: " +
 				"errors encountered are: " +
 				"path1: output 1 (exit code 4); " +
@@ -28,7 +28,7 @@ func (c *Config) SetVPNConnection(ctx context.Context,
 	remove := true
 	if c.vpnConnection.IP.IsValid() {
 		for _, defaultRoute := range c.defaultRoutes {
-			if err := c.impl.AcceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, c.vpnConnection, remove); err != nil {
+			if err := c.acceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, c.vpnConnection, remove); err != nil {
 				c.logger.Error("cannot remove outdated VPN connection rule: " + err.Error())
 			}
 		}
@@ -36,7 +36,7 @@ func (c *Config) SetVPNConnection(ctx context.Context,
 	c.vpnConnection = models.Connection{}

 	if c.vpnIntf != "" {
-		if err = c.impl.AcceptOutputThroughInterface(ctx, c.vpnIntf, remove); err != nil {
+		if err = c.acceptOutputThroughInterface(ctx, c.vpnIntf, remove); err != nil {
 			c.logger.Error("cannot remove outdated VPN interface rule: " + err.Error())
 		}
 	}
@@ -45,13 +45,13 @@ func (c *Config) SetVPNConnection(ctx context.Context,
 	remove = false

 	for _, defaultRoute := range c.defaultRoutes {
-		if err := c.impl.AcceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, connection, remove); err != nil {
+		if err := c.acceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, connection, remove); err != nil {
 			return fmt.Errorf("allowing output traffic through VPN connection: %w", err)
 		}
 	}
 	c.vpnConnection = connection

-	if err = c.impl.AcceptOutputThroughInterface(ctx, vpnIntf, remove); err != nil {
+	if err = c.acceptOutputThroughInterface(ctx, vpnIntf, remove); err != nil {
 		return fmt.Errorf("accepting output traffic through interface %s: %w", vpnIntf, err)
 	}
 	c.vpnIntf = vpnIntf
@@ -1,21 +0,0 @@
-package firewall
-
-import (
-	"context"
-	"net/netip"
-)
-
-func (c *Config) Version(ctx context.Context) (version string, err error) {
-	return c.impl.Version(ctx)
-}
-
-// TempDropOutputTCPRST temporarily drops outgoing TCP RST packets to the specified address and port,
-// for any TCP packets not marked with the excludeMark given.
-// This is necessary for TCP path MTU discovery to work, as the kernel will try to terminate the connection
-// by sending a TCP RST packet, although we want to handle the connection manually.
-func (c *Config) TempDropOutputTCPRST(ctx context.Context,
-	src, dst netip.AddrPort, excludeMark int) (
-	revert func(ctx context.Context) error, err error,
-) {
-	return c.impl.TempDropOutputTCPRST(ctx, src, dst, excludeMark)
-}
@@ -1,362 +0,0 @@
-package healthcheck
-
-import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/qdm12/gluetun/internal/healthcheck/dns"
-	"github.com/qdm12/gluetun/internal/healthcheck/icmp"
-)
-
-type Checker struct {
-	tlsDialAddrs   []string
-	dialer         *net.Dialer
-	echoer         *icmp.Echoer
-	dnsClient      *dns.Client
-	logger         Logger
-	icmpTargetIPs  []netip.Addr
-	smallCheckType string
-	startupOnFail  bool
-	configMutex    sync.Mutex
-
-	icmpNotPermitted *bool
-
-	// Internal periodic service signals
-	stop context.CancelFunc
-	done <-chan struct{}
-}
-
-func NewChecker(logger Logger) *Checker {
-	return &Checker{
-		dialer: &net.Dialer{
-			Resolver: &net.Resolver{
-				PreferGo: true,
-			},
-		},
-		echoer:    icmp.NewEchoer(logger),
-		dnsClient: dns.New(),
-		logger:    logger,
-	}
-}
-
-// SetConfig sets the following:
-// - TCP+TLS dial addresses
-// - ICMP echo IP addresses to target
-// - the desired small check type (dns or icmp)
-// - whether to startup the periodic checks if the startup check fails.
-// This function MUST be called before calling [Checker.Start].
-func (c *Checker) SetConfig(tlsDialAddrs []string, icmpTargets []netip.Addr,
-	smallCheckType string, startupOnFail bool,
-) {
-	c.configMutex.Lock()
-	defer c.configMutex.Unlock()
-	c.tlsDialAddrs = tlsDialAddrs
-	c.icmpTargetIPs = icmpTargets
-	c.smallCheckType = smallCheckType
-	c.startupOnFail = startupOnFail
-}
-
-// Start starts the [Checker] which behaves differently according to its
-// internal field startupOnFail, which is set by calling [Checker.SetConfig].
-//
-// By default, startupOnFail should be false and the behavior is as follows:
-// A blocking 6s-timed TCP+TLS check is performed first. If it fails,
-// an error is returned and the [Checker] is not started.
-// On success, it starts the periodic checks in a separate goroutine, returning
-// the runError error channel and a nil error.
-//
-// If startupOnFail is true, the behavior is as follows:
-// A blocking 6s-timed TCP+TLS check is performed first. If it fails,
-// the error is sent to the runError channel, but no error is returned
-// and the [Checker] continues to start the periodic checks in a separate goroutine, returning
-// the runError error channel and a nil error.
-//
-// The periodic checks consist in:
-// - a "small" ICMP echo check every minute
-// - a "full" TCP+TLS check every 5 minutes
-//
-// The [Checker] has to be ultimately stopped by calling [Checker.Stop].
-func (c *Checker) Start(ctx context.Context) (runError <-chan error, err error) {
-	if len(c.tlsDialAddrs) == 0 || len(c.icmpTargetIPs) == 0 || c.smallCheckType == "" {
-		panic("call Checker.SetConfig with non empty values before Checker.Start")
-	}
-
-	if c.icmpNotPermitted != nil && *c.icmpNotPermitted {
-		// restore forced check type to dns if icmp was found to be not permitted
-		c.smallCheckType = smallCheckDNS
-	}
-	c.echoer.Reset()
-
-	// runErrorCh MUST be buffered in the case startupOnFail is true, and
-	// a startup error was encountered, to avoid blocking the startup
-	// goroutine when sending the error, especially since the caller may
-	// not be ready to receive from the channel yet.
-	runErrorCh := make(chan error, 1)
-	runError = runErrorCh
-	err = c.startupCheck(ctx)
-	if err != nil {
-		err = fmt.Errorf("startup check: %w", err)
-		if !c.startupOnFail {
-			return nil, err
-		}
-		runErrorCh <- err
-	}
-
-	ready := make(chan struct{})
-	ctx, cancel := context.WithCancel(context.Background())
-	c.stop = cancel
-	done := make(chan struct{})
-	c.done = done
-	const smallCheckPeriod = time.Minute
-	smallCheckTimer := time.NewTimer(smallCheckPeriod)
-	const fullCheckPeriod = 5 * time.Minute
-	fullCheckTimer := time.NewTimer(fullCheckPeriod)
-	go func() {
-		defer close(done)
-		close(ready)
-		for {
-			select {
-			case <-ctx.Done():
-				fullCheckTimer.Stop()
-				smallCheckTimer.Stop()
-				return
-			case <-smallCheckTimer.C:
-				err := c.smallPeriodicCheck(ctx)
-				if err != nil {
-					err = fmt.Errorf("small periodic check: %w", err)
-				}
-				select {
-				case <-ctx.Done():
-					continue
-				case runErrorCh <- err:
-				}
-				smallCheckTimer.Reset(smallCheckPeriod)
-			case <-fullCheckTimer.C:
-				err := c.fullPeriodicCheck(ctx)
-				if err != nil {
-					err = fmt.Errorf("full periodic check: %w", err)
-				}
-				select {
-				case <-ctx.Done():
-					continue
-				case runErrorCh <- err:
-				}
-				fullCheckTimer.Reset(fullCheckPeriod)
-			}
-		}
-	}()
-	<-ready
-	return runError, nil
-}
-
-func (c *Checker) Stop() error {
-	c.stop()
-	<-c.done
-	c.tlsDialAddrs = nil
-	c.icmpTargetIPs = nil
-	c.smallCheckType = ""
-	return nil
-}
-
-func (c *Checker) smallPeriodicCheck(ctx context.Context) error {
-	c.configMutex.Lock()
-	icmpTargetIPs := make([]netip.Addr, len(c.icmpTargetIPs))
-	copy(icmpTargetIPs, c.icmpTargetIPs)
-	c.configMutex.Unlock()
-	tryTimeouts := []time.Duration{
-		5 * time.Second,
-		5 * time.Second,
-		5 * time.Second,
-		10 * time.Second,
-		10 * time.Second,
-		10 * time.Second,
-		15 * time.Second,
-		15 * time.Second,
-		15 * time.Second,
-		30 * time.Second,
-	}
-	check := func(ctx context.Context, try int) error {
-		if c.smallCheckType == smallCheckDNS {
-			return c.dnsClient.Check(ctx)
-		}
-		ip := icmpTargetIPs[try%len(icmpTargetIPs)]
-		err := c.echoer.Echo(ctx, ip)
-		if c.icmpNotPermitted == nil && errors.Is(err, icmp.ErrNotPermitted) {
-			c.icmpNotPermitted = new(bool)
-			*c.icmpNotPermitted = true
-			c.smallCheckType = smallCheckDNS
-			c.logger.Infof("%s; permanently falling back to %s checks",
-				err, smallCheckTypeToString(c.smallCheckType))
-			return c.dnsClient.Check(ctx)
-		}
-		return err
-	}
-	return withRetries(ctx, tryTimeouts, c.logger, smallCheckTypeToString(c.smallCheckType), check)
-}
-
-func (c *Checker) fullPeriodicCheck(ctx context.Context) error {
-	// 20s timeout in case the connection is under stress
-	// See https://github.com/qdm12/gluetun/issues/2270
-	tryTimeouts := []time.Duration{10 * time.Second, 15 * time.Second, 30 * time.Second}
-	check := func(ctx context.Context, try int) error {
-		tlsDialAddr := c.tlsDialAddrs[try%len(c.tlsDialAddrs)]
-		return tcpTLSCheck(ctx, c.dialer, tlsDialAddr)
-	}
-	return withRetries(ctx, tryTimeouts, c.logger, "TCP+TLS dial", check)
-}
-
-func tcpTLSCheck(ctx context.Context, dialer *net.Dialer, targetAddress string) error {
-	// TODO use mullvad API if current provider is Mullvad
-
-	address, err := makeAddressToDial(targetAddress)
-	if err != nil {
-		return err
-	}
-
-	const dialNetwork = "tcp4"
-	connection, err := dialer.DialContext(ctx, dialNetwork, address)
-	if err != nil {
-		return fmt.Errorf("dialing: %w", err)
-	}
-
-	if strings.HasSuffix(address, ":443") {
-		host, _, err := net.SplitHostPort(address)
-		if err != nil {
-			return fmt.Errorf("splitting host and port: %w", err)
-		}
-		tlsConfig := &tls.Config{
-			MinVersion: tls.VersionTLS12,
-			ServerName: host,
-		}
-		tlsConnection := tls.Client(connection, tlsConfig)
-		err = tlsConnection.HandshakeContext(ctx)
-		if err != nil {
-			return fmt.Errorf("running TLS handshake: %w", err)
-		}
-	}
-
-	err = connection.Close()
-	if err != nil {
-		return fmt.Errorf("closing connection: %w", err)
-	}
-
-	return nil
-}
-
-func makeAddressToDial(address string) (addressToDial string, err error) {
-	host, port, err := net.SplitHostPort(address)
-	if err != nil {
-		addrErr := new(net.AddrError)
-		ok := errors.As(err, &addrErr)
-		if !ok || addrErr.Err != "missing port in address" {
-			return "", fmt.Errorf("splitting host and port from address: %w", err)
-		}
-		host = address
-		const defaultPort = "443"
-		port = defaultPort
-	}
-	address = net.JoinHostPort(host, port)
-	return address, nil
-}
-
-var ErrAllCheckTriesFailed = errors.New("all check tries failed")
-
-func withRetries(ctx context.Context, tryTimeouts []time.Duration,
-	logger Logger, checkName string, check func(ctx context.Context, try int) error,
-) error {
-	maxTries := len(tryTimeouts)
-	type errData struct {
-		err        error
-		durationMS int64
-	}
-	errs := make([]errData, maxTries)
-	for i, timeout := range tryTimeouts {
-		start := time.Now()
-		checkCtx, cancel := context.WithTimeout(ctx, timeout)
-		err := check(checkCtx, i)
-		cancel()
-		switch {
-		case err == nil:
-			return nil
-		case ctx.Err() != nil:
-			return fmt.Errorf("%s: %w", checkName, ctx.Err())
-		}
-		logger.Debugf("%s attempt %d/%d failed: %s", checkName, i+1, maxTries, err)
-		errs[i].err = err
-		errs[i].durationMS = time.Since(start).Round(time.Millisecond).Milliseconds()
-	}
-
-	errStrings := make([]string, len(errs))
-	for i, err := range errs {
-		errStrings[i] = fmt.Sprintf("attempt %d (%dms): %s", i+1, err.durationMS, err.err)
-	}
-	return fmt.Errorf("%w:\n\t%s", ErrAllCheckTriesFailed, strings.Join(errStrings, "\n\t"))
-}
-
-func (c *Checker) startupCheck(ctx context.Context) error {
-	// connection isn't under load yet when the checker starts, so a short
-	// 6 seconds timeout suffices and provides quick enough feedback that
-	// the new connection is not working. However, since the addresses to dial
-	// may be multiple, we run the check in parallel. If any succeeds, the check passes.
-	// This is to prevent false negatives at startup, if one of the addresses is down
-	// for external reasons.
-	const timeout = 6 * time.Second
-	ctx, cancel := context.WithTimeout(ctx, timeout)
-	defer cancel()
-	errCh := make(chan error)
-
-	for _, address := range c.tlsDialAddrs {
-		go func(addr string) {
-			err := tcpTLSCheck(ctx, c.dialer, addr)
-			errCh <- err
-		}(address)
-	}
-
-	errs := make([]error, 0, len(c.tlsDialAddrs))
-	success := false
-	for range c.tlsDialAddrs {
-		err := <-errCh
-		if err == nil {
-			success = true
-			cancel()
-			continue
-		} else if success {
-			continue // ignore canceled errors after success
-		}
-
-		c.logger.Debugf("startup check parallel attempt failed: %s", err)
-		errs = append(errs, err)
-	}
-	if success {
-		return nil
-	}
-
-	errStrings := make([]string, len(errs))
-	for i, err := range errs {
-		errStrings[i] = fmt.Sprintf("parallel attempt %d/%d failed: %s", i+1, len(errs), err)
-	}
-	return fmt.Errorf("%w: %s", ErrAllCheckTriesFailed, strings.Join(errStrings, ", "))
-}
-
-const (
-	smallCheckDNS  = "dns"
-	smallCheckICMP = "icmp"
-)
-
-func smallCheckTypeToString(smallCheckType string) string {
-	switch smallCheckType {
-	case smallCheckICMP:
-		return "ICMP echo"
-	case smallCheckDNS:
-		return "plain DNS over UDP"
-	default:
-		panic("unknown small check type: " + smallCheckType)
-	}
-}
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"time"
 )

 var ErrHTTPStatusNotOK = errors.New("HTTP response status is not OK")
@@ -22,9 +21,6 @@ func NewClient(httpClient *http.Client) *Client {
 }

 func (c *Client) Check(ctx context.Context, url string) error {
-	ctx, cancel := context.WithTimeout(ctx, time.Second)
-	defer cancel()
-
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return err
@@ -1,66 +0,0 @@
-package dns
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"net/netip"
-
-	"github.com/qdm12/dns/v2/pkg/provider"
-)
-
-// Client is a simple plaintext UDP DNS client, to be used for healthchecks.
-// Note the client connects to a DNS server only over UDP on port 53,
-// because we don't want to use DoT or DoH and impact the TCP connections
-// when running a healthcheck.
-type Client struct {
-	serverAddrs []netip.AddrPort
-	dnsIPIndex  int
-}
-
-func New() *Client {
-	return &Client{
-		serverAddrs: concatAddrPorts([][]netip.AddrPort{
-			provider.Cloudflare().Plain.IPv4,
-			provider.Google().Plain.IPv4,
-			provider.Quad9().Plain.IPv4,
-			provider.OpenDNS().Plain.IPv4,
-			provider.LibreDNS().Plain.IPv4,
-			provider.Quadrant().Plain.IPv4,
-			provider.CiraProtected().Plain.IPv4,
-		}),
-	}
-}
-
-func concatAddrPorts(addrs [][]netip.AddrPort) []netip.AddrPort {
-	var result []netip.AddrPort
-	for _, addrList := range addrs {
-		result = append(result, addrList...)
-	}
-	return result
-}
-
-var ErrLookupNoIPs = errors.New("no IPs found from DNS lookup")
-
-func (c *Client) Check(ctx context.Context) error {
-	dnsAddr := c.serverAddrs[c.dnsIPIndex].String()
-	resolver := &net.Resolver{
-		PreferGo: true,
-		Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
-			dialer := net.Dialer{}
-			return dialer.DialContext(ctx, "udp", dnsAddr)
-		},
-	}
-	ips, err := resolver.LookupIP(ctx, "ip", "github.com")
-	switch {
-	case err != nil:
-		c.dnsIPIndex = (c.dnsIPIndex + 1) % len(c.serverAddrs)
-		return fmt.Errorf("with DNS server %s: %w", dnsAddr, err)
-	case len(ips) == 0:
-		c.dnsIPIndex = (c.dnsIPIndex + 1) % len(c.serverAddrs)
-		return fmt.Errorf("with DNS server %s: %w", dnsAddr, ErrLookupNoIPs)
-	default:
-		return nil
-	}
-}
@@ -9,15 +9,13 @@ import (
 type handler struct {
 	healthErr   error
 	healthErrMu sync.RWMutex
-	logger      Logger
 }

 var errHealthcheckNotRunYet = errors.New("healthcheck did not run yet")

-func newHandler(logger Logger) *handler {
+func newHandler() *handler {
 	return &handler{
 		healthErr: errHealthcheckNotRunYet,
-		logger:    logger,
 	}
 }

@@ -0,0 +1,122 @@
+package healthcheck
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+)
+
+func (s *Server) runHealthcheckLoop(ctx context.Context, done chan<- struct{}) {
+	defer close(done)
+
+	timeoutIndex := 0
+	healthcheckTimeouts := []time.Duration{
+		2 * time.Second,
+		4 * time.Second,
+		6 * time.Second,
+		8 * time.Second,
+		// This can be useful when the connection is under stress
+		// See https://github.com/qdm12/gluetun/issues/2270
+		10 * time.Second,
+	}
+	s.vpn.healthyTimer = time.NewTimer(s.vpn.healthyWait)
+
+	for {
+		previousErr := s.handler.getErr()
+
+		timeout := healthcheckTimeouts[timeoutIndex]
+		healthcheckCtx, healthcheckCancel := context.WithTimeout(
+			ctx, timeout)
+		err := s.healthCheck(healthcheckCtx)
+		healthcheckCancel()
+
+		s.handler.setErr(err)
+
+		switch {
+		case previousErr != nil && err == nil: // First success
+			s.logger.Info("healthy!")
+			timeoutIndex = 0
+			s.vpn.healthyTimer.Stop()
+			s.vpn.healthyWait = *s.config.VPN.Initial
+		case previousErr == nil && err != nil: // First failure
+			s.logger.Debug("unhealthy: " + err.Error())
+			s.vpn.healthyTimer.Stop()
+			s.vpn.healthyTimer = time.NewTimer(s.vpn.healthyWait)
+		case previousErr != nil && err != nil: // Nth failure
+			if timeoutIndex < len(healthcheckTimeouts)-1 {
+				timeoutIndex++
+			}
+			select {
+			case <-s.vpn.healthyTimer.C:
+				timeoutIndex = 0 // retry next with the smallest timeout
+				s.onUnhealthyVPN(ctx, err.Error())
+			default:
+			}
+		case previousErr == nil && err == nil: // Nth success
+			timer := time.NewTimer(s.config.SuccessWait)
+			select {
+			case <-ctx.Done():
+				return
+			case <-timer.C:
+			}
+		}
+	}
+}
+
+func (s *Server) healthCheck(ctx context.Context) (err error) {
+	// TODO use mullvad API if current provider is Mullvad
+
+	address, err := makeAddressToDial(s.config.TargetAddress)
+	if err != nil {
+		return err
+	}
+
+	const dialNetwork = "tcp4"
+	connection, err := s.dialer.DialContext(ctx, dialNetwork, address)
+	if err != nil {
+		return fmt.Errorf("dialing: %w", err)
+	}
+
+	if strings.HasSuffix(address, ":443") {
+		host, _, err := net.SplitHostPort(address)
+		if err != nil {
+			return fmt.Errorf("splitting host and port: %w", err)
+		}
+		tlsConfig := &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			ServerName: host,
+		}
+		tlsConnection := tls.Client(connection, tlsConfig)
+		err = tlsConnection.HandshakeContext(ctx)
+		if err != nil {
+			return fmt.Errorf("running TLS handshake: %w", err)
+		}
+	}
+
+	err = connection.Close()
+	if err != nil {
+		return fmt.Errorf("closing connection: %w", err)
+	}
+
+	return nil
+}
+
+func makeAddressToDial(address string) (addressToDial string, err error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		addrErr := new(net.AddrError)
+		ok := errors.As(err, &addrErr)
+		if !ok || addrErr.Err != "missing port in address" {
+			return "", fmt.Errorf("splitting host and port from address: %w", err)
+		}
+		host = address
+		const defaultPort = "443"
+		port = defaultPort
+	}
+	address = net.JoinHostPort(host, port)
+	return address, nil
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Quentin McGaw	bb4e61f56c	fix(purevpn): update openvpn configuration - Credits to @mlapaj - Taken and verified from #2991	2025-12-24 03:18:02 +00:00
Quentin McGaw	c72971f4c7	fix(slickvpn/updater): only keep 11 servers hardcoded	2025-12-24 03:18:02 +00:00
Quentin McGaw	05e1fc3b4e	fix(vpnunlimited/updater): remove no longer valid hosts	2025-12-24 03:18:02 +00:00
Quentin McGaw	6ee28c51a6	fix(vpnsecure/updater): allow region and city to be set to N/A	2025-12-24 03:18:02 +00:00
Quentin McGaw	3f0e48575d	fix(dns): retry on next period the blocklists update after a failed update - Fix #3053	2025-12-24 03:18:02 +00:00
Quentin McGaw	cba6070300	fix(dns): prevent dns restart crash if `DOT=off` and `DNS_KEEP_NAMESERVER=off`	2025-11-24 16:43:24 +00:00
Quentin McGaw	7450424849	fix(wireguard): WIREGUARD_ENDPOINT_IP overrides the IP address of a picked connection - Regression introduced in v3.39.0 - Fix #2759	2025-11-19 13:20:47 +00:00
Matthew Bennett	16bc27bf9f	feat(expressvpn): update hardcoded servers data (#2888 )	2025-11-19 13:20:31 +00:00
Quentin McGaw	01e9274f7b	fix(proton): giving proton password is not mandatory	2025-11-18 21:26:53 +00:00
Quentin McGaw	daff23bfb3	feat(protonvpn): update servers data including paid data	2025-11-18 13:52:45 +00:00
Quentin McGaw	aa6d26e062	fix(protonvpn/updater): API authentification fix using email - `UPDATER_PROTONVPN_USERNAME` -> `UPDATER_PROTONVPN_EMAIL` - `-proton-username` -> `-proton-email` - fix authentication flow to use email or username when appropriate - fix #2985	2025-11-18 13:51:31 +00:00
Quentin McGaw	b2859d5a06	fix(storage): only log warning if flushing merged servers to file fails	2025-11-18 13:50:22 +00:00
Quentin McGaw	ad8b0657cb	fix(dns): fix panic when using DNS_KEEP_NAMESERVER	2025-11-18 13:49:27 +00:00
Quentin McGaw	c930a4e1be	fix(protonvpn): authenticated servers data updating (#2878 ) - `-proton-username` flag for cli update - `-proton-password` flag for cli update - `UPDATER_PROTONVPN_USERNAME` option for periodic updates - `UPDATER_PROTONVPN_PASSWORD` option for periodic updates	2025-11-15 17:11:12 +00:00
Quentin McGaw	22834e9477	fix(server/log): log out full URL path not just bottom request URI	2025-11-15 17:03:53 +00:00
Quentin McGaw	62c2679da2	fix(cyberghost): log warnings from updater resolver	2025-11-15 17:03:53 +00:00
Quentin McGaw	5e9ae9fa1f	fix(wireguard): specify IP family for new route (#2629 )	2025-11-15 17:03:53 +00:00
Quentin McGaw	0f19bcfebd	fix(port-forward): clear port file instead of removing it - Prevent port forwarding loop crash when trying to delete a directly bind mounted file - See https://github.com/qdm12/gluetun/issues/2942#issuecomment-3468510402	2025-11-15 17:03:53 +00:00
Quentin McGaw	83fc91d3c6	fix(publicip): respect PUBLICIP_ENABLED	2025-11-15 17:03:53 +00:00
mutschler	4adeec8223	fix(vpnunlimited): update certificate values (#2835 )	2025-11-15 17:03:53 +00:00
Quentin McGaw	64bfbaa45d	fix(cli): fix `openvpnconfig` command panic due to missing `SetDefaults` call	2025-11-15 17:03:53 +00:00