Merge branch 'master' into restrictednet

.github/ISSUE_TEMPLATE/bug.yml

@@ -56,7 +56,6 @@ body:
         - IVPN
         - Mullvad
         - NordVPN
-        - OVPN
         - Privado
         - Private Internet Access
         - PrivateVPN

.github/labels.yml

@@ -64,8 +64,6 @@
   color: "cfe8d4"
 - name: "☁️ NordVPN"
   color: "cfe8d4"
-- name: "☁️ OVPN"
-  color: "cfe8d4"
 - name: "☁️ Perfect Privacy"
   color: "cfe8d4"
 - name: "☁️ PIA"

.github/workflows/ci.yml

@@ -67,6 +67,10 @@ jobs:
           -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
           test-container
 
+      - name: Run integration tests in test container
+        run: |
+          docker run --rm --entrypoint go test-container test -tags=integration ./internal/restrictednet
+
       - name: Verify dev cross platform compatibility
         run: docker build --target xcompile .
 

AGENTS.md

@@ -50,6 +50,7 @@ Guidance for coding agents working in this repository.
 - Prefer splitting a code line only when it triggers the `lll` linter, do not split a command or arguments list for each element
 - Use `netip` types instead of `net` types whenever possible
 - Use constants instead of variables whenever possible, especially function-local inline constants.
+- Prefer using pure functions over methods when possible. Especially if the method does not need any fields from the receiving struct, it should be a pure function.
 - Do not use `time.Sleep`, prefer using a `time.Timer` with a `select` statement also listening on a context cancelation
 - `panic`:
   - should only be used when a programming error is encountered and you should NOT return errors for programming errors (such as passing nil objects)
@@ -115,6 +116,7 @@ Mocking works with the `go.uber.org/mock` library, and the `mockgen` tool.
   - **Never** use `.AnyTimes()` on mocks. Always define the number of times a certain mock call should be called, with `.Times(3)` for example.
   - **Always** set the `.Return(...)` on the mock if the function returns something.
   - Avoid using **mock helpers** functions, prefer a bit of repetition than tight coupling and dependency
+  - Always define the gomock controller `ctrl` in the subtest and not in the parent test, or a subtest mock failing will crash all the other subtests.
 
 ### main.go
 
@@ -127,6 +129,7 @@ The Go formatter used is gofumpt.
 ### Errors
 
 - Always prefer wrapping errors with some context with `fmt.Errorf("doing this: %w", err)`
+- Use `errors.New("error message")` when creating a 'bottom' constant string error without additional context, instead of `fmt.Errorf`
 - In rare cases, you can just use `return err` notably:
   - If the function is called **recursively**, since we don't wrap the wrapping multiple times for each recursion
   - If the current function only statement is the call to another function, for example:
@@ -179,6 +182,8 @@ The Go formatter used is gofumpt.
 
 - Do not use `http.DefaultClient`, use a custom `*http.Client` with a fixed timeout and share with dependency injections.
 - Do not check for injected dependencies being `nil`, prefer to just panic on a nil pointer. By default it's fine to panic if a developer injects a dependency `nil`. `nil` does not mean use a default.
+- Prefer using a `switch { case ...}` statement over multiple consecutive `if` statements to have shorter code.
+- Prefer using `[...]T` instead of `[]T` when the length is fixed and known at compile time, to avoid unnecessary allocations.
 
 ## Validation checklist
 

Dockerfile

@@ -186,14 +186,12 @@ ENV VPN_SERVICE_PROVIDER=pia \
     # # ProtonVPN only:
     SECURE_CORE_ONLY= \
     TOR_ONLY= \
-    # # Surfshark and ovpn only:
+    # # Surfshark only:
     MULTIHOP_ONLY= \
     # # VPN Secure only:
     PREMIUM_ONLY= \
     # # PIA and ProtonVPN only:
     PORT_FORWARD_ONLY= \
-    # # Ovpn only:
-    SERVER_DEDICATED=no \
     # Firewall
     FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT=on \
     FIREWALL_VPN_INPUT_PORTS= \

README.md

@@ -60,10 +60,10 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 ## Features
 
 - Based on Alpine 3.23 for a small Docker image of 43.1MB
-- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad** (Wireguard only), **NordVPN**, **Ovpn**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **Windscribe** servers
+- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad** (Wireguard only), **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **Windscribe** servers
 - Supports OpenVPN for all providers listed
 - Supports Wireguard both kernelspace and userspace
-  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Ovpn**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
+  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
   - For **Cyberghost**, **Private Internet Access**, **PrivateVPN**, **PureVPN**, **Torguard**, **VPN Unlimited** and **VyprVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
   - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
   - More in progress, see [#134](https://github.com/passteque/gluetun/issues/134)

go.mod

@@ -4,19 +4,18 @@ go 1.25.0
 
 require (
 	github.com/ProtonMail/go-srp v0.0.7
-	github.com/amnezia-vpn/amneziawg-go v0.2.18
+	github.com/amnezia-vpn/amneziawg-go v0.2.16
 	github.com/breml/rootcerts v0.3.4
 	github.com/fatih/color v1.18.0
 	github.com/golang/mock v1.6.0
 	github.com/jsimonetti/rtnetlink v1.4.2
 	github.com/klauspost/compress v1.18.4
 	github.com/klauspost/pgzip v1.2.6
-	github.com/mdlayher/genetlink v1.4.0
+	github.com/mdlayher/genetlink v1.3.2
 	github.com/mdlayher/netlink v1.9.0
-	github.com/miekg/dns v1.1.62
 	github.com/pelletier/go-toml/v2 v2.2.4
 	github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260421173011-9de8e7fdbe3a
-	github.com/qdm12/gluetun-servers v0.1.1-0.20260522005421-14277e92ce82
+	github.com/qdm12/gluetun-servers v0.1.0
 	github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978
 	github.com/qdm12/gosettings v0.4.4
 	github.com/qdm12/goshutdown v0.3.0
@@ -30,7 +29,7 @@ require (
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
 	golang.org/x/net v0.55.0
 	golang.org/x/sys v0.45.0
-	golang.org/x/text v0.38.0
+	golang.org/x/text v0.37.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	gopkg.in/ini.v1 v1.67.1
@@ -47,7 +46,8 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mdlayher/socket v0.6.0 // indirect
+	github.com/mdlayher/socket v0.5.1 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -58,9 +58,9 @@ require (
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
 	golang.org/x/crypto v0.51.0 // indirect
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
-	golang.org/x/mod v0.36.0 // indirect
-	golang.org/x/sync v0.21.0 // indirect
-	golang.org/x/tools v0.45.0 // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -6,8 +6,8 @@ github.com/ProtonMail/go-crypto v1.3.0-proton h1:tAQKQRZX/73VmzK6yHSCaRUOvS/3OYS
 github.com/ProtonMail/go-crypto v1.3.0-proton/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/ProtonMail/go-srp v0.0.7 h1:Sos3Qk+th4tQR64vsxGIxYpN3rdnG9Wf9K4ZloC1JrI=
 github.com/ProtonMail/go-srp v0.0.7/go.mod h1:giCp+7qRnMIcCvI6V6U3S1lDDXDQYx2ewJ6F/9wdlJk=
-github.com/amnezia-vpn/amneziawg-go v0.2.18 h1:pUn7/P8qdGmHd6JmE3bCQXPblZs3vruWR98nLODQLJg=
-github.com/amnezia-vpn/amneziawg-go v0.2.18/go.mod h1:aMgOk9MuX0xI7b5TKAYp8pLM54RlXcOPzDvYw3YEO5A=
+github.com/amnezia-vpn/amneziawg-go v0.2.16 h1:XY6HOq/xtqH8ZXMncRWkjFs85EKdN10NLNnw23kTpE0=
+github.com/amnezia-vpn/amneziawg-go v0.2.16/go.mod h1:nRkPpIzjCxMW8pZKXTRkpqAQVlmFJdVOGkeQSC7wbms=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/breml/rootcerts v0.3.4 h1:9i7WNl/ctd9OEAOaTfLy//Wrlfxq/tRQ7v4okYFN9Ys=
@@ -48,12 +48,12 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mdlayher/genetlink v1.4.0 h1:f/Xs7Y2T+GyX9b3dbiUhnLE9InGs5F9RxJ2JwBMl71o=
-github.com/mdlayher/genetlink v1.4.0/go.mod h1:d1hrKr8fwZU2JkcAtQUAzeTrI7nbgQSl+5k1cC0biSA=
+github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
+github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.9.0 h1:G8+GLq2x3v4D4MVIqDdNUhTUC7TKiCy/6MDkmItfKco=
 github.com/mdlayher/netlink v1.9.0/go.mod h1:YBnl5BXsCoRuwBjKKlZ+aYmEoq0r12FDA/3JC+94KDg=
-github.com/mdlayher/socket v0.6.0 h1:ScZPaAGyO1icQnbFrhPM8mnXyMu9qukC1K4ZoM2IQKU=
-github.com/mdlayher/socket v0.6.0/go.mod h1:q7vozUAnxSqnjHc12Fik5yUKIzfZ8ITCfMkhOtE9z18=
+github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
+github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
 github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
@@ -76,8 +76,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260421173011-9de8e7fdbe3a h1:TE157yPQmAbVruH0MWCQzs0vTT/6t96DkoWUXd6PVuc=
 github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260421173011-9de8e7fdbe3a/go.mod h1:98foWgXJZ+g8gJIuO+fdO+oWpFei5WShMFTeN4Im2lE=
-github.com/qdm12/gluetun-servers v0.1.1-0.20260522005421-14277e92ce82 h1:tE44IEW7o9yPQaO8HBeoO9RxtTTxqhboIypegrQlVt8=
-github.com/qdm12/gluetun-servers v0.1.1-0.20260522005421-14277e92ce82/go.mod h1:acttuyHyoFDu6GTbf3kAV+QXeiX8oJeh0MBic67/9z8=
+github.com/qdm12/gluetun-servers v0.1.0 h1:w9JLghKZwI0Gzpp9p5rNANgEYUUZ1dxdxsG6NKIojaY=
+github.com/qdm12/gluetun-servers v0.1.0/go.mod h1:acttuyHyoFDu6GTbf3kAV+QXeiX8oJeh0MBic67/9z8=
 github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978 h1:TRGpCU1l0lNwtogEUSs5U+RFceYxkAJUmrGabno7J5c=
 github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978/go.mod h1:D1Po4CRQLYjccnAR2JsVlN1sBMgQrcNLONbvyuzcdTg=
 github.com/qdm12/gosettings v0.4.4 h1:SM6tOZDf6k8qbjWU8KWyBF4mWIixfsKCfh9DGRLHlj4=
@@ -127,8 +127,8 @@ golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
-golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -142,8 +142,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
-golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -167,8 +167,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
-golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -176,8 +176,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
-golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/command/startnlog.go

@@ -36,7 +36,6 @@ func streamLines(done chan<- struct{}, logger Logger,
 		case line, ok := <-stdout:
 			if ok {
 				logger.Info(line)
-				break
 			}
 			if stderr == nil {
 				return
@@ -45,7 +44,6 @@ func streamLines(done chan<- struct{}, logger Logger,
 		case line, ok := <-stderr:
 			if ok {
 				logger.Error(line)
-				break
 			}
 			if stdout == nil {
 				return

internal/configuration/settings/openvpnselection.go

@@ -70,7 +70,7 @@ func (o OpenVPNSelection) validate(vpnProvider string) (err error) {
 		switch vpnProvider {
 		// no restriction on port
 		case providers.Custom, providers.Cyberghost, providers.HideMyAss,
-			providers.Ovpn, providers.Privatevpn, providers.Torguard:
+			providers.Privatevpn, providers.Torguard:
 		// no custom port allowed
 		case providers.Expressvpn, providers.Fastestvpn,
 			providers.Giganews, providers.Ipvanish,

internal/configuration/settings/provider.go

@@ -49,7 +49,6 @@ func (p *Provider) validate(vpnType string, filterChoicesGetter FilterChoicesGet
 			providers.Ivpn,
 			providers.Mullvad,
 			providers.Nordvpn,
-			providers.Ovpn,
 			providers.Protonvpn,
 			providers.Surfshark,
 			providers.Windscribe,

internal/configuration/settings/serverselection.go

@@ -63,9 +63,6 @@ type ServerSelection struct {
 	// TorOnly is true if VPN servers without tor should
 	// be filtered. This is used with ProtonVPN.
 	TorOnly *bool `json:"tor_only"`
-	// Dedicated is true if dedicated VPN servers should be chosen only.
-	// This is used with OVPN.
-	Dedicated *bool `json:"dedicated"`
 	// OpenVPN contains settings to select OpenVPN servers
 	// and the final connection.
 	OpenVPN OpenVPNSelection `json:"openvpn"`
@@ -275,8 +272,6 @@ func validateFeatureFilters(settings ServerSelection, vpnServiceProvider string)
 		return errors.New("secure core only filter is not supported")
 	case *settings.TorOnly && vpnServiceProvider != providers.Protonvpn:
 		return errors.New("tor only filter is not supported")
-	case *settings.Dedicated && vpnServiceProvider != providers.Ovpn:
-		return errors.New("dedicated filter is not supported")
 	default:
 		return nil
 	}
@@ -301,7 +296,6 @@ func (ss *ServerSelection) copy() (copied ServerSelection) {
 		TorOnly:         gosettings.CopyPointer(ss.TorOnly),
 		PortForwardOnly: gosettings.CopyPointer(ss.PortForwardOnly),
 		MultiHopOnly:    gosettings.CopyPointer(ss.MultiHopOnly),
-		Dedicated:       gosettings.CopyPointer(ss.Dedicated),
 		OpenVPN:         ss.OpenVPN.copy(),
 		Wireguard:       ss.Wireguard.copy(),
 	}
@@ -325,7 +319,6 @@ func (ss *ServerSelection) overrideWith(other ServerSelection) {
 	ss.TorOnly = gosettings.OverrideWithPointer(ss.TorOnly, other.TorOnly)
 	ss.MultiHopOnly = gosettings.OverrideWithPointer(ss.MultiHopOnly, other.MultiHopOnly)
 	ss.PortForwardOnly = gosettings.OverrideWithPointer(ss.PortForwardOnly, other.PortForwardOnly)
-	ss.Dedicated = gosettings.OverrideWithPointer(ss.Dedicated, other.Dedicated)
 	ss.OpenVPN.overrideWith(other.OpenVPN)
 	ss.Wireguard.overrideWith(other.Wireguard)
 }
@@ -342,7 +335,6 @@ func (ss *ServerSelection) setDefaults(vpnProvider string, portForwardingEnabled
 	defaultPortForwardOnly := portForwardingEnabled &&
 		helpers.IsOneOf(vpnProvider, providers.PrivateInternetAccess, providers.Protonvpn)
 	ss.PortForwardOnly = gosettings.DefaultPointer(ss.PortForwardOnly, defaultPortForwardOnly)
-	ss.Dedicated = gosettings.DefaultPointer(ss.Dedicated, false)
 	ss.OpenVPN.setDefaults(vpnProvider)
 	ss.Wireguard.setDefaults()
 }
@@ -418,10 +410,6 @@ func (ss ServerSelection) toLinesNode() (node *gotree.Node) {
 		node.Appendf("Multi-hop only servers: yes")
 	}
 
-	if *ss.Dedicated {
-		node.Appendf("Dedicated servers: yes")
-	}
-
 	if *ss.PortForwardOnly {
 		node.Appendf("Port forwarding only servers: yes")
 	}
@@ -513,12 +501,6 @@ func (ss *ServerSelection) read(r *reader.Reader,
 		return err
 	}
 
-	// Ovpn only
-	ss.Dedicated, err = r.BoolPtr("SERVER_DEDICATED")
-	if err != nil {
-		return err
-	}
-
 	err = ss.OpenVPN.read(r)
 	if err != nil {
 		return err

internal/configuration/settings/wireguardselection.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net/netip"
 
-	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
@@ -23,7 +22,7 @@ type WireguardSelection struct {
 	// It can never be the zero value in the internal state.
 	EndpointIP netip.Addr `json:"endpoint_ip"`
 	// EndpointPort is a the server port to use for the VPN server.
-	// It is optional for VPN providers IVPN, Mullvad, Ovpn, Surfshark
+	// It is optional for VPN providers IVPN, Mullvad, Surfshark
 	// and Windscribe, and compulsory for the others.
 	// When optional, it can be set to 0 to indicate not use
 	// a custom endpoint port. It cannot be nil in the internal
@@ -41,9 +40,8 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate EndpointIP
 	switch vpnProvider {
 	case providers.Airvpn, providers.Fastestvpn, providers.Ivpn,
-		providers.Mullvad, providers.Nordvpn, providers.Ovpn,
-		providers.Protonvpn, providers.Surfshark,
-		providers.Windscribe:
+		providers.Mullvad, providers.Nordvpn, providers.Protonvpn,
+		providers.Surfshark, providers.Windscribe:
 		// endpoint IP addresses are baked in
 	case providers.Custom:
 		if !w.EndpointIP.IsValid() || w.EndpointIP.IsUnspecified() {
@@ -65,16 +63,12 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 		if *w.EndpointPort != 0 {
 			return errors.New("endpoint port is set")
 		}
-	case providers.Airvpn, providers.Ivpn, providers.Mullvad,
-		providers.Ovpn, providers.Windscribe:
+	case providers.Airvpn, providers.Ivpn, providers.Mullvad, providers.Windscribe:
 		// EndpointPort is optional and can be 0
 		if *w.EndpointPort == 0 {
 			break // no custom endpoint port set
 		}
-		if helpers.IsOneOf(vpnProvider,
-			providers.Mullvad,
-			providers.Ovpn,
-		) {
+		if vpnProvider == providers.Mullvad {
 			break // no restriction on custom endpoint port value
 		}
 		var allowed []uint16
@@ -98,7 +92,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate PublicKey
 	switch vpnProvider {
 	case providers.Fastestvpn, providers.Ivpn, providers.Mullvad,
-		providers.Ovpn, providers.Surfshark, providers.Windscribe:
+		providers.Surfshark, providers.Windscribe:
 		// public keys are baked in
 	case providers.Custom:
 		if w.PublicKey == "" {

internal/constants/providers/providers.go

@@ -15,7 +15,6 @@ const (
 	Ivpn                  = "ivpn"
 	Mullvad               = "mullvad"
 	Nordvpn               = "nordvpn"
-	Ovpn                  = "ovpn"
 	Perfectprivacy        = "perfect privacy"
 	Privado               = "privado"
 	PrivateInternetAccess = "private internet access"
@@ -44,7 +43,6 @@ func All() []string {
 		Ivpn,
 		Mullvad,
 		Nordvpn,
-		Ovpn,
 		Perfectprivacy,
 		Privado,
 		PrivateInternetAccess,

internal/dns/leak.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"io"
 	"math"
 	"math/rand/v2"
 	"net/http"
@@ -85,14 +84,11 @@ func triggerDNSQuery(ctx context.Context, client *http.Client, session string) (
 		IP      map[string]uint `json:"ip"`
 	}
 
-	rawData, err := io.ReadAll(response.Body)
-	if err != nil {
-		return nil, fmt.Errorf("reading response body: %w", err)
-	}
+	decoder := json.NewDecoder(response.Body)
 	var data ipLeakData
-	err = json.Unmarshal(rawData, &data)
+	err = decoder.Decode(&data)
 	if err != nil {
-		return nil, fmt.Errorf("decoding response %q: %w", rawData, err)
+		return nil, fmt.Errorf("decoding response: %w", err)
 	} else if data.Session != session {
 		return nil, fmt.Errorf("ipleak.net session mismatch: expected %s, got %s", session, data.Session)
 	}

internal/firewall/interfaces.go

@@ -28,6 +28,8 @@ type firewallImpl interface { //nolint:interfacebloat
 	AcceptIpv6MulticastOutput(ctx context.Context, intf string) error
 	AcceptOutput(ctx context.Context, protocol, intf string,
 		ip netip.Addr, port uint16, remove bool) error
+	AcceptOutputFromIPPortToIPPort(ctx context.Context, protocol, intf string,
+		source, destination netip.AddrPort, remove bool) error
 	AcceptOutputFromIPToSubnet(ctx context.Context, intf string, assignedIP netip.Addr,
 		subnet netip.Prefix, remove bool) error
 	AcceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error

internal/firewall/iptables/iptables.go

@@ -2,6 +2,7 @@ package iptables
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/netip"
@@ -177,6 +178,29 @@ func (c *Config) AcceptOutput(ctx context.Context,
 	return c.runIP6tablesInstruction(ctx, instruction)
 }
 
+func (c *Config) AcceptOutputFromIPPortToIPPort(ctx context.Context,
+	protocol, intf string, source, destination netip.AddrPort, remove bool,
+) error {
+	if source.Addr().BitLen() != destination.Addr().BitLen() {
+		return errors.New("source and destination address families do not match")
+	}
+
+	interfaceFlag := "-o " + intf
+	if intf == "*" { // all interfaces
+		interfaceFlag = ""
+	}
+
+	instruction := fmt.Sprintf("%s OUTPUT %s -s %s -d %s -p %s -m %s --sport %d --dport %d -j ACCEPT",
+		appendOrDelete(remove), interfaceFlag, source.Addr(), destination.Addr(),
+		protocol, protocol, source.Port(), destination.Port())
+	if destination.Addr().Is4() {
+		return c.runIptablesInstruction(ctx, instruction)
+	} else if c.ip6Tables == "" {
+		return fmt.Errorf("accept output from %s to %s: %s", source, destination, needIP6Tables)
+	}
+	return c.runIP6tablesInstruction(ctx, instruction)
+}
+
 // AcceptOutputFromIPToSubnet accepts outgoing traffic from sourceIP to destinationSubnet
 // on the interface intf. If intf is empty, it is set to "*" which means all interfaces.
 // If remove is true, the rule is removed instead of added.

internal/firewall/wrappers.go

@@ -25,3 +25,10 @@ func (c *Config) AcceptOutput(ctx context.Context, protocol, intf string,
 ) error {
 	return c.impl.AcceptOutput(ctx, protocol, intf, ip, port, remove)
 }
+
+func (c *Config) AcceptOutputFromIPPortToIPPort(ctx context.Context,
+	protocol, intf string, source, destination netip.AddrPort, remove bool,
+) error {
+	return c.impl.AcceptOutputFromIPPortToIPPort(ctx, protocol, intf,
+		source, destination, remove)
+}

internal/models/server.go

@@ -34,11 +34,8 @@ type Server struct {
 	SecureCore  bool         `json:"secure_core,omitempty"`
 	Tor         bool         `json:"tor,omitempty"`
 	PortForward bool         `json:"port_forward,omitempty"`
-	Dedicated   bool         `json:"dedicated,omitempty"`
 	Keep        bool         `json:"keep,omitempty"`
 	IPs         []netip.Addr `json:"ips,omitempty"`
-	PortsTCP    []uint16     `json:"ports_tcp,omitempty"`
-	PortsUDP    []uint16     `json:"ports_udp,omitempty"`
 }
 
 func (s *Server) HasMinimumInformation() (err error) {

internal/provider/ovpn/connection.go

@@ -1,15 +0,0 @@
-package ovpn
-
-import (
-	"github.com/qdm12/gluetun/internal/configuration/settings"
-	"github.com/qdm12/gluetun/internal/models"
-	"github.com/qdm12/gluetun/internal/provider/utils"
-)
-
-func (p *Provider) GetConnection(selection settings.ServerSelection, ipv6Supported bool) (
-	connection models.Connection, err error,
-) {
-	defaults := utils.NewConnectionDefaults(443, 1194, 9929) //nolint:mnd
-	return utils.GetConnection(p.Name(),
-		p.storage, selection, defaults, ipv6Supported, p.connPicker)
-}

internal/provider/ovpn/connection_test.go

@@ -1,126 +0,0 @@
-package ovpn
-
-import (
-	"errors"
-	"net/http"
-	"net/netip"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/qdm12/gluetun/internal/configuration/settings"
-	"github.com/qdm12/gluetun/internal/constants"
-	"github.com/qdm12/gluetun/internal/constants/providers"
-	"github.com/qdm12/gluetun/internal/constants/vpn"
-	"github.com/qdm12/gluetun/internal/models"
-	"github.com/qdm12/gluetun/internal/provider/common"
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_Provider_GetConnection(t *testing.T) {
-	t.Parallel()
-
-	const provider = providers.Ovpn
-
-	errTest := errors.New("test error")
-
-	testCases := map[string]struct {
-		filteredServers []models.Server
-		storageErr      error
-		selection       settings.ServerSelection
-		ipv6Supported   bool
-		connection      models.Connection
-		errWrapped      error
-		errMessage      string
-	}{
-		"error": {
-			storageErr: errTest,
-			errWrapped: errTest,
-			errMessage: "filtering servers: test error",
-		},
-		"default_openvpn_tcp_port": {
-			filteredServers: []models.Server{
-				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
-			},
-			selection: settings.ServerSelection{
-				OpenVPN: settings.OpenVPNSelection{
-					Protocol: constants.TCP,
-				},
-			}.WithDefaults(provider),
-			connection: models.Connection{
-				Type:     vpn.OpenVPN,
-				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
-				Port:     443,
-				Protocol: constants.TCP,
-			},
-		},
-		"default_openvpn_udp_port": {
-			filteredServers: []models.Server{
-				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
-			},
-			selection: settings.ServerSelection{
-				OpenVPN: settings.OpenVPNSelection{
-					Protocol: constants.UDP,
-				},
-			}.WithDefaults(provider),
-			connection: models.Connection{
-				Type:     vpn.OpenVPN,
-				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
-				Port:     1194,
-				Protocol: constants.UDP,
-			},
-		},
-		"default_wireguard_port": {
-			filteredServers: []models.Server{
-				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x"},
-			},
-			selection: settings.ServerSelection{
-				VPN: vpn.Wireguard,
-			}.WithDefaults(provider),
-			connection: models.Connection{
-				Type:     vpn.Wireguard,
-				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
-				Port:     9929,
-				Protocol: constants.UDP,
-				PubKey:   "x",
-			},
-		},
-		"default_multihop_port": {
-			filteredServers: []models.Server{
-				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x", PortsUDP: []uint16{30044}},
-			},
-			selection: settings.ServerSelection{
-				VPN: vpn.Wireguard,
-			}.WithDefaults(provider),
-			connection: models.Connection{
-				Type:     vpn.Wireguard,
-				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
-				Port:     30044,
-				Protocol: constants.UDP,
-				PubKey:   "x",
-			},
-		},
-	}
-
-	for name, testCase := range testCases {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-			ctrl := gomock.NewController(t)
-
-			storage := common.NewMockStorage(ctrl)
-			storage.EXPECT().FilterServers(provider, testCase.selection).
-				Return(testCase.filteredServers, testCase.storageErr)
-
-			client := (*http.Client)(nil)
-			provider := New(storage, client)
-
-			connection, err := provider.GetConnection(testCase.selection, testCase.ipv6Supported)
-
-			assert.ErrorIs(t, err, testCase.errWrapped)
-			if testCase.errWrapped != nil {
-				assert.EqualError(t, err, testCase.errMessage)
-			}
-
-			assert.Equal(t, testCase.connection, connection)
-		})
-	}
-}

internal/provider/ovpn/openvpnconf.go

@@ -1,38 +0,0 @@
-package ovpn
-
-import (
-	"strings"
-
-	"github.com/qdm12/gluetun/internal/configuration/settings"
-	"github.com/qdm12/gluetun/internal/constants/openvpn"
-	"github.com/qdm12/gluetun/internal/models"
-	"github.com/qdm12/gluetun/internal/provider/utils"
-)
-
-func (p *Provider) OpenVPNConfig(connection models.Connection,
-	settings settings.OpenVPN, ipv6Supported bool,
-) (lines []string) {
-	providerSettings := utils.OpenVPNProviderSettings{
-		AuthUserPass:  true,
-		RemoteCertTLS: true,
-		Ciphers: []string{
-			openvpn.AES256gcm,
-			openvpn.AES256cbc,
-			openvpn.AES128gcm,
-			openvpn.Chacha20Poly1305,
-		},
-		CAs: []string{
-			"MIIEfTCCA2WgAwIBAgIJAK2aIWqpLj1/MA0GCSqGSIb3DQEBBQUAMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTAeFw0xNDA4MTcxODIxMjlaFw0zNDA4MTIxODIxMjlaMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMR+aP4GTuZwurZuOA2NYzMfqKyZi/TJcLEPlGTB/b4CWA9bTd8f0pHPrDAZsXIEayxxB58BIFNDNiybnbO15JN/QwlsqmA+aZX6mCSkScs/rRwasM6LDo8iGx+KmYEqAgzziONGbCMnlO+OaarXte7LhZ9X6Z/bryu4xq/i1v3raak13kXsrogtu4iDzxqJE/QhbNOi0yhCdlm5RYQjmlKGdPB9pNTgcakVI4HcngRYMzBlrGin0YkvWCdpx5FrDNeld7BSWrJMNYyvd+buaid0Fu1T9/P/Srj/8AiabKoaDyiGFbZdTnGfK+04lWRvwAmvazpqbUt5Omw634jJDuMCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUEvJcHHcTiDtu7bAyZw+xaqg+xdIwgboGA1UdIwSBsjCBr4AUEvJcHHcTiDtu7bAyZw+xaqg+xdKhgYukgYgwgYUxCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlTdG9ja2hvbG0xEjAQBgNVBAcTCVN0b2NraG9sbTEcMBoGA1UECxMTRmlybWEgRGF2aWQgV2liZXJnaDETMBEGA1UEAxMKb3Zwbi5zZSBjYTEbMBkGCSqGSIb3DQEJARYMaW5mb0BvdnBuLnNlggkArZohaqkuPX8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAJmID6OyBJbV7ayPPgquojF+FICuDdOfGVKP828cyISxcbVA04VpD0QLYVb0k9pFUx0NbgX2SvRTiFhP7LcyS1HV9s+XLCb2WItPPsrdRTwtqU2n3TlCEzWA3WOcOCtT6JSkv1eelmx1JnP0gYJrDvDvRYBFctwWhtE0bineSQkZwN6980zkknADLAiHpeZSu/AMx7CGTwA6SmoFvpNBmHXDcfe/9ZqbbYfUfyPNe+0JbMrcv1elKi+6wlEkHFaEBphiZwGEbOX1CjUMcQFgW/cIp3n50Eiyx6ktuqimhyb59P4Nw8gqH452tTtE4MM/brA5y0Q0WFBRBojfZIbGWWQ==", //nolint:lll
-		},
-		TLSAuth:      "81782767e4d59c4464cc5d1896f1cf6015017d53ac62e2e3b94b889e00b2c69ddc01944fe1c6d895b4d80540502eb71910b8d785c9efa9e3182343532adffe1cfbb7bb6eae39c502da2748edf0fb89b8a20b0a1085cc1f06135037881bc0c4ad8f2c0f4f72d2ab466fb54af3d8264c5fddeb0f21aa0ca41863678f5fc4c44de4ca0926b36dfddc42c6f2fabd1694bdc8215b2d223b9c21dc6734c2c778093187afb8c33403b228b9af68b540c284f6d183bcc88bd41d47bd717996e499ce1cbbfa768a9723c19c58314c4d19cfed82e543ee92e73d38ad26d4fbec231c0f9f3b30773a5c87792e9bc7c34e8d7611002ebedd044e48a0f1f96527bfdcc940aa09", //nolint:lll
-		KeyDirection: "1",
-	}
-
-	if strings.HasSuffix(connection.Hostname, "singapore.ovpn.com") {
-		providerSettings.TLSCrypt = providerSettings.TLSAuth
-		providerSettings.TLSAuth = ""
-		providerSettings.KeyDirection = ""
-	}
-
-	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
-}

internal/provider/ovpn/provider.go

@@ -1,28 +0,0 @@
-package ovpn
-
-import (
-	"net/http"
-
-	"github.com/qdm12/gluetun/internal/constants/providers"
-	"github.com/qdm12/gluetun/internal/provider/common"
-	"github.com/qdm12/gluetun/internal/provider/ovpn/updater"
-	"github.com/qdm12/gluetun/internal/provider/utils"
-)
-
-type Provider struct {
-	storage    common.Storage
-	connPicker *utils.ConnectionPicker
-	common.Fetcher
-}
-
-func New(storage common.Storage, client *http.Client) *Provider {
-	return &Provider{
-		storage:    storage,
-		connPicker: utils.NewConnectionPicker(),
-		Fetcher:    updater.New(client),
-	}
-}
-
-func (p *Provider) Name() string {
-	return providers.Ovpn
-}

internal/provider/ovpn/updater/api.go

@@ -1,153 +0,0 @@
-package updater
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"net/netip"
-	"strings"
-)
-
-type apiData struct {
-	Success     bool            `json:"success"`
-	DataCenters []apiDataCenter `json:"datacenters"`
-}
-
-type apiDataCenter struct {
-	City        string      `json:"city"`
-	CountryName string      `json:"country_name"`
-	Servers     []apiServer `json:"servers"`
-}
-
-type apiServer struct {
-	IP     netip.Addr `json:"ip"`
-	Ptr    string     `json:"ptr"` // hostname
-	Online bool       `json:"online"`
-	// PublicKey is for the Standard Shared Entry Point
-	PublicKey string `json:"public_key"`
-	// PublicKeyIPv4 is for the Public / Dedicated IP Entry Point
-	PublicKeyIPv4         string   `json:"public_key_ipv4"`
-	WireguardPorts        []uint16 `json:"wireguard_ports"`
-	MultiHopOpenvpnPort   uint16   `json:"multihop_openvpn_port"`
-	MultiHopWireguardPort uint16   `json:"multihop_wireguard_port"`
-}
-
-func fetchAPI(ctx context.Context, client *http.Client) (
-	data apiData, err error,
-) {
-	const url = "https://www.ovpn.com/v2/api/client/entry"
-
-	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
-	if err != nil {
-		return data, err
-	}
-
-	response, err := client.Do(request)
-	if err != nil {
-		return data, err
-	}
-
-	if response.StatusCode != http.StatusOK {
-		_ = response.Body.Close()
-		return data, fmt.Errorf("HTTP response status code is not OK: %d %s",
-			response.StatusCode, response.Status)
-	}
-
-	decoder := json.NewDecoder(response.Body)
-	err = decoder.Decode(&data)
-	if err != nil {
-		_ = response.Body.Close()
-		return data, fmt.Errorf("decoding response body: %w", err)
-	}
-
-	err = response.Body.Close()
-	if err != nil {
-		return data, fmt.Errorf("closing response body: %w", err)
-	}
-
-	return data, nil
-}
-
-func (a *apiDataCenter) validate() (err error) {
-	conditionalErrors := []conditionalError{
-		{err: "city is not set", condition: a.City == ""},
-		{err: "country name is not set", condition: a.CountryName == ""},
-		{err: "servers array is not set", condition: len(a.Servers) == 0},
-	}
-	err = collectErrors(conditionalErrors)
-	if err != nil {
-		var dataCenterSetFields []string
-		if a.CountryName != "" {
-			dataCenterSetFields = append(dataCenterSetFields, a.CountryName)
-		}
-		if a.City != "" {
-			dataCenterSetFields = append(dataCenterSetFields, a.City)
-		}
-		if len(dataCenterSetFields) == 0 {
-			return err
-		}
-		return fmt.Errorf("data center %s: %w",
-			strings.Join(dataCenterSetFields, ", "), err)
-	}
-
-	for i, server := range a.Servers {
-		err = server.validate()
-		if err != nil {
-			return fmt.Errorf("datacenter %s, %s: server %d of %d: %w",
-				a.CountryName, a.City, i+1, len(a.Servers), err)
-		}
-	}
-
-	return nil
-}
-
-func (a *apiServer) validate() (err error) {
-	const defaultWireguardPort = 9929
-	conditionalErrors := []conditionalError{
-		{err: "ip address is not set", condition: !a.IP.IsValid()},
-		{err: "hostname field is not set", condition: a.Ptr == ""},
-		{err: "public key field is not set", condition: a.PublicKey == ""},
-		{err: "public key IPv4 field is not set", condition: a.PublicKeyIPv4 == ""},
-		{err: "wireguard ports array is not set", condition: len(a.WireguardPorts) == 0},
-		{
-			err:       "wireguard port is not the default 9929",
-			condition: len(a.WireguardPorts) != 1 || a.WireguardPorts[0] != defaultWireguardPort,
-		},
-		{err: "multihop OpenVPN port is not set", condition: a.MultiHopOpenvpnPort == 0},
-		{err: "multihop WireGuard port is not set", condition: a.MultiHopWireguardPort == 0},
-	}
-	err = collectErrors(conditionalErrors)
-	switch {
-	case err == nil:
-		return nil
-	case a.Ptr != "":
-		return fmt.Errorf("server %s: %w", a.Ptr, err)
-	case a.IP.IsValid():
-		return fmt.Errorf("server %s: %w", a.IP.String(), err)
-	default:
-		return err
-	}
-}
-
-type conditionalError struct {
-	err       string
-	condition bool
-}
-
-func collectErrors(conditionalErrors []conditionalError) (err error) {
-	errs := make([]string, 0, len(conditionalErrors))
-	for _, conditionalError := range conditionalErrors {
-		if !conditionalError.condition {
-			continue
-		}
-		errs = append(errs, conditionalError.err)
-	}
-
-	if len(errs) == 0 {
-		return nil
-	}
-
-	return errors.New(strings.Join(errs, "; "))
-}

internal/provider/ovpn/updater/api_test.go

@@ -1,118 +0,0 @@
-package updater
-
-import (
-	"context"
-	"errors"
-	"io"
-	"net/http"
-	"net/netip"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func Test_fetchAPI(t *testing.T) {
-	t.Parallel()
-
-	testCases := map[string]struct {
-		responseStatus int
-		responseBody   io.ReadCloser
-		data           apiData
-		err            error
-	}{
-		"http response status not ok": {
-			responseStatus: http.StatusNoContent,
-			err:            errors.New("HTTP response status code is not OK: 204 No Content"),
-		},
-		"nil body": {
-			responseStatus: http.StatusOK,
-			err:            errors.New("decoding response body: EOF"),
-		},
-		"no server": {
-			responseStatus: http.StatusOK,
-			responseBody:   io.NopCloser(strings.NewReader(`{}`)),
-		},
-		"success": {
-			responseStatus: http.StatusOK,
-			responseBody: io.NopCloser(strings.NewReader(`{
-		  "success": true,
-		  "datacenters": [
-		    {
-		      "slug": "vienna",
-		      "city": "Vienna",
-		      "country": "AT",
-		      "country_name": "Austria",
-		      "pools": [
-		        "pool-1.prd.at.vienna.ovpn.com"
-		      ],
-		      "ping_address": "37.120.212.227",
-		      "servers": [
-		        {
-		          "ip": "37.120.212.227",
-		          "ptr": "vpn44.prd.vienna.ovpn.com",
-		          "name": "VPN44 - Vienna",
-		          "online": true,
-		          "load": 8,
-		          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
-		          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
-		          "wireguard_ports": [
-		            9929
-		          ],
-		          "multihop_openvpn_port": 20044,
-		          "multihop_wireguard_port": 30044
-		        }
-		      ]
-		    }
-		  ]
-		}`)),
-			data: apiData{
-				Success: true,
-				DataCenters: []apiDataCenter{
-					{CountryName: "Austria", City: "Vienna", Servers: []apiServer{
-						{
-							IP:                    netip.MustParseAddr("37.120.212.227"),
-							Ptr:                   "vpn44.prd.vienna.ovpn.com",
-							Online:                true,
-							PublicKey:             "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
-							PublicKeyIPv4:         "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
-							WireguardPorts:        []uint16{9929},
-							MultiHopOpenvpnPort:   20044,
-							MultiHopWireguardPort: 30044,
-						},
-					}},
-				},
-			},
-		},
-	}
-	for name, testCase := range testCases {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			ctx := context.Background()
-
-			client := &http.Client{
-				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
-					assert.Equal(t, http.MethodGet, r.Method)
-					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
-					return &http.Response{
-						StatusCode: testCase.responseStatus,
-						Status:     http.StatusText(testCase.responseStatus),
-						Body:       testCase.responseBody,
-					}, nil
-				}),
-			}
-
-			data, err := fetchAPI(ctx, client)
-
-			assert.Equal(t, testCase.data, data)
-			if testCase.err != nil {
-				require.Error(t, err)
-				assert.Equal(t, testCase.err.Error(), err.Error())
-			} else {
-				assert.NoError(t, err)
-			}
-		})
-	}
-}

internal/provider/ovpn/updater/roundtrip_test.go

@@ -1,9 +0,0 @@
-package updater
-
-import "net/http"
-
-type roundTripFunc func(r *http.Request) (*http.Response, error)
-
-func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) {
-	return f(r)
-}

internal/provider/ovpn/updater/servers.go

@@ -1,82 +0,0 @@
-package updater
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/netip"
-	"sort"
-
-	"github.com/qdm12/gluetun/internal/constants/vpn"
-	"github.com/qdm12/gluetun/internal/models"
-	"github.com/qdm12/gluetun/internal/provider/common"
-)
-
-func (u *Updater) FetchServers(ctx context.Context, minServers int) (
-	servers []models.Server, err error,
-) {
-	data, err := fetchAPI(ctx, u.client)
-	if err != nil {
-		return nil, fmt.Errorf("fetching API: %w", err)
-	} else if !data.Success {
-		return nil, errors.New("response success field is false")
-	}
-
-	for dataCenterIndex, dataCenter := range data.DataCenters {
-		err = dataCenter.validate()
-		if err != nil {
-			return nil, fmt.Errorf("validating data center %d of %d: %w",
-				dataCenterIndex+1, len(data.DataCenters), err)
-		}
-
-		for _, apiServer := range dataCenter.Servers {
-			if !apiServer.Online {
-				continue
-			}
-
-			baseServer := models.Server{
-				Country:  dataCenter.CountryName,
-				City:     dataCenter.City,
-				Hostname: apiServer.Ptr,
-				IPs:      []netip.Addr{apiServer.IP},
-			}
-			openVPNServer := baseServer
-			openVPNServer.VPN = vpn.OpenVPN
-			openVPNServer.TCP = true
-			openVPNServer.UDP = true
-			multiHopOpenVPNServer := openVPNServer
-			multiHopOpenVPNServer.MultiHop = true
-			multiHopOpenVPNServer.PortsTCP = []uint16{apiServer.MultiHopOpenvpnPort}
-			multiHopOpenVPNServer.PortsUDP = []uint16{apiServer.MultiHopOpenvpnPort}
-			servers = append(servers, openVPNServer, multiHopOpenVPNServer)
-
-			wireguardServer := baseServer
-			wireguardServer.VPN = vpn.Wireguard
-			wireguardServer.WgPubKey = apiServer.PublicKey
-			multiHopWireguardServer := wireguardServer
-			multiHopWireguardServer.MultiHop = true
-			multiHopWireguardServer.PortsUDP = []uint16{apiServer.MultiHopWireguardPort}
-			dedicatedWireguardServer := wireguardServer
-			dedicatedWireguardServer.WgPubKey = apiServer.PublicKeyIPv4
-			dedicatedWireguardServer.Dedicated = true
-			dedicatedMultiHopWireguardServer := multiHopWireguardServer
-			dedicatedMultiHopWireguardServer.WgPubKey = apiServer.PublicKeyIPv4
-			dedicatedMultiHopWireguardServer.Dedicated = true
-			servers = append(servers,
-				wireguardServer,
-				multiHopWireguardServer,
-				dedicatedWireguardServer,
-				dedicatedMultiHopWireguardServer,
-			)
-		}
-	}
-
-	if len(servers) < minServers {
-		return nil, fmt.Errorf("%w: %d and expected at least %d",
-			common.ErrNotEnoughServers, len(servers), minServers)
-	}
-
-	sort.Sort(models.SortableServers(servers))
-
-	return servers, nil
-}

internal/provider/ovpn/updater/servers_test.go

@@ -1,228 +0,0 @@
-package updater
-
-import (
-	"context"
-	"io"
-	"net/http"
-	"net/netip"
-	"strings"
-	"testing"
-
-	"github.com/qdm12/gluetun/internal/constants/vpn"
-	"github.com/qdm12/gluetun/internal/models"
-	"github.com/qdm12/gluetun/internal/provider/common"
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_Updater_FetchServers(t *testing.T) {
-	t.Parallel()
-
-	testCases := map[string]struct {
-		// Inputs
-		minServers int
-
-		// From API
-		responseStatus int
-		responseBody   string
-
-		// Output
-		servers    []models.Server
-		errWrapped error
-		errMessage string
-	}{
-		"http_response_error": {
-			responseStatus: http.StatusNoContent,
-			errMessage:     "fetching API: HTTP response status code is not OK: 204 No Content",
-		},
-		"success_field_false": {
-			responseStatus: http.StatusOK,
-			responseBody:   `{"success": false}`,
-			errMessage:     "response success field is false",
-		},
-		"validation_failed": {
-			responseStatus: http.StatusOK,
-			responseBody: `{
-  "success": true,
-  "datacenters": [
-    {
-      "city": "Vienna",
-      "servers": [
-        {}
-      ]
-    }
-  ]
-}`,
-			errMessage: "validating data center 1 of 1: data center Vienna: country name is not set",
-		},
-		"not_enough_servers": {
-			minServers:     7,
-			responseStatus: http.StatusOK,
-			responseBody: `{
-  "success": true,
-  "datacenters": [
-    {
-      "city": "Vienna",
-      "country_name": "Austria",
-      "servers": [
-        {
-          "ip": "37.120.212.227",
-          "ptr": "vpn44.prd.vienna.ovpn.com",
-          "online": true,
-          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
-					"public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
-          "wireguard_ports": [9929],
-          "multihop_openvpn_port": 20044,
-          "multihop_wireguard_port": 30044
-        }
-      ]
-    }
-  ]
-}`,
-			errWrapped: common.ErrNotEnoughServers,
-			// Wireguard + dedicated Wireguard + Wireguard multi-hop +
-			// dedicated Wireguard multi-hop + OpenVPN + OpenVPN multi-hop
-			errMessage: "not enough servers found: 6 and expected at least 7",
-		},
-		"success": {
-			minServers: 4,
-			responseBody: `{
-  "success": true,
-  "datacenters": [
-    {
-      "slug": "vienna",
-      "city": "Vienna",
-      "country": "AT",
-      "country_name": "Austria",
-      "pools": [
-        "pool-1.prd.at.vienna.ovpn.com"
-      ],
-      "ping_address": "37.120.212.227",
-      "servers": [
-        {
-          "ip": "37.120.212.227",
-          "ptr": "vpn44.prd.vienna.ovpn.com",
-          "name": "VPN44 - Vienna",
-          "online": true,
-          "load": 8,
-          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
-          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
-          "wireguard_ports": [
-            9929
-          ],
-          "multihop_openvpn_port": 20044,
-          "multihop_wireguard_port": 30044
-        },
-        {
-          "ip": "37.120.212.228",
-          "ptr": "vpn45.prd.vienna.ovpn.com",
-          "online": false,
-          "public_key": "r93LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
-					"public_key_ipv4": "wGbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
-          "wireguard_ports": [9929],
-          "multihop_openvpn_port": 20045,
-          "multihop_wireguard_port": 30045
-        }
-      ]
-    }
-  ]
-}`,
-			responseStatus: http.StatusOK,
-			servers: []models.Server{
-				{
-					Country:  "Austria",
-					City:     "Vienna",
-					Hostname: "vpn44.prd.vienna.ovpn.com",
-					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
-					VPN:      vpn.OpenVPN,
-					UDP:      true,
-					TCP:      true,
-				},
-				{
-					Country:  "Austria",
-					City:     "Vienna",
-					Hostname: "vpn44.prd.vienna.ovpn.com",
-					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
-					VPN:      vpn.OpenVPN,
-					UDP:      true,
-					TCP:      true,
-					MultiHop: true,
-					PortsTCP: []uint16{20044},
-					PortsUDP: []uint16{20044},
-				},
-				{
-					Country:  "Austria",
-					City:     "Vienna",
-					Hostname: "vpn44.prd.vienna.ovpn.com",
-					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
-					VPN:      vpn.Wireguard,
-					WgPubKey: "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
-				},
-				{
-					Country:  "Austria",
-					City:     "Vienna",
-					Hostname: "vpn44.prd.vienna.ovpn.com",
-					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
-					VPN:      vpn.Wireguard,
-					WgPubKey: "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
-					MultiHop: true,
-					PortsUDP: []uint16{30044},
-				},
-				{
-					Country:   "Austria",
-					City:      "Vienna",
-					Hostname:  "vpn44.prd.vienna.ovpn.com",
-					IPs:       []netip.Addr{netip.MustParseAddr("37.120.212.227")},
-					VPN:       vpn.Wireguard,
-					WgPubKey:  "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
-					Dedicated: true,
-				},
-				{
-					Country:   "Austria",
-					City:      "Vienna",
-					Hostname:  "vpn44.prd.vienna.ovpn.com",
-					IPs:       []netip.Addr{netip.MustParseAddr("37.120.212.227")},
-					VPN:       vpn.Wireguard,
-					WgPubKey:  "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
-					MultiHop:  true,
-					Dedicated: true,
-					PortsUDP:  []uint16{30044},
-				},
-			},
-		},
-	}
-	for name, testCase := range testCases {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			ctx := context.Background()
-
-			client := &http.Client{
-				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
-					assert.Equal(t, http.MethodGet, r.Method)
-					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
-					return &http.Response{
-						StatusCode: testCase.responseStatus,
-						Status:     http.StatusText(testCase.responseStatus),
-						Body:       io.NopCloser(strings.NewReader(testCase.responseBody)),
-					}, nil
-				}),
-			}
-
-			updater := &Updater{
-				client: client,
-			}
-
-			servers, err := updater.FetchServers(ctx, testCase.minServers)
-
-			assert.Equal(t, testCase.servers, servers)
-			if testCase.errMessage == "" {
-				assert.NoError(t, err)
-			} else {
-				assert.Contains(t, err.Error(), testCase.errMessage)
-			}
-			if testCase.errWrapped != nil {
-				assert.ErrorIs(t, err, testCase.errWrapped)
-			}
-		})
-	}
-}

internal/provider/ovpn/updater/updater.go

@@ -1,15 +0,0 @@
-package updater
-
-import (
-	"net/http"
-)
-
-type Updater struct {
-	client *http.Client
-}
-
-func New(client *http.Client) *Updater {
-	return &Updater{
-		client: client,
-	}
-}

internal/provider/providers.go

@@ -20,7 +20,6 @@ import (
 	"github.com/qdm12/gluetun/internal/provider/ivpn"
 	"github.com/qdm12/gluetun/internal/provider/mullvad"
 	"github.com/qdm12/gluetun/internal/provider/nordvpn"
-	"github.com/qdm12/gluetun/internal/provider/ovpn"
 	"github.com/qdm12/gluetun/internal/provider/perfectprivacy"
 	"github.com/qdm12/gluetun/internal/provider/privado"
 	"github.com/qdm12/gluetun/internal/provider/privateinternetaccess"
@@ -68,7 +67,6 @@ func NewProviders(storage Storage, timeNow func() time.Time,
 		providers.Ivpn:                  ivpn.New(storage, client, updaterWarner, parallelResolver),
 		providers.Mullvad:               mullvad.New(storage, client),
 		providers.Nordvpn:               nordvpn.New(storage, client, updaterWarner),
-		providers.Ovpn:                  ovpn.New(storage, client),
 		providers.Perfectprivacy:        perfectprivacy.New(storage, unzipper, updaterWarner),
 		providers.Privado:               privado.New(storage, client, updaterWarner),
 		providers.PrivateInternetAccess: privateinternetaccess.New(storage, timeNow, client),

internal/provider/utils/connection.go

@@ -52,6 +52,8 @@ func GetConnection(provider string,
 	})
 
 	protocol := getProtocol(selection)
+	port := getPort(selection, defaults.OpenVPNTCPPort,
+		defaults.OpenVPNUDPPort, defaults.WireguardPort)
 
 	connections := make([]models.Connection, 0, len(servers))
 	for _, server := range servers {
@@ -67,9 +69,6 @@ func GetConnection(provider string,
 				hostname = server.OvpnX509
 			}
 
-			port := getPort(selection, server, defaults.OpenVPNTCPPort,
-				defaults.OpenVPNUDPPort, defaults.WireguardPort)
-
 			connection := models.Connection{
 				Type:        selection.VPN,
 				IP:          ip,

internal/provider/utils/port.go

@@ -6,44 +6,29 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
-	"github.com/qdm12/gluetun/internal/models"
 )
 
-func getPort(selection settings.ServerSelection, server models.Server,
+func getPort(selection settings.ServerSelection,
 	defaultOpenVPNTCP, defaultOpenVPNUDP, defaultWireguard uint16,
 ) (port uint16) {
 	switch selection.VPN {
 	case vpn.Wireguard:
 		customPort := *selection.Wireguard.EndpointPort
 		if customPort > 0 {
-			// Note: servers filtering ensures the custom port is within the
-			// server ports defined if any is set.
 			return customPort
 		}
-
-		if len(server.PortsUDP) > 0 {
-			defaultWireguard = server.PortsUDP[0]
-		}
 		checkDefined("Wireguard", defaultWireguard)
 		return defaultWireguard
 	default: // OpenVPN
 		customPort := *selection.OpenVPN.CustomPort
 		if customPort > 0 {
-			// Note: servers filtering ensures the custom port is within the
-			// server ports defined if any is set.
 			return customPort
 		}
 		if selection.OpenVPN.Protocol == constants.TCP {
-			if len(server.PortsTCP) > 0 {
-				defaultOpenVPNTCP = server.PortsTCP[0]
-			}
 			checkDefined("OpenVPN TCP", defaultOpenVPNTCP)
 			return defaultOpenVPNTCP
 		}
 
-		if len(server.PortsUDP) > 0 {
-			defaultOpenVPNUDP = server.PortsUDP[0]
-		}
 		checkDefined("OpenVPN UDP", defaultOpenVPNUDP)
 		return defaultOpenVPNUDP
 	}

internal/provider/utils/port_test.go

@@ -6,7 +6,6 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
-	"github.com/qdm12/gluetun/internal/models"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -23,7 +22,6 @@ func Test_GetPort(t *testing.T) {
 
 	testCases := map[string]struct {
 		selection         settings.ServerSelection
-		server            models.Server
 		defaultOpenVPNTCP uint16
 		defaultOpenVPNUDP uint16
 		defaultWireguard  uint16
@@ -50,20 +48,6 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard:  defaultWireguard,
 			port:              defaultOpenVPNUDP,
 		},
-		"OpenVPN_server_port_udp": {
-			selection: settings.ServerSelection{
-				VPN: vpn.OpenVPN,
-				OpenVPN: settings.OpenVPNSelection{
-					CustomPort: uint16Ptr(0),
-					Protocol:   constants.UDP,
-				},
-			},
-			server: models.Server{
-				PortsUDP: []uint16{1234},
-			},
-			defaultOpenVPNUDP: defaultOpenVPNUDP,
-			port:              1234,
-		},
 		"OpenVPN UDP no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.OpenVPN,
@@ -104,20 +88,6 @@ func Test_GetPort(t *testing.T) {
 			},
 			port: 1234,
 		},
-		"OpenVPN_server_port_tcp": {
-			selection: settings.ServerSelection{
-				VPN: vpn.OpenVPN,
-				OpenVPN: settings.OpenVPNSelection{
-					CustomPort: uint16Ptr(0),
-					Protocol:   constants.TCP,
-				},
-			},
-			server: models.Server{
-				PortsTCP: []uint16{1234},
-			},
-			defaultOpenVPNTCP: defaultOpenVPNTCP,
-			port:              1234,
-		},
 		"Wireguard": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -135,19 +105,6 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard: defaultWireguard,
 			port:             1234,
 		},
-		"Wireguard_server_port": {
-			selection: settings.ServerSelection{
-				VPN: vpn.Wireguard,
-				Wireguard: settings.WireguardSelection{
-					EndpointPort: uint16Ptr(0),
-				},
-			},
-			server: models.Server{
-				PortsUDP: []uint16{1234},
-			},
-			defaultWireguard: defaultWireguard,
-			port:             1234,
-		},
 		"Wireguard no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -163,7 +120,6 @@ func Test_GetPort(t *testing.T) {
 			if testCase.panics != "" {
 				assert.PanicsWithValue(t, testCase.panics, func() {
 					_ = getPort(testCase.selection,
-						testCase.server,
 						testCase.defaultOpenVPNTCP,
 						testCase.defaultOpenVPNUDP,
 						testCase.defaultWireguard)
@@ -172,7 +128,6 @@ func Test_GetPort(t *testing.T) {
 			}
 
 			port := getPort(testCase.selection,
-				testCase.server,
 				testCase.defaultOpenVPNTCP,
 				testCase.defaultOpenVPNUDP,
 				testCase.defaultWireguard)

internal/restrictednet/client.go

@@ -0,0 +1,82 @@
+package restrictednet
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/netip"
+	"strconv"
+
+	"github.com/qdm12/dns/v2/pkg/provider"
+)
+
+// Client is a client for making restricted network requests,
+// such as opening temporary firewall rules for HTTPS connections.
+// It is not meant to be high performance, although it can be used for
+// multiple requests and concurrently.
+type Client struct {
+	outboundInterface string
+	ipv6Supported     bool
+	firewall          Firewall
+	dohServers        []provider.DoHServer
+}
+
+func New(settings Settings) *Client {
+	if err := settings.validate(); err != nil {
+		panic(fmt.Sprintf("invalid settings: %v", err)) // programming error
+	}
+	dohServers := make([]provider.DoHServer, len(settings.UpstreamResolvers))
+	for i, upstreamResolver := range settings.UpstreamResolvers {
+		dohServers[i] = upstreamResolver.DoH
+	}
+
+	return &Client{
+		outboundInterface: settings.DefaultInterface,
+		ipv6Supported:     *settings.IPv6Supported,
+		firewall:          settings.Firewall,
+		dohServers:        dohServers,
+	}
+}
+
+// OpenHTTPSByHostname opens an https connection through the firewall,
+// to the hostname which in the format `host:port`. The returned cleanup
+// function must be called to remove the temporary firewall rule and close connections.
+// It first resolves the domain in hostname using DNS over HTTPS and then opens
+// the restricted HTTPS connection to the resolved IP.
+func (c *Client) OpenHTTPSByHostname(ctx context.Context, hostname string) (
+	httpClient *http.Client, cleanup func() error, err error,
+) {
+	host, portStr, err := net.SplitHostPort(hostname)
+	if err != nil {
+		return nil, nil, fmt.Errorf("splitting host and port: %w", err)
+	}
+	resolvedIPs, err := c.ResolveName(ctx, host)
+	if err != nil {
+		return nil, nil, fmt.Errorf("resolving name: %w", err)
+	} else if len(resolvedIPs) == 0 {
+		return nil, nil, fmt.Errorf("no IP address found for name %q", host)
+	}
+
+	portUint, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return nil, nil, fmt.Errorf("parsing port: %w", err)
+	} else if portUint == 0 {
+		return nil, nil, errors.New("destination port cannot be 0")
+	}
+	port := uint16(portUint)
+
+	errs := make([]error, 0, len(resolvedIPs))
+	for _, ip := range resolvedIPs {
+		addrPort := netip.AddrPortFrom(ip, port)
+		httpClient, cleanup, err := c.OpenHTTPS(ctx, host, addrPort)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("for %s: %w", ip, err))
+			continue
+		}
+		return httpClient, cleanup, nil
+	}
+
+	return nil, nil, fmt.Errorf("opening HTTPS to %s: %w", hostname, errors.Join(errs...))
+}

internal/restrictednet/helpers_test.go

@@ -0,0 +1,7 @@
+//go:build integration
+
+package restrictednet
+
+func ptrTo[T any](value T) *T {
+	return &value
+}

internal/restrictednet/https.go

@@ -0,0 +1,202 @@
+package restrictednet
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/netip"
+	"os"
+	"time"
+
+	"github.com/jsimonetti/rtnetlink"
+	"github.com/qdm12/gluetun/internal/pmtud/constants"
+)
+
+// OpenHTTPS opens temporary restrictive firewall output for one HTTPS destination.
+// The returned [*http.Client] must be used sequentially only, and each request must
+// have its response body fully read/discarded and then closed.
+// The returned cleanup function must be called to remove the temporary firewall rule and close connections.
+func (c *Client) OpenHTTPS(ctx context.Context, destinationTLSName string, destinationAddrPort netip.AddrPort,
+) (httpClient *http.Client, cleanup func() error, err error) {
+	fd, sourceAddrPort, err := bindSourceConnection(destinationAddrPort.Addr())
+	if err != nil {
+		return nil, nil, fmt.Errorf("binding source port: %w", err)
+	}
+
+	const remove = false
+	err = c.firewall.AcceptOutputFromIPPortToIPPort(ctx, "tcp", c.outboundInterface,
+		sourceAddrPort, destinationAddrPort, remove)
+	if err != nil {
+		closeFD(fd)
+		return nil, nil, fmt.Errorf("allowing output traffic through firewall: %w", err)
+	}
+
+	connection, err := connectSourceConnection(ctx, fd, destinationAddrPort)
+	if err != nil {
+		const remove = true
+		_ = c.firewall.AcceptOutputFromIPPortToIPPort(context.Background(), "tcp", c.outboundInterface,
+			sourceAddrPort, destinationAddrPort, remove)
+		return nil, nil, fmt.Errorf("connecting source socket: %w", err)
+	}
+
+	dial := makeDial(connection, destinationTLSName)
+	httpClient = newHTTPSClient(destinationTLSName, dial)
+	cleanup = func() error {
+		var errs []error
+		httpClient.CloseIdleConnections()
+		err := connection.Close()
+		if err != nil && !errors.Is(err, net.ErrClosed) {
+			errs = append(errs, fmt.Errorf("closing connection: %w", err))
+		}
+		const remove = true
+		err = c.firewall.AcceptOutputFromIPPortToIPPort(context.Background(), "tcp", c.outboundInterface,
+			sourceAddrPort, destinationAddrPort, remove)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("removing output traffic rule: %w", err))
+		}
+		if len(errs) > 0 {
+			return errors.Join(errs...)
+		}
+		return nil
+	}
+	return httpClient, cleanup, nil
+}
+
+type dialFunc func(ctx context.Context, network, address string) (net.Conn, error)
+
+func newHTTPSClient(destinationTLSName string, dial dialFunc) *http.Client {
+	const timeout = 5 * time.Second
+	transport := &http.Transport{
+		MaxIdleConns:        1,
+		MaxIdleConnsPerHost: 1,
+		MaxConnsPerHost:     1,
+		TLSClientConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			ServerName: destinationTLSName,
+		},
+		DialContext: dial,
+	}
+	return &http.Client{
+		Timeout:   timeout,
+		Transport: transport,
+	}
+}
+
+func makeDial(connection net.Conn, tlsName string) dialFunc {
+	_, destinationPort, err := net.SplitHostPort(connection.RemoteAddr().String())
+	if err != nil {
+		panic(err) // connection remote address should always be in the form "host:port"
+	}
+	expectedAddress := net.JoinHostPort(tlsName, destinationPort)
+	used := false
+	return func(_ context.Context, network, address string) (net.Conn, error) {
+		if used {
+			return nil, errors.New("dial function called more than once")
+		}
+		used = true
+		switch network {
+		case "tcp", "tcp4", "tcp6":
+		default:
+			return nil, fmt.Errorf("unexpected dial network %q", network)
+		}
+		if address != expectedAddress {
+			return nil, fmt.Errorf("unexpected dial address %q (expected %q)", address, expectedAddress)
+		}
+		return connection, nil
+	}
+}
+
+func bindSourceConnection(destinationIP netip.Addr) (fd int, sourceAddr netip.AddrPort, err error) {
+	sourceIP, err := sourceIPForDestination(destinationIP)
+	if err != nil {
+		return 0, netip.AddrPort{}, fmt.Errorf("finding source IP: %w", err)
+	}
+
+	family := constants.AF_INET
+	if sourceIP.Is6() {
+		family = constants.AF_INET6
+	}
+
+	fd, err = newTCPSockStream(family)
+	if err != nil {
+		return 0, netip.AddrPort{}, fmt.Errorf("creating socket: %w", err)
+	}
+
+	bindAddrPort := netip.AddrPortFrom(sourceIP, 0)
+	err = bindFD(fd, bindAddrPort)
+	if err != nil {
+		closeFD(fd)
+		return 0, netip.AddrPort{}, fmt.Errorf("binding socket: %w", err)
+	}
+
+	sourceAddr, err = fdToSourceAddr(fd)
+	if err != nil {
+		closeFD(fd)
+		return 0, netip.AddrPort{}, fmt.Errorf("getting source address: %w", err)
+	}
+
+	return fd, sourceAddr, nil
+}
+
+func connectSourceConnection(ctx context.Context, fd int, destinationAddrPort netip.AddrPort) (
+	connection net.Conn, err error,
+) {
+	err = connectFD(ctx, fd, destinationAddrPort)
+	if err != nil {
+		closeFD(fd)
+		return nil, fmt.Errorf("connecting socket: %w", err)
+	}
+
+	file := os.NewFile(uintptr(fd), "")
+	if file == nil {
+		closeFD(fd)
+		return nil, fmt.Errorf("creating socket file")
+	}
+	defer file.Close()
+
+	connection, err = net.FileConn(file)
+	if err != nil {
+		return nil, fmt.Errorf("wrapping socket connection: %w", err)
+	}
+
+	return connection, nil
+}
+
+func sourceIPForDestination(destinationIP netip.Addr) (srcIP netip.Addr, err error) {
+	conn, err := rtnetlink.Dial(nil)
+	if err != nil {
+		return netip.Addr{}, err
+	}
+	defer conn.Close()
+
+	family := uint8(constants.AF_INET)
+	if destinationIP.Is6() {
+		family = constants.AF_INET6
+	}
+
+	requestMessage := &rtnetlink.RouteMessage{
+		Family: family,
+		Attributes: rtnetlink.RouteAttributes{
+			Dst: destinationIP.AsSlice(),
+		},
+	}
+	messages, err := conn.Route.Get(requestMessage)
+	if err != nil {
+		return netip.Addr{}, fmt.Errorf("getting routes to %s: %w", destinationIP, err)
+	}
+
+	for _, message := range messages {
+		if message.Attributes.Src == nil {
+			continue
+		}
+		if message.Attributes.Src.To4() == nil {
+			return netip.AddrFrom16([16]byte(message.Attributes.Src)), nil
+		}
+		return netip.AddrFrom4([4]byte(message.Attributes.Src)), nil
+	}
+
+	return netip.Addr{}, fmt.Errorf("no route to %s", destinationIP)
+}

internal/restrictednet/https_integration_test.go

@@ -0,0 +1,117 @@
+//go:build integration
+
+package restrictednet
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/qdm12/dns/v2/pkg/provider"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type listenAddrPortMatcher struct {
+	expected netip.AddrPort
+}
+
+func (m listenAddrPortMatcher) Matches(x any) bool {
+	ip, ok := x.(netip.AddrPort)
+	if !ok {
+		return false
+	}
+	if m.expected.IsValid() {
+		return ip == m.expected
+	}
+	return ip.IsValid() && ip.Addr().IsValid() && ip.Port() > 0
+}
+
+func (m listenAddrPortMatcher) String() string {
+	if m.expected.IsValid() {
+		return "is the same as " + m.expected.String()
+	}
+	return "is a valid netip.AddrPort with a valid IP and non-zero port"
+}
+
+type destinationAddrPortMatcher struct {
+	expected netip.AddrPort
+}
+
+func (m destinationAddrPortMatcher) Matches(x any) bool {
+	ip, ok := x.(netip.AddrPort)
+	if !ok {
+		return false
+	}
+	if m.expected.IsValid() {
+		return ip == m.expected
+	}
+	return ip.IsValid() && ip.Port() == m.expected.Port()
+}
+
+func (m destinationAddrPortMatcher) String() string {
+	if m.expected.IsValid() {
+		return "is the same as " + m.expected.String()
+	}
+	return "matches the port " + fmt.Sprint(m.expected.Port())
+}
+
+func Test_Client_OpenHTTPS(t *testing.T) {
+	t.Parallel()
+	ctx := t.Context()
+	ctrl := gomock.NewController(t)
+
+	const destinationTLSName = "one.one.one.one"
+	destinationAddrPort := netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 443)
+
+	firewall := NewMockFirewall(ctrl)
+	sourceMatcher := listenAddrPortMatcher{}
+	firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		ctx, "tcp", "eth0", sourceMatcher, destinationAddrPort, false,
+	).DoAndReturn(func(_ context.Context,
+		_, _ string, source, _ netip.AddrPort, _ bool,
+	) error {
+		sourceMatcher.expected = source
+		return nil
+	})
+	firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		context.Background(), "tcp", "eth0", sourceMatcher, destinationAddrPort, true,
+	).Return(nil)
+
+	const ipv6Supported = false
+	upstreamResolvers := []provider.Provider{provider.Google()}
+	settings := Settings{
+		Firewall:          firewall,
+		DefaultInterface:  "eth0",
+		IPv6Supported:     ptrTo(ipv6Supported),
+		UpstreamResolvers: upstreamResolvers,
+	}
+	client := New(settings)
+
+	httpClient, cleanup, err := client.OpenHTTPS(ctx, destinationTLSName, destinationAddrPort)
+	require.NoError(t, err)
+	require.NotNil(t, httpClient)
+	require.NotNil(t, cleanup)
+
+	const requests = 2
+
+	for range requests {
+		request, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://"+destinationTLSName, nil)
+		require.NoError(t, err)
+
+		response, err := httpClient.Do(request)
+		require.NoError(t, err)
+		_, err = io.Copy(io.Discard, response.Body)
+		require.NoError(t, err)
+		err = response.Body.Close()
+		require.NoError(t, err)
+		assert.Equal(t, http.StatusOK, response.StatusCode)
+	}
+
+	err = cleanup()
+	require.NoError(t, err)
+}

internal/restrictednet/interfaces.go

@@ -0,0 +1,12 @@
+package restrictednet
+
+import (
+	"context"
+	"net/netip"
+)
+
+type Firewall interface {
+	AcceptOutputFromIPPortToIPPort(ctx context.Context,
+		protocol, intf string, source, destination netip.AddrPort, remove bool,
+	) error
+}

internal/restrictednet/mocks_generate_test.go

@@ -0,0 +1,3 @@
+package restrictednet
+
+//go:generate mockgen -destination=mocks_test.go -package=$GOPACKAGE . Firewall

internal/restrictednet/mocks_test.go

@@ -0,0 +1,50 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/qdm12/gluetun/internal/restrictednet (interfaces: Firewall)
+
+// Package restrictednet is a generated GoMock package.
+package restrictednet
+
+import (
+	context "context"
+	netip "net/netip"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockFirewall is a mock of Firewall interface.
+type MockFirewall struct {
+	ctrl     *gomock.Controller
+	recorder *MockFirewallMockRecorder
+}
+
+// MockFirewallMockRecorder is the mock recorder for MockFirewall.
+type MockFirewallMockRecorder struct {
+	mock *MockFirewall
+}
+
+// NewMockFirewall creates a new mock instance.
+func NewMockFirewall(ctrl *gomock.Controller) *MockFirewall {
+	mock := &MockFirewall{ctrl: ctrl}
+	mock.recorder = &MockFirewallMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockFirewall) EXPECT() *MockFirewallMockRecorder {
+	return m.recorder
+}
+
+// AcceptOutputFromIPPortToIPPort mocks base method.
+func (m *MockFirewall) AcceptOutputFromIPPortToIPPort(arg0 context.Context, arg1, arg2 string, arg3, arg4 netip.AddrPort, arg5 bool) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AcceptOutputFromIPPortToIPPort", arg0, arg1, arg2, arg3, arg4, arg5)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AcceptOutputFromIPPortToIPPort indicates an expected call of AcceptOutputFromIPPortToIPPort.
+func (mr *MockFirewallMockRecorder) AcceptOutputFromIPPortToIPPort(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AcceptOutputFromIPPortToIPPort", reflect.TypeOf((*MockFirewall)(nil).AcceptOutputFromIPPortToIPPort), arg0, arg1, arg2, arg3, arg4, arg5)
+}

internal/restrictednet/resolve.go

@@ -0,0 +1,205 @@
+package restrictednet
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"strconv"
+
+	"github.com/miekg/dns"
+)
+
+// ResolveName resolves the given host name to IP addresses using DoH servers,
+// while opening temporary restrictive firewall rules for HTTPS traffic to DoH servers.
+// The host must be a single well-formed domain name, without port or path.
+func (c *Client) ResolveName(ctx context.Context, host string) (
+	resolvedAddresses []netip.Addr, err error,
+) {
+	const maxTypes = 2
+	questionTypes := make([]uint16, 0, maxTypes)
+	if c.ipv6Supported {
+		questionTypes = append(questionTypes, dns.TypeAAAA)
+	}
+	questionTypes = append(questionTypes, dns.TypeA)
+
+	var addresses []netip.Addr
+	errs := make([]error, 0, len(questionTypes))
+	for _, questionType := range questionTypes {
+		answerAddresses, err := c.resolveOneQuestionType(ctx, host, questionType)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		addresses = append(addresses, answerAddresses...)
+	}
+
+	switch {
+	case len(addresses) > 0:
+		return addresses, nil
+	case len(errs) == 0:
+		return nil, nil // no address found
+	default: // errors
+		return nil, fmt.Errorf("resolving host %q: %w", host, errors.Join(errs...))
+	}
+}
+
+func (c *Client) resolveOneQuestionType(ctx context.Context,
+	host string, questionType uint16,
+) (addresses []netip.Addr, err error) {
+	queryMessage := &dns.Msg{}
+	queryMessage.SetQuestion(dns.Fqdn(host), questionType)
+	queryWire, err := queryMessage.Pack()
+	if err != nil {
+		return nil, fmt.Errorf("packing DNS query: %w", err)
+	}
+
+	// Try every DoH server and every of each of their IP until we get a non-empty
+	// successful response.
+	errs := make([]error, 0)
+	for _, dohServer := range c.dohServers {
+		dohURL, err := url.Parse(dohServer.URL)
+		if err != nil {
+			errs = append(errs,
+				fmt.Errorf("parsing DoH server URL %s: %w", dohServer.URL, err))
+			continue
+		}
+
+		dohServerIPs := make([]netip.Addr, 0, len(dohServer.IPv4)+len(dohServer.IPv6))
+		if c.ipv6Supported {
+			// Prefer IPv6 addresses if IPv6 is supported
+			dohServerIPs = append(dohServerIPs, dohServer.IPv6...)
+		}
+		dohServerIPs = append(dohServerIPs, dohServer.IPv4...)
+
+		for _, dohServerIP := range dohServerIPs {
+			const defaultDoHPort uint16 = 443
+			port := defaultDoHPort
+			if portStr := dohURL.Port(); portStr != "" {
+				port, err = parseDestinationPort(portStr)
+				if err != nil {
+					errs = append(errs, fmt.Errorf("parsing DoH server port: %w", err))
+					continue
+				}
+			}
+			dohServerAddrPort := netip.AddrPortFrom(dohServerIP, port)
+			responseMessage, err := c.doHQuery(ctx, queryWire, dohURL, dohServerAddrPort)
+			switch {
+			case err != nil:
+				errs = append(errs, fmt.Errorf("querying DoH server %q (%s): %w",
+					dohServer.URL, dohServerAddrPort, err))
+				continue
+			case responseMessage.Rcode != dns.RcodeSuccess:
+				errs = append(errs, fmt.Errorf("querying DoH server %q (%s): DNS rcode %s",
+					dohServer.URL, dohServerAddrPort, dns.RcodeToString[responseMessage.Rcode]))
+				continue
+			}
+			addresses := answersToNetipAddrs(responseMessage)
+			if len(addresses) == 0 {
+				continue
+			}
+			return addresses, nil
+		}
+	}
+
+	if len(errs) == 0 {
+		return nil, nil
+	}
+
+	return nil, fmt.Errorf("resolving %s %s: %w",
+		dns.TypeToString[questionType], host, errors.Join(errs...))
+}
+
+func (c *Client) doHQuery(ctx context.Context, queryWire []byte,
+	dohURL *url.URL, dohServerAddrPort netip.AddrPort,
+) (responseMessage *dns.Msg, err error) {
+	httpClient, cleanup, err := c.OpenHTTPS(ctx, dohURL.Hostname(), dohServerAddrPort)
+	if err != nil {
+		return nil, fmt.Errorf("opening https connection: %w", err)
+	}
+	defer func() {
+		closeErr := cleanup()
+		if err == nil && closeErr != nil {
+			err = fmt.Errorf("cleaning up https connection: %w", closeErr)
+		}
+	}()
+
+	requestBody := bytes.NewReader(queryWire)
+	request, err := http.NewRequestWithContext(ctx, http.MethodPost, dohURL.String(), requestBody)
+	if err != nil {
+		return nil, fmt.Errorf("creating request: %w", err)
+	}
+	request.Header.Set("Content-Type", "application/dns-message")
+	request.Header.Set("Accept", "application/dns-message")
+
+	response, err := httpClient.Do(request)
+	if err != nil {
+		return nil, err
+	}
+
+	responseData, err := io.ReadAll(response.Body)
+	if err != nil {
+		_ = response.Body.Close()
+		return nil, fmt.Errorf("reading response body: %w", err)
+	}
+
+	err = response.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("closing response body: %w", err)
+	}
+
+	if response.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("response status code is %s (data length %d)",
+			response.Status, len(responseData))
+	}
+
+	responseMessage = new(dns.Msg)
+	err = responseMessage.Unpack(responseData)
+	if err != nil {
+		return nil, fmt.Errorf("parsing DoH response: %w", err)
+	}
+
+	return responseMessage, nil
+}
+
+func answersToNetipAddrs(message *dns.Msg) (addresses []netip.Addr) {
+	if message == nil {
+		return nil
+	}
+	addresses = make([]netip.Addr, 0, len(message.Answer))
+	for _, answer := range message.Answer {
+		switch record := answer.(type) {
+		case *dns.A:
+			address, ok := netip.AddrFromSlice(record.A)
+			if ok {
+				addresses = append(addresses, address.Unmap())
+			}
+		case *dns.AAAA:
+			address, ok := netip.AddrFromSlice(record.AAAA)
+			if ok {
+				addresses = append(addresses, address)
+			}
+		}
+	}
+	return addresses
+}
+
+func parseDestinationPort(portStr string) (port uint16, err error) {
+	portUint, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return 0, err
+	}
+
+	const maxPortUint = 65535
+	switch {
+	case portUint == 0:
+		return 0, errors.New("port cannot be 0")
+	case portUint > maxPortUint:
+		return 0, fmt.Errorf("port cannot be greater than %d", maxPortUint)
+	}
+	return uint16(portUint), nil
+}

internal/restrictednet/resolve_integration_test.go

@@ -0,0 +1,110 @@
+//go:build integration
+
+package restrictednet
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/miekg/dns"
+	"github.com/qdm12/dns/v2/pkg/provider"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Client_ResolveName(t *testing.T) {
+	t.Parallel()
+	ctx := t.Context()
+	ctrl := gomock.NewController(t)
+
+	firewall := NewMockFirewall(ctrl)
+	sourceMatcher := listenAddrPortMatcher{}
+	destinationMatcher := destinationAddrPortMatcher{
+		expected: netip.AddrPortFrom(netip.Addr{}, 443),
+	}
+
+	// Add rule
+	firstCall := firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		ctx, "tcp", "eth0", sourceMatcher, destinationMatcher, false,
+	).DoAndReturn(func(
+		_ context.Context, _, _ string, source, destination netip.AddrPort, _ bool,
+	) error {
+		sourceMatcher.expected = source
+		destinationMatcher.expected = destination
+		return nil
+	})
+
+	// Removal rule
+	firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		context.Background(), "tcp", "eth0", sourceMatcher, destinationMatcher, true,
+	).Return(nil).After(firstCall)
+
+	settings := Settings{
+		DefaultInterface:  "eth0",
+		IPv6Supported:     ptrTo(false),
+		Firewall:          firewall,
+		UpstreamResolvers: []provider.Provider{provider.Cloudflare()},
+	}
+	client := New(settings)
+
+	addresses, err := client.ResolveName(ctx, "github.com")
+	require.NoError(t, err)
+	assert.NotEmpty(t, addresses)
+}
+
+func Test_answersToNetipAddrs(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		message  *dns.Msg
+		expected []netip.Addr
+	}{
+		"nil_message": {},
+		"no_answers": {
+			message:  &dns.Msg{},
+			expected: []netip.Addr{},
+		},
+		"a_record": {
+			message: &dns.Msg{Answer: []dns.RR{
+				&dns.A{
+					Hdr: dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET},
+					A:   net.IP{1, 1, 1, 1},
+				},
+			}},
+			expected: []netip.Addr{netip.MustParseAddr("1.1.1.1")},
+		},
+		"aaaa_record": {
+			message: &dns.Msg{Answer: []dns.RR{
+				&dns.AAAA{
+					Hdr:  dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeAAAA, Class: dns.ClassINET},
+					AAAA: net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88},
+				},
+			}},
+			expected: []netip.Addr{netip.MustParseAddr("2001:4860:4860::8888")},
+		},
+		"mixed_records": {
+			message: &dns.Msg{Answer: []dns.RR{
+				&dns.A{
+					Hdr: dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET},
+					A:   net.IP{1, 1, 1, 1},
+				},
+				&dns.AAAA{
+					Hdr:  dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeAAAA, Class: dns.ClassINET},
+					AAAA: net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88},
+				},
+			}},
+			expected: []netip.Addr{netip.MustParseAddr("1.1.1.1"), netip.MustParseAddr("2001:4860:4860::8888")},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			t.Parallel()
+			addresses := answersToNetipAddrs(testCase.message)
+			assert.Equal(t, testCase.expected, addresses)
+		})
+	}
+}

internal/restrictednet/settings.go

@@ -0,0 +1,28 @@
+package restrictednet
+
+import (
+	"errors"
+
+	"github.com/qdm12/dns/v2/pkg/provider"
+)
+
+type Settings struct {
+	DefaultInterface  string
+	IPv6Supported     *bool
+	Firewall          Firewall
+	UpstreamResolvers []provider.Provider
+}
+
+func (s *Settings) validate() error {
+	switch {
+	case s.DefaultInterface == "":
+		return errors.New("default interface is not set")
+	case s.IPv6Supported == nil:
+		return errors.New("IPv6 support field is not set")
+	case s.Firewall == nil:
+		return errors.New("firewall is not set")
+	case len(s.UpstreamResolvers) == 0:
+		return errors.New("no upstream resolvers provided")
+	}
+	return nil
+}

internal/restrictednet/unix.go

@@ -0,0 +1,121 @@
+//go:build !windows
+
+package restrictednet
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+func closeFD(fd int) {
+	unix.Close(fd)
+}
+
+func newTCPSockStream(family int) (fd int, err error) {
+	fd, err = unix.Socket(family, unix.SOCK_STREAM, unix.IPPROTO_TCP)
+	if err != nil {
+		return 0, err
+	}
+	err = unix.SetNonblock(fd, true)
+	if err != nil {
+		_ = unix.Close(fd)
+		return 0, err
+	}
+	return fd, nil
+}
+
+func bindFD(fd int, address netip.AddrPort) error {
+	bindAddr := makeSockAddr(address)
+	return unix.Bind(fd, bindAddr)
+}
+
+func connectFD(ctx context.Context, fd int, destination netip.AddrPort) error {
+	err := unix.Connect(fd, makeSockAddr(destination))
+	switch {
+	case err == nil:
+		return nil
+	case !errors.Is(err, unix.EINPROGRESS):
+		return err
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			bitsIndex := fd / 64 //nolint:mnd
+			if bitsIndex >= len(unix.FdSet{}.Bits) {
+				return fmt.Errorf("fd %d exceeds unix.Select FdSet capacity", fd)
+			}
+			wset := &unix.FdSet{}
+			wset.Bits[bitsIndex] |= 1 << (uint64(fd) % 64) //nolint:gosec,mnd
+			eset := &unix.FdSet{}
+			eset.Bits[bitsIndex] |= 1 << (uint64(fd) % 64) //nolint:gosec,mnd
+			const selectTimeout = 50 * time.Millisecond
+			timeval := unix.NsecToTimeval(int64(selectTimeout))
+
+			// Wait for the FD to become writable or hit an error state
+			n, err := unix.Select(fd+1, nil, wset, eset, &timeval)
+			if err != nil {
+				if errors.Is(err, unix.EINTR) {
+					continue // Syscall interrupted, try again
+				}
+				return fmt.Errorf("select error: %w", err)
+			} else if n == 0 {
+				continue // no status change yet
+			}
+
+			// Check if the socket encountered an error
+			n, err = unix.GetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_ERROR)
+			if err != nil {
+				return fmt.Errorf("getsockopt error: %w", err)
+			} else if n != 0 {
+				return fmt.Errorf("connect failed asynchronously: %w", unix.Errno(n))
+			}
+
+			return nil
+		}
+	}
+}
+
+func fdToSourceAddr(fd int) (sourceAddrPort netip.AddrPort, err error) {
+	sockAddr, err := unix.Getsockname(fd)
+	if err != nil {
+		return netip.AddrPort{}, fmt.Errorf("getting sockname: %w", err)
+	}
+
+	sourceAddrPort, err = sockAddrToAddrPort(sockAddr)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+	return sourceAddrPort, nil
+}
+
+func makeSockAddr(addressPort netip.AddrPort) unix.Sockaddr {
+	if addressPort.Addr().Is4() {
+		return &unix.SockaddrInet4{
+			Port: int(addressPort.Port()),
+			Addr: addressPort.Addr().As4(),
+		}
+	}
+	return &unix.SockaddrInet6{
+		Port: int(addressPort.Port()),
+		Addr: addressPort.Addr().As16(),
+	}
+}
+
+func sockAddrToAddrPort(sockAddr unix.Sockaddr) (addrPort netip.AddrPort, err error) {
+	switch typedSockAddr := sockAddr.(type) {
+	case *unix.SockaddrInet4:
+		return netip.AddrPortFrom(netip.AddrFrom4(typedSockAddr.Addr), uint16(typedSockAddr.Port)), nil //nolint:gosec
+	case *unix.SockaddrInet6:
+		return netip.AddrPortFrom(netip.AddrFrom16(typedSockAddr.Addr), uint16(typedSockAddr.Port)), nil //nolint:gosec
+	default:
+		return netip.AddrPort{}, fmt.Errorf("unexpected socket address type %T", typedSockAddr)
+	}
+}

internal/restrictednet/windows.go

@@ -0,0 +1,28 @@
+//go:build windows
+
+package restrictednet
+
+import (
+	"context"
+	"net/netip"
+)
+
+func closeFD(fd int) {
+	panic("not implemented")
+}
+
+func newTCPSockStream(family int) (fd int, err error) {
+	panic("not implemented")
+}
+
+func bindFD(fd int, address netip.AddrPort) error {
+	panic("not implemented")
+}
+
+func connectFD(ctx context.Context, fd int, destination netip.AddrPort) error {
+	panic("not implemented")
+}
+
+func fdToSourceAddr(fd int) (sourceAddrPort netip.AddrPort, err error) {
+	panic("not implemented")
+}

internal/socks5/server_integration_test.go

@@ -1,112 +0,0 @@
-//go:build integration
-
-package socks5
-
-import (
-	"math/rand/v2"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func Test_Server_UDPResolution(t *testing.T) {
-	t.Parallel()
-	ctx := t.Context()
-
-	server := newServer(Settings{
-		Address: "127.0.0.1:0",
-		Logger:  noopLogger{},
-	})
-	runErr, err := server.Start(ctx)
-	require.NoError(t, err, "starting SOCKS5 server")
-
-	const timeout = 3 * time.Second
-
-	// Connect to the SOCKS5 server via TCP to negotiate UDP associate
-	dialer := &net.Dialer{Timeout: timeout}
-	tcpConn, err := dialer.DialContext(ctx, "tcp", server.listeningAddress().String())
-	require.NoError(t, err, "tcp connecting to SOCKS5 server")
-	t.Cleanup(func() { tcpConn.Close() })
-
-	negotiateSOCKS5(t, tcpConn, "", "")
-
-	// UDP Associate Command: [VERSION (5), CMD (3 = UDP ASSOC), RSV (0), ATYP (1 = IPv4), ADDR (0.0.0.0), PORT (0)]
-	_, err = tcpConn.Write([]byte{5, 3, 0, 1, 0, 0, 0, 0, 0, 0})
-	require.NoError(t, err, "sending UDP ASSOC request")
-
-	relayAddressString, err := readSOCKS5ResponseAddress(t, tcpConn)
-	require.NoError(t, err, "reading UDP ASSOC reply")
-	relayAddress, err := net.ResolveUDPAddr("udp", relayAddressString)
-	require.NoError(t, err, "resolving udp relay address")
-
-	// Dial the relay using IPv4 so source IP family matches the control connection.
-	udpConn, err := net.DialUDP("udp4", nil, relayAddress)
-	require.NoError(t, err, "dialing UDP relay")
-	t.Cleanup(func() { _ = udpConn.Close() })
-
-	queryID := uint16(rand.Uint32()) //nolint:gosec
-	dnsRequest := &dns.Msg{
-		MsgHdr: dns.MsgHdr{
-			Id:               queryID,
-			RecursionDesired: true,
-		},
-		Question: []dns.Question{{
-			Name:   dns.Fqdn("github.com"),
-			Qtype:  dns.TypeA,
-			Qclass: dns.ClassINET,
-		}},
-	}
-	dnsQuery, err := dnsRequest.Pack()
-	require.NoError(t, err)
-
-	// Encapsulate DNS payload into SOCKS5 UDP Request Header
-	// [RSV (0,0), FRAG (0), ATYP (1 = IPv4), DST.ADDR (1.1.1.1), DST.PORT (53)]
-	packet := append([]byte{0, 0, 0, 1, 1, 1, 1, 1, 0, 53}, dnsQuery...)
-
-	// Send encapsulated packet to the proxy's UDP relay address
-	_, err = udpConn.Write(packet)
-	require.NoError(t, err, "sending UDP packet to relay")
-
-	// Read response from the proxy relay
-	err = udpConn.SetReadDeadline(time.Now().Add(timeout))
-	require.NoError(t, err, "setting read deadline on UDP connection")
-	buffer := make([]byte, 2048)
-	n, err := udpConn.Read(buffer)
-	require.NoError(t, err, "receiving UDP response from relay")
-	const minimumHeaderSize = 10
-	require.GreaterOrEqual(t, n, minimumHeaderSize, "received UDP packet too short to contain valid SOCKS5 header")
-
-	// Verify header layout and slice out the raw DNS response
-	// Header format: RSV(2) FRAG(1) ATYP(1) DST.ADDR(variable) DST.PORT(2)
-	atyp := buffer[3]
-	var headerSize int
-	switch atyp {
-	case 1: // IPv4
-		headerSize = 10
-	case 3: // Domain name
-		headerSize = 4 + 1 + int(buffer[4]) + 2
-	case 4: // IPv6
-		headerSize = 22
-	default:
-		t.Fatalf("Unknown ATYP in SOCKS5 UDP header: %d", atyp)
-	}
-
-	dnsResponse := new(dns.Msg)
-	err = dnsResponse.Unpack(buffer[headerSize:n])
-	require.NoError(t, err, "unpacking DNS response from SOCKS5 UDP packet")
-
-	assert.Equal(t, queryID, dnsResponse.Id, "DNS response ID should match query ID")
-
-	select {
-	case err := <-runErr:
-		require.NoError(t, err, "SOCKS5 server run error")
-	default:
-	}
-
-	err = server.Stop()
-	require.NoError(t, err, "stopping SOCKS5 server")
-}

internal/socks5/udp_router.go

@@ -76,7 +76,7 @@ func (r *udpRouter) registerAssociation(controlConn net.Conn, expectedAddrPort n
 	r.mutex.Lock()
 	defer r.mutex.Unlock()
 
-	const udpPacketChannelBuffer = 64
+	const udpPacketChannelBuffer = 2
 	associationID := r.nextAssociationID
 	r.nextAssociationID++
 

internal/storage/copy.go

@@ -1,15 +1,23 @@
 package storage
 
 import (
-	"slices"
+	"net/netip"
 
 	"github.com/qdm12/gluetun/internal/models"
 )
 
 func copyServer(server models.Server) (serverCopy models.Server) {
 	serverCopy = server
-	serverCopy.IPs = slices.Clone(server.IPs)
-	serverCopy.PortsTCP = slices.Clone(server.PortsTCP)
-	serverCopy.PortsUDP = slices.Clone(server.PortsUDP)
+	serverCopy.IPs = copyIPs(server.IPs)
 	return serverCopy
 }
+
+func copyIPs(toCopy []netip.Addr) (copied []netip.Addr) {
+	if toCopy == nil {
+		return nil
+	}
+
+	copied = make([]netip.Addr, len(toCopy))
+	copy(copied, toCopy)
+	return copied
+}

internal/storage/copy_test.go

@@ -21,9 +21,43 @@ func Test_copyServer(t *testing.T) {
 	assert.Equal(t, server, serverCopy)
 	// Check for mutation
 	serverCopy.IPs[0] = netip.AddrFrom4([4]byte{9, 9, 9, 9})
-	serverCopy.PortsTCP = []uint16{80}
-	serverCopy.PortsUDP = []uint16{53}
-	assert.NotEqual(t, server.IPs, serverCopy.IPs)
-	assert.NotEqual(t, server.PortsTCP, serverCopy.PortsTCP)
-	assert.NotEqual(t, server.PortsUDP, serverCopy.PortsUDP)
+	assert.NotEqual(t, server, serverCopy)
+}
+
+func Test_copyIPs(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		toCopy []netip.Addr
+		copied []netip.Addr
+	}{
+		"nil": {},
+		"empty": {
+			toCopy: []netip.Addr{},
+			copied: []netip.Addr{},
+		},
+		"single IP": {
+			toCopy: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})},
+			copied: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})},
+		},
+		"two IPs": {
+			toCopy: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1}), netip.AddrFrom4([4]byte{2, 2, 2, 2})},
+			copied: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1}), netip.AddrFrom4([4]byte{2, 2, 2, 2})},
+		},
+	}
+
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			copied := copyIPs(testCase.toCopy)
+
+			assert.Equal(t, testCase.copied, copied)
+
+			if len(copied) > 0 {
+				testCase.toCopy[0] = netip.AddrFrom4([4]byte{9, 9, 9, 9})
+				assert.NotEqual(t, testCase.toCopy[0], testCase.copied[0])
+			}
+		})
+	}
 }

internal/storage/filter.go

@@ -3,7 +3,6 @@ package storage
 import (
 	"errors"
 	"fmt"
-	"slices"
 	"strings"
 
 	"github.com/qdm12/gluetun/internal/configuration/settings"
@@ -49,7 +48,6 @@ func (s *Storage) FilterServers(provider string, selection settings.ServerSelect
 	return servers, nil
 }
 
-//nolint:gocognit,gocyclo
 func filterServer(server models.Server,
 	selection settings.ServerSelection,
 ) (filtered bool) {
@@ -92,11 +90,6 @@ func filterServer(server models.Server,
 		return true
 	}
 
-	if (*selection.Dedicated && !server.Dedicated) ||
-		(!*selection.Dedicated && server.Dedicated) {
-		return false
-	}
-
 	if filterByPossibilities(server.Country, selection.Countries) {
 		return true
 	}
@@ -129,14 +122,6 @@ func filterServer(server models.Server,
 		return true
 	}
 
-	serverPorts := server.PortsUDP
-	if server.VPN == vpn.OpenVPN && server.TCP {
-		serverPorts = server.PortsTCP
-	}
-	if filterByPorts(selection, serverPorts) {
-		return true
-	}
-
 	// TODO filter port forward server for PIA
 
 	return false
@@ -180,21 +165,3 @@ func filterByProtocol(selection settings.ServerSelection,
 		return (wantTCP && !serverTCP) || (wantUDP && !serverUDP)
 	}
 }
-
-func filterByPorts(selection settings.ServerSelection,
-	serverPorts []uint16,
-) (filtered bool) {
-	if len(serverPorts) == 0 {
-		return false
-	}
-
-	customPort := *selection.OpenVPN.CustomPort
-	if selection.VPN == vpn.Wireguard {
-		customPort = *selection.Wireguard.EndpointPort
-	}
-	if customPort == 0 {
-		return false
-	}
-
-	return !slices.Contains(serverPorts, customPort)
-}

internal/storage/formatting.go

@@ -14,7 +14,7 @@ func commaJoin(slice []string) string {
 	return strings.Join(slice, ", ")
 }
 
-func noServerFoundError(selection settings.ServerSelection) (err error) { //nolint:gocyclo
+func noServerFoundError(selection settings.ServerSelection) (err error) {
 	var messageParts []string
 
 	messageParts = append(messageParts, "VPN "+selection.VPN)
@@ -155,15 +155,6 @@ func noServerFoundError(selection settings.ServerSelection) (err error) { //noli
 			"target ip address "+targetIP.String())
 	}
 
-	customPort := *selection.OpenVPN.CustomPort
-	if selection.VPN == vpn.Wireguard {
-		customPort = *selection.Wireguard.EndpointPort
-	}
-	if customPort > 0 {
-		messageParts = append(messageParts,
-			fmt.Sprintf("%s endpoint port %d", selection.VPN, customPort))
-	}
-
 	message := "for " + strings.Join(messageParts, "; ")
 
 	return fmt.Errorf("no server found: %s", message)

internal/storage/hardcoded.go

@@ -20,8 +20,7 @@ func parseHardcodedServers() (allServers models.AllServers) {
 		filename := provider + ".json"
 		providerFile, err := serversmodule.Files.Open(filename)
 		if err != nil {
-			const rootURL = "https://github.com/qdm12/gluetun-servers/blob/main/pkg/servers"
-			panic(fmt.Sprintf("reading embedded provider file defined at %s/%s: %s", rootURL, filename, err))
+			panic(fmt.Sprintf("reading embedded provider file %s for %s: %s", filename, provider, err))
 		}
 		defer providerFile.Close() // no-op
 

internal/storage/hardcoded_test.go

@@ -33,10 +33,7 @@ func Test_parseHardcodedServers(t *testing.T) {
 func Test_parseHardcodedServers_filepathsAndEmbeddedProviderFiles(t *testing.T) {
 	t.Parallel()
 
-	var hardcodedServers models.AllServers
-	require.NotPanics(t, func() {
-		hardcodedServers = parseHardcodedServers()
-	})
+	hardcodedServers := parseHardcodedServers()
 
 	allProviders := providers.All()
 	for _, provider := range allProviders {