Merge branch 'master' into restrictednet

- default to weekly instead of daily
- check gluetun-servers daily
- check some Go modules only quartely since they are not important

.github/CONTRIBUTING.md

@@ -4,12 +4,12 @@ Contributions are [released](https://help.github.com/articles/github-terms-of-se
 
 ## Submitting a pull request
 
-1. [Fork](https://github.com/qdm12/gluetun/fork) and clone the repository
+1. [Fork](https://github.com/passteque/gluetun/fork) and clone the repository
 1. Create a new branch `git checkout -b my-branch-name`
 1. Modify the code
 1. Ensure the docker build succeeds `docker build .` (you might need `export DOCKER_BUILDKIT=1`)
 1. Commit your modifications
-1. Push to your fork and [submit a pull request](https://github.com/qdm12/gluetun/compare)
+1. Push to your fork and [submit a pull request](https://github.com/passteque/gluetun/compare)
 
 ## Resources
 

.github/ISSUE_TEMPLATE/config.yml

@@ -4,8 +4,8 @@ contact_links:
     url: https://github.com/qdm12/gluetun-wiki/issues/new/choose
     about: Please create an issue on the gluetun-wiki repository.
   - name: Configuration help?
-    url: https://github.com/qdm12/gluetun/discussions/new/choose
+    url: https://github.com/passteque/gluetun/discussions/new/choose
     about: Please create a Github discussion.
   - name: Unraid template issue
-    url: https://github.com/qdm12/gluetun/discussions/550
+    url: https://github.com/passteque/gluetun/discussions/550
     about: Please read the relevant Github discussion.

.github/dependabot.yml

@@ -4,12 +4,38 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
   - package-ecosystem: docker
     directory: /
     schedule:
-      interval: "daily"
-  - package-ecosystem: gomod
-    directory: /
+      interval: "weekly"
+  - # Servers data dependency that should be updated as soon as
+    # possible when a new version is released, to have the latest
+    # servers available
+    package-ecosystem: "gomod"
+    directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
+    ignore:
+      - # In particular avoid amneziawg-go which have v1.x.y versions available
+        # on the Go modules proxy, but are not in the Github repository tags
+        # and are not the latest releases either. Most likely a mistake from the
+        # maintainers, which is persisted on the Go proxy.
+        dependency-name: "github.com/amnezia-vpn/amneziawg-go"
+        versions: ["1.x"]
+    groups:
+      low-importance:
+        patterns:
+          - "github.com/breml/rootcerts"
+          - "github.com/fatih/color"
+          - "github.com/golang/mock"
+          - "github.com/klauspost/compress"
+          - "github.com/klauspost/pgzip"
+          - "github.com/pelletier/go-toml/v2"
+          - "github.com/qdm12/goshutdown"
+          - "github.com/qdm12/gosplash"
+          - "github.com/qdm12/gotree"
+          - "github.com/qdm12/log"
+          - "github.com/stretchr/testify"
+          - "github.com/ulikunitz/xz"
+          - "gopkg.in/ini.v1"

.github/labels.yml

@@ -140,6 +140,8 @@
   color: "ffc7ea"
 - name: "Category: Shadowsocks 🔁"
   color: "ffc7ea"
+- name: "Category: Socks5 proxy 🔁"
+  color: "ffc7ea"
 - name: "Category: control server ⚙️"
   color: "ffc7ea"
 - name: "Category: kernel 🧠"

.github/pull_request_template.md

@@ -8,5 +8,4 @@
 
 # Assertions
 
-* [ ] I am aware that we do not accept manual changes to the servers.json file <!-- If this is your goal, please consult https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-using-the-command-line -->
 * [ ] I am aware that any changes to settings should be reflected in the [wiki](https://github.com/qdm12/gluetun-wiki/)

.github/workflows/ci.yml

@@ -28,6 +28,10 @@ on:
       - go.mod
       - go.sum
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   verify:
     runs-on: ubuntu-latest
@@ -44,7 +48,6 @@ jobs:
           locale: "US"
           level: error
           exclude: |
-            ./internal/storage/servers.json
             ./.golangci.yml
             *.md
 
@@ -64,6 +67,10 @@ jobs:
           -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
           test-container
 
+      - name: Run integration tests in test container
+        run: |
+          docker run --rm --entrypoint go test-container test -tags=integration ./internal/restrictednet
+
       - name: Verify dev cross platform compatibility
         run: docker build --target xcompile .
 
@@ -92,13 +99,13 @@ jobs:
 
   verify-private:
     if: |
-      github.repository == 'qdm12/gluetun' &&
+      github.repository == 'passteque/gluetun' &&
       (
         github.event_name == 'push' ||
         github.event_name == 'release' ||
         (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
       )
-    needs: [ verify ]
+    needs: [verify]
     runs-on: ubuntu-latest
     environment: secrets
     steps:
@@ -120,7 +127,8 @@ jobs:
 
       - name: Run Gluetun container with ProtonVPN Wireguard and port forwarding
           configuration
-        run: echo -e "${{ secrets.PROTONVPN_WIREGUARD_PRIVATE_KEY }}" | ./ci/runner
+        run:
+          echo -e "${{ secrets.PROTONVPN_WIREGUARD_PRIVATE_KEY }}" | ./ci/runner
           protonvpn-wireguard-port-forwarding
 
       - name: Run Gluetun container with ProtonVPN OpenVPN and port forwarding
@@ -129,11 +137,12 @@ jobs:
           secrets.PROTONVPN_OPENVPN_PASSWORD }}" | ./ci/runner
           protonvpn-openvpn-port-forwarding
 
-      - name: Run Gluetun container with Private Internet Access OpenVPN and port
-          forwarding configuration
-        run: echo -e "${{ secrets.PRIVATEINTERNETACCESS_OPENVPN_USER }}\n${{
-          secrets.PRIVATEINTERNETACCESS_OPENVPN_PASSWORD }}" | ./ci/runner
-          private-internet-access-openvpn-port-forwarding
+      # - name:
+      #     Run Gluetun container with Private Internet Access OpenVPN and port
+      #     forwarding configuration
+      #   run: echo -e "${{ secrets.PRIVATEINTERNETACCESS_OPENVPN_USER }}\n${{
+      #     secrets.PRIVATEINTERNETACCESS_OPENVPN_PASSWORD }}" | ./ci/runner
+      #     private-internet-access-openvpn-port-forwarding
 
       - name: Run Gluetun container with AirVPN Wireguard configuration
         run: echo -e "${{ secrets.AIRVPN_WIREGUARD_PRIVATE_KEY }}\n${{
@@ -141,7 +150,8 @@ jobs:
           secrets.AIRVPN_WIREGUARD_ADDRESSES }}" | ./ci/runner airvpn-wireguard
 
       - name: Run Gluetun container with AirVPN OpenVPN configuration
-        run: echo -e "${{ secrets.AIRVPN_OPENVPN_KEY }}\n${{ secrets.AIRVPN_OPENVPN_CERT
+        run:
+          echo -e "${{ secrets.AIRVPN_OPENVPN_KEY }}\n${{ secrets.AIRVPN_OPENVPN_CERT
           }}" | ./ci/runner airvpn-openvpn
 
   codeql:
@@ -163,18 +173,19 @@ jobs:
 
   publish:
     if: |
-      github.repository == 'qdm12/gluetun' &&
+      github.repository == 'passteque/gluetun' &&
       (
         github.event_name == 'push' ||
         github.event_name == 'release' ||
         (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
       )
-    needs: [ verify, verify-private, codeql ]
+    needs: [verify, verify-private, codeql]
     permissions:
       actions: read
       contents: read
       packages: write
     runs-on: ubuntu-latest
+    environment: secrets
     steps:
       - uses: actions/checkout@v6
 
@@ -209,7 +220,7 @@ jobs:
         with:
           registry: ghcr.io
           username: qdm12
-          password: ${{ github.token }}
+          password: ${{ secrets.GHCR_PAT }}
 
       - name: Short commit
         id: shortcommit

.github/workflows/markdown.yml

@@ -11,12 +11,17 @@ on:
       - "**.md"
       - .github/workflows/markdown.yml
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
   markdown:
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
+    environment: secrets
     steps:
       - uses: actions/checkout@v6
 
@@ -38,7 +43,7 @@ jobs:
           config-file: .github/workflows/configs/mlc-config.json
 
       - uses: peter-evans/dockerhub-description@v5
-        if: github.repository == 'qdm12/gluetun' && github.event_name == 'push'
+        if: github.repository == 'passteque/gluetun' && github.event_name == 'push'
         with:
           username: qmcgaw
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/update-servers-list.yml

@@ -1,98 +0,0 @@
-name: Update servers list
-on:
-  workflow_dispatch:
-    inputs:
-      provider:
-        description: "VPN Provider to update"
-        required: true
-        default: "all"
-        type: choice
-        options:
-          - all
-          - airvpn
-          - cyberghost
-          - expressvpn
-          - fastestvpn
-          - giganews
-          - hidemyass
-          - ipvanish
-          - ivpn
-          - mullvad
-          - nordvpn
-          - perfect privacy
-          - privado
-          - private internet access
-          - privatevpn
-          - protonvpn
-          - purevpn
-          - slickvpn
-          - surfshark
-          - torguard
-          - vpnsecure
-          - vpn unlimited
-          - vyprvpn
-          - windscribe
-  schedule:
-    - cron: "11 3 1 */2 *" # Run at 03:11 on the 1st of every 2nd month
-jobs:
-  update-servers-list:
-    if: github.repository == 'qdm12/gluetun'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: write
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-
-      - name: Update servers list
-        run: |
-          SELECTED_PROVIDER="${{ github.event.inputs.provider || 'all' }}"
-
-          if [ "$SELECTED_PROVIDER" = "all" ]; then
-            FLAGS="-all"
-          else
-            FLAGS="-providers $SELECTED_PROVIDER"
-          fi
-
-          go run ./cmd/gluetun/main.go update $FLAGS \
-            -maintainer \
-            -proton-email "${{ secrets.PROTON_EMAIL }}" \
-            -proton-password "${{ secrets.PROTON_PASSWORD }}"
-
-      - name: Check for changes
-        run: |
-          if git diff --exit-code internal/storage/servers.json >/dev/null; then
-            echo "Error: internal/storage/servers.json was not modified."
-            exit 1
-          fi
-
-      - name: Check no other file changes
-        run: |
-          if ! git diff --exit-code --quiet ':!internal/storage/servers.json'; then
-            echo "Error: Unexpected changes detected in files other than servers.json"
-            git status --short
-            exit 1
-          fi
-
-      - name: Create Pull Request
-        id: createpr
-        uses: peter-evans/create-pull-request@v8
-        with:
-          branch-suffix: timestamp
-          branch: bot/update-servers-list
-          base: master
-          delete-branch: true
-          title: "feat(providers/${{ github.event.inputs.provider || 'all' }}): servers data update"
-          body: |
-            This PR was automatically generated by the [Update servers list](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) workflow run.
-
-      # - name: Merge Pull Request
-      #   env:
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #   run: |
-      #     gh pr merge ${{ steps.createpr.outputs.pull-request-number }} --auto -m -d

.golangci.yml

@@ -12,6 +12,10 @@ formatters:
       - builtin$
       - examples$
 
+run:
+  build-tags:
+    - integration
+
 linters:
   settings:
     misspell:

.vscode/settings.json

@@ -3,7 +3,7 @@
   // to develop this project.
   "files.eol": "\n",
   "editor.formatOnSave": true,
-  "go.buildTags": "linux",
+  "go.buildTags": "linux,integration",
   "go.toolsEnvVars": {
     "CGO_ENABLED": "0"
   },

AGENTS.md

@@ -50,6 +50,7 @@ Guidance for coding agents working in this repository.
 - Prefer splitting a code line only when it triggers the `lll` linter, do not split a command or arguments list for each element
 - Use `netip` types instead of `net` types whenever possible
 - Use constants instead of variables whenever possible, especially function-local inline constants.
+- Prefer using pure functions over methods when possible. Especially if the method does not need any fields from the receiving struct, it should be a pure function.
 - Do not use `time.Sleep`, prefer using a `time.Timer` with a `select` statement also listening on a context cancelation
 - `panic`:
   - should only be used when a programming error is encountered and you should NOT return errors for programming errors (such as passing nil objects)
@@ -115,6 +116,7 @@ Mocking works with the `go.uber.org/mock` library, and the `mockgen` tool.
   - **Never** use `.AnyTimes()` on mocks. Always define the number of times a certain mock call should be called, with `.Times(3)` for example.
   - **Always** set the `.Return(...)` on the mock if the function returns something.
   - Avoid using **mock helpers** functions, prefer a bit of repetition than tight coupling and dependency
+  - Always define the gomock controller `ctrl` in the subtest and not in the parent test, or a subtest mock failing will crash all the other subtests.
 
 ### main.go
 
@@ -127,6 +129,7 @@ The Go formatter used is gofumpt.
 ### Errors
 
 - Always prefer wrapping errors with some context with `fmt.Errorf("doing this: %w", err)`
+- Use `errors.New("error message")` when creating a 'bottom' constant string error without additional context, instead of `fmt.Errorf`
 - In rare cases, you can just use `return err` notably:
   - If the function is called **recursively**, since we don't wrap the wrapping multiple times for each recursion
   - If the current function only statement is the call to another function, for example:
@@ -179,6 +182,8 @@ The Go formatter used is gofumpt.
 
 - Do not use `http.DefaultClient`, use a custom `*http.Client` with a fixed timeout and share with dependency injections.
 - Do not check for injected dependencies being `nil`, prefer to just panic on a nil pointer. By default it's fine to panic if a developer injects a dependency `nil`. `nil` does not mean use a default.
+- Prefer using a `switch { case ...}` statement over multiple consecutive `if` statements to have shorter code.
+- Prefer using `[...]T` instead of `[]T` when the length is fixed and known at compile time, to avoid unnecessary allocations.
 
 ## Validation checklist
 

Dockerfile

@@ -72,9 +72,9 @@ LABEL \
     org.opencontainers.image.created=$CREATED \
     org.opencontainers.image.version=$VERSION \
     org.opencontainers.image.revision=$COMMIT \
-    org.opencontainers.image.url="https://github.com/qdm12/gluetun" \
-    org.opencontainers.image.documentation="https://github.com/qdm12/gluetun" \
-    org.opencontainers.image.source="https://github.com/qdm12/gluetun" \
+    org.opencontainers.image.url="https://github.com/passteque/gluetun" \
+    org.opencontainers.image.documentation="https://github.com/passteque/gluetun" \
+    org.opencontainers.image.source="https://github.com/passteque/gluetun" \
     org.opencontainers.image.title="VPN swiss-knife like client for multiple VPN providers" \
     org.opencontainers.image.description="VPN swiss-knife like client to tunnel to multiple VPN servers using OpenVPN, IPtables, DNS over TLS, Shadowsocks, an HTTP proxy and Alpine Linux"
 ENV VPN_SERVICE_PROVIDER=pia \
@@ -240,6 +240,11 @@ ENV VPN_SERVICE_PROVIDER=pia \
     SHADOWSOCKS_PASSWORD= \
     SHADOWSOCKS_PASSWORD_SECRETFILE=/run/secrets/shadowsocks_password \
     SHADOWSOCKS_CIPHER=chacha20-ietf-poly1305 \
+    # Socks5
+    SOCKS5_ENABLED=off \
+    SOCKS5_LISTENING_ADDRESS=":1080" \
+    SOCKS5_USER= \
+    SOCKS5_PASSWORD= \
     # Control server
     HTTP_CONTROL_SERVER_LOG=on \
     HTTP_CONTROL_SERVER_ADDRESS=":8000" \
@@ -271,7 +276,7 @@ ENV VPN_SERVICE_PROVIDER=pia \
     PUID=1000 \
     PGID=1000
 ENTRYPOINT ["/gluetun-entrypoint"]
-EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp
+EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp 1080/tcp 1080/udp
 HEALTHCHECK --interval=5s --timeout=5s --start-period=10s --retries=3 CMD /gluetun-entrypoint healthcheck
 ARG TARGETPLATFORM
 RUN apk add --no-cache --update -l wget && \

README.md

@@ -6,9 +6,9 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 
 🗯️ this repository will be migrated to [github.com/passteque/gluetun](https://github.com/passteque/gluetun) on 2026-05-21, which is a Github organization under my sole control, so don't get alarmed if you get redirected in the coming days 😉 Reason being migrating Github sponsors to the Open source collective due to my personal situation, basically annoying paperwork. On the plus side, it will be more transparent and funds donated will only be used for the project. The Docker image names will remain the same.
 
-![Title image](https://raw.githubusercontent.com/qdm12/gluetun/master/title.svg)
+![Title image](https://raw.githubusercontent.com/passteque/gluetun/master/title.svg)
 
-[![Build status](https://github.com/qdm12/gluetun/actions/workflows/ci.yml/badge.svg)](https://github.com/qdm12/gluetun/actions/workflows/ci.yml)
+[![Build status](https://github.com/passteque/gluetun/actions/workflows/ci.yml/badge.svg)](https://github.com/passteque/gluetun/actions/workflows/ci.yml)
 
 [![Docker pulls qmcgaw/gluetun](https://img.shields.io/docker/pulls/qmcgaw/gluetun.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
 [![Docker pulls qmcgaw/private-internet-access](https://img.shields.io/docker/pulls/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
@@ -16,23 +16,23 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 [![Docker stars qmcgaw/gluetun](https://img.shields.io/docker/stars/qmcgaw/gluetun.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
 [![Docker stars qmcgaw/private-internet-access](https://img.shields.io/docker/stars/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
 
-![Last release](https://img.shields.io/github/release/qdm12/gluetun?label=Last%20release)
+![Last release](https://img.shields.io/github/release/passteque/gluetun?label=Last%20release)
 ![Last Docker tag](https://img.shields.io/docker/v/qmcgaw/gluetun?sort=semver&label=Last%20Docker%20tag)
 [![Last release size](https://img.shields.io/docker/image-size/qmcgaw/gluetun?sort=semver&label=Last%20released%20image)](https://hub.docker.com/r/qmcgaw/gluetun/tags?page=1&ordering=last_updated)
-![GitHub last release date](https://img.shields.io/github/release-date/qdm12/gluetun?label=Last%20release%20date)
-![Commits since release](https://img.shields.io/github/commits-since/qdm12/gluetun/latest?sort=semver)
+![GitHub last release date](https://img.shields.io/github/release-date/passteque/gluetun?label=Last%20release%20date)
+![Commits since release](https://img.shields.io/github/commits-since/passteque/gluetun/latest?sort=semver)
 
 [![Latest size](https://img.shields.io/docker/image-size/qmcgaw/gluetun/latest?label=Latest%20image)](https://hub.docker.com/r/qmcgaw/gluetun/tags)
 
-[![GitHub last commit](https://img.shields.io/github/last-commit/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/commits/master)
-[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/graphs/contributors)
-[![GitHub closed PRs](https://img.shields.io/github/issues-pr-closed/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/pulls?q=is%3Apr+is%3Aclosed)
-[![GitHub issues](https://img.shields.io/github/issues/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues)
-[![GitHub closed issues](https://img.shields.io/github/issues-closed/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues?q=is%3Aissue+is%3Aclosed)
+[![GitHub last commit](https://img.shields.io/github/last-commit/passteque/gluetun.svg)](https://github.com/passteque/gluetun/commits/master)
+[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/passteque/gluetun.svg)](https://github.com/passteque/gluetun/graphs/contributors)
+[![GitHub closed PRs](https://img.shields.io/github/issues-pr-closed/passteque/gluetun.svg)](https://github.com/passteque/gluetun/pulls?q=is%3Apr+is%3Aclosed)
+[![GitHub issues](https://img.shields.io/github/issues/passteque/gluetun.svg)](https://github.com/passteque/gluetun/issues)
+[![GitHub closed issues](https://img.shields.io/github/issues-closed/passteque/gluetun.svg)](https://github.com/passteque/gluetun/issues?q=is%3Aissue+is%3Aclosed)
 
-![Code size](https://img.shields.io/github/languages/code-size/qdm12/gluetun)
-![GitHub repo size](https://img.shields.io/github/repo-size/qdm12/gluetun)
-![Go version](https://img.shields.io/github/go-mod/go-version/qdm12/gluetun)
+![Code size](https://img.shields.io/github/languages/code-size/passteque/gluetun)
+![GitHub repo size](https://img.shields.io/github/repo-size/passteque/gluetun)
+![Go version](https://img.shields.io/github/go-mod/go-version/passteque/gluetun)
 
 ![Visitors count](https://visitor-badge.laobi.icu/badge?page_id=gluetun.readme)
 
@@ -42,10 +42,10 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 - [Features](#features)
 - Problem?
   - Check the Wiki [common errors](https://github.com/qdm12/gluetun-wiki/tree/main/errors) and [faq](https://github.com/qdm12/gluetun-wiki/tree/main/faq)
-  - [Start a discussion](https://github.com/qdm12/gluetun/discussions)
-  - [Fix the Unraid template](https://github.com/qdm12/gluetun/discussions/550)
+  - [Start a discussion](https://github.com/passteque/gluetun/discussions)
+  - [Fix the Unraid template](https://github.com/passteque/gluetun/discussions/550)
 - Suggestion?
-  - [Create an issue](https://github.com/qdm12/gluetun/issues)
+  - [Create an issue](https://github.com/passteque/gluetun/issues)
 - Happy?
   - Sponsor me on [github.com/sponsors/qdm12](https://github.com/sponsors/qdm12)
   - Donate to [paypal.me/qmcgaw](https://www.paypal.me/qmcgaw)
@@ -66,13 +66,14 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
   - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
   - For **Cyberghost**, **Private Internet Access**, **PrivateVPN**, **PureVPN**, **Torguard**, **VPN Unlimited** and **VyprVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
   - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
-  - More in progress, see [#134](https://github.com/qdm12/gluetun/issues/134)
+  - More in progress, see [#134](https://github.com/passteque/gluetun/issues/134)
 - Supports AmneziaWG only with the custom provider for now
 - DNS over TLS baked in with service provider(s) of your choice
 - DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
 - Choose the vpn network protocol, `udp` or `tcp`
 - Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
 - Built in Shadowsocks proxy server (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
+- Built in Socks5 proxy server (tunnels TCP+UDP) - partial credits to @angelakis and @adjscent
 - Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
 - [Connect other containers to it](https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md)
 - [Connect LAN devices to it](https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-lan-device-to-gluetun.md)
@@ -130,8 +131,8 @@ services:
 
 ## Fun graphs
 
-[![Star History Chart](https://api.star-history.com/svg?repos=qdm12/gluetun&type=date&legend=top-left)](https://www.star-history.com/#qdm12/gluetun&type=date&legend=top-left)
+[![Star History Chart](https://api.star-history.com/svg?repos=passteque/gluetun&type=date&legend=top-left)](https://www.star-history.com/#passteque/gluetun&type=date&legend=top-left)
 
 ## License
 
-[![MIT](https://img.shields.io/github/license/qdm12/gluetun)](https://github.com/qdm12/gluetun/blob/master/LICENSE)
+[![MIT](https://img.shields.io/github/license/passteque/gluetun)](https://github.com/passteque/gluetun/blob/master/LICENSE)

cmd/gluetun/main.go

@@ -41,6 +41,7 @@ import (
 	"github.com/qdm12/gluetun/internal/routing"
 	"github.com/qdm12/gluetun/internal/server"
 	"github.com/qdm12/gluetun/internal/shadowsocks"
+	"github.com/qdm12/gluetun/internal/socks5"
 	"github.com/qdm12/gluetun/internal/storage"
 	updater "github.com/qdm12/gluetun/internal/updater/loop"
 	"github.com/qdm12/gluetun/internal/updater/resolver"
@@ -411,6 +412,18 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		return fmt.Errorf("starting public ip loop: %w", err)
 	}
 
+	socks5Loop := socks5.NewLoop(socks5.Settings{
+		Enabled:  *allSettings.Socks5.Enabled,
+		Username: *allSettings.Socks5.Username,
+		Password: *allSettings.Socks5.Password,
+		Address:  allSettings.Socks5.ListeningAddress,
+		Logger:   logger.New(log.SetComponent("socks5")),
+	})
+	socks5RunError, err := socks5Loop.Start(ctx)
+	if err != nil {
+		return fmt.Errorf("starting SOCKS5 server loop: %w", err)
+	}
+
 	healthLogger := logger.New(log.SetComponent("healthcheck"))
 	healthcheckServer := healthcheck.NewServer(allSettings.Health, healthLogger)
 	healthServerHandler, healthServerCtx, healthServerDone := goshutdown.NewGoRoutineHandler(
@@ -506,7 +519,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 			String() string
 			Stop() error
 		}{
-			portForwardLooper, publicIPLooper,
+			portForwardLooper, publicIPLooper, socks5Loop,
 		}
 		for _, stopper := range stoppers {
 			err := stopper.Stop()
@@ -518,6 +531,8 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		logger.Errorf("port forwarding loop crashed: %s", err)
 	case err := <-publicIPRunError:
 		logger.Errorf("public IP loop crashed: %s", err)
+	case err := <-socks5RunError:
+		logger.Errorf("SOCKS5 server loop crashed: %s", err)
 	}
 
 	return orderHandler.Shutdown(context.Background())

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/pelletier/go-toml/v2 v2.2.4
 	github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260421173011-9de8e7fdbe3a
 	github.com/qdm12/gluetun-servers v0.1.0
+	github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978
 	github.com/qdm12/gosettings v0.4.4
 	github.com/qdm12/goshutdown v0.3.0
 	github.com/qdm12/gosplash v0.2.1-0.20260305164749-b713de4fee6c
@@ -26,10 +27,9 @@ require (
 	github.com/ti-mo/netfilter v0.5.3
 	github.com/ulikunitz/xz v0.5.15
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
-	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
-	golang.org/x/net v0.51.0
-	golang.org/x/sys v0.42.0
-	golang.org/x/text v0.35.0
+	golang.org/x/net v0.55.0
+	golang.org/x/sys v0.45.0
+	golang.org/x/text v0.37.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	gopkg.in/ini.v1 v1.67.1
@@ -55,12 +55,12 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.60.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
-	golang.org/x/crypto v0.48.0 // indirect
-	golang.org/x/mod v0.33.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
+	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -120,15 +120,15 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -136,8 +136,8 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -156,8 +156,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -167,8 +167,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -176,8 +176,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/cli/update.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"net"
 	"net/http"
 	"slices"
 	"strings"
@@ -104,6 +105,10 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 	if err != nil {
 		return fmt.Errorf("creating DoH dialer: %w", err)
 	}
+	net.DefaultResolver = &net.Resolver{
+		PreferGo: true,
+		Dial:     dnsDialer.Dial,
+	}
 
 	const clientTimeout = 10 * time.Second
 	httpClient := &http.Client{Timeout: clientTimeout}

internal/command/start.go

@@ -9,8 +9,9 @@ import (
 )
 
 // Start launches a command and streams stdout and stderr to channels.
-// All the channels returned are ready only and won't be closed
-// if the command fails later.
+// stdoutLines and stderrLines channels will be closed when there is no more
+// output to read, in order for the caller to catch all lines even after the
+// command has finished. The waitError channel returned will never be closed.
 func (c *Cmder) Start(cmd *exec.Cmd) (
 	stdoutLines, stderrLines <-chan string,
 	waitError <-chan error, startErr error,
@@ -38,6 +39,7 @@ func start(cmd execCmd) (stdoutLines, stderrLines <-chan string,
 	if err != nil {
 		_ = stdout.Close()
 		<-stdoutDone
+		close(stdoutLinesCh)
 		return nil, nil, nil, err
 	}
 	go streamToChannel(stderrReady, stderrDone, stderr, stderrLinesCh)
@@ -45,9 +47,11 @@ func start(cmd execCmd) (stdoutLines, stderrLines <-chan string,
 	err = cmd.Start()
 	if err != nil {
 		_ = stdout.Close()
-		_ = stderr.Close()
 		<-stdoutDone
+		close(stdoutLinesCh)
+		_ = stderr.Close()
 		<-stderrDone
+		close(stderrLinesCh)
 		return nil, nil, nil, err
 	}
 
@@ -55,8 +59,10 @@ func start(cmd execCmd) (stdoutLines, stderrLines <-chan string,
 	go func() {
 		err := cmd.Wait()
 		<-stdoutDone
-		<-stderrDone
+		close(stdoutLinesCh)
 		_ = stdout.Close()
+		<-stderrDone
+		close(stderrLinesCh)
 		_ = stderr.Close()
 		waitErrorCh <- err
 	}()

internal/command/start_test.go

@@ -89,30 +89,48 @@ func Test_start(t *testing.T) {
 
 			require.NoError(t, err)
 
-			var stdoutIndex, stderrIndex int
-
-			done := false
-			for !done {
-				select {
-				case line := <-stdoutLines:
-					assert.Equal(t, testCase.stdout[stdoutIndex], line)
-					stdoutIndex++
-				case line := <-stderrLines:
-					assert.Equal(t, testCase.stderr[stderrIndex], line)
-					stderrIndex++
-				case err := <-waitError:
-					if testCase.waitErr != nil {
-						require.Error(t, err)
-						assert.Equal(t, testCase.waitErr.Error(), err.Error())
-					} else {
-						assert.NoError(t, err)
-					}
-					done = true
-				}
-			}
-
-			assert.Equal(t, len(testCase.stdout), stdoutIndex)
-			assert.Equal(t, len(testCase.stderr), stderrIndex)
+			collectAndCheckChannels(t, stdoutLines, stderrLines, waitError,
+				testCase.stdout, testCase.stderr, testCase.waitErr)
 		})
 	}
 }
+
+func collectAndCheckChannels(t *testing.T, stdoutLines, stderrLines <-chan string,
+	waitError <-chan error, expectedStdout, expectedStderr []string, expectedWaitErr error,
+) {
+	t.Helper()
+
+	stdoutIndex := 0
+	stderrIndex := 0
+
+	done := false
+	for !done {
+		select {
+		case line, ok := <-stdoutLines:
+			if !ok {
+				stdoutLines = nil
+				continue
+			}
+			assert.Equal(t, expectedStdout[stdoutIndex], line)
+			stdoutIndex++
+		case line, ok := <-stderrLines:
+			if !ok {
+				stderrLines = nil
+				continue
+			}
+			assert.Equal(t, expectedStderr[stderrIndex], line)
+			stderrIndex++
+		case err := <-waitError:
+			if expectedWaitErr != nil {
+				require.Error(t, err)
+				assert.Equal(t, expectedWaitErr.Error(), err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+			done = true
+		}
+	}
+
+	assert.Equal(t, len(expectedStdout), stdoutIndex)
+	assert.Equal(t, len(expectedStderr), stderrIndex)
+}

internal/command/startnlog.go

@@ -18,31 +18,37 @@ func (c *Cmder) RunAndLog(ctx context.Context, command string, logger Logger) (e
 		return err
 	}
 
-	streamCtx, streamCancel := context.WithCancel(context.Background())
 	streamDone := make(chan struct{})
-	go streamLines(streamCtx, streamDone, logger, stdout, stderr)
+	go streamLines(streamDone, logger, stdout, stderr)
 
 	err = <-waitError
-	streamCancel()
 	<-streamDone
 	return err
 }
 
-func streamLines(ctx context.Context, done chan<- struct{},
-	logger Logger, stdout, stderr <-chan string,
+func streamLines(done chan<- struct{}, logger Logger,
+	stdout, stderr <-chan string,
 ) {
 	defer close(done)
 
-	var line string
-
 	for {
 		select {
-		case <-ctx.Done():
-			return
-		case line = <-stdout:
-			logger.Info(line)
-		case line = <-stderr:
-			logger.Error(line)
+		case line, ok := <-stdout:
+			if ok {
+				logger.Info(line)
+			}
+			if stderr == nil {
+				return
+			}
+			stdout = nil
+		case line, ok := <-stderr:
+			if ok {
+				logger.Error(line)
+			}
+			if stdout == nil {
+				return
+			}
+			stderr = nil
 		}
 	}
 }

internal/configuration/settings/deprecated.go

@@ -1,10 +1,10 @@
 package settings
 
 import (
+	"maps"
 	"slices"
 
 	"github.com/qdm12/gosettings/reader"
-	"golang.org/x/exp/maps"
 )
 
 func readObsolete(r *reader.Reader) (warnings []string) {
@@ -17,7 +17,7 @@ func readObsolete(r *reader.Reader) (warnings []string) {
 		"DNS_KEEP_NAMESERVER": "DNS_KEEP_NAMESERVER is obsolete because you should use the built-in server which now " +
 			"forwards local names to private DNS resolvers found in /etc/resolv.conf at container start",
 	}
-	sortedKeys := maps.Keys(keyToMessage)
+	sortedKeys := slices.Collect(maps.Keys(keyToMessage))
 	slices.Sort(sortedKeys)
 	warnings = make([]string, 0, len(keyToMessage))
 	for _, key := range sortedKeys {

internal/configuration/settings/portforward.go

@@ -95,7 +95,7 @@ func (p PortForwarding) Validate(vpnProvider string) (err error) {
 			return errors.New("port forwarding password is empty")
 		}
 	case providers.Protonvpn:
-		const maxPortsCount = 4
+		const maxPortsCount = 5
 		if p.PortsCount > maxPortsCount {
 			return fmt.Errorf("ports count too high: %d > %d", p.PortsCount, maxPortsCount)
 		}

internal/configuration/settings/settings.go

@@ -20,6 +20,7 @@ type Settings struct {
 	HTTPProxy     HTTPProxy
 	Log           Log
 	PublicIP      PublicIP
+	Socks5        Socks5
 	Shadowsocks   Shadowsocks
 	Storage       Storage
 	System        System
@@ -49,6 +50,7 @@ func (s *Settings) Validate(filterChoicesGetter FilterChoicesGetter, ipv6Support
 		"http proxy":      s.HTTPProxy.validate,
 		"log":             s.Log.validate,
 		"public ip check": s.PublicIP.validate,
+		"socks5":          s.Socks5.validate,
 		"shadowsocks":     s.Shadowsocks.validate,
 		"storage":         s.Storage.validate,
 		"system":          s.System.validate,
@@ -81,6 +83,7 @@ func (s *Settings) copy() (copied Settings) {
 		HTTPProxy:     s.HTTPProxy.copy(),
 		Log:           s.Log.copy(),
 		PublicIP:      s.PublicIP.copy(),
+		Socks5:        s.Socks5.copy(),
 		Shadowsocks:   s.Shadowsocks.copy(),
 		Storage:       s.Storage.copy(),
 		System:        s.System.copy(),
@@ -104,6 +107,7 @@ func (s *Settings) OverrideWith(other Settings,
 	patchedSettings.HTTPProxy.overrideWith(other.HTTPProxy)
 	patchedSettings.Log.overrideWith(other.Log)
 	patchedSettings.PublicIP.overrideWith(other.PublicIP)
+	patchedSettings.Socks5.overrideWith(other.Socks5)
 	patchedSettings.Shadowsocks.overrideWith(other.Shadowsocks)
 	patchedSettings.Storage.overrideWith(other.Storage)
 	patchedSettings.System.overrideWith(other.System)
@@ -131,6 +135,7 @@ func (s *Settings) SetDefaults() {
 	s.Log.setDefaults()
 	s.IPv6.setDefaults()
 	s.PublicIP.setDefaults()
+	s.Socks5.setDefaults()
 	s.Shadowsocks.setDefaults()
 	s.Storage.SetDefaults()
 	s.System.setDefaults()
@@ -154,6 +159,7 @@ func (s Settings) toLinesNode() (node *gotree.Node) {
 	node.AppendNode(s.Log.toLinesNode())
 	node.AppendNode(s.IPv6.toLinesNode())
 	node.AppendNode(s.Health.toLinesNode())
+	node.AppendNode(s.Socks5.toLinesNode())
 	node.AppendNode(s.Shadowsocks.toLinesNode())
 	node.AppendNode(s.HTTPProxy.toLinesNode())
 	node.AppendNode(s.ControlServer.toLinesNode())
@@ -212,6 +218,7 @@ func (s *Settings) Read(r *reader.Reader, warner Warner) (err error) {
 		"public ip": func(r *reader.Reader) error {
 			return s.PublicIP.read(r, warner)
 		},
+		"socks5":      s.Socks5.read,
 		"shadowsocks": s.Shadowsocks.read,
 		"storage":     s.Storage.Read,
 		"system":      s.System.read,

internal/configuration/settings/settings_test.go

@@ -81,6 +81,8 @@ func Test_Settings_String(t *testing.T) {
 |   |       ├── 1.1.1.1
 |   |       └── 8.8.8.8
 |   └── Restart VPN on healthcheck failure: yes
+├── SOCKS5 proxy server settings:
+|   └── Enabled: no
 ├── Shadowsocks server settings:
 |   └── Enabled: no
 ├── HTTP proxy settings:

internal/configuration/settings/socks5.go

@@ -0,0 +1,91 @@
+package settings
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/qdm12/gosettings"
+	"github.com/qdm12/gosettings/reader"
+	"github.com/qdm12/gosettings/validate"
+	"github.com/qdm12/gotree"
+)
+
+// Socks5 contains settings to configure the Socks5 proxy server.
+type Socks5 struct {
+	Enabled          *bool
+	ListeningAddress string
+	Username         *string
+	Password         *string
+}
+
+func (s Socks5) validate() (err error) {
+	err = validate.ListeningAddress(s.ListeningAddress, os.Getuid())
+	if err != nil {
+		return fmt.Errorf("server listening address is not valid: %w", err)
+	}
+
+	switch {
+	case *s.Username != "" && *s.Password == "":
+		return errors.New("password must be set if username is set")
+	case *s.Username == "" && *s.Password != "":
+		return errors.New("username must be set if password is set")
+	}
+
+	return nil
+}
+
+func (s *Socks5) copy() (copied Socks5) {
+	return Socks5{
+		Enabled:          gosettings.CopyPointer(s.Enabled),
+		ListeningAddress: s.ListeningAddress,
+		Username:         gosettings.CopyPointer(s.Username),
+		Password:         gosettings.CopyPointer(s.Password),
+	}
+}
+
+func (s *Socks5) overrideWith(other Socks5) {
+	s.Enabled = gosettings.OverrideWithPointer(s.Enabled, other.Enabled)
+	s.ListeningAddress = gosettings.OverrideWithComparable(s.ListeningAddress, other.ListeningAddress)
+	s.Username = gosettings.OverrideWithPointer(s.Username, other.Username)
+	s.Password = gosettings.OverrideWithPointer(s.Password, other.Password)
+}
+
+func (s *Socks5) setDefaults() {
+	s.Enabled = gosettings.DefaultPointer(s.Enabled, false)
+	s.ListeningAddress = gosettings.DefaultComparable(s.ListeningAddress, ":1080")
+	s.Username = gosettings.DefaultPointer(s.Username, "")
+	s.Password = gosettings.DefaultPointer(s.Password, "")
+}
+
+func (s Socks5) String() string {
+	return s.toLinesNode().String()
+}
+
+func (s Socks5) toLinesNode() (node *gotree.Node) {
+	node = gotree.New("SOCKS5 proxy server settings:")
+	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(s.Enabled))
+	if !*s.Enabled {
+		return node
+	}
+
+	node.Appendf("Listening address: %s", s.ListeningAddress)
+	if *s.Username != "" || *s.Password != "" {
+		node.Appendf("Username: %s", *s.Username)
+		node.Appendf("Password: %s", gosettings.ObfuscateKey(*s.Password))
+	}
+	return node
+}
+
+func (s *Socks5) read(r *reader.Reader) (err error) {
+	s.Enabled, err = r.BoolPtr("SOCKS5_ENABLED")
+	if err != nil {
+		return err
+	}
+
+	s.ListeningAddress = r.String("SOCKS5_LISTENING_ADDRESS")
+	s.Username = r.Get("SOCKS5_USER", reader.ForceLowercase(false))
+	s.Password = r.Get("SOCKS5_PASSWORD", reader.ForceLowercase(false))
+
+	return nil
+}

internal/firewall/interfaces.go

@@ -28,6 +28,8 @@ type firewallImpl interface { //nolint:interfacebloat
 	AcceptIpv6MulticastOutput(ctx context.Context, intf string) error
 	AcceptOutput(ctx context.Context, protocol, intf string,
 		ip netip.Addr, port uint16, remove bool) error
+	AcceptOutputFromIPPortToIPPort(ctx context.Context, protocol, intf string,
+		source, destination netip.AddrPort, remove bool) error
 	AcceptOutputFromIPToSubnet(ctx context.Context, intf string, assignedIP netip.Addr,
 		subnet netip.Prefix, remove bool) error
 	AcceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error

internal/firewall/iptables/atomic.go

@@ -1,7 +1,6 @@
 package iptables
 
 import (
-	"bufio"
 	"context"
 	"fmt"
 	"os/exec"
@@ -97,25 +96,24 @@ func saveData(ctx context.Context, binary string) (data string, err error) {
 		}
 		return "", fmt.Errorf("running %s-save: %w", binary, err)
 	}
-	err = checkData(string(output))
-	if err != nil {
-		return "", fmt.Errorf("checking saved data: %w", err)
-	}
-	return string(output), nil
+	return filterData(output)
 }
 
-func checkData(data string) error {
-	scanner := bufio.NewScanner(strings.NewReader(data))
-	i := 0
-	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.HasPrefix(line, "[unsupported") {
-			return fmt.Errorf("unsupported revision marker found in line %d: %s", i+1, line)
+func filterData(cmdOutput []byte) (filtered string, err error) {
+	lines := strings.Split(string(cmdOutput), "\n")
+	filteredLines := make([]string, 0, len(lines))
+	for _, line := range lines {
+		switch {
+		case strings.HasPrefix(line, ":DOCKER_OUTPUT"),
+			strings.HasPrefix(line, ":DOCKER_POSTROUTING"),
+			strings.HasPrefix(line, "-A DOCKER_OUTPUT"),
+			strings.HasPrefix(line, "-A DOCKER_POSTROUTING"):
+			// Do not touch (aka save and restore) NAT rules added by Docker
+			continue
+		case strings.Contains(line, "[unsupported revision]"):
+			return "", fmt.Errorf("mismatch container iptables-save and kernel: %s", line)
 		}
-		i++
+		filteredLines = append(filteredLines, line)
 	}
-	if scanner.Err() != nil {
-		return fmt.Errorf("scanning data: %w", scanner.Err())
-	}
-	return nil
+	return strings.Join(filteredLines, "\n"), nil
 }

internal/firewall/iptables/iptables.go

@@ -2,6 +2,7 @@ package iptables
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/netip"
@@ -177,6 +178,29 @@ func (c *Config) AcceptOutput(ctx context.Context,
 	return c.runIP6tablesInstruction(ctx, instruction)
 }
 
+func (c *Config) AcceptOutputFromIPPortToIPPort(ctx context.Context,
+	protocol, intf string, source, destination netip.AddrPort, remove bool,
+) error {
+	if source.Addr().BitLen() != destination.Addr().BitLen() {
+		return errors.New("source and destination address families do not match")
+	}
+
+	interfaceFlag := "-o " + intf
+	if intf == "*" { // all interfaces
+		interfaceFlag = ""
+	}
+
+	instruction := fmt.Sprintf("%s OUTPUT %s -s %s -d %s -p %s -m %s --sport %d --dport %d -j ACCEPT",
+		appendOrDelete(remove), interfaceFlag, source.Addr(), destination.Addr(),
+		protocol, protocol, source.Port(), destination.Port())
+	if destination.Addr().Is4() {
+		return c.runIptablesInstruction(ctx, instruction)
+	} else if c.ip6Tables == "" {
+		return fmt.Errorf("accept output from %s to %s: %s", source, destination, needIP6Tables)
+	}
+	return c.runIP6tablesInstruction(ctx, instruction)
+}
+
 // AcceptOutputFromIPToSubnet accepts outgoing traffic from sourceIP to destinationSubnet
 // on the interface intf. If intf is empty, it is set to "*" which means all interfaces.
 // If remove is true, the rule is removed instead of added.
@@ -278,7 +302,6 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			appendOrDelete(remove), interfaceFlag, destinationPort),
 	})
 	if err != nil {
-		restore(ctx) // just in case
 		errMessage := err.Error()
 		if strings.Contains(errMessage, "can't initialize ip6tables table `nat': Table does not exist") {
 			if !remove {
@@ -286,6 +309,7 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			}
 			return nil
 		}
+		restore(ctx)
 		return fmt.Errorf("redirecting IPv6 source port %d to destination port %d on interface %s: %w",
 			sourcePort, destinationPort, intf, err)
 	}

internal/firewall/wrappers.go

@@ -25,3 +25,10 @@ func (c *Config) AcceptOutput(ctx context.Context, protocol, intf string,
 ) error {
 	return c.impl.AcceptOutput(ctx, protocol, intf, ip, port, remove)
 }
+
+func (c *Config) AcceptOutputFromIPPortToIPPort(ctx context.Context,
+	protocol, intf string, source, destination netip.AddrPort, remove bool,
+) error {
+	return c.impl.AcceptOutputFromIPPortToIPPort(ctx, protocol, intf,
+		source, destination, remove)
+}

internal/openvpn/run.go

@@ -29,19 +29,16 @@ func (r *Runner) Run(ctx context.Context, errCh chan<- error, ready chan<- struc
 		return
 	}
 
-	streamCtx, streamCancel := context.WithCancel(context.Background())
 	streamDone := make(chan struct{})
-	go streamLines(streamCtx, streamDone, r.logger,
+	go streamLines(streamDone, r.logger,
 		stdoutLines, stderrLines, ready)
 
 	select {
 	case <-ctx.Done():
 		<-waitError
-		streamCancel()
 		<-streamDone
 		errCh <- ctx.Err()
 	case err := <-waitError:
-		streamCancel()
 		<-streamDone
 		errCh <- err
 	}

internal/openvpn/stream.go

@@ -1,26 +1,37 @@
 package openvpn
 
 import (
-	"context"
 	"strings"
 )
 
-func streamLines(ctx context.Context, done chan<- struct{},
+func streamLines(done chan<- struct{},
 	logger Logger, stdout, stderr <-chan string,
 	tunnelReady chan<- struct{},
 ) {
 	defer close(done)
 
-	var line string
-
 	for {
+		var line string
+		var ok bool
 		errLine := false
 		select {
-		case <-ctx.Done():
-			return
-		case line = <-stdout:
-		case line = <-stderr:
-			errLine = true
+		case line, ok = <-stdout:
+			if ok {
+				break
+			}
+			if stderr == nil {
+				return
+			}
+			stdout = nil
+		case line, ok = <-stderr:
+			if ok {
+				errLine = true
+				break
+			}
+			if stdout == nil {
+				return
+			}
+			stderr = nil
 		}
 		line, level := processLogLine(line)
 		if line == "" {

internal/portforward/service/command.go

@@ -15,7 +15,11 @@ func runCommand(ctx context.Context, cmder Cmder, logger Logger,
 	}
 	portsString := strings.Join(portStrings, ",")
 	commandString := strings.ReplaceAll(commandTemplate, "{{PORTS}}", portsString)
-	commandString = strings.ReplaceAll(commandString, "{{PORT}}", portStrings[0])
+	var firstPort string
+	if len(portStrings) > 0 {
+		firstPort = portStrings[0]
+	}
+	commandString = strings.ReplaceAll(commandString, "{{PORT}}", firstPort)
 	commandString = strings.ReplaceAll(commandString, "{{VPN_INTERFACE}}", vpnInterface)
 	return cmder.RunAndLog(ctx, commandString, logger)
 }

internal/portforward/service/service.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"slices"
@@ -59,6 +60,10 @@ func (s *Service) SetPortsForwarded(ctx context.Context, ports []uint16) (err er
 	s.portMutex.Lock()
 	defer s.portMutex.Unlock()
 
+	if s.settings.PortForwarder != nil {
+		return errors.New("setting port forwarded at runtime is not supported with internally running port forwarding code")
+	}
+
 	slices.Sort(ports)
 	if slices.Equal(s.ports, ports) {
 		return nil
@@ -78,7 +83,5 @@ func (s *Service) SetPortsForwarded(ctx context.Context, ports []uint16) (err er
 		return fmt.Errorf("handling new ports: %w", err)
 	}
 
-	s.logger.Info("updated: " + portsToString(s.ports))
-
 	return nil
 }

internal/portforward/service/settings.go

@@ -88,7 +88,7 @@ func (s *Settings) Validate(forStartup bool) (err error) {
 			return errors.New("password not set")
 		}
 	case providers.Protonvpn:
-		const maxPortsCount = 4
+		const maxPortsCount = 5
 		if s.PortsCount > maxPortsCount {
 			return fmt.Errorf("ports count too high: %d > %d", s.PortsCount, maxPortsCount)
 		}

internal/portforward/service/start.go

@@ -92,13 +92,9 @@ func (s *Service) onNewPorts(ctx context.Context, internalToExternalPorts map[ui
 	s.logger.Info(portPairsToString(internalToExternalPorts))
 
 	externalPorts := slices.Collect(maps.Values(internalToExternalPorts))
-	autoRedirectionNeeded := false
 	externalToInternalPorts := make(map[uint16]uint16, len(internalToExternalPorts))
 	for internal, external := range internalToExternalPorts {
 		externalToInternalPorts[external] = internal
-		if internal != external {
-			autoRedirectionNeeded = true
-		}
 	}
 	slices.Sort(externalPorts)
 	userRedirectionEnabled := !slices.Equal(s.settings.ListeningPorts, []uint16{0})
@@ -109,23 +105,21 @@ func (s *Service) onNewPorts(ctx context.Context, internalToExternalPorts map[ui
 			return fmt.Errorf("allowing port in firewall: %w", err)
 		}
 
-		var sourcePort, destinationPort uint16
+		var destinationPort uint16
 		switch {
 		case userRedirectionEnabled: // precedence over auto redirection
-			sourcePort = externalToInternalPorts[port]
 			destinationPort = s.settings.ListeningPorts[i]
-		case autoRedirectionNeeded:
-			sourcePort = externalToInternalPorts[port]
+		case port != internalPort: // auto redirection needed, source and destination ports differ
 			destinationPort = port
 		default:
 			// No redirection needed, source and destination ports are the same.
 			continue
 		}
 
-		err = s.portAllower.RedirectPort(ctx, s.settings.Interface, sourcePort, destinationPort)
+		err = s.portAllower.RedirectPort(ctx, s.settings.Interface, internalPort, destinationPort)
 		if err != nil {
 			return fmt.Errorf("redirecting port %d to %d in firewall: %w",
-				sourcePort, destinationPort, err)
+				internalPort, destinationPort, err)
 		}
 	}
 

internal/provider/custom/openvpnconf.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/provider/utils"
@@ -65,7 +66,11 @@ func modifyConfig(lines []string, connection models.Connection,
 	}
 
 	// Add values
-	modified = append(modified, "proto "+connection.Protocol)
+	protocol := connection.Protocol
+	if protocol == constants.TCP {
+		protocol = "tcp-client"
+	}
+	modified = append(modified, "proto "+protocol)
 	modified = append(modified, fmt.Sprintf("remote %s %d", connection.IP, connection.Port))
 	modified = append(modified, "dev "+settings.Interface)
 	modified = append(modified, "mute-replay-warnings")

internal/provider/protonvpn/portforward.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"maps"
+	"net/netip"
 	"strings"
 	"time"
 
@@ -12,14 +13,14 @@ import (
 	"github.com/qdm12/gluetun/internal/provider/utils"
 )
 
-const nonSymmetricPortStart uint16 = 56789
-
 // PortForward obtains a VPN server side port forwarded from ProtonVPN gateway.
 func (p *Provider) PortForward(ctx context.Context, objects utils.PortForwardObjects) (
 	internalToExternalPorts map[uint16]uint16, err error,
 ) {
 	if !objects.CanPortForward {
 		return nil, errors.New("server does not support port forwarding")
+	} else if objects.PortsCount == 0 {
+		return nil, nil //nolint:nilnil
 	}
 
 	client := natpmp.New()
@@ -39,38 +40,75 @@ func (p *Provider) PortForward(ctx context.Context, objects utils.PortForwardObj
 	logger := objects.Logger
 
 	logger.Debug("gateway external IPv4 address is " + externalIPv4Address.String())
-	const externalPort = 0
-	const lifetime = 60 * time.Second
 
 	p.internalToExternalPorts = make(map[uint16]uint16, objects.PortsCount)
-	for i := range objects.PortsCount {
-		internalPort := nonSymmetricPortStart + i
-		protoToInternalPort := map[string]uint16{
-			"udp": 0,
-			"tcp": 0,
-		}
-		protoToExternalPort := maps.Clone(protoToInternalPort)
-		for protocol := range protoToExternalPort {
-			_, assignedInternalPort, assignedExternalPort, assignedLifetime, err := client.AddPortMapping(
-				ctx, objects.Gateway, protocol, internalPort, externalPort, lifetime)
-			if err != nil {
-				return nil, fmt.Errorf("adding %d/%d %s port mapping: %w",
-					i+1, objects.PortsCount, strings.ToUpper(protocol), err)
-			}
-			checkLifetime(logger, strings.ToUpper(protocol), lifetime, assignedLifetime)
-			checkInternalPort(logger, internalPort, assignedInternalPort)
-			protoToInternalPort[protocol] = assignedInternalPort
-			protoToExternalPort[protocol] = assignedExternalPort
-		}
+	const lifetime = 60 * time.Second
 
-		checkInternalPorts(logger, protoToInternalPort["udp"], protoToInternalPort["tcp"])
-		checkExternalPorts(logger, protoToExternalPort["udp"], protoToExternalPort["tcp"])
-		p.internalToExternalPorts[protoToInternalPort["tcp"]] = protoToExternalPort["tcp"]
+	// Only one port can be a symmetric mapping
+	const internalPort, externalPort = 0, 1
+	_, assignedExternalPort, err := addPortMappingTCPUDP(ctx,
+		client, logger, objects.Gateway, internalPort, externalPort, lifetime)
+	// Note the returned assignedInternalPort is always 0 in this case
+	if err != nil {
+		return nil, fmt.Errorf("adding first port mapping: %w", err)
+	}
+	p.internalToExternalPorts[assignedExternalPort] = assignedExternalPort
+
+	// Extra ports must be non-symmetric, meaning that the internal port is
+	// different from the external port.
+	const nonSymmetricPortStart = uint16(56789)
+	nonSymmetricPortStartMinusOne := nonSymmetricPortStart - 1
+	if _, ok := p.internalToExternalPorts[nonSymmetricPortStart]; ok {
+		nonSymmetricPortStartMinusOne++
+	}
+	for i := uint16(1); i < objects.PortsCount; i++ {
+		internalPort := nonSymmetricPortStartMinusOne + i
+		const externalPort = 0
+		assignedInternalPort, assignedExternalPort, err := addPortMappingTCPUDP(ctx,
+			client, logger, objects.Gateway, internalPort, externalPort, lifetime)
+		if err != nil {
+			return nil, fmt.Errorf("adding %d/%d port mapping: %w", i+1, objects.PortsCount, err)
+		}
+		p.internalToExternalPorts[assignedInternalPort] = assignedExternalPort
 	}
 
 	return maps.Clone(p.internalToExternalPorts), nil
 }
 
+func addPortMappingTCPUDP(ctx context.Context, client *natpmp.Client, logger utils.Logger,
+	gateway netip.Addr, internalPort, externalPort uint16, lifetime time.Duration,
+) (assignedInternalPort, assignedExternalPort uint16, err error) {
+	var assignedLifetime time.Duration
+	protocolToExternalPort := map[string]uint16{
+		"tcp": 0,
+		"udp": 0,
+	}
+	for _, protocol := range [...]string{"udp", "tcp"} {
+		protocolStr := strings.ToUpper(protocol)
+		_, assignedInternalPort, assignedExternalPort, assignedLifetime, err = client.AddPortMapping(
+			ctx, gateway, protocol, internalPort, externalPort, lifetime)
+		if err != nil {
+			return 0, 0, fmt.Errorf("adding %s port mapping: %w", protocolStr, err)
+		}
+		protocolToExternalPort[protocol] = assignedExternalPort
+		checkLifetime(logger, protocolStr, lifetime, assignedLifetime)
+		if internalPort != assignedInternalPort {
+			return 0, 0, fmt.Errorf("%s internal port requested as %d but received %d",
+				protocolStr, internalPort, assignedInternalPort)
+		} else if externalPort != 0 && externalPort != 1 && externalPort != assignedExternalPort {
+			return 0, 0, fmt.Errorf("%s external port requested as %d but received %d",
+				protocolStr, externalPort, assignedExternalPort)
+		}
+	}
+
+	if protocolToExternalPort["tcp"] != protocolToExternalPort["udp"] {
+		return 0, 0, fmt.Errorf("TCP and UDP external ports differ: %d and %d",
+			protocolToExternalPort["tcp"], protocolToExternalPort["udp"])
+	}
+
+	return assignedInternalPort, assignedExternalPort, nil
+}
+
 func checkLifetime(logger utils.Logger, protocol string,
 	requested, actual time.Duration,
 ) {
@@ -81,27 +119,6 @@ func checkLifetime(logger utils.Logger, protocol string,
 	}
 }
 
-func checkInternalPort(logger utils.Logger, sent, received uint16) {
-	if sent != received {
-		logger.Warn(fmt.Sprintf("internal port assigned %d differs from requested internal port %d",
-			sent, received))
-	}
-}
-
-func checkInternalPorts(logger utils.Logger, udpPort, tcpPort uint16) {
-	if udpPort != tcpPort {
-		logger.Warn(fmt.Sprintf("UDP internal port %d differs from TCP internal port %d",
-			udpPort, tcpPort))
-	}
-}
-
-func checkExternalPorts(logger utils.Logger, udpPort, tcpPort uint16) {
-	if udpPort != tcpPort {
-		logger.Warn(fmt.Sprintf("UDP external port %d differs from TCP external port %d",
-			udpPort, tcpPort))
-	}
-}
-
 func (p *Provider) KeepPortForward(ctx context.Context,
 	objects utils.PortForwardObjects,
 ) (err error) {
@@ -117,22 +134,12 @@ func (p *Provider) KeepPortForward(ctx context.Context,
 		}
 
 		objects.Logger.Debug("refreshing forwarded ports since 45 seconds have elapsed")
-		networkProtocols := [...]string{"udp", "tcp"}
 		const lifetime = 60 * time.Second
 		for internalPort, externalPort := range p.internalToExternalPorts {
-			for _, networkProtocol := range networkProtocols {
-				_, assignedInternalPort, assignedExternalPort, assignedLiftetime, err := client.AddPortMapping(
-					ctx, objects.Gateway, networkProtocol, internalPort, externalPort, lifetime)
-				if err != nil {
-					return fmt.Errorf("adding port mapping: %w", err)
-				}
-				checkLifetime(logger, networkProtocol, lifetime, assignedLiftetime)
-				if externalPort != assignedExternalPort {
-					return fmt.Errorf("external port changed from %d to %d", externalPort, assignedExternalPort)
-				} else if internalPort != assignedInternalPort {
-					return fmt.Errorf("internal port changed from %d (for external port %d) to %d",
-						internalPort, externalPort, assignedInternalPort)
-				}
+			_, _, err := addPortMappingTCPUDP(ctx, client, logger, objects.Gateway, internalPort, externalPort, lifetime)
+			if err != nil {
+				return fmt.Errorf("refreshing port mapping for internal port %d and external port %d: %w",
+					internalPort, externalPort, err)
 			}
 			objects.Logger.Debug(fmt.Sprintf("port forwarded %d maintained", externalPort))
 		}

internal/restrictednet/client.go

@@ -0,0 +1,82 @@
+package restrictednet
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/netip"
+	"strconv"
+
+	"github.com/qdm12/dns/v2/pkg/provider"
+)
+
+// Client is a client for making restricted network requests,
+// such as opening temporary firewall rules for HTTPS connections.
+// It is not meant to be high performance, although it can be used for
+// multiple requests and concurrently.
+type Client struct {
+	outboundInterface string
+	ipv6Supported     bool
+	firewall          Firewall
+	dohServers        []provider.DoHServer
+}
+
+func New(settings Settings) *Client {
+	if err := settings.validate(); err != nil {
+		panic(fmt.Sprintf("invalid settings: %v", err)) // programming error
+	}
+	dohServers := make([]provider.DoHServer, len(settings.UpstreamResolvers))
+	for i, upstreamResolver := range settings.UpstreamResolvers {
+		dohServers[i] = upstreamResolver.DoH
+	}
+
+	return &Client{
+		outboundInterface: settings.DefaultInterface,
+		ipv6Supported:     *settings.IPv6Supported,
+		firewall:          settings.Firewall,
+		dohServers:        dohServers,
+	}
+}
+
+// OpenHTTPSByHostname opens an https connection through the firewall,
+// to the hostname which in the format `host:port`. The returned cleanup
+// function must be called to remove the temporary firewall rule and close connections.
+// It first resolves the domain in hostname using DNS over HTTPS and then opens
+// the restricted HTTPS connection to the resolved IP.
+func (c *Client) OpenHTTPSByHostname(ctx context.Context, hostname string) (
+	httpClient *http.Client, cleanup func() error, err error,
+) {
+	host, portStr, err := net.SplitHostPort(hostname)
+	if err != nil {
+		return nil, nil, fmt.Errorf("splitting host and port: %w", err)
+	}
+	resolvedIPs, err := c.ResolveName(ctx, host)
+	if err != nil {
+		return nil, nil, fmt.Errorf("resolving name: %w", err)
+	} else if len(resolvedIPs) == 0 {
+		return nil, nil, fmt.Errorf("no IP address found for name %q", host)
+	}
+
+	portUint, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return nil, nil, fmt.Errorf("parsing port: %w", err)
+	} else if portUint == 0 {
+		return nil, nil, errors.New("destination port cannot be 0")
+	}
+	port := uint16(portUint)
+
+	errs := make([]error, 0, len(resolvedIPs))
+	for _, ip := range resolvedIPs {
+		addrPort := netip.AddrPortFrom(ip, port)
+		httpClient, cleanup, err := c.OpenHTTPS(ctx, host, addrPort)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("for %s: %w", ip, err))
+			continue
+		}
+		return httpClient, cleanup, nil
+	}
+
+	return nil, nil, fmt.Errorf("opening HTTPS to %s: %w", hostname, errors.Join(errs...))
+}

internal/restrictednet/helpers_test.go

@@ -0,0 +1,7 @@
+//go:build integration
+
+package restrictednet
+
+func ptrTo[T any](value T) *T {
+	return &value
+}

internal/restrictednet/https.go

@@ -0,0 +1,202 @@
+package restrictednet
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/netip"
+	"os"
+	"time"
+
+	"github.com/jsimonetti/rtnetlink"
+	"github.com/qdm12/gluetun/internal/pmtud/constants"
+)
+
+// OpenHTTPS opens temporary restrictive firewall output for one HTTPS destination.
+// The returned [*http.Client] must be used sequentially only, and each request must
+// have its response body fully read/discarded and then closed.
+// The returned cleanup function must be called to remove the temporary firewall rule and close connections.
+func (c *Client) OpenHTTPS(ctx context.Context, destinationTLSName string, destinationAddrPort netip.AddrPort,
+) (httpClient *http.Client, cleanup func() error, err error) {
+	fd, sourceAddrPort, err := bindSourceConnection(destinationAddrPort.Addr())
+	if err != nil {
+		return nil, nil, fmt.Errorf("binding source port: %w", err)
+	}
+
+	const remove = false
+	err = c.firewall.AcceptOutputFromIPPortToIPPort(ctx, "tcp", c.outboundInterface,
+		sourceAddrPort, destinationAddrPort, remove)
+	if err != nil {
+		closeFD(fd)
+		return nil, nil, fmt.Errorf("allowing output traffic through firewall: %w", err)
+	}
+
+	connection, err := connectSourceConnection(ctx, fd, destinationAddrPort)
+	if err != nil {
+		const remove = true
+		_ = c.firewall.AcceptOutputFromIPPortToIPPort(context.Background(), "tcp", c.outboundInterface,
+			sourceAddrPort, destinationAddrPort, remove)
+		return nil, nil, fmt.Errorf("connecting source socket: %w", err)
+	}
+
+	dial := makeDial(connection, destinationTLSName)
+	httpClient = newHTTPSClient(destinationTLSName, dial)
+	cleanup = func() error {
+		var errs []error
+		httpClient.CloseIdleConnections()
+		err := connection.Close()
+		if err != nil && !errors.Is(err, net.ErrClosed) {
+			errs = append(errs, fmt.Errorf("closing connection: %w", err))
+		}
+		const remove = true
+		err = c.firewall.AcceptOutputFromIPPortToIPPort(context.Background(), "tcp", c.outboundInterface,
+			sourceAddrPort, destinationAddrPort, remove)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("removing output traffic rule: %w", err))
+		}
+		if len(errs) > 0 {
+			return errors.Join(errs...)
+		}
+		return nil
+	}
+	return httpClient, cleanup, nil
+}
+
+type dialFunc func(ctx context.Context, network, address string) (net.Conn, error)
+
+func newHTTPSClient(destinationTLSName string, dial dialFunc) *http.Client {
+	const timeout = 5 * time.Second
+	transport := &http.Transport{
+		MaxIdleConns:        1,
+		MaxIdleConnsPerHost: 1,
+		MaxConnsPerHost:     1,
+		TLSClientConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+			ServerName: destinationTLSName,
+		},
+		DialContext: dial,
+	}
+	return &http.Client{
+		Timeout:   timeout,
+		Transport: transport,
+	}
+}
+
+func makeDial(connection net.Conn, tlsName string) dialFunc {
+	_, destinationPort, err := net.SplitHostPort(connection.RemoteAddr().String())
+	if err != nil {
+		panic(err) // connection remote address should always be in the form "host:port"
+	}
+	expectedAddress := net.JoinHostPort(tlsName, destinationPort)
+	used := false
+	return func(_ context.Context, network, address string) (net.Conn, error) {
+		if used {
+			return nil, errors.New("dial function called more than once")
+		}
+		used = true
+		switch network {
+		case "tcp", "tcp4", "tcp6":
+		default:
+			return nil, fmt.Errorf("unexpected dial network %q", network)
+		}
+		if address != expectedAddress {
+			return nil, fmt.Errorf("unexpected dial address %q (expected %q)", address, expectedAddress)
+		}
+		return connection, nil
+	}
+}
+
+func bindSourceConnection(destinationIP netip.Addr) (fd int, sourceAddr netip.AddrPort, err error) {
+	sourceIP, err := sourceIPForDestination(destinationIP)
+	if err != nil {
+		return 0, netip.AddrPort{}, fmt.Errorf("finding source IP: %w", err)
+	}
+
+	family := constants.AF_INET
+	if sourceIP.Is6() {
+		family = constants.AF_INET6
+	}
+
+	fd, err = newTCPSockStream(family)
+	if err != nil {
+		return 0, netip.AddrPort{}, fmt.Errorf("creating socket: %w", err)
+	}
+
+	bindAddrPort := netip.AddrPortFrom(sourceIP, 0)
+	err = bindFD(fd, bindAddrPort)
+	if err != nil {
+		closeFD(fd)
+		return 0, netip.AddrPort{}, fmt.Errorf("binding socket: %w", err)
+	}
+
+	sourceAddr, err = fdToSourceAddr(fd)
+	if err != nil {
+		closeFD(fd)
+		return 0, netip.AddrPort{}, fmt.Errorf("getting source address: %w", err)
+	}
+
+	return fd, sourceAddr, nil
+}
+
+func connectSourceConnection(ctx context.Context, fd int, destinationAddrPort netip.AddrPort) (
+	connection net.Conn, err error,
+) {
+	err = connectFD(ctx, fd, destinationAddrPort)
+	if err != nil {
+		closeFD(fd)
+		return nil, fmt.Errorf("connecting socket: %w", err)
+	}
+
+	file := os.NewFile(uintptr(fd), "")
+	if file == nil {
+		closeFD(fd)
+		return nil, fmt.Errorf("creating socket file")
+	}
+	defer file.Close()
+
+	connection, err = net.FileConn(file)
+	if err != nil {
+		return nil, fmt.Errorf("wrapping socket connection: %w", err)
+	}
+
+	return connection, nil
+}
+
+func sourceIPForDestination(destinationIP netip.Addr) (srcIP netip.Addr, err error) {
+	conn, err := rtnetlink.Dial(nil)
+	if err != nil {
+		return netip.Addr{}, err
+	}
+	defer conn.Close()
+
+	family := uint8(constants.AF_INET)
+	if destinationIP.Is6() {
+		family = constants.AF_INET6
+	}
+
+	requestMessage := &rtnetlink.RouteMessage{
+		Family: family,
+		Attributes: rtnetlink.RouteAttributes{
+			Dst: destinationIP.AsSlice(),
+		},
+	}
+	messages, err := conn.Route.Get(requestMessage)
+	if err != nil {
+		return netip.Addr{}, fmt.Errorf("getting routes to %s: %w", destinationIP, err)
+	}
+
+	for _, message := range messages {
+		if message.Attributes.Src == nil {
+			continue
+		}
+		if message.Attributes.Src.To4() == nil {
+			return netip.AddrFrom16([16]byte(message.Attributes.Src)), nil
+		}
+		return netip.AddrFrom4([4]byte(message.Attributes.Src)), nil
+	}
+
+	return netip.Addr{}, fmt.Errorf("no route to %s", destinationIP)
+}

internal/restrictednet/https_integration_test.go

@@ -0,0 +1,117 @@
+//go:build integration
+
+package restrictednet
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/qdm12/dns/v2/pkg/provider"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type listenAddrPortMatcher struct {
+	expected netip.AddrPort
+}
+
+func (m listenAddrPortMatcher) Matches(x any) bool {
+	ip, ok := x.(netip.AddrPort)
+	if !ok {
+		return false
+	}
+	if m.expected.IsValid() {
+		return ip == m.expected
+	}
+	return ip.IsValid() && ip.Addr().IsValid() && ip.Port() > 0
+}
+
+func (m listenAddrPortMatcher) String() string {
+	if m.expected.IsValid() {
+		return "is the same as " + m.expected.String()
+	}
+	return "is a valid netip.AddrPort with a valid IP and non-zero port"
+}
+
+type destinationAddrPortMatcher struct {
+	expected netip.AddrPort
+}
+
+func (m destinationAddrPortMatcher) Matches(x any) bool {
+	ip, ok := x.(netip.AddrPort)
+	if !ok {
+		return false
+	}
+	if m.expected.IsValid() {
+		return ip == m.expected
+	}
+	return ip.IsValid() && ip.Port() == m.expected.Port()
+}
+
+func (m destinationAddrPortMatcher) String() string {
+	if m.expected.IsValid() {
+		return "is the same as " + m.expected.String()
+	}
+	return "matches the port " + fmt.Sprint(m.expected.Port())
+}
+
+func Test_Client_OpenHTTPS(t *testing.T) {
+	t.Parallel()
+	ctx := t.Context()
+	ctrl := gomock.NewController(t)
+
+	const destinationTLSName = "one.one.one.one"
+	destinationAddrPort := netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 443)
+
+	firewall := NewMockFirewall(ctrl)
+	sourceMatcher := listenAddrPortMatcher{}
+	firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		ctx, "tcp", "eth0", sourceMatcher, destinationAddrPort, false,
+	).DoAndReturn(func(_ context.Context,
+		_, _ string, source, _ netip.AddrPort, _ bool,
+	) error {
+		sourceMatcher.expected = source
+		return nil
+	})
+	firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		context.Background(), "tcp", "eth0", sourceMatcher, destinationAddrPort, true,
+	).Return(nil)
+
+	const ipv6Supported = false
+	upstreamResolvers := []provider.Provider{provider.Google()}
+	settings := Settings{
+		Firewall:          firewall,
+		DefaultInterface:  "eth0",
+		IPv6Supported:     ptrTo(ipv6Supported),
+		UpstreamResolvers: upstreamResolvers,
+	}
+	client := New(settings)
+
+	httpClient, cleanup, err := client.OpenHTTPS(ctx, destinationTLSName, destinationAddrPort)
+	require.NoError(t, err)
+	require.NotNil(t, httpClient)
+	require.NotNil(t, cleanup)
+
+	const requests = 2
+
+	for range requests {
+		request, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://"+destinationTLSName, nil)
+		require.NoError(t, err)
+
+		response, err := httpClient.Do(request)
+		require.NoError(t, err)
+		_, err = io.Copy(io.Discard, response.Body)
+		require.NoError(t, err)
+		err = response.Body.Close()
+		require.NoError(t, err)
+		assert.Equal(t, http.StatusOK, response.StatusCode)
+	}
+
+	err = cleanup()
+	require.NoError(t, err)
+}

internal/restrictednet/interfaces.go

@@ -0,0 +1,12 @@
+package restrictednet
+
+import (
+	"context"
+	"net/netip"
+)
+
+type Firewall interface {
+	AcceptOutputFromIPPortToIPPort(ctx context.Context,
+		protocol, intf string, source, destination netip.AddrPort, remove bool,
+	) error
+}

internal/restrictednet/mocks_generate_test.go

@@ -0,0 +1,3 @@
+package restrictednet
+
+//go:generate mockgen -destination=mocks_test.go -package=$GOPACKAGE . Firewall

internal/restrictednet/mocks_test.go

@@ -0,0 +1,50 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/qdm12/gluetun/internal/restrictednet (interfaces: Firewall)
+
+// Package restrictednet is a generated GoMock package.
+package restrictednet
+
+import (
+	context "context"
+	netip "net/netip"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockFirewall is a mock of Firewall interface.
+type MockFirewall struct {
+	ctrl     *gomock.Controller
+	recorder *MockFirewallMockRecorder
+}
+
+// MockFirewallMockRecorder is the mock recorder for MockFirewall.
+type MockFirewallMockRecorder struct {
+	mock *MockFirewall
+}
+
+// NewMockFirewall creates a new mock instance.
+func NewMockFirewall(ctrl *gomock.Controller) *MockFirewall {
+	mock := &MockFirewall{ctrl: ctrl}
+	mock.recorder = &MockFirewallMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockFirewall) EXPECT() *MockFirewallMockRecorder {
+	return m.recorder
+}
+
+// AcceptOutputFromIPPortToIPPort mocks base method.
+func (m *MockFirewall) AcceptOutputFromIPPortToIPPort(arg0 context.Context, arg1, arg2 string, arg3, arg4 netip.AddrPort, arg5 bool) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "AcceptOutputFromIPPortToIPPort", arg0, arg1, arg2, arg3, arg4, arg5)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// AcceptOutputFromIPPortToIPPort indicates an expected call of AcceptOutputFromIPPortToIPPort.
+func (mr *MockFirewallMockRecorder) AcceptOutputFromIPPortToIPPort(arg0, arg1, arg2, arg3, arg4, arg5 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AcceptOutputFromIPPortToIPPort", reflect.TypeOf((*MockFirewall)(nil).AcceptOutputFromIPPortToIPPort), arg0, arg1, arg2, arg3, arg4, arg5)
+}

internal/restrictednet/resolve.go

@@ -0,0 +1,205 @@
+package restrictednet
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"strconv"
+
+	"github.com/miekg/dns"
+)
+
+// ResolveName resolves the given host name to IP addresses using DoH servers,
+// while opening temporary restrictive firewall rules for HTTPS traffic to DoH servers.
+// The host must be a single well-formed domain name, without port or path.
+func (c *Client) ResolveName(ctx context.Context, host string) (
+	resolvedAddresses []netip.Addr, err error,
+) {
+	const maxTypes = 2
+	questionTypes := make([]uint16, 0, maxTypes)
+	if c.ipv6Supported {
+		questionTypes = append(questionTypes, dns.TypeAAAA)
+	}
+	questionTypes = append(questionTypes, dns.TypeA)
+
+	var addresses []netip.Addr
+	errs := make([]error, 0, len(questionTypes))
+	for _, questionType := range questionTypes {
+		answerAddresses, err := c.resolveOneQuestionType(ctx, host, questionType)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		addresses = append(addresses, answerAddresses...)
+	}
+
+	switch {
+	case len(addresses) > 0:
+		return addresses, nil
+	case len(errs) == 0:
+		return nil, nil // no address found
+	default: // errors
+		return nil, fmt.Errorf("resolving host %q: %w", host, errors.Join(errs...))
+	}
+}
+
+func (c *Client) resolveOneQuestionType(ctx context.Context,
+	host string, questionType uint16,
+) (addresses []netip.Addr, err error) {
+	queryMessage := &dns.Msg{}
+	queryMessage.SetQuestion(dns.Fqdn(host), questionType)
+	queryWire, err := queryMessage.Pack()
+	if err != nil {
+		return nil, fmt.Errorf("packing DNS query: %w", err)
+	}
+
+	// Try every DoH server and every of each of their IP until we get a non-empty
+	// successful response.
+	errs := make([]error, 0)
+	for _, dohServer := range c.dohServers {
+		dohURL, err := url.Parse(dohServer.URL)
+		if err != nil {
+			errs = append(errs,
+				fmt.Errorf("parsing DoH server URL %s: %w", dohServer.URL, err))
+			continue
+		}
+
+		dohServerIPs := make([]netip.Addr, 0, len(dohServer.IPv4)+len(dohServer.IPv6))
+		if c.ipv6Supported {
+			// Prefer IPv6 addresses if IPv6 is supported
+			dohServerIPs = append(dohServerIPs, dohServer.IPv6...)
+		}
+		dohServerIPs = append(dohServerIPs, dohServer.IPv4...)
+
+		for _, dohServerIP := range dohServerIPs {
+			const defaultDoHPort uint16 = 443
+			port := defaultDoHPort
+			if portStr := dohURL.Port(); portStr != "" {
+				port, err = parseDestinationPort(portStr)
+				if err != nil {
+					errs = append(errs, fmt.Errorf("parsing DoH server port: %w", err))
+					continue
+				}
+			}
+			dohServerAddrPort := netip.AddrPortFrom(dohServerIP, port)
+			responseMessage, err := c.doHQuery(ctx, queryWire, dohURL, dohServerAddrPort)
+			switch {
+			case err != nil:
+				errs = append(errs, fmt.Errorf("querying DoH server %q (%s): %w",
+					dohServer.URL, dohServerAddrPort, err))
+				continue
+			case responseMessage.Rcode != dns.RcodeSuccess:
+				errs = append(errs, fmt.Errorf("querying DoH server %q (%s): DNS rcode %s",
+					dohServer.URL, dohServerAddrPort, dns.RcodeToString[responseMessage.Rcode]))
+				continue
+			}
+			addresses := answersToNetipAddrs(responseMessage)
+			if len(addresses) == 0 {
+				continue
+			}
+			return addresses, nil
+		}
+	}
+
+	if len(errs) == 0 {
+		return nil, nil
+	}
+
+	return nil, fmt.Errorf("resolving %s %s: %w",
+		dns.TypeToString[questionType], host, errors.Join(errs...))
+}
+
+func (c *Client) doHQuery(ctx context.Context, queryWire []byte,
+	dohURL *url.URL, dohServerAddrPort netip.AddrPort,
+) (responseMessage *dns.Msg, err error) {
+	httpClient, cleanup, err := c.OpenHTTPS(ctx, dohURL.Hostname(), dohServerAddrPort)
+	if err != nil {
+		return nil, fmt.Errorf("opening https connection: %w", err)
+	}
+	defer func() {
+		closeErr := cleanup()
+		if err == nil && closeErr != nil {
+			err = fmt.Errorf("cleaning up https connection: %w", closeErr)
+		}
+	}()
+
+	requestBody := bytes.NewReader(queryWire)
+	request, err := http.NewRequestWithContext(ctx, http.MethodPost, dohURL.String(), requestBody)
+	if err != nil {
+		return nil, fmt.Errorf("creating request: %w", err)
+	}
+	request.Header.Set("Content-Type", "application/dns-message")
+	request.Header.Set("Accept", "application/dns-message")
+
+	response, err := httpClient.Do(request)
+	if err != nil {
+		return nil, err
+	}
+
+	responseData, err := io.ReadAll(response.Body)
+	if err != nil {
+		_ = response.Body.Close()
+		return nil, fmt.Errorf("reading response body: %w", err)
+	}
+
+	err = response.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("closing response body: %w", err)
+	}
+
+	if response.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("response status code is %s (data length %d)",
+			response.Status, len(responseData))
+	}
+
+	responseMessage = new(dns.Msg)
+	err = responseMessage.Unpack(responseData)
+	if err != nil {
+		return nil, fmt.Errorf("parsing DoH response: %w", err)
+	}
+
+	return responseMessage, nil
+}
+
+func answersToNetipAddrs(message *dns.Msg) (addresses []netip.Addr) {
+	if message == nil {
+		return nil
+	}
+	addresses = make([]netip.Addr, 0, len(message.Answer))
+	for _, answer := range message.Answer {
+		switch record := answer.(type) {
+		case *dns.A:
+			address, ok := netip.AddrFromSlice(record.A)
+			if ok {
+				addresses = append(addresses, address.Unmap())
+			}
+		case *dns.AAAA:
+			address, ok := netip.AddrFromSlice(record.AAAA)
+			if ok {
+				addresses = append(addresses, address)
+			}
+		}
+	}
+	return addresses
+}
+
+func parseDestinationPort(portStr string) (port uint16, err error) {
+	portUint, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return 0, err
+	}
+
+	const maxPortUint = 65535
+	switch {
+	case portUint == 0:
+		return 0, errors.New("port cannot be 0")
+	case portUint > maxPortUint:
+		return 0, fmt.Errorf("port cannot be greater than %d", maxPortUint)
+	}
+	return uint16(portUint), nil
+}

internal/restrictednet/resolve_integration_test.go

@@ -0,0 +1,110 @@
+//go:build integration
+
+package restrictednet
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/miekg/dns"
+	"github.com/qdm12/dns/v2/pkg/provider"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Client_ResolveName(t *testing.T) {
+	t.Parallel()
+	ctx := t.Context()
+	ctrl := gomock.NewController(t)
+
+	firewall := NewMockFirewall(ctrl)
+	sourceMatcher := listenAddrPortMatcher{}
+	destinationMatcher := destinationAddrPortMatcher{
+		expected: netip.AddrPortFrom(netip.Addr{}, 443),
+	}
+
+	// Add rule
+	firstCall := firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		ctx, "tcp", "eth0", sourceMatcher, destinationMatcher, false,
+	).DoAndReturn(func(
+		_ context.Context, _, _ string, source, destination netip.AddrPort, _ bool,
+	) error {
+		sourceMatcher.expected = source
+		destinationMatcher.expected = destination
+		return nil
+	})
+
+	// Removal rule
+	firewall.EXPECT().AcceptOutputFromIPPortToIPPort(
+		context.Background(), "tcp", "eth0", sourceMatcher, destinationMatcher, true,
+	).Return(nil).After(firstCall)
+
+	settings := Settings{
+		DefaultInterface:  "eth0",
+		IPv6Supported:     ptrTo(false),
+		Firewall:          firewall,
+		UpstreamResolvers: []provider.Provider{provider.Cloudflare()},
+	}
+	client := New(settings)
+
+	addresses, err := client.ResolveName(ctx, "github.com")
+	require.NoError(t, err)
+	assert.NotEmpty(t, addresses)
+}
+
+func Test_answersToNetipAddrs(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		message  *dns.Msg
+		expected []netip.Addr
+	}{
+		"nil_message": {},
+		"no_answers": {
+			message:  &dns.Msg{},
+			expected: []netip.Addr{},
+		},
+		"a_record": {
+			message: &dns.Msg{Answer: []dns.RR{
+				&dns.A{
+					Hdr: dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET},
+					A:   net.IP{1, 1, 1, 1},
+				},
+			}},
+			expected: []netip.Addr{netip.MustParseAddr("1.1.1.1")},
+		},
+		"aaaa_record": {
+			message: &dns.Msg{Answer: []dns.RR{
+				&dns.AAAA{
+					Hdr:  dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeAAAA, Class: dns.ClassINET},
+					AAAA: net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88},
+				},
+			}},
+			expected: []netip.Addr{netip.MustParseAddr("2001:4860:4860::8888")},
+		},
+		"mixed_records": {
+			message: &dns.Msg{Answer: []dns.RR{
+				&dns.A{
+					Hdr: dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeA, Class: dns.ClassINET},
+					A:   net.IP{1, 1, 1, 1},
+				},
+				&dns.AAAA{
+					Hdr:  dns.RR_Header{Name: "example.com.", Rrtype: dns.TypeAAAA, Class: dns.ClassINET},
+					AAAA: net.IP{0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0, 0, 0, 0, 0, 0, 0, 0, 0x88, 0x88},
+				},
+			}},
+			expected: []netip.Addr{netip.MustParseAddr("1.1.1.1"), netip.MustParseAddr("2001:4860:4860::8888")},
+		},
+	}
+
+	for testName, testCase := range testCases {
+		t.Run(testName, func(t *testing.T) {
+			t.Parallel()
+			addresses := answersToNetipAddrs(testCase.message)
+			assert.Equal(t, testCase.expected, addresses)
+		})
+	}
+}

internal/restrictednet/settings.go

@@ -0,0 +1,28 @@
+package restrictednet
+
+import (
+	"errors"
+
+	"github.com/qdm12/dns/v2/pkg/provider"
+)
+
+type Settings struct {
+	DefaultInterface  string
+	IPv6Supported     *bool
+	Firewall          Firewall
+	UpstreamResolvers []provider.Provider
+}
+
+func (s *Settings) validate() error {
+	switch {
+	case s.DefaultInterface == "":
+		return errors.New("default interface is not set")
+	case s.IPv6Supported == nil:
+		return errors.New("IPv6 support field is not set")
+	case s.Firewall == nil:
+		return errors.New("firewall is not set")
+	case len(s.UpstreamResolvers) == 0:
+		return errors.New("no upstream resolvers provided")
+	}
+	return nil
+}

internal/restrictednet/unix.go

@@ -0,0 +1,121 @@
+//go:build !windows
+
+package restrictednet
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+func closeFD(fd int) {
+	unix.Close(fd)
+}
+
+func newTCPSockStream(family int) (fd int, err error) {
+	fd, err = unix.Socket(family, unix.SOCK_STREAM, unix.IPPROTO_TCP)
+	if err != nil {
+		return 0, err
+	}
+	err = unix.SetNonblock(fd, true)
+	if err != nil {
+		_ = unix.Close(fd)
+		return 0, err
+	}
+	return fd, nil
+}
+
+func bindFD(fd int, address netip.AddrPort) error {
+	bindAddr := makeSockAddr(address)
+	return unix.Bind(fd, bindAddr)
+}
+
+func connectFD(ctx context.Context, fd int, destination netip.AddrPort) error {
+	err := unix.Connect(fd, makeSockAddr(destination))
+	switch {
+	case err == nil:
+		return nil
+	case !errors.Is(err, unix.EINPROGRESS):
+		return err
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			bitsIndex := fd / 64 //nolint:mnd
+			if bitsIndex >= len(unix.FdSet{}.Bits) {
+				return fmt.Errorf("fd %d exceeds unix.Select FdSet capacity", fd)
+			}
+			wset := &unix.FdSet{}
+			wset.Bits[bitsIndex] |= 1 << (uint64(fd) % 64) //nolint:gosec,mnd
+			eset := &unix.FdSet{}
+			eset.Bits[bitsIndex] |= 1 << (uint64(fd) % 64) //nolint:gosec,mnd
+			const selectTimeout = 50 * time.Millisecond
+			timeval := unix.NsecToTimeval(int64(selectTimeout))
+
+			// Wait for the FD to become writable or hit an error state
+			n, err := unix.Select(fd+1, nil, wset, eset, &timeval)
+			if err != nil {
+				if errors.Is(err, unix.EINTR) {
+					continue // Syscall interrupted, try again
+				}
+				return fmt.Errorf("select error: %w", err)
+			} else if n == 0 {
+				continue // no status change yet
+			}
+
+			// Check if the socket encountered an error
+			n, err = unix.GetsockoptInt(fd, unix.SOL_SOCKET, unix.SO_ERROR)
+			if err != nil {
+				return fmt.Errorf("getsockopt error: %w", err)
+			} else if n != 0 {
+				return fmt.Errorf("connect failed asynchronously: %w", unix.Errno(n))
+			}
+
+			return nil
+		}
+	}
+}
+
+func fdToSourceAddr(fd int) (sourceAddrPort netip.AddrPort, err error) {
+	sockAddr, err := unix.Getsockname(fd)
+	if err != nil {
+		return netip.AddrPort{}, fmt.Errorf("getting sockname: %w", err)
+	}
+
+	sourceAddrPort, err = sockAddrToAddrPort(sockAddr)
+	if err != nil {
+		return netip.AddrPort{}, err
+	}
+	return sourceAddrPort, nil
+}
+
+func makeSockAddr(addressPort netip.AddrPort) unix.Sockaddr {
+	if addressPort.Addr().Is4() {
+		return &unix.SockaddrInet4{
+			Port: int(addressPort.Port()),
+			Addr: addressPort.Addr().As4(),
+		}
+	}
+	return &unix.SockaddrInet6{
+		Port: int(addressPort.Port()),
+		Addr: addressPort.Addr().As16(),
+	}
+}
+
+func sockAddrToAddrPort(sockAddr unix.Sockaddr) (addrPort netip.AddrPort, err error) {
+	switch typedSockAddr := sockAddr.(type) {
+	case *unix.SockaddrInet4:
+		return netip.AddrPortFrom(netip.AddrFrom4(typedSockAddr.Addr), uint16(typedSockAddr.Port)), nil //nolint:gosec
+	case *unix.SockaddrInet6:
+		return netip.AddrPortFrom(netip.AddrFrom16(typedSockAddr.Addr), uint16(typedSockAddr.Port)), nil //nolint:gosec
+	default:
+		return netip.AddrPort{}, fmt.Errorf("unexpected socket address type %T", typedSockAddr)
+	}
+}

internal/restrictednet/windows.go

@@ -0,0 +1,28 @@
+//go:build windows
+
+package restrictednet
+
+import (
+	"context"
+	"net/netip"
+)
+
+func closeFD(fd int) {
+	panic("not implemented")
+}
+
+func newTCPSockStream(family int) (fd int, err error) {
+	panic("not implemented")
+}
+
+func bindFD(fd int, address netip.AddrPort) error {
+	panic("not implemented")
+}
+
+func connectFD(ctx context.Context, fd int, destination netip.AddrPort) error {
+	panic("not implemented")
+}
+
+func fdToSourceAddr(fd int) (sourceAddrPort netip.AddrPort, err error) {
+	panic("not implemented")
+}

internal/socks5/constants.go

@@ -0,0 +1,83 @@
+package socks5
+
+import "fmt"
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-3
+type authMethod byte
+
+const (
+	authNotRequired      authMethod = 0
+	authGssapi           authMethod = 1
+	authUsernamePassword authMethod = 2
+	authNotAcceptable    authMethod = 255
+)
+
+func (a authMethod) String() string {
+	switch a {
+	case authNotRequired:
+		return "no authentication required"
+	case authGssapi:
+		return "GSSAPI"
+	case authUsernamePassword:
+		return "username/password"
+	case authNotAcceptable:
+		return "no acceptable methods"
+	default:
+		return fmt.Sprintf("unknown method (%d)", a)
+	}
+}
+
+// Subnegotiation version
+// See https://datatracker.ietf.org/doc/html/rfc1929#section-2
+const (
+	authUsernamePasswordSubNegotiation1 byte = 1
+)
+
+// SOCKS versions.
+const (
+	socks5Version byte = 5
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-4
+type cmdType byte
+
+const (
+	connect      cmdType = 1
+	udpAssociate cmdType = 3
+)
+
+func (c cmdType) String() string {
+	switch c {
+	case connect:
+		return "connect"
+	case udpAssociate:
+		return "UDP associate"
+	default:
+		return fmt.Sprintf("unknown command (%d)", c)
+	}
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-4 and
+// https://datatracker.ietf.org/doc/html/rfc1928#section-5
+type addrType byte
+
+const (
+	ipv4       addrType = 1
+	domainName addrType = 3
+	ipv6       addrType = 4
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-6
+type replyCode byte
+
+const (
+	succeeded replyCode = iota
+	generalServerFailure
+	connectionNotAllowedByRuleset
+	networkUnreachable
+	hostUnreachable
+	connectionRefused
+	ttlExpired
+	commandNotSupported
+	addressTypeNotSupported
+)

internal/socks5/interfaces.go

@@ -0,0 +1,6 @@
+package socks5
+
+type Logger interface {
+	Infof(format string, a ...interface{})
+	Warnf(format string, a ...interface{})
+}

internal/socks5/loop.go

@@ -0,0 +1,106 @@
+package socks5
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/qdm12/goservices"
+)
+
+type Loop struct {
+	settings Settings
+
+	mutex     sync.Mutex
+	runCancel context.CancelFunc
+	runDone   <-chan error
+}
+
+func NewLoop(settings Settings) *Loop {
+	return &Loop{
+		settings: settings,
+	}
+}
+
+func (l *Loop) String() string {
+	return "SOCKS5 server loop"
+}
+
+func (l *Loop) Start(_ context.Context) (runError <-chan error, err error) {
+	l.mutex.Lock()
+	defer l.mutex.Unlock()
+
+	var runCtx context.Context
+	runCtx, l.runCancel = context.WithCancel(context.Background())
+
+	runDone := make(chan error)
+	l.runDone = runDone
+
+	go run(runCtx, runDone, l.settings)
+
+	return nil, nil //nolint:nilnil
+}
+
+func run(ctx context.Context, done chan<- error, settings Settings) {
+	defer close(done)
+	logger := settings.Logger
+
+	for ctx.Err() == nil {
+		var server goservices.Service
+		if settings.Enabled {
+			server = newServer(settings)
+		} else {
+			server = new(noopService)
+		}
+
+		errorCh, err := server.Start(ctx)
+		if err != nil {
+			logger.Warnf("failed starting SOCKS5 server: %s", err)
+			waitBeforeRetry(ctx)
+			continue
+		}
+
+		select {
+		case <-ctx.Done():
+			done <- server.Stop()
+			return
+		case err := <-errorCh:
+			if ctx.Err() != nil {
+				return
+			}
+			logger.Warnf("SOCKS5 server crashed: %s", err)
+			waitBeforeRetry(ctx)
+		}
+	}
+}
+
+func (l *Loop) Stop() (err error) {
+	l.mutex.Lock()
+	defer l.mutex.Unlock()
+
+	l.runCancel()
+	return <-l.runDone
+}
+
+func waitBeforeRetry(ctx context.Context) {
+	const retryDelay = 10 * time.Second
+	timer := time.NewTimer(retryDelay)
+	select {
+	case <-timer.C:
+	case <-ctx.Done():
+	}
+}
+
+type noopService struct{}
+
+func (s noopService) Start(_ context.Context) (runErr <-chan error, err error) {
+	return nil, nil //nolint:nilnil
+}
+
+func (s noopService) Stop() error {
+	return nil
+}
+
+func (s noopService) String() string {
+	return "noop service"
+}

internal/socks5/mocks_generate_test.go

@@ -0,0 +1,3 @@
+package socks5
+
+//go:generate mockgen -destination=mocks_test.go -package=$GOPACKAGE . Logger

internal/socks5/mocks_test.go

@@ -0,0 +1,68 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/qdm12/gluetun/internal/socks5 (interfaces: Logger)
+
+// Package socks5 is a generated GoMock package.
+package socks5
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockLogger is a mock of Logger interface.
+type MockLogger struct {
+	ctrl     *gomock.Controller
+	recorder *MockLoggerMockRecorder
+}
+
+// MockLoggerMockRecorder is the mock recorder for MockLogger.
+type MockLoggerMockRecorder struct {
+	mock *MockLogger
+}
+
+// NewMockLogger creates a new mock instance.
+func NewMockLogger(ctrl *gomock.Controller) *MockLogger {
+	mock := &MockLogger{ctrl: ctrl}
+	mock.recorder = &MockLoggerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockLogger) EXPECT() *MockLoggerMockRecorder {
+	return m.recorder
+}
+
+// Infof mocks base method.
+func (m *MockLogger) Infof(arg0 string, arg1 ...interface{}) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0}
+	for _, a := range arg1 {
+		varargs = append(varargs, a)
+	}
+	m.ctrl.Call(m, "Infof", varargs...)
+}
+
+// Infof indicates an expected call of Infof.
+func (mr *MockLoggerMockRecorder) Infof(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0}, arg1...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Infof", reflect.TypeOf((*MockLogger)(nil).Infof), varargs...)
+}
+
+// Warnf mocks base method.
+func (m *MockLogger) Warnf(arg0 string, arg1 ...interface{}) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0}
+	for _, a := range arg1 {
+		varargs = append(varargs, a)
+	}
+	m.ctrl.Call(m, "Warnf", varargs...)
+}
+
+// Warnf indicates an expected call of Warnf.
+func (mr *MockLoggerMockRecorder) Warnf(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0}, arg1...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Warnf", reflect.TypeOf((*MockLogger)(nil).Warnf), varargs...)
+}

internal/socks5/response.go

@@ -0,0 +1,109 @@
+package socks5
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/netip"
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-6
+func (c *socksConn) encodeFailedResponse(writer io.Writer, socksVersion byte, reply replyCode) {
+	_, err := writer.Write([]byte{
+		socksVersion,
+		byte(reply),
+		0, // RSV byte
+		// The RFC requires a full response frame even for failures.
+		// Use IPv4 address type with zeroed address and port.
+		byte(ipv4), // ATYP
+		0, 0, 0, 0, // BND.ADDR (zeroed)
+		0, 0, // BND.PORT (zeroed)
+	})
+	if err != nil {
+		c.logger.Warnf("failed writing failed response: %s", err)
+	}
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-6
+func (c *socksConn) encodeSuccessResponse(writer io.Writer, socksVersion byte,
+	reply replyCode, bindAddrType addrType, bindAddress string,
+	bindPort uint16,
+) (err error) {
+	bindData, err := encodeBindData(bindAddrType, bindAddress, bindPort)
+	if err != nil {
+		return fmt.Errorf("encoding bind data: %w", err)
+	}
+
+	const initialPacketLength = 3
+	capacity := initialPacketLength + len(bindData)
+	packet := make([]byte, initialPacketLength, capacity)
+	packet[0] = socksVersion
+	packet[1] = byte(reply)
+	packet[2] = 0 // RSV byte
+	packet = append(packet, bindData...)
+
+	_, err = writer.Write(packet)
+	if err != nil {
+		return fmt.Errorf("writing packet: %w", err)
+	}
+	return nil
+}
+
+var (
+	ErrIPVersionUnexpected = errors.New("ip version is unexpected")
+	ErrDomainNameTooLong   = errors.New("domain name is too long")
+)
+
+func encodeBindData(addrType addrType, address string, port uint16) (
+	data []byte, err error,
+) {
+	capacity := bindDataLength(addrType, address)
+	data = make([]byte, 0, capacity)
+
+	data = append(data, byte(addrType))
+	switch addrType {
+	case ipv4, ipv6:
+		ip, err := netip.ParseAddr(address)
+		if err != nil {
+			return nil, fmt.Errorf("parsing IP address: %w", err)
+		}
+
+		switch {
+		case addrType == ipv4 && !ip.Is4():
+			return nil, fmt.Errorf("%w: expected IPv4 for %s", ErrIPVersionUnexpected, ip)
+		case addrType == ipv6 && !ip.Is6():
+			return nil, fmt.Errorf("%w: expected IPv6 for %s", ErrIPVersionUnexpected, ip)
+		}
+		data = append(data, ip.AsSlice()...)
+	case domainName:
+		const maxDomainNameLength = 255
+		if len(address) > maxDomainNameLength {
+			return nil, fmt.Errorf("%w: %s", ErrDomainNameTooLong, address)
+		}
+		data = append(data, byte(len(address)))
+		data = append(data, []byte(address)...)
+	default:
+		panic(fmt.Sprintf("unsupported address type %d", addrType))
+	}
+	data = binary.BigEndian.AppendUint16(data, port)
+	return data, nil
+}
+
+func bindDataLength(addrType addrType, address string) (maxLength uint) {
+	maxLength++ // address type
+	switch addrType {
+	case ipv4:
+		maxLength += net.IPv4len
+	case domainName:
+		maxLength++ // domain name length
+		maxLength += uint(len([]byte(address)))
+	case ipv6:
+		maxLength += net.IPv6len
+	default:
+		panic("unsupported address type: " + fmt.Sprint(addrType))
+	}
+	maxLength += 2 // port
+	return maxLength
+}

internal/socks5/server.go

@@ -0,0 +1,162 @@
+package socks5
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"sync"
+	"sync/atomic"
+)
+
+type server struct {
+	username string
+	password string
+	address  string
+	logger   Logger
+
+	// internal fields
+	tcpListener     net.Listener
+	udpRouter       *udpRouter
+	listening       atomic.Bool
+	socksConnCtx    context.Context //nolint:containedctx
+	socksConnCancel context.CancelFunc
+	done            <-chan error
+	stopCh          chan<- struct{}
+}
+
+func newServer(settings Settings) *server {
+	return &server{
+		username: settings.Username,
+		password: settings.Password,
+		address:  settings.Address,
+		logger:   settings.Logger,
+	}
+}
+
+func (s *server) String() string {
+	return "SOCKS5 server"
+}
+
+func (s *server) Start(ctx context.Context) (runErr <-chan error, err error) {
+	s.socksConnCtx, s.socksConnCancel = context.WithCancel(context.Background())
+	config := &net.ListenConfig{}
+	s.tcpListener, err = config.Listen(ctx, "tcp", s.address)
+	if err != nil {
+		return nil, fmt.Errorf("TCP listening on %s: %w", s.address, err)
+	}
+
+	s.udpRouter, err = newUDPRouter(ctx, s.address, s.logger)
+	if err != nil {
+		_ = s.tcpListener.Close()
+		return nil, fmt.Errorf("creating UDP router: %w", err)
+	}
+	s.listening.Store(true)
+	s.logger.Infof("SOCKS5 TCP server listening on %s", s.tcpListener.Addr())
+	s.logger.Infof("SOCKS5 UDP server listening on %s", s.udpRouter.localAddress())
+
+	ready := make(chan struct{})
+	runErrCh := make(chan error)
+	runErr = runErrCh
+	done := make(chan error)
+	s.done = done
+	stop := make(chan struct{})
+	s.stopCh = stop
+	go s.runServer(ready, runErrCh, stop, done)
+	select {
+	case <-ready:
+	case <-ctx.Done():
+		_ = s.Stop()
+		return nil, fmt.Errorf("starting server: %w", ctx.Err())
+	}
+	return runErr, nil
+}
+
+func (s *server) runServer(ready chan<- struct{},
+	runErrCh chan<- error, stop <-chan struct{}, done chan<- error,
+) {
+	close(ready)
+	defer close(done)
+
+	udpErrCh := make(chan error)
+	go func() {
+		udpErrCh <- s.udpRouter.run(s.socksConnCtx)
+	}()
+
+	tcpErrCh := make(chan error)
+	go func() {
+		var wg sync.WaitGroup
+		defer wg.Wait()
+
+		dialer := &net.Dialer{}
+		for {
+			connection, err := s.tcpListener.Accept()
+			if err != nil {
+				s.socksConnCancel() // stop ongoing TCP socks connections - no impact on UDP
+				tcpErrCh <- fmt.Errorf("accepting connection: %w", err)
+				return
+			}
+			wg.Go(func() {
+				connection := connection // capture loop variable
+				socksConn := &socksConn{
+					dialer:     dialer,
+					username:   s.username,
+					password:   s.password,
+					clientConn: connection,
+					udpRouter:  s.udpRouter,
+					logger:     s.logger,
+				}
+				err := socksConn.run(s.socksConnCtx)
+				if err != nil {
+					s.logger.Infof("running socks connection: %s", err)
+				}
+			})
+		}
+	}()
+
+	select {
+	case <-stop:
+		s.listening.Store(false)
+		var errs []error
+		err := s.tcpListener.Close()
+		if err != nil {
+			errs = append(errs, fmt.Errorf("closing TCP listener: %w", err))
+		}
+		// stop ongoing TCP socks connections. This impacts the udpRouter run error when it is being closed.
+		s.socksConnCancel()
+		<-tcpErrCh // wait for TCP server to stop
+		err = s.udpRouter.close()
+		if err != nil {
+			errs = append(errs, fmt.Errorf("closing UDP router: %w", err))
+		}
+		<-udpErrCh // wait for UDP router to stop
+		if len(errs) > 0 {
+			// Only write to the done channel if the [server.Stop] method is waiting to read from it
+			done <- errors.Join(errs...)
+		}
+		// If no error, the done channel is closed so the error is effectively `nil`
+		// Note: do NOT write an error the runError channel, since we are stopping the server gracefully.
+	case err := <-udpErrCh:
+		_ = s.tcpListener.Close() // stop accepting new TCP connections
+		s.socksConnCancel()       // stop ongoing TCP socks connections
+		<-tcpErrCh                // wait for TCP server to stop
+		runErrCh <- fmt.Errorf("running UDP router: %w", err)
+	case err := <-tcpErrCh:
+		s.socksConnCancel()
+		_ = s.udpRouter.close() // stop UDP router
+		<-udpErrCh              // wait for UDP router to stop
+		runErrCh <- fmt.Errorf("running TCP server: %w", err)
+	}
+}
+
+func (s *server) Stop() (err error) {
+	close(s.stopCh)
+	return <-s.done
+}
+
+func (s *server) listeningAddress() net.Addr {
+	if s.listening.Load() {
+		return s.tcpListener.Addr()
+	}
+	return nil
+}

internal/socks5/settings.go

@@ -0,0 +1,9 @@
+package socks5
+
+type Settings struct {
+	Enabled  bool
+	Username string
+	Password string
+	Address  string
+	Logger   Logger
+}

internal/socks5/socks5.go

@@ -0,0 +1,538 @@
+package socks5
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/netip"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+var (
+	errNoMethodIdentifiers     = errors.New("no method identifiers")
+	errNoValidMethodIdentifier = errors.New("no valid method identifier")
+)
+
+type socksConn struct {
+	// Injected fields
+	dialer     *net.Dialer
+	username   string
+	password   string
+	clientConn net.Conn
+	udpRouter  *udpRouter
+	logger     Logger
+}
+
+func (c *socksConn) closeClientConn(ctxErr error) {
+	err := c.clientConn.Close()
+	if err != nil && ctxErr == nil {
+		c.logger.Warnf("closing client connection: %s", err)
+	}
+}
+
+func (c *socksConn) run(ctx context.Context) error {
+	// Monitoring context cancellation to close the connection and stop
+	// reading operations on clientConn.
+	done := make(chan struct{})
+	ctxWatcherDone := make(chan struct{})
+	go func() {
+		defer close(ctxWatcherDone)
+		select {
+		case <-done:
+		case <-ctx.Done():
+			// unblock read operations
+			c.closeClientConn(ctx.Err())
+		}
+	}()
+	defer func() {
+		close(done)
+		<-ctxWatcherDone
+	}()
+
+	authMethod := authNotRequired
+	if c.username != "" || c.password != "" {
+		authMethod = authUsernamePassword
+	}
+
+	err := verifyFirstNegotiation(c.clientConn, authMethod)
+	if err != nil {
+		replyMethod := authMethod
+		if errors.Is(err, errNoMethodIdentifiers) || errors.Is(err, errNoValidMethodIdentifier) {
+			replyMethod = authNotAcceptable
+		}
+		_, writeErr := c.clientConn.Write([]byte{socks5Version, byte(replyMethod)})
+		if writeErr != nil {
+			c.logger.Warnf("failed writing first negotiation reply: %s", writeErr)
+		}
+		c.closeClientConn(ctx.Err())
+		return fmt.Errorf("verifying first negotiation: %w", err)
+	}
+
+	_, err = c.clientConn.Write([]byte{socks5Version, byte(authMethod)})
+	if err != nil {
+		c.closeClientConn(ctx.Err())
+		return fmt.Errorf("writing first negotiation reply: %w", err)
+	}
+
+	switch authMethod {
+	case authNotRequired, authNotAcceptable:
+	case authGssapi:
+		panic("not implemented")
+	case authUsernamePassword:
+		// See https://datatracker.ietf.org/doc/html/rfc1929#section-2
+		err = usernamePasswordSubnegotiate(c.clientConn, c.username, c.password)
+		if err != nil {
+			// If the server returns a `failure' (STATUS value other than X'00') status,
+			// it MUST close the connection.
+			c.closeClientConn(ctx.Err())
+			return fmt.Errorf("subnegotiating username and password: %w", err)
+		}
+	default:
+		panic(fmt.Sprintf("unimplemented auth method %d", authMethod))
+	}
+
+	err = c.handleRequest(ctx)
+	c.closeClientConn(ctx.Err())
+	if err != nil {
+		return fmt.Errorf("handling request: %w", err)
+	}
+	return nil
+}
+
+func (c *socksConn) handleRequest(ctx context.Context) error {
+	const socksVersion = socks5Version
+	request, err := decodeRequest(c.clientConn, socksVersion)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return err
+	}
+
+	switch request.command {
+	case connect:
+		err = c.handleConnectRequest(ctx, socksVersion, request)
+		if err != nil {
+			return fmt.Errorf("handling %s request: %w", request.command, err)
+		}
+		return nil
+	case udpAssociate:
+		err = c.handleUDPAssociateRequest(ctx, socksVersion, request)
+		if err != nil {
+			return fmt.Errorf("handling %s request: %w", request.command, err)
+		}
+		return nil
+	default:
+		c.encodeFailedResponse(c.clientConn, socksVersion, commandNotSupported)
+		return fmt.Errorf("command %s is not supported", request.command)
+	}
+}
+
+func (c *socksConn) handleConnectRequest(ctx context.Context,
+	socksVersion byte, request request,
+) error {
+	destinationAddress := net.JoinHostPort(request.destination, fmt.Sprint(request.port))
+	destinationConn, err := c.dialer.DialContext(ctx, "tcp", destinationAddress)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return err
+	}
+	defer destinationConn.Close()
+
+	destinationServerAddress := destinationConn.LocalAddr().String()
+	destinationAddr, destinationPortStr, err := net.SplitHostPort(destinationServerAddress)
+	if err != nil {
+		return fmt.Errorf("splitting destination address: %w", err)
+	}
+	destinationPort, err := strconv.ParseUint(destinationPortStr, 10, 16)
+	if err != nil {
+		return fmt.Errorf("port is malformed: %q", destinationPortStr)
+	}
+
+	var bindAddrType addrType
+	if ip := net.ParseIP(destinationAddr); ip != nil {
+		if ip.To4() != nil {
+			bindAddrType = ipv4
+		} else {
+			bindAddrType = ipv6
+		}
+	} else {
+		bindAddrType = domainName
+	}
+
+	err = c.encodeSuccessResponse(c.clientConn, socksVersion, succeeded, bindAddrType,
+		destinationAddr, uint16(destinationPort))
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("writing successful %s response: %w", request.command, err)
+	}
+
+	const capacity = 2 // if one goroutine fails, we don't want to leak the other one
+	errc := make(chan error, capacity)
+	go func() {
+		_, err := io.Copy(c.clientConn, destinationConn)
+		if err != nil {
+			err = fmt.Errorf("from backend to client: %w", err)
+		}
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(destinationConn, c.clientConn)
+		if err != nil {
+			err = fmt.Errorf("from client to backend: %w", err)
+		}
+		errc <- err
+	}()
+	select {
+	case err := <-errc:
+		return err
+	case <-ctx.Done():
+		_ = destinationConn.Close()
+		_ = c.clientConn.Close()
+		return nil
+	}
+}
+
+func (c *socksConn) handleUDPAssociateRequest(ctx context.Context,
+	socksVersion byte, request request,
+) error {
+	expectedAddrPort, err := udpAssociateExpectedClientEndpoint(request)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, addressTypeNotSupported)
+		return fmt.Errorf("deriving expected client address and port from request: %w", err)
+	}
+
+	bindAddress, bindPort, bindAddrType, err := c.udpAssociationAddresses()
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("getting udp association addresses: %w", err)
+	}
+
+	association, err := c.udpRouter.registerAssociation(c.clientConn, expectedAddrPort)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("registering udp association: %w", err)
+	}
+	defer c.udpRouter.unregisterAssociation(association)
+
+	err = c.encodeSuccessResponse(c.clientConn, socksVersion, succeeded,
+		bindAddrType, bindAddress, bindPort)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("writing successful %s response: %w", udpAssociate, err)
+	}
+
+	associationCtx, associationCancel := context.WithCancel(ctx)
+	defer associationCancel()
+
+	var wg sync.WaitGroup
+
+	wg.Go(func() {
+		c.udpRouter.runAssociationHandler(associationCtx, association)
+	})
+
+	wg.Go(func() {
+		_, _ = io.Copy(io.Discard, c.clientConn)
+		associationCancel()
+	})
+	<-associationCtx.Done()
+	wg.Wait()
+	return nil
+}
+
+func udpAssociateExpectedClientEndpoint(request request) (expectedAddrPort netip.AddrPort, err error) {
+	switch request.addressType {
+	case ipv4, ipv6:
+		expectedClientAddress, parseErr := netip.ParseAddr(request.destination)
+		if parseErr != nil {
+			return netip.AddrPort{}, fmt.Errorf("parsing destination address: %w", parseErr)
+		}
+		expectedClientAddress = expectedClientAddress.Unmap()
+		if !expectedClientAddress.IsUnspecified() {
+			return netip.AddrPortFrom(expectedClientAddress, request.port), nil
+		}
+		return netip.AddrPortFrom(netip.Addr{}, request.port), nil
+	case domainName:
+		// For UDP associate, client endpoint matching is based on observed UDP source
+		// address/port. A hostname is not directly matchable at this stage, so we
+		// ignore the domain name request destination entirely.
+		return netip.AddrPortFrom(netip.Addr{}, request.port), nil
+	default:
+		return netip.AddrPort{}, fmt.Errorf("address type %d is not supported", request.addressType)
+	}
+}
+
+func (c *socksConn) udpAssociationAddresses() (bindAddress string,
+	bindPort uint16, bindAddrType addrType, err error,
+) {
+	localAddress := c.udpRouter.localAddress().String()
+	host, portString, err := net.SplitHostPort(localAddress)
+	if err != nil {
+		return "", 0, 0, fmt.Errorf("splitting local address: %w", err)
+	}
+	port, err := strconv.ParseUint(portString, 10, 16)
+	if err != nil {
+		return "", 0, 0, fmt.Errorf("parsing local port: %w", err)
+	}
+	bindAddress = host
+	bindPort = uint16(port)
+	if isUnspecifiedIPAddress(bindAddress) {
+		controlLocalAddress := c.clientConn.LocalAddr().String()
+		controlLocalHost, _, splitErr := net.SplitHostPort(controlLocalAddress)
+		if splitErr != nil {
+			return "", 0, 0, fmt.Errorf("splitting control connection local address: %w", splitErr)
+		}
+		bindAddress = controlLocalHost
+	}
+
+	ipAddress := net.ParseIP(bindAddress)
+	if ipAddress == nil {
+		bindAddrType = domainName
+		return bindAddress, bindPort, bindAddrType, nil
+	}
+
+	if ipAddress.To4() != nil {
+		bindAddrType = ipv4
+	} else {
+		bindAddrType = ipv6
+	}
+
+	return bindAddress, bindPort, bindAddrType, nil
+}
+
+func isUnspecifiedIPAddress(address string) bool {
+	ipAddress, err := netip.ParseAddr(address)
+	if err != nil {
+		return false
+	}
+	return ipAddress.IsUnspecified()
+}
+
+func decodeUDPDatagram(packet []byte) (destination string, payload []byte, err error) {
+	const minimumPacketLength = 4
+	if len(packet) < minimumPacketLength {
+		return "", nil, fmt.Errorf("packet is too short: %d", len(packet))
+	}
+	if packet[0] != 0 || packet[1] != 0 {
+		return "", nil, fmt.Errorf("reserved bytes are invalid: %x %x", packet[0], packet[1])
+	}
+	if packet[2] != 0 {
+		return "", nil, fmt.Errorf("fragmentation is not supported")
+	}
+
+	offset := 3
+	addressType := addrType(packet[offset])
+	offset++
+
+	switch addressType {
+	case ipv4:
+		const ipv4Length = 4
+		if len(packet) < offset+ipv4Length+2 {
+			return "", nil, fmt.Errorf("packet is too short for IPv4 address")
+		}
+		var ip [ipv4Length]byte
+		copy(ip[:], packet[offset:offset+ipv4Length])
+		destination = netip.AddrFrom4(ip).String()
+		offset += ipv4Length
+	case ipv6:
+		const ipv6Length = 16
+		if len(packet) < offset+ipv6Length+2 {
+			return "", nil, fmt.Errorf("packet is too short for IPv6 address")
+		}
+		var ip [ipv6Length]byte
+		copy(ip[:], packet[offset:offset+ipv6Length])
+		destination = netip.AddrFrom16(ip).String()
+		offset += ipv6Length
+	case domainName:
+		if len(packet) < offset+1 {
+			return "", nil, fmt.Errorf("packet is too short for domain name length")
+		}
+		domainNameLength := int(packet[offset])
+		offset++
+		if len(packet) < offset+domainNameLength+2 {
+			return "", nil, fmt.Errorf("packet is too short for domain name")
+		}
+		destination = string(packet[offset : offset+domainNameLength])
+		offset += domainNameLength
+	default:
+		return "", nil, fmt.Errorf("address type is not supported: %d", addressType)
+	}
+
+	port := binary.BigEndian.Uint16(packet[offset : offset+2])
+	destination = net.JoinHostPort(destination, fmt.Sprint(port))
+	offset += 2
+	payload = packet[offset:]
+
+	return destination, payload, nil
+}
+
+func encodeUDPDatagramToBuffer(writer io.Writer, sourceAddrPort netip.AddrPort,
+	payload []byte,
+) error {
+	address := sourceAddrPort.Addr()
+	if !address.IsValid() {
+		return errors.New("source address is not valid")
+	}
+
+	err := writeUDPDatagramSourceAddress(writer, address)
+	if err != nil {
+		return fmt.Errorf("writing source address: %w", err)
+	}
+
+	var portBytes [2]byte
+	binary.BigEndian.PutUint16(portBytes[:], sourceAddrPort.Port())
+	_, err = writer.Write(portBytes[:])
+	if err != nil {
+		return fmt.Errorf("writing destination port: %w", err)
+	}
+
+	_, err = writer.Write(payload)
+	if err != nil {
+		return fmt.Errorf("writing payload: %w", err)
+	}
+
+	return nil
+}
+
+func writeUDPDatagramSourceAddress(writer io.Writer, address netip.Addr) error {
+	var addrType addrType
+	var addressBytes []byte
+	switch {
+	case address.Is4():
+		addrType = ipv4
+		array := address.As4()
+		addressBytes = array[:]
+	case address.Is6():
+		addrType = ipv6
+		array := address.As16()
+		addressBytes = array[:]
+	default:
+		return fmt.Errorf("address type is not supported: %v", address)
+	}
+
+	_, err := writer.Write([]byte{0, 0, 0, byte(addrType)})
+	if err != nil {
+		return fmt.Errorf("writing header: %w", err)
+	}
+	_, err = writer.Write(addressBytes)
+	if err != nil {
+		return fmt.Errorf("writing IP address: %w", err)
+	}
+	return nil
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-3
+func verifyFirstNegotiation(reader io.Reader, requiredMethod authMethod) error {
+	const headerLength = 2 // version + nMethods bytes
+	header := make([]byte, headerLength)
+	_, err := io.ReadFull(reader, header)
+	if err != nil {
+		return fmt.Errorf("reading header: %w", err)
+	}
+
+	if header[0] != socks5Version {
+		return fmt.Errorf("version is not supported: %d", header[0])
+	}
+
+	nMethods := header[1]
+	if nMethods == 0 {
+		return fmt.Errorf("%w", errNoMethodIdentifiers)
+	}
+
+	methodIdentifiers := make([]byte, nMethods)
+	_, err = io.ReadFull(reader, methodIdentifiers)
+	if err != nil {
+		return fmt.Errorf("reading method identifiers: %w", err)
+	}
+	for _, methodIdentifier := range methodIdentifiers {
+		if methodIdentifier == byte(requiredMethod) {
+			return nil
+		}
+	}
+
+	return makeNoAcceptableMethodError(requiredMethod, methodIdentifiers)
+}
+
+func makeNoAcceptableMethodError(requiredAuthMethod authMethod, methodIdentifiers []byte) error {
+	methodNames := make([]string, len(methodIdentifiers))
+	for i, methodIdentifier := range methodIdentifiers {
+		methodNames[i] = fmt.Sprintf("%q", authMethod(methodIdentifier))
+	}
+
+	return fmt.Errorf("%w: none of %s matches %s",
+		errNoValidMethodIdentifier, strings.Join(methodNames, ", "),
+		requiredAuthMethod)
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-4
+type request struct {
+	command     cmdType
+	destination string
+	port        uint16
+	addressType addrType
+}
+
+func decodeRequest(reader io.Reader, expectedVersion byte) (req request, err error) {
+	const headerLength = 4
+	header := [headerLength]byte{}
+	_, err = io.ReadFull(reader, header[:])
+	if err != nil {
+		return request{}, fmt.Errorf("reading header: %w", err)
+	}
+
+	version := header[0]
+	switch {
+	case version != expectedVersion:
+		return request{}, fmt.Errorf("version is not supported: expected %d and got %d",
+			expectedVersion, version)
+	case header[2] != 0:
+		return request{}, fmt.Errorf("reserved header byte must be 0 but got %d", header[2])
+	}
+
+	req.command = cmdType(header[1])
+	// header[2] is RSV byte
+	req.addressType = addrType(header[3])
+
+	switch req.addressType {
+	case ipv4:
+		var ip [4]byte
+		_, err = io.ReadFull(reader, ip[:])
+		if err != nil {
+			return request{}, fmt.Errorf("reading IPv4 address: %w", err)
+		}
+		req.destination = netip.AddrFrom4(ip).String()
+	case ipv6:
+		var ip [16]byte
+		_, err = io.ReadFull(reader, ip[:])
+		if err != nil {
+			return request{}, fmt.Errorf("reading IPv6 address: %w", err)
+		}
+		req.destination = netip.AddrFrom16(ip).String()
+	case domainName:
+		var header [1]byte
+		_, err = io.ReadFull(reader, header[:])
+		if err != nil {
+			return request{}, fmt.Errorf("reading domain name header: %w", err)
+		}
+		domainName := make([]byte, header[0])
+		_, err = io.ReadFull(reader, domainName)
+		if err != nil {
+			return request{}, fmt.Errorf("reading domain name bytes: %w", err)
+		}
+		req.destination = string(domainName)
+	default:
+		return request{}, fmt.Errorf("address type is not supported: %d", req.addressType)
+	}
+
+	var portBytes [2]byte
+	_, err = io.ReadFull(reader, portBytes[:])
+	if err != nil {
+		return request{}, fmt.Errorf("reading port: %w", err)
+	}
+	req.port = binary.BigEndian.Uint16(portBytes[:])
+
+	return req, nil
+}

internal/socks5/udp_router.go

@@ -0,0 +1,370 @@
+package socks5
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+)
+
+type udpAssociation struct {
+	id               uint64
+	clientAddrPort   netip.AddrPort
+	expectedAddrPort netip.AddrPort
+	controlConnAddr  netip.Addr
+	packetCh         chan *bytes.Buffer
+}
+
+type udpRouter struct {
+	logger Logger
+
+	listener                      net.PacketConn
+	mutex                         sync.Mutex
+	bufferPool                    sync.Pool
+	nextAssociationID             uint64
+	clientAddrPortToAssociation   map[netip.AddrPort]udpAssociation
+	clientIPToPendingAssociations map[netip.Addr][]udpAssociation
+	associationIDToClientAddrPort map[uint64]netip.AddrPort
+}
+
+const (
+	maxUDPPacketLength            = 65535
+	maxSOCKS5UDPDatagramOverhead  = 3 + 1 + 16 + 2
+	pooledUDPPacketBufferCapacity = maxUDPPacketLength + maxSOCKS5UDPDatagramOverhead
+)
+
+func newUDPRouter(ctx context.Context, address string, logger Logger) (router *udpRouter, err error) {
+	config := &net.ListenConfig{}
+	listener, err := config.ListenPacket(ctx, "udp", address)
+	if err != nil {
+		return nil, fmt.Errorf("UDP listening: %w", err)
+	}
+
+	return &udpRouter{
+		logger:   logger,
+		listener: listener,
+		bufferPool: sync.Pool{
+			New: func() any {
+				return bytes.NewBuffer(make([]byte, 0, pooledUDPPacketBufferCapacity))
+			},
+		},
+		nextAssociationID:             1,
+		clientAddrPortToAssociation:   make(map[netip.AddrPort]udpAssociation),
+		clientIPToPendingAssociations: make(map[netip.Addr][]udpAssociation),
+		associationIDToClientAddrPort: make(map[uint64]netip.AddrPort),
+	}, nil
+}
+
+func (r *udpRouter) localAddress() net.Addr {
+	return r.listener.LocalAddr()
+}
+
+func (r *udpRouter) close() error {
+	return r.listener.Close()
+}
+
+func (r *udpRouter) registerAssociation(controlConn net.Conn, expectedAddrPort netip.AddrPort) (udpAssociation, error) {
+	controlConnAddrPort, err := netip.ParseAddrPort(controlConn.RemoteAddr().String())
+	if err != nil {
+		return udpAssociation{}, fmt.Errorf("parsing control connection address: %w", err)
+	}
+	controlConnAddr := controlConnAddrPort.Addr().Unmap()
+
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
+	const udpPacketChannelBuffer = 2
+	associationID := r.nextAssociationID
+	r.nextAssociationID++
+
+	association := udpAssociation{
+		id:               associationID,
+		expectedAddrPort: expectedAddrPort,
+		controlConnAddr:  controlConnAddr,
+		packetCh:         make(chan *bytes.Buffer, udpPacketChannelBuffer),
+	}
+
+	if expectedAddrPort.Addr().IsValid() && expectedAddrPort.Port() != 0 {
+		association.clientAddrPort = expectedAddrPort
+		r.clientAddrPortToAssociation[association.clientAddrPort] = association
+		r.associationIDToClientAddrPort[association.id] = association.clientAddrPort
+		return association, nil
+	}
+
+	pendingAssociations := r.clientIPToPendingAssociations[controlConnAddr]
+	pendingAssociations = append(pendingAssociations, association)
+	r.clientIPToPendingAssociations[controlConnAddr] = pendingAssociations
+
+	return association, nil
+}
+
+func (r *udpRouter) unregisterAssociation(association udpAssociation) {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
+	clientAddrPort, hasClientAddress := r.associationIDToClientAddrPort[association.id]
+	if hasClientAddress {
+		delete(r.associationIDToClientAddrPort, association.id)
+		delete(r.clientAddrPortToAssociation, clientAddrPort)
+	}
+
+	pendingAssociations := r.clientIPToPendingAssociations[association.controlConnAddr]
+	for i, pendingAssociation := range pendingAssociations {
+		if pendingAssociation.id == association.id {
+			pendingAssociations = append(pendingAssociations[:i], pendingAssociations[i+1:]...)
+			break
+		}
+	}
+	if len(pendingAssociations) == 0 {
+		delete(r.clientIPToPendingAssociations, association.controlConnAddr)
+	} else {
+		r.clientIPToPendingAssociations[association.controlConnAddr] = pendingAssociations
+	}
+}
+
+func (r *udpRouter) run(ctx context.Context) error {
+	packetBuffer := make([]byte, maxUDPPacketLength)
+
+	for {
+		packetLength, sourceAddress, err := r.listener.ReadFrom(packetBuffer)
+		if err != nil {
+			if ctx.Err() != nil && errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			return fmt.Errorf("reading UDP packet: %w", err)
+		}
+
+		sourceAddrPort, err := netAddrToNetipAddrPort(sourceAddress)
+		if err != nil {
+			r.logger.Warnf("parsing source address: %s", err)
+			continue
+		}
+		buffer := r.bufferPool.Get().(*bytes.Buffer) //nolint:forcetypeassert
+		buffer.Reset()
+		_, err = buffer.Write(packetBuffer[:packetLength])
+		if err != nil {
+			r.bufferPool.Put(buffer)
+			r.logger.Warnf("buffering packet: %s", err)
+			continue
+		}
+		err = r.routePacket(sourceAddrPort, buffer)
+		if err != nil {
+			r.logger.Warnf("failed routing UDP packet: %s", err)
+		}
+	}
+}
+
+func (r *udpRouter) routePacket(sourceAddrPort netip.AddrPort, packet *bytes.Buffer) error {
+	r.mutex.Lock()
+	association, packetFromClient := r.findClientAssociation(sourceAddrPort)
+	r.mutex.Unlock()
+
+	if !packetFromClient {
+		r.bufferPool.Put(packet)
+		return nil
+	}
+
+	select {
+	case association.packetCh <- packet:
+		return nil
+	default:
+		r.bufferPool.Put(packet)
+		return errors.New("association packet queue full")
+	}
+}
+
+func (r *udpRouter) findClientAssociation(sourceAddrPort netip.AddrPort) (
+	association udpAssociation, ok bool,
+) {
+	association, ok = r.clientAddrPortToAssociation[sourceAddrPort]
+	if ok {
+		return association, true
+	}
+	sourceAddr := sourceAddrPort.Addr()
+
+	pendingAssociations := r.clientIPToPendingAssociations[sourceAddr]
+	if len(pendingAssociations) == 0 {
+		return udpAssociation{}, false
+	}
+
+	index := -1
+	for i, pendingAssociation := range pendingAssociations {
+		if matchesExpectedClientEndpoint(pendingAssociation, sourceAddrPort) {
+			association = pendingAssociation
+			index = i
+			break
+		}
+	}
+	if index == -1 {
+		return udpAssociation{}, false
+	}
+
+	r.clientIPToPendingAssociations[sourceAddr] = append(pendingAssociations[:index], pendingAssociations[index+1:]...)
+	if len(r.clientIPToPendingAssociations[sourceAddr]) == 0 {
+		delete(r.clientIPToPendingAssociations, sourceAddr)
+	}
+
+	association.clientAddrPort = sourceAddrPort
+	r.clientAddrPortToAssociation[sourceAddrPort] = association
+	r.associationIDToClientAddrPort[association.id] = sourceAddrPort
+
+	return association, true
+}
+
+func matchesExpectedClientEndpoint(association udpAssociation, sourceAddrPort netip.AddrPort) bool {
+	switch {
+	case association.expectedAddrPort.Addr().IsValid() && sourceAddrPort.Addr() != association.expectedAddrPort.Addr():
+		return false
+	case association.expectedAddrPort.Port() != 0 && sourceAddrPort.Port() != association.expectedAddrPort.Port():
+		return false
+	}
+	return true
+}
+
+func (r *udpRouter) clientAddrPortForAssociation(associationID uint64) (
+	clientAddrPort netip.AddrPort, ok bool,
+) {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
+	clientAddrPort, ok = r.associationIDToClientAddrPort[associationID]
+	return clientAddrPort, ok
+}
+
+func (r *udpRouter) runAssociationHandler(ctx context.Context, association udpAssociation) {
+	config := &net.ListenConfig{}
+	socket, err := config.ListenPacket(ctx, "udp", ":0")
+	if err != nil {
+		r.logger.Warnf("creating per-association UDP socket: %s", err)
+		return
+	}
+	defer socket.Close()
+
+	go closeSocketOnContextDone(ctx, socket)
+
+	packetBuffer := make([]byte, maxUDPPacketLength)
+
+	forwardDoneCh := make(chan struct{})
+	go r.forwardClientPackets(ctx, socket, association.packetCh, forwardDoneCh)
+
+	for {
+		packetLength, sourceAddress, err := socket.ReadFrom(packetBuffer)
+		if err != nil {
+			if ctx.Err() != nil || errors.Is(err, net.ErrClosed) {
+				<-forwardDoneCh
+				return
+			}
+			r.logger.Warnf("reading from per-association UDP socket: %s", err)
+			continue
+		}
+
+		sourceAddrPort, err := netAddrToNetipAddrPort(sourceAddress)
+		if err != nil {
+			r.logger.Warnf("parsing source address from destination: %s", err)
+			continue
+		}
+
+		buffer := r.bufferPool.Get().(*bytes.Buffer) //nolint:forcetypeassert
+		buffer.Reset()
+		err = encodeUDPDatagramToBuffer(buffer, sourceAddrPort, packetBuffer[:packetLength])
+		if err != nil {
+			r.bufferPool.Put(buffer)
+			r.logger.Warnf("encoding response datagram: %s", err)
+			continue
+		}
+
+		clientAddrPort, found := r.clientAddrPortForAssociation(association.id)
+		if !found {
+			r.bufferPool.Put(buffer)
+			r.logger.Warnf("client address not found for association id %d", association.id)
+			continue
+		}
+
+		clientUDPAddress := &net.UDPAddr{
+			IP:   clientAddrPort.Addr().AsSlice(),
+			Port: int(clientAddrPort.Port()),
+		}
+		_, err = r.listener.WriteTo(buffer.Bytes(), clientUDPAddress)
+		r.bufferPool.Put(buffer)
+		if err != nil {
+			r.logger.Warnf("writing response to client: %s", err)
+		}
+	}
+}
+
+func closeSocketOnContextDone(ctx context.Context, socket net.PacketConn) {
+	<-ctx.Done()
+	_ = socket.Close()
+}
+
+func (r *udpRouter) forwardClientPackets(ctx context.Context, socket net.PacketConn,
+	packetCh <-chan *bytes.Buffer, done chan<- struct{},
+) {
+	defer close(done)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case buffer, ok := <-packetCh:
+			if !ok {
+				return
+			}
+
+			err := r.writeClientPacketToDestination(ctx, socket, buffer)
+			r.bufferPool.Put(buffer)
+			if err != nil {
+				r.logger.Warnf("forwarding client packet to destination: %s", err)
+			}
+		}
+	}
+}
+
+func (r *udpRouter) writeClientPacketToDestination(ctx context.Context,
+	socket net.PacketConn, packet *bytes.Buffer,
+) error {
+	destination, payload, err := decodeUDPDatagram(packet.Bytes())
+	if err != nil {
+		return fmt.Errorf("decoding UDP datagram: %w", err)
+	}
+
+	host, portStr, err := net.SplitHostPort(destination)
+	if err != nil {
+		return fmt.Errorf("splitting destination host and port: %w", err)
+	}
+
+	if _, err := netip.ParseAddr(host); err != nil { // domain name
+		addrs, err := net.DefaultResolver.LookupHost(ctx, host)
+		if err != nil {
+			return fmt.Errorf("resolving destination host: %w", err)
+		}
+		if len(addrs) == 0 {
+			return fmt.Errorf("resolving destination host: no addresses found for %q", host)
+		}
+
+		destination = net.JoinHostPort(addrs[0], portStr)
+	}
+
+	resolvedDestinationUDPAddress, err := net.ResolveUDPAddr("udp", destination)
+	if err != nil {
+		return fmt.Errorf("resolving destination UDP address: %w", err)
+	}
+
+	_, err = socket.WriteTo(payload, resolvedDestinationUDPAddress)
+	if err != nil && ctx.Err() == nil {
+		return fmt.Errorf("writing payload to destination: %w", err)
+	}
+
+	return nil
+}
+
+func netAddrToNetipAddrPort(addr net.Addr) (netip.AddrPort, error) {
+	addrPort, err := netip.ParseAddrPort(addr.String())
+	if err != nil {
+		return netip.AddrPort{}, fmt.Errorf("parsing address: %w", err)
+	}
+	return netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port()), nil
+}

internal/socks5/udp_router_integration_test.go

@@ -0,0 +1,164 @@
+//go:build integration
+
+package socks5
+
+import (
+	"bytes"
+	"context"
+	"math/rand/v2"
+	"net"
+	"net/netip"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_udpRouter_ResolveGithubFromCloudflareDNS(t *testing.T) {
+	t.Parallel()
+
+	ctx := t.Context()
+	var cancel context.CancelFunc
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		const deadlineBuffer = 500 * time.Millisecond
+		deadline = deadline.Add(-deadlineBuffer)
+	} else {
+		const defaultTimeout = 10 * time.Second
+		deadline = time.Now().Add(defaultTimeout)
+	}
+	ctx, cancel = context.WithDeadline(ctx, deadline)
+
+	ctrl := gomock.NewController(t)
+	logger := NewMockLogger(ctrl)
+
+	router, err := newUDPRouter(ctx, "127.0.0.1:0", logger)
+	require.NoError(t, err)
+
+	routerRunErrCh := make(chan error)
+	go func() {
+		routerRunErrCh <- router.run(ctx)
+	}()
+
+	t.Cleanup(func() {
+		cancel()
+		err := router.close()
+		assert.NoError(t, err, "closing router")
+		runErr := <-routerRunErrCh
+		assert.NoError(t, runErr)
+	})
+
+	controlListener, err := (&net.ListenConfig{}).Listen(ctx, "tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err := controlListener.Close()
+		assert.NoError(t, err, "closing control listener")
+	})
+
+	acceptedConnCh := make(chan net.Conn)
+	go func() {
+		acceptedConn, acceptErr := controlListener.Accept()
+		assert.NoError(t, acceptErr, "accepting control connection")
+		if acceptErr != nil {
+			return
+		}
+		acceptedConnCh <- acceptedConn
+	}()
+
+	clientControlConn, err := (&net.Dialer{}).DialContext(ctx, "tcp", controlListener.Addr().String())
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err = clientControlConn.Close()
+		assert.NoError(t, err, "closing client control connection")
+	})
+
+	serverControlConn := <-acceptedConnCh
+	t.Cleanup(func() {
+		err := serverControlConn.Close()
+		assert.NoError(t, err, "closing server control connection")
+	})
+
+	association, err := router.registerAssociation(serverControlConn, netip.AddrPort{})
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		router.unregisterAssociation(association)
+	})
+
+	associationCtx, associationCancel := context.WithCancel(ctx)
+	handlerDoneCh := make(chan struct{})
+	go func() {
+		router.runAssociationHandler(associationCtx, association)
+		close(handlerDoneCh)
+	}()
+	t.Cleanup(func() {
+		associationCancel()
+		<-handlerDoneCh
+	})
+
+	udpRouterAddress, err := net.ResolveUDPAddr("udp", router.localAddress().String())
+	require.NoError(t, err)
+
+	clientUDPConn, err := net.DialUDP("udp", nil, udpRouterAddress)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err := clientUDPConn.Close()
+		assert.NoError(t, err, "closing client UDP connection")
+	})
+
+	queryID := uint16(rand.Uint32()) //nolint:gosec
+	dnsRequest := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Id:               queryID,
+			RecursionDesired: true,
+		},
+		Question: []dns.Question{{
+			Name:   dns.Fqdn("github.com"),
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}},
+	}
+	dnsQuery, err := dnsRequest.Pack()
+	require.NoError(t, err)
+
+	targetAddrPort := netip.MustParseAddrPort("1.1.1.1:53")
+	socksDatagramBuffer := bytes.NewBuffer(nil)
+	err = encodeUDPDatagramToBuffer(socksDatagramBuffer, targetAddrPort, dnsQuery)
+	require.NoError(t, err)
+	socksDatagram := socksDatagramBuffer.Bytes()
+
+	err = clientUDPConn.SetDeadline(deadline)
+	require.NoError(t, err)
+
+	_, err = clientUDPConn.Write(socksDatagram)
+	require.NoError(t, err)
+
+	responseBuffer := make([]byte, maxUDPPacketLength)
+	responseLength, err := clientUDPConn.Read(responseBuffer)
+	require.NoError(t, err)
+
+	responseDestination, responsePayload, err := decodeUDPDatagram(responseBuffer[:responseLength])
+	require.NoError(t, err)
+
+	responseHost, responsePortString, err := net.SplitHostPort(responseDestination)
+	require.NoError(t, err)
+	responsePort, err := strconv.ParseUint(responsePortString, 10, 16)
+	require.NoError(t, err)
+	assert.Equal(t, uint64(53), responsePort)
+	assert.NotEmpty(t, responseHost)
+
+	dnsResponse := new(dns.Msg)
+	err = dnsResponse.Unpack(responsePayload)
+	require.NoError(t, err)
+	assert.Equal(t, queryID, dnsResponse.Id)
+	assert.True(t, dnsResponse.Response)
+	assert.Equal(t, dns.RcodeSuccess, dnsResponse.Rcode)
+	require.NotEmpty(t, dnsResponse.Question)
+	assert.Equal(t, dns.Fqdn("github.com"), dnsResponse.Question[0].Name)
+	assert.Equal(t, dns.TypeA, dnsResponse.Question[0].Qtype)
+	assert.NotEmpty(t, dnsResponse.Answer)
+	require.NoError(t, err)
+}

internal/socks5/usernamepassword.go

@@ -0,0 +1,62 @@
+package socks5
+
+import (
+	"fmt"
+	"io"
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1929#section-2
+func usernamePasswordSubnegotiate(conn io.ReadWriter, username, password string) (err error) {
+	status := byte(1)
+	const defaultVersion = byte(1)
+
+	const headerLength = 2
+	var header [headerLength]byte
+	_, err = io.ReadFull(conn, header[:])
+	if err != nil {
+		_, _ = conn.Write([]byte{defaultVersion, status})
+		return fmt.Errorf("reading header: %w", err)
+	}
+
+	if header[0] != authUsernamePasswordSubNegotiation1 {
+		_, _ = conn.Write([]byte{defaultVersion, status})
+		return fmt.Errorf("subnegotiation version not supported: %d", header[0])
+	}
+	version := header[0]
+
+	usernameBytes := make([]byte, header[1])
+	_, err = io.ReadFull(conn, usernameBytes)
+	if err != nil {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("reading username bytes: %w", err)
+	} else if username != string(usernameBytes) {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("username received is not valid")
+	}
+
+	const passwordHeaderLength = 1
+	passwordHeader := make([]byte, passwordHeaderLength)
+	_, err = io.ReadFull(conn, passwordHeader)
+	if err != nil {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("reading password length: %w", err)
+	}
+
+	passwordBytes := make([]byte, passwordHeader[0])
+	_, err = io.ReadFull(conn, passwordBytes)
+	if err != nil {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("reading password bytes: %w", err)
+	} else if password != string(passwordBytes) {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("password not valid for username %q", string(usernameBytes))
+	}
+
+	status = 0
+	_, err = conn.Write([]byte{version, status})
+	if err != nil {
+		return fmt.Errorf("writing success status: %w", err)
+	}
+
+	return nil
+}

internal/storage/hardcoded.go

@@ -1,32 +1,23 @@
 package storage
 
 import (
-	"embed"
 	"encoding/json"
 	"fmt"
-	"path"
+	"path/filepath"
 
 	serversmodule "github.com/qdm12/gluetun-servers/pkg/servers"
+	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/models"
 )
 
-//go:embed servers.json
-var allServersEmbedFS embed.FS
-
 func parseHardcodedServers() (allServers models.AllServers) {
-	f, err := allServersEmbedFS.Open("servers.json")
-	if err != nil {
-		panic(err)
-	}
-	defer f.Close() // no-op
-	decoder := json.NewDecoder(f)
-	err = decoder.Decode(&allServers)
-	if err != nil {
-		panic("decoding servers.json: " + err.Error())
-	}
+	allProviders := providers.All()
 
-	for provider, metadata := range allServers.ProviderToServers {
-		filename := path.Base(metadata.Filepath)
+	const version = 1
+	allServers.ProviderToServers = make(map[string]models.Servers, len(allProviders))
+	allServers.Version = version
+	for _, provider := range allProviders {
+		filename := provider + ".json"
 		providerFile, err := serversmodule.Files.Open(filename)
 		if err != nil {
 			panic(fmt.Sprintf("reading embedded provider file %s for %s: %s", filename, provider, err))
@@ -44,7 +35,8 @@ func parseHardcodedServers() (allServers models.AllServers) {
 				filename, provider))
 		}
 
-		providerServers.Filepath = metadata.Filepath // inherit filepath from servers.json
+		const serversPath = "/gluetun/servers/"
+		providerServers.Filepath = filepath.Join(serversPath, filename)
 		allServers.ProviderToServers[provider] = providerServers
 	}
 

internal/storage/helpers.go

@@ -3,6 +3,5 @@ package storage
 import "fmt"
 
 func panicOnProviderMissingHardcoded(provider string) {
-	panic(fmt.Sprintf("provider %s not found in hardcoded servers map; "+
-		"did you add the provider key in the embedded servers.json?", provider))
+	panic(fmt.Sprintf("provider %s not found in hardcoded servers map", provider))
 }

internal/storage/read_test.go

@@ -152,8 +152,7 @@ func Test_extractServersFromBytes(t *testing.T) {
 			allProviders[0]: 1,
 			// Missing provider allProviders[1]
 		}
-		expectedPanicValue := fmt.Sprintf("provider %s not found in hardcoded servers map; "+
-			"did you add the provider key in the embedded servers.json?", allProviders[1])
+		expectedPanicValue := fmt.Sprintf("provider %s not found in hardcoded servers map", allProviders[1])
 		assert.PanicsWithValue(t, expectedPanicValue, func() {
 			_, _ = s.extractServersFromBytes(b, hardcodedVersions)
 		})

internal/storage/servers.json

@@ -1,72 +0,0 @@
-{
-  "version": 1,
-  "airvpn": {
-    "filepath": "/gluetun/servers/airvpn.json"
-  },
-  "cyberghost": {
-    "filepath": "/gluetun/servers/cyberghost.json"
-  },
-  "expressvpn": {
-    "filepath": "/gluetun/servers/expressvpn.json"
-  },
-  "fastestvpn": {
-    "filepath": "/gluetun/servers/fastestvpn.json"
-  },
-  "giganews": {
-    "filepath": "/gluetun/servers/giganews.json"
-  },
-  "hidemyass": {
-    "filepath": "/gluetun/servers/hidemyass.json"
-  },
-  "ipvanish": {
-    "filepath": "/gluetun/servers/ipvanish.json"
-  },
-  "ivpn": {
-    "filepath": "/gluetun/servers/ivpn.json"
-  },
-  "mullvad": {
-    "filepath": "/gluetun/servers/mullvad.json"
-  },
-  "nordvpn": {
-    "filepath": "/gluetun/servers/nordvpn.json"
-  },
-  "perfect privacy": {
-    "filepath": "/gluetun/servers/perfect privacy.json"
-  },
-  "privado": {
-    "filepath": "/gluetun/servers/privado.json"
-  },
-  "private internet access": {
-    "filepath": "/gluetun/servers/private internet access.json"
-  },
-  "privatevpn": {
-    "filepath": "/gluetun/servers/privatevpn.json"
-  },
-  "protonvpn": {
-    "filepath": "/gluetun/servers/protonvpn.json"
-  },
-  "purevpn": {
-    "filepath": "/gluetun/servers/purevpn.json"
-  },
-  "slickvpn": {
-    "filepath": "/gluetun/servers/slickvpn.json"
-  },
-  "surfshark": {
-    "filepath": "/gluetun/servers/surfshark.json"
-  },
-  "torguard": {
-    "filepath": "/gluetun/servers/torguard.json"
-  },
-  "vpn unlimited": {
-    "filepath": "/gluetun/servers/vpn unlimited.json"
-  },
-  "vpnsecure": {
-    "filepath": "/gluetun/servers/vpnsecure.json"
-  },
-  "vyprvpn": {
-    "filepath": "/gluetun/servers/vyprvpn.json"
-  },
-  "windscribe": {
-    "filepath": "/gluetun/servers/windscribe.json"
-  }
-}

internal/version/github.go

@@ -31,7 +31,7 @@ func getGithubReleases(ctx context.Context, client *http.Client) (releases []git
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 
-	const url = "https://api.github.com/repos/qdm12/gluetun/releases"
+	const url = "https://api.github.com/repos/passteque/gluetun/releases"
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
@@ -62,7 +62,7 @@ func getGithubCommits(ctx context.Context, client *http.Client) (commits []githu
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 
-	const url = "https://api.github.com/repos/qdm12/gluetun/commits"
+	const url = "https://api.github.com/repos/passteque/gluetun/commits"
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err

maintenance.md

@@ -1,19 +1,13 @@
 # Maintenance
 
 - Change `Run` methods to `Start`+`Stop`, returning channels rather than injecting them
-- Go 1.18
-  - gofumpt
-  - Use netip
-- Split servers.json
 - Common slice of Wireguard providers in config settings
 - DNS block lists as LFS and built in image
 - Add HTTP server v3 as json rpc
 - Use `github.com/qdm12/ddns-updater/pkg/publicip`
-- Windows and Darwin development support
 
 ## Features
 
-- Authentication with the control server
 - Get announcement from Github file
 - Support multiple connections in custom ovpn
 - Automate IPv6 detection for OpenVPN