log out json from dns leak test

SERVER_DEDICATED option
PR feedback
2026-06-28 23:07:38 +02:00 · 2026-06-24 22:25:32 +00:00 · 2026-06-24 22:12:30 +00:00 · 2026-06-24 22:12:30 +00:00 · 2026-06-24 22:12:30 +00:00 · 2026-06-24 22:12:30 +00:00
84 changed files with 4365 additions and 599 deletions
@@ -4,12 +4,12 @@ Contributions are [released](https://help.github.com/articles/github-terms-of-se

 ## Submitting a pull request

-1. [Fork](https://github.com/qdm12/gluetun/fork) and clone the repository
+1. [Fork](https://github.com/passteque/gluetun/fork) and clone the repository
 1. Create a new branch `git checkout -b my-branch-name`
 1. Modify the code
 1. Ensure the docker build succeeds `docker build .` (you might need `export DOCKER_BUILDKIT=1`)
 1. Commit your modifications
-1. Push to your fork and [submit a pull request](https://github.com/qdm12/gluetun/compare)
+1. Push to your fork and [submit a pull request](https://github.com/passteque/gluetun/compare)

 ## Resources

@@ -56,6 +56,7 @@ body:
        - IVPN
        - Mullvad
        - NordVPN
+        - OVPN
        - Privado
        - Private Internet Access
        - PrivateVPN
@@ -4,8 +4,8 @@ contact_links:
    url: https://github.com/qdm12/gluetun-wiki/issues/new/choose
    about: Please create an issue on the gluetun-wiki repository.
  - name: Configuration help?
-    url: https://github.com/qdm12/gluetun/discussions/new/choose
+    url: https://github.com/passteque/gluetun/discussions/new/choose
    about: Please create a Github discussion.
  - name: Unraid template issue
-    url: https://github.com/qdm12/gluetun/discussions/550
+    url: https://github.com/passteque/gluetun/discussions/550
    about: Please read the relevant Github discussion.
@@ -4,12 +4,38 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      interval: "daily"
+      interval: "weekly"
  - package-ecosystem: docker
    directory: /
    schedule:
-      interval: "daily"
-  - package-ecosystem: gomod
-    directory: /
+      interval: "weekly"
+  - # Servers data dependency that should be updated as soon as
+    # possible when a new version is released, to have the latest
+    # servers available
+    package-ecosystem: "gomod"
+    directory: "/"
    schedule:
-      interval: "daily"
+      interval: "weekly"
+    ignore:
+      - # In particular avoid amneziawg-go which have v1.x.y versions available
+        # on the Go modules proxy, but are not in the Github repository tags
+        # and are not the latest releases either. Most likely a mistake from the
+        # maintainers, which is persisted on the Go proxy.
+        dependency-name: "github.com/amnezia-vpn/amneziawg-go"
+        versions: ["1.x"]
+    groups:
+      low-importance:
+        patterns:
+          - "github.com/breml/rootcerts"
+          - "github.com/fatih/color"
+          - "github.com/golang/mock"
+          - "github.com/klauspost/compress"
+          - "github.com/klauspost/pgzip"
+          - "github.com/pelletier/go-toml/v2"
+          - "github.com/qdm12/goshutdown"
+          - "github.com/qdm12/gosplash"
+          - "github.com/qdm12/gotree"
+          - "github.com/qdm12/log"
+          - "github.com/stretchr/testify"
+          - "github.com/ulikunitz/xz"
+          - "gopkg.in/ini.v1"
@@ -64,6 +64,8 @@
  color: "cfe8d4"
 - name: "☁️ NordVPN"
  color: "cfe8d4"
+- name: "☁️ OVPN"
+  color: "cfe8d4"
 - name: "☁️ Perfect Privacy"
  color: "cfe8d4"
 - name: "☁️ PIA"
@@ -140,6 +142,8 @@
  color: "ffc7ea"
 - name: "Category: Shadowsocks 🔁"
  color: "ffc7ea"
+- name: "Category: Socks5 proxy 🔁"
+  color: "ffc7ea"
 - name: "Category: control server ⚙️"
  color: "ffc7ea"
 - name: "Category: kernel 🧠"
@@ -8,5 +8,4 @@

 # Assertions

-* [ ] I am aware that we do not accept manual changes to the servers.json file <!-- If this is your goal, please consult https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-using-the-command-line -->
 * [ ] I am aware that any changes to settings should be reflected in the [wiki](https://github.com/qdm12/gluetun-wiki/)
@@ -28,6 +28,10 @@ on:
      - go.mod
      - go.sum

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
  verify:
    runs-on: ubuntu-latest
@@ -44,7 +48,6 @@ jobs:
          locale: "US"
          level: error
          exclude: |
-            ./internal/storage/servers.json
            ./.golangci.yml
            *.md

@@ -92,13 +95,13 @@ jobs:

  verify-private:
    if: |
-      github.repository == 'qdm12/gluetun' &&
+      github.repository == 'passteque/gluetun' &&
      (
        github.event_name == 'push' ||
        github.event_name == 'release' ||
        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
      )
-    needs: [ verify ]
+    needs: [verify]
    runs-on: ubuntu-latest
    environment: secrets
    steps:
@@ -120,7 +123,8 @@ jobs:

      - name: Run Gluetun container with ProtonVPN Wireguard and port forwarding
          configuration
-        run: echo -e "${{ secrets.PROTONVPN_WIREGUARD_PRIVATE_KEY }}" | ./ci/runner
+        run:
+          echo -e "${{ secrets.PROTONVPN_WIREGUARD_PRIVATE_KEY }}" | ./ci/runner
          protonvpn-wireguard-port-forwarding

      - name: Run Gluetun container with ProtonVPN OpenVPN and port forwarding
@@ -129,11 +133,12 @@ jobs:
          secrets.PROTONVPN_OPENVPN_PASSWORD }}" | ./ci/runner
          protonvpn-openvpn-port-forwarding

-      - name: Run Gluetun container with Private Internet Access OpenVPN and port
-          forwarding configuration
-        run: echo -e "${{ secrets.PRIVATEINTERNETACCESS_OPENVPN_USER }}\n${{
-          secrets.PRIVATEINTERNETACCESS_OPENVPN_PASSWORD }}" | ./ci/runner
-          private-internet-access-openvpn-port-forwarding
+      # - name:
+      #     Run Gluetun container with Private Internet Access OpenVPN and port
+      #     forwarding configuration
+      #   run: echo -e "${{ secrets.PRIVATEINTERNETACCESS_OPENVPN_USER }}\n${{
+      #     secrets.PRIVATEINTERNETACCESS_OPENVPN_PASSWORD }}" | ./ci/runner
+      #     private-internet-access-openvpn-port-forwarding

      - name: Run Gluetun container with AirVPN Wireguard configuration
        run: echo -e "${{ secrets.AIRVPN_WIREGUARD_PRIVATE_KEY }}\n${{
@@ -141,7 +146,8 @@ jobs:
          secrets.AIRVPN_WIREGUARD_ADDRESSES }}" | ./ci/runner airvpn-wireguard

      - name: Run Gluetun container with AirVPN OpenVPN configuration
-        run: echo -e "${{ secrets.AIRVPN_OPENVPN_KEY }}\n${{ secrets.AIRVPN_OPENVPN_CERT
+        run:
+          echo -e "${{ secrets.AIRVPN_OPENVPN_KEY }}\n${{ secrets.AIRVPN_OPENVPN_CERT
          }}" | ./ci/runner airvpn-openvpn

  codeql:
@@ -163,18 +169,19 @@ jobs:

  publish:
    if: |
-      github.repository == 'qdm12/gluetun' &&
+      github.repository == 'passteque/gluetun' &&
      (
        github.event_name == 'push' ||
        github.event_name == 'release' ||
        (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
      )
-    needs: [ verify, verify-private, codeql ]
+    needs: [verify, verify-private, codeql]
    permissions:
      actions: read
      contents: read
      packages: write
    runs-on: ubuntu-latest
+    environment: secrets
    steps:
      - uses: actions/checkout@v6

@@ -209,7 +216,7 @@ jobs:
        with:
          registry: ghcr.io
          username: qdm12
-          password: ${{ github.token }}
+          password: ${{ secrets.GHCR_PAT }}

      - name: Short commit
        id: shortcommit
@@ -11,12 +11,17 @@ on:
      - "**.md"
      - .github/workflows/markdown.yml

+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 jobs:
  markdown:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
+    environment: secrets
    steps:
      - uses: actions/checkout@v6

@@ -38,7 +43,7 @@ jobs:
          config-file: .github/workflows/configs/mlc-config.json

      - uses: peter-evans/dockerhub-description@v5
-        if: github.repository == 'qdm12/gluetun' && github.event_name == 'push'
+        if: github.repository == 'passteque/gluetun' && github.event_name == 'push'
        with:
          username: qmcgaw
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -1,98 +0,0 @@
-name: Update servers list
-on:
-  workflow_dispatch:
-    inputs:
-      provider:
-        description: "VPN Provider to update"
-        required: true
-        default: "all"
-        type: choice
-        options:
-          - all
-          - airvpn
-          - cyberghost
-          - expressvpn
-          - fastestvpn
-          - giganews
-          - hidemyass
-          - ipvanish
-          - ivpn
-          - mullvad
-          - nordvpn
-          - perfect privacy
-          - privado
-          - private internet access
-          - privatevpn
-          - protonvpn
-          - purevpn
-          - slickvpn
-          - surfshark
-          - torguard
-          - vpnsecure
-          - vpn unlimited
-          - vyprvpn
-          - windscribe
-  schedule:
-    - cron: "11 3 1 */2 *" # Run at 03:11 on the 1st of every 2nd month
-jobs:
-  update-servers-list:
-    if: github.repository == 'qdm12/gluetun'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: write
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@v6
-
-      - uses: actions/setup-go@v6
-        with:
-          go-version-file: go.mod
-
-      - name: Update servers list
-        run: |
-          SELECTED_PROVIDER="${{ github.event.inputs.provider || 'all' }}"
-
-          if [ "$SELECTED_PROVIDER" = "all" ]; then
-            FLAGS="-all"
-          else
-            FLAGS="-providers $SELECTED_PROVIDER"
-          fi
-
-          go run ./cmd/gluetun/main.go update $FLAGS \
-            -maintainer \
-            -proton-email "${{ secrets.PROTON_EMAIL }}" \
-            -proton-password "${{ secrets.PROTON_PASSWORD }}"
-
-      - name: Check for changes
-        run: |
-          if git diff --exit-code internal/storage/servers.json >/dev/null; then
-            echo "Error: internal/storage/servers.json was not modified."
-            exit 1
-          fi
-
-      - name: Check no other file changes
-        run: |
-          if ! git diff --exit-code --quiet ':!internal/storage/servers.json'; then
-            echo "Error: Unexpected changes detected in files other than servers.json"
-            git status --short
-            exit 1
-          fi
-
-      - name: Create Pull Request
-        id: createpr
-        uses: peter-evans/create-pull-request@v8
-        with:
-          branch-suffix: timestamp
-          branch: bot/update-servers-list
-          base: master
-          delete-branch: true
-          title: "feat(providers/${{ github.event.inputs.provider || 'all' }}): servers data update"
-          body: |
-            This PR was automatically generated by the [Update servers list](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) workflow run.
-
-      # - name: Merge Pull Request
-      #   env:
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #   run: |
-      #     gh pr merge ${{ steps.createpr.outputs.pull-request-number }} --auto -m -d
@@ -12,6 +12,10 @@ formatters:
      - builtin$
      - examples$

+run:
+  build-tags:
+    - integration
+
 linters:
  settings:
    misspell:
@@ -3,7 +3,7 @@
  // to develop this project.
  "files.eol": "\n",
  "editor.formatOnSave": true,
-  "go.buildTags": "linux",
+  "go.buildTags": "linux,integration",
  "go.toolsEnvVars": {
    "CGO_ENABLED": "0"
  },
@@ -72,9 +72,9 @@ LABEL \
    org.opencontainers.image.created=$CREATED \
    org.opencontainers.image.version=$VERSION \
    org.opencontainers.image.revision=$COMMIT \
-    org.opencontainers.image.url="https://github.com/qdm12/gluetun" \
-    org.opencontainers.image.documentation="https://github.com/qdm12/gluetun" \
-    org.opencontainers.image.source="https://github.com/qdm12/gluetun" \
+    org.opencontainers.image.url="https://github.com/passteque/gluetun" \
+    org.opencontainers.image.documentation="https://github.com/passteque/gluetun" \
+    org.opencontainers.image.source="https://github.com/passteque/gluetun" \
    org.opencontainers.image.title="VPN swiss-knife like client for multiple VPN providers" \
    org.opencontainers.image.description="VPN swiss-knife like client to tunnel to multiple VPN servers using OpenVPN, IPtables, DNS over TLS, Shadowsocks, an HTTP proxy and Alpine Linux"
 ENV VPN_SERVICE_PROVIDER=pia \
@@ -186,12 +186,14 @@ ENV VPN_SERVICE_PROVIDER=pia \
    # # ProtonVPN only:
    SECURE_CORE_ONLY= \
    TOR_ONLY= \
-    # # Surfshark only:
+    # # Surfshark and ovpn only:
    MULTIHOP_ONLY= \
    # # VPN Secure only:
    PREMIUM_ONLY= \
    # # PIA and ProtonVPN only:
    PORT_FORWARD_ONLY= \
+    # # Ovpn only:
+    SERVER_DEDICATED=no \
    # Firewall
    FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT=on \
    FIREWALL_VPN_INPUT_PORTS= \
@@ -240,6 +242,11 @@ ENV VPN_SERVICE_PROVIDER=pia \
    SHADOWSOCKS_PASSWORD= \
    SHADOWSOCKS_PASSWORD_SECRETFILE=/run/secrets/shadowsocks_password \
    SHADOWSOCKS_CIPHER=chacha20-ietf-poly1305 \
+    # Socks5
+    SOCKS5_ENABLED=off \
+    SOCKS5_LISTENING_ADDRESS=":1080" \
+    SOCKS5_USER= \
+    SOCKS5_PASSWORD= \
    # Control server
    HTTP_CONTROL_SERVER_LOG=on \
    HTTP_CONTROL_SERVER_ADDRESS=":8000" \
@@ -271,7 +278,7 @@ ENV VPN_SERVICE_PROVIDER=pia \
    PUID=1000 \
    PGID=1000
 ENTRYPOINT ["/gluetun-entrypoint"]
-EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp
+EXPOSE 8000/tcp 8888/tcp 8388/tcp 8388/udp 1080/tcp 1080/udp
 HEALTHCHECK --interval=5s --timeout=5s --start-period=10s --retries=3 CMD /gluetun-entrypoint healthcheck
 ARG TARGETPLATFORM
 RUN apk add --no-cache --update -l wget && \
@@ -6,9 +6,9 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers

 🗯️ this repository will be migrated to [github.com/passteque/gluetun](https://github.com/passteque/gluetun) on 2026-05-21, which is a Github organization under my sole control, so don't get alarmed if you get redirected in the coming days 😉 Reason being migrating Github sponsors to the Open source collective due to my personal situation, basically annoying paperwork. On the plus side, it will be more transparent and funds donated will only be used for the project. The Docker image names will remain the same.

-![Title image](https://raw.githubusercontent.com/qdm12/gluetun/master/title.svg)
+![Title image](https://raw.githubusercontent.com/passteque/gluetun/master/title.svg)

-[![Build status](https://github.com/qdm12/gluetun/actions/workflows/ci.yml/badge.svg)](https://github.com/qdm12/gluetun/actions/workflows/ci.yml)
+[![Build status](https://github.com/passteque/gluetun/actions/workflows/ci.yml/badge.svg)](https://github.com/passteque/gluetun/actions/workflows/ci.yml)

 [![Docker pulls qmcgaw/gluetun](https://img.shields.io/docker/pulls/qmcgaw/gluetun.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
 [![Docker pulls qmcgaw/private-internet-access](https://img.shields.io/docker/pulls/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
@@ -16,23 +16,23 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 [![Docker stars qmcgaw/gluetun](https://img.shields.io/docker/stars/qmcgaw/gluetun.svg)](https://hub.docker.com/r/qmcgaw/gluetun)
 [![Docker stars qmcgaw/private-internet-access](https://img.shields.io/docker/stars/qmcgaw/private-internet-access.svg)](https://hub.docker.com/r/qmcgaw/gluetun)

-![Last release](https://img.shields.io/github/release/qdm12/gluetun?label=Last%20release)
+![Last release](https://img.shields.io/github/release/passteque/gluetun?label=Last%20release)
 ![Last Docker tag](https://img.shields.io/docker/v/qmcgaw/gluetun?sort=semver&label=Last%20Docker%20tag)
 [![Last release size](https://img.shields.io/docker/image-size/qmcgaw/gluetun?sort=semver&label=Last%20released%20image)](https://hub.docker.com/r/qmcgaw/gluetun/tags?page=1&ordering=last_updated)
-![GitHub last release date](https://img.shields.io/github/release-date/qdm12/gluetun?label=Last%20release%20date)
-![Commits since release](https://img.shields.io/github/commits-since/qdm12/gluetun/latest?sort=semver)
+![GitHub last release date](https://img.shields.io/github/release-date/passteque/gluetun?label=Last%20release%20date)
+![Commits since release](https://img.shields.io/github/commits-since/passteque/gluetun/latest?sort=semver)

 [![Latest size](https://img.shields.io/docker/image-size/qmcgaw/gluetun/latest?label=Latest%20image)](https://hub.docker.com/r/qmcgaw/gluetun/tags)

-[![GitHub last commit](https://img.shields.io/github/last-commit/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/commits/master)
-[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/graphs/contributors)
-[![GitHub closed PRs](https://img.shields.io/github/issues-pr-closed/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/pulls?q=is%3Apr+is%3Aclosed)
-[![GitHub issues](https://img.shields.io/github/issues/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues)
-[![GitHub closed issues](https://img.shields.io/github/issues-closed/qdm12/gluetun.svg)](https://github.com/qdm12/gluetun/issues?q=is%3Aissue+is%3Aclosed)
+[![GitHub last commit](https://img.shields.io/github/last-commit/passteque/gluetun.svg)](https://github.com/passteque/gluetun/commits/master)
+[![GitHub commit activity](https://img.shields.io/github/commit-activity/y/passteque/gluetun.svg)](https://github.com/passteque/gluetun/graphs/contributors)
+[![GitHub closed PRs](https://img.shields.io/github/issues-pr-closed/passteque/gluetun.svg)](https://github.com/passteque/gluetun/pulls?q=is%3Apr+is%3Aclosed)
+[![GitHub issues](https://img.shields.io/github/issues/passteque/gluetun.svg)](https://github.com/passteque/gluetun/issues)
+[![GitHub closed issues](https://img.shields.io/github/issues-closed/passteque/gluetun.svg)](https://github.com/passteque/gluetun/issues?q=is%3Aissue+is%3Aclosed)

-![Code size](https://img.shields.io/github/languages/code-size/qdm12/gluetun)
-![GitHub repo size](https://img.shields.io/github/repo-size/qdm12/gluetun)
-![Go version](https://img.shields.io/github/go-mod/go-version/qdm12/gluetun)
+![Code size](https://img.shields.io/github/languages/code-size/passteque/gluetun)
+![GitHub repo size](https://img.shields.io/github/repo-size/passteque/gluetun)
+![Go version](https://img.shields.io/github/go-mod/go-version/passteque/gluetun)

 ![Visitors count](https://visitor-badge.laobi.icu/badge?page_id=gluetun.readme)

@@ -42,10 +42,10 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 - [Features](#features)
 - Problem?
  - Check the Wiki [common errors](https://github.com/qdm12/gluetun-wiki/tree/main/errors) and [faq](https://github.com/qdm12/gluetun-wiki/tree/main/faq)
-  - [Start a discussion](https://github.com/qdm12/gluetun/discussions)
-  - [Fix the Unraid template](https://github.com/qdm12/gluetun/discussions/550)
+  - [Start a discussion](https://github.com/passteque/gluetun/discussions)
+  - [Fix the Unraid template](https://github.com/passteque/gluetun/discussions/550)
 - Suggestion?
-  - [Create an issue](https://github.com/qdm12/gluetun/issues)
+  - [Create an issue](https://github.com/passteque/gluetun/issues)
 - Happy?
  - Sponsor me on [github.com/sponsors/qdm12](https://github.com/sponsors/qdm12)
  - Donate to [paypal.me/qmcgaw](https://www.paypal.me/qmcgaw)
@@ -60,19 +60,20 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 ## Features

 - Based on Alpine 3.23 for a small Docker image of 43.1MB
- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad** (Wireguard only), **NordVPN**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **Windscribe** servers
+- Supports: **AirVPN**, **Cyberghost**, **ExpressVPN**, **FastestVPN**, **Giganews**, **HideMyAss**, **IPVanish**, **IVPN**, **Mullvad** (Wireguard only), **NordVPN**, **Ovpn**, **Perfect Privacy**, **Privado**, **Private Internet Access**, **PrivateVPN**, **ProtonVPN**, **PureVPN**,  **SlickVPN**, **Surfshark**, **TorGuard**, **VPNSecure.me**, **VPNUnlimited**, **Vyprvpn**, **Windscribe** servers
 - Supports OpenVPN for all providers listed
 - Supports Wireguard both kernelspace and userspace
-  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
+  - For **AirVPN**, **FastestVPN**, **Ivpn**, **Mullvad**, **NordVPN**, **Ovpn**, **Perfect privacy**, **ProtonVPN**, **Surfshark** and **Windscribe**
  - For **Cyberghost**, **Private Internet Access**, **PrivateVPN**, **PureVPN**, **Torguard**, **VPN Unlimited** and **VyprVPN** using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
  - For custom Wireguard configurations using [the custom provider](https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md)
-  - More in progress, see [#134](https://github.com/qdm12/gluetun/issues/134)
+  - More in progress, see [#134](https://github.com/passteque/gluetun/issues/134)
 - Supports AmneziaWG only with the custom provider for now
 - DNS over TLS baked in with service provider(s) of your choice
 - DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
 - Choose the vpn network protocol, `udp` or `tcp`
 - Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
 - Built in Shadowsocks proxy server (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
+- Built in Socks5 proxy server (tunnels TCP+UDP) - partial credits to @angelakis and @adjscent
 - Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
 - [Connect other containers to it](https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md)
 - [Connect LAN devices to it](https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-lan-device-to-gluetun.md)
@@ -130,8 +131,8 @@ services:

 ## Fun graphs

-[![Star History Chart](https://api.star-history.com/svg?repos=qdm12/gluetun&type=date&legend=top-left)](https://www.star-history.com/#qdm12/gluetun&type=date&legend=top-left)
+[![Star History Chart](https://api.star-history.com/svg?repos=passteque/gluetun&type=date&legend=top-left)](https://www.star-history.com/#passteque/gluetun&type=date&legend=top-left)

 ## License

-[![MIT](https://img.shields.io/github/license/qdm12/gluetun)](https://github.com/qdm12/gluetun/blob/master/LICENSE)
+[![MIT](https://img.shields.io/github/license/passteque/gluetun)](https://github.com/passteque/gluetun/blob/master/LICENSE)
@@ -41,6 +41,7 @@ import (
 	"github.com/qdm12/gluetun/internal/routing"
 	"github.com/qdm12/gluetun/internal/server"
 	"github.com/qdm12/gluetun/internal/shadowsocks"
+	"github.com/qdm12/gluetun/internal/socks5"
 	"github.com/qdm12/gluetun/internal/storage"
 	updater "github.com/qdm12/gluetun/internal/updater/loop"
 	"github.com/qdm12/gluetun/internal/updater/resolver"
@@ -411,6 +412,18 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		return fmt.Errorf("starting public ip loop: %w", err)
 	}

+	socks5Loop := socks5.NewLoop(socks5.Settings{
+		Enabled:  *allSettings.Socks5.Enabled,
+		Username: *allSettings.Socks5.Username,
+		Password: *allSettings.Socks5.Password,
+		Address:  allSettings.Socks5.ListeningAddress,
+		Logger:   logger.New(log.SetComponent("socks5")),
+	})
+	socks5RunError, err := socks5Loop.Start(ctx)
+	if err != nil {
+		return fmt.Errorf("starting SOCKS5 server loop: %w", err)
+	}
+
 	healthLogger := logger.New(log.SetComponent("healthcheck"))
 	healthcheckServer := healthcheck.NewServer(allSettings.Health, healthLogger)
 	healthServerHandler, healthServerCtx, healthServerDone := goshutdown.NewGoRoutineHandler(
@@ -506,7 +519,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 			String() string
 			Stop() error
 		}{
-			portForwardLooper, publicIPLooper,
+			portForwardLooper, publicIPLooper, socks5Loop,
 		}
 		for _, stopper := range stoppers {
 			err := stopper.Stop()
@@ -518,6 +531,8 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		logger.Errorf("port forwarding loop crashed: %s", err)
 	case err := <-publicIPRunError:
 		logger.Errorf("public IP loop crashed: %s", err)
+	case err := <-socks5RunError:
+		logger.Errorf("SOCKS5 server loop crashed: %s", err)
 	}

 	return orderHandler.Shutdown(context.Background())
@@ -4,18 +4,20 @@ go 1.25.0

 require (
 	github.com/ProtonMail/go-srp v0.0.7
-	github.com/amnezia-vpn/amneziawg-go v0.2.16
+	github.com/amnezia-vpn/amneziawg-go v0.2.18
 	github.com/breml/rootcerts v0.3.4
 	github.com/fatih/color v1.18.0
 	github.com/golang/mock v1.6.0
 	github.com/jsimonetti/rtnetlink v1.4.2
 	github.com/klauspost/compress v1.18.4
 	github.com/klauspost/pgzip v1.2.6
-	github.com/mdlayher/genetlink v1.3.2
+	github.com/mdlayher/genetlink v1.4.0
 	github.com/mdlayher/netlink v1.9.0
+	github.com/miekg/dns v1.1.62
 	github.com/pelletier/go-toml/v2 v2.2.4
 	github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260421173011-9de8e7fdbe3a
-	github.com/qdm12/gluetun-servers v0.1.0
+	github.com/qdm12/gluetun-servers v0.1.1-0.20260522005421-14277e92ce82
+	github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978
 	github.com/qdm12/gosettings v0.4.4
 	github.com/qdm12/goshutdown v0.3.0
 	github.com/qdm12/gosplash v0.2.1-0.20260305164749-b713de4fee6c
@@ -26,11 +28,9 @@ require (
 	github.com/ti-mo/netfilter v0.5.3
 	github.com/ulikunitz/xz v0.5.15
 	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a
-	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c
-	golang.org/x/mod v0.33.0
-	golang.org/x/net v0.51.0
-	golang.org/x/sys v0.42.0
-	golang.org/x/text v0.35.0
+	golang.org/x/net v0.55.0
+	golang.org/x/sys v0.45.0
+	golang.org/x/text v0.38.0
 	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	gopkg.in/ini.v1 v1.67.1
@@ -47,8 +47,7 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/miekg/dns v1.1.62 // indirect
+	github.com/mdlayher/socket v0.6.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -56,11 +55,12 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.60.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
-	golang.org/x/crypto v0.48.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/tools v0.42.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
+	golang.org/x/mod v0.36.0 // indirect
+	golang.org/x/sync v0.21.0 // indirect
+	golang.org/x/tools v0.45.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
@@ -6,8 +6,8 @@ github.com/ProtonMail/go-crypto v1.3.0-proton h1:tAQKQRZX/73VmzK6yHSCaRUOvS/3OYS
 github.com/ProtonMail/go-crypto v1.3.0-proton/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/ProtonMail/go-srp v0.0.7 h1:Sos3Qk+th4tQR64vsxGIxYpN3rdnG9Wf9K4ZloC1JrI=
 github.com/ProtonMail/go-srp v0.0.7/go.mod h1:giCp+7qRnMIcCvI6V6U3S1lDDXDQYx2ewJ6F/9wdlJk=
-github.com/amnezia-vpn/amneziawg-go v0.2.16 h1:XY6HOq/xtqH8ZXMncRWkjFs85EKdN10NLNnw23kTpE0=
-github.com/amnezia-vpn/amneziawg-go v0.2.16/go.mod h1:nRkPpIzjCxMW8pZKXTRkpqAQVlmFJdVOGkeQSC7wbms=
+github.com/amnezia-vpn/amneziawg-go v0.2.18 h1:pUn7/P8qdGmHd6JmE3bCQXPblZs3vruWR98nLODQLJg=
+github.com/amnezia-vpn/amneziawg-go v0.2.18/go.mod h1:aMgOk9MuX0xI7b5TKAYp8pLM54RlXcOPzDvYw3YEO5A=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/breml/rootcerts v0.3.4 h1:9i7WNl/ctd9OEAOaTfLy//Wrlfxq/tRQ7v4okYFN9Ys=
@@ -48,12 +48,12 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
+github.com/mdlayher/genetlink v1.4.0 h1:f/Xs7Y2T+GyX9b3dbiUhnLE9InGs5F9RxJ2JwBMl71o=
+github.com/mdlayher/genetlink v1.4.0/go.mod h1:d1hrKr8fwZU2JkcAtQUAzeTrI7nbgQSl+5k1cC0biSA=
 github.com/mdlayher/netlink v1.9.0 h1:G8+GLq2x3v4D4MVIqDdNUhTUC7TKiCy/6MDkmItfKco=
 github.com/mdlayher/netlink v1.9.0/go.mod h1:YBnl5BXsCoRuwBjKKlZ+aYmEoq0r12FDA/3JC+94KDg=
-github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
-github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
+github.com/mdlayher/socket v0.6.0 h1:ScZPaAGyO1icQnbFrhPM8mnXyMu9qukC1K4ZoM2IQKU=
+github.com/mdlayher/socket v0.6.0/go.mod h1:q7vozUAnxSqnjHc12Fik5yUKIzfZ8ITCfMkhOtE9z18=
 github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
 github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
@@ -76,8 +76,8 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260421173011-9de8e7fdbe3a h1:TE157yPQmAbVruH0MWCQzs0vTT/6t96DkoWUXd6PVuc=
 github.com/qdm12/dns/v2 v2.0.0-rc9.0.20260421173011-9de8e7fdbe3a/go.mod h1:98foWgXJZ+g8gJIuO+fdO+oWpFei5WShMFTeN4Im2lE=
-github.com/qdm12/gluetun-servers v0.1.0 h1:w9JLghKZwI0Gzpp9p5rNANgEYUUZ1dxdxsG6NKIojaY=
-github.com/qdm12/gluetun-servers v0.1.0/go.mod h1:acttuyHyoFDu6GTbf3kAV+QXeiX8oJeh0MBic67/9z8=
+github.com/qdm12/gluetun-servers v0.1.1-0.20260522005421-14277e92ce82 h1:tE44IEW7o9yPQaO8HBeoO9RxtTTxqhboIypegrQlVt8=
+github.com/qdm12/gluetun-servers v0.1.1-0.20260522005421-14277e92ce82/go.mod h1:acttuyHyoFDu6GTbf3kAV+QXeiX8oJeh0MBic67/9z8=
 github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978 h1:TRGpCU1l0lNwtogEUSs5U+RFceYxkAJUmrGabno7J5c=
 github.com/qdm12/goservices v0.1.1-0.20251104135713-6bee97bd4978/go.mod h1:D1Po4CRQLYjccnAR2JsVlN1sBMgQrcNLONbvyuzcdTg=
 github.com/qdm12/gosettings v0.4.4 h1:SM6tOZDf6k8qbjWU8KWyBF4mWIixfsKCfh9DGRLHlj4=
@@ -120,15 +120,15 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
 golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
-golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
+golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -136,14 +136,14 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
+golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -156,8 +156,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
+golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -167,8 +167,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.38.0 h1:sXmwo9DwP3OK9EZ7PqAdaooSGozfl/3a6/xJcbzPRhE=
+golang.org/x/text v0.38.0/go.mod h1:YXZt3QhHUKYT53r2lLKFIVi6Ao1jdzrTR/KQ09qyxF4=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -176,8 +176,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
-golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
+golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
+golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"net"
 	"net/http"
 	"slices"
 	"strings"
@@ -104,6 +105,10 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 	if err != nil {
 		return fmt.Errorf("creating DoH dialer: %w", err)
 	}
+	net.DefaultResolver = &net.Resolver{
+		PreferGo: true,
+		Dial:     dnsDialer.Dial,
+	}

 	const clientTimeout = 10 * time.Second
 	httpClient := &http.Client{Timeout: clientTimeout}
@@ -9,8 +9,9 @@ import (
 )

 // Start launches a command and streams stdout and stderr to channels.
-// All the channels returned are ready only and won't be closed
-// if the command fails later.
+// stdoutLines and stderrLines channels will be closed when there is no more
+// output to read, in order for the caller to catch all lines even after the
+// command has finished. The waitError channel returned will never be closed.
 func (c *Cmder) Start(cmd *exec.Cmd) (
 	stdoutLines, stderrLines <-chan string,
 	waitError <-chan error, startErr error,
@@ -38,6 +39,7 @@ func start(cmd execCmd) (stdoutLines, stderrLines <-chan string,
 	if err != nil {
 		_ = stdout.Close()
 		<-stdoutDone
+		close(stdoutLinesCh)
 		return nil, nil, nil, err
 	}
 	go streamToChannel(stderrReady, stderrDone, stderr, stderrLinesCh)
@@ -45,9 +47,11 @@ func start(cmd execCmd) (stdoutLines, stderrLines <-chan string,
 	err = cmd.Start()
 	if err != nil {
 		_ = stdout.Close()
-		_ = stderr.Close()
 		<-stdoutDone
+		close(stdoutLinesCh)
+		_ = stderr.Close()
 		<-stderrDone
+		close(stderrLinesCh)
 		return nil, nil, nil, err
 	}

@@ -55,8 +59,10 @@ func start(cmd execCmd) (stdoutLines, stderrLines <-chan string,
 	go func() {
 		err := cmd.Wait()
 		<-stdoutDone
-		<-stderrDone
+		close(stdoutLinesCh)
 		_ = stdout.Close()
+		<-stderrDone
+		close(stderrLinesCh)
 		_ = stderr.Close()
 		waitErrorCh <- err
 	}()
@@ -89,30 +89,48 @@ func Test_start(t *testing.T) {

 			require.NoError(t, err)

-			var stdoutIndex, stderrIndex int
-
-			done := false
-			for !done {
-				select {
-				case line := <-stdoutLines:
-					assert.Equal(t, testCase.stdout[stdoutIndex], line)
-					stdoutIndex++
-				case line := <-stderrLines:
-					assert.Equal(t, testCase.stderr[stderrIndex], line)
-					stderrIndex++
-				case err := <-waitError:
-					if testCase.waitErr != nil {
-						require.Error(t, err)
-						assert.Equal(t, testCase.waitErr.Error(), err.Error())
-					} else {
-						assert.NoError(t, err)
-					}
-					done = true
-				}
-			}
-
-			assert.Equal(t, len(testCase.stdout), stdoutIndex)
-			assert.Equal(t, len(testCase.stderr), stderrIndex)
+			collectAndCheckChannels(t, stdoutLines, stderrLines, waitError,
+				testCase.stdout, testCase.stderr, testCase.waitErr)
 		})
 	}
 }
+
+func collectAndCheckChannels(t *testing.T, stdoutLines, stderrLines <-chan string,
+	waitError <-chan error, expectedStdout, expectedStderr []string, expectedWaitErr error,
+) {
+	t.Helper()
+
+	stdoutIndex := 0
+	stderrIndex := 0
+
+	done := false
+	for !done {
+		select {
+		case line, ok := <-stdoutLines:
+			if !ok {
+				stdoutLines = nil
+				continue
+			}
+			assert.Equal(t, expectedStdout[stdoutIndex], line)
+			stdoutIndex++
+		case line, ok := <-stderrLines:
+			if !ok {
+				stderrLines = nil
+				continue
+			}
+			assert.Equal(t, expectedStderr[stderrIndex], line)
+			stderrIndex++
+		case err := <-waitError:
+			if expectedWaitErr != nil {
+				require.Error(t, err)
+				assert.Equal(t, expectedWaitErr.Error(), err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+			done = true
+		}
+	}
+
+	assert.Equal(t, len(expectedStdout), stdoutIndex)
+	assert.Equal(t, len(expectedStderr), stderrIndex)
+}
@@ -18,31 +18,39 @@ func (c *Cmder) RunAndLog(ctx context.Context, command string, logger Logger) (e
 		return err
 	}

-	streamCtx, streamCancel := context.WithCancel(context.Background())
 	streamDone := make(chan struct{})
-	go streamLines(streamCtx, streamDone, logger, stdout, stderr)
+	go streamLines(streamDone, logger, stdout, stderr)

 	err = <-waitError
-	streamCancel()
 	<-streamDone
 	return err
 }

-func streamLines(ctx context.Context, done chan<- struct{},
-	logger Logger, stdout, stderr <-chan string,
+func streamLines(done chan<- struct{}, logger Logger,
+	stdout, stderr <-chan string,
 ) {
 	defer close(done)

-	var line string
-
 	for {
 		select {
-		case <-ctx.Done():
-			return
-		case line = <-stdout:
-			logger.Info(line)
-		case line = <-stderr:
-			logger.Error(line)
+		case line, ok := <-stdout:
+			if ok {
+				logger.Info(line)
+				break
+			}
+			if stderr == nil {
+				return
+			}
+			stdout = nil
+		case line, ok := <-stderr:
+			if ok {
+				logger.Error(line)
+				break
+			}
+			if stdout == nil {
+				return
+			}
+			stderr = nil
 		}
 	}
 }
@@ -1,10 +1,10 @@
 package settings

 import (
+	"maps"
 	"slices"

 	"github.com/qdm12/gosettings/reader"
-	"golang.org/x/exp/maps"
 )

 func readObsolete(r *reader.Reader) (warnings []string) {
@@ -17,7 +17,7 @@ func readObsolete(r *reader.Reader) (warnings []string) {
 		"DNS_KEEP_NAMESERVER": "DNS_KEEP_NAMESERVER is obsolete because you should use the built-in server which now " +
 			"forwards local names to private DNS resolvers found in /etc/resolv.conf at container start",
 	}
-	sortedKeys := maps.Keys(keyToMessage)
+	sortedKeys := slices.Collect(maps.Keys(keyToMessage))
 	slices.Sort(sortedKeys)
 	warnings = make([]string, 0, len(keyToMessage))
 	for _, key := range sortedKeys {
@@ -70,7 +70,7 @@ func (o OpenVPNSelection) validate(vpnProvider string) (err error) {
 		switch vpnProvider {
 		// no restriction on port
 		case providers.Custom, providers.Cyberghost, providers.HideMyAss,
-			providers.Privatevpn, providers.Torguard:
+			providers.Ovpn, providers.Privatevpn, providers.Torguard:
 		// no custom port allowed
 		case providers.Expressvpn, providers.Fastestvpn,
 			providers.Giganews, providers.Ipvanish,
@@ -95,7 +95,7 @@ func (p PortForwarding) Validate(vpnProvider string) (err error) {
 			return errors.New("port forwarding password is empty")
 		}
 	case providers.Protonvpn:
-		const maxPortsCount = 4
+		const maxPortsCount = 5
 		if p.PortsCount > maxPortsCount {
 			return fmt.Errorf("ports count too high: %d > %d", p.PortsCount, maxPortsCount)
 		}
@@ -49,6 +49,7 @@ func (p *Provider) validate(vpnType string, filterChoicesGetter FilterChoicesGet
 			providers.Ivpn,
 			providers.Mullvad,
 			providers.Nordvpn,
+			providers.Ovpn,
 			providers.Protonvpn,
 			providers.Surfshark,
 			providers.Windscribe,
@@ -63,6 +63,9 @@ type ServerSelection struct {
 	// TorOnly is true if VPN servers without tor should
 	// be filtered. This is used with ProtonVPN.
 	TorOnly *bool `json:"tor_only"`
+	// Dedicated is true if dedicated VPN servers should be chosen only.
+	// This is used with OVPN.
+	Dedicated *bool `json:"dedicated"`
 	// OpenVPN contains settings to select OpenVPN servers
 	// and the final connection.
 	OpenVPN OpenVPNSelection `json:"openvpn"`
@@ -272,6 +275,8 @@ func validateFeatureFilters(settings ServerSelection, vpnServiceProvider string)
 		return errors.New("secure core only filter is not supported")
 	case *settings.TorOnly && vpnServiceProvider != providers.Protonvpn:
 		return errors.New("tor only filter is not supported")
+	case *settings.Dedicated && vpnServiceProvider != providers.Ovpn:
+		return errors.New("dedicated filter is not supported")
 	default:
 		return nil
 	}
@@ -296,6 +301,7 @@ func (ss *ServerSelection) copy() (copied ServerSelection) {
 		TorOnly:         gosettings.CopyPointer(ss.TorOnly),
 		PortForwardOnly: gosettings.CopyPointer(ss.PortForwardOnly),
 		MultiHopOnly:    gosettings.CopyPointer(ss.MultiHopOnly),
+		Dedicated:       gosettings.CopyPointer(ss.Dedicated),
 		OpenVPN:         ss.OpenVPN.copy(),
 		Wireguard:       ss.Wireguard.copy(),
 	}
@@ -319,6 +325,7 @@ func (ss *ServerSelection) overrideWith(other ServerSelection) {
 	ss.TorOnly = gosettings.OverrideWithPointer(ss.TorOnly, other.TorOnly)
 	ss.MultiHopOnly = gosettings.OverrideWithPointer(ss.MultiHopOnly, other.MultiHopOnly)
 	ss.PortForwardOnly = gosettings.OverrideWithPointer(ss.PortForwardOnly, other.PortForwardOnly)
+	ss.Dedicated = gosettings.OverrideWithPointer(ss.Dedicated, other.Dedicated)
 	ss.OpenVPN.overrideWith(other.OpenVPN)
 	ss.Wireguard.overrideWith(other.Wireguard)
 }
@@ -335,6 +342,7 @@ func (ss *ServerSelection) setDefaults(vpnProvider string, portForwardingEnabled
 	defaultPortForwardOnly := portForwardingEnabled &&
 		helpers.IsOneOf(vpnProvider, providers.PrivateInternetAccess, providers.Protonvpn)
 	ss.PortForwardOnly = gosettings.DefaultPointer(ss.PortForwardOnly, defaultPortForwardOnly)
+	ss.Dedicated = gosettings.DefaultPointer(ss.Dedicated, false)
 	ss.OpenVPN.setDefaults(vpnProvider)
 	ss.Wireguard.setDefaults()
 }
@@ -410,6 +418,10 @@ func (ss ServerSelection) toLinesNode() (node *gotree.Node) {
 		node.Appendf("Multi-hop only servers: yes")
 	}

+	if *ss.Dedicated {
+		node.Appendf("Dedicated servers: yes")
+	}
+
 	if *ss.PortForwardOnly {
 		node.Appendf("Port forwarding only servers: yes")
 	}
@@ -501,6 +513,12 @@ func (ss *ServerSelection) read(r *reader.Reader,
 		return err
 	}

+	// Ovpn only
+	ss.Dedicated, err = r.BoolPtr("SERVER_DEDICATED")
+	if err != nil {
+		return err
+	}
+
 	err = ss.OpenVPN.read(r)
 	if err != nil {
 		return err
@@ -20,6 +20,7 @@ type Settings struct {
 	HTTPProxy     HTTPProxy
 	Log           Log
 	PublicIP      PublicIP
+	Socks5        Socks5
 	Shadowsocks   Shadowsocks
 	Storage       Storage
 	System        System
@@ -49,6 +50,7 @@ func (s *Settings) Validate(filterChoicesGetter FilterChoicesGetter, ipv6Support
 		"http proxy":      s.HTTPProxy.validate,
 		"log":             s.Log.validate,
 		"public ip check": s.PublicIP.validate,
+		"socks5":          s.Socks5.validate,
 		"shadowsocks":     s.Shadowsocks.validate,
 		"storage":         s.Storage.validate,
 		"system":          s.System.validate,
@@ -81,6 +83,7 @@ func (s *Settings) copy() (copied Settings) {
 		HTTPProxy:     s.HTTPProxy.copy(),
 		Log:           s.Log.copy(),
 		PublicIP:      s.PublicIP.copy(),
+		Socks5:        s.Socks5.copy(),
 		Shadowsocks:   s.Shadowsocks.copy(),
 		Storage:       s.Storage.copy(),
 		System:        s.System.copy(),
@@ -104,6 +107,7 @@ func (s *Settings) OverrideWith(other Settings,
 	patchedSettings.HTTPProxy.overrideWith(other.HTTPProxy)
 	patchedSettings.Log.overrideWith(other.Log)
 	patchedSettings.PublicIP.overrideWith(other.PublicIP)
+	patchedSettings.Socks5.overrideWith(other.Socks5)
 	patchedSettings.Shadowsocks.overrideWith(other.Shadowsocks)
 	patchedSettings.Storage.overrideWith(other.Storage)
 	patchedSettings.System.overrideWith(other.System)
@@ -131,6 +135,7 @@ func (s *Settings) SetDefaults() {
 	s.Log.setDefaults()
 	s.IPv6.setDefaults()
 	s.PublicIP.setDefaults()
+	s.Socks5.setDefaults()
 	s.Shadowsocks.setDefaults()
 	s.Storage.SetDefaults()
 	s.System.setDefaults()
@@ -154,6 +159,7 @@ func (s Settings) toLinesNode() (node *gotree.Node) {
 	node.AppendNode(s.Log.toLinesNode())
 	node.AppendNode(s.IPv6.toLinesNode())
 	node.AppendNode(s.Health.toLinesNode())
+	node.AppendNode(s.Socks5.toLinesNode())
 	node.AppendNode(s.Shadowsocks.toLinesNode())
 	node.AppendNode(s.HTTPProxy.toLinesNode())
 	node.AppendNode(s.ControlServer.toLinesNode())
@@ -212,6 +218,7 @@ func (s *Settings) Read(r *reader.Reader, warner Warner) (err error) {
 		"public ip": func(r *reader.Reader) error {
 			return s.PublicIP.read(r, warner)
 		},
+		"socks5":      s.Socks5.read,
 		"shadowsocks": s.Shadowsocks.read,
 		"storage":     s.Storage.Read,
 		"system":      s.System.read,
@@ -81,6 +81,8 @@ func Test_Settings_String(t *testing.T) {
 |   |       ├── 1.1.1.1
 |   |       └── 8.8.8.8
 |   └── Restart VPN on healthcheck failure: yes
+├── SOCKS5 proxy server settings:
+|   └── Enabled: no
 ├── Shadowsocks server settings:
 |   └── Enabled: no
 ├── HTTP proxy settings:
@@ -0,0 +1,91 @@
+package settings
+
+import (
+	"errors"
+	"fmt"
+	"os"
+
+	"github.com/qdm12/gosettings"
+	"github.com/qdm12/gosettings/reader"
+	"github.com/qdm12/gosettings/validate"
+	"github.com/qdm12/gotree"
+)
+
+// Socks5 contains settings to configure the Socks5 proxy server.
+type Socks5 struct {
+	Enabled          *bool
+	ListeningAddress string
+	Username         *string
+	Password         *string
+}
+
+func (s Socks5) validate() (err error) {
+	err = validate.ListeningAddress(s.ListeningAddress, os.Getuid())
+	if err != nil {
+		return fmt.Errorf("server listening address is not valid: %w", err)
+	}
+
+	switch {
+	case *s.Username != "" && *s.Password == "":
+		return errors.New("password must be set if username is set")
+	case *s.Username == "" && *s.Password != "":
+		return errors.New("username must be set if password is set")
+	}
+
+	return nil
+}
+
+func (s *Socks5) copy() (copied Socks5) {
+	return Socks5{
+		Enabled:          gosettings.CopyPointer(s.Enabled),
+		ListeningAddress: s.ListeningAddress,
+		Username:         gosettings.CopyPointer(s.Username),
+		Password:         gosettings.CopyPointer(s.Password),
+	}
+}
+
+func (s *Socks5) overrideWith(other Socks5) {
+	s.Enabled = gosettings.OverrideWithPointer(s.Enabled, other.Enabled)
+	s.ListeningAddress = gosettings.OverrideWithComparable(s.ListeningAddress, other.ListeningAddress)
+	s.Username = gosettings.OverrideWithPointer(s.Username, other.Username)
+	s.Password = gosettings.OverrideWithPointer(s.Password, other.Password)
+}
+
+func (s *Socks5) setDefaults() {
+	s.Enabled = gosettings.DefaultPointer(s.Enabled, false)
+	s.ListeningAddress = gosettings.DefaultComparable(s.ListeningAddress, ":1080")
+	s.Username = gosettings.DefaultPointer(s.Username, "")
+	s.Password = gosettings.DefaultPointer(s.Password, "")
+}
+
+func (s Socks5) String() string {
+	return s.toLinesNode().String()
+}
+
+func (s Socks5) toLinesNode() (node *gotree.Node) {
+	node = gotree.New("SOCKS5 proxy server settings:")
+	node.Appendf("Enabled: %s", gosettings.BoolToYesNo(s.Enabled))
+	if !*s.Enabled {
+		return node
+	}
+
+	node.Appendf("Listening address: %s", s.ListeningAddress)
+	if *s.Username != "" || *s.Password != "" {
+		node.Appendf("Username: %s", *s.Username)
+		node.Appendf("Password: %s", gosettings.ObfuscateKey(*s.Password))
+	}
+	return node
+}
+
+func (s *Socks5) read(r *reader.Reader) (err error) {
+	s.Enabled, err = r.BoolPtr("SOCKS5_ENABLED")
+	if err != nil {
+		return err
+	}
+
+	s.ListeningAddress = r.String("SOCKS5_LISTENING_ADDRESS")
+	s.Username = r.Get("SOCKS5_USER", reader.ForceLowercase(false))
+	s.Password = r.Get("SOCKS5_PASSWORD", reader.ForceLowercase(false))
+
+	return nil
+}
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/netip"

+	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gosettings"
 	"github.com/qdm12/gosettings/reader"
@@ -22,7 +23,7 @@ type WireguardSelection struct {
 	// It can never be the zero value in the internal state.
 	EndpointIP netip.Addr `json:"endpoint_ip"`
 	// EndpointPort is a the server port to use for the VPN server.
-	// It is optional for VPN providers IVPN, Mullvad, Surfshark
+	// It is optional for VPN providers IVPN, Mullvad, Ovpn, Surfshark
 	// and Windscribe, and compulsory for the others.
 	// When optional, it can be set to 0 to indicate not use
 	// a custom endpoint port. It cannot be nil in the internal
@@ -40,8 +41,9 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate EndpointIP
 	switch vpnProvider {
 	case providers.Airvpn, providers.Fastestvpn, providers.Ivpn,
-		providers.Mullvad, providers.Nordvpn, providers.Protonvpn,
-		providers.Surfshark, providers.Windscribe:
+		providers.Mullvad, providers.Nordvpn, providers.Ovpn,
+		providers.Protonvpn, providers.Surfshark,
+		providers.Windscribe:
 		// endpoint IP addresses are baked in
 	case providers.Custom:
 		if !w.EndpointIP.IsValid() || w.EndpointIP.IsUnspecified() {
@@ -63,12 +65,16 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 		if *w.EndpointPort != 0 {
 			return errors.New("endpoint port is set")
 		}
-	case providers.Airvpn, providers.Ivpn, providers.Mullvad, providers.Windscribe:
+	case providers.Airvpn, providers.Ivpn, providers.Mullvad,
+		providers.Ovpn, providers.Windscribe:
 		// EndpointPort is optional and can be 0
 		if *w.EndpointPort == 0 {
 			break // no custom endpoint port set
 		}
-		if vpnProvider == providers.Mullvad {
+		if helpers.IsOneOf(vpnProvider,
+			providers.Mullvad,
+			providers.Ovpn,
+		) {
 			break // no restriction on custom endpoint port value
 		}
 		var allowed []uint16
@@ -92,7 +98,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate PublicKey
 	switch vpnProvider {
 	case providers.Fastestvpn, providers.Ivpn, providers.Mullvad,
-		providers.Surfshark, providers.Windscribe:
+		providers.Ovpn, providers.Surfshark, providers.Windscribe:
 		// public keys are baked in
 	case providers.Custom:
 		if w.PublicKey == "" {
@@ -15,6 +15,7 @@ const (
 	Ivpn                  = "ivpn"
 	Mullvad               = "mullvad"
 	Nordvpn               = "nordvpn"
+	Ovpn                  = "ovpn"
 	Perfectprivacy        = "perfect privacy"
 	Privado               = "privado"
 	PrivateInternetAccess = "private internet access"
@@ -43,6 +44,7 @@ func All() []string {
 		Ivpn,
 		Mullvad,
 		Nordvpn,
+		Ovpn,
 		Perfectprivacy,
 		Privado,
 		PrivateInternetAccess,
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"math"
 	"math/rand/v2"
 	"net/http"
@@ -84,11 +85,14 @@ func triggerDNSQuery(ctx context.Context, client *http.Client, session string) (
 		IP      map[string]uint `json:"ip"`
 	}

-	decoder := json.NewDecoder(response.Body)
-	var data ipLeakData
-	err = decoder.Decode(&data)
+	rawData, err := io.ReadAll(response.Body)
 	if err != nil {
-		return nil, fmt.Errorf("decoding response: %w", err)
+		return nil, fmt.Errorf("reading response body: %w", err)
+	}
+	var data ipLeakData
+	err = json.Unmarshal(rawData, &data)
+	if err != nil {
+		return nil, fmt.Errorf("decoding response %q: %w", rawData, err)
 	} else if data.Session != session {
 		return nil, fmt.Errorf("ipleak.net session mismatch: expected %s, got %s", session, data.Session)
 	}
@@ -1,7 +1,6 @@
 package iptables

 import (
-	"bufio"
 	"context"
 	"fmt"
 	"os/exec"
@@ -97,25 +96,24 @@ func saveData(ctx context.Context, binary string) (data string, err error) {
 		}
 		return "", fmt.Errorf("running %s-save: %w", binary, err)
 	}
-	err = checkData(string(output))
-	if err != nil {
-		return "", fmt.Errorf("checking saved data: %w", err)
-	}
-	return string(output), nil
+	return filterData(output)
 }

-func checkData(data string) error {
-	scanner := bufio.NewScanner(strings.NewReader(data))
-	i := 0
-	for scanner.Scan() {
-		line := scanner.Text()
-		if strings.HasPrefix(line, "[unsupported") {
-			return fmt.Errorf("unsupported revision marker found in line %d: %s", i+1, line)
+func filterData(cmdOutput []byte) (filtered string, err error) {
+	lines := strings.Split(string(cmdOutput), "\n")
+	filteredLines := make([]string, 0, len(lines))
+	for _, line := range lines {
+		switch {
+		case strings.HasPrefix(line, ":DOCKER_OUTPUT"),
+			strings.HasPrefix(line, ":DOCKER_POSTROUTING"),
+			strings.HasPrefix(line, "-A DOCKER_OUTPUT"),
+			strings.HasPrefix(line, "-A DOCKER_POSTROUTING"):
+			// Do not touch (aka save and restore) NAT rules added by Docker
+			continue
+		case strings.Contains(line, "[unsupported revision]"):
+			return "", fmt.Errorf("mismatch container iptables-save and kernel: %s", line)
 		}
-		i++
+		filteredLines = append(filteredLines, line)
 	}
-	if scanner.Err() != nil {
-		return fmt.Errorf("scanning data: %w", scanner.Err())
-	}
-	return nil
+	return strings.Join(filteredLines, "\n"), nil
 }
@@ -278,7 +278,6 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			appendOrDelete(remove), interfaceFlag, destinationPort),
 	})
 	if err != nil {
-		restore(ctx) // just in case
 		errMessage := err.Error()
 		if strings.Contains(errMessage, "can't initialize ip6tables table `nat': Table does not exist") {
 			if !remove {
@@ -286,6 +285,7 @@ func (c *Config) RedirectPort(ctx context.Context, intf string,
 			}
 			return nil
 		}
+		restore(ctx)
 		return fmt.Errorf("redirecting IPv6 source port %d to destination port %d on interface %s: %w",
 			sourcePort, destinationPort, intf, err)
 	}
@@ -34,8 +34,11 @@ type Server struct {
 	SecureCore  bool         `json:"secure_core,omitempty"`
 	Tor         bool         `json:"tor,omitempty"`
 	PortForward bool         `json:"port_forward,omitempty"`
+	Dedicated   bool         `json:"dedicated,omitempty"`
 	Keep        bool         `json:"keep,omitempty"`
 	IPs         []netip.Addr `json:"ips,omitempty"`
+	PortsTCP    []uint16     `json:"ports_tcp,omitempty"`
+	PortsUDP    []uint16     `json:"ports_udp,omitempty"`
 }

 func (s *Server) HasMinimumInformation() (err error) {
@@ -29,19 +29,16 @@ func (r *Runner) Run(ctx context.Context, errCh chan<- error, ready chan<- struc
 		return
 	}

-	streamCtx, streamCancel := context.WithCancel(context.Background())
 	streamDone := make(chan struct{})
-	go streamLines(streamCtx, streamDone, r.logger,
+	go streamLines(streamDone, r.logger,
 		stdoutLines, stderrLines, ready)

 	select {
 	case <-ctx.Done():
 		<-waitError
-		streamCancel()
 		<-streamDone
 		errCh <- ctx.Err()
 	case err := <-waitError:
-		streamCancel()
 		<-streamDone
 		errCh <- err
 	}
@@ -1,26 +1,37 @@
 package openvpn

 import (
-	"context"
 	"strings"
 )

-func streamLines(ctx context.Context, done chan<- struct{},
+func streamLines(done chan<- struct{},
 	logger Logger, stdout, stderr <-chan string,
 	tunnelReady chan<- struct{},
 ) {
 	defer close(done)

-	var line string
-
 	for {
+		var line string
+		var ok bool
 		errLine := false
 		select {
-		case <-ctx.Done():
-			return
-		case line = <-stdout:
-		case line = <-stderr:
-			errLine = true
+		case line, ok = <-stdout:
+			if ok {
+				break
+			}
+			if stderr == nil {
+				return
+			}
+			stdout = nil
+		case line, ok = <-stderr:
+			if ok {
+				errLine = true
+				break
+			}
+			if stdout == nil {
+				return
+			}
+			stderr = nil
 		}
 		line, level := processLogLine(line)
 		if line == "" {
@@ -15,7 +15,11 @@ func runCommand(ctx context.Context, cmder Cmder, logger Logger,
 	}
 	portsString := strings.Join(portStrings, ",")
 	commandString := strings.ReplaceAll(commandTemplate, "{{PORTS}}", portsString)
-	commandString = strings.ReplaceAll(commandString, "{{PORT}}", portStrings[0])
+	var firstPort string
+	if len(portStrings) > 0 {
+		firstPort = portStrings[0]
+	}
+	commandString = strings.ReplaceAll(commandString, "{{PORT}}", firstPort)
 	commandString = strings.ReplaceAll(commandString, "{{VPN_INTERFACE}}", vpnInterface)
 	return cmder.RunAndLog(ctx, commandString, logger)
 }
@@ -2,6 +2,7 @@ package service

 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"slices"
@@ -59,6 +60,10 @@ func (s *Service) SetPortsForwarded(ctx context.Context, ports []uint16) (err er
 	s.portMutex.Lock()
 	defer s.portMutex.Unlock()

+	if s.settings.PortForwarder != nil {
+		return errors.New("setting port forwarded at runtime is not supported with internally running port forwarding code")
+	}
+
 	slices.Sort(ports)
 	if slices.Equal(s.ports, ports) {
 		return nil
@@ -78,7 +83,5 @@ func (s *Service) SetPortsForwarded(ctx context.Context, ports []uint16) (err er
 		return fmt.Errorf("handling new ports: %w", err)
 	}

-	s.logger.Info("updated: " + portsToString(s.ports))
-
 	return nil
 }
@@ -88,7 +88,7 @@ func (s *Settings) Validate(forStartup bool) (err error) {
 			return errors.New("password not set")
 		}
 	case providers.Protonvpn:
-		const maxPortsCount = 4
+		const maxPortsCount = 5
 		if s.PortsCount > maxPortsCount {
 			return fmt.Errorf("ports count too high: %d > %d", s.PortsCount, maxPortsCount)
 		}
@@ -92,13 +92,9 @@ func (s *Service) onNewPorts(ctx context.Context, internalToExternalPorts map[ui
 	s.logger.Info(portPairsToString(internalToExternalPorts))

 	externalPorts := slices.Collect(maps.Values(internalToExternalPorts))
-	autoRedirectionNeeded := false
 	externalToInternalPorts := make(map[uint16]uint16, len(internalToExternalPorts))
 	for internal, external := range internalToExternalPorts {
 		externalToInternalPorts[external] = internal
-		if internal != external {
-			autoRedirectionNeeded = true
-		}
 	}
 	slices.Sort(externalPorts)
 	userRedirectionEnabled := !slices.Equal(s.settings.ListeningPorts, []uint16{0})
@@ -109,23 +105,21 @@ func (s *Service) onNewPorts(ctx context.Context, internalToExternalPorts map[ui
 			return fmt.Errorf("allowing port in firewall: %w", err)
 		}

-		var sourcePort, destinationPort uint16
+		var destinationPort uint16
 		switch {
 		case userRedirectionEnabled: // precedence over auto redirection
-			sourcePort = externalToInternalPorts[port]
 			destinationPort = s.settings.ListeningPorts[i]
-		case autoRedirectionNeeded:
-			sourcePort = externalToInternalPorts[port]
+		case port != internalPort: // auto redirection needed, source and destination ports differ
 			destinationPort = port
 		default:
 			// No redirection needed, source and destination ports are the same.
 			continue
 		}

-		err = s.portAllower.RedirectPort(ctx, s.settings.Interface, sourcePort, destinationPort)
+		err = s.portAllower.RedirectPort(ctx, s.settings.Interface, internalPort, destinationPort)
 		if err != nil {
 			return fmt.Errorf("redirecting port %d to %d in firewall: %w",
-				sourcePort, destinationPort, err)
+				internalPort, destinationPort, err)
 		}
 	}

@@ -6,6 +6,7 @@ import (
 	"strings"

 	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/provider/utils"
@@ -65,7 +66,11 @@ func modifyConfig(lines []string, connection models.Connection,
 	}

 	// Add values
-	modified = append(modified, "proto "+connection.Protocol)
+	protocol := connection.Protocol
+	if protocol == constants.TCP {
+		protocol = "tcp-client"
+	}
+	modified = append(modified, "proto "+protocol)
 	modified = append(modified, fmt.Sprintf("remote %s %d", connection.IP, connection.Port))
 	modified = append(modified, "dev "+settings.Interface)
 	modified = append(modified, "mute-replay-warnings")
@@ -0,0 +1,15 @@
+package ovpn
+
+import (
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/utils"
+)
+
+func (p *Provider) GetConnection(selection settings.ServerSelection, ipv6Supported bool) (
+	connection models.Connection, err error,
+) {
+	defaults := utils.NewConnectionDefaults(443, 1194, 9929) //nolint:mnd
+	return utils.GetConnection(p.Name(),
+		p.storage, selection, defaults, ipv6Supported, p.connPicker)
+}
@@ -0,0 +1,126 @@
+package ovpn
+
+import (
+	"errors"
+	"net/http"
+	"net/netip"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants"
+	"github.com/qdm12/gluetun/internal/constants/providers"
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Provider_GetConnection(t *testing.T) {
+	t.Parallel()
+
+	const provider = providers.Ovpn
+
+	errTest := errors.New("test error")
+
+	testCases := map[string]struct {
+		filteredServers []models.Server
+		storageErr      error
+		selection       settings.ServerSelection
+		ipv6Supported   bool
+		connection      models.Connection
+		errWrapped      error
+		errMessage      string
+	}{
+		"error": {
+			storageErr: errTest,
+			errWrapped: errTest,
+			errMessage: "filtering servers: test error",
+		},
+		"default_openvpn_tcp_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
+			},
+			selection: settings.ServerSelection{
+				OpenVPN: settings.OpenVPNSelection{
+					Protocol: constants.TCP,
+				},
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.OpenVPN,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     443,
+				Protocol: constants.TCP,
+			},
+		},
+		"default_openvpn_udp_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}},
+			},
+			selection: settings.ServerSelection{
+				OpenVPN: settings.OpenVPNSelection{
+					Protocol: constants.UDP,
+				},
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.OpenVPN,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     1194,
+				Protocol: constants.UDP,
+			},
+		},
+		"default_wireguard_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x"},
+			},
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.Wireguard,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     9929,
+				Protocol: constants.UDP,
+				PubKey:   "x",
+			},
+		},
+		"default_multihop_port": {
+			filteredServers: []models.Server{
+				{IPs: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})}, WgPubKey: "x", PortsUDP: []uint16{30044}},
+			},
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+			}.WithDefaults(provider),
+			connection: models.Connection{
+				Type:     vpn.Wireguard,
+				IP:       netip.AddrFrom4([4]byte{1, 1, 1, 1}),
+				Port:     30044,
+				Protocol: constants.UDP,
+				PubKey:   "x",
+			},
+		},
+	}
+
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			ctrl := gomock.NewController(t)
+
+			storage := common.NewMockStorage(ctrl)
+			storage.EXPECT().FilterServers(provider, testCase.selection).
+				Return(testCase.filteredServers, testCase.storageErr)
+
+			client := (*http.Client)(nil)
+			provider := New(storage, client)
+
+			connection, err := provider.GetConnection(testCase.selection, testCase.ipv6Supported)
+
+			assert.ErrorIs(t, err, testCase.errWrapped)
+			if testCase.errWrapped != nil {
+				assert.EqualError(t, err, testCase.errMessage)
+			}
+
+			assert.Equal(t, testCase.connection, connection)
+		})
+	}
+}
@@ -0,0 +1,38 @@
+package ovpn
+
+import (
+	"strings"
+
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+	"github.com/qdm12/gluetun/internal/constants/openvpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/utils"
+)
+
+func (p *Provider) OpenVPNConfig(connection models.Connection,
+	settings settings.OpenVPN, ipv6Supported bool,
+) (lines []string) {
+	providerSettings := utils.OpenVPNProviderSettings{
+		AuthUserPass:  true,
+		RemoteCertTLS: true,
+		Ciphers: []string{
+			openvpn.AES256gcm,
+			openvpn.AES256cbc,
+			openvpn.AES128gcm,
+			openvpn.Chacha20Poly1305,
+		},
+		CAs: []string{
+			"MIIEfTCCA2WgAwIBAgIJAK2aIWqpLj1/MA0GCSqGSIb3DQEBBQUAMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTAeFw0xNDA4MTcxODIxMjlaFw0zNDA4MTIxODIxMjlaMIGFMQswCQYDVQQGEwJTRTESMBAGA1UECBMJU3RvY2tob2xtMRIwEAYDVQQHEwlTdG9ja2hvbG0xHDAaBgNVBAsTE0Zpcm1hIERhdmlkIFdpYmVyZ2gxEzARBgNVBAMTCm92cG4uc2UgY2ExGzAZBgkqhkiG9w0BCQEWDGluZm9Ab3Zwbi5zZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMR+aP4GTuZwurZuOA2NYzMfqKyZi/TJcLEPlGTB/b4CWA9bTd8f0pHPrDAZsXIEayxxB58BIFNDNiybnbO15JN/QwlsqmA+aZX6mCSkScs/rRwasM6LDo8iGx+KmYEqAgzziONGbCMnlO+OaarXte7LhZ9X6Z/bryu4xq/i1v3raak13kXsrogtu4iDzxqJE/QhbNOi0yhCdlm5RYQjmlKGdPB9pNTgcakVI4HcngRYMzBlrGin0YkvWCdpx5FrDNeld7BSWrJMNYyvd+buaid0Fu1T9/P/Srj/8AiabKoaDyiGFbZdTnGfK+04lWRvwAmvazpqbUt5Omw634jJDuMCAwEAAaOB7TCB6jAdBgNVHQ4EFgQUEvJcHHcTiDtu7bAyZw+xaqg+xdIwgboGA1UdIwSBsjCBr4AUEvJcHHcTiDtu7bAyZw+xaqg+xdKhgYukgYgwgYUxCzAJBgNVBAYTAlNFMRIwEAYDVQQIEwlTdG9ja2hvbG0xEjAQBgNVBAcTCVN0b2NraG9sbTEcMBoGA1UECxMTRmlybWEgRGF2aWQgV2liZXJnaDETMBEGA1UEAxMKb3Zwbi5zZSBjYTEbMBkGCSqGSIb3DQEJARYMaW5mb0BvdnBuLnNlggkArZohaqkuPX8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAJmID6OyBJbV7ayPPgquojF+FICuDdOfGVKP828cyISxcbVA04VpD0QLYVb0k9pFUx0NbgX2SvRTiFhP7LcyS1HV9s+XLCb2WItPPsrdRTwtqU2n3TlCEzWA3WOcOCtT6JSkv1eelmx1JnP0gYJrDvDvRYBFctwWhtE0bineSQkZwN6980zkknADLAiHpeZSu/AMx7CGTwA6SmoFvpNBmHXDcfe/9ZqbbYfUfyPNe+0JbMrcv1elKi+6wlEkHFaEBphiZwGEbOX1CjUMcQFgW/cIp3n50Eiyx6ktuqimhyb59P4Nw8gqH452tTtE4MM/brA5y0Q0WFBRBojfZIbGWWQ==", //nolint:lll
+		},
+		TLSAuth:      "81782767e4d59c4464cc5d1896f1cf6015017d53ac62e2e3b94b889e00b2c69ddc01944fe1c6d895b4d80540502eb71910b8d785c9efa9e3182343532adffe1cfbb7bb6eae39c502da2748edf0fb89b8a20b0a1085cc1f06135037881bc0c4ad8f2c0f4f72d2ab466fb54af3d8264c5fddeb0f21aa0ca41863678f5fc4c44de4ca0926b36dfddc42c6f2fabd1694bdc8215b2d223b9c21dc6734c2c778093187afb8c33403b228b9af68b540c284f6d183bcc88bd41d47bd717996e499ce1cbbfa768a9723c19c58314c4d19cfed82e543ee92e73d38ad26d4fbec231c0f9f3b30773a5c87792e9bc7c34e8d7611002ebedd044e48a0f1f96527bfdcc940aa09", //nolint:lll
+		KeyDirection: "1",
+	}
+
+	if strings.HasSuffix(connection.Hostname, "singapore.ovpn.com") {
+		providerSettings.TLSCrypt = providerSettings.TLSAuth
+		providerSettings.TLSAuth = ""
+		providerSettings.KeyDirection = ""
+	}
+
+	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
+}
@@ -0,0 +1,28 @@
+package ovpn
+
+import (
+	"net/http"
+
+	"github.com/qdm12/gluetun/internal/constants/providers"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/qdm12/gluetun/internal/provider/ovpn/updater"
+	"github.com/qdm12/gluetun/internal/provider/utils"
+)
+
+type Provider struct {
+	storage    common.Storage
+	connPicker *utils.ConnectionPicker
+	common.Fetcher
+}
+
+func New(storage common.Storage, client *http.Client) *Provider {
+	return &Provider{
+		storage:    storage,
+		connPicker: utils.NewConnectionPicker(),
+		Fetcher:    updater.New(client),
+	}
+}
+
+func (p *Provider) Name() string {
+	return providers.Ovpn
+}
@@ -0,0 +1,153 @@
+package updater
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/netip"
+	"strings"
+)
+
+type apiData struct {
+	Success     bool            `json:"success"`
+	DataCenters []apiDataCenter `json:"datacenters"`
+}
+
+type apiDataCenter struct {
+	City        string      `json:"city"`
+	CountryName string      `json:"country_name"`
+	Servers     []apiServer `json:"servers"`
+}
+
+type apiServer struct {
+	IP     netip.Addr `json:"ip"`
+	Ptr    string     `json:"ptr"` // hostname
+	Online bool       `json:"online"`
+	// PublicKey is for the Standard Shared Entry Point
+	PublicKey string `json:"public_key"`
+	// PublicKeyIPv4 is for the Public / Dedicated IP Entry Point
+	PublicKeyIPv4         string   `json:"public_key_ipv4"`
+	WireguardPorts        []uint16 `json:"wireguard_ports"`
+	MultiHopOpenvpnPort   uint16   `json:"multihop_openvpn_port"`
+	MultiHopWireguardPort uint16   `json:"multihop_wireguard_port"`
+}
+
+func fetchAPI(ctx context.Context, client *http.Client) (
+	data apiData, err error,
+) {
+	const url = "https://www.ovpn.com/v2/api/client/entry"
+
+	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return data, err
+	}
+
+	response, err := client.Do(request)
+	if err != nil {
+		return data, err
+	}
+
+	if response.StatusCode != http.StatusOK {
+		_ = response.Body.Close()
+		return data, fmt.Errorf("HTTP response status code is not OK: %d %s",
+			response.StatusCode, response.Status)
+	}
+
+	decoder := json.NewDecoder(response.Body)
+	err = decoder.Decode(&data)
+	if err != nil {
+		_ = response.Body.Close()
+		return data, fmt.Errorf("decoding response body: %w", err)
+	}
+
+	err = response.Body.Close()
+	if err != nil {
+		return data, fmt.Errorf("closing response body: %w", err)
+	}
+
+	return data, nil
+}
+
+func (a *apiDataCenter) validate() (err error) {
+	conditionalErrors := []conditionalError{
+		{err: "city is not set", condition: a.City == ""},
+		{err: "country name is not set", condition: a.CountryName == ""},
+		{err: "servers array is not set", condition: len(a.Servers) == 0},
+	}
+	err = collectErrors(conditionalErrors)
+	if err != nil {
+		var dataCenterSetFields []string
+		if a.CountryName != "" {
+			dataCenterSetFields = append(dataCenterSetFields, a.CountryName)
+		}
+		if a.City != "" {
+			dataCenterSetFields = append(dataCenterSetFields, a.City)
+		}
+		if len(dataCenterSetFields) == 0 {
+			return err
+		}
+		return fmt.Errorf("data center %s: %w",
+			strings.Join(dataCenterSetFields, ", "), err)
+	}
+
+	for i, server := range a.Servers {
+		err = server.validate()
+		if err != nil {
+			return fmt.Errorf("datacenter %s, %s: server %d of %d: %w",
+				a.CountryName, a.City, i+1, len(a.Servers), err)
+		}
+	}
+
+	return nil
+}
+
+func (a *apiServer) validate() (err error) {
+	const defaultWireguardPort = 9929
+	conditionalErrors := []conditionalError{
+		{err: "ip address is not set", condition: !a.IP.IsValid()},
+		{err: "hostname field is not set", condition: a.Ptr == ""},
+		{err: "public key field is not set", condition: a.PublicKey == ""},
+		{err: "public key IPv4 field is not set", condition: a.PublicKeyIPv4 == ""},
+		{err: "wireguard ports array is not set", condition: len(a.WireguardPorts) == 0},
+		{
+			err:       "wireguard port is not the default 9929",
+			condition: len(a.WireguardPorts) != 1 || a.WireguardPorts[0] != defaultWireguardPort,
+		},
+		{err: "multihop OpenVPN port is not set", condition: a.MultiHopOpenvpnPort == 0},
+		{err: "multihop WireGuard port is not set", condition: a.MultiHopWireguardPort == 0},
+	}
+	err = collectErrors(conditionalErrors)
+	switch {
+	case err == nil:
+		return nil
+	case a.Ptr != "":
+		return fmt.Errorf("server %s: %w", a.Ptr, err)
+	case a.IP.IsValid():
+		return fmt.Errorf("server %s: %w", a.IP.String(), err)
+	default:
+		return err
+	}
+}
+
+type conditionalError struct {
+	err       string
+	condition bool
+}
+
+func collectErrors(conditionalErrors []conditionalError) (err error) {
+	errs := make([]string, 0, len(conditionalErrors))
+	for _, conditionalError := range conditionalErrors {
+		if !conditionalError.condition {
+			continue
+		}
+		errs = append(errs, conditionalError.err)
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+
+	return errors.New(strings.Join(errs, "; "))
+}
@@ -0,0 +1,118 @@
+package updater
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net/http"
+	"net/netip"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_fetchAPI(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		responseStatus int
+		responseBody   io.ReadCloser
+		data           apiData
+		err            error
+	}{
+		"http response status not ok": {
+			responseStatus: http.StatusNoContent,
+			err:            errors.New("HTTP response status code is not OK: 204 No Content"),
+		},
+		"nil body": {
+			responseStatus: http.StatusOK,
+			err:            errors.New("decoding response body: EOF"),
+		},
+		"no server": {
+			responseStatus: http.StatusOK,
+			responseBody:   io.NopCloser(strings.NewReader(`{}`)),
+		},
+		"success": {
+			responseStatus: http.StatusOK,
+			responseBody: io.NopCloser(strings.NewReader(`{
+		  "success": true,
+		  "datacenters": [
+		    {
+		      "slug": "vienna",
+		      "city": "Vienna",
+		      "country": "AT",
+		      "country_name": "Austria",
+		      "pools": [
+		        "pool-1.prd.at.vienna.ovpn.com"
+		      ],
+		      "ping_address": "37.120.212.227",
+		      "servers": [
+		        {
+		          "ip": "37.120.212.227",
+		          "ptr": "vpn44.prd.vienna.ovpn.com",
+		          "name": "VPN44 - Vienna",
+		          "online": true,
+		          "load": 8,
+		          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+		          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+		          "wireguard_ports": [
+		            9929
+		          ],
+		          "multihop_openvpn_port": 20044,
+		          "multihop_wireguard_port": 30044
+		        }
+		      ]
+		    }
+		  ]
+		}`)),
+			data: apiData{
+				Success: true,
+				DataCenters: []apiDataCenter{
+					{CountryName: "Austria", City: "Vienna", Servers: []apiServer{
+						{
+							IP:                    netip.MustParseAddr("37.120.212.227"),
+							Ptr:                   "vpn44.prd.vienna.ovpn.com",
+							Online:                true,
+							PublicKey:             "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+							PublicKeyIPv4:         "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+							WireguardPorts:        []uint16{9929},
+							MultiHopOpenvpnPort:   20044,
+							MultiHopWireguardPort: 30044,
+						},
+					}},
+				},
+			},
+		},
+	}
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := context.Background()
+
+			client := &http.Client{
+				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+					assert.Equal(t, http.MethodGet, r.Method)
+					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
+					return &http.Response{
+						StatusCode: testCase.responseStatus,
+						Status:     http.StatusText(testCase.responseStatus),
+						Body:       testCase.responseBody,
+					}, nil
+				}),
+			}
+
+			data, err := fetchAPI(ctx, client)
+
+			assert.Equal(t, testCase.data, data)
+			if testCase.err != nil {
+				require.Error(t, err)
+				assert.Equal(t, testCase.err.Error(), err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
@@ -0,0 +1,9 @@
+package updater
+
+import "net/http"
+
+type roundTripFunc func(r *http.Request) (*http.Response, error)
+
+func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) {
+	return f(r)
+}
@@ -0,0 +1,82 @@
+package updater
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"sort"
+
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+)
+
+func (u *Updater) FetchServers(ctx context.Context, minServers int) (
+	servers []models.Server, err error,
+) {
+	data, err := fetchAPI(ctx, u.client)
+	if err != nil {
+		return nil, fmt.Errorf("fetching API: %w", err)
+	} else if !data.Success {
+		return nil, errors.New("response success field is false")
+	}
+
+	for dataCenterIndex, dataCenter := range data.DataCenters {
+		err = dataCenter.validate()
+		if err != nil {
+			return nil, fmt.Errorf("validating data center %d of %d: %w",
+				dataCenterIndex+1, len(data.DataCenters), err)
+		}
+
+		for _, apiServer := range dataCenter.Servers {
+			if !apiServer.Online {
+				continue
+			}
+
+			baseServer := models.Server{
+				Country:  dataCenter.CountryName,
+				City:     dataCenter.City,
+				Hostname: apiServer.Ptr,
+				IPs:      []netip.Addr{apiServer.IP},
+			}
+			openVPNServer := baseServer
+			openVPNServer.VPN = vpn.OpenVPN
+			openVPNServer.TCP = true
+			openVPNServer.UDP = true
+			multiHopOpenVPNServer := openVPNServer
+			multiHopOpenVPNServer.MultiHop = true
+			multiHopOpenVPNServer.PortsTCP = []uint16{apiServer.MultiHopOpenvpnPort}
+			multiHopOpenVPNServer.PortsUDP = []uint16{apiServer.MultiHopOpenvpnPort}
+			servers = append(servers, openVPNServer, multiHopOpenVPNServer)
+
+			wireguardServer := baseServer
+			wireguardServer.VPN = vpn.Wireguard
+			wireguardServer.WgPubKey = apiServer.PublicKey
+			multiHopWireguardServer := wireguardServer
+			multiHopWireguardServer.MultiHop = true
+			multiHopWireguardServer.PortsUDP = []uint16{apiServer.MultiHopWireguardPort}
+			dedicatedWireguardServer := wireguardServer
+			dedicatedWireguardServer.WgPubKey = apiServer.PublicKeyIPv4
+			dedicatedWireguardServer.Dedicated = true
+			dedicatedMultiHopWireguardServer := multiHopWireguardServer
+			dedicatedMultiHopWireguardServer.WgPubKey = apiServer.PublicKeyIPv4
+			dedicatedMultiHopWireguardServer.Dedicated = true
+			servers = append(servers,
+				wireguardServer,
+				multiHopWireguardServer,
+				dedicatedWireguardServer,
+				dedicatedMultiHopWireguardServer,
+			)
+		}
+	}
+
+	if len(servers) < minServers {
+		return nil, fmt.Errorf("%w: %d and expected at least %d",
+			common.ErrNotEnoughServers, len(servers), minServers)
+	}
+
+	sort.Sort(models.SortableServers(servers))
+
+	return servers, nil
+}
@@ -0,0 +1,228 @@
+package updater
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/netip"
+	"strings"
+	"testing"
+
+	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
+	"github.com/qdm12/gluetun/internal/provider/common"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Updater_FetchServers(t *testing.T) {
+	t.Parallel()
+
+	testCases := map[string]struct {
+		// Inputs
+		minServers int
+
+		// From API
+		responseStatus int
+		responseBody   string
+
+		// Output
+		servers    []models.Server
+		errWrapped error
+		errMessage string
+	}{
+		"http_response_error": {
+			responseStatus: http.StatusNoContent,
+			errMessage:     "fetching API: HTTP response status code is not OK: 204 No Content",
+		},
+		"success_field_false": {
+			responseStatus: http.StatusOK,
+			responseBody:   `{"success": false}`,
+			errMessage:     "response success field is false",
+		},
+		"validation_failed": {
+			responseStatus: http.StatusOK,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "city": "Vienna",
+      "servers": [
+        {}
+      ]
+    }
+  ]
+}`,
+			errMessage: "validating data center 1 of 1: data center Vienna: country name is not set",
+		},
+		"not_enough_servers": {
+			minServers:     7,
+			responseStatus: http.StatusOK,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "city": "Vienna",
+      "country_name": "Austria",
+      "servers": [
+        {
+          "ip": "37.120.212.227",
+          "ptr": "vpn44.prd.vienna.ovpn.com",
+          "online": true,
+          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+					"public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+          "wireguard_ports": [9929],
+          "multihop_openvpn_port": 20044,
+          "multihop_wireguard_port": 30044
+        }
+      ]
+    }
+  ]
+}`,
+			errWrapped: common.ErrNotEnoughServers,
+			// Wireguard + dedicated Wireguard + Wireguard multi-hop +
+			// dedicated Wireguard multi-hop + OpenVPN + OpenVPN multi-hop
+			errMessage: "not enough servers found: 6 and expected at least 7",
+		},
+		"success": {
+			minServers: 4,
+			responseBody: `{
+  "success": true,
+  "datacenters": [
+    {
+      "slug": "vienna",
+      "city": "Vienna",
+      "country": "AT",
+      "country_name": "Austria",
+      "pools": [
+        "pool-1.prd.at.vienna.ovpn.com"
+      ],
+      "ping_address": "37.120.212.227",
+      "servers": [
+        {
+          "ip": "37.120.212.227",
+          "ptr": "vpn44.prd.vienna.ovpn.com",
+          "name": "VPN44 - Vienna",
+          "online": true,
+          "load": 8,
+          "public_key": "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+          "public_key_ipv4": "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+          "wireguard_ports": [
+            9929
+          ],
+          "multihop_openvpn_port": 20044,
+          "multihop_wireguard_port": 30044
+        },
+        {
+          "ip": "37.120.212.228",
+          "ptr": "vpn45.prd.vienna.ovpn.com",
+          "online": false,
+          "public_key": "r93LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+					"public_key_ipv4": "wGbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+          "wireguard_ports": [9929],
+          "multihop_openvpn_port": 20045,
+          "multihop_wireguard_port": 30045
+        }
+      ]
+    }
+  ]
+}`,
+			responseStatus: http.StatusOK,
+			servers: []models.Server{
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.OpenVPN,
+					UDP:      true,
+					TCP:      true,
+				},
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.OpenVPN,
+					UDP:      true,
+					TCP:      true,
+					MultiHop: true,
+					PortsTCP: []uint16{20044},
+					PortsUDP: []uint16{20044},
+				},
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.Wireguard,
+					WgPubKey: "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+				},
+				{
+					Country:  "Austria",
+					City:     "Vienna",
+					Hostname: "vpn44.prd.vienna.ovpn.com",
+					IPs:      []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:      vpn.Wireguard,
+					WgPubKey: "r83LIc0Q2F8s3dY9x5y17Yz8wTADJc7giW1t5eSmoXc=",
+					MultiHop: true,
+					PortsUDP: []uint16{30044},
+				},
+				{
+					Country:   "Austria",
+					City:      "Vienna",
+					Hostname:  "vpn44.prd.vienna.ovpn.com",
+					IPs:       []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:       vpn.Wireguard,
+					WgPubKey:  "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+					Dedicated: true,
+				},
+				{
+					Country:   "Austria",
+					City:      "Vienna",
+					Hostname:  "vpn44.prd.vienna.ovpn.com",
+					IPs:       []netip.Addr{netip.MustParseAddr("37.120.212.227")},
+					VPN:       vpn.Wireguard,
+					WgPubKey:  "wFbSRyjSXBmkjJodlqz7DoYn3WNDPYFUIXyIUS2QU2A=",
+					MultiHop:  true,
+					Dedicated: true,
+					PortsUDP:  []uint16{30044},
+				},
+			},
+		},
+	}
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			ctx := context.Background()
+
+			client := &http.Client{
+				Transport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+					assert.Equal(t, http.MethodGet, r.Method)
+					assert.Equal(t, r.URL.String(), "https://www.ovpn.com/v2/api/client/entry")
+					return &http.Response{
+						StatusCode: testCase.responseStatus,
+						Status:     http.StatusText(testCase.responseStatus),
+						Body:       io.NopCloser(strings.NewReader(testCase.responseBody)),
+					}, nil
+				}),
+			}
+
+			updater := &Updater{
+				client: client,
+			}
+
+			servers, err := updater.FetchServers(ctx, testCase.minServers)
+
+			assert.Equal(t, testCase.servers, servers)
+			if testCase.errMessage == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.Contains(t, err.Error(), testCase.errMessage)
+			}
+			if testCase.errWrapped != nil {
+				assert.ErrorIs(t, err, testCase.errWrapped)
+			}
+		})
+	}
+}
@@ -0,0 +1,15 @@
+package updater
+
+import (
+	"net/http"
+)
+
+type Updater struct {
+	client *http.Client
+}
+
+func New(client *http.Client) *Updater {
+	return &Updater{
+		client: client,
+	}
+}
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"maps"
+	"net/netip"
 	"strings"
 	"time"

@@ -12,14 +13,14 @@ import (
 	"github.com/qdm12/gluetun/internal/provider/utils"
 )

-const nonSymmetricPortStart uint16 = 56789
-
 // PortForward obtains a VPN server side port forwarded from ProtonVPN gateway.
 func (p *Provider) PortForward(ctx context.Context, objects utils.PortForwardObjects) (
 	internalToExternalPorts map[uint16]uint16, err error,
 ) {
 	if !objects.CanPortForward {
 		return nil, errors.New("server does not support port forwarding")
+	} else if objects.PortsCount == 0 {
+		return nil, nil //nolint:nilnil
 	}

 	client := natpmp.New()
@@ -39,38 +40,75 @@ func (p *Provider) PortForward(ctx context.Context, objects utils.PortForwardObj
 	logger := objects.Logger

 	logger.Debug("gateway external IPv4 address is " + externalIPv4Address.String())
-	const externalPort = 0
-	const lifetime = 60 * time.Second

 	p.internalToExternalPorts = make(map[uint16]uint16, objects.PortsCount)
-	for i := range objects.PortsCount {
-		internalPort := nonSymmetricPortStart + i
-		protoToInternalPort := map[string]uint16{
-			"udp": 0,
-			"tcp": 0,
-		}
-		protoToExternalPort := maps.Clone(protoToInternalPort)
-		for protocol := range protoToExternalPort {
-			_, assignedInternalPort, assignedExternalPort, assignedLifetime, err := client.AddPortMapping(
-				ctx, objects.Gateway, protocol, internalPort, externalPort, lifetime)
-			if err != nil {
-				return nil, fmt.Errorf("adding %d/%d %s port mapping: %w",
-					i+1, objects.PortsCount, strings.ToUpper(protocol), err)
-			}
-			checkLifetime(logger, strings.ToUpper(protocol), lifetime, assignedLifetime)
-			checkInternalPort(logger, internalPort, assignedInternalPort)
-			protoToInternalPort[protocol] = assignedInternalPort
-			protoToExternalPort[protocol] = assignedExternalPort
-		}
+	const lifetime = 60 * time.Second

-		checkInternalPorts(logger, protoToInternalPort["udp"], protoToInternalPort["tcp"])
-		checkExternalPorts(logger, protoToExternalPort["udp"], protoToExternalPort["tcp"])
-		p.internalToExternalPorts[protoToInternalPort["tcp"]] = protoToExternalPort["tcp"]
+	// Only one port can be a symmetric mapping
+	const internalPort, externalPort = 0, 1
+	_, assignedExternalPort, err := addPortMappingTCPUDP(ctx,
+		client, logger, objects.Gateway, internalPort, externalPort, lifetime)
+	// Note the returned assignedInternalPort is always 0 in this case
+	if err != nil {
+		return nil, fmt.Errorf("adding first port mapping: %w", err)
+	}
+	p.internalToExternalPorts[assignedExternalPort] = assignedExternalPort
+
+	// Extra ports must be non-symmetric, meaning that the internal port is
+	// different from the external port.
+	const nonSymmetricPortStart = uint16(56789)
+	nonSymmetricPortStartMinusOne := nonSymmetricPortStart - 1
+	if _, ok := p.internalToExternalPorts[nonSymmetricPortStart]; ok {
+		nonSymmetricPortStartMinusOne++
+	}
+	for i := uint16(1); i < objects.PortsCount; i++ {
+		internalPort := nonSymmetricPortStartMinusOne + i
+		const externalPort = 0
+		assignedInternalPort, assignedExternalPort, err := addPortMappingTCPUDP(ctx,
+			client, logger, objects.Gateway, internalPort, externalPort, lifetime)
+		if err != nil {
+			return nil, fmt.Errorf("adding %d/%d port mapping: %w", i+1, objects.PortsCount, err)
+		}
+		p.internalToExternalPorts[assignedInternalPort] = assignedExternalPort
 	}

 	return maps.Clone(p.internalToExternalPorts), nil
 }

+func addPortMappingTCPUDP(ctx context.Context, client *natpmp.Client, logger utils.Logger,
+	gateway netip.Addr, internalPort, externalPort uint16, lifetime time.Duration,
+) (assignedInternalPort, assignedExternalPort uint16, err error) {
+	var assignedLifetime time.Duration
+	protocolToExternalPort := map[string]uint16{
+		"tcp": 0,
+		"udp": 0,
+	}
+	for _, protocol := range [...]string{"udp", "tcp"} {
+		protocolStr := strings.ToUpper(protocol)
+		_, assignedInternalPort, assignedExternalPort, assignedLifetime, err = client.AddPortMapping(
+			ctx, gateway, protocol, internalPort, externalPort, lifetime)
+		if err != nil {
+			return 0, 0, fmt.Errorf("adding %s port mapping: %w", protocolStr, err)
+		}
+		protocolToExternalPort[protocol] = assignedExternalPort
+		checkLifetime(logger, protocolStr, lifetime, assignedLifetime)
+		if internalPort != assignedInternalPort {
+			return 0, 0, fmt.Errorf("%s internal port requested as %d but received %d",
+				protocolStr, internalPort, assignedInternalPort)
+		} else if externalPort != 0 && externalPort != 1 && externalPort != assignedExternalPort {
+			return 0, 0, fmt.Errorf("%s external port requested as %d but received %d",
+				protocolStr, externalPort, assignedExternalPort)
+		}
+	}
+
+	if protocolToExternalPort["tcp"] != protocolToExternalPort["udp"] {
+		return 0, 0, fmt.Errorf("TCP and UDP external ports differ: %d and %d",
+			protocolToExternalPort["tcp"], protocolToExternalPort["udp"])
+	}
+
+	return assignedInternalPort, assignedExternalPort, nil
+}
+
 func checkLifetime(logger utils.Logger, protocol string,
 	requested, actual time.Duration,
 ) {
@@ -81,27 +119,6 @@ func checkLifetime(logger utils.Logger, protocol string,
 	}
 }

-func checkInternalPort(logger utils.Logger, sent, received uint16) {
-	if sent != received {
-		logger.Warn(fmt.Sprintf("internal port assigned %d differs from requested internal port %d",
-			sent, received))
-	}
-}
-
-func checkInternalPorts(logger utils.Logger, udpPort, tcpPort uint16) {
-	if udpPort != tcpPort {
-		logger.Warn(fmt.Sprintf("UDP internal port %d differs from TCP internal port %d",
-			udpPort, tcpPort))
-	}
-}
-
-func checkExternalPorts(logger utils.Logger, udpPort, tcpPort uint16) {
-	if udpPort != tcpPort {
-		logger.Warn(fmt.Sprintf("UDP external port %d differs from TCP external port %d",
-			udpPort, tcpPort))
-	}
-}
-
 func (p *Provider) KeepPortForward(ctx context.Context,
 	objects utils.PortForwardObjects,
 ) (err error) {
@@ -117,22 +134,12 @@ func (p *Provider) KeepPortForward(ctx context.Context,
 		}

 		objects.Logger.Debug("refreshing forwarded ports since 45 seconds have elapsed")
-		networkProtocols := [...]string{"udp", "tcp"}
 		const lifetime = 60 * time.Second
 		for internalPort, externalPort := range p.internalToExternalPorts {
-			for _, networkProtocol := range networkProtocols {
-				_, assignedInternalPort, assignedExternalPort, assignedLiftetime, err := client.AddPortMapping(
-					ctx, objects.Gateway, networkProtocol, internalPort, externalPort, lifetime)
-				if err != nil {
-					return fmt.Errorf("adding port mapping: %w", err)
-				}
-				checkLifetime(logger, networkProtocol, lifetime, assignedLiftetime)
-				if externalPort != assignedExternalPort {
-					return fmt.Errorf("external port changed from %d to %d", externalPort, assignedExternalPort)
-				} else if internalPort != assignedInternalPort {
-					return fmt.Errorf("internal port changed from %d (for external port %d) to %d",
-						internalPort, externalPort, assignedInternalPort)
-				}
+			_, _, err := addPortMappingTCPUDP(ctx, client, logger, objects.Gateway, internalPort, externalPort, lifetime)
+			if err != nil {
+				return fmt.Errorf("refreshing port mapping for internal port %d and external port %d: %w",
+					internalPort, externalPort, err)
 			}
 			objects.Logger.Debug(fmt.Sprintf("port forwarded %d maintained", externalPort))
 		}
@@ -16,25 +16,22 @@ import (
 	"strings"

 	srp "github.com/ProtonMail/go-srp"
-	"github.com/qdm12/gluetun/internal/provider/common"
 )

 // apiClient is a minimal Proton v4 API client which can handle all the
 // oddities of Proton's authentication flow they want to keep hidden
 // from the public.
 type apiClient struct {
-	apiURLBase       string
-	httpClient       *http.Client
-	appVersion       string
-	vpnGtkAppVersion string
-	userAgent        string
-	generator        *rand.ChaCha8
-	warner           common.Warner
+	apiURLBase string
+	httpClient *http.Client
+	appVersion string
+	userAgent  string
+	generator  *rand.ChaCha8
 }

 // newAPIClient returns an [apiClient] with sane defaults matching Proton's
 // insane expectations.
-func newAPIClient(ctx context.Context, httpClient *http.Client, warner common.Warner) (client *apiClient, err error) {
+func newAPIClient(ctx context.Context, httpClient *http.Client) (client *apiClient, err error) {
 	var seed [32]byte
 	_, _ = crand.Read(seed[:])
 	generator := rand.NewChaCha8(seed)
@@ -49,23 +46,17 @@ func newAPIClient(ctx context.Context, httpClient *http.Client, warner common.Wa
 	}
 	userAgent := userAgents[generator.Uint64()%uint64(len(userAgents))]

-	appVersion, err := getMostRecentStableWebAccountTag(ctx, httpClient)
+	appVersion, err := getMostRecentStableTag(ctx, httpClient)
 	if err != nil {
-		return nil, fmt.Errorf("getting most recent version for web-account: %w", err)
-	}
-	vpnGtkAppVersion, err := getMostRecentStableVPNGtkAppTag(ctx, httpClient)
-	if err != nil {
-		return nil, fmt.Errorf("getting most recent version for linux VPN GTK app: %w", err)
+		return nil, fmt.Errorf("getting most recent version for proton app: %w", err)
 	}

 	return &apiClient{
-		apiURLBase:       "https://account.proton.me/api",
-		httpClient:       httpClient,
-		appVersion:       appVersion,
-		vpnGtkAppVersion: vpnGtkAppVersion,
-		userAgent:        userAgent,
-		generator:        generator,
-		warner:           warner,
+		apiURLBase: "https://account.proton.me/api",
+		httpClient: httpClient,
+		appVersion: appVersion,
+		userAgent:  userAgent,
+		generator:  generator,
 	}, nil
 }

@@ -73,10 +64,10 @@ func newAPIClient(ctx context.Context, httpClient *http.Client, warner common.Wa
 // to succeed without being blocked by their "security" measures.
 // See for example [getMostRecentStableTag] on how the app version must
 // be set to a recent version or they block your request. "SeCuRiTy"...
-func (c *apiClient) setHeaders(request *http.Request, cookie cookie, appVersion string) {
+func (c *apiClient) setHeaders(request *http.Request, cookie cookie) {
 	request.Header.Set("Cookie", cookie.String())
 	request.Header.Set("User-Agent", c.userAgent)
-	request.Header.Set("x-pm-appversion", appVersion)
+	request.Header.Set("x-pm-appversion", c.appVersion)
 	request.Header.Set("x-pm-locale", "en_US")
 	request.Header.Set("x-pm-uid", cookie.uid)
 }
@@ -107,11 +98,7 @@ func (c *apiClient) authenticate(ctx context.Context, email, password string,
 	}
 	username, modulusPGPClearSigned, serverEphemeralBase64, saltBase64,
 		srpSessionHex, version, err := c.authInfo(ctx, email, unauthCookie)
-	switch {
-	case errors.Is(err, errUsernameEmpty):
-		c.warner.Warn("Username is empty in auth info response, trying with email address instead")
-		username = email
-	case err != nil:
+	if err != nil {
 		return cookie{}, fmt.Errorf("getting auth information: %w", err)
 	}

@@ -172,7 +159,7 @@ func (c *apiClient) getUnauthSession(ctx context.Context, sessionID string) (
 	unauthCookie := cookie{
 		sessionID: sessionID,
 	}
-	c.setHeaders(request, unauthCookie, c.appVersion)
+	c.setHeaders(request, unauthCookie)

 	response, err := c.httpClient.Do(request)
 	if err != nil {
@@ -257,7 +244,7 @@ func (c *apiClient) cookieToken(ctx context.Context, sessionID, tokenType, acces
 		uid:       uid,
 		sessionID: sessionID,
 	}
-	c.setHeaders(request, unauthCookie, c.appVersion)
+	c.setHeaders(request, unauthCookie)
 	request.Header.Set("Authorization", tokenType+" "+accessToken)

 	response, err := c.httpClient.Do(request)
@@ -304,8 +291,6 @@ func (c *apiClient) cookieToken(ctx context.Context, sessionID, tokenType, acces
 	return "", errors.New("auth cookie not found")
 }

-var errUsernameEmpty = errors.New("username is empty in response")
-
 // authInfo fetches SRP parameters for the account.
 func (c *apiClient) authInfo(ctx context.Context, email string, unauthCookie cookie) (
 	username, modulusPGPClearSigned, serverEphemeralBase64, saltBase64, srpSessionHex string,
@@ -330,7 +315,7 @@ func (c *apiClient) authInfo(ctx context.Context, email string, unauthCookie coo
 	if err != nil {
 		return "", "", "", "", "", 0, fmt.Errorf("creating request: %w", err)
 	}
-	c.setHeaders(request, unauthCookie, c.appVersion)
+	c.setHeaders(request, unauthCookie)
 	request.Header.Set("Content-Type", "application/json")

 	response, err := c.httpClient.Do(request)
@@ -373,17 +358,15 @@ func (c *apiClient) authInfo(ctx context.Context, email string, unauthCookie coo
 		return "", "", "", "", "", 0, errors.New("salt is empty in response")
 	case info.SRPSession == "":
 		return "", "", "", "", "", 0, errors.New("SRP session is empty in response")
+	case info.Username == "":
+		return "", "", "", "", "", 0, errors.New("username is empty in response")
 	case info.Version == nil:
 		return "", "", "", "", "", 0, errors.New("version is missing in response")
-	case info.Username == "":
-		// Return a sentinel error the caller can handle to try with the email address instead of the username.
-		// Some accounts seem to have no username.
-		err = fmt.Errorf("%w", errUsernameEmpty)
 	}

 	version = int(*info.Version) //nolint:gosec
 	return info.Username, info.Modulus, info.ServerEphemeral, info.Salt,
-		info.SRPSession, version, err
+		info.SRPSession, version, nil
 }

 type cookie struct {
@@ -439,7 +422,7 @@ func (c *apiClient) auth(ctx context.Context, unauthCookie cookie,
 	if err != nil {
 		return cookie{}, fmt.Errorf("creating request: %w", err)
 	}
-	c.setHeaders(request, unauthCookie, c.appVersion)
+	c.setHeaders(request, unauthCookie)
 	request.Header.Set("Content-Type", "application/json")

 	response, err := c.httpClient.Do(request)
@@ -590,9 +573,7 @@ func (c *apiClient) fetchServers(ctx context.Context, cookie cookie) (
 	if err != nil {
 		return data, err
 	}
-	// Note we use the vpnGtkAppVersion field given it produces an output of more servers
-	c.setHeaders(request, cookie, c.vpnGtkAppVersion)
-	request.Header.Set("x-pm-appversion", "linux-vpn@4.15.2")
+	c.setHeaders(request, cookie)

 	response, err := c.httpClient.Do(request)
 	if err != nil {
@@ -20,7 +20,7 @@ func (u *Updater) FetchServers(ctx context.Context, minServers int) (
 		return nil, fmt.Errorf("%w: password is empty", common.ErrCredentialsMissing)
 	}

-	apiClient, err := newAPIClient(ctx, u.client, u.warner)
+	apiClient, err := newAPIClient(ctx, u.client)
 	if err != nil {
 		return nil, fmt.Errorf("creating API client: %w", err)
 	}
@@ -7,18 +7,15 @@ import (
 	"io"
 	"net/http"
 	"regexp"
-	"sort"
 	"strings"
 	"time"
-
-	"golang.org/x/mod/semver"
 )

-// getMostRecentStableWebAccountTag finds the most recent proton-account stable tag version,
+// getMostRecentStableTag finds the most recent proton-account stable tag version,
 // in order to use it in the x-pm-appversion http request header. Because if we do
 // fall behind on versioning, Proton doesn't like it because they like to create
 // complications where there is no need for it. Hence this function.
-func getMostRecentStableWebAccountTag(ctx context.Context, client *http.Client) (version string, err error) {
+func getMostRecentStableTag(ctx context.Context, client *http.Client) (version string, err error) {
 	page := 1
 	regexVersion := regexp.MustCompile(`^proton-account@(\d+\.\d+\.\d+\.\d+)$`)
 	for ctx.Err() == nil {
@@ -72,45 +69,3 @@ func getMostRecentStableWebAccountTag(ctx context.Context, client *http.Client)

 	return "", fmt.Errorf("%w (queried %d pages)", context.Canceled, page)
 }
-
-// getMostRecentStableVPNGtkAppTag finds the latest proton-vpn-gtk-app semver tag,
-// in order to use it in the x-pm-appversion http request header ONLY to fetch servers
-// data. Because if we do fall behind on versioning, Proton doesn't like it because they like
-// to create complications where there is no need for it. Hence this function.
-func getMostRecentStableVPNGtkAppTag(ctx context.Context, client *http.Client) (version string, err error) {
-	const url = "https://api.github.com/repos/ProtonVPN/proton-vpn-gtk-app/tags?per_page=30"
-
-	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
-	if err != nil {
-		return "", fmt.Errorf("creating request: %w", err)
-	}
-	request.Header.Set("Accept", "application/vnd.github.v3+json")
-
-	response, err := client.Do(request)
-	if err != nil {
-		return "", err
-	}
-	defer response.Body.Close()
-
-	if response.StatusCode != http.StatusOK {
-		return "", fmt.Errorf("HTTP status code not OK: %s", response.Status)
-	}
-
-	decoder := json.NewDecoder(response.Body)
-	var data []struct {
-		Name string `json:"name"`
-	}
-	err = decoder.Decode(&data)
-	if err != nil {
-		return "", fmt.Errorf("decoding JSON response: %w", err)
-	}
-
-	// Sort tags by semver. Invalid tags are placed at the end and we ignore them.
-	// Yes, proton does push invalid semver tag names sometimes. Good job yet again.
-	sort.Slice(data, func(i, j int) bool {
-		return semver.Compare(data[i].Name, data[j].Name) > 0
-	})
-
-	version = "linux-vpn@" + data[0].Name[1:] // remove leading v
-	return version, nil
-}
@@ -20,6 +20,7 @@ import (
 	"github.com/qdm12/gluetun/internal/provider/ivpn"
 	"github.com/qdm12/gluetun/internal/provider/mullvad"
 	"github.com/qdm12/gluetun/internal/provider/nordvpn"
+	"github.com/qdm12/gluetun/internal/provider/ovpn"
 	"github.com/qdm12/gluetun/internal/provider/perfectprivacy"
 	"github.com/qdm12/gluetun/internal/provider/privado"
 	"github.com/qdm12/gluetun/internal/provider/privateinternetaccess"
@@ -67,6 +68,7 @@ func NewProviders(storage Storage, timeNow func() time.Time,
 		providers.Ivpn:                  ivpn.New(storage, client, updaterWarner, parallelResolver),
 		providers.Mullvad:               mullvad.New(storage, client),
 		providers.Nordvpn:               nordvpn.New(storage, client, updaterWarner),
+		providers.Ovpn:                  ovpn.New(storage, client),
 		providers.Perfectprivacy:        perfectprivacy.New(storage, unzipper, updaterWarner),
 		providers.Privado:               privado.New(storage, client, updaterWarner),
 		providers.PrivateInternetAccess: privateinternetaccess.New(storage, timeNow, client),
@@ -52,8 +52,6 @@ func GetConnection(provider string,
 	})

 	protocol := getProtocol(selection)
-	port := getPort(selection, defaults.OpenVPNTCPPort,
-		defaults.OpenVPNUDPPort, defaults.WireguardPort)

 	connections := make([]models.Connection, 0, len(servers))
 	for _, server := range servers {
@@ -69,6 +67,9 @@ func GetConnection(provider string,
 				hostname = server.OvpnX509
 			}

+			port := getPort(selection, server, defaults.OpenVPNTCPPort,
+				defaults.OpenVPNUDPPort, defaults.WireguardPort)
+
 			connection := models.Connection{
 				Type:        selection.VPN,
 				IP:          ip,
@@ -6,29 +6,44 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
 )

-func getPort(selection settings.ServerSelection,
+func getPort(selection settings.ServerSelection, server models.Server,
 	defaultOpenVPNTCP, defaultOpenVPNUDP, defaultWireguard uint16,
 ) (port uint16) {
 	switch selection.VPN {
 	case vpn.Wireguard:
 		customPort := *selection.Wireguard.EndpointPort
 		if customPort > 0 {
+			// Note: servers filtering ensures the custom port is within the
+			// server ports defined if any is set.
 			return customPort
 		}
+
+		if len(server.PortsUDP) > 0 {
+			defaultWireguard = server.PortsUDP[0]
+		}
 		checkDefined("Wireguard", defaultWireguard)
 		return defaultWireguard
 	default: // OpenVPN
 		customPort := *selection.OpenVPN.CustomPort
 		if customPort > 0 {
+			// Note: servers filtering ensures the custom port is within the
+			// server ports defined if any is set.
 			return customPort
 		}
 		if selection.OpenVPN.Protocol == constants.TCP {
+			if len(server.PortsTCP) > 0 {
+				defaultOpenVPNTCP = server.PortsTCP[0]
+			}
 			checkDefined("OpenVPN TCP", defaultOpenVPNTCP)
 			return defaultOpenVPNTCP
 		}

+		if len(server.PortsUDP) > 0 {
+			defaultOpenVPNUDP = server.PortsUDP[0]
+		}
 		checkDefined("OpenVPN UDP", defaultOpenVPNUDP)
 		return defaultOpenVPNUDP
 	}
@@ -6,6 +6,7 @@ import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
+	"github.com/qdm12/gluetun/internal/models"
 	"github.com/stretchr/testify/assert"
 )

@@ -22,6 +23,7 @@ func Test_GetPort(t *testing.T) {

 	testCases := map[string]struct {
 		selection         settings.ServerSelection
+		server            models.Server
 		defaultOpenVPNTCP uint16
 		defaultOpenVPNUDP uint16
 		defaultWireguard  uint16
@@ -48,6 +50,20 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard:  defaultWireguard,
 			port:              defaultOpenVPNUDP,
 		},
+		"OpenVPN_server_port_udp": {
+			selection: settings.ServerSelection{
+				VPN: vpn.OpenVPN,
+				OpenVPN: settings.OpenVPNSelection{
+					CustomPort: uint16Ptr(0),
+					Protocol:   constants.UDP,
+				},
+			},
+			server: models.Server{
+				PortsUDP: []uint16{1234},
+			},
+			defaultOpenVPNUDP: defaultOpenVPNUDP,
+			port:              1234,
+		},
 		"OpenVPN UDP no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.OpenVPN,
@@ -88,6 +104,20 @@ func Test_GetPort(t *testing.T) {
 			},
 			port: 1234,
 		},
+		"OpenVPN_server_port_tcp": {
+			selection: settings.ServerSelection{
+				VPN: vpn.OpenVPN,
+				OpenVPN: settings.OpenVPNSelection{
+					CustomPort: uint16Ptr(0),
+					Protocol:   constants.TCP,
+				},
+			},
+			server: models.Server{
+				PortsTCP: []uint16{1234},
+			},
+			defaultOpenVPNTCP: defaultOpenVPNTCP,
+			port:              1234,
+		},
 		"Wireguard": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -105,6 +135,19 @@ func Test_GetPort(t *testing.T) {
 			defaultWireguard: defaultWireguard,
 			port:             1234,
 		},
+		"Wireguard_server_port": {
+			selection: settings.ServerSelection{
+				VPN: vpn.Wireguard,
+				Wireguard: settings.WireguardSelection{
+					EndpointPort: uint16Ptr(0),
+				},
+			},
+			server: models.Server{
+				PortsUDP: []uint16{1234},
+			},
+			defaultWireguard: defaultWireguard,
+			port:             1234,
+		},
 		"Wireguard no default port defined": {
 			selection: settings.ServerSelection{
 				VPN: vpn.Wireguard,
@@ -120,6 +163,7 @@ func Test_GetPort(t *testing.T) {
 			if testCase.panics != "" {
 				assert.PanicsWithValue(t, testCase.panics, func() {
 					_ = getPort(testCase.selection,
+						testCase.server,
 						testCase.defaultOpenVPNTCP,
 						testCase.defaultOpenVPNUDP,
 						testCase.defaultWireguard)
@@ -128,6 +172,7 @@ func Test_GetPort(t *testing.T) {
 			}

 			port := getPort(testCase.selection,
+				testCase.server,
 				testCase.defaultOpenVPNTCP,
 				testCase.defaultOpenVPNUDP,
 				testCase.defaultWireguard)
@@ -0,0 +1,83 @@
+package socks5
+
+import "fmt"
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-3
+type authMethod byte
+
+const (
+	authNotRequired      authMethod = 0
+	authGssapi           authMethod = 1
+	authUsernamePassword authMethod = 2
+	authNotAcceptable    authMethod = 255
+)
+
+func (a authMethod) String() string {
+	switch a {
+	case authNotRequired:
+		return "no authentication required"
+	case authGssapi:
+		return "GSSAPI"
+	case authUsernamePassword:
+		return "username/password"
+	case authNotAcceptable:
+		return "no acceptable methods"
+	default:
+		return fmt.Sprintf("unknown method (%d)", a)
+	}
+}
+
+// Subnegotiation version
+// See https://datatracker.ietf.org/doc/html/rfc1929#section-2
+const (
+	authUsernamePasswordSubNegotiation1 byte = 1
+)
+
+// SOCKS versions.
+const (
+	socks5Version byte = 5
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-4
+type cmdType byte
+
+const (
+	connect      cmdType = 1
+	udpAssociate cmdType = 3
+)
+
+func (c cmdType) String() string {
+	switch c {
+	case connect:
+		return "connect"
+	case udpAssociate:
+		return "UDP associate"
+	default:
+		return fmt.Sprintf("unknown command (%d)", c)
+	}
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-4 and
+// https://datatracker.ietf.org/doc/html/rfc1928#section-5
+type addrType byte
+
+const (
+	ipv4       addrType = 1
+	domainName addrType = 3
+	ipv6       addrType = 4
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-6
+type replyCode byte
+
+const (
+	succeeded replyCode = iota
+	generalServerFailure
+	connectionNotAllowedByRuleset
+	networkUnreachable
+	hostUnreachable
+	connectionRefused
+	ttlExpired
+	commandNotSupported
+	addressTypeNotSupported
+)
@@ -0,0 +1,6 @@
+package socks5
+
+type Logger interface {
+	Infof(format string, a ...interface{})
+	Warnf(format string, a ...interface{})
+}
@@ -0,0 +1,106 @@
+package socks5
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	"github.com/qdm12/goservices"
+)
+
+type Loop struct {
+	settings Settings
+
+	mutex     sync.Mutex
+	runCancel context.CancelFunc
+	runDone   <-chan error
+}
+
+func NewLoop(settings Settings) *Loop {
+	return &Loop{
+		settings: settings,
+	}
+}
+
+func (l *Loop) String() string {
+	return "SOCKS5 server loop"
+}
+
+func (l *Loop) Start(_ context.Context) (runError <-chan error, err error) {
+	l.mutex.Lock()
+	defer l.mutex.Unlock()
+
+	var runCtx context.Context
+	runCtx, l.runCancel = context.WithCancel(context.Background())
+
+	runDone := make(chan error)
+	l.runDone = runDone
+
+	go run(runCtx, runDone, l.settings)
+
+	return nil, nil //nolint:nilnil
+}
+
+func run(ctx context.Context, done chan<- error, settings Settings) {
+	defer close(done)
+	logger := settings.Logger
+
+	for ctx.Err() == nil {
+		var server goservices.Service
+		if settings.Enabled {
+			server = newServer(settings)
+		} else {
+			server = new(noopService)
+		}
+
+		errorCh, err := server.Start(ctx)
+		if err != nil {
+			logger.Warnf("failed starting SOCKS5 server: %s", err)
+			waitBeforeRetry(ctx)
+			continue
+		}
+
+		select {
+		case <-ctx.Done():
+			done <- server.Stop()
+			return
+		case err := <-errorCh:
+			if ctx.Err() != nil {
+				return
+			}
+			logger.Warnf("SOCKS5 server crashed: %s", err)
+			waitBeforeRetry(ctx)
+		}
+	}
+}
+
+func (l *Loop) Stop() (err error) {
+	l.mutex.Lock()
+	defer l.mutex.Unlock()
+
+	l.runCancel()
+	return <-l.runDone
+}
+
+func waitBeforeRetry(ctx context.Context) {
+	const retryDelay = 10 * time.Second
+	timer := time.NewTimer(retryDelay)
+	select {
+	case <-timer.C:
+	case <-ctx.Done():
+	}
+}
+
+type noopService struct{}
+
+func (s noopService) Start(_ context.Context) (runErr <-chan error, err error) {
+	return nil, nil //nolint:nilnil
+}
+
+func (s noopService) Stop() error {
+	return nil
+}
+
+func (s noopService) String() string {
+	return "noop service"
+}
@@ -0,0 +1,3 @@
+package socks5
+
+//go:generate mockgen -destination=mocks_test.go -package=$GOPACKAGE . Logger
@@ -0,0 +1,68 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/qdm12/gluetun/internal/socks5 (interfaces: Logger)
+
+// Package socks5 is a generated GoMock package.
+package socks5
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockLogger is a mock of Logger interface.
+type MockLogger struct {
+	ctrl     *gomock.Controller
+	recorder *MockLoggerMockRecorder
+}
+
+// MockLoggerMockRecorder is the mock recorder for MockLogger.
+type MockLoggerMockRecorder struct {
+	mock *MockLogger
+}
+
+// NewMockLogger creates a new mock instance.
+func NewMockLogger(ctrl *gomock.Controller) *MockLogger {
+	mock := &MockLogger{ctrl: ctrl}
+	mock.recorder = &MockLoggerMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockLogger) EXPECT() *MockLoggerMockRecorder {
+	return m.recorder
+}
+
+// Infof mocks base method.
+func (m *MockLogger) Infof(arg0 string, arg1 ...interface{}) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0}
+	for _, a := range arg1 {
+		varargs = append(varargs, a)
+	}
+	m.ctrl.Call(m, "Infof", varargs...)
+}
+
+// Infof indicates an expected call of Infof.
+func (mr *MockLoggerMockRecorder) Infof(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0}, arg1...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Infof", reflect.TypeOf((*MockLogger)(nil).Infof), varargs...)
+}
+
+// Warnf mocks base method.
+func (m *MockLogger) Warnf(arg0 string, arg1 ...interface{}) {
+	m.ctrl.T.Helper()
+	varargs := []interface{}{arg0}
+	for _, a := range arg1 {
+		varargs = append(varargs, a)
+	}
+	m.ctrl.Call(m, "Warnf", varargs...)
+}
+
+// Warnf indicates an expected call of Warnf.
+func (mr *MockLoggerMockRecorder) Warnf(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	varargs := append([]interface{}{arg0}, arg1...)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Warnf", reflect.TypeOf((*MockLogger)(nil).Warnf), varargs...)
+}
@@ -0,0 +1,109 @@
+package socks5
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/netip"
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-6
+func (c *socksConn) encodeFailedResponse(writer io.Writer, socksVersion byte, reply replyCode) {
+	_, err := writer.Write([]byte{
+		socksVersion,
+		byte(reply),
+		0, // RSV byte
+		// The RFC requires a full response frame even for failures.
+		// Use IPv4 address type with zeroed address and port.
+		byte(ipv4), // ATYP
+		0, 0, 0, 0, // BND.ADDR (zeroed)
+		0, 0, // BND.PORT (zeroed)
+	})
+	if err != nil {
+		c.logger.Warnf("failed writing failed response: %s", err)
+	}
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-6
+func (c *socksConn) encodeSuccessResponse(writer io.Writer, socksVersion byte,
+	reply replyCode, bindAddrType addrType, bindAddress string,
+	bindPort uint16,
+) (err error) {
+	bindData, err := encodeBindData(bindAddrType, bindAddress, bindPort)
+	if err != nil {
+		return fmt.Errorf("encoding bind data: %w", err)
+	}
+
+	const initialPacketLength = 3
+	capacity := initialPacketLength + len(bindData)
+	packet := make([]byte, initialPacketLength, capacity)
+	packet[0] = socksVersion
+	packet[1] = byte(reply)
+	packet[2] = 0 // RSV byte
+	packet = append(packet, bindData...)
+
+	_, err = writer.Write(packet)
+	if err != nil {
+		return fmt.Errorf("writing packet: %w", err)
+	}
+	return nil
+}
+
+var (
+	ErrIPVersionUnexpected = errors.New("ip version is unexpected")
+	ErrDomainNameTooLong   = errors.New("domain name is too long")
+)
+
+func encodeBindData(addrType addrType, address string, port uint16) (
+	data []byte, err error,
+) {
+	capacity := bindDataLength(addrType, address)
+	data = make([]byte, 0, capacity)
+
+	data = append(data, byte(addrType))
+	switch addrType {
+	case ipv4, ipv6:
+		ip, err := netip.ParseAddr(address)
+		if err != nil {
+			return nil, fmt.Errorf("parsing IP address: %w", err)
+		}
+
+		switch {
+		case addrType == ipv4 && !ip.Is4():
+			return nil, fmt.Errorf("%w: expected IPv4 for %s", ErrIPVersionUnexpected, ip)
+		case addrType == ipv6 && !ip.Is6():
+			return nil, fmt.Errorf("%w: expected IPv6 for %s", ErrIPVersionUnexpected, ip)
+		}
+		data = append(data, ip.AsSlice()...)
+	case domainName:
+		const maxDomainNameLength = 255
+		if len(address) > maxDomainNameLength {
+			return nil, fmt.Errorf("%w: %s", ErrDomainNameTooLong, address)
+		}
+		data = append(data, byte(len(address)))
+		data = append(data, []byte(address)...)
+	default:
+		panic(fmt.Sprintf("unsupported address type %d", addrType))
+	}
+	data = binary.BigEndian.AppendUint16(data, port)
+	return data, nil
+}
+
+func bindDataLength(addrType addrType, address string) (maxLength uint) {
+	maxLength++ // address type
+	switch addrType {
+	case ipv4:
+		maxLength += net.IPv4len
+	case domainName:
+		maxLength++ // domain name length
+		maxLength += uint(len([]byte(address)))
+	case ipv6:
+		maxLength += net.IPv6len
+	default:
+		panic("unsupported address type: " + fmt.Sprint(addrType))
+	}
+	maxLength += 2 // port
+	return maxLength
+}
@@ -0,0 +1,162 @@
+package socks5
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"sync"
+	"sync/atomic"
+)
+
+type server struct {
+	username string
+	password string
+	address  string
+	logger   Logger
+
+	// internal fields
+	tcpListener     net.Listener
+	udpRouter       *udpRouter
+	listening       atomic.Bool
+	socksConnCtx    context.Context //nolint:containedctx
+	socksConnCancel context.CancelFunc
+	done            <-chan error
+	stopCh          chan<- struct{}
+}
+
+func newServer(settings Settings) *server {
+	return &server{
+		username: settings.Username,
+		password: settings.Password,
+		address:  settings.Address,
+		logger:   settings.Logger,
+	}
+}
+
+func (s *server) String() string {
+	return "SOCKS5 server"
+}
+
+func (s *server) Start(ctx context.Context) (runErr <-chan error, err error) {
+	s.socksConnCtx, s.socksConnCancel = context.WithCancel(context.Background())
+	config := &net.ListenConfig{}
+	s.tcpListener, err = config.Listen(ctx, "tcp", s.address)
+	if err != nil {
+		return nil, fmt.Errorf("TCP listening on %s: %w", s.address, err)
+	}
+
+	s.udpRouter, err = newUDPRouter(ctx, s.address, s.logger)
+	if err != nil {
+		_ = s.tcpListener.Close()
+		return nil, fmt.Errorf("creating UDP router: %w", err)
+	}
+	s.listening.Store(true)
+	s.logger.Infof("SOCKS5 TCP server listening on %s", s.tcpListener.Addr())
+	s.logger.Infof("SOCKS5 UDP server listening on %s", s.udpRouter.localAddress())
+
+	ready := make(chan struct{})
+	runErrCh := make(chan error)
+	runErr = runErrCh
+	done := make(chan error)
+	s.done = done
+	stop := make(chan struct{})
+	s.stopCh = stop
+	go s.runServer(ready, runErrCh, stop, done)
+	select {
+	case <-ready:
+	case <-ctx.Done():
+		_ = s.Stop()
+		return nil, fmt.Errorf("starting server: %w", ctx.Err())
+	}
+	return runErr, nil
+}
+
+func (s *server) runServer(ready chan<- struct{},
+	runErrCh chan<- error, stop <-chan struct{}, done chan<- error,
+) {
+	close(ready)
+	defer close(done)
+
+	udpErrCh := make(chan error)
+	go func() {
+		udpErrCh <- s.udpRouter.run(s.socksConnCtx)
+	}()
+
+	tcpErrCh := make(chan error)
+	go func() {
+		var wg sync.WaitGroup
+		defer wg.Wait()
+
+		dialer := &net.Dialer{}
+		for {
+			connection, err := s.tcpListener.Accept()
+			if err != nil {
+				s.socksConnCancel() // stop ongoing TCP socks connections - no impact on UDP
+				tcpErrCh <- fmt.Errorf("accepting connection: %w", err)
+				return
+			}
+			wg.Go(func() {
+				connection := connection // capture loop variable
+				socksConn := &socksConn{
+					dialer:     dialer,
+					username:   s.username,
+					password:   s.password,
+					clientConn: connection,
+					udpRouter:  s.udpRouter,
+					logger:     s.logger,
+				}
+				err := socksConn.run(s.socksConnCtx)
+				if err != nil {
+					s.logger.Infof("running socks connection: %s", err)
+				}
+			})
+		}
+	}()
+
+	select {
+	case <-stop:
+		s.listening.Store(false)
+		var errs []error
+		err := s.tcpListener.Close()
+		if err != nil {
+			errs = append(errs, fmt.Errorf("closing TCP listener: %w", err))
+		}
+		// stop ongoing TCP socks connections. This impacts the udpRouter run error when it is being closed.
+		s.socksConnCancel()
+		<-tcpErrCh // wait for TCP server to stop
+		err = s.udpRouter.close()
+		if err != nil {
+			errs = append(errs, fmt.Errorf("closing UDP router: %w", err))
+		}
+		<-udpErrCh // wait for UDP router to stop
+		if len(errs) > 0 {
+			// Only write to the done channel if the [server.Stop] method is waiting to read from it
+			done <- errors.Join(errs...)
+		}
+		// If no error, the done channel is closed so the error is effectively `nil`
+		// Note: do NOT write an error the runError channel, since we are stopping the server gracefully.
+	case err := <-udpErrCh:
+		_ = s.tcpListener.Close() // stop accepting new TCP connections
+		s.socksConnCancel()       // stop ongoing TCP socks connections
+		<-tcpErrCh                // wait for TCP server to stop
+		runErrCh <- fmt.Errorf("running UDP router: %w", err)
+	case err := <-tcpErrCh:
+		s.socksConnCancel()
+		_ = s.udpRouter.close() // stop UDP router
+		<-udpErrCh              // wait for UDP router to stop
+		runErrCh <- fmt.Errorf("running TCP server: %w", err)
+	}
+}
+
+func (s *server) Stop() (err error) {
+	close(s.stopCh)
+	return <-s.done
+}
+
+func (s *server) listeningAddress() net.Addr {
+	if s.listening.Load() {
+		return s.tcpListener.Addr()
+	}
+	return nil
+}
@@ -0,0 +1,112 @@
+//go:build integration
+
+package socks5
+
+import (
+	"math/rand/v2"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Server_UDPResolution(t *testing.T) {
+	t.Parallel()
+	ctx := t.Context()
+
+	server := newServer(Settings{
+		Address: "127.0.0.1:0",
+		Logger:  noopLogger{},
+	})
+	runErr, err := server.Start(ctx)
+	require.NoError(t, err, "starting SOCKS5 server")
+
+	const timeout = 3 * time.Second
+
+	// Connect to the SOCKS5 server via TCP to negotiate UDP associate
+	dialer := &net.Dialer{Timeout: timeout}
+	tcpConn, err := dialer.DialContext(ctx, "tcp", server.listeningAddress().String())
+	require.NoError(t, err, "tcp connecting to SOCKS5 server")
+	t.Cleanup(func() { tcpConn.Close() })
+
+	negotiateSOCKS5(t, tcpConn, "", "")
+
+	// UDP Associate Command: [VERSION (5), CMD (3 = UDP ASSOC), RSV (0), ATYP (1 = IPv4), ADDR (0.0.0.0), PORT (0)]
+	_, err = tcpConn.Write([]byte{5, 3, 0, 1, 0, 0, 0, 0, 0, 0})
+	require.NoError(t, err, "sending UDP ASSOC request")
+
+	relayAddressString, err := readSOCKS5ResponseAddress(t, tcpConn)
+	require.NoError(t, err, "reading UDP ASSOC reply")
+	relayAddress, err := net.ResolveUDPAddr("udp", relayAddressString)
+	require.NoError(t, err, "resolving udp relay address")
+
+	// Dial the relay using IPv4 so source IP family matches the control connection.
+	udpConn, err := net.DialUDP("udp4", nil, relayAddress)
+	require.NoError(t, err, "dialing UDP relay")
+	t.Cleanup(func() { _ = udpConn.Close() })
+
+	queryID := uint16(rand.Uint32()) //nolint:gosec
+	dnsRequest := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Id:               queryID,
+			RecursionDesired: true,
+		},
+		Question: []dns.Question{{
+			Name:   dns.Fqdn("github.com"),
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}},
+	}
+	dnsQuery, err := dnsRequest.Pack()
+	require.NoError(t, err)
+
+	// Encapsulate DNS payload into SOCKS5 UDP Request Header
+	// [RSV (0,0), FRAG (0), ATYP (1 = IPv4), DST.ADDR (1.1.1.1), DST.PORT (53)]
+	packet := append([]byte{0, 0, 0, 1, 1, 1, 1, 1, 0, 53}, dnsQuery...)
+
+	// Send encapsulated packet to the proxy's UDP relay address
+	_, err = udpConn.Write(packet)
+	require.NoError(t, err, "sending UDP packet to relay")
+
+	// Read response from the proxy relay
+	err = udpConn.SetReadDeadline(time.Now().Add(timeout))
+	require.NoError(t, err, "setting read deadline on UDP connection")
+	buffer := make([]byte, 2048)
+	n, err := udpConn.Read(buffer)
+	require.NoError(t, err, "receiving UDP response from relay")
+	const minimumHeaderSize = 10
+	require.GreaterOrEqual(t, n, minimumHeaderSize, "received UDP packet too short to contain valid SOCKS5 header")
+
+	// Verify header layout and slice out the raw DNS response
+	// Header format: RSV(2) FRAG(1) ATYP(1) DST.ADDR(variable) DST.PORT(2)
+	atyp := buffer[3]
+	var headerSize int
+	switch atyp {
+	case 1: // IPv4
+		headerSize = 10
+	case 3: // Domain name
+		headerSize = 4 + 1 + int(buffer[4]) + 2
+	case 4: // IPv6
+		headerSize = 22
+	default:
+		t.Fatalf("Unknown ATYP in SOCKS5 UDP header: %d", atyp)
+	}
+
+	dnsResponse := new(dns.Msg)
+	err = dnsResponse.Unpack(buffer[headerSize:n])
+	require.NoError(t, err, "unpacking DNS response from SOCKS5 UDP packet")
+
+	assert.Equal(t, queryID, dnsResponse.Id, "DNS response ID should match query ID")
+
+	select {
+	case err := <-runErr:
+		require.NoError(t, err, "SOCKS5 server run error")
+	default:
+	}
+
+	err = server.Stop()
+	require.NoError(t, err, "stopping SOCKS5 server")
+}
@@ -0,0 +1,9 @@
+package socks5
+
+type Settings struct {
+	Enabled  bool
+	Username string
+	Password string
+	Address  string
+	Logger   Logger
+}
@@ -0,0 +1,538 @@
+package socks5
+
+import (
+	"context"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/netip"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+var (
+	errNoMethodIdentifiers     = errors.New("no method identifiers")
+	errNoValidMethodIdentifier = errors.New("no valid method identifier")
+)
+
+type socksConn struct {
+	// Injected fields
+	dialer     *net.Dialer
+	username   string
+	password   string
+	clientConn net.Conn
+	udpRouter  *udpRouter
+	logger     Logger
+}
+
+func (c *socksConn) closeClientConn(ctxErr error) {
+	err := c.clientConn.Close()
+	if err != nil && ctxErr == nil {
+		c.logger.Warnf("closing client connection: %s", err)
+	}
+}
+
+func (c *socksConn) run(ctx context.Context) error {
+	// Monitoring context cancellation to close the connection and stop
+	// reading operations on clientConn.
+	done := make(chan struct{})
+	ctxWatcherDone := make(chan struct{})
+	go func() {
+		defer close(ctxWatcherDone)
+		select {
+		case <-done:
+		case <-ctx.Done():
+			// unblock read operations
+			c.closeClientConn(ctx.Err())
+		}
+	}()
+	defer func() {
+		close(done)
+		<-ctxWatcherDone
+	}()
+
+	authMethod := authNotRequired
+	if c.username != "" || c.password != "" {
+		authMethod = authUsernamePassword
+	}
+
+	err := verifyFirstNegotiation(c.clientConn, authMethod)
+	if err != nil {
+		replyMethod := authMethod
+		if errors.Is(err, errNoMethodIdentifiers) || errors.Is(err, errNoValidMethodIdentifier) {
+			replyMethod = authNotAcceptable
+		}
+		_, writeErr := c.clientConn.Write([]byte{socks5Version, byte(replyMethod)})
+		if writeErr != nil {
+			c.logger.Warnf("failed writing first negotiation reply: %s", writeErr)
+		}
+		c.closeClientConn(ctx.Err())
+		return fmt.Errorf("verifying first negotiation: %w", err)
+	}
+
+	_, err = c.clientConn.Write([]byte{socks5Version, byte(authMethod)})
+	if err != nil {
+		c.closeClientConn(ctx.Err())
+		return fmt.Errorf("writing first negotiation reply: %w", err)
+	}
+
+	switch authMethod {
+	case authNotRequired, authNotAcceptable:
+	case authGssapi:
+		panic("not implemented")
+	case authUsernamePassword:
+		// See https://datatracker.ietf.org/doc/html/rfc1929#section-2
+		err = usernamePasswordSubnegotiate(c.clientConn, c.username, c.password)
+		if err != nil {
+			// If the server returns a `failure' (STATUS value other than X'00') status,
+			// it MUST close the connection.
+			c.closeClientConn(ctx.Err())
+			return fmt.Errorf("subnegotiating username and password: %w", err)
+		}
+	default:
+		panic(fmt.Sprintf("unimplemented auth method %d", authMethod))
+	}
+
+	err = c.handleRequest(ctx)
+	c.closeClientConn(ctx.Err())
+	if err != nil {
+		return fmt.Errorf("handling request: %w", err)
+	}
+	return nil
+}
+
+func (c *socksConn) handleRequest(ctx context.Context) error {
+	const socksVersion = socks5Version
+	request, err := decodeRequest(c.clientConn, socksVersion)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return err
+	}
+
+	switch request.command {
+	case connect:
+		err = c.handleConnectRequest(ctx, socksVersion, request)
+		if err != nil {
+			return fmt.Errorf("handling %s request: %w", request.command, err)
+		}
+		return nil
+	case udpAssociate:
+		err = c.handleUDPAssociateRequest(ctx, socksVersion, request)
+		if err != nil {
+			return fmt.Errorf("handling %s request: %w", request.command, err)
+		}
+		return nil
+	default:
+		c.encodeFailedResponse(c.clientConn, socksVersion, commandNotSupported)
+		return fmt.Errorf("command %s is not supported", request.command)
+	}
+}
+
+func (c *socksConn) handleConnectRequest(ctx context.Context,
+	socksVersion byte, request request,
+) error {
+	destinationAddress := net.JoinHostPort(request.destination, fmt.Sprint(request.port))
+	destinationConn, err := c.dialer.DialContext(ctx, "tcp", destinationAddress)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return err
+	}
+	defer destinationConn.Close()
+
+	destinationServerAddress := destinationConn.LocalAddr().String()
+	destinationAddr, destinationPortStr, err := net.SplitHostPort(destinationServerAddress)
+	if err != nil {
+		return fmt.Errorf("splitting destination address: %w", err)
+	}
+	destinationPort, err := strconv.ParseUint(destinationPortStr, 10, 16)
+	if err != nil {
+		return fmt.Errorf("port is malformed: %q", destinationPortStr)
+	}
+
+	var bindAddrType addrType
+	if ip := net.ParseIP(destinationAddr); ip != nil {
+		if ip.To4() != nil {
+			bindAddrType = ipv4
+		} else {
+			bindAddrType = ipv6
+		}
+	} else {
+		bindAddrType = domainName
+	}
+
+	err = c.encodeSuccessResponse(c.clientConn, socksVersion, succeeded, bindAddrType,
+		destinationAddr, uint16(destinationPort))
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("writing successful %s response: %w", request.command, err)
+	}
+
+	const capacity = 2 // if one goroutine fails, we don't want to leak the other one
+	errc := make(chan error, capacity)
+	go func() {
+		_, err := io.Copy(c.clientConn, destinationConn)
+		if err != nil {
+			err = fmt.Errorf("from backend to client: %w", err)
+		}
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(destinationConn, c.clientConn)
+		if err != nil {
+			err = fmt.Errorf("from client to backend: %w", err)
+		}
+		errc <- err
+	}()
+	select {
+	case err := <-errc:
+		return err
+	case <-ctx.Done():
+		_ = destinationConn.Close()
+		_ = c.clientConn.Close()
+		return nil
+	}
+}
+
+func (c *socksConn) handleUDPAssociateRequest(ctx context.Context,
+	socksVersion byte, request request,
+) error {
+	expectedAddrPort, err := udpAssociateExpectedClientEndpoint(request)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, addressTypeNotSupported)
+		return fmt.Errorf("deriving expected client address and port from request: %w", err)
+	}
+
+	bindAddress, bindPort, bindAddrType, err := c.udpAssociationAddresses()
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("getting udp association addresses: %w", err)
+	}
+
+	association, err := c.udpRouter.registerAssociation(c.clientConn, expectedAddrPort)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("registering udp association: %w", err)
+	}
+	defer c.udpRouter.unregisterAssociation(association)
+
+	err = c.encodeSuccessResponse(c.clientConn, socksVersion, succeeded,
+		bindAddrType, bindAddress, bindPort)
+	if err != nil {
+		c.encodeFailedResponse(c.clientConn, socksVersion, generalServerFailure)
+		return fmt.Errorf("writing successful %s response: %w", udpAssociate, err)
+	}
+
+	associationCtx, associationCancel := context.WithCancel(ctx)
+	defer associationCancel()
+
+	var wg sync.WaitGroup
+
+	wg.Go(func() {
+		c.udpRouter.runAssociationHandler(associationCtx, association)
+	})
+
+	wg.Go(func() {
+		_, _ = io.Copy(io.Discard, c.clientConn)
+		associationCancel()
+	})
+	<-associationCtx.Done()
+	wg.Wait()
+	return nil
+}
+
+func udpAssociateExpectedClientEndpoint(request request) (expectedAddrPort netip.AddrPort, err error) {
+	switch request.addressType {
+	case ipv4, ipv6:
+		expectedClientAddress, parseErr := netip.ParseAddr(request.destination)
+		if parseErr != nil {
+			return netip.AddrPort{}, fmt.Errorf("parsing destination address: %w", parseErr)
+		}
+		expectedClientAddress = expectedClientAddress.Unmap()
+		if !expectedClientAddress.IsUnspecified() {
+			return netip.AddrPortFrom(expectedClientAddress, request.port), nil
+		}
+		return netip.AddrPortFrom(netip.Addr{}, request.port), nil
+	case domainName:
+		// For UDP associate, client endpoint matching is based on observed UDP source
+		// address/port. A hostname is not directly matchable at this stage, so we
+		// ignore the domain name request destination entirely.
+		return netip.AddrPortFrom(netip.Addr{}, request.port), nil
+	default:
+		return netip.AddrPort{}, fmt.Errorf("address type %d is not supported", request.addressType)
+	}
+}
+
+func (c *socksConn) udpAssociationAddresses() (bindAddress string,
+	bindPort uint16, bindAddrType addrType, err error,
+) {
+	localAddress := c.udpRouter.localAddress().String()
+	host, portString, err := net.SplitHostPort(localAddress)
+	if err != nil {
+		return "", 0, 0, fmt.Errorf("splitting local address: %w", err)
+	}
+	port, err := strconv.ParseUint(portString, 10, 16)
+	if err != nil {
+		return "", 0, 0, fmt.Errorf("parsing local port: %w", err)
+	}
+	bindAddress = host
+	bindPort = uint16(port)
+	if isUnspecifiedIPAddress(bindAddress) {
+		controlLocalAddress := c.clientConn.LocalAddr().String()
+		controlLocalHost, _, splitErr := net.SplitHostPort(controlLocalAddress)
+		if splitErr != nil {
+			return "", 0, 0, fmt.Errorf("splitting control connection local address: %w", splitErr)
+		}
+		bindAddress = controlLocalHost
+	}
+
+	ipAddress := net.ParseIP(bindAddress)
+	if ipAddress == nil {
+		bindAddrType = domainName
+		return bindAddress, bindPort, bindAddrType, nil
+	}
+
+	if ipAddress.To4() != nil {
+		bindAddrType = ipv4
+	} else {
+		bindAddrType = ipv6
+	}
+
+	return bindAddress, bindPort, bindAddrType, nil
+}
+
+func isUnspecifiedIPAddress(address string) bool {
+	ipAddress, err := netip.ParseAddr(address)
+	if err != nil {
+		return false
+	}
+	return ipAddress.IsUnspecified()
+}
+
+func decodeUDPDatagram(packet []byte) (destination string, payload []byte, err error) {
+	const minimumPacketLength = 4
+	if len(packet) < minimumPacketLength {
+		return "", nil, fmt.Errorf("packet is too short: %d", len(packet))
+	}
+	if packet[0] != 0 || packet[1] != 0 {
+		return "", nil, fmt.Errorf("reserved bytes are invalid: %x %x", packet[0], packet[1])
+	}
+	if packet[2] != 0 {
+		return "", nil, fmt.Errorf("fragmentation is not supported")
+	}
+
+	offset := 3
+	addressType := addrType(packet[offset])
+	offset++
+
+	switch addressType {
+	case ipv4:
+		const ipv4Length = 4
+		if len(packet) < offset+ipv4Length+2 {
+			return "", nil, fmt.Errorf("packet is too short for IPv4 address")
+		}
+		var ip [ipv4Length]byte
+		copy(ip[:], packet[offset:offset+ipv4Length])
+		destination = netip.AddrFrom4(ip).String()
+		offset += ipv4Length
+	case ipv6:
+		const ipv6Length = 16
+		if len(packet) < offset+ipv6Length+2 {
+			return "", nil, fmt.Errorf("packet is too short for IPv6 address")
+		}
+		var ip [ipv6Length]byte
+		copy(ip[:], packet[offset:offset+ipv6Length])
+		destination = netip.AddrFrom16(ip).String()
+		offset += ipv6Length
+	case domainName:
+		if len(packet) < offset+1 {
+			return "", nil, fmt.Errorf("packet is too short for domain name length")
+		}
+		domainNameLength := int(packet[offset])
+		offset++
+		if len(packet) < offset+domainNameLength+2 {
+			return "", nil, fmt.Errorf("packet is too short for domain name")
+		}
+		destination = string(packet[offset : offset+domainNameLength])
+		offset += domainNameLength
+	default:
+		return "", nil, fmt.Errorf("address type is not supported: %d", addressType)
+	}
+
+	port := binary.BigEndian.Uint16(packet[offset : offset+2])
+	destination = net.JoinHostPort(destination, fmt.Sprint(port))
+	offset += 2
+	payload = packet[offset:]
+
+	return destination, payload, nil
+}
+
+func encodeUDPDatagramToBuffer(writer io.Writer, sourceAddrPort netip.AddrPort,
+	payload []byte,
+) error {
+	address := sourceAddrPort.Addr()
+	if !address.IsValid() {
+		return errors.New("source address is not valid")
+	}
+
+	err := writeUDPDatagramSourceAddress(writer, address)
+	if err != nil {
+		return fmt.Errorf("writing source address: %w", err)
+	}
+
+	var portBytes [2]byte
+	binary.BigEndian.PutUint16(portBytes[:], sourceAddrPort.Port())
+	_, err = writer.Write(portBytes[:])
+	if err != nil {
+		return fmt.Errorf("writing destination port: %w", err)
+	}
+
+	_, err = writer.Write(payload)
+	if err != nil {
+		return fmt.Errorf("writing payload: %w", err)
+	}
+
+	return nil
+}
+
+func writeUDPDatagramSourceAddress(writer io.Writer, address netip.Addr) error {
+	var addrType addrType
+	var addressBytes []byte
+	switch {
+	case address.Is4():
+		addrType = ipv4
+		array := address.As4()
+		addressBytes = array[:]
+	case address.Is6():
+		addrType = ipv6
+		array := address.As16()
+		addressBytes = array[:]
+	default:
+		return fmt.Errorf("address type is not supported: %v", address)
+	}
+
+	_, err := writer.Write([]byte{0, 0, 0, byte(addrType)})
+	if err != nil {
+		return fmt.Errorf("writing header: %w", err)
+	}
+	_, err = writer.Write(addressBytes)
+	if err != nil {
+		return fmt.Errorf("writing IP address: %w", err)
+	}
+	return nil
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-3
+func verifyFirstNegotiation(reader io.Reader, requiredMethod authMethod) error {
+	const headerLength = 2 // version + nMethods bytes
+	header := make([]byte, headerLength)
+	_, err := io.ReadFull(reader, header)
+	if err != nil {
+		return fmt.Errorf("reading header: %w", err)
+	}
+
+	if header[0] != socks5Version {
+		return fmt.Errorf("version is not supported: %d", header[0])
+	}
+
+	nMethods := header[1]
+	if nMethods == 0 {
+		return fmt.Errorf("%w", errNoMethodIdentifiers)
+	}
+
+	methodIdentifiers := make([]byte, nMethods)
+	_, err = io.ReadFull(reader, methodIdentifiers)
+	if err != nil {
+		return fmt.Errorf("reading method identifiers: %w", err)
+	}
+	for _, methodIdentifier := range methodIdentifiers {
+		if methodIdentifier == byte(requiredMethod) {
+			return nil
+		}
+	}
+
+	return makeNoAcceptableMethodError(requiredMethod, methodIdentifiers)
+}
+
+func makeNoAcceptableMethodError(requiredAuthMethod authMethod, methodIdentifiers []byte) error {
+	methodNames := make([]string, len(methodIdentifiers))
+	for i, methodIdentifier := range methodIdentifiers {
+		methodNames[i] = fmt.Sprintf("%q", authMethod(methodIdentifier))
+	}
+
+	return fmt.Errorf("%w: none of %s matches %s",
+		errNoValidMethodIdentifier, strings.Join(methodNames, ", "),
+		requiredAuthMethod)
+}
+
+// See https://datatracker.ietf.org/doc/html/rfc1928#section-4
+type request struct {
+	command     cmdType
+	destination string
+	port        uint16
+	addressType addrType
+}
+
+func decodeRequest(reader io.Reader, expectedVersion byte) (req request, err error) {
+	const headerLength = 4
+	header := [headerLength]byte{}
+	_, err = io.ReadFull(reader, header[:])
+	if err != nil {
+		return request{}, fmt.Errorf("reading header: %w", err)
+	}
+
+	version := header[0]
+	switch {
+	case version != expectedVersion:
+		return request{}, fmt.Errorf("version is not supported: expected %d and got %d",
+			expectedVersion, version)
+	case header[2] != 0:
+		return request{}, fmt.Errorf("reserved header byte must be 0 but got %d", header[2])
+	}
+
+	req.command = cmdType(header[1])
+	// header[2] is RSV byte
+	req.addressType = addrType(header[3])
+
+	switch req.addressType {
+	case ipv4:
+		var ip [4]byte
+		_, err = io.ReadFull(reader, ip[:])
+		if err != nil {
+			return request{}, fmt.Errorf("reading IPv4 address: %w", err)
+		}
+		req.destination = netip.AddrFrom4(ip).String()
+	case ipv6:
+		var ip [16]byte
+		_, err = io.ReadFull(reader, ip[:])
+		if err != nil {
+			return request{}, fmt.Errorf("reading IPv6 address: %w", err)
+		}
+		req.destination = netip.AddrFrom16(ip).String()
+	case domainName:
+		var header [1]byte
+		_, err = io.ReadFull(reader, header[:])
+		if err != nil {
+			return request{}, fmt.Errorf("reading domain name header: %w", err)
+		}
+		domainName := make([]byte, header[0])
+		_, err = io.ReadFull(reader, domainName)
+		if err != nil {
+			return request{}, fmt.Errorf("reading domain name bytes: %w", err)
+		}
+		req.destination = string(domainName)
+	default:
+		return request{}, fmt.Errorf("address type is not supported: %d", req.addressType)
+	}
+
+	var portBytes [2]byte
+	_, err = io.ReadFull(reader, portBytes[:])
+	if err != nil {
+		return request{}, fmt.Errorf("reading port: %w", err)
+	}
+	req.port = binary.BigEndian.Uint16(portBytes[:])
+
+	return req, nil
+}
@@ -0,0 +1,370 @@
+package socks5
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+)
+
+type udpAssociation struct {
+	id               uint64
+	clientAddrPort   netip.AddrPort
+	expectedAddrPort netip.AddrPort
+	controlConnAddr  netip.Addr
+	packetCh         chan *bytes.Buffer
+}
+
+type udpRouter struct {
+	logger Logger
+
+	listener                      net.PacketConn
+	mutex                         sync.Mutex
+	bufferPool                    sync.Pool
+	nextAssociationID             uint64
+	clientAddrPortToAssociation   map[netip.AddrPort]udpAssociation
+	clientIPToPendingAssociations map[netip.Addr][]udpAssociation
+	associationIDToClientAddrPort map[uint64]netip.AddrPort
+}
+
+const (
+	maxUDPPacketLength            = 65535
+	maxSOCKS5UDPDatagramOverhead  = 3 + 1 + 16 + 2
+	pooledUDPPacketBufferCapacity = maxUDPPacketLength + maxSOCKS5UDPDatagramOverhead
+)
+
+func newUDPRouter(ctx context.Context, address string, logger Logger) (router *udpRouter, err error) {
+	config := &net.ListenConfig{}
+	listener, err := config.ListenPacket(ctx, "udp", address)
+	if err != nil {
+		return nil, fmt.Errorf("UDP listening: %w", err)
+	}
+
+	return &udpRouter{
+		logger:   logger,
+		listener: listener,
+		bufferPool: sync.Pool{
+			New: func() any {
+				return bytes.NewBuffer(make([]byte, 0, pooledUDPPacketBufferCapacity))
+			},
+		},
+		nextAssociationID:             1,
+		clientAddrPortToAssociation:   make(map[netip.AddrPort]udpAssociation),
+		clientIPToPendingAssociations: make(map[netip.Addr][]udpAssociation),
+		associationIDToClientAddrPort: make(map[uint64]netip.AddrPort),
+	}, nil
+}
+
+func (r *udpRouter) localAddress() net.Addr {
+	return r.listener.LocalAddr()
+}
+
+func (r *udpRouter) close() error {
+	return r.listener.Close()
+}
+
+func (r *udpRouter) registerAssociation(controlConn net.Conn, expectedAddrPort netip.AddrPort) (udpAssociation, error) {
+	controlConnAddrPort, err := netip.ParseAddrPort(controlConn.RemoteAddr().String())
+	if err != nil {
+		return udpAssociation{}, fmt.Errorf("parsing control connection address: %w", err)
+	}
+	controlConnAddr := controlConnAddrPort.Addr().Unmap()
+
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
+	const udpPacketChannelBuffer = 64
+	associationID := r.nextAssociationID
+	r.nextAssociationID++
+
+	association := udpAssociation{
+		id:               associationID,
+		expectedAddrPort: expectedAddrPort,
+		controlConnAddr:  controlConnAddr,
+		packetCh:         make(chan *bytes.Buffer, udpPacketChannelBuffer),
+	}
+
+	if expectedAddrPort.Addr().IsValid() && expectedAddrPort.Port() != 0 {
+		association.clientAddrPort = expectedAddrPort
+		r.clientAddrPortToAssociation[association.clientAddrPort] = association
+		r.associationIDToClientAddrPort[association.id] = association.clientAddrPort
+		return association, nil
+	}
+
+	pendingAssociations := r.clientIPToPendingAssociations[controlConnAddr]
+	pendingAssociations = append(pendingAssociations, association)
+	r.clientIPToPendingAssociations[controlConnAddr] = pendingAssociations
+
+	return association, nil
+}
+
+func (r *udpRouter) unregisterAssociation(association udpAssociation) {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
+	clientAddrPort, hasClientAddress := r.associationIDToClientAddrPort[association.id]
+	if hasClientAddress {
+		delete(r.associationIDToClientAddrPort, association.id)
+		delete(r.clientAddrPortToAssociation, clientAddrPort)
+	}
+
+	pendingAssociations := r.clientIPToPendingAssociations[association.controlConnAddr]
+	for i, pendingAssociation := range pendingAssociations {
+		if pendingAssociation.id == association.id {
+			pendingAssociations = append(pendingAssociations[:i], pendingAssociations[i+1:]...)
+			break
+		}
+	}
+	if len(pendingAssociations) == 0 {
+		delete(r.clientIPToPendingAssociations, association.controlConnAddr)
+	} else {
+		r.clientIPToPendingAssociations[association.controlConnAddr] = pendingAssociations
+	}
+}
+
+func (r *udpRouter) run(ctx context.Context) error {
+	packetBuffer := make([]byte, maxUDPPacketLength)
+
+	for {
+		packetLength, sourceAddress, err := r.listener.ReadFrom(packetBuffer)
+		if err != nil {
+			if ctx.Err() != nil && errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			return fmt.Errorf("reading UDP packet: %w", err)
+		}
+
+		sourceAddrPort, err := netAddrToNetipAddrPort(sourceAddress)
+		if err != nil {
+			r.logger.Warnf("parsing source address: %s", err)
+			continue
+		}
+		buffer := r.bufferPool.Get().(*bytes.Buffer) //nolint:forcetypeassert
+		buffer.Reset()
+		_, err = buffer.Write(packetBuffer[:packetLength])
+		if err != nil {
+			r.bufferPool.Put(buffer)
+			r.logger.Warnf("buffering packet: %s", err)
+			continue
+		}
+		err = r.routePacket(sourceAddrPort, buffer)
+		if err != nil {
+			r.logger.Warnf("failed routing UDP packet: %s", err)
+		}
+	}
+}
+
+func (r *udpRouter) routePacket(sourceAddrPort netip.AddrPort, packet *bytes.Buffer) error {
+	r.mutex.Lock()
+	association, packetFromClient := r.findClientAssociation(sourceAddrPort)
+	r.mutex.Unlock()
+
+	if !packetFromClient {
+		r.bufferPool.Put(packet)
+		return nil
+	}
+
+	select {
+	case association.packetCh <- packet:
+		return nil
+	default:
+		r.bufferPool.Put(packet)
+		return errors.New("association packet queue full")
+	}
+}
+
+func (r *udpRouter) findClientAssociation(sourceAddrPort netip.AddrPort) (
+	association udpAssociation, ok bool,
+) {
+	association, ok = r.clientAddrPortToAssociation[sourceAddrPort]
+	if ok {
+		return association, true
+	}
+	sourceAddr := sourceAddrPort.Addr()
+
+	pendingAssociations := r.clientIPToPendingAssociations[sourceAddr]
+	if len(pendingAssociations) == 0 {
+		return udpAssociation{}, false
+	}
+
+	index := -1
+	for i, pendingAssociation := range pendingAssociations {
+		if matchesExpectedClientEndpoint(pendingAssociation, sourceAddrPort) {
+			association = pendingAssociation
+			index = i
+			break
+		}
+	}
+	if index == -1 {
+		return udpAssociation{}, false
+	}
+
+	r.clientIPToPendingAssociations[sourceAddr] = append(pendingAssociations[:index], pendingAssociations[index+1:]...)
+	if len(r.clientIPToPendingAssociations[sourceAddr]) == 0 {
+		delete(r.clientIPToPendingAssociations, sourceAddr)
+	}
+
+	association.clientAddrPort = sourceAddrPort
+	r.clientAddrPortToAssociation[sourceAddrPort] = association
+	r.associationIDToClientAddrPort[association.id] = sourceAddrPort
+
+	return association, true
+}
+
+func matchesExpectedClientEndpoint(association udpAssociation, sourceAddrPort netip.AddrPort) bool {
+	switch {
+	case association.expectedAddrPort.Addr().IsValid() && sourceAddrPort.Addr() != association.expectedAddrPort.Addr():
+		return false
+	case association.expectedAddrPort.Port() != 0 && sourceAddrPort.Port() != association.expectedAddrPort.Port():
+		return false
+	}
+	return true
+}
+
+func (r *udpRouter) clientAddrPortForAssociation(associationID uint64) (
+	clientAddrPort netip.AddrPort, ok bool,
+) {
+	r.mutex.Lock()
+	defer r.mutex.Unlock()
+
+	clientAddrPort, ok = r.associationIDToClientAddrPort[associationID]
+	return clientAddrPort, ok
+}
+
+func (r *udpRouter) runAssociationHandler(ctx context.Context, association udpAssociation) {
+	config := &net.ListenConfig{}
+	socket, err := config.ListenPacket(ctx, "udp", ":0")
+	if err != nil {
+		r.logger.Warnf("creating per-association UDP socket: %s", err)
+		return
+	}
+	defer socket.Close()
+
+	go closeSocketOnContextDone(ctx, socket)
+
+	packetBuffer := make([]byte, maxUDPPacketLength)
+
+	forwardDoneCh := make(chan struct{})
+	go r.forwardClientPackets(ctx, socket, association.packetCh, forwardDoneCh)
+
+	for {
+		packetLength, sourceAddress, err := socket.ReadFrom(packetBuffer)
+		if err != nil {
+			if ctx.Err() != nil || errors.Is(err, net.ErrClosed) {
+				<-forwardDoneCh
+				return
+			}
+			r.logger.Warnf("reading from per-association UDP socket: %s", err)
+			continue
+		}
+
+		sourceAddrPort, err := netAddrToNetipAddrPort(sourceAddress)
+		if err != nil {
+			r.logger.Warnf("parsing source address from destination: %s", err)
+			continue
+		}
+
+		buffer := r.bufferPool.Get().(*bytes.Buffer) //nolint:forcetypeassert
+		buffer.Reset()
+		err = encodeUDPDatagramToBuffer(buffer, sourceAddrPort, packetBuffer[:packetLength])
+		if err != nil {
+			r.bufferPool.Put(buffer)
+			r.logger.Warnf("encoding response datagram: %s", err)
+			continue
+		}
+
+		clientAddrPort, found := r.clientAddrPortForAssociation(association.id)
+		if !found {
+			r.bufferPool.Put(buffer)
+			r.logger.Warnf("client address not found for association id %d", association.id)
+			continue
+		}
+
+		clientUDPAddress := &net.UDPAddr{
+			IP:   clientAddrPort.Addr().AsSlice(),
+			Port: int(clientAddrPort.Port()),
+		}
+		_, err = r.listener.WriteTo(buffer.Bytes(), clientUDPAddress)
+		r.bufferPool.Put(buffer)
+		if err != nil {
+			r.logger.Warnf("writing response to client: %s", err)
+		}
+	}
+}
+
+func closeSocketOnContextDone(ctx context.Context, socket net.PacketConn) {
+	<-ctx.Done()
+	_ = socket.Close()
+}
+
+func (r *udpRouter) forwardClientPackets(ctx context.Context, socket net.PacketConn,
+	packetCh <-chan *bytes.Buffer, done chan<- struct{},
+) {
+	defer close(done)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case buffer, ok := <-packetCh:
+			if !ok {
+				return
+			}
+
+			err := r.writeClientPacketToDestination(ctx, socket, buffer)
+			r.bufferPool.Put(buffer)
+			if err != nil {
+				r.logger.Warnf("forwarding client packet to destination: %s", err)
+			}
+		}
+	}
+}
+
+func (r *udpRouter) writeClientPacketToDestination(ctx context.Context,
+	socket net.PacketConn, packet *bytes.Buffer,
+) error {
+	destination, payload, err := decodeUDPDatagram(packet.Bytes())
+	if err != nil {
+		return fmt.Errorf("decoding UDP datagram: %w", err)
+	}
+
+	host, portStr, err := net.SplitHostPort(destination)
+	if err != nil {
+		return fmt.Errorf("splitting destination host and port: %w", err)
+	}
+
+	if _, err := netip.ParseAddr(host); err != nil { // domain name
+		addrs, err := net.DefaultResolver.LookupHost(ctx, host)
+		if err != nil {
+			return fmt.Errorf("resolving destination host: %w", err)
+		}
+		if len(addrs) == 0 {
+			return fmt.Errorf("resolving destination host: no addresses found for %q", host)
+		}
+
+		destination = net.JoinHostPort(addrs[0], portStr)
+	}
+
+	resolvedDestinationUDPAddress, err := net.ResolveUDPAddr("udp", destination)
+	if err != nil {
+		return fmt.Errorf("resolving destination UDP address: %w", err)
+	}
+
+	_, err = socket.WriteTo(payload, resolvedDestinationUDPAddress)
+	if err != nil && ctx.Err() == nil {
+		return fmt.Errorf("writing payload to destination: %w", err)
+	}
+
+	return nil
+}
+
+func netAddrToNetipAddrPort(addr net.Addr) (netip.AddrPort, error) {
+	addrPort, err := netip.ParseAddrPort(addr.String())
+	if err != nil {
+		return netip.AddrPort{}, fmt.Errorf("parsing address: %w", err)
+	}
+	return netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port()), nil
+}
@@ -0,0 +1,164 @@
+//go:build integration
+
+package socks5
+
+import (
+	"bytes"
+	"context"
+	"math/rand/v2"
+	"net"
+	"net/netip"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/golang/mock/gomock"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_udpRouter_ResolveGithubFromCloudflareDNS(t *testing.T) {
+	t.Parallel()
+
+	ctx := t.Context()
+	var cancel context.CancelFunc
+	deadline, hasDeadline := ctx.Deadline()
+	if hasDeadline {
+		const deadlineBuffer = 500 * time.Millisecond
+		deadline = deadline.Add(-deadlineBuffer)
+	} else {
+		const defaultTimeout = 10 * time.Second
+		deadline = time.Now().Add(defaultTimeout)
+	}
+	ctx, cancel = context.WithDeadline(ctx, deadline)
+
+	ctrl := gomock.NewController(t)
+	logger := NewMockLogger(ctrl)
+
+	router, err := newUDPRouter(ctx, "127.0.0.1:0", logger)
+	require.NoError(t, err)
+
+	routerRunErrCh := make(chan error)
+	go func() {
+		routerRunErrCh <- router.run(ctx)
+	}()
+
+	t.Cleanup(func() {
+		cancel()
+		err := router.close()
+		assert.NoError(t, err, "closing router")
+		runErr := <-routerRunErrCh
+		assert.NoError(t, runErr)
+	})
+
+	controlListener, err := (&net.ListenConfig{}).Listen(ctx, "tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err := controlListener.Close()
+		assert.NoError(t, err, "closing control listener")
+	})
+
+	acceptedConnCh := make(chan net.Conn)
+	go func() {
+		acceptedConn, acceptErr := controlListener.Accept()
+		assert.NoError(t, acceptErr, "accepting control connection")
+		if acceptErr != nil {
+			return
+		}
+		acceptedConnCh <- acceptedConn
+	}()
+
+	clientControlConn, err := (&net.Dialer{}).DialContext(ctx, "tcp", controlListener.Addr().String())
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err = clientControlConn.Close()
+		assert.NoError(t, err, "closing client control connection")
+	})
+
+	serverControlConn := <-acceptedConnCh
+	t.Cleanup(func() {
+		err := serverControlConn.Close()
+		assert.NoError(t, err, "closing server control connection")
+	})
+
+	association, err := router.registerAssociation(serverControlConn, netip.AddrPort{})
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		router.unregisterAssociation(association)
+	})
+
+	associationCtx, associationCancel := context.WithCancel(ctx)
+	handlerDoneCh := make(chan struct{})
+	go func() {
+		router.runAssociationHandler(associationCtx, association)
+		close(handlerDoneCh)
+	}()
+	t.Cleanup(func() {
+		associationCancel()
+		<-handlerDoneCh
+	})
+
+	udpRouterAddress, err := net.ResolveUDPAddr("udp", router.localAddress().String())
+	require.NoError(t, err)
+
+	clientUDPConn, err := net.DialUDP("udp", nil, udpRouterAddress)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err := clientUDPConn.Close()
+		assert.NoError(t, err, "closing client UDP connection")
+	})
+
+	queryID := uint16(rand.Uint32()) //nolint:gosec
+	dnsRequest := &dns.Msg{
+		MsgHdr: dns.MsgHdr{
+			Id:               queryID,
+			RecursionDesired: true,
+		},
+		Question: []dns.Question{{
+			Name:   dns.Fqdn("github.com"),
+			Qtype:  dns.TypeA,
+			Qclass: dns.ClassINET,
+		}},
+	}
+	dnsQuery, err := dnsRequest.Pack()
+	require.NoError(t, err)
+
+	targetAddrPort := netip.MustParseAddrPort("1.1.1.1:53")
+	socksDatagramBuffer := bytes.NewBuffer(nil)
+	err = encodeUDPDatagramToBuffer(socksDatagramBuffer, targetAddrPort, dnsQuery)
+	require.NoError(t, err)
+	socksDatagram := socksDatagramBuffer.Bytes()
+
+	err = clientUDPConn.SetDeadline(deadline)
+	require.NoError(t, err)
+
+	_, err = clientUDPConn.Write(socksDatagram)
+	require.NoError(t, err)
+
+	responseBuffer := make([]byte, maxUDPPacketLength)
+	responseLength, err := clientUDPConn.Read(responseBuffer)
+	require.NoError(t, err)
+
+	responseDestination, responsePayload, err := decodeUDPDatagram(responseBuffer[:responseLength])
+	require.NoError(t, err)
+
+	responseHost, responsePortString, err := net.SplitHostPort(responseDestination)
+	require.NoError(t, err)
+	responsePort, err := strconv.ParseUint(responsePortString, 10, 16)
+	require.NoError(t, err)
+	assert.Equal(t, uint64(53), responsePort)
+	assert.NotEmpty(t, responseHost)
+
+	dnsResponse := new(dns.Msg)
+	err = dnsResponse.Unpack(responsePayload)
+	require.NoError(t, err)
+	assert.Equal(t, queryID, dnsResponse.Id)
+	assert.True(t, dnsResponse.Response)
+	assert.Equal(t, dns.RcodeSuccess, dnsResponse.Rcode)
+	require.NotEmpty(t, dnsResponse.Question)
+	assert.Equal(t, dns.Fqdn("github.com"), dnsResponse.Question[0].Name)
+	assert.Equal(t, dns.TypeA, dnsResponse.Question[0].Qtype)
+	assert.NotEmpty(t, dnsResponse.Answer)
+	require.NoError(t, err)
+}
@@ -0,0 +1,62 @@
+package socks5
+
+import (
+	"fmt"
+	"io"
+)
+
+// See https://datatracker.ietf.org/doc/html/rfc1929#section-2
+func usernamePasswordSubnegotiate(conn io.ReadWriter, username, password string) (err error) {
+	status := byte(1)
+	const defaultVersion = byte(1)
+
+	const headerLength = 2
+	var header [headerLength]byte
+	_, err = io.ReadFull(conn, header[:])
+	if err != nil {
+		_, _ = conn.Write([]byte{defaultVersion, status})
+		return fmt.Errorf("reading header: %w", err)
+	}
+
+	if header[0] != authUsernamePasswordSubNegotiation1 {
+		_, _ = conn.Write([]byte{defaultVersion, status})
+		return fmt.Errorf("subnegotiation version not supported: %d", header[0])
+	}
+	version := header[0]
+
+	usernameBytes := make([]byte, header[1])
+	_, err = io.ReadFull(conn, usernameBytes)
+	if err != nil {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("reading username bytes: %w", err)
+	} else if username != string(usernameBytes) {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("username received is not valid")
+	}
+
+	const passwordHeaderLength = 1
+	passwordHeader := make([]byte, passwordHeaderLength)
+	_, err = io.ReadFull(conn, passwordHeader)
+	if err != nil {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("reading password length: %w", err)
+	}
+
+	passwordBytes := make([]byte, passwordHeader[0])
+	_, err = io.ReadFull(conn, passwordBytes)
+	if err != nil {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("reading password bytes: %w", err)
+	} else if password != string(passwordBytes) {
+		_, _ = conn.Write([]byte{version, status})
+		return fmt.Errorf("password not valid for username %q", string(usernameBytes))
+	}
+
+	status = 0
+	_, err = conn.Write([]byte{version, status})
+	if err != nil {
+		return fmt.Errorf("writing success status: %w", err)
+	}
+
+	return nil
+}
@@ -1,23 +1,15 @@
 package storage

 import (
-	"net/netip"
+	"slices"

 	"github.com/qdm12/gluetun/internal/models"
 )

 func copyServer(server models.Server) (serverCopy models.Server) {
 	serverCopy = server
-	serverCopy.IPs = copyIPs(server.IPs)
+	serverCopy.IPs = slices.Clone(server.IPs)
+	serverCopy.PortsTCP = slices.Clone(server.PortsTCP)
+	serverCopy.PortsUDP = slices.Clone(server.PortsUDP)
 	return serverCopy
 }
-
-func copyIPs(toCopy []netip.Addr) (copied []netip.Addr) {
-	if toCopy == nil {
-		return nil
-	}
-
-	copied = make([]netip.Addr, len(toCopy))
-	copy(copied, toCopy)
-	return copied
-}
@@ -21,43 +21,9 @@ func Test_copyServer(t *testing.T) {
 	assert.Equal(t, server, serverCopy)
 	// Check for mutation
 	serverCopy.IPs[0] = netip.AddrFrom4([4]byte{9, 9, 9, 9})
-	assert.NotEqual(t, server, serverCopy)
-}
-
-func Test_copyIPs(t *testing.T) {
-	t.Parallel()
-
-	testCases := map[string]struct {
-		toCopy []netip.Addr
-		copied []netip.Addr
-	}{
-		"nil": {},
-		"empty": {
-			toCopy: []netip.Addr{},
-			copied: []netip.Addr{},
-		},
-		"single IP": {
-			toCopy: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})},
-			copied: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1})},
-		},
-		"two IPs": {
-			toCopy: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1}), netip.AddrFrom4([4]byte{2, 2, 2, 2})},
-			copied: []netip.Addr{netip.AddrFrom4([4]byte{1, 1, 1, 1}), netip.AddrFrom4([4]byte{2, 2, 2, 2})},
-		},
-	}
-
-	for name, testCase := range testCases {
-		t.Run(name, func(t *testing.T) {
-			t.Parallel()
-
-			copied := copyIPs(testCase.toCopy)
-
-			assert.Equal(t, testCase.copied, copied)
-
-			if len(copied) > 0 {
-				testCase.toCopy[0] = netip.AddrFrom4([4]byte{9, 9, 9, 9})
-				assert.NotEqual(t, testCase.toCopy[0], testCase.copied[0])
-			}
-		})
-	}
+	serverCopy.PortsTCP = []uint16{80}
+	serverCopy.PortsUDP = []uint16{53}
+	assert.NotEqual(t, server.IPs, serverCopy.IPs)
+	assert.NotEqual(t, server.PortsTCP, serverCopy.PortsTCP)
+	assert.NotEqual(t, server.PortsUDP, serverCopy.PortsUDP)
 }
@@ -3,6 +3,7 @@ package storage
 import (
 	"errors"
 	"fmt"
+	"slices"
 	"strings"

 	"github.com/qdm12/gluetun/internal/configuration/settings"
@@ -48,6 +49,7 @@ func (s *Storage) FilterServers(provider string, selection settings.ServerSelect
 	return servers, nil
 }

+//nolint:gocognit,gocyclo
 func filterServer(server models.Server,
 	selection settings.ServerSelection,
 ) (filtered bool) {
@@ -90,6 +92,11 @@ func filterServer(server models.Server,
 		return true
 	}

+	if (*selection.Dedicated && !server.Dedicated) ||
+		(!*selection.Dedicated && server.Dedicated) {
+		return false
+	}
+
 	if filterByPossibilities(server.Country, selection.Countries) {
 		return true
 	}
@@ -122,6 +129,14 @@ func filterServer(server models.Server,
 		return true
 	}

+	serverPorts := server.PortsUDP
+	if server.VPN == vpn.OpenVPN && server.TCP {
+		serverPorts = server.PortsTCP
+	}
+	if filterByPorts(selection, serverPorts) {
+		return true
+	}
+
 	// TODO filter port forward server for PIA

 	return false
@@ -165,3 +180,21 @@ func filterByProtocol(selection settings.ServerSelection,
 		return (wantTCP && !serverTCP) || (wantUDP && !serverUDP)
 	}
 }
+
+func filterByPorts(selection settings.ServerSelection,
+	serverPorts []uint16,
+) (filtered bool) {
+	if len(serverPorts) == 0 {
+		return false
+	}
+
+	customPort := *selection.OpenVPN.CustomPort
+	if selection.VPN == vpn.Wireguard {
+		customPort = *selection.Wireguard.EndpointPort
+	}
+	if customPort == 0 {
+		return false
+	}
+
+	return !slices.Contains(serverPorts, customPort)
+}
@@ -14,7 +14,7 @@ func commaJoin(slice []string) string {
 	return strings.Join(slice, ", ")
 }

-func noServerFoundError(selection settings.ServerSelection) (err error) {
+func noServerFoundError(selection settings.ServerSelection) (err error) { //nolint:gocyclo
 	var messageParts []string

 	messageParts = append(messageParts, "VPN "+selection.VPN)
@@ -155,6 +155,15 @@ func noServerFoundError(selection settings.ServerSelection) (err error) {
 			"target ip address "+targetIP.String())
 	}

+	customPort := *selection.OpenVPN.CustomPort
+	if selection.VPN == vpn.Wireguard {
+		customPort = *selection.Wireguard.EndpointPort
+	}
+	if customPort > 0 {
+		messageParts = append(messageParts,
+			fmt.Sprintf("%s endpoint port %d", selection.VPN, customPort))
+	}
+
 	message := "for " + strings.Join(messageParts, "; ")

 	return fmt.Errorf("no server found: %s", message)
@@ -1,35 +1,27 @@
 package storage

 import (
-	"embed"
 	"encoding/json"
 	"fmt"
-	"path"
+	"path/filepath"

 	serversmodule "github.com/qdm12/gluetun-servers/pkg/servers"
+	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/models"
 )

-//go:embed servers.json
-var allServersEmbedFS embed.FS
-
 func parseHardcodedServers() (allServers models.AllServers) {
-	f, err := allServersEmbedFS.Open("servers.json")
-	if err != nil {
-		panic(err)
-	}
-	defer f.Close() // no-op
-	decoder := json.NewDecoder(f)
-	err = decoder.Decode(&allServers)
-	if err != nil {
-		panic("decoding servers.json: " + err.Error())
-	}
+	allProviders := providers.All()

-	for provider, metadata := range allServers.ProviderToServers {
-		filename := path.Base(metadata.Filepath)
+	const version = 1
+	allServers.ProviderToServers = make(map[string]models.Servers, len(allProviders))
+	allServers.Version = version
+	for _, provider := range allProviders {
+		filename := provider + ".json"
 		providerFile, err := serversmodule.Files.Open(filename)
 		if err != nil {
-			panic(fmt.Sprintf("reading embedded provider file %s for %s: %s", filename, provider, err))
+			const rootURL = "https://github.com/qdm12/gluetun-servers/blob/main/pkg/servers"
+			panic(fmt.Sprintf("reading embedded provider file defined at %s/%s: %s", rootURL, filename, err))
 		}
 		defer providerFile.Close() // no-op

@@ -44,7 +36,8 @@ func parseHardcodedServers() (allServers models.AllServers) {
 				filename, provider))
 		}

-		providerServers.Filepath = metadata.Filepath // inherit filepath from servers.json
+		const serversPath = "/gluetun/servers/"
+		providerServers.Filepath = filepath.Join(serversPath, filename)
 		allServers.ProviderToServers[provider] = providerServers
 	}

@@ -33,7 +33,10 @@ func Test_parseHardcodedServers(t *testing.T) {
 func Test_parseHardcodedServers_filepathsAndEmbeddedProviderFiles(t *testing.T) {
 	t.Parallel()

-	hardcodedServers := parseHardcodedServers()
+	var hardcodedServers models.AllServers
+	require.NotPanics(t, func() {
+		hardcodedServers = parseHardcodedServers()
+	})

 	allProviders := providers.All()
 	for _, provider := range allProviders {
@@ -3,6 +3,5 @@ package storage
 import "fmt"

 func panicOnProviderMissingHardcoded(provider string) {
-	panic(fmt.Sprintf("provider %s not found in hardcoded servers map; "+
-		"did you add the provider key in the embedded servers.json?", provider))
+	panic(fmt.Sprintf("provider %s not found in hardcoded servers map", provider))
 }
@@ -152,8 +152,7 @@ func Test_extractServersFromBytes(t *testing.T) {
 			allProviders[0]: 1,
 			// Missing provider allProviders[1]
 		}
-		expectedPanicValue := fmt.Sprintf("provider %s not found in hardcoded servers map; "+
-			"did you add the provider key in the embedded servers.json?", allProviders[1])
+		expectedPanicValue := fmt.Sprintf("provider %s not found in hardcoded servers map", allProviders[1])
 		assert.PanicsWithValue(t, expectedPanicValue, func() {
 			_, _ = s.extractServersFromBytes(b, hardcodedVersions)
 		})
@@ -1,72 +0,0 @@
-{
-  "version": 1,
-  "airvpn": {
-    "filepath": "/gluetun/servers/airvpn.json"
-  },
-  "cyberghost": {
-    "filepath": "/gluetun/servers/cyberghost.json"
-  },
-  "expressvpn": {
-    "filepath": "/gluetun/servers/expressvpn.json"
-  },
-  "fastestvpn": {
-    "filepath": "/gluetun/servers/fastestvpn.json"
-  },
-  "giganews": {
-    "filepath": "/gluetun/servers/giganews.json"
-  },
-  "hidemyass": {
-    "filepath": "/gluetun/servers/hidemyass.json"
-  },
-  "ipvanish": {
-    "filepath": "/gluetun/servers/ipvanish.json"
-  },
-  "ivpn": {
-    "filepath": "/gluetun/servers/ivpn.json"
-  },
-  "mullvad": {
-    "filepath": "/gluetun/servers/mullvad.json"
-  },
-  "nordvpn": {
-    "filepath": "/gluetun/servers/nordvpn.json"
-  },
-  "perfect privacy": {
-    "filepath": "/gluetun/servers/perfect privacy.json"
-  },
-  "privado": {
-    "filepath": "/gluetun/servers/privado.json"
-  },
-  "private internet access": {
-    "filepath": "/gluetun/servers/private internet access.json"
-  },
-  "privatevpn": {
-    "filepath": "/gluetun/servers/privatevpn.json"
-  },
-  "protonvpn": {
-    "filepath": "/gluetun/servers/protonvpn.json"
-  },
-  "purevpn": {
-    "filepath": "/gluetun/servers/purevpn.json"
-  },
-  "slickvpn": {
-    "filepath": "/gluetun/servers/slickvpn.json"
-  },
-  "surfshark": {
-    "filepath": "/gluetun/servers/surfshark.json"
-  },
-  "torguard": {
-    "filepath": "/gluetun/servers/torguard.json"
-  },
-  "vpn unlimited": {
-    "filepath": "/gluetun/servers/vpn unlimited.json"
-  },
-  "vpnsecure": {
-    "filepath": "/gluetun/servers/vpnsecure.json"
-  },
-  "vyprvpn": {
-    "filepath": "/gluetun/servers/vyprvpn.json"
-  },
-  "windscribe": {
-    "filepath": "/gluetun/servers/windscribe.json"
-  }
-}
@@ -31,7 +31,7 @@ func getGithubReleases(ctx context.Context, client *http.Client) (releases []git
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()

-	const url = "https://api.github.com/repos/qdm12/gluetun/releases"
+	const url = "https://api.github.com/repos/passteque/gluetun/releases"
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
@@ -62,7 +62,7 @@ func getGithubCommits(ctx context.Context, client *http.Client) (commits []githu
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()

-	const url = "https://api.github.com/repos/qdm12/gluetun/commits"
+	const url = "https://api.github.com/repos/passteque/gluetun/commits"
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
@@ -1,19 +1,13 @@
 # Maintenance

 - Change `Run` methods to `Start`+`Stop`, returning channels rather than injecting them
- Go 1.18
-  - gofumpt
-  - Use netip
- Split servers.json
 - Common slice of Wireguard providers in config settings
 - DNS block lists as LFS and built in image
 - Add HTTP server v3 as json rpc
 - Use `github.com/qdm12/ddns-updater/pkg/publicip`
- Windows and Darwin development support

 ## Features

- Authentication with the control server
 - Get announcement from Github file
 - Support multiple connections in custom ovpn
 - Automate IPv6 detection for OpenVPN
Author	SHA1	Message	Date
Quentin McGaw	4a670635c4	log out json from dns leak test	2026-06-24 22:25:32 +00:00
Quentin McGaw	b5f815640e	SERVER_DEDICATED option	2026-06-24 22:12:30 +00:00
Quentin McGaw	506c9140ba	PR feedback	2026-06-24 22:12:30 +00:00
Quentin McGaw	80763145dc	Remove unneeded `allow-compression asym`	2026-06-24 22:12:30 +00:00
Quentin McGaw	cfb8fcf00f	Add missing "key-direction 1"	2026-06-24 22:12:30 +00:00
Quentin McGaw	b9421221da	Set TLS crypt for Singapore hostnames only	2026-06-24 22:12:30 +00:00
Quentin McGaw	83feb533de	Add missing openvpn options - CA - TLS auth - TLS crypt (for singapore) - `allow-compression asym` - `replay-window 256` - remote-cert-tls server - move aes256gcm as preferred cipher	2026-06-24 22:12:30 +00:00
Quentin McGaw	1b12dcb5b4	initial code	2026-06-24 22:12:29 +00:00
dependabot[bot]	a17591dcdb	Chore(deps): Bump github.com/mdlayher/genetlink from 1.3.2 to 1.4.0 (#3348 )	2026-06-24 21:51:14 +02:00
dependabot[bot]	c31c566282	Chore(deps): Bump golang.org/x/text from 0.37.0 to 0.38.0 (#3362 )	2026-06-24 21:50:47 +02:00
dependabot[bot]	496458ca4e	Chore(deps): Bump github.com/amnezia-vpn/amneziawg-go from 0.2.16 to 0.2.18 (#3347 )	2026-06-24 21:50:27 +02:00
Quentin McGaw	52a41cb891	hotfix(command): fix `streamLines` behavior - Fix #3365	2026-06-14 14:43:50 +00:00
Quentin McGaw	6c76273ef6	hotfix(socks5): bump UDP association packet queue channel capacity from 2 to 64 - Fix #3368	2026-06-14 14:24:17 +00:00
Quentin McGaw	366062dc12	chore(socks5): add server integration test for UDP	2026-06-11 16:55:39 +00:00
Quentin McGaw	8abb05567c	hotfix(command): fix unit test	2026-06-11 14:06:26 +00:00
Quentin McGaw	a53a0267e4	hotfix(socks5): support domain name udp association	2026-06-11 13:50:50 +00:00
Quentin McGaw	4e986c8af7	chore(socks5): fix lint errors on integration test	2026-06-11 13:37:58 +00:00
Quentin McGaw	6d84462f00	feat(socks5): UDP proxying (#3353 )	2026-06-11 15:32:38 +02:00
Quentin McGaw	acab89b91a	fix(command): wait for all stdout and stderr streams to complete correctly	2026-06-11 13:30:59 +00:00
Quentin McGaw	48c1f2bf6a	chore(lint): run linter on integration tests	2026-06-11 13:29:57 +00:00
Quentin McGaw	c599e7fd2c	chore(ci): disabe workflow concurrency by `workflow-[pr\|ref]`	2026-06-05 15:50:01 +00:00
Quentin McGaw	ff6e45fae0	chore(ci): disable PIA end to end testing due to expired credentials	2026-06-04 16:52:53 +00:00
ligistx	17f24343d6	fix(providers/custom): use `proto tcp-client` instead of `proto tcp` (#3350 )	2026-05-25 18:07:35 +02:00
Quentin McGaw	ebbc630b31	chore(storage): remove servers.json in favor of just code at runtime	2026-05-24 22:22:41 +00:00
Quentin McGaw	39ac8b3432	hotfix(updater): use DoH for all updating operations, not just resolving server hostnames	2026-05-24 21:46:22 +00:00
Quentin McGaw	f65ee3dcb1	hotfix(github): fix dependabot config (AI at it again)	2026-05-24 21:22:18 +00:00
dependabot[bot]	7e8d81b161	Chore(deps): Bump golang.org/x/net from 0.51.0 to 0.55.0 (#3338 )	2026-05-24 23:09:52 +02:00
Quentin McGaw	21e868c89c	hotfix(protonvpn): small port forwarding fixes for edge cases	2026-05-24 21:08:56 +00:00
Quentin McGaw	2e20e2df66	feat(protonvpn): use symmetric port forwarding for first port then asymmetric for next ports (#3345 )	2026-05-24 22:47:58 +02:00
Quentin McGaw	6f5f518d1d	chore(github): finer grain schedules for dependency checking - default to weekly instead of daily - check gluetun-servers daily - check some Go modules only quartely since they are not important	2026-05-24 20:34:57 +00:00
Quentin McGaw	1998e0d04f	chore(deps): remove direct dependency on golang.org/x/exp	2026-05-24 20:28:54 +00:00
Quentin McGaw	14f30bc641	docs(maintenance): clear up some finished items	2026-05-24 20:18:27 +00:00
Quentin McGaw	f89e55b8ff	chore(storage): remove outdated servers.json CI and documentation	2026-05-24 20:18:07 +00:00
Quentin McGaw	7ad6af0947	docs(github): remove servers.json checkbox from PR template	2026-05-24 20:13:07 +00:00
Quentin McGaw	d3e089ccd7	hotfix(firewall/iptables): filter out `DOCKER*` chains from nat table when saving/restoring	2026-05-23 21:44:22 +00:00
Quentin McGaw	3eebbf65a8	hotfix(firewall/iptables): only restore firewall if IPv6 port redirection failed but NAT is supported	2026-05-23 21:26:08 +00:00
Quentin McGaw	a1ef736b0f	hotfix(portforwarding): disallow setting ports when running port forwarding code	2026-05-23 13:20:20 +00:00
Quentin McGaw	46edfe49e3	fix(portforwarding): handle empty ports without panicing	2026-05-23 13:19:37 +00:00
Quentin McGaw	7f9cd0fd0c	chore(ci): update markdown workflow to use docker hub password from secrets environment	2026-05-21 20:33:28 +00:00
Quentin McGaw	1a25f7377a	chore(ci): update CI to work with passteque/gluetun - push to ghcr.io/qdm12/gluetun using qdm12 GHCR_PAT secret - change 'qdm12/gluetun' to 'passteque/gluetun' in CI files	2026-05-21 18:32:28 +00:00
Quentin McGaw	691dc3b0bf	docs: update url from qdm12/gluetun to passteque/gluetun	2026-05-21 17:54:07 +00:00
Quentin McGaw	5fed7f70ed	docs: add socks5 to readme and labels	2026-05-21 17:25:21 +00:00
Quentin McGaw	eb9916f0ac	feat: socks5 proxy server (#3336 ) - `SOCKS5_ENABLED=off` - `SOCKS5_LISTENING_ADDRESS=":1080"` - `SOCKS5_USER=` - `SOCKS5_PASSWORD=`	2026-05-21 19:18:55 +02:00