Merge branch 'qdm12:main' into protonvpn-wireguard-support

README.md

@@ -25,6 +25,7 @@
 | Gluetun release tag | Corresponding wiki |
 | --- | --- |
 | `:latest` | [`main` branch](https://github.com/qdm12/gluetun-wiki) |
+| `:v3.39.0` | [`v3.39.0` tag](https://github.com/qdm12/gluetun-wiki/tree/v3.39.0) |
 | `:v3.38.0` | [`v3.38.0` tag](https://github.com/qdm12/gluetun-wiki/tree/v3.38.0) |
 | `:v3.35.0` | [`v3.35.0` tag](https://github.com/qdm12/gluetun-wiki/tree/v3.35.0) |
 

setup/advanced/control-server.md

@@ -4,6 +4,9 @@
 
 The HTTP control server allows to obtain and modify the state of the container without restarting it.
 
+⚠️ Make sure you trust whatever is accessing the control server, as it allows to access the settings,
+including credentials, and modify the settings of Gluetun 'on-the-fly'.
+
 ## Setup
 
 A built-in HTTP server listens on port `8000` to modify the state of the container.
@@ -12,14 +15,25 @@ To access it, simply publish this port for the container, for example: `-p 8000:
 
 We assume every request described in the following is run on `http://<your-docker-host-ip>:8000` as base.
 
+## Authentication
+
+There is no global authentication built-in for the server in Gluetun. Instead:
+
+1. Pick your favorite HTTP reverse proxy (Caddy, Caddy, Nginx, etc.)
+1. Pick the authentication of your choice (Basic Auth, OAuth, etc.) using your reverse proxy.
+    - You can usually pick an authentication per route, or globally.
+    - You might want to have TLS (HTTPS) enabled, to not leak credentials in the network.
+
+Per route token authentication may be added in the future, for local containers needing access to it.
+
 ## OpenVPN and Wireguard
 
 The HTTP control server allows to modify the state of OpenVPN and Wireguard.
 The path are in the root `/v1/openvpn/` due to historical reasons, and will be migrated in the future.
 
 - HTTP GET to `/v1/openvpn/status` to obtain the current status of Openvpn, such as `{"status":"running"}`
-- HTTP PUT to `/v1/openvpn/status` with a body `{"status":"running"}` to start Openvpn/Wireguard
-- HTTP PUT to `/v1/openvpn/status` with a body `{"status":"stopped"}` to stop Openvpn/Wireguard
+- HTTP PUT to `/v1/openvpn/status` with a body `{"status":"running"}` to start Openvpn (and stop Wireguard)
+- HTTP PUT to `/v1/openvpn/status` with a body `{"status":"stopped"}` to stop Openvpn if it's running
 - HTTP GET to `/v1/openvpn/portforwarded` to obtain the port forwarded such as `{"port":5914}`
 - HTTP GET to `/v1/openvpn/settings` to obtain the settings used by Openvpn (not Wireguard) in a JSON format
 

setup/advanced/docker-secrets.md

@@ -14,6 +14,10 @@ The following secrets can be used:
 - `openvpn_encrypted_key`
 - `openvpn_key_passphrase`
 - `openvpn_clientcrt`
+- `wireguard_conf`
+- `wireguard_private_key`
+- `wireguard_preshared_key`
+- `wireguard_addresses`
 - `httpproxy_user`
 - `httpproxy_password`
 - `shadowsocks_password`

setup/options/dns.md

@@ -11,9 +11,6 @@
 | `DOT_CACHING` | `on` | `on`, `off` | Unbound caching |
 | `DOT_IPV6` | `off` | `on`, `off` | DNS IPv6 resolution |
 | `DOT_PRIVATE_ADDRESS` | All private CIDRs ranges | | Comma separated list of CIDRs or single IP addresses Unbound won't resolve to. Note that the default setting prevents DNS rebinding |
-| `DOT_VERBOSITY` | `1` | `0` to `5` | Unbound verbosity level |
-| `DOT_VERBOSITY_DETAILS` | `0` | `0` to `4` | Unbound details verbosity level |
-| `DOT_VALIDATION_LOGLEVEL` | `0` | `0` to `2` | Unbound validation log level |
 | `DNS_UPDATE_PERIOD` | `24h` | i.e. `0`, `30s`, `5m`, `24h` | Period to update block lists and cryptographic files and restart Unbound. Set to `0` to deactivate updates |
 | `BLOCK_MALICIOUS` | `on` | `on`, `off` | Block malicious hostnames and IPs with Unbound |
 | `BLOCK_SURVEILLANCE` | `off` | `on`, `off` | Block surveillance hostnames and IPs with Unbound |

setup/options/storage.md

@@ -0,0 +1,9 @@
+# Storage options
+
+## Environment variables
+
+💁 The following environment variables are all optional.
+
+| Variable | Default | Choices | Description |
+| --- | --- | --- | --- |
+| `STORAGE_FILEPATH` | `/gluetun/servers.json` | Empty string ("") or valid file path | Path of servers.json file, or empty to disable caching servers |

setup/providers/fastestvpn.md

@@ -44,6 +44,9 @@ services:
 
 ### Wireguard only
 
+You can find both values below in the Wireguard configuration file provided by FastestVPN, which you can obtain by asking their support
+at [[email protected]](mailto:[email protected]).
+
 - `WIREGUARD_PRIVATE_KEY` is your 32 bytes key in base64 format. It corresponds to the `PrivateKey` field value in the Wireguard configuration file.
 - `WIREGUARD_ADDRESSES` is the IP prefix to assign to the Wireguard interface, corresponding to the `Address` field value in the Wireguard configuration file.
 

setup/providers/private-internet-access.md

@@ -48,7 +48,13 @@ services:
 
 In the meantime, [@Kieros](https://github.com/Kieros) proposes to use [kylegrantlucas/pia-wg-config](https://github.com/kylegrantlucas/pia-wg-config) to extract a Wireguard configuration file which you can then use with the [custom provider](custom.md#wireguard).
 
-For VPN server port fowarding with Wireguard, please subscribe to [gluetun/issues/2320](https://github.com/qdm12/gluetun/issues/2320) to be alerted when this is implemented and working. You would have to use `VPN_PORT_FORWARDING_USERNAME` and `VPN_PORT_FORWARDING_PASSWORD` to set your OpenVPN credentials, in order to authenticate with the port forwarding API.
+For VPN server port fowarding with Wireguard, you need to set:
+
+- `VPN_PORT_FORWARDING=on`
+- `VPN_PORT_FORWARDING_PROVIDER=private internet access`
+- `VPN_PORT_FORWARDING_USERNAME=yourusername`
+- `VPN_PORT_FORWARDING_PASSWORD=yourpassword`
+- `SERVER_NAMES=the-tls-server-name` for example `panama408`
 
 ## VPN server port forwarding
 

setup/providers/privatevpn.md

@@ -41,8 +41,7 @@ services:
 
 ## VPN server port forwarding
 
-PrivateVPN can assign you [a VPN server forwarded port](https://privatevpn.com/blog/guides/195/the-best-vpn-configuration-for-torrenting-fast-(and-safely)).
-In that case, allow the port in the firewall following [setup/advanced/vpn-port-forwarding](../advanced/vpn-port-forwarding.md#allow-a-forwarded-port-through-the-firewall)
+Set `VPN_PORT_FORWARDING=on` and the port forwarded will be logged out as well as available via the http control server.
 
 ## Servers