feat(nordvpn): new API endpoint and wireguard support (#1380)

Co-authored-by: Quentin McGaw <quentin.mcgaw@gmail.com>

internal/configuration/settings/provider.go

@@ -35,6 +35,7 @@ func (p *Provider) validate(vpnType string, storage Storage) (err error) {
 			providers.Custom,
 			providers.Ivpn,
 			providers.Mullvad,
+			providers.Nordvpn,
 			providers.Surfshark,
 			providers.Windscribe,
 		}

internal/configuration/settings/vpn.go

@@ -74,7 +74,7 @@ func (v *VPN) setDefaults() {
 	v.Type = gosettings.DefaultString(v.Type, vpn.OpenVPN)
 	v.Provider.setDefaults()
 	v.OpenVPN.setDefaults(*v.Provider.Name)
-	v.Wireguard.setDefaults()
+	v.Wireguard.setDefaults(*v.Provider.Name)
 }
 
 func (v VPN) String() string {

internal/configuration/settings/wireguard.go

@@ -51,6 +51,7 @@ func (w Wireguard) validate(vpnProvider string, ipv6Supported bool) (err error)
 		providers.Custom,
 		providers.Ivpn,
 		providers.Mullvad,
+		providers.Nordvpn,
 		providers.Surfshark,
 		providers.Windscribe,
 	) {
@@ -140,9 +141,14 @@ func (w *Wireguard) overrideWith(other Wireguard) {
 	w.Implementation = gosettings.OverrideWithString(w.Implementation, other.Implementation)
 }
 
-func (w *Wireguard) setDefaults() {
+func (w *Wireguard) setDefaults(vpnProvider string) {
 	w.PrivateKey = gosettings.DefaultPointer(w.PrivateKey, "")
 	w.PreSharedKey = gosettings.DefaultPointer(w.PreSharedKey, "")
+	if vpnProvider == providers.Nordvpn {
+		defaultNordVPNAddress := netip.AddrFrom4([4]byte{10, 5, 0, 2})
+		defaultNordVPNPrefix := netip.PrefixFrom(defaultNordVPNAddress, defaultNordVPNAddress.BitLen())
+		w.Addresses = gosettings.DefaultSlice(w.Addresses, []netip.Prefix{defaultNordVPNPrefix})
+	}
 	w.Interface = gosettings.DefaultString(w.Interface, "wg0")
 	w.MTU = gosettings.DefaultNumber(w.MTU, wireguarddevice.DefaultMTU)
 	w.Implementation = gosettings.DefaultString(w.Implementation, "auto")

internal/configuration/settings/wireguardselection.go

@@ -38,7 +38,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 	// Validate EndpointIP
 	switch vpnProvider {
 	case providers.Airvpn, providers.Ivpn, providers.Mullvad,
-		providers.Surfshark, providers.Windscribe:
+		providers.Nordvpn, providers.Surfshark, providers.Windscribe:
 		// endpoint IP addresses are baked in
 	case providers.Custom:
 		if !w.EndpointIP.IsValid() || w.EndpointIP.IsUnspecified() {
@@ -55,7 +55,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
 			return fmt.Errorf("%w", ErrWireguardEndpointPortNotSet)
 		}
 	// EndpointPort cannot be set
-	case providers.Surfshark:
+	case providers.Surfshark, providers.Nordvpn:
 		if *w.EndpointPort != 0 {
 			return fmt.Errorf("%w", ErrWireguardEndpointPortSet)
 		}

internal/provider/nordvpn/connection.go

@@ -8,7 +8,7 @@ import (
 
 func (p *Provider) GetConnection(selection settings.ServerSelection, ipv6Supported bool) (
 	connection models.Connection, err error) {
-	defaults := utils.NewConnectionDefaults(443, 1194, 0) //nolint:gomnd
+	defaults := utils.NewConnectionDefaults(443, 1194, 51820) //nolint:gomnd
 	return utils.GetConnection(p.Name(),
 		p.storage, selection, defaults, ipv6Supported, p.randSource)
 }

internal/provider/nordvpn/updater/api.go

@@ -12,19 +12,13 @@ var (
 	ErrHTTPStatusCodeNotOK = errors.New("HTTP status code not OK")
 )
 
-type serverData struct {
+func fetchAPI(ctx context.Context, client *http.Client,
-	Domain    string `json:"domain"`
+	recommended bool, limit uint) (data []serverData, err error) {
-	IPAddress string `json:"ip_address"`
+	url := "https://api.nordvpn.com/v1/servers/"
-	Name      string `json:"name"`
+	if recommended {
-	Country   string `json:"country"`
+		url += "recommendations"
-	Features  struct {
-		UDP bool `json:"openvpn_udp"`
-		TCP bool `json:"openvpn_tcp"`
-	} `json:"features"`
 	}
-
+	url += fmt.Sprintf("?limit=%d", limit) // 0 means no limit
-func fetchAPI(ctx context.Context, client *http.Client) (data []serverData, err error) {
-	const url = "https://nordvpn.com/api/server"
 
 	request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {

internal/provider/nordvpn/updater/ip.go

@@ -1,17 +0,0 @@
-package updater
-
-import (
-	"fmt"
-	"net/netip"
-)
-
-func parseIPv4(s string) (ipv4 netip.Addr, err error) {
-	ipv4, err = netip.ParseAddr(s)
-	if err != nil {
-		return ipv4, err
-	}
-	if !ipv4.Is4() {
-		return ipv4, fmt.Errorf("%w: %s", ErrNotIPv4, ipv4)
-	}
-	return ipv4, nil
-}

internal/provider/nordvpn/updater/models.go

@@ -0,0 +1,131 @@
+package updater
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/netip"
+)
+
+// Check out the JSON data from https://api.nordvpn.com/v1/servers?limit=10
+type serverData struct {
+	// Name is the server name, for example 'Poland #128'
+	Name string `json:"name"`
+	// Stations is, it seems, the entry IP address.
+	// However it is ignored in favor of the 'ips' entry field.
+	Station netip.Addr `json:"station"`
+	// IPv6Station is mostly empty, so we ignore it for now.
+	IPv6Station netip.Addr `json:"station_ipv6"`
+	// Hostname is the server hostname, for example 'pl128.nordvpn.com'
+	Hostname string
+	// Status is the server status, for example 'online'
+	Status string `json:"status"`
+	// Locations is the list of locations for the server.
+	// Only the first location is taken into account for now.
+	Locations []struct {
+		Country struct {
+			// Name is the country name, for example 'Poland'.
+			Name string `json:"name"`
+			City struct {
+				// Name is the city name, for example 'Warsaw'.
+				Name string `json:"name"`
+			} `json:"city"`
+		} `json:"country"`
+	} `json:"locations"`
+	Technologies []struct {
+		// Identifier is the technology id name, it can notably be:
+		// - openvpn_udp
+		// - openvpn_tcp
+		// - wireguard_udp
+		Identifier string `json:"identifier"`
+		// Metadata is notably useful for the Wireguard public key.
+		Metadata []struct {
+			// Name can notably be 'public_key'.
+			Name string `json:"name"`
+			// Value can notably the Wireguard public key value.
+			Value string `json:"value"`
+		} `json:"metadata"`
+	} `json:"technologies"`
+	Groups []struct {
+		// Title can notably be the region name, for example 'Europe',
+		// if the group's type/identifier is 'regions'.
+		Title string `json:"title"`
+		Type  struct {
+			// Identifier can be 'regions'.
+			Identifier string `json:"identifier"`
+		} `json:"type"`
+	} `json:"groups"`
+	// IPs is the list of IP addresses for the server.
+	IPs []struct {
+		// Type can notably be 'entry'.
+		Type string `json:"type"`
+		IP   struct {
+			IP netip.Addr `json:"ip"`
+		} `json:"ip"`
+	} `json:"ips"`
+}
+
+// country returns the country name of the server.
+func (s *serverData) country() (country string) {
+	if len(s.Locations) == 0 {
+		return ""
+	}
+	return s.Locations[0].Country.Name
+}
+
+// region returns the region name of the server.
+func (s *serverData) region() (region string) {
+	for _, group := range s.Groups {
+		if group.Type.Identifier == "regions" {
+			return group.Title
+		}
+	}
+	return ""
+}
+
+// city returns the city name of the server.
+func (s *serverData) city() (city string) {
+	if len(s.Locations) == 0 {
+		return ""
+	}
+	return s.Locations[0].Country.City.Name
+}
+
+// ips returns the list of IP addresses for the server.
+func (s *serverData) ips() (ips []netip.Addr) {
+	ips = make([]netip.Addr, 0, len(s.IPs))
+	for _, ipObject := range s.IPs {
+		if ipObject.Type != "entry" {
+			continue
+		}
+		ips = append(ips, ipObject.IP.IP)
+	}
+	return ips
+}
+
+var (
+	ErrWireguardPublicKeyMalformed = errors.New("wireguard public key is malformed")
+	ErrWireguardPublicKeyNotFound  = errors.New("wireguard public key not found")
+)
+
+// wireguardPublicKey returns the Wireguard public key for the server.
+func (s *serverData) wireguardPublicKey() (wgPubKey string, err error) {
+	for _, technology := range s.Technologies {
+		if technology.Identifier != "wireguard_udp" {
+			continue
+		}
+		for _, metadata := range technology.Metadata {
+			if metadata.Name != "public_key" {
+				continue
+			}
+			wgPubKey = metadata.Value
+			_, err = base64.StdEncoding.DecodeString(wgPubKey)
+			if err != nil {
+				return "", fmt.Errorf("%w: %s cannot be decoded: %s",
+					ErrWireguardPublicKeyMalformed, wgPubKey, err)
+			}
+			return metadata.Value, nil
+		}
+	}
+	return "", fmt.Errorf("%w", ErrWireguardPublicKeyNotFound)
+}

internal/provider/nordvpn/updater/servers.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net/netip"
 	"sort"
 
 	"github.com/qdm12/gluetun/internal/constants/vpn"
@@ -18,7 +17,9 @@ var (
 
 func (u *Updater) FetchServers(ctx context.Context, minServers int) (
 	servers []models.Server, err error) {
-	data, err := fetchAPI(ctx, u.client)
+	const recommended = true
+	const limit = 0
+	data, err := fetchAPI(ctx, u.client, recommended, limit)
 	if err != nil {
 		return nil, err
 	}
@@ -26,31 +27,64 @@ func (u *Updater) FetchServers(ctx context.Context, minServers int) (
 	servers = make([]models.Server, 0, len(data))
 
 	for _, jsonServer := range data {
-		if !jsonServer.Features.TCP && !jsonServer.Features.UDP {
+		if jsonServer.Status != "online" {
-			u.warner.Warn("server does not support TCP and UDP for openvpn: " + jsonServer.Name)
+			u.warner.Warn(fmt.Sprintf("ignoring offline server %s", jsonServer.Name))
 			continue
 		}
 
-		ip, err := parseIPv4(jsonServer.IPAddress)
+		server := models.Server{
-		if err != nil {
+			Country:  jsonServer.country(),
-			return nil, fmt.Errorf("%w for server %s", err, jsonServer.Name)
+			Region:   jsonServer.region(),
+			City:     jsonServer.city(),
+			Hostname: jsonServer.Hostname,
+			IPs:      jsonServer.ips(),
 		}
 
 		number, err := parseServerName(jsonServer.Name)
-		if err != nil {
+		switch {
-			return nil, err
+		case errors.Is(err, ErrNoIDInServerName):
+			u.warner.Warn(fmt.Sprintf("%s - leaving server number as 0", err))
+		case err != nil:
+			u.warner.Warn(fmt.Sprintf("failed parsing server name: %s", err))
+			continue
+		default: // no error
+			server.Number = number
 		}
 
-		server := models.Server{
+		var wireguardFound, openvpnFound bool
-			VPN:      vpn.OpenVPN,
+		wireguardServer := server
-			Region:   jsonServer.Country,
+		wireguardServer.VPN = vpn.Wireguard
-			Hostname: jsonServer.Domain,
+		openVPNServer := server // accumulate UDP+TCP technologies
-			Number:   number,
+		openVPNServer.VPN = vpn.OpenVPN
-			IPs:      []netip.Addr{ip},
+
-			TCP:      jsonServer.Features.TCP,
+		for _, technology := range jsonServer.Technologies {
-			UDP:      jsonServer.Features.UDP,
+			switch technology.Identifier {
+			case "openvpn_udp":
+				openvpnFound = true
+				openVPNServer.UDP = true
+			case "openvpn_tcp":
+				openvpnFound = true
+				openVPNServer.TCP = true
+			case "wireguard_udp":
+				wireguardFound = true
+				wireguardServer.WgPubKey, err = jsonServer.wireguardPublicKey()
+				if err != nil {
+					u.warner.Warn(fmt.Sprintf("ignoring Wireguard server %s: %s",
+						jsonServer.Name, err))
+					wireguardFound = false
+					continue
+				}
+			default: // Ignore other technologies
+				continue
+			}
+		}
+
+		if openvpnFound {
+			servers = append(servers, openVPNServer)
+		}
+		if wireguardFound {
+			servers = append(servers, wireguardServer)
 		}
-		servers = append(servers, server)
 	}
 
 	if len(servers) < minServers {