change!(server): auth is now required for all routes

.github/workflows/markdown.yml

@@ -20,7 +20,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
-      - uses: DavidAnson/markdownlint-cli2-action@v21
+      - uses: DavidAnson/markdownlint-cli2-action@v20
         with:
           globs: "**.md"
           config: .markdownlint-cli2.jsonc

Dockerfile

@@ -167,6 +167,7 @@ ENV VPN_SERVICE_PROVIDER=pia \
     HEALTH_ICMP_TARGET_IP=1.1.1.1 \
     HEALTH_RESTART_VPN=on \
     # DNS
+    DNS_SERVER=on \
     DNS_UPSTREAM_RESOLVER_TYPE=DoT \
     DNS_UPSTREAM_RESOLVERS=cloudflare \
     DNS_BLOCK_IPS= \
@@ -179,7 +180,8 @@ ENV VPN_SERVICE_PROVIDER=pia \
     DNS_UNBLOCK_HOSTNAMES= \
     DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES= \
     DNS_UPDATE_PERIOD=24h \
-    DNS_UPSTREAM_PLAIN_ADDRESSES= \
+    DNS_ADDRESS=127.0.0.1 \
+    DNS_KEEP_NAMESERVER=off \
     # HTTP proxy
     HTTPPROXY= \
     HTTPPROXY_LOG=off \

README.md

@@ -1,7 +1,5 @@
 # Gluetun VPN client
 
-⚠️ This and [gluetun-wiki](https://github.com/qdm12/gluetun-wiki) are the only websites for Gluetun, other websites claiming to be official are scams ⚠️
-
 Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 
 ![Title image](https://raw.githubusercontent.com/qdm12/gluetun/master/title.svg)

cmd/gluetun/main.go

@@ -175,7 +175,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		Version:      buildInfo.Version,
 		Commit:       buildInfo.Commit,
 		Created:      buildInfo.Created,
-		Announcement: "All control server routes will become private by default after the v3.41.0 release",
+		Announcement: "All control server routes are now private by default",
 		AnnounceExp:  announcementExp,
 		// Sponsor information
 		PaypalUser:    "qmcgaw",

internal/cli/nooplogger.go

@@ -7,4 +7,3 @@ func newNoopLogger() *noopLogger {
 }
 
 func (l *noopLogger) Info(string) {}
-func (l *noopLogger) Warn(string) {}

internal/cli/update.go

@@ -81,11 +81,7 @@ func (c *CLI) Update(ctx context.Context, args []string, logger UpdaterLogger) e
 		return fmt.Errorf("options validation failed: %w", err)
 	}
 
-	serversDataPath := constants.ServersData
-	if maintainerMode {
-		serversDataPath = ""
-	}
-	storage, err := storage.New(logger, serversDataPath)
+	storage, err := storage.New(logger, constants.ServersData)
 	if err != nil {
 		return fmt.Errorf("creating servers storage: %w", err)
 	}

internal/configuration/settings/deprecated.go

@@ -14,10 +14,6 @@ func readObsolete(r *reader.Reader) (warnings []string) {
 		"DOT_VALIDATION_LOGLEVEL":      "DOT_VALIDATION_LOGLEVEL is obsolete because DNSSEC validation is not implemented.",
 		"HEALTH_VPN_DURATION_INITIAL":  "HEALTH_VPN_DURATION_INITIAL is obsolete",
 		"HEALTH_VPN_DURATION_ADDITION": "HEALTH_VPN_DURATION_ADDITION is obsolete",
-		"DNS_SERVER":                   "DNS_SERVER is obsolete because the forwarding server is always enabled.",
-		"DOT":                          "DOT is obsolete because the forwarding server is always enabled.",
-		"DNS_KEEP_NAMESERVER": "DNS_KEEP_NAMESERVER is obsolete because the forwarding server is always used and " +
-			"forwards local names to private DNS resolvers found in /etc/resolv.conf",
 	}
 	sortedKeys := maps.Keys(keyToMessage)
 	slices.Sort(sortedKeys)

internal/configuration/settings/dns.go

@@ -4,7 +4,6 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"slices"
 	"time"
 
 	"github.com/qdm12/dns/v2/pkg/provider"
@@ -14,25 +13,20 @@ import (
 	"github.com/qdm12/gotree"
 )
 
-const (
-	DNSUpstreamTypeDot   = "dot"
-	DNSUpstreamTypeDoh   = "doh"
-	DNSUpstreamTypePlain = "plain"
-)
-
 // DNS contains settings to configure DNS.
 type DNS struct {
-	// UpstreamType can be [dnsUpstreamTypeDot], [dnsUpstreamTypeDoh]
-	// or [dnsUpstreamTypePlain]. It defaults to [dnsUpstreamTypeDot].
+	// ServerEnabled is true if the server should be running
+	// and used. It defaults to true, and cannot be nil
+	// in the internal state.
+	ServerEnabled *bool
+	// UpstreamType can be dot or plain, and defaults to dot.
 	UpstreamType string `json:"upstream_type"`
 	// UpdatePeriod is the period to update DNS block lists.
 	// It can be set to 0 to disable the update.
 	// It defaults to 24h and cannot be nil in
 	// the internal state.
 	UpdatePeriod *time.Duration
-	// Providers is a list of DNS providers.
-	// It defaults to either ["cloudflare"] or [] if the
-	// UpstreamPlainAddresses field is set.
+	// Providers is a list of DNS providers
 	Providers []string `json:"providers"`
 	// Caching is true if the server should cache
 	// DNS responses.
@@ -42,23 +36,32 @@ type DNS struct {
 	// Blacklist contains settings to configure the filter
 	// block lists.
 	Blacklist DNSBlacklist
-	// UpstreamPlainAddresses are the upstream plaintext DNS resolver
-	// addresses to use by the built-in DNS server forwarder.
-	// Note, if the upstream type is [dnsUpstreamTypePlain] these are merged
-	// together with provider names set in the Providers field.
-	// If this field is set, the Providers field will default to the empty slice.
-	UpstreamPlainAddresses []netip.AddrPort
+	// ServerAddress is the DNS server to use inside
+	// the Go program and for the system.
+	// It defaults to '127.0.0.1' to be used with the
+	// local server. It cannot be the zero value in the internal
+	// state.
+	ServerAddress netip.Addr
+	// KeepNameserver is true if the existing DNS server
+	// found in /etc/resolv.conf should be used
+	// Note setting this to true will likely DNS traffic
+	// outside the VPN tunnel since it would go through
+	// the local DNS server of your Docker/Kubernetes
+	// configuration, which is likely not going through the tunnel.
+	// This will also disable the DNS forwarder server and the
+	// `ServerAddress` field will be ignored.
+	// It defaults to false and cannot be nil in the
+	// internal state.
+	KeepNameserver *bool
 }
 
 var (
 	ErrDNSUpstreamTypeNotValid = errors.New("DNS upstream type is not valid")
 	ErrDNSUpdatePeriodTooShort = errors.New("update period is too short")
-	ErrDNSUpstreamPlainNoIPv6  = errors.New("upstream plain addresses do not contain any IPv6 address")
-	ErrDNSUpstreamPlainNoIPv4  = errors.New("upstream plain addresses do not contain any IPv4 address")
 )
 
 func (d DNS) validate() (err error) {
-	if !helpers.IsOneOf(d.UpstreamType, DNSUpstreamTypeDot, DNSUpstreamTypeDoh, DNSUpstreamTypePlain) {
+	if !helpers.IsOneOf(d.UpstreamType, "dot", "doh", "plain") {
 		return fmt.Errorf("%w: %s", ErrDNSUpstreamTypeNotValid, d.UpstreamType)
 	}
 
@@ -76,18 +79,6 @@ func (d DNS) validate() (err error) {
 		}
 	}
 
-	if d.UpstreamType == DNSUpstreamTypePlain {
-		if *d.IPv6 && !slices.ContainsFunc(d.UpstreamPlainAddresses, func(addrPort netip.AddrPort) bool {
-			return addrPort.Addr().Is6()
-		}) {
-			return fmt.Errorf("%w: in %d addresses", ErrDNSUpstreamPlainNoIPv6, len(d.UpstreamPlainAddresses))
-		} else if !slices.ContainsFunc(d.UpstreamPlainAddresses, func(addrPort netip.AddrPort) bool {
-			return addrPort.Addr().Is4()
-		}) {
-			return fmt.Errorf("%w: in %d addresses", ErrDNSUpstreamPlainNoIPv4, len(d.UpstreamPlainAddresses))
-		}
-	}
-
 	err = d.Blacklist.validate()
 	if err != nil {
 		return err
@@ -98,13 +89,15 @@ func (d DNS) validate() (err error) {
 
 func (d *DNS) Copy() (copied DNS) {
 	return DNS{
-		UpstreamType:           d.UpstreamType,
-		UpdatePeriod:           gosettings.CopyPointer(d.UpdatePeriod),
-		Providers:              gosettings.CopySlice(d.Providers),
-		Caching:                gosettings.CopyPointer(d.Caching),
-		IPv6:                   gosettings.CopyPointer(d.IPv6),
-		Blacklist:              d.Blacklist.copy(),
-		UpstreamPlainAddresses: d.UpstreamPlainAddresses,
+		ServerEnabled:  gosettings.CopyPointer(d.ServerEnabled),
+		UpstreamType:   d.UpstreamType,
+		UpdatePeriod:   gosettings.CopyPointer(d.UpdatePeriod),
+		Providers:      gosettings.CopySlice(d.Providers),
+		Caching:        gosettings.CopyPointer(d.Caching),
+		IPv6:           gosettings.CopyPointer(d.IPv6),
+		Blacklist:      d.Blacklist.copy(),
+		ServerAddress:  d.ServerAddress,
+		KeepNameserver: gosettings.CopyPointer(d.KeepNameserver),
 	}
 }
 
@@ -112,17 +105,20 @@ func (d *DNS) Copy() (copied DNS) {
 // settings object with any field set in the other
 // settings.
 func (d *DNS) overrideWith(other DNS) {
+	d.ServerEnabled = gosettings.OverrideWithPointer(d.ServerEnabled, other.ServerEnabled)
 	d.UpstreamType = gosettings.OverrideWithComparable(d.UpstreamType, other.UpstreamType)
 	d.UpdatePeriod = gosettings.OverrideWithPointer(d.UpdatePeriod, other.UpdatePeriod)
 	d.Providers = gosettings.OverrideWithSlice(d.Providers, other.Providers)
 	d.Caching = gosettings.OverrideWithPointer(d.Caching, other.Caching)
 	d.IPv6 = gosettings.OverrideWithPointer(d.IPv6, other.IPv6)
 	d.Blacklist.overrideWith(other.Blacklist)
-	d.UpstreamPlainAddresses = gosettings.OverrideWithSlice(d.UpstreamPlainAddresses, other.UpstreamPlainAddresses)
+	d.ServerAddress = gosettings.OverrideWithValidator(d.ServerAddress, other.ServerAddress)
+	d.KeepNameserver = gosettings.OverrideWithPointer(d.KeepNameserver, other.KeepNameserver)
 }
 
 func (d *DNS) setDefaults() {
-	d.UpstreamType = gosettings.DefaultComparable(d.UpstreamType, DNSUpstreamTypeDot)
+	d.ServerEnabled = gosettings.DefaultPointer(d.ServerEnabled, true)
+	d.UpstreamType = gosettings.DefaultComparable(d.UpstreamType, "dot")
 	const defaultUpdatePeriod = 24 * time.Hour
 	d.UpdatePeriod = gosettings.DefaultPointer(d.UpdatePeriod, defaultUpdatePeriod)
 	d.Providers = gosettings.DefaultSlice(d.Providers, []string{
@@ -131,53 +127,26 @@ func (d *DNS) setDefaults() {
 	d.Caching = gosettings.DefaultPointer(d.Caching, true)
 	d.IPv6 = gosettings.DefaultPointer(d.IPv6, false)
 	d.Blacklist.setDefaults()
-	d.UpstreamPlainAddresses = gosettings.DefaultSlice(d.UpstreamPlainAddresses, []netip.AddrPort{})
-}
-
-func defaultDNSProviders() []string {
-	return []string{
-		provider.Cloudflare().Name,
-	}
+	d.ServerAddress = gosettings.DefaultValidator(d.ServerAddress,
+		netip.AddrFrom4([4]byte{127, 0, 0, 1}))
+	d.KeepNameserver = gosettings.DefaultPointer(d.KeepNameserver, false)
 }
 
 func (d DNS) GetFirstPlaintextIPv4() (ipv4 netip.Addr) {
-	if d.UpstreamType == DNSUpstreamTypePlain {
-		for _, addrPort := range d.UpstreamPlainAddresses {
-			if addrPort.Addr().Is4() {
-				return addrPort.Addr()
-			}
-		}
+	localhost := netip.AddrFrom4([4]byte{127, 0, 0, 1})
+	if d.ServerAddress.Compare(localhost) != 0 && d.ServerAddress.Is4() {
+		return d.ServerAddress
 	}
 
-	ipv4 = findPlainIPv4InProviders(d.Providers)
-	if ipv4.IsValid() {
-		return ipv4
-	}
-
-	// Either:
-	// - all upstream plain addresses are IPv6 and no provider is set
-	// - all providers set do not have a plaintext IPv4 address
-	ipv4 = findPlainIPv4InProviders(defaultDNSProviders())
-	if !ipv4.IsValid() {
-		panic("no plaintext IPv4 address found in default DNS providers")
-	}
-	return ipv4
-}
-
-func findPlainIPv4InProviders(providerNames []string) netip.Addr {
 	providers := provider.NewProviders()
-	for _, name := range providerNames {
-		provider, err := providers.Get(name)
-		if err != nil {
-			// Settings should be validated before calling this function,
-			// so an error happening here is a programming error.
-			panic(err)
-		}
-		if len(provider.Plain.IPv4) > 0 {
-			return provider.Plain.IPv4[0].Addr()
-		}
+	provider, err := providers.Get(d.Providers[0])
+	if err != nil {
+		// Settings should be validated before calling this function,
+		// so an error happening here is a programming error.
+		panic(err)
 	}
-	return netip.Addr{}
+
+	return provider.Plain.IPv4[0].Addr()
 }
 
 func (d DNS) String() string {
@@ -186,22 +155,22 @@ func (d DNS) String() string {
 
 func (d DNS) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("DNS settings:")
+	node.Appendf("Keep existing nameserver(s): %s", gosettings.BoolToYesNo(d.KeepNameserver))
+	if *d.KeepNameserver {
+		return node
+	}
+	node.Appendf("DNS server address to use: %s", d.ServerAddress)
+
+	node.Appendf("DNS forwarder server enabled: %s", gosettings.BoolToYesNo(d.ServerEnabled))
+	if !*d.ServerEnabled {
+		return node
+	}
 
 	node.Appendf("Upstream resolver type: %s", d.UpstreamType)
 
 	upstreamResolvers := node.Append("Upstream resolvers:")
-	if len(d.UpstreamPlainAddresses) > 0 {
-		if d.UpstreamType == DNSUpstreamTypePlain {
-			for _, addr := range d.UpstreamPlainAddresses {
-				upstreamResolvers.Append(addr.String())
-			}
-		} else {
-			node.Appendf("Upstream plain addresses: ignored because upstream type is not plain")
-		}
-	} else {
-		for _, provider := range d.Providers {
-			upstreamResolvers.Append(provider)
-		}
+	for _, provider := range d.Providers {
+		upstreamResolvers.Append(provider)
 	}
 
 	node.Appendf("Caching: %s", gosettings.BoolToYesNo(d.Caching))
@@ -219,6 +188,11 @@ func (d DNS) toLinesNode() (node *gotree.Node) {
 }
 
 func (d *DNS) read(r *reader.Reader) (err error) {
+	d.ServerEnabled, err = r.BoolPtr("DNS_SERVER", reader.RetroKeys("DOT"))
+	if err != nil {
+		return err
+	}
+
 	d.UpstreamType = r.String("DNS_UPSTREAM_RESOLVER_TYPE")
 
 	d.UpdatePeriod, err = r.DurationPtr("DNS_UPDATE_PERIOD")
@@ -243,43 +217,15 @@ func (d *DNS) read(r *reader.Reader) (err error) {
 		return err
 	}
 
-	err = d.readUpstreamPlainAddresses(r)
+	d.ServerAddress, err = r.NetipAddr("DNS_ADDRESS", reader.RetroKeys("DNS_PLAINTEXT_ADDRESS"))
+	if err != nil {
+		return err
+	}
+
+	d.KeepNameserver, err = r.BoolPtr("DNS_KEEP_NAMESERVER")
 	if err != nil {
 		return err
 	}
 
 	return nil
 }
-
-func (d *DNS) readUpstreamPlainAddresses(r *reader.Reader) (err error) {
-	// If DNS_UPSTREAM_PLAIN_ADDRESSES is set, the user must also set DNS_UPSTREAM_TYPE=plain
-	// for these to be used. This is an added safety measure to reduce misunderstandings, and
-	// reduce odd settings overrides.
-	d.UpstreamPlainAddresses, err = r.CSVNetipAddrPorts("DNS_UPSTREAM_PLAIN_ADDRESSES")
-	if err != nil {
-		return err
-	}
-
-	// Retro-compatibility - remove in v4
-	// If DNS_ADDRESS is set to a non-localhost address, append it to the other
-	// upstream plain addresses, assuming port 53, and force the upstream type to plain AND
-	// clear any user picked providers, to maintain retro-compatibility behavior.
-	serverAddress, err := r.NetipAddr("DNS_ADDRESS",
-		reader.RetroKeys("DNS_PLAINTEXT_ADDRESS"),
-		reader.IsRetro("DNS_UPSTREAM_PLAIN_ADDRESSES"))
-	if err != nil {
-		return err
-	} else if !serverAddress.IsValid() {
-		return nil
-	}
-	isLocalhost := serverAddress.Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) == 0
-	if isLocalhost {
-		return nil
-	}
-	const defaultPlainPort = 53
-	addrPort := netip.AddrPortFrom(serverAddress, defaultPlainPort)
-	d.UpstreamPlainAddresses = append(d.UpstreamPlainAddresses, addrPort)
-	d.UpstreamType = DNSUpstreamTypePlain
-	d.Providers = []string{}
-	return nil
-}

internal/configuration/settings/dns_test.go

@@ -1,26 +0,0 @@
-package settings
-
-import (
-	"testing"
-
-	"github.com/qdm12/dns/v2/pkg/provider"
-	"github.com/stretchr/testify/require"
-)
-
-func Test_defaultDNSProviders(t *testing.T) {
-	t.Parallel()
-
-	names := defaultDNSProviders()
-
-	found := false
-	providers := provider.NewProviders()
-	for _, name := range names {
-		provider, err := providers.Get(name)
-		require.NoError(t, err)
-		if len(provider.Plain.IPv4) > 0 {
-			found = true
-			break
-		}
-	}
-	require.True(t, found, "no default DNS provider has a plaintext IPv4 address")
-}

internal/configuration/settings/settings.go

@@ -2,6 +2,7 @@ package settings
 
 import (
 	"fmt"
+	"net/netip"
 
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
 	"github.com/qdm12/gluetun/internal/constants/providers"
@@ -173,11 +174,13 @@ func (s Settings) Warnings() (warnings []string) {
 			"by creating an issue, attaching the new certificate and we will update Gluetun.")
 	}
 
-	for _, upstreamAddress := range s.DNS.UpstreamPlainAddresses {
-		if upstreamAddress.Addr().IsPrivate() {
-			warnings = append(warnings, "DNS upstream address "+upstreamAddress.String()+" is private: "+
-				"DNS traffic might leak out of the VPN tunnel to that address.")
-		}
+	// TODO remove in v4
+	if s.DNS.ServerAddress.Unmap().Compare(netip.AddrFrom4([4]byte{127, 0, 0, 1})) != 0 {
+		warnings = append(warnings, "DNS address is set to "+s.DNS.ServerAddress.String()+
+			" so the local forwarding DNS server will not be used."+
+			" The default value changed to 127.0.0.1 so it uses the internal DNS server."+
+			" If this server fails to start, the IPv4 address of the first plaintext DNS server"+
+			" corresponding to the first DNS provider chosen is used.")
 	}
 
 	return warnings

internal/configuration/settings/settings_test.go

@@ -38,6 +38,9 @@ func Test_Settings_String(t *testing.T) {
 |       ├── Run OpenVPN as: root
 |       └── Verbosity level: 1
 ├── DNS settings:
+|   ├── Keep existing nameserver(s): no
+|   ├── DNS server address to use: 127.0.0.1
+|   ├── DNS forwarder server enabled: yes
 |   ├── Upstream resolver type: dot
 |   ├── Upstream resolvers:
 |   |   └── Cloudflare

internal/dns/run.go

@@ -18,8 +18,14 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 		return
 	}
 
-	const fallback = false
-	l.useUnencryptedDNS(fallback)
+	if *l.GetSettings().KeepNameserver {
+		l.logger.Warn("⚠️⚠️⚠️  keeping the default container nameservers, " +
+			"this will likely leak DNS traffic outside the VPN " +
+			"and go through your container network DNS outside the VPN tunnel!")
+	} else {
+		const fallback = false
+		l.useUnencryptedDNS(fallback)
+	}
 
 	select {
 	case <-l.start:
@@ -32,12 +38,14 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 		// Their values are to be used if DOT=off
 		var runError <-chan error
 
-		for {
+		settings := l.GetSettings()
+		for !*settings.KeepNameserver && *settings.ServerEnabled {
 			var err error
 			runError, err = l.setupServer(ctx)
 			if err == nil {
 				l.backoffTime = defaultBackoffTime
 				l.logger.Info("ready")
+				l.signalOrSetStatus(constants.Running)
 				break
 			}
 
@@ -52,11 +60,14 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 				l.useUnencryptedDNS(fallback)
 			}
 			l.logAndWait(ctx, err)
+			settings = l.GetSettings()
 		}
-		l.signalOrSetStatus(constants.Running)
 
-		const fallback = false
-		l.useUnencryptedDNS(fallback)
+		settings = l.GetSettings()
+		if !*settings.KeepNameserver && !*settings.ServerEnabled {
+			const fallback = false
+			l.useUnencryptedDNS(fallback)
+		}
 
 		l.userTrigger = false
 

internal/dns/settings.go

@@ -26,23 +26,31 @@ func (l *Loop) SetSettings(ctx context.Context, settings settings.DNS) (
 	return l.state.SetSettings(ctx, settings)
 }
 
-func buildServerSettings(userSettings settings.DNS,
+func buildServerSettings(settings settings.DNS,
 	filter *mapfilter.Filter, localResolvers []netip.Addr,
 	logger Logger) (
 	serverSettings server.Settings, err error,
 ) {
 	serverSettings.Logger = logger
 
-	upstreamResolvers := buildProviders(userSettings)
+	providersData := provider.NewProviders()
+	upstreamResolvers := make([]provider.Provider, len(settings.Providers))
+	for i := range settings.Providers {
+		var err error
+		upstreamResolvers[i], err = providersData.Get(settings.Providers[i])
+		if err != nil {
+			panic(err) // this should already had been checked
+		}
+	}
 
 	ipVersion := "ipv4"
-	if *userSettings.IPv6 {
+	if *settings.IPv6 {
 		ipVersion = "ipv6"
 	}
 
 	var dialer server.Dialer
-	switch userSettings.UpstreamType {
-	case settings.DNSUpstreamTypeDot:
+	switch settings.UpstreamType {
+	case "dot":
 		dialerSettings := dot.Settings{
 			UpstreamResolvers: upstreamResolvers,
 			IPVersion:         ipVersion,
@@ -51,7 +59,7 @@ func buildServerSettings(userSettings settings.DNS,
 		if err != nil {
 			return server.Settings{}, fmt.Errorf("creating DNS over TLS dialer: %w", err)
 		}
-	case settings.DNSUpstreamTypeDoh:
+	case "doh":
 		dialerSettings := doh.Settings{
 			UpstreamResolvers: upstreamResolvers,
 			IPVersion:         ipVersion,
@@ -60,7 +68,7 @@ func buildServerSettings(userSettings settings.DNS,
 		if err != nil {
 			return server.Settings{}, fmt.Errorf("creating DNS over HTTPS dialer: %w", err)
 		}
-	case settings.DNSUpstreamTypePlain:
+	case "plain":
 		dialerSettings := plain.Settings{
 			UpstreamResolvers: upstreamResolvers,
 			IPVersion:         ipVersion,
@@ -70,11 +78,11 @@ func buildServerSettings(userSettings settings.DNS,
 			return server.Settings{}, fmt.Errorf("creating plain DNS dialer: %w", err)
 		}
 	default:
-		panic("unknown upstream type: " + userSettings.UpstreamType)
+		panic("unknown upstream type: " + settings.UpstreamType)
 	}
 	serverSettings.Dialer = dialer
 
-	if *userSettings.Caching {
+	if *settings.Caching {
 		lruCache, err := lru.New(lru.Settings{})
 		if err != nil {
 			return server.Settings{}, fmt.Errorf("creating LRU cache: %w", err)
@@ -115,48 +123,3 @@ func buildServerSettings(userSettings settings.DNS,
 
 	return serverSettings, nil
 }
-
-func buildProviders(userSettings settings.DNS) []provider.Provider {
-	if userSettings.UpstreamType == settings.DNSUpstreamTypePlain &&
-		len(userSettings.UpstreamPlainAddresses) > 0 {
-		providers := make([]provider.Provider, len(userSettings.UpstreamPlainAddresses))
-		for i, addrPort := range userSettings.UpstreamPlainAddresses {
-			providers[i] = provider.Provider{
-				Name: addrPort.String(),
-			}
-			if addrPort.Addr().Is4() {
-				providers[i].Plain.IPv4 = []netip.AddrPort{addrPort}
-			} else {
-				providers[i].Plain.IPv6 = []netip.AddrPort{addrPort}
-			}
-		}
-	}
-
-	providersData := provider.NewProviders()
-	providers := make([]provider.Provider, 0, len(userSettings.Providers)+len(userSettings.UpstreamPlainAddresses))
-	for _, providerName := range userSettings.Providers {
-		provider, err := providersData.Get(providerName)
-		if err != nil {
-			panic(err) // this should already had been checked
-		}
-		providers = append(providers, provider)
-	}
-
-	if userSettings.UpstreamType != settings.DNSUpstreamTypePlain {
-		return providers
-	}
-
-	for _, addrPort := range userSettings.UpstreamPlainAddresses {
-		newProvider := provider.Provider{
-			Name: addrPort.String(),
-		}
-		if addrPort.Addr().Is4() {
-			newProvider.Plain.IPv4 = []netip.AddrPort{addrPort}
-		} else {
-			newProvider.Plain.IPv6 = []netip.AddrPort{addrPort}
-		}
-		providers = append(providers, newProvider)
-	}
-
-	return providers
-}

internal/dns/setup.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/netip"
 
 	"github.com/qdm12/dns/v2/pkg/check"
 	"github.com/qdm12/dns/v2/pkg/nameserver"
@@ -37,8 +38,12 @@ func (l *Loop) setupServer(ctx context.Context) (runError <-chan error, err erro
 	l.server = server
 
 	// use internal DNS server
-	nameserver.UseDNSInternally(nameserver.SettingsInternalDNS{})
+	const defaultDNSPort = 53
+	nameserver.UseDNSInternally(nameserver.SettingsInternalDNS{
+		AddrPort: netip.AddrPortFrom(settings.ServerAddress, defaultDNSPort),
+	})
 	err = nameserver.UseDNSSystemWide(nameserver.SettingsSystemDNS{
+		IPs:        []netip.Addr{settings.ServerAddress},
 		ResolvPath: l.resolvConf,
 	})
 	if err != nil {

internal/dns/state/settings.go

@@ -40,6 +40,8 @@ func (s *State) SetSettings(ctx context.Context, settings settings.DNS) (
 
 	// Restart
 	_, _ = s.statusApplier.ApplyStatus(ctx, constants.Stopped)
-	outcome, _ = s.statusApplier.ApplyStatus(ctx, constants.Running)
+	if *settings.ServerEnabled {
+		outcome, _ = s.statusApplier.ApplyStatus(ctx, constants.Running)
+	}
 	return outcome
 }

internal/healthcheck/checker.go

@@ -131,18 +131,9 @@ func (c *Checker) smallPeriodicCheck(ctx context.Context) error {
 	c.configMutex.Lock()
 	ip := c.icmpTarget
 	c.configMutex.Unlock()
-	tryTimeouts := []time.Duration{
-		5 * time.Second,
-		5 * time.Second,
-		5 * time.Second,
-		10 * time.Second,
-		10 * time.Second,
-		10 * time.Second,
-		15 * time.Second,
-		15 * time.Second,
-		15 * time.Second,
-		30 * time.Second,
-	}
+	const maxTries = 3
+	const timeout = 10 * time.Second
+	const extraTryTime = 10 * time.Second // 10s added for each subsequent retry
 	check := func(ctx context.Context) error {
 		if c.icmpNotPermitted {
 			return c.dnsClient.Check(ctx)
@@ -156,17 +147,19 @@ func (c *Checker) smallPeriodicCheck(ctx context.Context) error {
 		}
 		return err
 	}
-	return withRetries(ctx, tryTimeouts, c.logger, c.smallCheckName, check)
+	return withRetries(ctx, maxTries, timeout, extraTryTime, c.logger, c.smallCheckName, check)
 }
 
 func (c *Checker) fullPeriodicCheck(ctx context.Context) error {
+	const maxTries = 2
 	// 20s timeout in case the connection is under stress
 	// See https://github.com/qdm12/gluetun/issues/2270
-	tryTimeouts := []time.Duration{10 * time.Second, 15 * time.Second, 30 * time.Second}
+	const timeout = 20 * time.Second
+	const extraTryTime = 10 * time.Second // 10s added for each subsequent retry
 	check := func(ctx context.Context) error {
 		return tcpTLSCheck(ctx, c.dialer, c.tlsDialAddr)
 	}
-	return withRetries(ctx, tryTimeouts, c.logger, "TCP+TLS dial", check)
+	return withRetries(ctx, maxTries, timeout, extraTryTime, c.logger, "TCP+TLS dial", check)
 }
 
 func tcpTLSCheck(ctx context.Context, dialer *net.Dialer, targetAddress string) error {
@@ -225,17 +218,13 @@ func makeAddressToDial(address string) (addressToDial string, err error) {
 
 var ErrAllCheckTriesFailed = errors.New("all check tries failed")
 
-func withRetries(ctx context.Context, tryTimeouts []time.Duration,
+func withRetries(ctx context.Context, maxTries uint, tryTimeout, extraTryTime time.Duration,
 	logger Logger, checkName string, check func(ctx context.Context) error,
 ) error {
-	maxTries := len(tryTimeouts)
-	type errData struct {
-		err      error
-		duration time.Duration
-	}
-	errs := make([]errData, maxTries)
-	for i, timeout := range tryTimeouts {
-		start := time.Now()
+	try := uint(0)
+	var errs []error
+	for {
+		timeout := tryTimeout + time.Duration(try)*extraTryTime //nolint:gosec
 		checkCtx, cancel := context.WithTimeout(ctx, timeout)
 		err := check(checkCtx)
 		cancel()
@@ -245,14 +234,17 @@ func withRetries(ctx context.Context, tryTimeouts []time.Duration,
 		case ctx.Err() != nil:
 			return fmt.Errorf("%s: %w", checkName, ctx.Err())
 		}
-		logger.Debugf("%s attempt %d/%d failed: %s", checkName, i+1, maxTries, err)
-		errs[i].err = err
-		errs[i].duration = time.Since(start)
+		logger.Debugf("%s attempt %d/%d failed: %s", checkName, try+1, maxTries, err)
+		errs = append(errs, err)
+		try++
+		if try < maxTries {
+			continue
+		}
+		errStrings := make([]string, len(errs))
+		for i, err := range errs {
+			errStrings[i] = fmt.Sprintf("attempt %d: %s", i+1, err.Error())
+		}
+		return fmt.Errorf("%w: after %d %s attempts (%s)",
+			ErrAllCheckTriesFailed, maxTries, checkName, strings.Join(errStrings, "; "))
 	}
-
-	errStrings := make([]string, len(errs))
-	for i, err := range errs {
-		errStrings[i] = fmt.Sprintf("attempt %d (%s): %s", i+1, err.duration, err.err)
-	}
-	return fmt.Errorf("%w: %s", ErrAllCheckTriesFailed, strings.Join(errStrings, ", "))
 }

internal/portforward/service/command.go

@@ -18,7 +18,6 @@ func runCommand(ctx context.Context, cmder Cmder, logger Logger,
 	}
 	portsString := strings.Join(portStrings, ",")
 	commandString := strings.ReplaceAll(commandTemplate, "{{PORTS}}", portsString)
-	commandString = strings.ReplaceAll(commandString, "{{PORT}}", portStrings[0])
 	args, err := command.Split(commandString)
 	if err != nil {
 		return fmt.Errorf("parsing command: %w", err)

internal/provider/protonvpn/updater/api.go

@@ -371,7 +371,7 @@ func (c *apiClient) authInfo(ctx context.Context, username string, unauthCookie
 	case info.SRPSession == "":
 		return "", "", "", "", 0, fmt.Errorf("%w: SRP session is empty", ErrDataFieldMissing)
 
-	case !strings.EqualFold(info.Username, username):
+	case info.Username != username:
 		return "", "", "", "", 0, fmt.Errorf("%w: expected %s got %s",
 			ErrUsernameMismatch, username, info.Username)
 	case info.Version == nil:

internal/server/middlewares/auth/middleware.go

@@ -18,37 +18,15 @@ func New(settings Settings, debugLogger DebugLogger) (
 		return &authHandler{
 			childHandler: handler,
 			routeToRoles: routeToRoles,
-			unprotectedRoutes: map[string]struct{}{
-				http.MethodGet + " /openvpn/actions/restart": {},
-				http.MethodGet + " /openvpn/portforwarded":   {},
-				http.MethodGet + " /unbound/actions/restart": {},
-				http.MethodGet + " /updater/restart":         {},
-				http.MethodGet + " /v1/version":              {},
-				http.MethodGet + " /v1/vpn/status":           {},
-				http.MethodPut + " /v1/vpn/status":           {},
-				// GET /v1/vpn/settings is protected by default
-				// PUT /v1/vpn/settings is protected by default
-				http.MethodGet + " /v1/openvpn/status":        {},
-				http.MethodPut + " /v1/openvpn/status":        {},
-				http.MethodGet + " /v1/openvpn/portforwarded": {},
-				// GET /v1/openvpn/settings is protected by default
-				http.MethodGet + " /v1/dns/status":     {},
-				http.MethodPut + " /v1/dns/status":     {},
-				http.MethodGet + " /v1/updater/status": {},
-				http.MethodPut + " /v1/updater/status": {},
-				http.MethodGet + " /v1/publicip/ip":    {},
-				http.MethodGet + " /v1/portforward":    {},
-			},
-			logger: debugLogger,
+			logger:       debugLogger,
 		}
 	}, nil
 }
 
 type authHandler struct {
-	childHandler      http.Handler
-	routeToRoles      map[string][]internalRole
-	unprotectedRoutes map[string]struct{} // TODO v3.41.0 remove
-	logger            DebugLogger
+	childHandler http.Handler
+	routeToRoles map[string][]internalRole
+	logger       DebugLogger
 }
 
 func (h *authHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
@@ -66,8 +44,6 @@ func (h *authHandler) ServeHTTP(writer http.ResponseWriter, request *http.Reques
 			continue
 		}
 
-		h.warnIfUnprotectedByDefault(role, route) // TODO v3.41.0 remove
-
 		h.logger.Debugf("access to route %s authorized for role %s", route, role.name)
 		h.childHandler.ServeHTTP(writer, request)
 		return
@@ -88,26 +64,3 @@ func (h *authHandler) ServeHTTP(writer http.ResponseWriter, request *http.Reques
 		route, andStrings(allRoleNames))
 	http.Error(writer, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 }
-
-func (h *authHandler) warnIfUnprotectedByDefault(role internalRole, route string) {
-	// TODO v3.41.0 remove
-	if role.name != "public" {
-		// custom role name, allow none authentication to be specified
-		return
-	}
-	_, isNoneChecker := role.checker.(*noneMethod)
-	if !isNoneChecker {
-		// not the none authentication method
-		return
-	}
-	_, isUnprotectedByDefault := h.unprotectedRoutes[route]
-	if !isUnprotectedByDefault {
-		// route is not unprotected by default, so this is a user decision
-		return
-	}
-	h.logger.Warnf("route %s is unprotected by default, "+
-		"please set up authentication following the documentation at "+
-		"https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication "+
-		"since this will become no longer publicly accessible after release v3.40.",
-		route)
-}

internal/server/middlewares/auth/middleware_test.go

@@ -40,27 +40,6 @@ func Test_authHandler_ServeHTTP(t *testing.T) {
 			statusCode:    http.StatusUnauthorized,
 			responseBody:  "Unauthorized\n",
 		},
-		"authorized_unprotected_by_default": {
-			settings: Settings{
-				Roles: []Role{
-					{Name: "public", Auth: AuthNone, Routes: []string{"GET /v1/vpn/status"}},
-				},
-			},
-			makeLogger: func(ctrl *gomock.Controller) *MockDebugLogger {
-				logger := NewMockDebugLogger(ctrl)
-				logger.EXPECT().Warnf("route %s is unprotected by default, "+
-					"please set up authentication following the documentation at "+
-					"https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication "+
-					"since this will become no longer publicly accessible after release v3.40.",
-					"GET /v1/vpn/status")
-				logger.EXPECT().Debugf("access to route %s authorized for role %s",
-					"GET /v1/vpn/status", "public")
-				return logger
-			},
-			requestMethod: http.MethodGet,
-			requestPath:   "/v1/vpn/status",
-			statusCode:    http.StatusOK,
-		},
 		"authorized_none": {
 			settings: Settings{
 				Roles: []Role{

internal/server/middlewares/auth/settings.go

@@ -63,31 +63,6 @@ func (s *Settings) SetDefaultRole(jsonRole string) error {
 	return nil
 }
 
-func (s *Settings) SetDefaults() {
-	s.Roles = gosettings.DefaultSlice(s.Roles, []Role{{ // TODO v3.41.0 leave empty
-		Name: "public",
-		Auth: "none",
-		Routes: []string{
-			http.MethodGet + " /openvpn/actions/restart",
-			http.MethodGet + " /unbound/actions/restart",
-			http.MethodGet + " /openvpn/portforwarded",
-			http.MethodGet + " /updater/restart",
-			http.MethodGet + " /v1/version",
-			http.MethodGet + " /v1/vpn/status",
-			http.MethodPut + " /v1/vpn/status",
-			http.MethodGet + " /v1/openvpn/status",
-			http.MethodPut + " /v1/openvpn/status",
-			http.MethodGet + " /v1/openvpn/portforwarded",
-			http.MethodGet + " /v1/dns/status",
-			http.MethodPut + " /v1/dns/status",
-			http.MethodGet + " /v1/updater/status",
-			http.MethodPut + " /v1/updater/status",
-			http.MethodGet + " /v1/publicip/ip",
-			http.MethodGet + " /v1/portforward",
-		},
-	}})
-}
-
 func (s Settings) Validate() (err error) {
 	for i, role := range s.Roles {
 		err = role.Validate()

internal/server/server.go

@@ -60,7 +60,6 @@ func setupAuthMiddleware(authPath, jsonDefaultRole string, logger Logger) (
 	if err != nil {
 		return auth.Settings{}, fmt.Errorf("setting default role: %w", err)
 	}
-	authSettings.SetDefaults()
 	err = authSettings.Validate()
 	if err != nil {
 		return auth.Settings{}, fmt.Errorf("validating auth settings: %w", err)

internal/storage/mocks_generate_test.go

@@ -1,3 +1,3 @@
 package storage
 
-//go:generate mockgen -destination=mocks_test.go -package $GOPACKAGE . Logger
+//go:generate mockgen -destination=mocks_test.go -package $GOPACKAGE . Infoer

internal/storage/mocks_test.go

@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/qdm12/gluetun/internal/storage (interfaces: Logger)
+// Source: github.com/qdm12/gluetun/internal/storage (interfaces: Infoer)
 
 // Package storage is a generated GoMock package.
 package storage
@@ -10,49 +10,37 @@ import (
 	gomock "github.com/golang/mock/gomock"
 )
 
-// MockLogger is a mock of Logger interface.
-type MockLogger struct {
+// MockInfoer is a mock of Infoer interface.
+type MockInfoer struct {
 	ctrl     *gomock.Controller
-	recorder *MockLoggerMockRecorder
+	recorder *MockInfoerMockRecorder
 }
 
-// MockLoggerMockRecorder is the mock recorder for MockLogger.
-type MockLoggerMockRecorder struct {
-	mock *MockLogger
+// MockInfoerMockRecorder is the mock recorder for MockInfoer.
+type MockInfoerMockRecorder struct {
+	mock *MockInfoer
 }
 
-// NewMockLogger creates a new mock instance.
-func NewMockLogger(ctrl *gomock.Controller) *MockLogger {
-	mock := &MockLogger{ctrl: ctrl}
-	mock.recorder = &MockLoggerMockRecorder{mock}
+// NewMockInfoer creates a new mock instance.
+func NewMockInfoer(ctrl *gomock.Controller) *MockInfoer {
+	mock := &MockInfoer{ctrl: ctrl}
+	mock.recorder = &MockInfoerMockRecorder{mock}
 	return mock
 }
 
 // EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockLogger) EXPECT() *MockLoggerMockRecorder {
+func (m *MockInfoer) EXPECT() *MockInfoerMockRecorder {
 	return m.recorder
 }
 
 // Info mocks base method.
-func (m *MockLogger) Info(arg0 string) {
+func (m *MockInfoer) Info(arg0 string) {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "Info", arg0)
 }
 
 // Info indicates an expected call of Info.
-func (mr *MockLoggerMockRecorder) Info(arg0 interface{}) *gomock.Call {
+func (mr *MockInfoerMockRecorder) Info(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Info", reflect.TypeOf((*MockLogger)(nil).Info), arg0)
-}
-
-// Warn mocks base method.
-func (m *MockLogger) Warn(arg0 string) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "Warn", arg0)
-}
-
-// Warn indicates an expected call of Warn.
-func (mr *MockLoggerMockRecorder) Warn(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Warn", reflect.TypeOf((*MockLogger)(nil).Warn), arg0)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Info", reflect.TypeOf((*MockInfoer)(nil).Info), arg0)
 }

internal/storage/read_test.go

@@ -95,7 +95,7 @@ func Test_extractServersFromBytes(t *testing.T) {
 			t.Parallel()
 			ctrl := gomock.NewController(t)
 
-			logger := NewMockLogger(ctrl)
+			logger := NewMockInfoer(ctrl)
 			var previousLogCall *gomock.Call
 			for _, logged := range testCase.logged {
 				call := logger.EXPECT().Info(logged)

internal/storage/storage.go

@@ -13,35 +13,30 @@ type Storage struct {
 	// the embedded JSON file on every call to the
 	// SyncServers method.
 	hardcodedServers models.AllServers
-	logger           Logger
+	logger           Infoer
 	filepath         string
 }
 
-type Logger interface {
+type Infoer interface {
 	Info(s string)
-	Warn(s string)
 }
 
 // New creates a new storage and reads the servers from the
 // embedded servers file and the file on disk.
-// Passing an empty filepath disables the reading and writing of
-// servers.
-func New(logger Logger, filepath string) (storage *Storage, err error) {
+// Passing an empty filepath disables writing servers to a file.
+func New(logger Infoer, filepath string) (storage *Storage, err error) {
 	// A unit test prevents any error from being returned
 	// and ensures all providers are part of the servers returned.
 	hardcodedServers, _ := parseHardcodedServers()
 
 	storage = &Storage{
 		hardcodedServers: hardcodedServers,
-		mergedServers:    hardcodedServers,
 		logger:           logger,
 		filepath:         filepath,
 	}
 
-	if filepath != "" {
-		if err := storage.syncServers(); err != nil {
-			return nil, err
-		}
+	if err := storage.syncServers(); err != nil {
+		return nil, err
 	}
 
 	return storage, nil

internal/storage/sync.go

@@ -46,13 +46,13 @@ func (s *Storage) syncServers() (err error) {
 	}
 
 	// Eventually write file
-	if reflect.DeepEqual(serversOnFile, s.mergedServers) {
+	if s.filepath == "" || reflect.DeepEqual(serversOnFile, s.mergedServers) {
 		return nil
 	}
 
 	err = s.flushToFile(s.filepath)
 	if err != nil {
-		s.logger.Warn("failed writing servers to file: " + err.Error())
+		return fmt.Errorf("writing servers to file: %w", err)
 	}
 	return nil
 }

internal/vpn/tunnelup.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/netip"
 
+	"github.com/qdm12/dns/v2/pkg/check"
 	"github.com/qdm12/gluetun/internal/constants"
 	"github.com/qdm12/gluetun/internal/version"
 )
@@ -45,7 +46,14 @@ func (l *Loop) onTunnelUp(ctx, loopCtx context.Context, data tunnelUpData) {
 		return
 	}
 
-	_, _ = l.dnsLooper.ApplyStatus(ctx, constants.Running)
+	if *l.dnsLooper.GetSettings().ServerEnabled {
+		_, _ = l.dnsLooper.ApplyStatus(ctx, constants.Running)
+	} else {
+		err := check.WaitForDNS(ctx, check.Settings{})
+		if err != nil {
+			l.logger.Error("waiting for DNS to be ready: " + err.Error())
+		}
+	}
 
 	err = l.publicip.RunOnce(ctx)
 	if err != nil {