Bug: ProtonVPN free tier servers removed from servers.json by server data updater

[Blwrk]

Is this urgent?

No

Host OS

Synology DSM 7.2.2-72806 Update 1

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-11-18T09:49:16.711Z (commit 68ddbfc)

What's the problem 🤔

There seems to be an issue with the updater regarding the free tier protonvpn servers.
After the updater is run either by schedule, the command line or via the control server, none of the free tier servers remain in my "gluetun/servers.json"-file.
This results in no connection after the container becomes unhealthy or is restarted

When I remove the file and restart the container, connection is possible and the hardcoded free tier servers can be found by grepping them from the file e.g.:

cat gluetun/servers.json | grep -A3 'FREE#' | grep '.protonvpn.net'
        "hostname": "node-jp-13.protonvpn.net",
        "hostname": "node-jp-13.protonvpn.net",
        "hostname": "node-nl-149.protonvpn.net",
        "hostname": "node-nl-149.protonvpn.net",
        "hostname": "node-nl-150.protonvpn.net",
        "hostname": "node-nl-150.protonvpn.net",
        "hostname": "node-nl-05.protonvpn.net",
        "hostname": "node-nl-05.protonvpn.net",
        "hostname": "node-nl-74.protonvpn.net",
        "hostname": "node-nl-74.protonvpn.net",
        "hostname": "node-nl-108.protonvpn.net",
        "hostname": "node-nl-108.protonvpn.net",
        "hostname": "node-us-56.protonvpn.net",
        "hostname": "node-us-56.protonvpn.net",
        "hostname": "node-us-61.protonvpn.net",
        "hostname": "node-us-61.protonvpn.net",
        "hostname": "node-us-262.protonvpn.net",
        "hostname": "node-us-262.protonvpn.net",
        "hostname": "node-us-263.protonvpn.net",
        "hostname": "node-us-263.protonvpn.net",
        "hostname": "node-us-264.protonvpn.net",
        "hostname": "node-us-264.protonvpn.net",

For now I have disabled the server updater schedule and all is running well, but I would like to have it enabled in case the servers info changes in the future.

Also tested with following versions:
v0.39.1
v0.39.0

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-11-18T09:49:16.711Z (commit 68ddbfc)

📣 All control server routes will become private by default after the v3.41.0 release

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? [email protected]
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-11-24T09:08:52+01:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.128.11 and family v4
2024-11-24T09:08:52+01:00 INFO [routing] local ethernet link found: eth0
2024-11-24T09:08:52+01:00 INFO [routing] local ipnet found: 172.20.0.0/16
2024-11-24T09:08:52+01:00 INFO [firewall] enabling...
2024-11-24T09:08:52+01:00 INFO [firewall] enabled successfully
2024-11-24T09:08:54+01:00 INFO [storage] merging by most recent 20776 hardcoded servers and 20776 servers read from /gluetun/servers.json
2024-11-24T09:08:55+01:00 INFO Alpine version: 3.20.3
2024-11-24T09:08:55+01:00 INFO OpenVPN 2.5 version: 2.5.10
2024-11-24T09:08:55+01:00 INFO OpenVPN 2.6 version: 2.6.11
2024-11-24T09:08:55+01:00 INFO IPtables version: v1.8.10
2024-11-24T09:08:55+01:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Free only servers: yes
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: <removed>
|       ├── Interface addresses:
|       |   └── 10.2.0.2/32
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       ├── 172.20.0.0/16
|       └── 192.168.178.0/24
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: no
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: europe/berlin
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
├── Server data updater settings:
|   ├── Update period: 24h0m0s
|   ├── DNS address: 1.1.1.1:53
|   ├── Minimum ratio: 0.8
|   └── Providers to update: protonvpn
└── Version settings:
    └── Enabled: yes
2024-11-24T09:08:55+01:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.128.11 and family v4
2024-11-24T09:08:55+01:00 INFO [routing] adding route for 0.0.0.0/0
2024-11-24T09:08:55+01:00 INFO [firewall] setting allowed subnets...
2024-11-24T09:08:55+01:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.128.11 and family v4
2024-11-24T09:08:55+01:00 INFO [routing] adding route for 172.20.0.0/16
2024-11-24T09:08:55+01:00 INFO [routing] adding route for 192.168.178.0/24
2024-11-24T09:08:55+01:00 INFO [http server] http server listening on [::]:8000
2024-11-24T09:08:55+01:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-11-24T09:08:55+01:00 INFO [firewall] allowing VPN connection...
2024-11-24T09:08:55+01:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-11-24T09:08:55+01:00 INFO [wireguard] Using available kernelspace implementation
2024-11-24T09:08:55+01:00 INFO [wireguard] Connecting to 84.17.45.156:51820
2024-11-24T09:08:55+01:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-11-24T09:08:55+01:00 INFO [dns] downloading hostnames and IP block lists
2024-11-24T09:09:01+01:00 INFO [healthcheck] healthy!
2024-11-24T09:09:04+01:00 INFO [dns] DNS server listening on [::]:53
2024-11-24T09:09:05+01:00 INFO [dns] ready
2024-11-24T09:09:06+01:00 INFO [ip getter] Public IP address is 84.17.45.157 (United States, California, Los Angeles - source: ipinfo)
2024-11-24T09:09:08+01:00 INFO [vpn] You are running on the bleeding edge of latest!
2024-11-24T09:09:18+01:00 INFO [updater] updating Protonvpn servers...
2024-11-24T09:09:22+01:00 WARN [updater] ignoring server node-il-03.protonvpn.net with status 0
2024-11-24T09:09:22+01:00 WARN [updater] ignoring server node-il-03.protonvpn.net with status 0
2024-11-24T09:09:22+01:00 WARN [updater] ignoring server node-il-03.protonvpn.net with status 0
2024-11-24T09:09:22+01:00 WARN [updater] ignoring server node-il-03.protonvpn.net with status 0
2024-11-24T09:09:22+01:00 WARN [updater] ignoring server node-il-03.protonvpn.net with status 0
2024-11-24T09:09:31+01:00 INFO [vpn] stopping
2024-11-24T09:09:43+01:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4 104.16.132.229:443: i/o timeout)
2024-11-24T09:09:43+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-24T09:09:43+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-24T09:09:43+01:00 INFO [vpn] starting
2024-11-24T09:09:43+01:00 ERROR [vpn] finding a VPN server: filtering servers: no server found: for VPN wireguard; protocol udp; free tier only; target ip address 0.0.0.0
2024-11-24T09:09:43+01:00 INFO [vpn] retrying in 15s
2024-11-24T09:09:55+01:00 INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4 104.16.132.229:443: i/o timeout)
2024-11-24T09:09:55+01:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-11-24T09:09:55+01:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-11-24T09:09:58+01:00 ERROR [vpn] finding a VPN server: filtering servers: no server found: for VPN wireguard; protocol udp; free tier only; target ip address 0.0.0.0
2024-11-24T09:09:58+01:00 INFO [vpn] retrying in 30s

Share your configuration

version: "3.8"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    hostname: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - <removed>
      - (...)
      - <removed>
    volumes:
      - ./gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<removed>
      - FREE_ONLY=on
      - TZ="Europe/Berlin"
      - HTTP_CONTROL_SERVER_LOG=off
      - HTTPPROXY=off
      - SHADOWSOCKS=off
      - FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.178.0/24
      - UPDATER_PERIOD=24h
    network_mode: synobridge
    restart: unless-stopped

networks:
  synobridge:
    external: true

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[Blwrk]

Little update on this:
I stumbled upon #1126 and to me it seems like the free tier servers are simply not listed at https://api.protonmail.ch/vpn/logicals hence they are removed by the updater.

I tried the suggested steps from that issue to provide the free servers in my own servers.json file with the custom field "keep": true (tried that on the top-level, provider-level and server-level of the servers.json) and bumping the timestamp but the updater still removes the free servers when it is run.