feat(nordvpn): new API endpoint and wireguard support

internal/configuration/settings/provider.go

@@ -35,6 +35,7 @@ func (p *Provider) validate(vpnType string, storage Storage) (err error) {
  providers.Custom,
  providers.Ivpn,
  providers.Mullvad,
+ providers.Nordvpn,
  providers.Surfshark,
  providers.Windscribe,
  }

internal/configuration/settings/vpn.go

@@ -74,7 +74,7 @@ func (v *VPN) setDefaults() {
  v.Type = gosettings.DefaultString(v.Type, vpn.OpenVPN)
  v.Provider.setDefaults()
  v.OpenVPN.setDefaults(*v.Provider.Name)
- v.Wireguard.setDefaults()
+ v.Wireguard.setDefaults(*v.Provider.Name)
 }
 
 func (v VPN) String() string {

internal/configuration/settings/wireguard.go

@@ -51,6 +51,7 @@ func (w Wireguard) validate(vpnProvider string, ipv6Supported bool) (err error)
  providers.Custom,
  providers.Ivpn,
  providers.Mullvad,
+ providers.Nordvpn,
  providers.Surfshark,
  providers.Windscribe,
  ) {
@@ -140,9 +141,14 @@ func (w *Wireguard) overrideWith(other Wireguard) {
  w.Implementation = gosettings.OverrideWithString(w.Implementation, other.Implementation)
 }
 
-func (w *Wireguard) setDefaults() {
+func (w *Wireguard) setDefaults(vpnProvider string) {
  w.PrivateKey = gosettings.DefaultPointer(w.PrivateKey, "")
  w.PreSharedKey = gosettings.DefaultPointer(w.PreSharedKey, "")
+ if vpnProvider == providers.Nordvpn {
+ defaultNordVPNAddress := netip.AddrFrom4([4]byte{10, 5, 0, 2})
+ defaultNordVPNPrefix := netip.PrefixFrom(defaultNordVPNAddress, defaultNordVPNAddress.BitLen())
+ w.Addresses = gosettings.DefaultSlice(w.Addresses, []netip.Prefix{defaultNordVPNPrefix})
+ }
  w.Interface = gosettings.DefaultString(w.Interface, "wg0")
  w.MTU = gosettings.DefaultNumber(w.MTU, wireguarddevice.DefaultMTU)
  w.Implementation = gosettings.DefaultString(w.Implementation, "auto")

internal/configuration/settings/wireguardselection.go

@@ -38,7 +38,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
  // Validate EndpointIP
  switch vpnProvider {
  case providers.Airvpn, providers.Ivpn, providers.Mullvad,
- providers.Surfshark, providers.Windscribe:
+ providers.Nordvpn, providers.Surfshark, providers.Windscribe:
  // endpoint IP addresses are baked in
  case providers.Custom:
  if !w.EndpointIP.IsValid() || w.EndpointIP.IsUnspecified() {
@@ -55,7 +55,7 @@ func (w WireguardSelection) validate(vpnProvider string) (err error) {
  return fmt.Errorf("%w", ErrWireguardEndpointPortNotSet)
  }
  // EndpointPort cannot be set
- case providers.Surfshark:
+ case providers.Surfshark, providers.Nordvpn:
  if *w.EndpointPort != 0 {
  return fmt.Errorf("%w", ErrWireguardEndpointPortSet)
  }

internal/provider/nordvpn/connection.go

@@ -8,7 +8,7 @@ import (
 
 func (p *Provider) GetConnection(selection settings.ServerSelection, ipv6Supported bool) (
  connection models.Connection, err error) {
- defaults := utils.NewConnectionDefaults(443, 1194, 0) //nolint:gomnd
+ defaults := utils.NewConnectionDefaults(443, 1194, 51820) //nolint:gomnd
  return utils.GetConnection(p.Name(),
  p.storage, selection, defaults, ipv6Supported, p.randSource)
 }

internal/provider/nordvpn/updater/api.go

@@ -12,19 +12,13 @@ var (
  ErrHTTPStatusCodeNotOK = errors.New("HTTP status code not OK")
 )
 
-type serverData struct {
- Domain string `json:"domain"`
- IPAddress string `json:"ip_address"`
- Name string `json:"name"`
- Country string `json:"country"`
- Features struct {
- UDP bool `json:"openvpn_udp"`
- TCP bool `json:"openvpn_tcp"`
- } `json:"features"`
-}
-
-func fetchAPI(ctx context.Context, client *http.Client) (data []serverData, err error) {
- const url = "https://nordvpn.com/api/server"
+func fetchAPI(ctx context.Context, client *http.Client,
+ recommended bool, limit uint) (data []serverData, err error) {
+ url := "https://api.nordvpn.com/v1/servers/"
+ if recommended {
+ url += "recommendations"
+ }
+ url += fmt.Sprintf("?limit=%d", limit) // 0 means no limit
 
  request, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
  if err != nil {

internal/provider/nordvpn/updater/models.go

@@ -0,0 +1,131 @@
+package updater
+
+import (
+ "encoding/base64"
+ "errors"
+ "fmt"
+ "net/netip"
+)
+
+// Check out the JSON data from https://api.nordvpn.com/v1/servers?limit=10
+type serverData struct {
+ // Name is the server name, for example 'Poland #128'
+ Name string `json:"name"`
+ // Stations is, it seems, the entry IP address.
+ // However it is ignored in favor of the 'ips' entry field.
+ Station netip.Addr `json:"station"`
+ // IPv6Station is mostly empty, so we ignore it for now.
+ IPv6Station netip.Addr `json:"station_ipv6"`
+ // Hostname is the server hostname, for example 'pl128.nordvpn.com'
+ Hostname string
+ // Status is the server status, for example 'online'
+ Status string `json:"status"`
+ // Locations is the list of locations for the server.
+ // Only the first location is taken into account for now.
+ Locations []struct {
+ Country struct {
+ // Name is the country name, for example 'Poland'.
+ Name string `json:"name"`
+ City struct {
+ // Name is the city name, for example 'Warsaw'.
+ Name string `json:"name"`
+ } `json:"city"`
+ } `json:"country"`
+ } `json:"locations"`
+ Technologies []struct {
+ // Identifier is the technology id name, it can notably be:
+ // - openvpn_udp
+ // - openvpn_tcp
+ // - wireguard_udp
+ Identifier string `json:"identifier"`
+ // Metadata is notably useful for the Wireguard public key.
+ Metadata []struct {
+ // Name can notably be 'public_key'.
+ Name string `json:"name"`
+ // Value can notably the Wireguard public key value.
+ Value string `json:"value"`
+ } `json:"metadata"`
+ } `json:"technologies"`
+ Groups []struct {
+ // Title can notably be the region name, for example 'Europe',
+ // if the group's type/identifier is 'regions'.
+ Title string `json:"title"`
+ Type struct {
+ // Identifier can be 'regions'.
+ Identifier string `json:"identifier"`
+ } `json:"type"`
+ } `json:"groups"`
+ // IPs is the list of IP addresses for the server.
+ IPs []struct {
+ // Type can notably be 'entry'.
+ Type string `json:"type"`
+ IP struct {
+ IP netip.Addr `json:"ip"`
+ } `json:"ip"`
+ } `json:"ips"`
+}
+
+// country returns the country name of the server.
+func (s *serverData) country() (country string) {
+ if len(s.Locations) == 0 {
+ return ""
+ }
+ return s.Locations[0].Country.Name
+}
+
+// region returns the region name of the server.
+func (s *serverData) region() (region string) {
+ for _, group := range s.Groups {
+ if group.Type.Identifier == "regions" {
+ return group.Title
+ }
+ }
+ return ""
+}
+
+// city returns the city name of the server.
+func (s *serverData) city() (city string) {
+ if len(s.Locations) == 0 {
+ return ""
+ }
+ return s.Locations[0].Country.City.Name
+}
+
+// ips returns the list of IP addresses for the server.
+func (s *serverData) ips() (ips []netip.Addr) {
+ ips = make([]netip.Addr, 0, len(s.IPs))
+ for _, ipObject := range s.IPs {
+ if ipObject.Type != "entry" {
+ continue
+ }
+ ips = append(ips, ipObject.IP.IP)
+ }
+ return ips
+}
+
+var (
+ ErrWireguardPublicKeyMalformed = errors.New("wireguard public key is malformed")
+ ErrWireguardPublicKeyNotFound = errors.New("wireguard public key not found")
+)
+
+// wireguardPublicKey returns the Wireguard public key for the server.
+func (s *serverData) wireguardPublicKey() (wgPubKey string, err error) {
+ for _, technology := range s.Technologies {
+ if technology.Identifier != "wireguard_udp" {
+ continue
+ }
+ for _, metadata := range technology.Metadata {
+ if metadata.Name != "public_key" {
+ continue
+ }
+ wgPubKey = metadata.Value
+ _, err = base64.StdEncoding.DecodeString(wgPubKey)
+ if err != nil {
+ return "", fmt.Errorf("%w: %s cannot be decoded: %s",
+ ErrWireguardPublicKeyMalformed, wgPubKey, err)
+ }
+ return metadata.Value, nil
+ }
+ }
+ return "", fmt.Errorf("%w", ErrWireguardPublicKeyNotFound)
+}

internal/provider/nordvpn/updater/servers.go

@@ -4,7 +4,6 @@ import (
  "context"
  "errors"
  "fmt"
- "net/netip"
  "sort"
 
  "github.com/qdm12/gluetun/internal/constants/vpn"
@@ -18,39 +17,74 @@ var (
 
 func (u *Updater) FetchServers(ctx context.Context, minServers int) (
  servers []models.Server, err error) {
- data, err := fetchAPI(ctx, u.client)
+ const recommended = true
+ const limit = 0
+ data, err := fetchAPI(ctx, u.client, recommended, limit)
  if err != nil {
  return nil, err
  }
 
  servers = make([]models.Server, 0, len(data))
 
  for _, jsonServer := range data {
- if !jsonServer.Features.TCP && !jsonServer.Features.UDP {
- u.warner.Warn("server does not support TCP and UDP for openvpn: " + jsonServer.Name)
+ if jsonServer.Status != "online" {
+ u.warner.Warn(fmt.Sprintf("ignoring offline server %s", jsonServer.Name))
  continue
  }
 
- ip, err := parseIPv4(jsonServer.IPAddress)
- if err != nil {
- return nil, fmt.Errorf("%w for server %s", err, jsonServer.Name)
+ server := models.Server{
+ Country: jsonServer.country(),
+ Region: jsonServer.region(),
+ City: jsonServer.city(),
+ Hostname: jsonServer.Hostname,
+ IPs: jsonServer.ips(),
  }
 
  number, err := parseServerName(jsonServer.Name)
- if err != nil {
- return nil, err
+ switch {
+ case errors.Is(err, ErrNoIDInServerName):
+ u.warner.Warn(fmt.Sprintf("%s - leaving server number as 0", err))
+ case err != nil:
+ u.warner.Warn(fmt.Sprintf("failed parsing server name: %s", err))
+ continue
+ default: // no error
+ server.Number = number
  }
 
- server := models.Server{
- VPN: vpn.OpenVPN,
- Region: jsonServer.Country,
- Hostname: jsonServer.Domain,
- Number: number,
- IPs: []netip.Addr{ip},
- TCP: jsonServer.Features.TCP,
- UDP: jsonServer.Features.UDP,
+ var wireguardFound, openvpnFound bool
+ wireguardServer := server
+ wireguardServer.VPN = vpn.Wireguard
+ openVPNServer := server // accumulate UDP+TCP technologies
+ openVPNServer.VPN = vpn.OpenVPN
+
+ for _, technology := range jsonServer.Technologies {
+ switch technology.Identifier {
+ case "openvpn_udp":
+ openvpnFound = true
+ openVPNServer.UDP = true
+ case "openvpn_tcp":
+ openvpnFound = true
+ openVPNServer.TCP = true
+ case "wireguard_udp":
+ wireguardFound = true
+ wireguardServer.WgPubKey, err = jsonServer.wireguardPublicKey()
+ if err != nil {
+ u.warner.Warn(fmt.Sprintf("ignoring Wireguard server %s: %s",
+ jsonServer.Name, err))
+ wireguardFound = false
+ continue
+ }
+ default: // Ignore other technologies
+ continue
+ }
+ }
+
+ if openvpnFound {
+ servers = append(servers, openVPNServer)
+ }
+ if wireguardFound {
+ servers = append(servers, wireguardServer)
  }
- servers = append(servers, server)
  }
 
  if len(servers) < minServers {