Bug: New protonvpn server list update code which calls Proton API fails as Proton responds with a CAPTCHA #3022

@gene1wood

Is this urgent?

No

Host OS

Ubuntu 22.04

CPU arch

x86_64

VPN service provider

ProtonVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2025-11-26T13:47:08.821Z (commit c25c9f6)

What's the problem 🤔

The new update feature in 3.40.2 and 3.40.3 which calls the ProtonVPN API fails when run from the gluetun-entrypoint interface because Proton responds with a CAPTCHA challenge.

When running a command like this from within the gluetun container:

./gluetun-entrypoint update -enduser -providers protonvpn -proton-email "example-user-name@proton.me" -proton-password "example-password-goes-here"

The update fails and this output is shown:

025-11-29T02:15:14Z INFO merging by most recent 20962 hardcoded servers and 20962 servers read from /gluetun/servers.json
2025-11-29T02:15:14Z INFO updating Protonvpn servers...
2025-11-29T02:15:25Z ERROR updating server information: getting protonvpn servers: authentifying with Proton: authentifying: HTTP status code not OK: Unprocessable Entity: {"Code":9001,"Error":"For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/appeal-abuse","Details":{"HumanVerificationToken":"S-REDACTED-REDACTED-REDL","HumanVerificationMethods":["captcha"],"Direct":1,"Description":"","Title":"Human Verification","WebUrl":"https://verify.proton.me/?methods=captcha&token=S-REDACTED-REDACTED-REDL","ExpiresAt":1764384325}}
2025-11-29T02:15:25Z INFO Shutdown successful

The key line being:

For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/appeal-abuse

I attempted copy-pasting that WebUrl into a browser and solving the CAPTCHA, and then attempted running the update again, but it failed and provided a new CAPTCHA challenge.

I'm not sure how to solve for this given that it requires human interaction.

This relates to #2820 and the fix #2878

Share your logs (at least 10 lines)

gluetun  | ========================================
gluetun  | ========================================
gluetun  | =============== gluetun ================
gluetun  | ========================================
gluetun  | =========== Made with ❤️ by ============
gluetun  | ======= https://github.com/qdm12 =======
gluetun  | ========================================
gluetun  | ========================================
gluetun  | 
gluetun  | Running version latest built on 2025-11-26T13:47:08.821Z (commit c25c9f6)
gluetun  | 
gluetun  | 🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
gluetun  | 🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
gluetun  | 💻 Email? quentin.mcgaw@gmail.com
gluetun  | 💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
gluetun  | 2025-11-29T02:11:04Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.4 and family v4
gluetun  | 2025-11-29T02:11:04Z INFO [routing] local ethernet link found: eth0
gluetun  | 2025-11-29T02:11:04Z INFO [routing] local ipnet found: 172.21.0.0/16
gluetun  | 2025-11-29T02:11:04Z INFO [firewall] enabling...
gluetun  | 2025-11-29T02:11:04Z INFO [firewall] enabled successfully
gluetun  | 2025-11-29T02:11:05Z INFO [storage] merging by most recent 20962 hardcoded servers and 20962 servers read from /gluetun/servers.json
gluetun  | 2025-11-29T02:11:06Z INFO Alpine version: 3.22.2
gluetun  | 2025-11-29T02:11:06Z INFO OpenVPN 2.5 version: 2.5.10
gluetun  | 2025-11-29T02:11:06Z INFO OpenVPN 2.6 version: 2.6.16
gluetun  | 2025-11-29T02:11:06Z INFO IPtables version: v1.8.11
gluetun  | 2025-11-29T02:11:06Z INFO Settings summary:
gluetun  | ├── VPN settings:
gluetun  | |   ├── VPN provider settings:
gluetun  | |   |   ├── Name: protonvpn
gluetun  | |   |   ├── Server selection settings:
gluetun  | |   |   |   ├── VPN type: wireguard
gluetun  | |   |   |   ├── Countries: sweden
gluetun  | |   |   |   ├── Port forwarding only servers: yes
gluetun  | |   |   |   └── Wireguard selection settings:
gluetun  | |   |   └── Automatic port forwarding settings:
gluetun  | |   |       ├── Redirection listening port: disabled
gluetun  | |   |       ├── Use code for provider: protonvpn
gluetun  | |   |       ├── Forwarded port file path: /tmp/gluetun/forwarded_port
gluetun  | |   |       └── Forwarded port up command: /bin/sh -c "REDACTED"
gluetun  | |   └── Wireguard settings:
gluetun  | |       ├── Private key: REDACTED
gluetun  | |       ├── Interface addresses:
gluetun  | |       |   └── 10.2.0.2/32
gluetun  | |       ├── Allowed IPs:
gluetun  | |       |   ├── 0.0.0.0/0
gluetun  | |       |   └── ::/0
gluetun  | |       └── Network interface: tun0
gluetun  | |           └── MTU: 1320
gluetun  | ├── DNS settings:
gluetun  | |   ├── Keep existing nameserver(s): no
gluetun  | |   ├── DNS server address to use: 127.0.0.1
gluetun  | |   ├── DNS forwarder server enabled: yes
gluetun  | |   ├── Upstream resolver type: dot
gluetun  | |   ├── Upstream resolvers:
gluetun  | |   |   └── cloudflare
gluetun  | |   ├── Caching: yes
gluetun  | |   ├── IPv6: no
gluetun  | |   ├── Update period: every 24h0m0s
gluetun  | |   └── DNS filtering settings:
gluetun  | |       ├── Block malicious: yes
gluetun  | |       ├── Block ads: no
gluetun  | |       └── Block surveillance: no
gluetun  | ├── Firewall settings:
gluetun  | |   └── Enabled: yes
gluetun  | ├── Log settings:
gluetun  | |   └── Log level: info
gluetun  | ├── Health settings:
gluetun  | |   ├── Server listening address: 127.0.0.1:9999
gluetun  | |   ├── Target addresses:
gluetun  | |   |   ├── cloudflare.com:443
gluetun  | |   |   └── github.com:443
gluetun  | |   ├── Small health check type: ICMP echo request
gluetun  | |   |   └── ICMP target IPs:
gluetun  | |   |       ├── 1.1.1.1
gluetun  | |   |       └── 8.8.8.8
gluetun  | |   └── Restart VPN on healthcheck failure: yes
gluetun  | ├── Shadowsocks server settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── HTTP proxy settings:
gluetun  | |   └── Enabled: no
gluetun  | ├── Control server settings:
gluetun  | |   ├── Listening address: :8000
gluetun  | |   ├── Logging: yes
gluetun  | |   └── Authentication file path: /gluetun/auth/config.toml
gluetun  | ├── Storage settings:
gluetun  | |   └── Filepath: /gluetun/servers.json
gluetun  | ├── OS Alpine settings:
gluetun  | |   ├── Process UID: 1000
gluetun  | |   └── Process GID: 1000
gluetun  | ├── Public IP settings:
gluetun  | |   ├── IP file path: /tmp/gluetun/ip
gluetun  | |   ├── Public IP data base API: ipinfo
gluetun  | |   └── Public IP data backup APIs:
gluetun  | |       ├── ifconfigco
gluetun  | |       ├── ip2location
gluetun  | |       └── cloudflare
gluetun  | └── Version settings:
gluetun  |     └── Enabled: yes
gluetun  | 2025-11-29T02:11:06Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.4 and family v4
gluetun  | 2025-11-29T02:11:06Z INFO [routing] adding route for 0.0.0.0/0
gluetun  | 2025-11-29T02:11:06Z INFO [firewall] setting allowed subnets...
gluetun  | 2025-11-29T02:11:06Z INFO [routing] default route found: interface eth0, gateway 172.21.0.1, assigned IP 172.21.0.4 and family v4
gluetun  | 2025-11-29T02:11:06Z INFO [dns] using plaintext DNS at address 1.1.1.1
gluetun  | 2025-11-29T02:11:06Z INFO [healthcheck] listening on 127.0.0.1:9999
gluetun  | 2025-11-29T02:11:06Z INFO [http server] read 1 roles from authentication file
gluetun  | 2025-11-29T02:11:06Z INFO [http server] http server listening on [::]:8000
gluetun  | 2025-11-29T02:11:06Z INFO [firewall] allowing VPN connection...
gluetun  | 2025-11-29T02:11:06Z INFO [wireguard] Using available kernelspace implementation
gluetun  | 2025-11-29T02:11:06Z INFO [wireguard] Connecting to 192.0.2.1:12345
gluetun  | 2025-11-29T02:11:06Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
gluetun  | 2025-11-29T02:11:12Z INFO [dns] downloading hostnames and IP block lists
gluetun  | 2025-11-29T02:11:16Z INFO [dns] DNS server listening on [::]:53
gluetun  | 2025-11-29T02:11:17Z INFO [dns] ready
gluetun  | 2025-11-29T02:11:18Z INFO [ip getter] Public IP address is 192.0.2.2 (REDACTED - source: ipinfo)
gluetun  | 2025-11-29T02:11:20Z INFO [vpn] You are running on the bleeding edge of latest!
gluetun  | 2025-11-29T02:11:20Z INFO [port forwarding] starting
gluetun  | 2025-11-29T02:11:20Z INFO [port forwarding] gateway external IPv4 address is 192.0.2.2
gluetun  | 2025-11-29T02:11:20Z INFO [port forwarding] port forwarded is 23456
gluetun  | 2025-11-29T02:11:20Z INFO [firewall] setting allowed input port 23456 through interface tun0...
gluetun  | 2025-11-29T02:11:20Z INFO [port forwarding] writing port file /tmp/gluetun/forwarded_port
gluetun  | 2025-11-29T02:12:00Z ERROR [port forwarding] running up command: exit status 1

Share your configuration

services:
  gluetun:
    image: ghcr.io/qdm12/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    env_file:
      # see .env file for environment variables
      - .env
    volumes:
      - /etc/gluetun:/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    networks:
      - web_custom  # This network is created manually, not in a docker compose file
networks:
  web_custom:
    external: true

The .env

VPN_SERVICE_PROVIDER=protonvpn
VPN_TYPE=wireguard
VPN_PORT_FORWARDING=on
VPN_PORT_FORWARDING_UP_COMMAND=REDACTED
VPN_PORT_FORWARDING_PROVIDER=protonvpn
WIREGUARD_PRIVATE_KEY=REDACTED
SERVER_COUNTRIES=Sweden
PORT_FORWARD_ONLY=on
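
Added example, not part of the original report and not gluetun's own code: one way an updater could recognise the human-verification response quoted in the report (HTTP 422, Code 9001) and return a typed error that keeps the HumanVerificationToken and WebUrl out of log output. The names apiError, HumanVerificationError, classifyAuthFailure and sampleBody are hypothetical; the JSON field names and values are taken from the log line in the report, with the token as a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// Field names copied from the error body in the report's log output.
type apiError struct {
	Code    int
	Error   string
	Details struct {
		HumanVerificationMethods []string
		ExpiresAt                int64
	}
}

// HumanVerificationError (hypothetical type) omits HumanVerificationToken and WebUrl so they never reach logs.
type HumanVerificationError struct {
	Methods []string
	Expires time.Time
}

func (e *HumanVerificationError) Error() string {
	return fmt.Sprintf("human verification required %v, challenge expires %s", e.Methods, e.Expires.Format(time.RFC3339))
}

// classifyAuthFailure (hypothetical helper) maps a non-OK auth response to a typed error instead of echoing the raw body.
func classifyAuthFailure(status int, body []byte) error {
	var parsed apiError
	if err := json.Unmarshal(body, &parsed); err != nil {
		return fmt.Errorf("HTTP status %d with unparseable body", status)
	}
	if status == http.StatusUnprocessableEntity && parsed.Code == 9001 { // code seen in the report
		return &HumanVerificationError{
			Methods: parsed.Details.HumanVerificationMethods,
			Expires: time.Unix(parsed.Details.ExpiresAt, 0).UTC(),
		}
	}
	return fmt.Errorf("HTTP status %d: code %d: %s", status, parsed.Code, parsed.Error)
}

// sampleBody is constructed from the report's log line; the token is a placeholder and the message is shortened.
const sampleBody = `{"Code":9001,"Error":"For security reasons, please complete CAPTCHA.","Details":{"HumanVerificationToken":"S-REDACTED","HumanVerificationMethods":["captcha"],"Direct":1,"WebUrl":"https://verify.proton.me/?methods=captcha&token=S-REDACTED","ExpiresAt":1764384325}}`

func main() {
	fmt.Println(classifyAuthFailure(http.StatusUnprocessableEntity, []byte(sampleBody)))
}
```

A caller can match the typed error with `errors.As` to stop retrying and show the user a clear message, since the report notes that a repeated attempt only produced a new challenge.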
