protonwire

#!/bin/bash
# SPDX-License-Identifier: GPL-3.0
# SPDX-FileCopyrightText: 2023 Prasad Tengse <tprasadtp@users.noreply.github.com>
# shellcheck disable=SC2317

set -o pipefail

if [[ ${BASH_VERSINFO[0]} -lt 4 ]]; then
    printf "protonwire requires Bash version >= 4.2" 1>&2
    exit 1
elif [[ ${BASH_VERSINFO[1]} -eq 4 ]] && [[ ${BASH_VERSINFO[1]} -lt 2 ]]; then
    printf "protonwire requires Bash version >= 4.2" 1>&2
    exit 1
fi

trap __cleanup_background_tasks EXIT
trap __sigterm_handler SIGTERM
trap __sigint_handler SIGINT

function __sigterm_handler() {
    log_warning "Received SIGTERM, exiting..."
    if __protonvpn_disconnect; then
        log_debug "Helathcheck errors - $__PROTONWIRE_HC_ERRORS"
        if [[ $__PROTONWIRE_HC_ERRORS == "0" ]]; then
            exit 0
        else
            exit 1
        fi
    fi
}

function __sigint_handler() {
    log_warning "Received SIGINT, exiting..."
    __protonvpn_disconnect
    exit 1
}

function __print_version() {
    #diana::dynamic:version:begin#
    local PROTONWIRE_VERSION="dev"
    local PROTONWIRE_COMMIT="HEAD"
    #diana::dynamic:version:end#
    printf "protonwire version %s(%s)\n" "$PROTONWIRE_VERSION" "$PROTONWIRE_COMMIT"
}

function __is_stdout_colorable() {
    if [[ -n ${CLICOLOR_FORCE} ]] && [[ ${CLICOLOR_FORCE} != "0" ]]; then
        return 0
    elif [[ -n ${NO_COLOR} ]] || [[ ${CLICOLOR} == "0" ]] || [[ ${TERM} == "dumb" ]] || [[ ${TERM} == "linux" ]]; then
        return 1
    fi
    if [[ -t 2 ]]; then return 0; fi
    return 1
}

function __logger_core_event_handler() {
    [[ $# -lt 2 ]] && return 1

    local lvl_caller="${1:-info}"
    case ${lvl_caller} in
    trace)
        level="0"
        ;;
    debug)
        level="10"
        ;;
    info)
        level="20"
        ;;
    success)
        level="20"
        ;;
    notice)
        level="25"
        ;;
    warning)
        level="30"
        ;;
    error)
        level="40"
        ;;
    *)
        level="100"
        ;;
    esac

    if [[ ${LOG_LVL:-20} -gt "${level}" ]]; then
        return
    fi

    shift
    local lvl_msg="$*"

    local lvl_color
    local lvl_colorized
    local lvl_reset

    if __is_stdout_colorable; then
        lvl_colorized="true"
        # shellcheck disable=SC2155
        lvl_reset="\e[0m"
    fi

    local lvl_prefix
    local lvl_string

    if [[ ${LOG_FMT:-pretty} == "pretty" ]] && [[ -n ${lvl_colorized} ]]; then
        lvl_string="[•]"
    elif [[ ${LOG_FMT} = "full" ]] || [[ ${LOG_FMT} = "long" ]]; then
        if [[ ${LOG_LVL:-20} -lt 20 ]]; then
            printf -v lvl_prefix "%(%FT%TZ)T (%-4s) " -1 "${BASH_LINENO[1]}"
        else
            printf -v lvl_prefix "%(%FT%TZ)T" -1
        fi
    elif [[ ${LOG_FMT} = "journald" ]] || [[ ${LOG_FMT} = "journal" ]]; then
        if [[ ${LOG_LVL:-20} -lt 20 ]]; then
            printf -v lvl_prefix "(%-4s) " "${BASH_LINENO[1]}"
        fi
    fi

    # Define level, color and timestamp. By default we do not show log level and timestamp.
    # However, if LOG_FMT is set to "full" or "long", we will enable long format with timestamps
    case "$lvl_caller" in
    trace)
        # if lvl_string is set earlier, that means LOG_FMT is default or pretty
        # skip timestamp & level. Otherwise append level name to lvl_prefix.
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[TRACE   ]"
        [[ -n "${lvl_colorized}" ]] && lvl_color="\e[38;5;246m"
        ;;
    debug)
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[DEBUG   ]"
        [[ -n "${lvl_colorized}" ]] && lvl_color="\e[38;5;250m"
        ;;
    info)
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[INFO    ]"
        [[ -n "${lvl_colorized}" ]] && lvl_reset=""
        ;;
    success)
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[SUCCESS ]"
        [[ -n "${lvl_colorized}" ]] && lvl_color="\e[38;5;83m"
        ;;
    notice)
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[NOTICE  ]"
        [[ -n "${lvl_colorized}" ]] && lvl_color="\e[38;5;81m"
        ;;
    warning)
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[WARNING ]"
        [[ -n "${lvl_colorized}" ]] && lvl_color="\e[38;5;214m"
        ;;
    error)
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[ERROR   ]"
        [[ -n "${lvl_colorized}" ]] && lvl_color="\e[38;5;197m"
        ;;
    *)
        [[ -z ${lvl_string} ]] && lvl_string="${lvl_prefix}[UNKNOWN ]"
        [[ -n "${lvl_colorized}" ]] && lvl_reset=""
        ;;
    esac
    printf "${lvl_color}%s %s ${lvl_reset}\n" "${lvl_string}" "$lvl_msg"
}

function log_trace() {
    __logger_core_event_handler "trace" "$@"
}

function log_debug() {
    __logger_core_event_handler "debug" "$@"
}

function log_info() {
    __logger_core_event_handler "info" "$@"
}

function log_success() {
    __logger_core_event_handler "success" "$@"
}

function log_warning() {
    __logger_core_event_handler "warning" "$@"
}

function log_notice() {
    __logger_core_event_handler "notice" "$@"
}

function log_error() {
    __logger_core_event_handler "error" "$@"
}

function log_variable() {
    local var="$1"
    local __msg_string
    printf -v __msg_string "%-${4:-35}s : %s" "${var}" "${!var:-NA}"
    __logger_core_event_handler "debug" "${__msg_string}"
}

function log_kv_pair() {
    local __msg_string
    printf -v __msg_string "%-${4:-25}s : %s" "${1:-NA}" "${2:-NA}"
    __logger_core_event_handler "debug" "${__msg_string}"
}

function log_tail() {
    local line prefix
    [[ -n $1 ]] && prefix="($1) "
    while read -r line; do
        __logger_core_event_handler "trace" "$prefix$line"
    done
}

function __cleanup_background_tasks() {
    declare -a pending_tasks
    readarray -t pending_tasks < <(jobs -p)
    if [[ ${#pending_tasks[@]} -gt 1 ]]; then
        log_debug "Cleaning up background tasks - ${pending_tasks[*]:-NONE}"
        for pid in "${pending_tasks[@]}"; do
            log_debug "Stopping PID - $pid with SIGTERM"
            if ! kill -s TERM "$pid" >/dev/null 2>&1; then
                log_warning "Failed to stop PID - $pid"
            fi
        done
    fi
}

function has_command() {
    if command -v "$1" >/dev/null; then return 0; else return 1; fi
}

function __is_valid_ipv4() {
    local IPV4_REGEX="(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))"
    local IPV4_REGEX_SUBNET="([0-9]|[12][0-9]|3[012])"
    local address

    while [[ ${1} != "" ]]; do
        case $1 in
        --cidr | --subnet)
            IPV4_REGEX="${IPV4_REGEX}/${IPV4_REGEX_SUBNET}"
            ;;
        --ip) ;;
        -*)
            log_error "Unknown option: $1"
            return 1
            ;;
        *)
            address="$1"
            ;;
        esac
        shift
    done

    if [[ $address =~ ^$IPV4_REGEX$ ]]; then
        return 0
    fi
    return 1
}

function __is_valid_ipv6() {
    local IPV6_REGEX="(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))"
    local IPV6_REGEX_SUBNET="([0-9]{1,2}|1[01][0-9]|12[0-8])"

    local address

    while [[ ${1} != "" ]]; do
        case $1 in
        --cidr | --subnet)
            IPV6_REGEX="${IPV6_REGEX}/${IPV6_REGEX_SUBNET}"
            ;;
        --ip) ;;

        -*)
            log_error "Unknown option: $1"
            return 1
            ;;
        *)
            address="$1"
            ;;
        esac
        shift
    done

    if [[ $address =~ ^$IPV6_REGEX$ ]]; then
        return 0
    fi
    return 1
}

function __is_valid_ipcheck_url() {
    log_info "Verifying IPCHECK_URL - ${IPCHECK_URL}"
    if [[ -e ${__PROTONWIRE_HCR} ]]; then
        if ! rm -f "${__PROTONWIRE_HCR}" 2>&1 | log_tail "rm ipcheck-response"; then
            log_error "Failed to remove existing IP chck response file - ${__PROTONWIRE_HCR}"
            return 1
        fi
    fi

    case ${IPCHECK_URL} in
    http://*)
        log_error "IPCHECK_URL must be secure (https://)"
        return 1
        ;;
    https://*)
        local curl_rc="-1"
        local curl_opts="-sSfL"
        if __is_bool_true "${DEBUG}"; then
            curl_opts="-vfL"
        fi
        {
            curl "${curl_opts}" -m 20 -A 'protonwire/v7' -o "${__PROTONWIRE_HCR}" \
                "${IPCHECK_URL}" 2>&1 | log_tail "curl-ipcheck-url" &
        }
        wait $!
        curl_rc="$?"

        if [[ $curl_rc == "0" ]]; then
            declare -a ip_check_response
            readarray -t ip_check_response <"${__PROTONWIRE_HCR}"
            if __is_valid_ipv4 "${ip_check_response[0]}"; then
                log_debug "IP Check endpoint returned ${ip_check_response[0]}(IPv4)"
                return 0
            elif __is_valid_ipv6 "${ip_check_response[0]}"; then
                log_debug "IP Check endpoint returned ${ip_check_response[0]}(IPv6)"
                return 0
            else
                log_error "IP Check endpoint returned invalid IP address(${ip_check_response[0]})"
                return 1
            fi
        elif [[ $curl_rc == 6 ]]; then
            log_error "Failed to validate ipcheck endpoint ${IPCHECK_URL} (dns error)"
            return 1
        elif [[ $curl_rc == 28 ]]; then
            log_error "Failed to validate ipcheck endpoint ${IPCHECK_URL} (timeout)"
            return 1
        else
            log_error "Failed to validate ipcheck endpoint ${IPCHECK_URL} (curl exit code: ${curl_rc})"
            return 1
        fi
        ;;
    *)
        log_error "Invalid IPCHECK_URL - $IPCHECK_URL"
        return 1
        ;;
    esac
}

function __is_ipv6_disabled() {
    if [[ $(cat /sys/module/ipv6/parameters/disable) == "1" ]]; then
        return 0
    elif [[ $(cat /sys/module/ipv6/parameters/disable_ipv6) == "1" ]]; then
        return 0
    elif [[ $(sysctl -n net.ipv6.conf.all.disable_ipv6) == "1" ]]; then
        return 0
    elif [[ $(sysctl -n net.ipv6.conf.default.disable_ipv6) == "1" ]]; then
        return 0
    fi
    return 1
}

function __is_bool_true() {
    local bool="${1,,}"
    case "${bool,,}" in
    true | yes | enable | enabled | on | 1)
        return 0
        ;;
    esac
    return 1
}

function __is_skip_dns_config() {
    if __is_bool_true "${SKIP_DNS_CONFIG}"; then return 0; else return 1; fi
}

function __has_notify_socket() {
    if [[ -n $NOTIFY_SOCKET ]]; then
        if [[ -S ${NOTIFY_SOCKET} ]]; then
            return 0
        else
            log_warning "Notify socket '${NOTIFY_SOCKET}' is not a socket!"
        fi
    fi
    return 1
}

function __systemd_notify() {
    local status="${1}"
    if [[ -z ${1} ]]; then
        log_error "Notify message is not defined or empty!"
        return 1
    fi

    if printf "%s" "${status}" |
        timeout 3s nc -w 0 -uU "$NOTIFY_SOCKET" 2>&1 | log_tail "nc-notify"; then
        return 0
    else
        log_debug "nc failed to send status ${status}"
    fi
    return 1
}

function __sd_notify_checks() {
    local errs=0
    if [[ -n $NOTIFY_SOCKET ]]; then
        if [[ -S $NOTIFY_SOCKET ]]; then
            log_debug "NOTIFY_SOCKET is set to $NOTIFY_SOCKET"
            if ! __systemd_notify "STATUS=Initializing"; then
                log_error "sd_notify socket is not working!"
                ((++errs))
            fi
        else
            log_warning "NOTIFY_SOCKET is set but not a socket"
        fi
    fi

    if [[ $errs -eq 0 ]]; then
        return 0
    fi
    return 1
}

function __check_caps() {
    if capsh --has-p=CAP_NET_ADMIN >/dev/null 2>&1; then
        log_debug "Can use CAP_NET_ADMIN capability"
        return 0
    else
        log_error "CAP_NET_ADMIN capability is not available!"
        log_error "If running as podman/docker use --cap-add=CAP_NET_ADMIN flag."
        log_error "If running in Kubernetes, See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container"
    fi
    return 1
}

function __check_tools() {
    local errs=0

    log_debug "Checking requirements"
    declare -a commands=(
        "curl"    # curl
        "jq"      # jq
        "ip"      # iproute2
        "capsh"   # libcap/libcap2-bin (pulled by iproute2)
        "timeout" # coreutils
        "wg"      # wireguard-tools | wireguard-tools-wg
        "sysctl"  # procps
        "flock"   # flock | linux-utils
    )

    declare -a missing_commands
    for command in "${commands[@]}"; do
        if ! has_command "$command"; then
            ((++errs))
            missing_commands+=("$command")
        fi
    done

    if [[ ${#missing_commands[@]} -gt 0 ]]; then
        log_error "Following commands are missing - ${missing_commands[*]}"
        ((++errs))
    fi

    if [[ $errs -gt 0 ]]; then
        return 1
    fi
}

function __run_checks() {
    local errs=0

    if ! __check_tools; then
        return 1
    fi

    __detect_paths

    if [[ $(sysctl -n net.ipv4.conf.all.rp_filter) != "2" ]]; then
        ((++errs))
        log_error "Invalid sysctl, net.ipv4.conf.all.rp_filter!=2"
        log_error "If using docker/podman add --sysctl net.ipv4.conf.all.rp_filter=2 flag to your run command"
        log_error "If using docker-compose add 'net.ipv4.conf.all.rp_filter: 2' under 'sysctls' section for protonvpn service."
        log_error "If using Kubernetes see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ to set sysctl values."
    fi

    # check if any interfaces have reserved ip addresses
    declare -a ip_on_ifaces
    readarray -t ip_on_ifaces < <(ip -4 --json addr show | jq -r '.[] | select(.ifname!="protonwire0") | .addr_info[] | .local' 2>/dev/null)
    if [[ ${#ip_on_ifaces[@]} -lt 1 ]]; then
        log_error "There are no interfaces with IP addresses"
        ((++errs))
    else
        for iface_ip in "${ip_on_ifaces[@]}"; do
            log_debug "Checking if IP on other interface is reserved - $iface_ip"
            if [[ $iface_ip == "10.2.0.1" ]]; then
                log_error "One of the interfaces has IP - 10.2.0.1, which is reserved for server"
                ((++errs))
            fi
            if [[ $iface_ip == "10.2.0.2" ]]; then
                log_error "One of the interfaces has IP - 10.2.0.2, which is reserved for client"
                ((++errs))
            fi
        done
    fi

    if [[ $IPCHECK_URL != "https://icanhazip.com/" ]]; then
        if ! __is_valid_ipcheck_url; then
            ((++errs))
        fi
    else
        log_notice "Skipped validating default IPCHECK_URL"
    fi

    if ! __check_caps; then
        ((++errs))
    fi

    if [[ $errs -eq 0 ]]; then
        return 0
    fi
    return 1
}

# resolvconf hook. openresolv cannot be used because it uses mv sematics
# and it is unsuitable for container management systems which bind mount /etc/resolv.conf.
function __resolvconf_up_hook() {
    local resolvconf_cur
    resolvconf_cur="$(cat /etc/resolv.conf 2>/dev/null)"
    if [[ $resolvconf_cur != *"nameserver 10.2.0.1"* ]]; then
        log_debug "Updating /etc/resolv.conf"
        if ! cp --force /etc/resolv.conf /etc/resolv.conf.protonwire 2>&1 | log_tail "resolvconf-backup"; then
            log_error "Failed to create backup of /etc/resolv.conf"
            return 1
        fi

        local resolv_conf_vpn
        printf -v resolv_conf_vpn "# This file is managed by protonwire. DO NOT EDIT.\n"
        printf -v resolv_conf_vpn "%s# If you do not wish to use ProtonVPN DNS servers,\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s# disable it via one of the following.\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s#  - Set 'SKIP_DNS_CONFIG' environment variable to '1'.\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s#  - Use '--skip-dns-config' CLI flag.\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s#\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s# Your old DNS configration has been backed up at /etc/resolv.conf.protonwire.\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s# Do not delete it, as it will cause issues when disconnecting.\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s# protonvpn will automatically restore your previous DNS config upon disconnect.\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s#\n" "$resolv_conf_vpn"
        printf -v resolv_conf_vpn "%s%s\n" "$resolv_conf_vpn" "nameserver 10.2.0.1"

        if printf "%s" "${resolv_conf_vpn}" >/etc/resolv.conf 2>/dev/null; then
            log_success "DNS is is set to 10.2.0.1 via /etc/resolv.conf"
            return 0
        else
            log_error "Failed to update /etc/resolv.conf"
            return 1
        fi
    else
        log_success "DNS is already set to 10.2.0.1 in /etc/resolv.conf"
        return 0
    fi
}

function __resolvconf_down_hook() {
    local resolvconf_cur
    local resolvconf_bak
    resolvconf_cur="$(cat /etc/resolv.conf 2>/dev/null)"
    resolvconf_bak="$(cat /etc/resolv.conf.protonwire 2>/dev/null)"
    if [[ $resolvconf_cur == *"nameserver 10.2.0.1"* ]]; then
        local errs=0
        if [[ $resolvconf_bak != *"nameserver"* ]]; then
            log_error "/etc/resolv.conf.protonwire is empty or invalid or does not exist"
            ((++errs))
        fi
        log_debug "Restoring /etc/resolv.conf"
        if cat /etc/resolv.conf.protonwire >/etc/resolv.conf 2>/dev/null; then
            log_success "Reverted DNS configuration"
        else
            log_error "Failed to revert /etc/resolv.conf"
            ((++errs))
        fi
        if [[ -f /etc/resolv.conf.protonwire ]]; then
            log_debug "Removing backup /etc/resolv.conf.protonwire"
            if ! rm -f /etc/resolv.conf.protonwire; then
                log_error "Failed to remove backup /etc/resolv.conf.protonwire"
                ((++errs))
            fi
        else
            log_error "Backup resolv.conf not found - /etc/resolv.conf.protonwire"
            ((++errs))
        fi

        if [[ $errs -eq 0 ]]; then
            return 0
        fi
        return 1
    else
        log_success "DNS is not configured to use 10.2.0.1 in /etc/resolv.conf"
    fi
}

function __detect_paths() {
    declare -g __PROTONWIRE_SRV_INFO_FILE="/tmp/protonwire.server.json"
    declare -g __PROTONWIRE_HCR="/tmp/protonwire.hc.response"
    declare -g __PROTONWIRE_HCS="/tmp/protonwire.hc.status"
    log_variable "__PROTONWIRE_SRV_INFO_FILE"
    log_variable "__PROTONWIRE_HCR"
    log_variable "__PROTONWIRE_HCS"
}

# looper command
function protonvpn_looper_cmd() {
    if ! __run_checks; then
        log_error "Please fix the errors above and try again!"
        return 1
    fi

    log_variable "IPCHECK_THRESHOLD"
    log_variable "IPCHECK_INTERVAL"

    if __protonvpn_connect; then
        if [[ $IPCHECK_INTERVAL != "0" ]]; then
            log_info "Verifying connection"
            local verify_attemps=0
            local max_verify_attemps="${IPCHECK_THRESHOLD:-5}"
            while [[ $verify_attemps -lt $max_verify_attemps ]]; do
                ((++verify_attemps))
                if __protonvpn_verify_connection; then
                    log_success "Connection verified!"
                    break
                else
                    log_error "Retry ($verify_attemps/$max_verify_attemps) after 2 seconds"
                    sleep 2 &
                    wait $!
                fi
            done

            if [[ $verify_attemps -ge $max_verify_attemps ]]; then
                log_error "Failed to verify connection!"
                if __has_notify_socket; then
                    __systemd_notify "STATUS=Failed to verify connection - ${PROTONVPN_SERVER}"
                fi
                __protonvpn_disconnect
                return 1
            fi
        else
            log_warning "Not verifying connection, as healthchecks are disabled"
        fi
    else
        log_error "Failed to connect to ${PROTONVPN_SERVER:-NA}"
        if [[ -z $(ip link show protonwire0 type wireguard 2>/dev/null) ]]; then
            log_debug "Wireguard interface for protonwire is not present."
            return 1
        fi
        if __has_notify_socket; then
            __systemd_notify "STATUS=Failed to connect to - ${PROTONVPN_SERVER:-NA}"
        fi
        __protonvpn_disconnect
        return 1
    fi

    local sleep_int=120

    # configure ping interval
    if [[ -n $IPCHECK_INTERVAL ]] && [[ $IPCHECK_INTERVAL != "0" ]]; then
        sleep_int="$IPCHECK_INTERVAL"
    else
        log_debug "Using default check interval ${sleep_int}s"
    fi

    # Initial ready notification.
    if __has_notify_socket; then
        log_notice "Notifying systemd that we are ready"
        if ! __systemd_notify "READY=1"; then
            log_error "Failed to notify systemd!"
            __protonvpn_disconnect
            return 1
        fi
    else
        log_debug "No systemd notify socket found, skiping READY=1 notification"
    fi

    if [[ $IPCHECK_INTERVAL == "0" ]]; then
        log_warning "Healthchecks are disabled"
        log_info "Listening for signals"
        __PROTONWIRE_HC_ERRORS=0
        while :; do
            if [[ $__PROTONWIRE_DISCONNECTING == "true" ]]; then
                log_debug "Disconnect handler is active, exiting loop"
                break
            fi
            sleep "${sleep_int:-120}" &
            wait $!
        done
    else
        log_info "Checking status - every ${sleep_int:-120} seconds"

        declare -g __PROTONWIRE_HC_ERRORS=0
        while :; do
            if [[ $__PROTONWIRE_DISCONNECTING == "true" ]]; then
                log_debug "Disconnect handler is active, exiting loop"
                break
            fi

            if [[ $__PROTONWIRE_HC_ERRORS -ge ${max_verify_attemps} ]]; then
                log_error "Connection verification (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) failed"
                if __has_notify_socket; then
                    __systemd_notify "Connection verification failed (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) "
                else
                    log_debug "No systemd notify socket found, skiping reconnect notification"
                fi
                break
            fi

            sleep "${sleep_int:-120}" &
            wait $!

            if ! __protonvpn_verify_connection; then
                local xt=$((__PROTONWIRE_HC_ERRORS + 1))
                log_error "Failed to verify connection (${xt}/${max_verify_attemps})"
                ((++__PROTONWIRE_HC_ERRORS))
                log_warning "Attempting to re-connect to ${PROTONVPN_SERVER}"
                if __has_notify_socket; then
                    __systemd_notify "Attempting to re-connect to ${PROTONVPN_SERVER} (${xt}/${max_verify_attemps})"
                else
                    log_debug "No systemd notify socket found, skiping reconnect notification"
                fi

                if __protonvpn_connect; then
                    sleep 2 & # avoid transient errors
                    wait $!
                    if ! __protonvpn_verify_connection; then
                        log_error "Failed to verify after re-connect"
                    else
                        log_notice "Successfully reconnected to ${PROTONVPN_SERVER}"
                    fi
                else
                    log_error "Failed to re-connect to ${PROTONVPN_SERVER}"
                fi
            fi
        done
    fi
    return 1
}

function __load_srvinfo_json_to_var() {
    if [[ -f ${__PROTONWIRE_SRV_INFO_FILE} ]]; then
        local __json_tmp
        __json_tmp="$(<"${__PROTONWIRE_SRV_INFO_FILE}")"
        if jq --exit-status '.Nodes' <<<"$__json_tmp" >/dev/null 2>&1; then
            log_debug "__PROTONWIRE_SRV_INFO_FILE JSON valid"
            declare -g __PROTONWIRE_SRV_INFO="$__json_tmp"
            return 0
        else
            log_error "JSON file ${__PROTONWIRE_SRV_INFO_FILE:-NA} is invalid!"
        fi
    else
        log_error "Missing server info json file - ${__PROTONWIRE_SRV_INFO_FILE:-NA}"
        log_error "Either specify PROTONVPN_SERVER or connect first and try agian!"
    fi
    return 1
}

# when running as a service, script periodically refreshes the metadata.
function protonvpn_fetch_metadata() {
    local metadata_stale="true"
    local force_refresh="false"
    local wrapped_invocation="false"

    if __is_bool_true "${PROTONWIRE_FORCE}"; then
        force_refresh="true"
    fi

    while [[ ${1} != "" ]]; do
        case ${1} in
        --force-refresh | --force | -f)
            force_refresh="true"
            ;;
        --wrapper | -w)
            wrapped_invocation="true"
            ;;
        esac
        shift
    done

    # To avoid urlencoding as server names may contain '#' replace it with '-' as required by API.
    local api_server_name
    api_server_name="${PROTONVPN_SERVER//#/-}"

    # Check if __PROTONWIRE_SRV_INFO_FILE is present and corresponds to correct server.
    if [[ -f ${__PROTONWIRE_SRV_INFO_FILE} ]]; then
        local current_ts=0
        local metadata_ts=-1

        metadata_ts=$(stat -c %Y "${__PROTONWIRE_SRV_INFO_FILE}")
        printf -v current_ts '%(%s)T' -1

        if [[ $((current_ts - metadata_ts)) -lt 7200 ]]; then
            metadata_stale="false"
        else
            log_warning "Server info is stale - ${__PROTONWIRE_SRV_INFO_FILE}"
        fi

        # Check if existing metadata file belongs to correct server
        declare -a existing_server_endpoints
        local existing_server_name
        local existing_server_dns
        existing_server_name="$(jq -r '.Name' "${__PROTONWIRE_SRV_INFO_FILE}")"
        existing_server_dns="$(jq -r '.DNS' "${__PROTONWIRE_SRV_INFO_FILE}")"
        readarray -t existing_server_endpoints < <(jq -r \
            '.Nodes[].Endpoint' \
            <<<"${__PROTONWIRE_SRV_INFO_FILE}" 2>/dev/null)

        # If metadata is not stale, check if it belongs to the server.
        if [[ $metadata_stale == "false" ]]; then
            if [[ $existing_server_name == "$PROTONVPN_SERVER" ]] ||
                [[ $existing_server_dns == "$PROTONVPN_SERVER" ]] ||
                [[ ${existing_server_name//#/-} == "$api_server_name" ]]; then
                log_debug "Existing metadata belongs to ${PROTONVPN_SERVER}"
            else
                log_debug "Checking if server endpoints match ${PROTONVPN_SERVER}"
                local m="false"
                for endpoint in "${existing_server_endpoints[@]}"; do
                    if [[ ${PROTONVPN_SERVER,,} == "${endpoint,,}" ]]; then
                        m="true"
                        break
                    fi
                done

                if [[ $m != "true" ]]; then
                    log_debug "Existing metadata belongs to ${PROTONVPN_SERVER}"
                else
                    log_info "Existing metadata($existing_server_name/$existing_server_dns) does not belong to ${PROTONVPN_SERVER}"
                    metadata_stale="true"
                fi
            fi
        fi
    else
        log_debug "Server info file is missing - ${__PROTONWIRE_SRV_INFO_FILE}"
    fi

    # Fetch if file is stale or forced
    if [[ $metadata_stale != "false" ]] || [[ $force_refresh == "true" ]]; then
        log_info "Refresing server metadata (for $PROTONVPN_SERVER)"
        local api_call="${METADATA_URL}/${api_server_name}"
        log_debug "API - ${api_call}"
        local curl_rc="-1"
        local curl_opts="-sSfL"
        if __is_bool_true "${DEBUG}"; then
            curl_opts="-vfL"
        fi
        # we use wait to ensure the term signals can be handled properly
        { flock --timeout 30 --conflict-exit-code 32 "${__PROTONWIRE_SRV_INFO_FILE}.lock" \
            curl "${curl_opts}" -m 30 -A 'protonwire/v7' -o "${__PROTONWIRE_SRV_INFO_FILE}.bak" \
            "${api_call}" 2>&1 | log_tail "curl" & }
        wait $!
        curl_rc="$?"

        # Save to a backup file as download can fail or be corrupted
        if [[ $curl_rc == "0" ]]; then
            # Ensure file is json formatted and valid
            if jq --exit-status '.Nodes' "${__PROTONWIRE_SRV_INFO_FILE}.bak" >/dev/null 2>&1; then
                if mv --force "${__PROTONWIRE_SRV_INFO_FILE}.bak" "${__PROTONWIRE_SRV_INFO_FILE}"; then
                    log_success "Successfully refreshed server metadata"
                else
                    log_error "Refreshing server metadata failed (trampoline error)"
                    return 1
                fi
            else
                log_error "Refreshing server metadata failed (invalid json)"
                return 1
            fi
        elif [[ $curl_rc -eq 6 ]]; then
            log_error "Failed to refresh ProtonVPN server metadata (failed to resolve DNS)"
            log_error "See https://github.com/tprasadtp/protonvpn-docker/blob/master/docs/help.md for troubleshooting."
            return 1
        elif [[ $curl_rc -eq 28 ]]; then
            log_error "Failed to refresh ProtonVPN server metadata (curl timeout)"
            return 1
        elif [[ $curl_rc -eq 22 ]]; then
            log_error "Failed to refresh ProtonVPN server metadata (server name is invalid or not found)"
            log_error "Please verify that server ${PROTONVPN_SERVER:NA} is valid and available on ProtonVPN Website"
            log_error "See https://github.com/tprasadtp/protonvpn-docker/blob/master/docs/help.md for troubleshooting."
            return 1
        elif [[ $curl_rc -eq 32 ]]; then
            log_error "Failed to refresh ProtonVPN server metadata (flock timeout)"
            return 1
        else
            log_error "Failed to refresh ProtonVPN server metadata (curl exit code: ${curl_rc})"
            return 1
        fi
    else
        if [[ $wrapped_invocation == "true" ]]; then
            log_debug "Server metadata is already upto date"
        else
            log_success "Server metadata is already upto date"
        fi
    fi

    __load_srvinfo_json_to_var && return 0
    return 1
}

function protonvpn_healthcheck_status_file() {
    if [[ $IPCHECK_INTERVAL == "0" ]]; then
        log_warning "Healthchecks are disabled, cannot use status file!"
        return 0
    fi
    __detect_paths

    log_debug "Checking via file timestamp (${__PROTONWIRE_HCS})"
    if [[ -n $IPCHECK_INTERVAL ]]; then
        local check_interval="$IPCHECK_INTERVAL"
    else
        log_debug "No healthcheck interval defined, using default(120)"
        local check_interval="120"
    fi

    if [[ -f ${__PROTONWIRE_HCS} ]]; then
        local hc_time
        local current_ts
        printf -v current_ts '%(%s)T' -1
        hc_time="$(stat -c '%Y' "${__PROTONWIRE_HCS}")"
        local hc_diff="-1"
        hc_diff=$((current_ts - hc_time))
        if [[ $hc_diff -lt $((check_interval + 10)) ]]; then
            log_success "Healthcheck is up (via status file), last checked ${hc_diff}s ago"
            return 0
        else
            log_error "Healthcheck is down (via status file), last checked ${hc_diff}s ago"
            return 1
        fi
    else
        log_error "Healthcheck status file (${__PROTONWIRE_HCS}) does not exist!"
        return 1
    fi
}

function __protonvpn_verify_connection() {
    if [[ -z ${__PROTONWIRE_SRV_INFO} ]]; then
        declare -g __PROTONWIRE_SRV_INFO
        __PROTONWIRE_SRV_INFO="$(<"$__PROTONWIRE_SRV_INFO_FILE")"
    fi

    if [[ -z ${__PROTONWIRE_SRV_INFO} ]]; then
        log_debug "__PROTONWIRE_SRV_INFO is undefined!"
        return 1
    fi

    if [[ -z $(ip link show protonwire0 type wireguard 2>/dev/null) ]]; then
        log_error "WireGuard interface - protonwire0 is not present"
        return 1
    else
        log_debug "WireGuard interface - protonwire0 is present"
    fi

    declare -a configured_endpoints
    readarray -t configured_endpoints < <(wg show protonwire0 peers 2>/dev/null)
    if [[ ${#configured_endpoints[@]} -eq 0 ]]; then
        log_error "WireGuard interface 'protonwire0' is not connected to any peers"
        return 1
    elif [[ ${#configured_endpoints[@]} -gt 1 ]]; then
        log_debug "Connected peers - ${configured_endpoints[*]}"
        log_error "WireGuard interface 'protonwire0' is connected to multiple peers(${#configured_endpoints[@]})"
        return 1
    else
        log_debug "Connected to peer - ${configured_endpoints[*]}"
    fi

    declare -a allowed_exit_ips
    declare -a node_endpoints
    local node_name
    local node_dns

    node_name="$(jq -r --arg peer "${configured_endpoints[0]}" 'select(.Nodes[].PublicKey==$peer) | .Name' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    node_dns="$(jq -r --arg peer "${configured_endpoints[0]}" 'select(.Nodes[].PublicKey==$peer) | .DNS' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    readarray -t node_endpoints < <(jq -r \
        '.Nodes[].Endpoint' \
        <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)

    if [[ -n $PROTONVPN_SERVER ]]; then
        if [[ ${PROTONVPN_SERVER^^} == "${node_name^^}" ]] ||
            [[ ${PROTONVPN_SERVER^^//#/-} == "${node_name^^}" ]] ||
            [[ ${PROTONVPN_SERVER,,} == "${node_dns,,}" ]]; then
            log_debug "Connected to server: ${node_name:-NA}(${node_dns:-NA})"
            if ! __protonvpn_verify_server_attributes; then
                return 1
            fi
        else
            local m="false"
            for endpoint in "${node_endpoints[@]}"; do
                if [[ ${PROTONVPN_SERVER,,} == "${endpoint,,}" ]]; then
                    m="true"
                    break
                fi
            done

            if [[ $m != "true" ]]; then
                log_error "Expected to be connected to server $PROTONVPN_SERVER, but is connected to ${node_name:-NA}(${node_dns:-NA})"
                return 1
            else
                if ! __protonvpn_verify_server_attributes; then
                    return 1
                fi
            fi
        fi
    else
        log_debug "PROTONVPN_SERVER is not specified, only validating exit IPs"
    fi

    readarray -t allowed_exit_ips < <(jq -r ".ExitIPs[]" <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)
    log_debug "Allowed ExitIPs  - ${allowed_exit_ips[*]}"

    if [[ ${#allowed_exit_ips[@]} -eq 0 ]]; then
        log_error "Failed to parse allowed ExitIPs from - ${__PROTONWIRE_SRV_INFO_FILE}"
        return 1
    fi

    local hc_response_rc=-1
    local curl_opts="-sSfL"
    if __is_bool_true "${DEBUG}"; then
        curl_opts="-vfL"
    fi

    log_debug "Checking client IP via $IPCHECK_URL"
    {
        flock --timeout 30 --conflict-exit-code 32 "${__PROTONWIRE_HCR}.lock" \
            curl "${curl_opts}" -m 30 -A 'protonwire/v7' -o "${__PROTONWIRE_HCR}" \
            "$IPCHECK_URL" 2>&1 | log_tail "curl" &
    }
    wait $!
    hc_response_rc="$?"
    log_debug "Healthcheck curl exit code - ${hc_response_rc:-NA}"

    if [[ $hc_response_rc == 6 ]]; then
        log_error "Failed to resolve DNS domain ($IPCHECK_URL)"
        return 1
    elif [[ $hc_response_rc == 28 ]]; then
        log_error "Failed to connect to $IPCHECK_URL (timeout)"
        return 1
    elif [[ $curl_rc -eq 32 ]]; then
        log_error "Failed to check IP via $IPCHECK_URL (flock timeout)"
        return 1
    elif [[ $hc_response_rc != 0 ]]; then
        log_error "curl command exited with $hc_response_rc"
        return 1
    fi

    local client_ip
    client_ip="$(<"$__PROTONWIRE_HCR")"
    log_debug "Client IP address - $client_ip"

    if [[ -z $client_ip ]]; then
        log_error "Failed to get client IP from - ${__PROTONWIRE_HCR}"
        return 1
    fi

    for exit_ip in "${allowed_exit_ips[@]}"; do
        if [[ $exit_ip == "${client_ip}" ]]; then
            if __has_notify_socket; then
                local status_msg
                if __is_bool_true "${KILL_SWITCH}"; then
                    status_msg="Connected to ${PROTONVPN_SERVER} (as $client_ip, with KillSwitch)"
                else
                    status_msg="Connected to ${PROTONVPN_SERVER} (as $client_ip)"
                fi
                log_debug "$status_msg"
                if ! __systemd_notify "STATUS=$status_msg"; then
                    log_error "Failed to notify status to systemd"
                fi
            else
                log_success "Connected to ${PROTONVPN_SERVER:-NA} (as $client_ip)"
            fi
            if ! touch "${__PROTONWIRE_HCS}" 2>&1 | log_tail "touch-status-cache"; then
                log_warning "Failed to touch healthcheck status cache file"
            fi
            return 0
        fi
    done
    log_error "Your current IP address - ${client_ip} is not in the list for server ${PROTONVPN_SERVER:-NA}"
    log_error "Your current IP address - ${client_ip} must belong to set (${allowed_exit_ips[*]})"

    if __has_notify_socket; then
        if ! __systemd_notify "STATUS=ExitIP mismatch for server ${PROTONVPN_SERVER:-NA} (as $client_ip)"; then
            log_error "Failed to notify error status to systemd"
        fi
    fi

    return 20
}

function protonvpn_verify_cmd() {
    __detect_paths

    if ! __check_tools; then
        return 1
    fi

    if ! __check_caps; then
        return 1
    fi

    if [[ -n ${PROTONVPN_SERVER} ]]; then
        if ! __fetch_metadata_with_retries; then
            return 1
        fi
    else
        if ! __load_srvinfo_json_to_var; then
            return 1
        fi
    fi

    local verify_rc=-1
    __protonvpn_verify_connection
    verify_rc="$?"
    if [[ $verify_rc -eq 0 ]]; then
        return 0
    elif [[ $verify_rc -eq 20 ]]; then
        return 20
    fi
    return 1
}

function __is_usable_keyfile() {
    local file_path="$1"
    if [[ -z ${file_path} ]]; then
        log_error "__is_usable_keyfile() requires a file path"
        return 1
    fi

    if [[ -L ${file_path} ]]; then
        log_debug "File - ${file_path} is a symbolic link following it"
        file_path="$(readlink -f "${file_path}")"
    fi

    if [[ -f $file_path ]]; then
        if [[ -r $file_path ]] && [[ -s $file_path ]]; then
            local fp_perms="stat-error"
            fp_perms="$(stat -c '%a' "${file_path}")"
            case $fp_perms in
            400 | 600 | 440 | 640 | 660)
                log_debug "File - ${file_path} has correct permissions (${fp_perms})"
                return 0
                ;;
            *)
                log_warning "File - $file_path has insecure permissions ($fp_perms)"
                return 1
                ;;
            esac
        else
            log_warning "$file_path is not readable or empty!"
        fi
    else
        log_warning "$file_path is not a file!"
    fi
    return 1
}

function __build_subnets() {
    local errs

    declare -a invalid_ipv4_routes=()
    declare -a invalid_ipv6_routes=()

    if [[ -z $PROTONVPN_ALLOWED_SUBNETS_IPV4 ]]; then
        log_debug "Excluding RFC-1918 subnets(IPv4) except DNS sever from WireGuard table"
        declare -ga __PROTONWIRE_SUBNET_4=(
            "10.2.0.1/32" # DNS server
            "0.0.0.0/5"
            "8.0.0.0/7"
            "11.0.0.0/8"
            "12.0.0.0/6"
            "16.0.0.0/4"
            "32.0.0.0/3"
            "64.0.0.0/3"
            "96.0.0.0/6"
            "100.0.0.0/10"
            "100.128.0.0/9"
            "101.0.0.0/8"
            "102.0.0.0/7"
            "104.0.0.0/5"
            "112.0.0.0/5"
            "120.0.0.0/6"
            "124.0.0.0/7"
            "126.0.0.0/8"
            "128.0.0.0/3"
            "160.0.0.0/5"
            "168.0.0.0/8"
            "169.0.0.0/9"
            "169.128.0.0/10"
            "169.192.0.0/11"
            "169.224.0.0/12"
            "169.240.0.0/13"
            "169.248.0.0/14"
            "169.252.0.0/15"
            "169.255.0.0/16"
            "170.0.0.0/7"
            "172.0.0.0/12"
            "172.32.0.0/11"
            "172.64.0.0/10"
            "172.128.0.0/9"
            "173.0.0.0/8"
            "174.0.0.0/7"
            "176.0.0.0/4"
            "192.0.0.0/9"
            "192.128.0.0/11"
            "192.160.0.0/13"
            "192.169.0.0/16"
            "192.170.0.0/15"
            "192.172.0.0/14"
            "192.176.0.0/12"
            "192.192.0.0/10"
            "193.0.0.0/8"
            "194.0.0.0/7"
            "196.0.0.0/6"
            "200.0.0.0/5"
            "208.0.0.0/4"
            "224.0.1.0/24"
            "224.0.2.0/23"
            "224.0.4.0/22"
            "224.0.8.0/21"
            "224.0.16.0/20"
            "224.0.32.0/19"
            "224.0.64.0/18"
            "224.0.128.0/17"
            "224.1.0.0/16"
            "224.2.0.0/15"
            "224.4.0.0/14"
            "224.8.0.0/13"
            "224.16.0.0/12"
            "224.32.0.0/11"
            "224.64.0.0/10"
            "224.128.0.0/9"
            "225.0.0.0/8"
            "226.0.0.0/7"
            "228.0.0.0/6"
            "232.0.0.0/5"
        )
    else
        log_debug "ALLOWED_SUBNETS_IPV4 - ${PROTONVPN_ALLOWED_SUBNETS_IPV4}"
        # shellcheck disable=SC2206
        declare -ga __PROTONWIRE_SUBNET_4=(${PROTONVPN_ALLOWED_SUBNETS_IPV4//,/ })
        if [[ ${#__PROTONWIRE_SUBNET_4[@]} -eq 0 ]]; then
            log_error "No allowed IPv4 routes specified"
            ((++errs))
        else
            for ipv4_route in "${__PROTONWIRE_SUBNET_4[@]}"; do
                if ! __is_valid_ipv4 --subnet "$ipv4_route"; then
                    ((++errs))
                    invalid_ipv4_routes+=("$ipv4_route")
                fi
            done
        fi
    fi

    if [[ -z $PROTONVPN_ALLOWED_SUBNETS_IPV6 ]]; then
        log_debug "Excluding ULA subnets(IPv6) from WireGuard table"
        declare -ga __PROTONWIRE_SUBNET_6=("2000::/3") #"fd54:20a4:d33b:b10c:0:0:2:1/128"
    else
        log_debug "ALLOWED_SUBNETS_IPV6 - ${PROTONVPN_ALLOWED_SUBNETS_IPV6}"
        declare -a __PROTONWIRE_SUBNET_6=()
        # shellcheck disable=SC2206
        declare -ga __PROTONWIRE_SUBNET_6=(${PROTONVPN_ALLOWED_SUBNETS_IPV6//,/ })
        if [[ ${#__PROTONWIRE_SUBNET_6[@]} -eq 0 ]]; then
            log_error "No allowed IPv6 routes specified"
            ((++errs))
        else
            for ipv6_route in "${__PROTONWIRE_SUBNET_6[@]}"; do
                if ! __is_valid_ipv6 --subnet "$ipv6_route"; then
                    ((++errs))
                    invalid_ipv6_routes+=("$ipv6_route")
                fi
            done
        fi
    fi

    if [[ ${#invalid_ipv4_routes[@]} -gt 0 ]]; then
        log_error "Invalid IPv4 routes specified: ${invalid_ipv4_routes[*]}"
        ((++errs))
    fi

    if [[ ${#invalid_ipv6_routes[@]} -gt 0 ]]; then
        log_error "Invalid IPv6 routes specified: ${invalid_ipv6_routes[*]}"
        ((++errs))
    fi

    if [[ $errs -gt 0 ]]; then
        return 1
    fi
}

function __build_route_table() {
    local table_id="51821"
    if __is_ipv6_disabled; then
        declare -ar __rt_protos=("4")
    else
        declare -ar __rt_protos=("4" "6")
    fi

    local errs=0
    for proto in "${__rt_protos[@]}"; do
        if [[ $proto == "4" ]]; then
            declare -a desired_routes=("${__PROTONWIRE_SUBNET_4[@]}")
        elif [[ $proto == "6" ]]; then
            declare -a desired_routes=("${__PROTONWIRE_SUBNET_6[@]}")
        fi

        local create_wg_routes="true"
        local create_ks_routes="true"

        local routes_rt
        log_debug "Collecting existing routes if any (IPv$proto)"
        routes_rt="$(ip "-${proto}" --json route show table "${table_id}" 2>/dev/null)"

        if [[ -z ${routes_rt} ]]; then
            log_debug "Not found table $table_id (IPv$proto)"
        else
            if [[ $errs -gt 0 ]]; then
                return 1
            fi

            local routes_ks
            routes_ks="$(jq -r '.[] | select((.metric==900) and (.type=="prohibit")) | .dst' <<<"${routes_rt}" 2>/dev/null)"
            if [[ -n ${routes_ks} ]]; then
                if ! __is_bool_true "${KILL_SWITCH}"; then
                    log_warning "Existing killswitch routes found! but killswitch is not enabled! (IPv$proto)"
                else
                    log_debug "Validating Killswitch routes (IPv$proto)"
                fi

                local ksr_mismatch=0
                for route in "${desired_routes[@]}"; do
                    __route_regex="(${route}|${route///32/})" # special handling of /32 route
                    if [[ "$routes_ks" =~ ${__route_regex} ]]; then
                        log_debug "Prohibit route - $route already present in table $table_id (IPv$proto)"
                    else
                        log_error "Prohibit route - $route is not present in table $table_id (IPv$proto)"
                        ((++ksr_mismatch))
                    fi
                done

                if [[ $ksr_mismatch -gt 0 ]]; then
                    log_error "You SHOULD NOT manually change route table managed by protonwire (IPv$proto)"
                    log_error "KillSwitch is in un-managable state (IPv$proto)"
                    log_error "Run 'protonwire disable-ks' and try again (IPv$proto)"
                    return 1
                else
                    create_ks_routes=false
                fi
            else
                log_debug "No existing killswitch routes found"
            fi

            declare -a routes_wg
            readarray -t routes_wg < <(jq -r '.[] | select((.metric==500) and (.dev=="protonwire0")) | .dst' <<<"${routes_rt}" 2>/dev/null)
            if [[ ${#routes_wg[@]} -gt 0 ]]; then
                local wgr_mismatch=0
                for route in "${desired_routes[@]}"; do
                    __route_regex="(${route}|${route///32/})" # special handling of /32 route
                    if [[ "${routes_wg[*]}" =~ ${__route_regex} ]]; then
                        log_debug "Route - $route already present in table $table_id (IPv$proto)"
                    else
                        log_error "Route - $route is not present in table $table_id (IPv$proto)"
                        ((++wgr_mismatch))
                    fi
                done

                if [[ $wgr_mismatch -gt 0 ]]; then
                    log_error "You SHOULD NOT manually change route table $table_id managed by protonwire (IPv$proto)"
                    for item in "${routes_wg[@]}"; do
                        log_warning "Removing route - $item in table $table_id (IPv$proto)"
                        if ! ip "-${proto}" route del table "$table_id" dev protonwire0 metric 500 2>&1 | log_tail "ip-route-del-wg"; then
                            log_error "Failed to delete route $item with metric 500 in table $table_id (IPv$proto)"
                            ((++errs))
                        fi
                    done
                else
                    create_wg_routes=false
                fi

                if [[ $errs -gt 0 ]]; then
                    log_error "Route table $table_id is in unknown state! (IPv$proto)"
                    return 1
                fi
            else
                log_debug "No existing routes found (IPv$proto)"
            fi

        fi

        if [[ $create_wg_routes == "true" ]]; then
            log_notice "Creating routes (IPv$proto)"
            for route in "${desired_routes[@]}"; do
                if ip "-${proto}" route add table "$table_id" metric 500 dev protonwire0 "${route}" 2>&1 | log_tail "ip-route-add-ks"; then
                    log_debug "Added route - ${route} to table $table_id (IPv$proto)"
                else
                    log_error "Failed to add route - ${route} to table $table_id (IPv$proto)"
                    ((++errs))
                fi
            done
        else
            log_success "Routes are algrady configured (IPv$proto)"
        fi

        if __is_bool_true "${KILL_SWITCH}"; then
            if [[ $create_ks_routes == "true" ]]; then
                log_notice "Creating Killswitch routes (IPv$proto)"
                for route in "${desired_routes[@]}"; do
                    if ip "-${proto}" route add table "$table_id" metric 900 prohibit "${route}" 2>&1 | log_tail "ip-route-add-ks"; then
                        log_debug "Added prohibit route - ${route} to table $table_id (IPv$proto)"
                    else
                        log_error "Failed to add prohibit route - ${route} to table $table_id (IPv$proto)"
                        ((++errs))
                    fi
                done
            else
                log_success "Killswitch is algrady configured (IPv$proto)"
            fi
        else
            log_debug "KillSwitch is disabled (IPv$proto)"
        fi
    done
    if [[ $errs -eq 0 ]]; then
        return 0
    fi
    return 1
}

function __build_route_rules() {
    if __is_ipv6_disabled; then
        declare -ar __rt_protos=("4")
    else
        declare -ar __rt_protos=("4" "6")
    fi

    local errs=0
    for proto in "${__rt_protos[@]}"; do
        log_debug "Configuring IP rules (IPv$proto)"
        declare -a _routes_json
        declare -a wg_rule_p
        local config_rules="true"
        readarray -t _routes_json < <(ip "-${proto}" --json rule)
        if [[ ${#_routes_json[@]} -gt 0 ]]; then
            readarray -t wg_rule_p < <(jq -r '.[] | select((.fwmark=="0xca6d") and (.table=="51821") and (.src=="all")) | .priority' <<<"${_routes_json[*]}" 2>/dev/null)
            if [[ ${#wg_rule_p[@]} -gt 1 ]]; then
                log_error "More than one routing rule found! (IPv$proto)"
                log_error "Cannot reliably connect to server without leaking connection! (IPv$proto)"
                return 1
            elif [[ ${#wg_rule_p[@]} -eq 1 ]]; then
                log_success "Routing policy rule is already configured (IPv$proto)"
                config_rules="false"
            fi
        else
            log_debug "No routing rules present (IPv$proto)"
        fi

        if [[ $config_rules != "false" ]]; then
            # from all not fwmark 0xca6d lookup 51821
            log_debug "Adding IP rule for Table 51821 (IPv$proto)"
            if ! ip "-${proto}" rule add not fwmark 0xca6d table 51821 2>&1 | log_tail "ip-rule"; then
                log_error "Failed to add rule to route traffic via table 51821 (IPv$proto)"
                ((++errs))
            fi
        fi
    done

    if [[ $errs -eq 0 ]]; then
        return 0
    fi
    return 1
}

function __fetch_metadata_with_retries() {
    local metadata_fetch_tries=0
    local metadata_fetch_max_tries=3
    while [[ $metadata_fetch_tries -lt $metadata_fetch_max_tries ]]; do
        ((++metadata_fetch_tries))
        if protonvpn_fetch_metadata --wrapper; then
            break
        else
            if [[ $metadata_fetch_tries -lt $metadata_fetch_max_tries ]]; then
                log_error "Retrying after $((2 ** metadata_fetch_tries)) seconds ($metadata_fetch_tries/$metadata_fetch_max_tries)"
                sleep "$((2 ** metadata_fetch_tries))" &
                wait $!
            fi
        fi
    done

    # Use cached file if failed to fetch metadata, this is most likely due to a network issue
    log_debug "metadata_fetch_tries=${metadata_fetch_tries}"
    log_debug "metadata_fetch_max_tries=${metadata_fetch_max_tries}"
    if [[ $metadata_fetch_tries -ge $metadata_fetch_max_tries ]]; then
        if [[ ! -f ${__PROTONWIRE_SRV_INFO_FILE} ]]; then
            log_error "Failed to fetch server metadata after $metadata_fetch_max_tries tries!"
            log_error "Please check your internet connection and try again!"
            log_error "If you have killswitch enabled please disable it and try again!"
            return 1
        else
            log_warning "Failed to fetch server metadata after ${metadata_fetch_max_tries} tries, using cached file (might be stale)"
        fi
    fi
}

# Get Wireguard endpoint IPs and public keys. This also verifies server is online.
function __protonvpn_pre_connect_get_endpoints_and_keys() {
    # Ensure __PROTONWIRE_SRV_INFO is defined
    if [[ -z ${__PROTONWIRE_SRV_INFO} ]]; then
        log_debug "__PROTONWIRE_SRV_INFO is undefined!"
        return 1
    fi

    # Check if server is offline
    local _server_online
    _server_online="$(jq -r '.Status' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    if [[ $_server_online == "ONLINE" ]]; then
        log_success "Server ${PROTONVPN_SERVER} is online"
    else
        log_error "Server ${PROTONVPN_SERVER} is ${_server_online:-UNKNOWN_STATE}!"
        return 1
    fi

    # Extract Endpoint IPs (including offline ones)
    declare -a -g __PROTONWIRE_ENDPOINT_IPS_ALL
    # Extract Endpoint IPs (only online ones)
    declare -a -g __PROTONWIRE_ENDPOINT_IPS_ONLINE

    # Get all Endpoint IPs which are online.
    log_debug "Selecting all ONLINE endpoints"
    readarray -t __PROTONWIRE_ENDPOINT_IPS_ONLINE < <(jq -r \
        '[.Nodes[] | select(.Status=="ONLINE")] | sort_by(.Endpoint) | .[].Endpoint' \
        <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)

    # check if we have atleast one online endpoint server
    # this should not happen as the entire logical node itself should be offline
    # but we include it here to avoid any bugs in API.
    if [[ ${#__PROTONWIRE_ENDPOINT_IPS_ONLINE[@]} -lt 1 ]]; then
        log_error "No online endpoints found for - PROTONVPN_SERVER=${PROTONVPN_SERVER}"
        return 1
    else
        log_variable "__PROTONWIRE_ENDPOINT_IPS_ONLINE"
    fi

    # Get all Endpoint IPs (including offline)
    log_debug "Selecting all endpoints for building keymap"
    readarray -t __PROTONWIRE_ENDPOINT_IPS_ALL < <(jq -r \
        '[.Nodes[]] | sort_by(.Endpoint) | .[].Endpoint' \
        <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)

    # Check if we have atleast endpoint server
    if [[ ${#__PROTONWIRE_ENDPOINT_IPS_ALL[@]} -lt 1 ]]; then
        log_error "No endpoints found for - PROTONVPN_SERVER=${PROTONVPN_SERVER}"
        return 1
    else
        log_variable "__PROTONWIRE_ENDPOINT_IPS_ALL"
    fi

    # Associative array to map endpoint ip to keys.
    declare -A -g __PROTONWIRE_KEY_MAP

    # Loop over all __PROTONWIRE_ENDPOINT_IPS_ALL and get their public key.
    # and save it in an associative array mapping endpoint to public keys.
    # we also consider all nodes as they may not be actually "offline"
    # though non-online nodes are not considered while connecting, only for verification.
    for endpoint in "${__PROTONWIRE_ENDPOINT_IPS_ALL[@]}"; do
        declare -a endpoint_keys
        readarray -t endpoint_keys < <(jq -r \
            --arg endpoint "$endpoint" \
            '[.Nodes[] | select(.Endpoint==$endpoint)] | .[].PublicKey' \
            <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)
        if [[ ${#endpoint_keys[@]} -gt 1 ]]; then
            log_warning "Endpoint($endpoint) has multiple pub keys, only using first key"
            __PROTONWIRE_KEY_MAP["${endpoint}"]="${endpoint_keys[0]}"
        elif [[ ${#endpoint_keys[@]} -eq 1 ]]; then
            if [[ -z ${endpoint} ]]; then
                log_error "Endpoint IP is empty!"
            else
                log_debug "Endpoint($endpoint) has pubkey - ${endpoint_keys[0]}"
            fi
            __PROTONWIRE_KEY_MAP["${endpoint}"]="${endpoint_keys[0]}"
        else
            log_error "Endpoint(${endpoint}) for server ${PROTONVPN_SERVER} returned no pubkeys"
            return 1
        fi
    done

    # Collect all exit IPs
    local err=0
    readarray -t __PROTONVPN_EXIT_IP_LIST < <(jq -r \
        '.ExitIPs[]' \
        <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)
    if [[ ${#__PROTONVPN_EXIT_IP_LIST[@]} -lt 1 ]]; then
        log_error "No exit ips found for ${PROTONVPN_SERVER}"
        return 1
    fi

    # As metadata API endpoint is customizable, verify all returned IP addresseses are valid.
    for _server_exit_ip in "${__PROTONVPN_EXIT_IP_LIST[@]}"; do
        if __is_valid_ipv4 "${_server_exit_ip}"; then
            log_debug "Valid Exit IP for ${PROTONVPN_SERVER} - ${_server_exit_ip}(IPv4)"
        elif __is_valid_ipv6 "${ip_check_response[0]}"; then
            log_debug "Valid Exit IP for ${PROTONVPN_SERVER} - ${_server_exit_ip}(IPv6)"
            return 0
        else
            log_error "Metadata endpoint returned invalid exit IP address($_server_exit_ip)"
            ((++err))
        fi
    done

    if [[ $err -eq 0 ]]; then
        return 0
    fi

    return 1
}

function __protonvpn_verify_server_attributes() {
    # Ensure __PROTONWIRE_SRV_INFO is defined
    if [[ -z ${__PROTONWIRE_SRV_INFO} ]]; then
        log_debug "__PROTONWIRE_SRV_INFO is undefined!"
        return 1
    fi

    local errs=0

    local server_country
    local server_feature_p2p
    local server_feature_streaming
    local server_feature_tor
    local server_feature_secure_core

    if [[ -n $__PROTONWIRE_FEATURE_COUNTRY ]]; then
        server_country="$(jq -r '.ExitCountry' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
        if [[ ${server_country^^} != "${__PROTONWIRE_FEATURE_COUNTRY^^}" ]]; then
            log_error "Expects server's ExitCoutry to be ${__PROTONWIRE_FEATURE_COUNTRY}"
            log_error "But Currently selected server(${PROTONVPN_SERVER^^}) is ${server_country^^}"
            ((++errs))
        else
            log_success "Server ExitCountry is ${__PROTONWIRE_FEATURE_COUNTRY}"
        fi
    else
        log_debug "Not validating country"
    fi

    if [[ $__PROTONWIRE_FEATURE_P2P == "true" ]]; then
        server_feature_p2p="$(jq -r '.P2P' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
        if [[ ${server_feature_p2p,,} != "true" ]]; then
            log_error "Selected server(${PROTONVPN_SERVER}) does not supprt P2P"
            ((++errs))
        else
            log_success "Server supports P2P"
        fi
    else
        log_debug "Not validating if server supports P2P"
    fi

    if [[ $__PROTONWIRE_FEATURE_STREAMING == "true" ]]; then
        server_feature_streaming="$(jq -r '.Streaming' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
        if [[ ${server_feature_streaming,,} != "true" ]]; then
            log_error "Selected server(${PROTONVPN_SERVER}) does not supprt Streaming"
            ((++errs))
        else
            log_success "Server supports Streaming"
        fi
    else
        log_debug "Not validating if server supports Stremaing"
    fi

    if [[ $__PROTONWIRE_FEATURE_TOR == "true" ]]; then
        server_feature_tor="$(jq -r '.Tor' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
        if [[ ${server_feature_tor,,} != "true" ]]; then
            log_error "Selected server(${PROTONVPN_SERVER}) does not supprt Tor"
            ((++errs))
        else
            log_success "Server supports Tor"
        fi
    else
        log_debug "Not validating if server supports Tor"
    fi

    if [[ $__PROTONWIRE_FEATURE_SECURE_CORE == "true" ]]; then
        server_feature_secure_core="$(jq -r '.SecureCore' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
        if [[ ${server_feature_secure_core,,} != "true" ]]; then
            log_error "Selected server(${PROTONVPN_SERVER}) does not supprt SecureCore"
            ((++errs))
        else
            log_success "Server supports SecureCore"
        fi
    else
        log_debug "Not validating if server supports SecureCore"
    fi

    if [[ $errs -eq 0 ]]; then
        return 0
    fi

    return 1
}

function __protonvpn_connect() {
    local errs=0

    if [[ -z ${PROTONVPN_SERVER} ]]; then
        log_error "PROTONVPN_SERVER not specified"
        return 1
    fi

    if __has_notify_socket; then
        __systemd_notify "STATUS=Connecting to ${PROTONVPN_SERVER}"
    fi

    if ! __fetch_metadata_with_retries; then
        return 1
    fi

    if ! __protonvpn_pre_connect_get_endpoints_and_keys; then
        return 1
    fi

    if ! __protonvpn_verify_server_attributes; then
        return 1
    fi

    # Lookup private key
    local wg_client_pubkey
    local WIREGUARD_PRIVATE_KEY_FILE

    if [[ -n $WIREGUARD_PRIVATE_KEY ]]; then
        local __wg_client_pubkey

        # check if WIREGUARD_PRIVATE_KEY is a file
        if [[ -e $WIREGUARD_PRIVATE_KEY ]]; then
            if __is_usable_keyfile "${WIREGUARD_PRIVATE_KEY}"; then
                __wg_client_pubkey=$(wg pubkey <"${WIREGUARD_PRIVATE_KEY}" 2>/dev/null)
                if [[ -n $__wg_client_pubkey ]]; then
                    WIREGUARD_PRIVATE_KEY_FILE="${WIREGUARD_PRIVATE_KEY}"
                    log_success "Using PrivateKeyFile - ${WIREGUARD_PRIVATE_KEY}"
                    wg_client_pubkey="$__wg_client_pubkey"
                else
                    log_error "PrivateKeyFile - $WIREGUARD_PRIVATE_KEY is invalid!"
                    return 1
                fi
            else
                log_error "PrivateKeyFile - $WIREGUARD_PRIVATE_KEY cannot be used!"
                return 1
            fi
        else
            __wg_client_pubkey=$(wg pubkey <<<"${WIREGUARD_PRIVATE_KEY}" 2>/dev/null)
            if [[ -n $__wg_client_pubkey ]]; then
                log_success "WIREGUARD_PRIVATE_KEY(${WIREGUARD_PRIVATE_KEY:0:5}**********) is a valid key"
            else
                log_error "WIREGUARD_PRIVATE_KEY(${WIREGUARD_PRIVATE_KEY:0:5}**********) is not a valid key"
                return 1
            fi
        fi
    else
        log_debug "WIREGUARD_PRIVATE_KEY is not set"
        declare -a lookup_paths=(
            "/etc/protonwire/protonwire-private-key"
            "/etc/protonwire/protonvpn-private-key"
            "/etc/protonwire/wireguard-private-key"
            "/etc/protonwire/private-key"

            "/run/secrets/protonwire-private-key"
            "/run/secrets/protonvpn-private-key"
            "/run/secrets/wireguard-private-key"
            "/run/secrets/private-key"

            "/run/secrets/protonwire/protonwire-private-key"
            "/run/secrets/protonwire/protonvpn-private-key"
            "/run/secrets/protonwire/wireguard-private-key"
            "/run/secrets/protonwire/private-key"
        )

        # If CREDENTIALS_DIRECTORY is defined, use it (for systemd-creds)
        if [[ -n $CREDENTIALS_DIRECTORY ]]; then
            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonwire-private-key")
            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonvpn-private-key")
            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/wireguard-private-key")
            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/private-key")
        fi

        for lookup_path in "${lookup_paths[@]}"; do
            if [[ -f ${lookup_path} ]]; then
                if __is_usable_keyfile "${lookup_path}"; then
                    local __wg_client_pubkey
                    __wg_client_pubkey=$(wg pubkey <"${lookup_path}" 2>/dev/null)
                    if [[ -n $__wg_client_pubkey ]]; then
                        WIREGUARD_PRIVATE_KEY_FILE="${lookup_path}"
                        log_success "Using PrivateKeyFile - $lookup_path"
                        wg_client_pubkey="$__wg_client_pubkey"
                        break
                    else
                        log_error "PrivateKeyFile - $lookup_path is invalid!"
                    fi
                else
                    log_error "PrivateKeyFile - $lookup_path cannot be used!"
                fi
            elif [[ -e ${lookup_path} ]]; then
                log_debug "File not found - ${lookup_path} (path is not a file)"
            else
                log_debug "File not found - ${lookup_path}"
            fi
        done
    fi

    if [[ -z $WIREGUARD_PRIVATE_KEY_FILE ]] && [[ -z $WIREGUARD_PRIVATE_KEY ]]; then
        log_error "No usable private key found!"
        return 1
    fi

    # sysctl checks
    if [[ $(sysctl -n net.ipv4.conf.all.rp_filter) == "2" ]]; then
        log_success "net.ipv4.conf.all.rp_filter is already set to 2"
    elif [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) == "1" ]]; then
        log_success "net.ipv4.conf.all.src_valid_mark is already set to 1"
    else
        log_info "Setting net.ipv4.conf.all.rp_filter to 2"
        if ! sysctl -w net.ipv4.conf.all.rp_filter=2 2>&1 | log_tail "sysctl-net-rp_filter"; then
            log_error "Failed to set net.ipv4.conf.all.rp_filter to 2"
            return 1
        fi
    fi

    # Wireguard interface
    local wg_existing_ip
    local wg_exiting_prefixlen
    local wg_exiting_mtu
    local wg_existing_link_state
    declare -a configured_endpoints

    if [[ -n $(ip link show protonwire0 type wireguard 2>/dev/null) ]]; then
        log_notice "WireGuard interface 'protonwire0' already exists"
        local _ipjson
        _ipjson=$(ip --json addr show dev protonwire0)
        if [[ -z $_ipjson ]]; then
            log_error "Failed to get link properties for 'protonwire0'"
            return 1
        fi

        wg_existing_ip="$(jq -r '.[].addr_info[] | select(.family=="inet") | .local' <<<"${_ipjson}" 2>/dev/null)"
        wg_exiting_prefixlen="$(jq -r '.[].addr_info[] | select(.family=="inet") | .prefixlen' <<<"${_ipjson}" 2>/dev/null)"
        wg_exiting_mtu="$(jq -r '.[].mtu' <<<"${_ipjson}" 2>/dev/null)"
        wg_existing_link_state="$(jq -r '.[].operstate' <<<"${_ipjson}" 2>/dev/null)"
        readarray -t configured_endpoints < <(wg show protonwire0 endpoints 2>/dev/null)

        log_debug "Current IPAddress  (protonwire0) : $wg_existing_ip"
        log_debug "Current Prefix     (protonwire0) : $wg_exiting_prefixlen"
        log_debug "Current Link MTU   (protonwire0) : $wg_exiting_mtu"
        log_debug "Current Link State (protonwire0) : $wg_existing_link_state"
        log_debug "Current Endpoints  (protonwire0) : ${configured_endpoints[*]}"
    elif [[ -n $(ip link show protonwire0 2>/dev/null) ]]; then
        log_error "Existing interface 'protonwire0' is not a WireGuard interface"
        return 1
    else
        log_notice "Creating WireGuard Interface - protonwire0"
        if ! ip link add protonwire0 type wireguard 2>&1 | log_tail "ip-link"; then
            log_error "WireGuard interface creation failed!"
            log_error "Please install WireGuard. For more info see https://www.wireguard.com/install/"
            return 1
        fi
    fi

    # Protonvpn has static ip same for all clients
    if [[ $wg_existing_ip == "10.2.0.2" ]] && [[ $wg_exiting_prefixlen == "32" ]]; then
        log_success "WireGuard interface already has address - 10.2.0.2/32"
    else
        if [[ -n $wg_existing_ip ]]; then
            log_info "Flushing all exiting addresses on WireGuard Interface"
            if ! ip address flush "protonwire0" 2>&1 | log_tail "ip-addr"; then
                log_error "Failed to flush addresses ip -4on WireGuard interface 'protowire0'"
                return 1
            fi
        fi
        log_info "Setting WireGuard interface address - 10.2.0.2"
        if ! ip -4 address add 10.2.0.2/32 dev protonwire0 2>&1 | log_tail "ip-addr"; then
            log_error "Setting address on 'protonwire0' failed!"
            return 1
        fi
    fi

    # MTU
    if [[ $wg_exiting_mtu == "1480" ]]; then
        log_success "WireGuard interface MTU is already set to - 1480"
    else
        log_info "Setting WireGuard interface MTU to 1480"
        if ! ip link set protonwire0 mtu 1480 2>&1 | log_tail "ip-link"; then
            log_error "Setting protonwire0 MTU failed"
            return 1
        fi
    fi

    # Private key, check via public key
    if [[ $(wg show protonwire0 public-key) == "${wg_client_pubkey:-none}" ]]; then
        log_success "WireGuard interface already has private key configured"
    else
        if [[ -n $WIREGUARD_PRIVATE_KEY ]]; then
            if printf "%s" "${WIREGUARD_PRIVATE_KEY}" | wg set protonwire0 private-key /dev/stdin 2>&1 | log_tail "wg-set-key"; then
                log_success "Configured WireGuard private key"
            else
                log_error "Setting WireGuard private key failed!"
                return 1
            fi
        elif [[ -n $WIREGUARD_PRIVATE_KEY_FILE ]]; then
            if wg set protonwire0 private-key "${WIREGUARD_PRIVATE_KEY_FILE}" 2>&1 | log_tail "wg-set-key"; then
                log_success "Configured WireGuard private key from $WIREGUARD_PRIVATE_KEY_FILE"
            else
                log_error "Setting WireGuard private key from $WIREGUARD_PRIVATE_KEY_FILE failed!"
                return 1
            fi
        else
            log_error "Private key is not defined or not found!"
            return 1
        fi
    fi

    # peers and endpoints
    # If interface already has a peer,
    # check if its in the available endpoints
    # if yes, continue to use it. if not, select a random endpoint from list of endpoints.
    local selected_endpoint
    local ep_reconfigure="true"
    if [[ ${#configured_endpoints[@]} -eq 0 ]]; then
        log_debug "No configured endpoints on the interface 'protonwire0'"
    elif [[ ${#configured_endpoints[@]} -eq 1 ]]; then
        log_debug "Single peer configured with ${configured_endpoints[0]}"
        # check if configured endpoint is in the list of online endpoints
        if [[ ${configured_endpoints[0]} == *"${__PROTONWIRE_ENDPOINT_IPS_ONLINE[*]}"* ]]; then
            selected_endpoint="${configured_endpoints[0]}"
            ep_reconfigure="false"
        else
            log_warning "WireGuard interface is configured wrong peer - ${configured_endpoints[0]}"
        fi
    else
        log_warning "WireGuard interface 'protonwire0' is connected to multiple peers(${#configured_endpoints[@]})"
    fi

    # select peer
    if [[ $ep_reconfigure == "true" ]]; then
        local selected_endpoint_index
        log_variable "__PROTONWIRE_ENDPOINT_IPS_ONLINE"
        if [[ ${#__PROTONWIRE_ENDPOINT_IPS_ONLINE[@]} -gt 1 ]]; then
            selected_endpoint_index="$(((RANDOM % ${#__PROTONWIRE_ENDPOINT_IPS_ONLINE[@]}) + 1))"
            selected_endpoint="${__PROTONWIRE_ENDPOINT_IPS_ONLINE["${selected_endpoint_index}"]}"
            log_debug "Selected endpoint($selected_endpoint_index) $selected_endpoint"
        elif [[ ${#__PROTONWIRE_ENDPOINT_IPS_ONLINE[@]} -eq 1 ]]; then
            selected_endpoint="${__PROTONWIRE_ENDPOINT_IPS_ONLINE[0]}"
            log_debug "Selected endpoint $selected_endpoint"
        else
            log_error "No endpoints to select"
            return 1
        fi
    fi

    # Cleanup peers on interfaces
    local errs=0
    if [[ $ep_reconfigure != "false" ]]; then
        for stale_peer in "${configured_endpoints[@]}"; do
            if wg set protonwire0 peer "${stale_peer%%	*}" remove 2>&1 | log_tail "wg-peer-remove"; then
                log_warning "Removed peer - $stale_peer"
            else
                log_error "Failed to remove peer - $stale_peer"
                ((++errs))
            fi
        done
    fi

    if [[ $errs -gt 0 ]]; then
        return 1
    fi

    # Configure peers
    if [[ $ep_reconfigure != "false" ]]; then
        local peer_pub_key
        peer_pub_key="${__PROTONWIRE_KEY_MAP["${selected_endpoint}"]}"
        log_debug "Peer public key - $peer_pub_key"

        if wg set protonwire0 peer "$peer_pub_key" \
            allowed-ips 0.0.0.0/0,::/0 \
            endpoint "${selected_endpoint}:51820" \
            persistent-keepalive 25 \
            2>&1 | log_tail "wg-set-peer"; then
            log_info "WireGuard interface is configured with peer - $peer_pub_key(${selected_endpoint})"
        else
            log_error "Setting WireGuard peer $peer_pub_key(${selected_endpoint}) on interface failed!"
            return 1
        fi
    else
        log_success "WireGuard interface already has peer - ${selected_endpoint%%	*}(${selected_endpoint##*	})"
    fi

    # Check if link is down if so, bring it up
    if [[ $wg_existing_link_state == "DOWN" ]] || [[ -z $wg_existing_link_state ]]; then
        log_info "Bringing WireGuard interface up"
        if ! ip link set protonwire0 up 2>&1 | log_tail "ip-link"; then
            log_error "Bringing WireGuard interface up failed"
            return 1
        fi
    else
        log_success "WireGuard interface is already UP"
    fi

    # fw mark 0xca6d(51821)
    if [[ $(wg show protonwire0 fwmark) == "0xca6d" ]]; then
        log_success "WireGuard interface fwmark is already set to - 0xca6d"
    else
        if wg set protonwire0 fwmark 0xca6d 2>&1 | log_tail "wg-set-fwmark"; then
            log_success "Configured fwmark on WireGuard interface to - 0xca6d"
        else
            log_error "Setting fwmark on WireGuard interface to - 0xca6d failed!"
            return 1
        fi
    fi

    if ! __build_subnets; then
        return 1
    fi

    if ! __build_route_table; then
        log_error "Failed to build route table!"
        return 1
    fi

    if ! __build_route_rules; then
        log_error "Failed to configure routing rules!"
        return 1
    fi

    # DNS
    if __is_skip_dns_config; then
        log_info "Skipping DNS configuration"
    else
        if __resolvconf_up_hook; then
            log_success "Successfully configured DNS (protonwire)"
        else
            log_error "Failed to configure DNS (protonwire)"
            return 1
        fi
    fi

    if __has_notify_socket; then
        __systemd_notify "STATUS=Connected to ${PROTONVPN_SERVER}"
    fi
}

function protonvpn_connect_cmd() {
    if ! __run_checks; then
        log_error "Please fix the errors and try again!"
        return 1
    fi

    if __protonvpn_connect; then
        return 0
    fi
    return 1
}

function __protonvpn_disable_ks() {
    local table_id="51821"
    log_notice "Disabling killswitch (if any)"

    if __is_ipv6_disabled; then
        declare -ar __rt_protos=("4")
    else
        declare -ar __rt_protos=("4" "6")
    fi
    local errs=0
    for proto in "${__rt_protos[@]}"; do
        if [[ $proto == "4" ]]; then
            declare -a desired_routes=("${__PROTONWIRE_SUBNET_4[@]}")
        elif [[ $proto == "6" ]]; then
            declare -a desired_routes=("${__PROTONWIRE_SUBNET_6[@]}")
        fi
        local routes_ks
        local routes_json
        routes_json="$(ip "-${proto}" --json route show table "${table_id}" 2>/dev/null)"
        routes_ks="$(jq -r '.[] | select((.metric==900) and (.type=="prohibit")) | .dst' <<<"${routes_json}" 2>/dev/null)"
        if [[ -n ${routes_ks} ]]; then
            log_debug "Existing killswitch routes found (IPv$proto)"
            for route in "${desired_routes[@]}"; do
                __route_regex="(${route}|${route///32/})" # special handling of /32 route
                if [[ "$routes_ks" =~ ${__route_regex} ]]; then
                    log_debug "Deleting prohibit route - $route in table $table_id (IPv$proto)"
                    if ! ip "-${proto}" route del table "$table_id" metric 900 prohibit "${route}" 2>&1 | log_tail "ip-route-del-ks"; then
                        log_error "Failed to delete prohibit route - ${route} to table $table_id (IPv$proto)"
                        ((++errs))
                    fi
                else
                    log_debug "Prohibit route - $route is not present in table $table_id (IPv$proto)"
                fi
            done
        else
            log_info "No existing killswitch routes found in table $table_id (IPv$proto)"
        fi
        # if wg routes are present, leave the ip rule as is otherwise delete the ip rule.
        local wg_rt
        wg_rt="$(ip "-${proto}" --json route show table "${table_id}" 2>/dev/null | jq -r '.[] | select((.metric==500) and (.dev=="protonwire0")) | .dst' 2>/dev/null)"
        if [[ -z ${wg_rt} ]]; then
            while [[ $(ip "-${proto}" rule show 2>/dev/null) == *"lookup 51821"* ]]; do
                log_notice "Removing IP rule (IPv$proto)"
                if ! ip "-${proto}" rule del not fwmark 0xca6d table 51821 2>&1 | log_tail "ip-rule"; then
                    log_error "Failed to remove IP rule (IPv$proto) "
                    ((++errs))
                fi
            done
        else
            log_notice "Not deleting IP routng rule as wg routes are is active"
        fi
    done
    if [[ $errs -eq 0 ]]; then
        return 0
    fi
    return 1
}

function __protonvpn_delete_wg_routes() {
    local table_id="51821"
    if __is_ipv6_disabled; then
        declare -ar __rt_protos=("4")
    else
        declare -ar __rt_protos=("4" "6")
    fi
    local errs=0
    for proto in "${__rt_protos[@]}"; do
        if [[ $proto == "4" ]]; then
            declare -a desired_routes=("${__PROTONWIRE_SUBNET_4[@]}")
        elif [[ $proto == "6" ]]; then
            declare -a desired_routes=("${__PROTONWIRE_SUBNET_6[@]}")
        fi
        local routes_json
        local routes_wg
        routes_json="$(ip "-${proto}" --json route show table "${table_id}" 2>/dev/null)"
        routes_wg="$(jq -r '.[] | select((.metric==500) and (.dev=="protonwire0")) | .dst' <<<"${routes_json}" 2>/dev/null)"
        if [[ -n ${routes_wg} ]]; then
            log_debug "Existing wireguard routes found (IPv$proto)"
            for route in "${desired_routes[@]}"; do
                __route_regex="(${route}|${route///32/})" # special handling of /32 route
                if [[ "$routes_wg" =~ ${__route_regex} ]]; then
                    log_debug "Deleting route - $route in table $table_id (IPv$proto)"
                    if ! ip "-${proto}" route del table "$table_id" metric 500 dev protonwire0 "${route}" 2>&1 | log_tail "ip-route-del-ks"; then
                        log_error "Failed to delete route - ${route} to table $table_id (IPv$proto)"
                        ((++errs))
                    fi
                else
                    log_debug "Route - $route is not present in table $table_id (IPv$proto)"
                fi
            done
        else
            log_info "No existing routes found in table $table_id (IPv$proto)"
        fi
    done
    if [[ $errs -eq 0 ]]; then
        return 0
    fi
    return 1
}

function __protonvpn_disconnect() {
    __PROTONWIRE_DISCONNECTING="true"
    local table_id="51821"
    local errs=0

    if __has_notify_socket; then
        log_debug "Notify to systemd that vpn is disconnecting"
        __systemd_notify "Disconnecting from ${PROTONVPN_SERVER:-NA}"
        __systemd_notify "STOPPING=1"
    else
        log_debug "No systemd notify socket found, skiping stopping notification"
    fi
    local errs=0

    if __is_skip_dns_config; then
        log_info "Skipping DNS configuration"
        if __resolvconf_down_hook; then
            log_success "Successfully restored DNS(resolvconf)"
        else
            log_error "Failed to restore DNS"
            ((++errs))
        fi
    fi

    if ! __protonvpn_delete_wg_routes; then
        ((++errs))
    fi

    # if kill-switch routes are present, leave the ip rule as is
    # otherwise delete the ip rule.
    if __is_ipv6_disabled; then
        declare -ar __rt_protos=("4")
    else
        declare -ar __rt_protos=("4" "6")
    fi
    local errs=0
    for proto in "${__rt_protos[@]}"; do
        local ks_rt
        local routes_json
        routes_json="$(ip "-${proto}" --json route show table "${table_id}" 2>/dev/null)"
        ks_rt="$(jq -r '.[] | select((.metric==900) and (.type=="prohibit")) | .dst' <<<"${routes_json}" 2>/dev/null)"
        if [[ -z ${ks_rt} ]]; then
            while [[ $(ip "-${proto}" rule show 2>/dev/null) == *"lookup 51821"* ]]; do
                log_notice "Removing IP rule (IPv$proto)"
                if ! ip "-${proto}" rule del not fwmark 0xca6d table 51821 2>&1 | log_tail "ip-rule"; then
                    log_error "Failed to remove IP rule (IPv$proto) "
                    ((++errs))
                fi
            done
        else
            log_notice "Not deleting IP routng rule as kill-switch is active"
        fi
    done

    if [[ -n $(ip link show protonwire0 type wireguard 2>/dev/null) ]]; then
        log_info "Removing WireGuard interface"
        if ! ip link del protonwire0 2>&1 | log_tail "ip link"; then
            log_error "Failed to remove WireGuard interface"
            ((++errs))
        fi
    else
        log_notice "WireGuard interface 'protonwire0' does not exist"
    fi

    if [[ $errs -eq 0 ]]; then
        if __has_notify_socket; then
            log_debug "Notify to systemd that vpn has disconnected"
            __systemd_notify "Disconnected"
        fi
        return 0
    fi

    if __has_notify_socket; then
        log_debug "Notify to systemd that vpn disconnection errored"
        __systemd_notify "Failed to disconnect"
    fi
    return 1
}

function protonvpn_disable_ks_cmd() {
    __detect_paths
    if ! __check_tools; then
        return 1
    fi

    if ! __check_caps; then
        log_error "Run as root and/or add CAP_NET_ADMIN capability"
        return 1
    fi

    if ! __build_subnets; then
        return 1
    fi

    if __protonvpn_disable_ks; then
        return 0
    fi
    return 1
}

function protonvpn_disconnect_cmd() {
    __detect_paths
    local errs=0

    if ! __check_tools; then
        return 1
    fi

    if ! __check_caps; then
        log_error "Run as root and/or add CAP_NET_ADMIN capability"
        return 1
    fi

    if ! __build_subnets; then
        return 1
    fi

    if __protonvpn_disconnect; then
        ((++errs))
    fi

    log_variable "__PROTONWIRE_DISCONNECT_DISABLE_KILL_SWITCH"
    if __is_bool_true "${__PROTONWIRE_DISCONNECT_DISABLE_KILL_SWITCH}"; then
        if ! __protonvpn_disable_ks; then
            ((++errs))
        fi
    else
        log_info "Killswitch state is left unchanged"
    fi

    if [[ $errs -eq 0 ]]; then
        return 0
    fi
    return 1
}

function __automatic_server_selection_error_msg() {
    log_error "Automatic server selection for (${PROTONVPN_SERVER}) is not supported due to upstream API changes."
    log_error "Specify a valid server DNS name like node-nl-01.protonvpn.net or server name like NL-1."
    log_error "See - https://github.com/tprasadtp/protonvpn-docker/blob/master/docs/faq.md#overriding-entrypointcommand"
}

function server_lookup_cmd() {
    if [[ -z ${PROTONVPN_SERVER} ]]; then
        log_error "PROTONVPN_SERVER not specified"
        return 1
    fi

    __detect_paths

    local errs=0

    log_debug "Checking tools"

    declare -a commands=(
        "curl"    # curl
        "jq"      # jq
        "timeout" # coreutils
        "flock"   # flock | linux-utils
    )

    # Check if all commands are available
    declare -a missing_commands
    for command in "${commands[@]}"; do
        if ! has_command "$command"; then
            ((++errs))
            missing_commands+=("$command")
        fi
    done

    if [[ ${#missing_commands[@]} -gt 0 ]]; then
        log_error "Following commands are missing - ${missing_commands[*]}"
        ((++errs))
    fi

    if [[ $errs -gt 0 ]]; then
        return 1
    fi

    if ! protonvpn_fetch_metadata; then
        return 1
    fi

    if [[ -z ${__PROTONWIRE_SRV_INFO} ]]; then
        log_debug "__PROTONWIRE_SRV_INFO is undefined!"
        return 1
    fi

    # Get server status.
    _server_status="$(jq -r '.Status' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    log_info "Server Status        : ${_server_status:-NA}"

    _server_name="$(jq -r '.Name' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    log_info "Server Name          : ${_server_name:-NA}"

    _server_dns="$(jq -r '.DNS' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    log_info "Server DNS Name      : ${_server_dns:-NA}"

    _server_streaming="$(jq -r '.Streaming' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    log_info "Feature (Streaming)  : ${_server_streaming:-NA}"

    _server_p2p="$(jq -r '.P2P' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    log_info "Feature (P2P)        : ${_server_p2p:-NA}"

    _secure_core="$(jq -r '.SecureCore' <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)"
    log_info "Feature (SecureCore) : ${_secure_core:-NA}"

    # Get all Endpoint IPs which are online.
    log_debug "Selecting all ONLINE endpoints"
    readarray -t __PROTONWIRE_ENDPOINT_IPS_ONLINE < <(jq -r \
        '[.Nodes[] | select(.Status=="ONLINE")] | sort_by(.Endpoint) | .[].Endpoint' \
        <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)

    # Collect all exit IPs
    readarray -t __PROTONVPN_EXIT_IP_LIST < <(jq -r \
        '.ExitIPs[]' \
        <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)
    log_info "Exit IPs             : ${__PROTONVPN_EXIT_IP_LIST[*]}"

    # Extract Endpoint IPs (only online ones)
    declare -a -g __PROTONWIRE_ENDPOINT_IPS_ONLINE

    # Associative array to map endpoint ip to keys.
    declare -A -g __PROTONWIRE_KEY_MAP

    # Loop over all __PROTONWIRE_ENDPOINT_IPS_ONLINE and get their public key.
    # and save it in an associative array mapping endpoint to public keys.
    # we also consider all nodes as they may not be actually "offline"
    # though non-online nodes are not considered while connecting, only for verification.
    for endpoint in "${__PROTONWIRE_ENDPOINT_IPS_ONLINE[@]}"; do
        declare -a endpoint_keys
        readarray -t endpoint_keys < <(jq -r \
            --arg endpoint "$endpoint" \
            '[.Nodes[] | select(.Endpoint==$endpoint)] | .[].PublicKey' \
            <<<"${__PROTONWIRE_SRV_INFO}" 2>/dev/null)
        if [[ ${#endpoint_keys[@]} -gt 1 ]]; then
            log_warning "Endpoint(${endpoint}) has multiple pub keys, only using first key"
            __PROTONWIRE_KEY_MAP["${endpoint}"]="${endpoint_keys[0]}"
        elif [[ ${#endpoint_keys[@]} -eq 1 ]]; then
            if [[ -z ${endpoint} ]]; then
                log_error "Endpoint IP is empty!"
            else
                log_debug "Endpoint($endpoint) has pubkey - ${endpoint_keys[0]}"
            fi
            __PROTONWIRE_KEY_MAP["${endpoint}"]="${endpoint_keys[0]}"
        else
            log_error "Endpoint(${endpoint}) for server ${PROTONVPN_SERVER} returned no pubkeys"
            return 1
        fi
    done

    for index in "${!__PROTONWIRE_KEY_MAP[@]}"; do
        local endpoint_pubkey_printf=""
        printf -v endpoint_pubkey_printf "%-20s : %s (Public Key)" "$index" "${__PROTONWIRE_KEY_MAP[$index]}"
        log_info "$endpoint_pubkey_printf"
    done
}

function display_usage() {
    cat <<EOF

ProtonVPN WireGuard Client

Usage: protonwire [OPTIONS...]
or: protonwire [OPTIONS...] c|connect [SERVER]
or: protonwire [OPTIONS...] d|disconnect
or: protonwire [OPTIONS...] check
or: protonwire [OPTIONS...] disable-killswitch
or: protonwire [OPTIONS...] server-info [SERVER]

Options:
  -k, --private-key FILE|KEY    Wireguard private key or
                                file containing private key
      --service                 Run as service
      --service-status-file     Use status file created by --service
                                for healthchecks. Only valid when both process
                                are running within the same container.
      --metadata-url URL        Server metadata endpoint URL
      --check-interval INT      IP check interval in seconds (default 60)
      --check-url URL           IP check endpoint URL
      --skip-dns-config         Skip configuring DNS.
                                (Useful for Kubernetes and Consul)
      --kill-switch             Enable killswitch (Experimental)
      --p2p                     Verify if specified server supports P2P
      --streaming               Verify if specified server supports streaming
      --tor                     Verify if specified server supports Tor
      --secure-core             Verify if specified server supports secure core
  -q, --quiet                   Show only errors
  -v, --verbose                 Show debug logs
  -h, --help                    Display this help and exit
      --version                 Display version and exit

Examples:
  protonwire connect nl-1       Connect to server nl-1
  protonwire d --kill-switch    Disconnect from current server and disable kill-switch
  protonwire verify [SERVER]    Check if connected to a server

Files:
  /etc/protonwire/private-key   WireGuard private key

Environment:
  WIREGUARD_PRIVATE_KEY         WireGuard private key or file
  PROTONVPN_SERVER              ProtonVPN server
  IPCHECK_INTERVAL              Custom IP check interval in seconds (default 60)
  IPCHECK_URL                   IP check endpoint URL (must be https://)
  SKIP_DNS_CONFIG               Set to '1' to skip configuring DNS
  KILL_SWITCH                   Set to '1' to enable killswitch (Experimental)
  DEBUG                         Set to '1' to enable debug logs
EOF
}

function main() {
    declare -i log_lvl_v_lock=0
    declare -i log_lvl_q_lock=0
    declare -i cmd_lock=0
    local color_mode="auto"
    local looper_flag="false"
    local healthcheck_service_status_file="false"
    local cmd_mode=""

    # cmd mode needs to be handled differently
    # as user may invoke just the script without arguments expecting a help
    # or with unknown/malformed arguments which needs to be handled gracefully.
    # so, set cmd_mode to HELP only if no other arguments are specified.
    # also keep a copy or arguments as it will be nuked via shift.
    # See https://github.com/tprasadtp/protonvpn-docker/issues/312.
    declare -a args_copy
    args_copy=("$@")
    if [[ $# -eq 0 ]]; then
        cmd_mode="HELP"
    fi

    if __is_bool_true "${DEBUG}"; then
        LOG_LVL="0"
    fi

    while [[ ${1} != "" ]]; do
        case ${1} in
        -h | --help | help)
            cmd_mode="HELP"
            ;;
        --version | version)
            cmd_mode="VERSION"
            ;;
        --verbose | --debug | -v)
            DEBUG="1"
            LOG_LVL="0"
            ((++log_lvl_v_lock))
            ;;
        --quiet | --silent | -q)
            DEBUG="0"
            LOG_LVL=40
            ((++log_lvl_q_lock))
            ;;
        --force)
            PROTONWIRE_FORCE="1"
            ;;
        --color)
            shift
            color_mode="${1}"
            ;;
        --metadata-url | --metadata-endpoint)
            shift
            METADATA_URL="$1"
            ;;
        --logfmt | --logformat | --log-fmt | --log-format)
            shift
            LOG_FMT="${1}"
            ;;
        --check-interval | --ipcheck-interval)
            shift
            IPCHECK_INTERVAL="${1}"
            ;;
        --check-url | --check-endpoint | --ipcheck-url | --ipcheck-endpoint)
            shift
            IPCHECK_URL="${1}"
            ;;
        --skip-dns | --skip-dns-config)
            SKIP_DNS_CONFIG="true"
            ;;
        -k | --key | --private-key)
            shift
            WIREGUARD_PRIVATE_KEY="$1"
            ;;
        --killswitch | --kill-switch | --ks | -ks)
            KILL_SWITCH="true"
            __PROTONWIRE_DISCONNECT_DISABLE_KILL_SWITCH="true"
            ;;
        --p2p)
            __PROTONWIRE_FEATURE_P2P="true"
            ;;
        --streaming)
            __PROTONWIRE_FEATURE_STREAMING="true"
            ;;
        --tor)
            __PROTONWIRE_FEATURE_TOR="true"
            ;;
        --secure-core)
            __PROTONWIRE_FEATURE_SECURE_CORE="true"
            ;;
        --cc | --country)
            shift
            __PROTONWIRE_FEATURE_COUNTRY="$1"
            ;;
        # --container flag is deprecated, but is left here for
        # CLI compatibility reasons.
        --container | --service)
            looper_flag="true"
            ;;
        --service-status-file)
            healthcheck_service_status_file="true"
            ;;
        connect | c)
            ((++cmd_lock))
            cmd_mode="CONNECT"
            ;;
        disconnect | d)
            cmd_mode="DISCONNECT"
            ((++cmd_lock))
            ;;
        check | healthcheck | health-check | status | s | verify)
            cmd_mode="HEALTHCHECK"
            ((++cmd_lock))
            ;;
        lookup | server-info | server-lookup | lookup-server)
            cmd_mode="SERVER_LOOKUP"
            ((++cmd_lock))
            ;;
        disable-ks | disable-killswitch | disable-kill-switch)
            cmd_mode="DISABLE_KILLSWITCH"
            ((++cmd_lock))
            ;;
        -*)
            log_error "Invalid argument - $1. See usage below."
            display_usage
            exit 1
            ;;
        *)
            PROTONVPN_SERVER="$1"
            ;;
        esac
        shift
    done

    local args_errors=0

    case ${color_mode,,} in
    force | always)
        CLICOLOR_FORCE="1"
        ;;
    never)
        CLICOLOR="0"
        ;;
    auto) ;;
    *)
        log_error "Invalid --color mode specified - ${color_mode}"
        ((++args_errors))
        ;;
    esac

    if [[ ${log_lvl_q_lock} -gt 0 ]] && [[ ${log_lvl_v_lock} -gt 0 ]]; then
        log_error "Cannot use --debug/-v and --quiet/-q at the same time."
        ((++args_errors))
    fi

    if [[ $cmd_lock -gt 1 ]]; then
        log_error "More than one exclusive command specified!"
        ((++args_errors))
    fi

    if [[ ${cmd_mode} == "CONNECT" ]]; then
        if [[ -z $PROTONVPN_SERVER ]]; then
            log_error "PROTONVPN_SERVER is not defined!"
            ((++args_errors))
        else
            log_variable "PROTONVPN_SERVER"
        fi
    fi

    if [[ -n $__PROTONWIRE_FEATURE_COUNTRY ]]; then
        if [[ $__PROTONWIRE_FEATURE_COUNTRY =~ ^[a-zA-Z]{2}$ ]]; then
            log_variable "__PROTONWIRE_FEATURE_COUNTRY"
        else
            log_error "Invalid Country code specified - ${__PROTONWIRE_FEATURE_COUNTRY}"
            ((++args_errors))
        fi
    fi

    if [[ $cmd_mode == "HEALTHCHECK" ]]; then
        if [[ $looper_flag == "true" ]]; then
            cmd_mode="HEALTHCHECK_SERVICE_STATUS_FILE"
        fi
        if [[ $healthcheck_service_status_file == "true" ]]; then
            cmd_mode="HEALTHCHECK_SERVICE_STATUS_FILE"
        fi
    fi

    if [[ $cmd_mode == "CONNECT" ]] && [[ $looper_flag == "true" ]]; then
        cmd_mode="LOOPER"
    fi

    if [[ -n ${IPCHECK_INTERVAL} ]]; then
        log_variable "IPCHECK_INTERVAL"
        if [[ $IPCHECK_INTERVAL =~ ^[0-9]+$ ]]; then
            if [[ ${IPCHECK_INTERVAL} -eq 0 ]]; then
                :
            elif [[ ${IPCHECK_INTERVAL} -lt 10 ]]; then
                log_error "IPCHECK_INTERVAL must be at-least 10s."
                ((++args_errors))
            fi
        else
            log_error "IPCHECK_INTERVAL must be a positive integer."
            ((++args_errors))
        fi
    fi

    if [[ -z ${IPCHECK_URL} ]]; then
        IPCHECK_URL="https://icanhazip.com/"
        log_variable "IPCHECK_URL"
    fi

    if [[ -z ${METADATA_URL} ]]; then
        METADATA_URL="https://protonwire-api.vercel.app/v1/server"
        log_variable "METADATA_URL"
    fi

    case "${PROTONVPN_SERVER,,}" in
    free | *-free | pro | p2p | random | secure-core | secure_core | sc | tor | streaming)
        __automatic_server_selection_error_msg
        ((++args_errors))
        ;;
    esac
    if [[ ${PROTONVPN_SERVER,,} =~ ^[a-z]{2}$ ]]; then
        __automatic_server_selection_error_msg
        ((++args_errors))
    fi

    if [[ $args_errors -gt 0 ]]; then
        log_error "See protonwire(1) or protonwire --help for more information."
        exit 1
    fi

    case "${cmd_mode^^}" in
    HEALTHCHECK)
        protonvpn_verify_cmd
        exit $?
        ;;
    HEALTHCHECK_SERVICE_STATUS_FILE)
        protonvpn_healthcheck_status_file
        exit $?
        ;;
    LOOPER)
        protonvpn_looper_cmd
        exit $?
        ;;
    CONNECT)
        protonvpn_connect_cmd
        exit $?
        ;;
    DISCONNECT)
        protonvpn_disconnect_cmd
        exit $?
        ;;
    DISABLE_KILLSWITCH)
        protonvpn_disable_ks_cmd
        exit $?
        ;;
    HELP)
        display_usage
        exit $?
        ;;
    SERVER_LOOKUP)
        server_lookup_cmd
        exit $?
        ;;
    VERSION)
        __print_version
        exit $?
        ;;
    *)
        log_error "Unknown COMMAND - ${args_copy[*]} See usage below."
        log_error "If overriding entrypoint/cmd specify it in array form."
        log_error "See FAQ - https://github.com/tprasadtp/protonvpn-docker/blob/master/docs/faq.md for more info."
        display_usage
        exit 10
        ;;
    esac
}

main "$@"