I've installed a couple of containers on my RockPro64 (ARMv8 Processor rev 2 (v8l)) running openmediavault (version 4.1.27-1 Arrakis). Everything is working like a charm.
Containers that I use include Transmission, Jellyfin, Radarr, Sonarr, Jackett... et cetera. I would like to be able to connect those containers through a VPN, so that the connection is more private.
The ideal scenario would be that I have one 'VPN-container' that connects with my VPN provider (at the moment this is PIA, but I would like to have a flexible solution). My other containers will connect to the internet through this container so that they have a VPN-connection.
Maybe it is worth mentioning that I have two containers (Jellyfin & Nextcloud) that I can reach from outside through the internet on a domain name. Maybe it will be different to connect those through a VPN.
I could not find any clear guides that provide a solution for my set-up. I hope someone can give some ideas on where to start or share a guide that could work for me.
Routing Docker traffic through a VPN connection: I've recently taken to using Docker to install and run various software on my home server. Something that so far, it excels at - the people at linuxserver.io are doing great work!
The ports of the Docker containers you want to be routed through it have to be mapped. Without this step, you would have no way of accessing the application's web dashboard. Open the to-be-routed container's settings and take note of the mapped ports. Open the OpenVPN-Client settings and map every port you just took note of. For example, add port 7878 as both the host and container port if you wanted to route Radarr. You can now start the OpenVPN-Client Docker container, wait for it to connect, and then start the to-be-routed container. You can once again use the curl ifconfig.io command mentioned above to check whether the container is using the VPN or not.
I run radarr, sonarr, lidarr, bazarr, pyload, deluge, jellyfin, jackett, airsonic containers behind PIA vpn through https://github.com/qdm12/gluetun (on amd64, but images for arm64 are provided as well).
It's well documented and actively maintained. It supports Private Internet Access, Mullvad, Windscribe, Surfshark, Cyberghost, Vyprvpn, NordVPN, PureVPN and Privado at the moment of writing this.
For the gluetun container I use this to expose the ports:

    version: '3.7'
    services:
      gluetun:
        image: qmcgaw/private-internet-access
        container_name: gluetun
        cap_add:
          - NET_ADMIN # needed to create the tun device and manage the firewall
        network_mode: bridge
        ports:
          - 8888:8888/tcp # HTTP proxy
          - 8388:8388/tcp # Shadowsocks
          - 8388:8388/udp # Shadowsocks
          - 8000:8000/tcp # Built-in HTTP control server
          # other containers' ports (they share this container's network namespace)
          - 8112:8112 # deluge webui
          - 58846:58846 # deluge daemon
          - 6767:6767 # bazarr
          - 8989:8989 # sonarr
          - 7878:7878 # radarr
          - 8686:8686 # lidarr
          - 9117:9117 # jackett
          - 4040:4040 # airsonic
          - 8096:8096 # jellyfin/emby
          - 8227:8227 # pyload
        volumes:
          - ./data_gluetun:/gluetun
          - ./data_gluetun/port_forward:/tmp/gluetun/forwarded_port
        environment:
          - VPNSP=private internet access
          - TZ=Europe/London
          - USER=${PIA_USER}
          - PASSWORD=${PIA_PASS}
          - REGION=${PIA_REGION}
          - PORT_FORWARDING=on
          - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24 # LAN subnet allowed to bypass the tunnel
          - HTTPPROXY=on
          - SHADOWSOCKS=on
          - SHADOWSOCKS_PASSWORD=${SHADOW_PASS}
        restart: unless-stopped
And then, in the containers I wish to route via the above container, I commented out any existing network settings and replaced them with network_mode: "container:gluetun".
For automated letsencrypt certificates and a reverse proxy to access from outside the local network I use https://github.com/jc21/nginx-proxy-manager with the arm-compatible mariadb yobasystems/alpine-mariadb:latest, running on a RPi4b with 64-bit ubuntu server.
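One way to verify that the network_mode: "container:gluetun" setup above actually works, as an added example that is not from the thread or from the gluetun project: the script below reads each named container's network mode with docker inspect and compares the public address seen from inside the VPN container's namespace with the host's own. It assumes the docker CLI on the host, a VPN container named gluetun (override with VPN_CONTAINER), the curlimages/curl image, and the hypothetical script name check_vpn_routing.sh.

```shell
#!/bin/sh
# Added example, not from the thread: checks that service containers really
# share the VPN container's network namespace and that traffic leaving that
# namespace exits via the VPN rather than the host's own connection.
# Assumes: docker CLI on the host, VPN container $VPN_CONTAINER (default
# "gluetun" as in the compose file above), and the curlimages/curl image.
set -u
VPN_CONTAINER="${VPN_CONTAINER:-gluetun}"
IP_ECHO="${IP_ECHO:-https://ifconfig.io}"   # same echo service the thread uses

# netmode_target "container:gluetun" prints "gluetun"; any other mode fails.
netmode_target() {
  case "$1" in
    container:*) printf '%s\n' "${1#container:}" ;;
    *) return 1 ;;
  esac
}

# verdict HOST_IP VPN_IP prints "routed" (addresses differ), "leak" (same
# address, so traffic bypasses the tunnel) or "error" (a lookup failed).
verdict() {
  if [ -z "$1" ] || [ -z "$2" ]; then echo error; return 2; fi
  if [ "$1" = "$2" ]; then echo leak; return 1; fi
  echo routed
}

host_egress_ip() { curl -fsS --max-time 10 "$IP_ECHO"; }
# A throwaway curl container joins the VPN namespace exactly as a routed
# service does, so the address it reports is the one those services get.
vpn_egress_ip() {
  docker run --rm --network "container:$VPN_CONTAINER" curlimages/curl \
    -fsS --max-time 10 "$IP_ECHO"
}
container_netmode() { docker inspect -f '{{.HostConfig.NetworkMode}}' "$1"; }

# Usage: sh check_vpn_routing.sh radarr sonarr jackett
main() {
  rc=0
  for svc in "$@"; do
    mode=$(container_netmode "$svc" 2>/dev/null) || { echo "$svc: no such container"; rc=1; continue; }
    tgt=$(netmode_target "$mode") || { echo "$svc: NOT routed (network_mode=$mode)"; rc=1; continue; }
    echo "$svc: shares network namespace of $tgt"
  done
  h=$(host_egress_ip 2>/dev/null) || h=""
  v=$(vpn_egress_ip 2>/dev/null) || v=""
  echo "host egress=${h:-?} vpn egress=${v:-?} -> $(verdict "$h" "$v")"
  verdict "$h" "$v" >/dev/null || rc=1
  return "$rc"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit means at least one container is not in the VPN namespace or the VPN namespace egresses from the same address as the host; docker inspect may show the target as a container ID rather than the name, which the script accepts.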
This looks like what you need for the containers to secure the outgoing connections: https://jordanelver.co.uk/blog/2019/06/03/routing-docker-traffic-through-a-vpn-connection/. You want to start the container with --net container:name-of-vpn-container.
I imagine that if you want the incoming container to be through the VPN you will need to ensure that the VPN provider gives you a static IP/hostname and forward the ports. I suspect that you will not want to go down this road as it will be complex. The best bet is to continue to access them through the domain name, just make sure it's over https* and make sure the device–your phone/tablet/laptop whatever–you're using is on a VPN.
* Look no further than linuxserver.io's excellent work for more on this: https://blog.linuxserver.io/2020/08/21/introducing-swag/