Set up both a VPN and local access for your containers in just a few moments using Gluetun! You can even use Pi-hole as your DNS!
Gluetun
Gluetun is a VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
You can connect it to most popular VPN providers using OpenVPN, as well as your own self-hosted WireGuard server! We will go over both options.
Connecting to a VPN provider
OpenVPN
Requirements:
- Create a new stack in Portainer
- Get your OpenVPN username and password from your VPN provider. You can also use a WireGuard configuration file if they provide one, but it is not as easy to change IPs that way
- Verify the Environment Variables needed for your provider
  - Usually you just need the provider name from there, and the username and password from before
- Paste the following YAML in the web editor and edit it to your needs
version: "3"
services:
  gluetun-pia:
    container_name: gluetun-pia
    image: qmcgaw/gluetun:v3.38.0
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - /volumes/gluetun:/gluetun
    ports:
      # Published ports listen on every host interface by default;
      # write 127.0.0.1:42364:8000/tcp to keep a port reachable from this host only
      - 42364:8000/tcp # API
      - 16544:8888/tcp # HTTP proxy
      - 45359:8388/tcp # Shadowsocks
      - 1242:8388/udp # Shadowsocks
      # - 3000:3000 # Add any ports your application needs here
    cap_add:
      - NET_ADMIN
    environment:
      - HTTP_CONTROL_SERVER_ADDRESS=:8000 # Change this if your application needs port 8000
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=p12345
      - OPENVPN_PASSWORD=abcdefg
      - SERVER_REGIONS=Netherlands,Switzerland,Cyprus
      - EXTRA_SUBNETS=192.168.1.0/24 # Adding the local subnet, change as needed
      # - DNS_ADDRESS=192.168.1.77 # Uncomment to set a specific DNS server such as Pihole or Adguard Home
- Deploy the stack and wait for the container to start up
If it complains about servers.json being empty, it should be enough to just delete the file, but if you’re still having issues you can run
docker run -v /volumes/gluetun:/gluetun qmcgaw/gluetun format-servers -private-internet-access
Replace -private-internet-access with the flag for the provider you’re using. If you’re not certain how to spell it, just spell it wrong and it will show you a list of providers.
Wireguard
Setting this up is much easier: you only need to get your WireGuard configuration file and mount it inside the container. Change the path, ports, and anything else you need, then deploy the stack!
# Service definition; place it under "services:" in your stack
gluetun-wg:
  image: qmcgaw/gluetun:v3.38.0
  container_name: gluetun-wg
  cap_add:
    - NET_ADMIN
  devices:
    - /dev/net/tun:/dev/net/tun
  volumes:
    # A single volumes key: YAML does not allow the same key twice in one mapping
    - /volumes/gluetun:/gluetun
    - /path/to/your/wireguard.conf:/gluetun/wireguard/wg0.conf:ro
  ports:
    - 42364:8000/tcp # API
    - 16544:8888/tcp # HTTP proxy
    - 45359:8388/tcp # Shadowsocks
    - 1242:8388/udp # Shadowsocks
    # - 3000:3000 # Add any ports your application needs here
  environment:
    - VPN_SERVICE_PROVIDER=custom
    - VPN_TYPE=wireguard
    - HTTP_CONTROL_SERVER_ADDRESS=:8000
    - EXTRA_SUBNETS=192.168.1.0/24
Connecting a container to Gluetun
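Remove the ports from your application’s stack, and add one of the following network modes, depending on your use case:
network_mode: "container:gluetun-pia" # Gluetun runs in a different stack; refers to it by container name
network_mode: "service:gluetun-pia" # Gluetun is a service in the same compose file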
Note
Changing IP
You can change the IP using the following bash script:
#!/bin/bash
curl localhost:42364/v1/openvpn/status -d '{"status":"stopped"}' -X PUT
curl localhost:42364/v1/openvpn/status -d '{"status":"running"}' -X PUT
Replace the port with your own, and replace localhost with the correct IP if you want to change it from another system.
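The stop/start script above does not check that the tunnel came back or that the address actually changed. The following is an added example, not the article's script or Gluetun's own code, that sends the same two requests and then polls the control server until a different exit IP is reported. It assumes the OpenVPN stack and port 42364 from this article, and that GET /v1/publicip/ip returns JSON with a "public_ip" field; the function names are made up for this example.

```bash
#!/bin/bash
# Added example: rotate the Gluetun exit IP and confirm a new one is in use.
# Assumptions: the OpenVPN stack above with the control server published on
# localhost:42364, and GET /v1/publicip/ip answering with a "public_ip" field.
GLUETUN_API="${GLUETUN_API:-http://localhost:42364}"

# Print the value of one string field from a flat JSON object on stdin.
json_field() {
    sed -n 's/.*"'"$1"'" *: *"\([^"]*\)".*/\1/p'
}

# Current exit IP as Gluetun reports it; empty while the tunnel is down.
public_ip() {
    curl -fsS --max-time 5 "$GLUETUN_API/v1/publicip/ip" | json_field public_ip
}

# Same PUT request as the article's script, with HTTP errors surfaced (-f).
set_vpn_status() {
    curl -fsS --max-time 10 -X PUT -d "{\"status\":\"$1\"}" \
        "$GLUETUN_API/v1/openvpn/status" >/dev/null
}

# rotate_ip [attempts] [delay_seconds]
# 0: IP changed (prints "old -> new"); 1: API unreachable or no current IP;
# 2: tunnel did not come back with a different IP in time.
rotate_ip() {
    attempts="${1:-12}"; delay="${2:-5}"
    old_ip=$(public_ip 2>/dev/null)
    [ -n "$old_ip" ] || return 1
    set_vpn_status stopped || return 1
    set_vpn_status running || return 1
    i=0
    while [ "$i" -lt "$attempts" ]; do
        new_ip=$(public_ip 2>/dev/null)
        if [ -n "$new_ip" ] && [ "$new_ip" != "$old_ip" ]; then
            echo "$old_ip -> $new_ip"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 2
}

# Only touch the VPN when invoked as: ./gluetun-rotate.sh run
if [ "${1:-}" = "run" ]; then
    rotate_ip || { echo "IP rotation not confirmed" >&2; exit 1; }
fi
```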
Automating the change
You can schedule this using cron, Home Assistant, Node-RED or any other automation tool you want!
Here’s a quickstart to run it every hour using cron on the same system where Gluetun is installed:
wget -O /etc/cron.hourly/gluetun-change-ip 'https://gist.githubusercontent.com/barrelltitor/d67518533c1d34dcf158b0d5d1ca27e8/raw/6f45e6b803b73988b12ac26def11b6760833fd41/gluetun-change-ip'
chmod +x /etc/cron.hourly/gluetun-change-ip
You should edit the file and change the port if you did not use the same one as in this article, and change the IP if you are running this on a different system.
TL;DR
This example is for Private Internet Access, which I highly recommend, and Tube Archivist (star it on GitHub right now), which I also highly recommend. Not sponsored in any way by either of them.
Requirements:
- Get the needed environment variables for your VPN provider
- For local access you will need to remove the port configurations from your existing docker container and set them on Gluetun. For Tube Archivist, this is port 8000
- You can get random ports quickly from here
- Both containers need to be on the same host
version: "3"
services:
  gluetun-pia:
    container_name: gluetun-pia
    image: qmcgaw/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    volumes:
      - /volumes/gluetun:/gluetun
    ports:
      - 42364:8099/tcp # API
      - 16544:8888/tcp # HTTP proxy
      - 45359:8388/tcp # Shadowsocks
      - 1242:8388/udp # Shadowsocks
      - 9042:8000 # Tube Archivist
    cap_add:
      - NET_ADMIN
    environment:
      - HTTP_CONTROL_SERVER_ADDRESS=:8099
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=p12345
      - OPENVPN_PASSWORD=abcdefg
      - SERVER_REGIONS=Netherlands,Switzerland,Cyprus
      - EXTRA_SUBNETS=192.168.1.0/24 # Adding the local subnet, change as needed
      # - DNS_ADDRESS=192.168.1.77 # Uncomment to set a specific DNS server such as Pihole or Adguard Home
For your Tube Archivist container (it doesn’t need to be in the same compose file) you will need to remove the ports and add:
network_mode: "container:gluetun-pia"
That’s it, your Tube Archivist container is now behind your Private Internet Access VPN using Gluetun!