Welcome back to the command line connoisseurs and Docker devotees!
In today's digital dive, we're fortifying our containerized architecture with an added layer of security and privacy by leveraging the power of Gluetun within Docker-compose. WHAT?
Picture this: a nifty VPN tunnel nested inside its own independent Docker container, ensuring that other containers communicate with the outside world solely through this secure channel.
Alright, let's simplify things: you've got different apps running on your home server and some you don't want visible to your ISP or nosy networks. We've all been there, where you might route one app through a VPN and leave another directly connected for speed. Sure, you could play around with complex routing rules, but who needs the headache? And your home router might not even support that level of tinkering.
So, imagine having an FTP client or something like JDownloader chugging away in a container. You know, the kind of traffic that might raise an eyebrow. We're talking hypotheticals, but let's keep it real – you want some apps wrapped up in a VPN, not exposed to the Clean Line of your ISP. Setting up individual VPNs is a pain and way too clunky.
That's where Gluetun steps into the spotlight. It provides a sleek, container-friendly solution that streamlines the whole process. Instead of losing sleep over intricate routing schemes or deploying a battalion of VPN instances, Gluetun allows you to selectively shield Dockerized apps. With a few lines in Docker-compose, I can route my privacy-sensitive containers through a VPN, while leaving the rest to enjoy the unhindered speed of a direct ISP connection.
This setup isn't just about ease of use; it's about precision control and performance, ensuring that only the containers I choose get the VPN treatment. The rest? They're free to zip along the fast lane. Gluetun is the perfect tool for consolidating network management within Docker, making it a no-brainer for anyone running a mixed-traffic home server.
To start, we set up Gluetun with this `docker-compose.yml`:
```yaml
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    volumes:
      - /srv/gluetun:/gluetun
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=123your-priv-key123
      - WIREGUARD_ADDRESSES=123Assigned-by-wg-server123
      - WIREGUARD_PRESHARED_KEY=123-PSK-goes-here-123
      - SERVER_REGIONS=Europe
      - TZ=Europe/Amsterdam
      - UPDATER_PERIOD=24h
    ports:
      - 3129:3129
  curl:
    image: curlimages/curl
    network_mode: "service:gluetun"
```
The `curl` service is included to make testing easy. After you deploy the stack with `docker-compose up -d`, you may first want to check the log output for errors with `docker-compose logs`. In my case it connected directly to the given WireGuard service.
Now the `curl` service specified above comes in handy: with `docker-compose run curl ipinfo.io` you should get output showing which IP the container uses to reach the internet. Ideally it is now the location of your VPN host.
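The `ipinfo.io` check above only tells you where the tunnel exits; a practitioner also wants to know that the namespace does not exit with the same address as the host (no VPN at all) and that nothing escapes over IPv6. The script below is an added example, not part of the original post or of the Gluetun project. It assumes a running container named `gluetun` (the `container_name` from the compose file), `docker` on `PATH`, and outbound access to `ipinfo.io`; `docker run --network container:gluetun` is the CLI equivalent of the compose `network_mode` line. The decision logic in `assess()` is pure, so it can be exercised on constructed addresses without Docker.

```python
"""Leak check for a Gluetun-attached network namespace (added example)."""
import ipaddress
import subprocess
import sys
import urllib.request
from typing import Dict, Optional

GLUETUN_CONTAINER = "gluetun"      # container_name from the compose file above
IP_ECHO = "https://ipinfo.io/ip"   # returns the caller's public address as plain text
CURL_IMAGE = "curlimages/curl"     # same image the compose file uses for testing


def public_ip_from_host() -> str:
    """Public address seen when leaving through the host's own (ISP) route."""
    with urllib.request.urlopen(IP_ECHO, timeout=10) as resp:
        return resp.read().decode().strip()


def public_ip_via_gluetun(ip_version: int = 4) -> Optional[str]:
    """Run a throwaway curl inside gluetun's network namespace.

    Returns None when the request fails. For ip_version=6 that is the
    expected outcome if IPv6 has been disabled in the namespace.
    """
    cmd = ["docker", "run", "--rm", "--network", f"container:{GLUETUN_CONTAINER}",
           CURL_IMAGE, "-s", "-m", "10", f"-{ip_version}", IP_ECHO]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


def assess(host_ip: str, tunnel_ip: Optional[str], tunnel_ip6: Optional[str]) -> Dict[str, bool]:
    """Pure decision logic: turn the three observations into findings.

    tunnel_up   - the namespace reached the echo service over IPv4 at all
    ipv4_leak   - it did so with the host's own public address (not via VPN)
    ipv6_egress - it can reach the internet over IPv6; for an IPv4-only VPN
                  (the post's case) that is a leak path
    """
    findings = {"tunnel_up": False, "ipv4_leak": False, "ipv6_egress": False}
    if tunnel_ip is None:
        # Nothing got out: kill-switch behaviour, tunnel down, or DNS broken.
        return findings
    try:
        ipaddress.ip_address(tunnel_ip)
    except ValueError:
        # Non-address answer (captive portal, proxy page): treat as not up.
        return findings
    findings["tunnel_up"] = True
    findings["ipv4_leak"] = tunnel_ip == host_ip
    findings["ipv6_egress"] = tunnel_ip6 is not None
    return findings


def main() -> int:
    host_ip = public_ip_from_host()
    result = assess(host_ip, public_ip_via_gluetun(4), public_ip_via_gluetun(6))
    print(f"host exits as {host_ip}; findings: {result}")
    healthy = result["tunnel_up"] and not result["ipv4_leak"] and not result["ipv6_egress"]
    return 0 if healthy else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the Docker host after `docker-compose up -d`; a non-zero exit means either the tunnel is not up or one of the two leak conditions holds. If your provider tunnels IPv6 as well, the `ipv6_egress` finding is informational rather than a leak.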
So now we've got our Gluetun container, serving as our trusty VPN gateway with WireGuard at the helm. But the real question is: how do we get our other containers to cozy up and use this secure tunnel? You might have seen setups where folks lump everything into the Gluetun container, but let's be honest, that's a bit messy for my taste. I prefer my containers like I prefer my tech: neat, tidy, and each with a clear purpose.
The elegant solution? Keep Gluetun in its own dedicated container and simply link any existing or new containers to it. It might sound like you'd need to be some sort of Docker whisperer to pull this off, but it's surprisingly straightforward. Let's unravel this not-so-complicated process and get our containers talking the language of privacy through our Gluetun VPN setup.
All it takes is adding a single line to the `docker-compose.yml` of your existing containers. Just slip in `network_mode: "container:gluetun"`, and like magic, they're hitching a ride on your VPN connection.
Now, one heads-up for VPNs that are still living in the IPv4 past: you'll probably want to turn off IPv6 to avoid leaks. On the client container (not the Gluetun one), include `sysctls: - net.ipv6.conf.all.disable_ipv6=1` to keep things tight.
But let's move from talk to action. Below is an example `docker-compose.yml` that shows exactly how a client container can be configured to communicate securely through Gluetun. Let's dive into the configuration details:
```yaml
version: "3"
services:
  testservice:
    container_name: test
    image: test/test2-headless:latest
    environment:
      TZ: 'Europe/Amsterdam'
    volumes:
      - /home/user/localfolder/:/opt/Downloade
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    network_mode: "container:gluetun"
    restart: unless-stopped
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
  curl:
    image: curlimages/curl
    network_mode: "container:gluetun"
```
And there you have it! To tie it all together, note the inclusion of `curl` in this example, used exactly as I described earlier. Keep in mind, the configuration provided is simply a placeholder, a theoretical framework if you will, and isn't meant to be a working container right out of the box. But I trust you've grasped the concept. Gluetun generously extends support to a variety of popular VPN providers. But if you're the hands-on type, feel free to connect to your very own OpenVPN or WireGuard server. I highly encourage a visit to Gluetun's project page to find more details about this great project and how to configure it in all its details.
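Because the pattern lives entirely in the compose file, the mistakes that silently undo it are configuration mistakes: forgetting `NET_ADMIN` or `/dev/net/tun` on the gateway, a client that never gets the `network_mode` line, a client that still allows IPv6, or a client that tries to publish `ports` itself (Docker rejects `ports` and `networks` on a service that joins another container's namespace; they belong on the `gluetun` service, as the `3129:3129` mapping above does). The audit below is an added example, not part of the original post or of the Gluetun project. It assumes the service is named `gluetun` and, for reading a real file, that PyYAML is installed; `SAMPLE` is a constructed dict that mirrors the two compose files from the post merged into one project.

```python
"""Static audit of a docker-compose project for the Gluetun gateway pattern (added example)."""
from typing import Any, Dict, List

GATEWAY = "gluetun"  # service/container name used throughout the post


def _as_dict(seq_or_map: Any) -> Dict[str, str]:
    """Compose accepts either list ("K=V") or mapping form for environment/sysctls."""
    if isinstance(seq_or_map, dict):
        return {str(k): str(v) for k, v in seq_or_map.items()}
    out: Dict[str, str] = {}
    for item in seq_or_map or []:
        key, _, value = str(item).partition("=")
        out[key.strip()] = value.strip()
    return out


def _joins_gateway(service: Dict[str, Any]) -> bool:
    """True for the two spellings the post uses to join gluetun's namespace."""
    mode = str(service.get("network_mode", ""))
    return mode in (f"container:{GATEWAY}", f"service:{GATEWAY}")


def audit(compose: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the project passes."""
    findings: List[str] = []
    services = compose.get("services", {})
    gw = services.get(GATEWAY)
    if gw is None:
        return [f"no '{GATEWAY}' service defined"]
    if "NET_ADMIN" not in (gw.get("cap_add") or []):
        findings.append(f"{GATEWAY}: cap_add NET_ADMIN missing (needed to manage the tunnel)")
    if "/dev/net/tun:/dev/net/tun" not in (gw.get("devices") or []):
        findings.append(f"{GATEWAY}: /dev/net/tun device not passed through")
    if str(gw.get("network_mode", "")) == "host":
        findings.append(f"{GATEWAY}: network_mode host defeats the namespace isolation")
    env = _as_dict(gw.get("environment"))
    for secret in ("WIREGUARD_PRIVATE_KEY", "WIREGUARD_PRESHARED_KEY"):
        value = env.get(secret, "")
        if value and not value.startswith("${"):
            findings.append(f"{GATEWAY}: {secret} is a literal in the compose file; "
                            "prefer env_file or ${VAR} substitution")
    clients = [n for n, s in services.items() if n != GATEWAY and _joins_gateway(s)]
    if not clients:
        findings.append("no service joins the gateway namespace; nothing is routed via VPN")
    for name in clients:
        svc = services[name]
        if svc.get("ports"):
            findings.append(f"{name}: 'ports' cannot be combined with network_mode "
                            f"container:; publish them on {GATEWAY} instead")
        if svc.get("networks"):
            findings.append(f"{name}: 'networks' conflicts with network_mode")
        if _as_dict(svc.get("sysctls")).get("net.ipv6.conf.all.disable_ipv6") != "1":
            findings.append(f"{name}: IPv6 not disabled; add sysctl "
                            "net.ipv6.conf.all.disable_ipv6=1 for an IPv4-only VPN")
    return findings


# Constructed sample: the post's gateway file and client file as one project.
SAMPLE: Dict[str, Any] = {
    "services": {
        "gluetun": {
            "image": "qmcgaw/gluetun",
            "cap_add": ["NET_ADMIN"],
            "devices": ["/dev/net/tun:/dev/net/tun"],
            "environment": ["VPN_SERVICE_PROVIDER=airvpn", "VPN_TYPE=wireguard",
                            "WIREGUARD_PRIVATE_KEY=123your-priv-key123"],
            "ports": ["3129:3129"],
        },
        "testservice": {
            "image": "test/test2-headless:latest",
            "network_mode": "container:gluetun",
            "sysctls": ["net.ipv6.conf.all.disable_ipv6=1"],
        },
        "curl": {"image": "curlimages/curl", "network_mode": "container:gluetun"},
    }
}


def main(path: str = "") -> None:
    compose = SAMPLE
    if path:
        import yaml  # PyYAML; only needed to audit a real docker-compose.yml
        with open(path) as fh:
            compose = yaml.safe_load(fh)
    for line in audit(compose) or ["no findings"]:
        print("-", line)


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else "")
```

On the constructed sample the audit reports exactly two things: the WireGuard private key sits as a literal in the file, and the throwaway `curl` service joins the namespace without the IPv6 sysctl. Both are harmless for a quick test but are the kind of drift a practitioner wants flagged before the file is committed.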
We're at journey's end; your containers are now sailing smoothly through the secure tunnels of Gluetun. VPN-wise I long used PIA or Nord, but recently changed to AirVPN; their website doesn't have the nicest user interface, but the things they offer are exactly what I need, including OpenVPN over SSH or SSL obfuscation. Pretty handy in stoopid VPN-blocking environments. So just in case you want to have a look, I put here my referral link to the AirVPN service. No negative impact on you. I just bought their 3-year service for $99, which can be used on 5 devices at the same time; a totally fair price in my eyes.