Dead simple container VPN: Gluetun, Portainer, and Private Internet Access
Need to set up a VPN for containers? I got you.
I've seen an increase in people asking about container VPNs, and at one point I had the same questions. Hopefully this blog post can help answer those questions and get you up and running with a VPN for your containers.
In my situation I have a few containers that I want connecting to a VPN, but not all of them. So, I can't just put a VPN client on my Docker host machine and call it done. What's the best method to route select containers to a VPN while keeping others off it?
Well, I don't know if it's the best, but Gluetun is perfect for just that.
What is Gluetun?
If you haven't heard of Gluetun before, let me explain.
It's simply a container that you configure to use your VPN provider. Once the Gluetun container is connected to your VPN service you can then connect other containers to it and those containers will be utilizing a VPN connection.
Anyways, let's get started. If you'd like to follow along, it's important to note I'll be using Portainer to do my container configs, but you can do this all through the CLI if you want. I use Private Internet Access as my VPN, so that's what I'll be showing in my examples. Check this link to see all of the supported VPN options.
First, let's get Gluetun deployed with some PIA options.
Deploying Gluetun
On the documentation page there is a very simple docker-compose file to get started with. In general for these self-hosted services it's a good idea to understand what they're doing before you just haul off and run the command. We'll need to input a few details like our PIA username and pw, the region we'd like to connect to, etc. Below is a template you could use; make sure to fill in your details before you use the file.
version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      # lets Gluetun manage its own network interfaces and firewall rules
      - NET_ADMIN
    volumes:
      # replace /yourpath with a directory on your Docker host
      - /yourpath:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=private internet access
      # replace PIA_USER, PIA_PW and PIA_REGION with your own details
      - OPENVPN_USER=PIA_USER
      - OPENVPN_PASSWORD=PIA_PW
      - SERVER_REGIONS=PIA_REGION
Using this file, we're going to create a stack in Portainer like so:
Deploy the stack.
Test if the VPN is up
"But how will I know if the Gluetun container is actually using the VPN?"
Well, good question. Let's test that. Exec into a container that is not Gluetun and, if you have curl, run curl ifconfig.me. Below is an example output (you're not getting my public IP, nerds).
If you don't have curl, this also works: wget http://ipecho.net/plain -O - -q ; echo
And here's an example.
After that, exec into your Gluetun container and use this command to grab the public IP that the container is using for its connection to the internet. Note: this should be different than the IP you just saw.
As you can see my Gluetun IP address is different than the container above, which confirms it's using the VPN we set up earlier.
Connect containers to Gluetun
We have Gluetun up and running, but let's connect a service to it.
In Portainer pick a container and scroll to the bottom where it shows the networking options. Unless you've edited things in the past, it will likely say "bridge" under "Connected networks". Click "Leave network".
If there are published ports for your container, you'll need to remove those before continuing.
Then, at the top select "Duplicate/Edit" and scroll to the bottom of the page to look for the "Advanced container settings".
Select the network tab, and change the Network from "bridge" to "container". Then, under "Container", select the Gluetun container.
Now select "Deploy the container". Once the container deploys, it's time to confirm the IP of the container, and we should see it using the VPN through Gluetun!
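An added example, not from the original post: a Python check that reads `docker inspect` output and reports which containers actually share Gluetun's network stack after the Portainer steps above. The container names and IDs in the sample are constructed, and it assumes the Gluetun container is named gluetun.

```python
import json

# Constructed sample: a trimmed `docker inspect` array (real output has many
# more fields). Container names and IDs here are hypothetical.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6", "Name": "/gluetun",
     "HostConfig": {"NetworkMode": "bridge"}},
    {"Id": "111111111111", "Name": "/downloader",
     "HostConfig": {"NetworkMode": "container:a1b2c3d4e5f6"}},
    {"Id": "222222222222", "Name": "/dashboard",
     "HostConfig": {"NetworkMode": "bridge"}},
    {"Id": "333333333333", "Name": "/indexer",
     "HostConfig": {"NetworkMode": "container:deadbeef0000"}},
])


def audit_vpn_routing(inspect_json, gluetun_name="gluetun"):
    """Map each non-Gluetun container name to 'vpn', 'no-vpn' or 'other-container'."""
    containers = json.loads(inspect_json)
    by_name = {c["Name"].lstrip("/"): c for c in containers}
    gluetun = by_name.get(gluetun_name)
    if gluetun is None:
        raise ValueError(f"no container named {gluetun_name!r} in inspect output")

    report = {}
    for name, c in by_name.items():
        if name == gluetun_name:
            continue
        mode = c.get("HostConfig", {}).get("NetworkMode", "")
        kind, _, target = mode.partition(":")
        if kind != "container":
            # bridge, host, none or a user-defined network: not behind Gluetun
            report[name] = "no-vpn"
        elif target == gluetun_name or (target and gluetun["Id"].startswith(target)):
            # "container:<name or id>" pointing at the current Gluetun container
            report[name] = "vpn"
        else:
            # attached to some container that is not the current Gluetun
            report[name] = "other-container"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit_vpn_routing(SAMPLE_INSPECT).items()):
        print(f"{name:12} {status}")
```

To run it against a real host, pass in the output of `docker inspect $(docker ps -aq)` instead of the sample.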