Route Docker Container traffic through a VPN container
I run radarr, sonarr, lidarr, bazarr, pyload, deluge, jellyfin, jackett and airsonic containers behind the PIA VPN through https://github.com/qdm12/gluetun (on amd64, but images for arm64 are provided as well).
It's well documented and actively maintained. It supports Private Internet Access, Mullvad, Windscribe, Surfshark, Cyberghost, Vyprvpn, NordVPN, PureVPN and Privado at the moment of writing this.
For the gluetun container I use this to expose the ports:

```yaml
version: '3.7'
services:
  gluetun:
    image: qmcgaw/private-internet-access
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
      # other containers' ports
      - 8112:8112 # deluge webui
      - 58846:58846 # deluge daemon
      - 6767:6767 # bazarr
      - 8989:8989 # sonarr
      - 7878:7878 # radarr
      - 8686:8686 # lidarr
      - 9117:9117 # jackett
      - 4040:4040 # airsonic
      - 8096:8096 # jellyfin/emby
      - 8227:8227 # pyload
    volumes:
      - ./data_gluetun:/gluetun
      - ./data_gluetun/port_forward:/tmp/gluetun/forwarded_port
    environment:
      - VPNSP=private internet access
      - TZ=Europe/London
      - USER=${PIA_USER}
      - PASSWORD=${PIA_PASS}
      - REGION=${PIA_REGION}
      - PORT_FORWARDING=on
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - HTTPPROXY=on
      - SHADOWSOCKS=on
      - SHADOWSOCKS_PASSWORD=${SHADOW_PASS}
    restart: unless-stopped
```
Then, in the containers I wish to route via the above container, I commented out any existing network settings and replaced them with network_mode: "container:gluetun".
For automated Let's Encrypt certificates and a reverse proxy for access from outside the local network I use https://github.com/jc21/nginx-proxy-manager with the ARM-compatible MariaDB image yobasystems/alpine-mariadb:latest, running on an RPi4b with 64-bit Ubuntu Server.
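The set-up above only protects a container while that container really shares gluetun's network namespace; a service that is later edited back to its own `networks:` block silently goes out via the host again. The following audit is an added example, not code from the post above or from the gluetun project: it reads `docker inspect` output for all containers and reports any expected service whose `NetworkMode` is not the VPN container's namespace (Docker records it either as `container:<name>` or `container:<full id>`), plus the gluetun-side prerequisites (NET_ADMIN, running, and gluetun's `FIREWALL` kill switch not set to `off`). The container names in `NETNS_SERVICES` and the inline records are constructed for an offline run and are assumptions, not captured output.

```python
"""Audit which containers actually share the VPN container's network namespace.

Host usage (example, not part of the original post):
    docker inspect $(docker ps -aq) | python3 vpn_netns_audit.py
Record shapes mirror `docker inspect` JSON; the sample at the bottom is constructed.
"""
import json
import sys

VPN_NAME = "gluetun"                              # container_name of the VPN container (assumed, as in the post)
NETNS_SERVICES = {"sonarr", "radarr", "deluge"}   # services expected behind the VPN (assumed set)


def _name(rec):
    # docker inspect reports names with a leading slash
    return rec["Name"].lstrip("/")


def _vpn_refs(vpn):
    # network_mode: container:<x> is stored as the name or as the 64-char id
    return {f"container:{_name(vpn)}", f"container:{vpn['Id']}"}


def routed_through_vpn(records, vpn_name=VPN_NAME):
    """Names of all containers whose network namespace is the VPN container's."""
    by_name = {_name(r): r for r in records}
    vpn = by_name.get(vpn_name)
    if vpn is None:
        return set()
    refs = _vpn_refs(vpn)
    return {n for n, r in by_name.items() if r["HostConfig"].get("NetworkMode") in refs}


def audit(records, vpn_name=VPN_NAME, expected=NETNS_SERVICES):
    """Return a list of findings; an empty list means every expected service is tunnelled."""
    by_name = {_name(r): r for r in records}
    findings = []
    vpn = by_name.get(vpn_name)
    if vpn is None:
        return [f"{vpn_name}: VPN container not found; nothing is tunnelled"]
    if "NET_ADMIN" not in (vpn["HostConfig"].get("CapAdd") or []):
        findings.append(f"{vpn_name}: missing NET_ADMIN, tunnel and firewall cannot be set up")
    if not vpn["State"]["Running"]:
        findings.append(f"{vpn_name}: not running; every container sharing its netns is offline")
    env = {}
    for item in vpn["Config"].get("Env") or []:
        key, _, value = item.partition("=")
        env[key] = value
    # gluetun's firewall (kill switch) defaults to on; FIREWALL=off disables it
    if env.get("FIREWALL", "on").lower() == "off":
        findings.append(f"{vpn_name}: FIREWALL=off disables the kill switch; traffic leaks if the tunnel drops")
    refs = _vpn_refs(vpn)
    for name in sorted(expected):
        rec = by_name.get(name)
        if rec is None:
            findings.append(f"{name}: container not found")
            continue
        mode = rec["HostConfig"].get("NetworkMode")
        if mode not in refs:
            findings.append(f"{name}: network_mode is {mode!r}, not the VPN netns; its traffic leaves via the host")
    return findings


def sample_records():
    """Constructed records in `docker inspect` shape (hand-written, not real output)."""
    gluetun_id = "a" * 64

    def rec(name, cid, mode, cap_add=None, env=None, running=True):
        return {
            "Id": cid,
            "Name": "/" + name,
            "State": {"Running": running},
            "Config": {"Env": env or []},
            "HostConfig": {"NetworkMode": mode, "CapAdd": cap_add},
        }

    return [
        rec("gluetun", gluetun_id, "bridge", cap_add=["NET_ADMIN"],
            env=["VPNSP=private internet access", "PORT_FORWARDING=on"]),
        rec("sonarr", "b" * 64, f"container:{gluetun_id}"),  # correct, id form
        rec("radarr", "c" * 64, "container:gluetun"),         # correct, name form
        rec("deluge", "d" * 64, "bridge"),                    # misconfigured: bypasses the VPN
    ]


if __name__ == "__main__":
    data = sample_records() if sys.stdin.isatty() else json.load(sys.stdin)
    problems = audit(data)
    for line in problems:
        print("FAIL", line)
    print("routed through VPN:", ", ".join(sorted(routed_through_vpn(data))) or "(none)")
    sys.exit(1 if problems else 0)
```

Run it after every compose change (or from cron) and treat any FAIL line as a leak. It deliberately checks the live container state rather than the compose file, because what matters is the namespace the running process ended up in, not what the YAML says.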
This looks like what you need for the containers to secure the outgoing connections: https://jordanelver.co.uk/blog/2019/06/03/routing-docker-traffic-through-a-vpn-connection/. You want to start the container with --net container:name-of-vpn-container.
I imagine that if you want the incoming container to be through the VPN you will need to ensure that the VPN provider gives you a static IP/hostname and forward the ports. I suspect that you will not want to go down this road as it will be complex. The best bet is to continue to access them through the domain name, just make sure it's over https* and make sure the device–your phone/tablet/laptop whatever–you're using is on a VPN.
* Look no further than linuxserver.io's excellent work for more on this: https://blog.linuxserver.io/2020/08/21/introducing-swag/