
Route Docker Container traffic through a VPN container


I run radarr, sonarr, lidarr, bazarr, pyload, deluge, jellyfin, jackett, airsonic containers behind PIA vpn through https://github.com/qdm12/gluetun (on amd64, but images for arm64 are provided as well).

It's well documented and actively maintained. It supports Private Internet Access, Mullvad, Windscribe, Surfshark, Cyberghost, Vyprvpn, NordVPN, PureVPN and Privado at the moment of writing this.

For the gluetun container I use this to expose the ports:

```yaml
version: '3.7'
services:
  gluetun:
    image: qmcgaw/private-internet-access
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
      # other containers ports
      - 8112:8112     # deluge webui
      - 58846:58846   # deluge daemon
      - 6767:6767     # bazarr
      - 8989:8989     # sonarr
      - 7878:7878     # radarr
      - 8686:8686     # lidarr
      - 9117:9117     # jackett
      - 4040:4040     # airsonic
      - 8096:8096     # jellyfin/emby
      - 8227:8227     # pyload
    volumes:
      - ./data_gluetun:/gluetun
      - ./data_gluetun/port_forward:/tmp/gluetun/forwarded_port
    environment:
      - VPNSP=private internet access
      - TZ=Europe/London
      - USER=${PIA_USER}
      - PASSWORD=${PIA_PASS}
      - REGION=${PIA_REGION}
      - PORT_FORWARDING=on
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - HTTPPROXY=on
      - SHADOWSOCKS=on
      - SHADOWSOCKS_PASSWORD=${SHADOW_PASS}
    restart: unless-stopped
```

and then, in the containers I wish to route via the above container, I commented out any existing network settings and replaced them with network_mode: "container:gluetun".

For automated Let's Encrypt certificates and a reverse proxy to access from outside the local network, I use https://github.com/jc21/nginx-proxy-manager with the ARM-compatible MariaDB image yobasystems/alpine-mariadb:latest, running on an RPi4b with 64-bit Ubuntu Server.
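
An added example, not part of the original post: a Python check over `docker inspect` output that confirms each container really shares the gluetun container's network stack, as the network_mode: "container:gluetun" setting above intends. The sample JSON and container IDs are constructed, and the helper name audit_vpn_routing is hypothetical.

```python
import json

VPN_ID = "a1" * 32   # constructed 64-hex ID of the running gluetun container
OLD_ID = "0f" * 32   # constructed ID of a gluetun instance that no longer exists

# Constructed sample shaped like `docker inspect <names...>` output,
# trimmed to the fields this check reads.
SAMPLE_INSPECT = json.dumps([
    {"Id": VPN_ID, "Name": "/gluetun", "HostConfig": {"NetworkMode": "bridge"}},
    {"Id": "b2" * 32, "Name": "/deluge", "HostConfig": {"NetworkMode": "container:" + VPN_ID}},
    {"Id": "c3" * 32, "Name": "/sonarr", "HostConfig": {"NetworkMode": "container:gluetun"}},
    {"Id": "d4" * 32, "Name": "/radarr", "HostConfig": {"NetworkMode": "container:" + OLD_ID}},
    {"Id": "e5" * 32, "Name": "/jellyfin", "HostConfig": {"NetworkMode": "bridge"}},
])


def audit_vpn_routing(inspect_json, vpn_name="gluetun"):
    """Classify each container as 'vpn', 'stale' or 'bypass' (hypothetical helper)."""
    containers = {c["Name"].lstrip("/"): c for c in json.loads(inspect_json)}
    if vpn_name not in containers:
        raise ValueError(f"{vpn_name!r} is not in the inspect output")
    # A dependent may reference the VPN container by name or by its full ID.
    vpn_refs = {vpn_name, containers[vpn_name]["Id"]}
    result = {}
    for name, c in containers.items():
        if name == vpn_name:
            continue
        mode = c["HostConfig"]["NetworkMode"]
        if not mode.startswith("container:"):
            result[name] = "bypass"   # own network stack, not gluetun's
        elif mode.split(":", 1)[1] in vpn_refs:
            result[name] = "vpn"      # shares gluetun's network namespace
        else:
            result[name] = "stale"    # joined to some other (or removed) container
    return result


if __name__ == "__main__":
    for name, status in audit_vpn_routing(SAMPLE_INSPECT).items():
        print(f"{name:10} {status}")
```

To run it against a live host, pass the output of `docker inspect $(docker ps -q)` to the function instead of the sample.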


This looks like what you need for the containers to secure the outgoing connections: https://jordanelver.co.uk/blog/2019/06/03/routing-docker-traffic-through-a-vpn-connection/. You want to start the container with the --net container:name-of-vpn-container.

I imagine that if you want the incoming container to be through the VPN you will need to ensure that the VPN provider gives you a static IP/hostname and forward the ports. I suspect that you will not want to go down this road as it will be complex. The best bet is to continue to access them through the domain name, just make sure it's over https* and make sure the device (your phone/tablet/laptop, whatever) you're using is on a VPN.

* Look no further than linuxserver.io's excellent work for more on this: https://blog.linuxserver.io/2020/08/21/introducing-swag/