Docker containers with VPN

    • Docker containers with VPN

      I'm starting to set up various services with docker: SABnzbd, Radarr, Sonarr, rTorrent, etc., and would like at the very least to run SABnzbd and rTorrent through my VPN service.

      Am I better off figuring out how to do my own Dockers with the chosen services and an OpenVPN client, or can I use the OpenVPN plugin directly to OMV and run certain containers through that?

      I am very unaware of how Docker works, and so far am only using the images from the built-in repo.
      OMV 4.1.4 Arrakis | 34TB SnapRAID+MergerFS
      Supermicro X10SLM+-F| Xeon E3-1285L | 16gb ECC Ram | LSI SAS9220-8i
      5 x 8TB WD Red | 2x 3TB WD Red | 128gb Samsung 830 EVO
    • Hi. It is possible, but it is a bit of a problem if you stop / start your openmediavault box frequently. My setup looks like this:

      - openvpn-client container (dperson/openvpn-client)
      - transmission container
      - jackett container
      - sonarr container
      - nginx container to provide access to transmission/jackett/sonarr

      1. setup of the openvpn-client (name vpn, networkmode: bridge)
      2. setup transmission with extra option: --net=container:vpn
        this means that transmission connects through the container vpn to the internet, but it also means that you cannot reach the container via your host
      3. setup nginx to get access to transmission (and others)
        to get access to transmission run the nginx container with extra option: --link vpn:transmission, this basically means that your nginx container has access to the transmission container as localhost, now you just need to setup nginx to forward transmission web:
        [code]
        location /transmission {
            # forward requests to the Transmission web UI behind the vpn container
            proxy_pass http://transmission:9091;
        }
        [/code]

      Just set up all containers like that and forward the necessary ports to locations of the nginx server, which itself needs to be forwarded to a port, e.g. 9999. You are then able to access transmission through http://$omvip:9999/transmission
    • Thanks for this, I'm gonna give it a go and see how it works.

      How can I ensure that all traffic from the containers only goes via the VPN when it is up and running? Is it possible to include a killswitch on the OpenVPN container?

      Is it better to run nginx in a container or via the official plug-in?
    • It is possible to implement a killswitch inside the vpn container by using the up/down scripts for openvpn. By using these you can modify the firewall rules with iptables to enable/disable network connectivity for the container. I've done this quite long ago and don't remember the details :) If you want to have a look at my implementation it's merged in the linuxserver.io container here: github.com/linuxserver/docker-vpn I will not be able to support very much though...
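The kill switch idea described above, as an added example that is not part of the original post and not taken from docker-vpn: a static default-drop ruleset, loaded inside the VPN container before OpenVPN starts, so that containers sharing its network namespace have no egress except through the tunnel. The function names, the interface names `tun0`/`eth0` and every address passed in are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example (assumed names and values, not from the thread's images).
# Emits iptables-restore input; apply inside the VPN container, for instance:
#   killswitch_rules <server-ip> <port> udp <lan-cidr> | iptables-restore
# The VPN server is given as an IP address, so no DNS lookup is needed
# before the tunnel exists.
#
# usage: killswitch_rules SERVER_IP PORT PROTO LAN_CIDR [TUN_IF] [WAN_IF]
killswitch_rules() {
    server_ip=$1 port=$2 proto=$3 lan=$4
    tun_if=${5:-tun0} wan_if=${6:-eth0}
    case $proto in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan_if -s $lan -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
-A OUTPUT -o $wan_if -d $server_ip -p $proto --dport $port -j ACCEPT
-A OUTPUT -o $wan_if -d $lan -j ACCEPT
COMMIT
EOF
}

# IPv6 companion for ip6tables-restore: only loopback and the tunnel may send.
killswitch_rules6() {
    tun_if=${1:-tun0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
COMMIT
EOF
}
```

Because the policy is default-drop and does not depend on OpenVPN's up/down hooks, a dropped tunnel or a crashed OpenVPN process leaves the dependent containers with no route out rather than falling back to `eth0`. A port forwarded by the VPN provider needs its own `INPUT` rule on the tunnel interface.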
    • Totally agree with @gaelic.
      Moreover, you can have a look at traefik if you don't like nginx.
      I'm a Docker Technical Sales Professional.

      1 NAS OMV 4 (Intel Pentium 4560 3.5 GHz, Asrock H110M-ITX, 24 Gb DDR4, 2*4 To Seagate Ironwolf Nas, 2*4 To WD red)
      1 RPI 3 seedbox with omv 3.X
      1 Backup Server omv 4 (core 2 quad q6600, 4 Gb DDR2, 2*4To WD blue)
    • gaelic wrote:

      Jonatron wrote:

      Is it better to run nginx in a container or via the official plug-in?
      You have to run nginx as a container to access the other containers using the vpn container ...
      That does make sense when you put it like that!
    • gaelic wrote:

      Hi. It is possible, but it is a bit of a problem if you stop / start your openmediavault box frequently. My setup looks like this:

      - openvpn-client container (dperson/openvpn-client)
      - transmission container
      - jackett container
      - sonarr container
      - nginx container to provide access to transmission/jackett/sonarr

      1. setup of the openvpn-client (name vpn, networkmode: bridge)
      2. setup transmission with extra option: --net=container:vpn
        this means that transmission connects through the container vpn to the internet, but it also means that you cannot reach the container via your host
      3. setup nginx to get access to transmission (and others)
        to get access to transmission run the nginx container with extra option: --link vpn:transmission, this basically means that your nginx container has access to the transmission container as localhost, now you just need to setup nginx to forward transmission web:
        [code]
        location /transmission {
            # forward requests to the Transmission web UI behind the vpn container
            proxy_pass http://transmission:9091;
        }
        [/code]

      Just set up all containers like that and forward the necessary ports to locations of the nginx server, which itself needs to be forwarded to a port, e.g. 9999. You are then able to access transmission through http://$omvip:9999/transmission
      Do you have a step-by-step guide for setting up the OpenVPN container using the OMV Plugin? I'm having trouble knowing what to put where!
    • The OpenVPN container doesn't use the OMV Plugin.
      The OpenVPN container is a VPN CLIENT and the OMV Plugin is a VPN SERVER.

      ps: Links are deprecated. It's better to use networks and depends_on.
    • I've managed to set OpenVPN up, but am now having trouble with nginx: it defaults to port 80, which is in use by OMV, and I can't seem to find any way of changing this setting from Docker.

      Is it possible to change this default port, or should I bite the bullet and change OMV's port, which is easier (but not my preference, to avoid future complications)?
    • I managed to get it working with a bit of trial and error, but I ended up speaking to the maintainer of the OpenVPN package and he said if you only want to access WebUIs on your local network then you can avoid nginx completely by using the ROUTE variable and 192.168.1.0/24 or whatever your local network is.


      One issue I am having now however is that whilst I can access the Deluge WebUI I cannot access the deluge daemon, this was possible to fix I believe using a special nginx configuration.
    • Running ifconfig in the Deluge container returns the following:

      eth0 Link encap:Ethernet HWaddr 02:42:XX:XX:XX:XX
      inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
      inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:28817 errors:0 dropped:0 overruns:0 frame:0
      TX packets:31832 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:10213682 (9.7 MiB) TX bytes:5280841 (5.0 MiB)


      lo Link encap:Local Loopback
      inet addr:127.0.0.1 Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING MTU:65536 Metric:1
      RX packets:1211 errors:0 dropped:0 overruns:0 frame:0
      TX packets:1211 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1
      RX bytes:326247 (318.6 KiB) TX bytes:326247 (318.6 KiB)


      tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet addr:10.8.X.X P-t-P:10.8.X.X Mask:255.255.0.0
      inet6 addr: fe80::835f:c63b:728c:a08e/64 Scope:Link
      inet6 addr: fdda:XXXX:XXXX:XXXX::XXXX/64 Scope:Global
      UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
      RX packets:22552 errors:0 dropped:0 overruns:0 frame:0
      TX packets:26546 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:6840521 (6.5 MiB) TX bytes:2617750 (2.4 MiB)

      None of which are my external IP addresses.
    • if you want to check if your container is using your vpn:

      In your OMV host:

      Source Code

      curl ifconfig.me

      Do the same command from your container (do a "docker exec" to connect to your container in SSH before).
      If the 2 IPs are the same, your container is not using your vpn.
    • Running the command in my OMV host shows my static IP as assigned by my ISP and running it in my containers shows a different IP which I believe to be assigned by my VPN provider.

      Should I be satisfied with these tests?
      OMV 4.1.4 Arrakis | 34TB SnapRAID+MergerFS
      Supermicro X10SLM+-F| Xeon E3-1285L | 16gb ECC Ram | LSI SAS9220-8i
      5 x 8TB WD Red | 2x 3TB WD Red | 128gb Samsung 830 EVO
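The comparison described in the posts above, extended as an added example that is not from any poster: besides comparing the two public addresses, it checks which interface the container's routing table actually selects for internet traffic and treats "no answer at all" as its own outcome. It assumes `curl` and iproute2's `ip` are present in the container image; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (assumed helper names). Run on the Docker host:
#   check_container <container-name>

# Print the interface that follows "dev" in `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# verdict HOST_IP CONTAINER_IP ROUTE_GET_OUTPUT [TUN_PREFIX]
verdict() {
    host_ip=$1 ctr_ip=$2 dev=$(egress_dev "$3") tun=${4:-tun}
    # No public IP obtained: the container has no egress (tunnel down and blocked).
    if [ -z "$ctr_ip" ]; then echo "BLOCKED"; return 0; fi
    # Same address as the host: traffic bypasses the VPN.
    if [ "$host_ip" = "$ctr_ip" ]; then echo "LEAK"; return 1; fi
    case $dev in
        "$tun"*) echo "OK" ;;
        # Different address, but the route does not use a tunnel interface.
        *) echo "SUSPECT"; return 1 ;;
    esac
}

check_container() {
    host_ip=$(curl -fsS --max-time 10 ifconfig.me) || return 2
    ctr_ip=$(docker exec "$1" curl -fsS --max-time 10 ifconfig.me 2>/dev/null) || ctr_ip=
    route=$(docker exec "$1" ip route get 1.1.1.1 2>/dev/null) || route=
    verdict "$host_ip" "$ctr_ip" "$route"
}
```

Running the check once with the tunnel up and once with the VPN connection deliberately stopped covers both states: the second run should report `BLOCKED`, and `LEAK` there means the containers fall back to the host's connection when the tunnel drops.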
    • Hi,

      I am wanting to do a video about VPN server containers. This is a fairly common question.

      I see that people have found several different ways to do it.

      Can I see posts with your config files posted, so I can see how they are different?


      Thanks in advance!

      @gaelic
      @Jonatron
      @RPMan

      gaelic wrote:

      I will post an example configuration today (or maybe tomorrow).

      Jonatron wrote:

      I managed to get it working with a bit of trial and error, but I ended up speaking to the maintainer of the OpenVPN package and he said if you only want to access WebUIs on your local network then you can avoid nginx completely by using the ROUTE variable and 192.168.1.0/24 or whatever your local network is.


      One issue I am having now however is that whilst I can access the Deluge WebUI I cannot access the deluge daemon, this was possible to fix I believe using a special nginx configuration.

      RPMan wrote:

      if you want to check if your container is using your vpn:

      In your OMV host:

      Source Code

      curl ifconfig.me

      Do the same command from your container (do a "docker exec" to connect to your container in SSH before).
      If the 2 IPs are the same, your container is not using your vpn.
      Build, Learn, Create.

      How to Videos for OMV

      Post any questions to the forum, so others can benefit from your curiosity. :thumbsup:

      The post was edited 1 time, last by TechnoDadLife ().

    • gaelic wrote:

      I will post an example configuration today (or maybe tomorrow).
      Hi @gaelic
      I'm running Ubuntu Server 16.04 atm, and have configured vpn split tunnel properly for selected services (based on user running the service).
      I'm thinking to migrate the whole home server to OMV 4, and start using Docker.
      I need to route Deluge and Oscam over VPN connection (PIA), and have a kill switch implemented. If the vpn connection goes down, then the before mentioned two services should have no access to internet at all. I'm new to docker (and OMV as well), but quite familiar with linux in general. Will use nginx reverse proxy to access routed services from local/outside network (it is the same configuration I use now, but not with docker).

      Could you post a how-to for this with using docker?

      If I understand this correctly, the mentioned two services will run using docker, and routed over a docker running OpenVPN client, correct?
      And there will be a docker with nginx for reverse proxy, NextCloud, phpvirtualbox, etc?

      Which vpn docker do you use, and does it have a kill switch? It is actually quite easy to do it with iptables but I'm not sure how to get this together with docker. What happens if the connection in vpn docker goes down? Or the vpn docker is off/crashed? If the vpn docker is down, I think the other dockers routed over vpn docker will not have access to internet, correct? But if the connection in vpn docker is broken to the vpn server, then it is exposed to internet?
    • @TechnoDadLife sorry it has taken me a while to get back to you.

      I have my VPN up and running with the following settings. It works fine; the only issue I currently have is that I have to restart all connected containers if the VPN goes down, and take them all down if they need updating (Watchtower doesn't work).

      I run my OpenVPN container with the following command:

      Source Code

      sudo docker run -it -d --restart always \
        --sysctl net.ipv6.conf.all.disable_ipv6=0 \
        --cap-add=NET_ADMIN --device /dev/net/tun \
        --name openvpn \
        -v /home/docker/.config/openvpn:/vpn \
        -e VPN='SERVER.IP;USERNAME;PASSWORD' \
        -e ROUTE='192.168.1.0/24' \
        -e VPNPORT='XXXX' \
        -e DNS='XXX.XXX.XXX.XXX' \
        -e FIREWALL="" \
        -p 30895:30895 -p 30895:30895/udp \
        -p 8080:8080 -p 9090:9090 -p 8989:8989 -p 7878:7878 -p 9117:9117 \
        -p 58846:58846 -p 8112:8112 \
        -p 58946:58946 -p 58946:58946/udp \
        dperson/openvpn-client:latest

      Forwarded ports are for the relevant containers that connect to the internet using the VPN, in my case: SABnzbd, Deluge, Sonarr and Radarr.

      I have an open port with my VPN provider and Deluge is configured to listen on this port.

      Containers are linked to the VPN container with the

      Source Code

      --net=container:openvpn

      command and must be started after the VPN container has been started.

      I was also able to get the Deluge thin client to connect, if you would like details of how to do that then please let me know.