Docker containers with VPN

  • I'm starting to set up various services with docker: SABnzbd, Radarr, Sonarr, rTorrent etc and would like at the very least to run SABnzbd and rTorrent through my VPN service.


    Am I better off figuring out how to do my own Dockers with the chosen services and an OpenVPN client, or can I use the OpenVPN plugin directly to OMV and run certain containers through that?


    I am very unaware of how Docker works, and so far am only using the images from the built in repo.

    OMV 4.1.4 Arrakis | 34TB SnapRAID+MergerFS
    Supermicro X10SLM+-F| Xeon E3-1285L | 16gb ECC Ram | LSI SAS9220-8i
    5 x 8TB WD Red | 2x 3TB WD Red | 128gb Samsung 830 EVO

  • Hi. It is possible, but it is a bit of a problem if you stop / start your openmediavault box frequently. My setup looks like this:


    - openvpn-client container (dperson/openvpn-client)
    - transmission container
    - jackett container
    - sonarr container
    - nginx container to provide access to transmission/jackett/sonarr


    • setup of the openvpn-client (name vpn, networkmode: bridge)
    • set up transmission with extra option: --net=container:vpn
      this means that transmission connects through the container vpn to the internet, but it also means that you cannot reach the container via your host
    • set up nginx to get access to transmission (and others)
      to get access to transmission run the nginx container with extra option: --link vpn:transmission, this basically means that your nginx container has access to the transmission container as localhost, now you just need to set up nginx to forward transmission web:
      [code]
      location /transmission {
          # forward to the Transmission web UI through the vpn container's link alias
          proxy_pass http://transmission:9091;
      }
      [/code]


    Just set up all containers like that and forward the necessary ports to locations of the nginx server, which itself needs to be forwarded to a port, e.g. 9999. You are then able to access transmission through http://$omvip:9999/transmission

  • Thanks for this, I'm gonna give it a go and see how it works.


    How can I ensure that all traffic from the containers only goes via the VPN when it is up and running? Is it possible to include a killswitch on the OpenVPN container?


    Is it better to run nginx in a container or via the official plug-in?


  • It is possible to implement a killswitch inside the vpn container by using the up/down scripts for openvpn. By using these you can modify the firewall rules with iptables to enable/disable network connectivity for the container. I've done this quite long ago and don't remember the details :) If you want to have a look at my implementation it's merged in the linuxserver.io container here: https://github.com/linuxserver/docker-vpn I will not be able to support very much though...
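A kill switch of the kind discussed above, as an added example that is not code from this thread or from the linuxserver.io container. It differs from the up/down-script approach: it loads a static, fail-closed ruleset into the VPN container's network namespace, so that when tun0 disappears only the VPN endpoint and the LAN remain reachable. The endpoint, port, protocol and LAN range are caller-supplied placeholders, and tun0/eth0 are assumed interface names.

```shell
#!/bin/sh
# Added example: fail-closed egress rules for the VPN container's namespace.
# Interface names tun0/eth0 are assumptions; the endpoint, port, protocol
# and LAN range are placeholders passed in by the caller.

# Print an IPv4 ruleset in iptables-restore format.
killswitch_rules() {
    vpn_ip=$1 vpn_port=$2 vpn_proto=$3 lan_cidr=$4
    case $vpn_proto in udp|tcp) ;; *) echo "bad protocol" >&2; return 1 ;; esac
    case $vpn_port in ''|*[!0-9]*) echo "bad port" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -d $vpn_ip -p $vpn_proto --dport $vpn_port -j ACCEPT
-A OUTPUT -o eth0 -d $lan_cidr -j ACCEPT
COMMIT
EOF
}

# IPv6 has its own tables: allow it only through the tunnel.
killswitch_rules6() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
EOF
}

# Apply only when called with all four arguments (needs NET_ADMIN), e.g.
#   sh killswitch.sh <vpn-server-ip> <port> udp 192.168.1.0/24
if [ $# -eq 4 ]; then
    rules=$(killswitch_rules "$@") || exit 1
    printf '%s\n' "$rules" | iptables-restore
    killswitch_rules6 | ip6tables-restore
fi
```

The OUTPUT chain deliberately has no ESTABLISHED,RELATED shortcut: a connection opened through tun0 must not be allowed to continue over eth0 after the tunnel drops.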

  • You have to run nginx as a container to access the other containers using the vpn container ...

    That does make sense when you put it like that!


  • Do you have a step-by-step guide for setting up the OpenVPN container using the OMV Plugin? I'm having trouble knowing what to put where!


  • I've managed to set OpenVPN up, but am now having trouble with nginx: it defaults to port 80, which is in use by OMV, and I can't seem to find any way of changing this setting from Docker.


    Is it possible to change this default port, or should I bite the bullet and change OMV's port, which is easier (but not my preference, to avoid future complications)?


  • I managed to get it working with a bit of trial and error, but I ended up speaking to the maintainer of the OpenVPN package and he said if you only want to access WebUIs on your local network then you can avoid nginx completely by using the ROUTE variable and 192.168.1.0/24 or whatever your local network is.



    One issue I am having now however is that whilst I can access the Deluge WebUI I cannot access the deluge daemon, this was possible to fix I believe using a special nginx configuration.


  • Running ifconfig in the Deluge container returns the following:


    eth0 Link encap:Ethernet HWaddr 02:42:XX:XX:XX:XX
    inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
    inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:28817 errors:0 dropped:0 overruns:0 frame:0
    TX packets:31832 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:10213682 (9.7 MiB) TX bytes:5280841 (5.0 MiB)



    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:1211 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1211 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1
    RX bytes:326247 (318.6 KiB) TX bytes:326247 (318.6 KiB)



    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.8.X.X P-t-P:10.8.X.X Mask:255.255.0.0
    inet6 addr: fe80::835f:c63b:728c:a08e/64 Scope:Link
    inet6 addr: fdda:XXXX:XXXX:XXXX::XXXX/64 Scope:Global
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:22552 errors:0 dropped:0 overruns:0 frame:0
    TX packets:26546 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:6840521 (6.5 MiB) TX bytes:2617750 (2.4 MiB)


    None of which are my external IP addresses.


  • If you want to check if your container is using your vpn:


    In your OMV host:

    Code
    curl ifconfig.me


    Do the same command from your container (do a "docker exec" to connect to your container in SSH before).
    If the 2 IPs are the same, your container is not using your vpn.
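The comparison described in the post above, scripted for several containers at once, as an added example that is not part of the original post. It assumes curl is available inside each container; the container names are whatever the caller passes, and an empty answer from a container is reported as NO_EGRESS, which is what a working kill switch produces while the tunnel is down.

```shell
#!/bin/sh
# Added example: automate the host-vs-container public IP comparison.
# Assumes curl exists inside each container; container names are the caller's.

# Fetch the public IP on the host (no arguments) or through a command prefix
# such as "docker exec <name>". Prints nothing if the lookup fails.
public_ip() {
    "$@" curl -s --max-time 10 ifconfig.me 2>/dev/null || true
}

# egress_verdict HOST_IP CONTAINER_IP -> prints LEAK, VPN or NO_EGRESS
egress_verdict() {
    host_ip=$1 container_ip=$2
    if [ -z "$container_ip" ]; then
        echo NO_EGRESS   # no answer: tunnel down and traffic blocked, or curl missing
    elif [ "$container_ip" = "$host_ip" ]; then
        echo LEAK        # same address as the host: traffic bypasses the VPN
    else
        echo VPN
    fi
}

# Check every named container; exit status 1 if any of them leaks.
check_containers() {
    host_ip=$(public_ip)
    [ -n "$host_ip" ] || { echo "cannot determine host IP" >&2; return 2; }
    rc=0
    for c in "$@"; do
        v=$(egress_verdict "$host_ip" "$(public_ip docker exec "$c")")
        echo "$c: $v"
        [ "$v" = LEAK ] && rc=1
    done
    return "$rc"
}

# Usage: sh vpncheck.sh <container> [<container> ...]
if [ $# -ge 1 ]; then
    check_containers "$@"
fi
```

Running it once with the VPN up and once with the tunnel deliberately stopped shows whether the containers fail closed (NO_EGRESS) or fall back to the host's address (LEAK).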

  • Running the command in my OMV host shows my static IP as assigned by my ISP and running it in my containers shows a different IP which I believe to be assigned by my VPN provider.


    Should I be satisfied with these tests?


  • Hi,


    I am wanting to do a video about VPN server containers. This is a fairly common question.


    I see that people have found several different ways to do it.


    Can I see posts with your config files posted, so I can see how they are different?



    Thanks in advance!


    @gaelic
    @Jonatron
    @RPMan

    I will post an example configuration today (or maybe tomorrow).


  • I will post an example configuration today (or maybe tomorrow).

    Hi @gaelic
    I'm running Ubuntu Server 16.04 atm, and have configured vpn split tunnel properly for selected services (based on user running the service).
    I'm thinking to migrate the whole home server to OMV 4, and start using Docker.
    I need to route Deluge and Oscam over VPN connection (PIA), and have a kill switch implemented. If the vpn connection goes down, then the two aforementioned services should have no access to internet at all. I'm new to docker (and OMV as well), but quite familiar with linux in general. Will use nginx reverse proxy to access routed services from local/outside network (it is the same configuration I use now, but not with docker).


    Could you post a how-to for this with using docker?


    If I understand this correctly, the mentioned two services will run using docker, and routed over a docker running OpenVPN client, correct?
    And there will be a docker with nginx for reverse proxy, NextCloud, phpvirtualbox, etc?


    Which vpn docker do you use, and does it have a kill switch? It is actually quite easy to do it with iptables but I'm not sure how to get this together with docker. What happens if the connection in vpn docker goes down? Or the vpn docker is off/crashed? If the vpn docker is down, I think the other dockers routed over vpn docker will not have access to internet, correct? But if the connection in vpn docker is broken to the vpn server, then it is exposed to internet?

  • @TechnoDadLife sorry it has taken me a while to get back to you.


    I have my VPN up and running with the following settings, it works fine, the only issue I currently have is that I have to restart all connected containers if VPN goes down, and take them all down if need updating (Watchtower doesn't work).


    I run my OpenVPN container with the following command:


    Code
    sudo docker run -it -d --restart always --sysctl net.ipv6.conf.all.disable_ipv6=0 --cap-add=NET_ADMIN --device /dev/net/tun --name openvpn -v /home/docker/.config/openvpn:/vpn -e VPN='SERVER.IP;USERNAME;PASSWORD' -e ROUTE='192.168.1.0/24' -e VPNPORT='XXXX' -e DNS='XXX.XXX.XXX.XXX' -e FIREWALL="" -p 30895:30895 -p 30895:30895/udp -p 8080:8080 -p 9090:9090 -p 8989:8989 -p 7878:7878 -p 9117:9117 -p 58846:58846 -p 8112:8112 -p 58946:58946 -p 58946:58946/udp dperson/openvpn-client:latest


    Forwarded ports are for the relevant containers that connect to the internet using the VPN, in my case: SABnzbd, Deluge, Sonarr and Radarr.


    I have an open port with my VPN provider and Deluge is configured to listen on this port.


    Containers are linked to the VPN container with the

    Code
    --net=container:openvpn

    command and must be started after the VPN container has been started.


    I was also able to get the Deluge thin client to connect, if you would like details of how to do that then please let me know.

