PGBlitz.com
HOWTO: Use a single and central VPN container to secure all your apps

plex_noob
This howto focuses on the creation of a VPN container that will be used as a proxy/hub for other containers that need to access the internet in a secure way. The difference between this solution and all the others lies in the use of the same VPN connection for all your needs.
Your needs could be:

- Torrenting
- Private web browsing
- Private download
- ...

The advantages are:
- Use of a single VPN connection for all your needs (some VPN providers are quite reluctant to provide more than x connections)
- Respect for the basic principle of a container: limit each container to one and only one function
- Reduced server resource consumption by having only one VPN for all your needs
- Manageability: easy to use and maintain because there is only one instance
- Evolution: no time wasted looking for an app with a VPN included. Take the standard application, add it to this method and you have it secured
- Ease of re-installation: if a Plexguide reinstall is required, no problem, you only need to re-execute a single file and everything is up and running
- ...

This method uses docker-compose.

The principle is quite simple:
  1. Install docker-compose
  2. Create a file with a yml extension
  3. Respect the coding principles, which are quite touchy: not too many spaces, respect the position of some parts, ...
  4. Create all your containers within a single file
  5. Save the file
  6. Execute the docker-compose file
  7. Enjoy
1. Install docker-compose: sudo apt install docker-compose
2. Create a folder to put your future vpn container in: mkdir -p /opt/appdata/vpn/
3. Create an empty file (docker-compose.yml) in the created directory: touch /opt/appdata/vpn/docker-compose.yml
4. Edit it and paste the following code:

YAML:
version: '2'
services:
  vpn:
    image: bubuntux/nordvpn
    container_name: vpn
    cap_add:
      - NET_ADMIN                      # required to bring up the tunnel interface
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
    environment:
      - "USER=<Your_VPN_User>"
      - "PASS=<Your_VPN_Password>"
      - "country=germany"
      - "CATEGORY=P2P"
      - "PROTOCOL=openvpn_udp"
      - "LAN_NETWORK=172.18.0.0/24"
    devices:
      - "/dev/net/tun"
    ports:                             # published here, never on the proxied services
      - "8112:8112"
      - "8118:8118"
      - "58846:58846"
      - "58946:58946"
  deluge:
    image: linuxserver/deluge
    container_name: deluge
    depends_on:                        # start vpn first
      - vpn
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Brussels             # TZ names are case-sensitive
    network_mode: "service:vpn"        # share the vpn container's network stack
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:deluge.<yourdomain.name>"
      traefik.port: "8112"
    volumes:
      - "/opt/appdata/deluge/config:/config"
      - "/mnt/unionfs:/unionfs"
      - "/mnt/md0/mnt/deluge:/mydata"
    mem_limit: 4096m
    restart: unless-stopped
networks:
  default:
    external:
      name: plexguide
5. Quit and save the file
6. Run the following command: docker-compose -f /opt/appdata/vpn/docker-compose.yml up -d
7. The docker-compose file is checked and the containers are created.

The port definitions for each sub-container need to be specified at the vpn container level.
Each sub-container needs to refer to the vpn container with:

This is to make sure that the vpn is started before the container:

depends_on:
  - vpn


This is to route the traffic through the vpn:

network_mode: "service:vpn"


Ports Definition
The ports definition part is, in fact, the way the container communicates with the outside world.

For example, for a web site to be reachable outside of the docker network, it needs to publish port 80 and optionally 443.

In the "docker compose way", it will be done like this:
The port declaration appears inside the container declaration level.

Code:
version: '2'
services:
  webserver:
    image: xxxx/yyyyy
    container_name: webserver
    ports:
      - "80:80"
      - "443:443"
In the case of this vpn proxy solution, all the port declarations need to be put in the vpn section (service) part.

Code:
version: '2'
services:
  vpn:
    image: aaa/bbb
    container_name: vpn
    ports:
      - "service1_external_port:service1_container_port"
      - "service2_external_port:service2_container_port"
  service1:
    image: service1_author/service1_image
    container_name: service1_name
  service2:
    image: service2_author/service2_image
    container_name: service2_name
This means that for each additional "service" (let's say service ax) you want to see proxied through the vpn tunnel, you will need to put its port declaration at the vpn service level

Code:
    ports:
      - "service_ax_external_port:service_ax_container_port"
and not at the ax service level

Additional requirements:

To be sure the services will use the vpn tunnel appropriately, 2 additional requirements need to be added in each service declaration.
Code:
depends_on:
  - vpn
AND

Code:
network_mode: "service:vpn"

depends_on simply instructs the proxied service to wait for the "vpn service" to be started and functional before starting itself.

network_mode instructs the proxied service to use the network of the vpn service to communicate with the outside world.

To summarize

The main blocks you will have to foresee are:


Initiation declaration
+
VPN Declaration
+
Service 1 Declaration
+
Service 2 Declaration
+
Ending declaration


Initiation declaration:
Code:
version: '2'
services:
VPN declaration:
Code:
  vpn:
    image: bubuntux/nordvpn
    container_name: vpn
    cap_add:
      - NET_ADMIN
    environment:
      - "USER=<Your_VPN_User>"
      - "PASS=<Your_VPN_Password>"
      - "country=germany"
      - "CATEGORY=P2P"
      - "PROTOCOL=openvpn_udp"
      - "LAN_NETWORK=172.18.0.0/24"
    devices:
      - "/dev/net/tun"
    ports:
      - "Service1_external:Service1_internal"
      - "Service2_external:Service2_internal"
Service 1 declaration:
Code:
  service1:
    image: service1_author/service1_image
    container_name: service1
    depends_on:
      - vpn
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:service1.<yourdomain.name>"
      traefik.port: "Service1_internal"
Service 2 declaration:
Code:
  service2:
    image: service2_author/service2_image
    container_name: service2
    depends_on:
      - vpn
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:service2.<yourdomain.name>"
      traefik.port: "Service2_internal"
Ending declaration:
Code:
networks:
  default:
    external:
      name: plexguide
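The layout rules spelled out in the post (ports on the hub, depends_on plus network_mode on every proxied service, NET_ADMIN and /dev/net/tun on the hub) are easy to break once the file grows, and a service that is simply left off the hub silently keeps its own network path and talks to the internet outside the tunnel. The checker below is an added example written for this page, not code from the post or from the bubuntux/nordvpn image. It works on the dictionary shape that `docker compose config --format json` prints (or on a hand-written dict); the embedded sample, including the hypothetical `jackett` and `portainer` services, is constructed here for illustration and deliberately contains mistakes.

```python
"""Static checks for the single-VPN-hub docker-compose layout.

Added example, not code from the PGBlitz post.  Feed it the JSON written by

    docker compose -f /opt/appdata/vpn/docker-compose.yml config --format json

(the apt-packaged docker-compose v1 prints YAML from `docker-compose config`;
convert that to JSON first) or any dict with the same shape.
"""
import json
import sys


def check_vpn_hub(compose, hub="vpn"):
    """Return a list of "error: ..." / "warning: ..." strings; empty means the layout is sound."""
    findings = []
    services = compose.get("services") or {}
    if hub not in services:
        return [f"error: no '{hub}' service, nothing routes through a tunnel"]
    hub_svc = services[hub]

    # The hub owns the tunnel: it needs NET_ADMIN and the tun device.
    if "NET_ADMIN" not in (hub_svc.get("cap_add") or []):
        findings.append(f"error: {hub}: missing cap_add NET_ADMIN, the tunnel cannot be set up")
    if not any("/dev/net/tun" in str(dev) for dev in (hub_svc.get("devices") or [])):
        findings.append(f"error: {hub}: /dev/net/tun is not passed in")

    # A service is proxied only if it shares the hub's network stack.
    proxied = [name for name, svc in services.items()
               if name != hub and svc.get("network_mode") == f"service:{hub}"]

    for name in proxied:
        svc = services[name]
        # The hand-written file uses a list; `docker compose config` renders a dict
        # keyed by service name.  `in` works for both.
        if hub not in (svc.get("depends_on") or []):
            findings.append(f"error: {name}: joins {hub}'s network but has no depends_on: [{hub}]")
        if svc.get("ports"):
            findings.append(f"error: {name}: declares ports; under network_mode service:{hub} "
                            f"they must be declared on {hub}")
        if svc.get("networks"):
            findings.append(f"warning: {name}: 'networks' is ignored under network_mode service:{hub}")

    # Everything else keeps its own network stack, so its traffic bypasses the VPN.
    # Report it so that this is a decision, not an accident.
    for name, svc in services.items():
        if name != hub and name not in proxied:
            mode = svc.get("network_mode", "default")
            findings.append(f"warning: {name}: not proxied (network_mode={mode!r}), "
                            f"its traffic bypasses the VPN")
    return findings


# Constructed sample: "vpn" and "deluge" follow the post; "jackett" (hypothetical)
# breaks the pattern twice; "portainer" (hypothetical) is simply not proxied.
SAMPLE = {
    "services": {
        "vpn": {
            "image": "bubuntux/nordvpn",
            "cap_add": ["NET_ADMIN"],
            "devices": ["/dev/net/tun"],
            "ports": ["8112:8112", "9117:9117"],
        },
        "deluge": {
            "image": "linuxserver/deluge",
            "depends_on": ["vpn"],
            "network_mode": "service:vpn",
        },
        "jackett": {
            "image": "linuxserver/jackett",
            "network_mode": "service:vpn",   # no depends_on ...
            "ports": ["9117:9117"],          # ... and ports on the wrong service
        },
        "portainer": {
            "image": "portainer/portainer",
        },
    }
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    problems = check_vpn_hub(data)
    print("\n".join(problems) or "ok")
    sys.exit(1 if any(p.startswith("error:") for p in problems) else 0)
```

Docker itself rejects published ports on a container that joins another container's network, so the `ports` mistake would surface at `up` time anyway; the check just moves it earlier and adds the cases docker does not complain about. Keep in mind that every proxied service shares one network namespace with the hub: they share a single loopback interface, anything one of them binds on 127.0.0.1 is reachable from the others, and two services cannot listen on the same port. So proxy only what actually needs the tunnel.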
 

plex_noob
During download or upload?

To work effectively, torrent technology expects you to share what you are downloading. With a VPN this exchange does not occur, so your download speed will be impacted. It will take more time, but eventually you will be able to download the full file.
 

dinklegeta
During download. I have not even touched the default deluge config, I just tried to test it by adding a Linux distro torrent as they are usually well seeded. Usually the download speed starts alright (no upload at all) and then just gradually goes to nothing. But this is all within a 10-15 second period, I would say, so it's not like it's working again a minute later; I have left the torrent in the queue for more than a day and it's still at 0%.
 

lowmach1ne
Hi,
I have an issue: when watchtower kicks in, my service loses the connection and doesn't find the vpn anymore.
Do you have a way to avoid that?

Thank you
 

plex_noob
If for whatever reason the vpn container is restarted, all the other containers depending on it will also need to be restarted.

docker-compose does not monitor the containers it starts; setting depends_on is only used to determine the order in which the containers are started / created when doing docker-compose up.
Likewise, depends_on is only known by docker-compose and is not a feature the docker engine is aware of, so when the docker daemon is restarted it will not take startup order into account.

The only way I see to manage this situation is to script it: force the restart of the depending containers when the main container is restarted.
 
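One way to script what the reply above describes, as an added example that is not part of the thread: the engine records compose's network_mode: "service:vpn" on each proxied container as HostConfig.NetworkMode = "container:<vpn container id>", so the dependents can be discovered from docker inspect instead of being hard-coded, and a docker events listener restarts them every time the vpn container starts. The script assumes the docker CLI is on PATH and that the hub is named vpn (override with the first argument); the container names in the constructed sample used for testing (deluge, jackett, traefik) are illustrative.

```python
"""Restart the containers that share the vpn container's network namespace
whenever the vpn container comes (back) up.

Added example, not code from the PGBlitz thread.  Assumes the docker CLI is
on PATH.  Compose stores network_mode: "service:vpn" on each proxied
container as HostConfig.NetworkMode = "container:<vpn id>", which is what
dependents_of() keys on; after the vpn container restarts, those containers
are left attached to a namespace that no longer carries the tunnel.
"""
import subprocess
import sys


def dependents_of(hub_id, inspect_lines):
    """Pure filter: names whose NetworkMode points at hub_id.

    Each line is "<name> <network_mode>" as printed by
    docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}'.
    docker prints names with a leading slash, which is stripped here.
    """
    wanted = f"container:{hub_id}"
    names = []
    for line in inspect_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        name, mode = parts
        if mode.startswith(wanted):      # startswith so a short id also matches
            names.append(name.lstrip("/"))
    return names


def docker(*args):
    """Run a docker CLI command and return its stdout (raises on failure)."""
    return subprocess.run(["docker", *args], check=True,
                          capture_output=True, text=True).stdout


def list_dependents(hub):
    """Discover the containers currently joined to the hub's network namespace."""
    hub_id = docker("inspect", "--format", "{{.Id}}", hub).strip()
    ids = docker("ps", "-aq").split()
    if not ids:
        return []
    lines = docker("inspect", "--format",
                   "{{.Name}} {{.HostConfig.NetworkMode}}", *ids).splitlines()
    return dependents_of(hub_id, lines)


def watch(hub):
    """Block on the engine event stream; each start of the hub triggers one restart round."""
    events = subprocess.Popen(
        ["docker", "events", "--filter", f"container={hub}",
         "--filter", "event=start", "--format", "{{.Status}}"],
        stdout=subprocess.PIPE, text=True)
    for _ in events.stdout:
        deps = list_dependents(hub)
        if deps:
            print(f"{hub} started, restarting: {', '.join(deps)}")
            docker("restart", *deps)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "vpn")
```

Run it on the host as a long-lived background service with the same privileges as the docker CLI. It covers a restart of the same vpn container (docker restart vpn, or a crash followed by restart: unless-stopped). When watchtower recreates the vpn container, the proxied containers still reference the old container id, so list_dependents() finds nothing; in that case re-run docker-compose -f /opt/appdata/vpn/docker-compose.yml up -d so the proxied containers are recreated against the new id.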

MCP99999
Is there a possibility to connect an existing Docker container with the vpn container?
Maybe with "docker network connect"? I could only connect to a "real" network but not to network_mode: "container:vpn"
 

PlexFan
Is there a possibility to connect an existing Docker container with the vpn container?
Maybe with "docker network connect"? I could only connect to a "real" network but not to network_mode: "container:vpn"
Did you check through portainer?
 