
HOWTO: Use single and central VPN container for all your other apps

plex_noob

Blitz Legioner
Staff
Donor
This howto focuses on the creation of a VPN container that will be used as a proxy/hub for other containers needing to access the internet in a secure way. The difference between this solution and all the others lies in the use of the same VPN connection for all your needs.
Your needs could be:

- Torrenting
- Private web browsing
- Private download
- ...

The advantages are:
- Use of a single VPN connection for all your needs (Some VPN providers are quite reluctant to provide more than x connections)
- Respect of the basic principle of a container: limit each container to one and only one function
- Reduce server resource consumption by having only one VPN for all your needs
- Manageability: easy to use and maintain because there is only one instance
- Evolution: no waste of time looking for an app with a VPN included. Take the standard application and add it to this method and you have it secured
- Ease of re-installation, if a Plexguide reinstall is required, no problem, you only need to re-execute a single file and everything is up and running
- ...

This method uses the docker-compose method.

The principle is quite simple:
  1. Install docker-compose
  2. Create a file with a yml extension
  3. Respect the coding principles which are quite touchy, not too many spaces, respect the position of some parts, ...
  4. Create all your containers within a single file
  5. Save the file
  6. Execute the docker-compose file
  7. Enjoy
1. Install docker-compose: sudo apt install docker-compose
2. Create a folder to put your future vpn container: mkdir -p /opt/appdata/vpn/
3. Create an empty file (docker-compose.yml) in the created directory: touch /opt/appdata/vpn/docker-compose.yml
4. Edit and paste the following code:
YAML:
version: '2'
services:
  vpn:
    image: bubuntux/nordvpn
    container_name: vpn
    cap_add:
      - NET_ADMIN
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
    environment:
      - "USER=<Your_VPN_User>"
      - "PASS=<Your_VPN_Password>"
      - "country=germany"
      - "CATEGORY=P2P"
      - "PROTOCOL=openvpn_udp"
      - "LAN_NETWORK=172.18.0.0/24"
    devices:
      - "/dev/net/tun"
    ports:
      - "8112:8112"
      - "8118:8118"
      - "58846:58846"
      - "58946:58946"
  deluge:
    image: linuxserver/deluge
    container_name: deluge
    depends_on:
      - vpn
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Brussels
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:deluge.<yourdomain.name>,"
      traefik.port: "8112"
    volumes:
      - "/opt/appdata/deluge/config:/config"
      - "/mnt/unionfs:/unionfs"
      - "/mnt/md0/mnt/deluge:/mydata"
    mem_limit: 4096m
    restart: unless-stopped
networks:
  default:
    external:
      name: plexguide
5. Quit and save the file
6. Run the following command: docker-compose -f /opt/appdata/vpn/docker-compose.yml up -d
7. The docker-compose file is checked and the containers are created.

The ports definitions for each sub-container need to be specified at the vpn container level.
Each sub-container needs to refer to the vpn container with:

This is to make sure that the vpn is started before the container:

depends_on:
- vpn


This is to route the traffic through the vpn:

network_mode: "service:vpn"


This is it!

Sined

03/01/2019 additions:

Ports Definition
The ports definition part is, in fact, the way the container communicates with the outside world.

For example, for a web site to be reachable outside of the docker network, it needs to publish the port 80 and optionally 443.

In the "docker compose way", it will be done like this:
The port declaration appears inside the container declaration level.
Code:
version: '2'
services:
  webserver:
    image: xxxx/yyyyy
    container_name: webserver
    ports:
      - "80:80"
      - "443:443"
In the case of this vpn proxy solution, all the port declarations need to be put in the vpn section (service).
Code:
version: '2'
services:
  vpn:
    image: aaa/bbb
    container_name: vpn
    ports:
      - "service1_external_port:service1_container_port"
      - "service2_external_port:service2_container_port"
  service1:
    image: service1_author/service1_image
    container_name: service1_name
  service2:
    image: service2_author/service2_image
    container_name: service2_name
This means that for each additional "service" (let's say service ax) you want to see proxied through the vpn tunnel, you will need to put its port declaration at the vpn service level
Code:
ports:
      - "service_ax_external_port:service_ax_container_port"
and not at the ax service level

Additional requirements:

To be sure the services will use the vpn tunnel appropriately, 2 additional requirements need to be added in each service declaration.

Code:
depends_on:
- vpn
AND

Code:
network_mode: "service:vpn"
depends_on simply instructs the proxied service to wait for the "vpn service" to be started and functional before starting itself.

network_mode instructs the proxied service to use the network of the vpn service to communicate with the outside world.

To summarize

The main blocks you will have to foresee are:

Initiation declaration
+
VPN Declaration
+
Service 1 Declaration
+
Service 2 Declaration
+
Ending declaration


Initiation declaration:
Code:
version: '2'
services:
VPN declaration:
Code:
vpn:
    image: bubuntux/nordvpn
    container_name: vpn
    cap_add:
      - NET_ADMIN
    environment:
      - "USER=<Your_VPN_User>"
      - "PASS=<Your_VPN_Password>"
      - "country=germany"
      - "CATEGORY=P2P"
      - "PROTOCOL=openvpn_udp"
      - "LAN_NETWORK=172.18.0.0/24"
    devices:
      - "/dev/net/tun"
    ports:
      - "Service1_external:Service1_internal"
      - "Service2_external:Service2_internal"
Service 1 declaration:
Code:
service1:
    image: service1_author/service1_image
    container_name: service1
    depends_on:
      - vpn
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:service1.<yourdomain.name>,"
      traefik.port: "Service1_internal"
Service 2 declaration:
Code:
service2:
    image: service2_author/service2_image
    container_name: service2
    depends_on:
      - vpn
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:service2.<yourdomain.name>,"
      traefik.port: "Service2_internal"
Ending declaration:
Code:
networks:
  default:
    external:
      name: plexguide
 

Appelsap

Blitz 3rd Class
Nice. I already tested this method with DelugeVPN, but I just tried it with SABnzbd (also from Binhex), changed a few lines here and there to replace deluge with SABnzbd and it worked perfectly. Thank you very much.
 

plex_noob

Blitz Legioner
Staff
Donor
Of course, you could use a more generic openvpn container and apply the same principle.
 

fr0sty

Blitz Sergeant
Staff
Donor
The ports definitions for each sub-container need to be specified at the vpn container level.
Each sub-container needs to refer to the vpn container with:

This is to make sure that the vpn is started before the container:

depends_on:
- vpn


This is to route the traffic through the vpn:

network_mode: "service:vpn"
I got lost here. Can you please break it down more for the simple people?
 

plex_noob

Blitz Legioner
Staff
Donor
Please see the initial post for further explanation.
Hope this will help.
 

ogtimmiller

Blitz 3rd Class
How do we extend the NordVPN .yaml config to tunnel the traffic from jackett, Sonarr, and Radarr through this single vpn config?

Maybe extend this line with the ports used by the programs desired? What about dependencies on boot up, we need these programs to wait until the vpn is connected before starting?

ports:
- "8112:8112"
- "8118:8118"
- "58846:58846"
- "58946:58946"
 

dinklegeta

Blitz 1st Class
I am getting the following errors when running docker-compose -f /opt/appdata/vpn/docker-compose.yml -up -d

Code:
Traceback (most recent call last):
  File "/usr/bin/docker-compose", line 9, in <module>
    load_entry_point('docker-compose==1.8.0', 'console_scripts', 'docker-compose')()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 487, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2728, in load_entry_point
    return ep.load()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2346, in load
    return self.resolve()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2352, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/dist-packages/compose/cli/main.py", line 14, in <module>
    from . import errors
  File "/usr/lib/python2.7/dist-packages/compose/cli/errors.py", line 9, in <module>
    from docker.errors import APIError
  File "/usr/local/lib/python2.7/dist-packages/docker/__init__.py", line 2, in <module>
    from .api import APIClient
  File "/usr/local/lib/python2.7/dist-packages/docker/api/__init__.py", line 2, in <module>
    from .client import APIClient
  File "/usr/local/lib/python2.7/dist-packages/docker/api/client.py", line 5, in <module>
    import requests
  File "/usr/local/lib/python2.7/dist-packages/requests/__init__.py", line 95, in <module>
    from urllib3.contrib import pyopenssl
  File "/usr/local/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 118, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
Any ideas?
 

dinklegeta

Blitz 1st Class
I am getting the following errors when running docker-compose -f /opt/appdata/vpn/docker-compose.yml -up -d

Any ideas?
Ok so I resolved this issue, seems to be an issue with the docker version that was installed. Now my problem is when I add a torrent the speed tanks to a standstill for some reason.
 

ogtimmiller

Blitz 3rd Class
I am getting the following errors when running docker-compose -f /opt/appdata/vpn/docker-compose.yml -up -d

Any ideas?
I solved this problem by navigating to the root directory of the vpn container and running docker-compose up

These two links are relevant:
https://github.com/andresriancho/w3af/issues/15260
https://github.com/docker/compose/issues/1567
 

dinklegeta

Blitz 1st Class
I solved this problem by navigating to the root directory of the vpn container and running docker-compose up
Yeah I got past that error anyway as I mentioned in my follow-up post. Now though my torrents keep slowing down to a standstill after just a few seconds of adding them within deluge, have you had this issue by any chance?
 

ogtimmiller

Blitz 3rd Class
Yeah I got past that error anyway as I mentioned in my follow-up post. Now though my torrents keep slowing down to a standstill after just a few seconds of adding them within deluge, have you had this issue by any chance?
I haven't. Did you enter your vpn credentials in the vpn container correctly?
 

noname

Blitz 3rd Class
You can use this container to setup for PIA vpn.
https://hub.docker.com/r/colinhebert/pia-openvpn/
Looking at the instructions for this, let's say I am able to create the PIA image as described, how do I then get existing containers created with PG to run through this one? The article makes reference to creating a PIA network and then creating containers inside of it. Is there a way to modify a config file somewhere of an existing VPN that will allow this to work? Has anyone successfully done this? I currently use a separate machine as a torrent client to avoid VPN issues with PLEX but would like to consolidate without breaking what I already have.
 

ogtimmiller

Blitz 3rd Class
Yes I did, the torrent even starts downloading but then gradually slows down to 0.
Try setting the permissions for the deluge downloads folder. Try chmod 777 <path to downloads> or chown 1001:1001 <path to downloads> or whatever the deluge/plex username is.
 

dinklegeta

Blitz 1st Class
Try setting the permissions for the deluge downloads folder. Try chmod 777 <path to downloads> or chown 1001:1001 <path to downloads> or whatever the deluge/plex username is.
I think that might have solved it (although I did a bunch of other things as well), appreciate your assistance in that matter.
 

plex_noob

Blitz Legioner
Staff
Donor
How do we extend the NordVPN .yaml config to tunnel the traffic from jackett, Sonarr, and Radarr through this single vpn config?

Maybe extend this line with the ports used by the programs desired? What about dependencies on boot up, we need these programs to wait until the vpn is connected before starting?

ports:
- "8112:8112"
- "8118:8118"
- "58846:58846"
- "58946:58946"
To route the traffic through the VPN, add the following lines.

In the vpn docker-compose file:

ports:
- "8989:8989"  # ports used by the new service for sonarr

In the new service docker-compose file:

network_mode: "service:vpn"  # This forces sonarr to use the network exposed by the vpn

depends_on:  # Tells sonarr to wait for the vpn to be up before starting
- vpn
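
A check for the layout described in the first post and in the answer above (ports published at the vpn level, `network_mode: "service:vpn"` on every proxied service), as an added example that is not part of the original posts: it reads `docker inspect` JSON and reports containers that are not sharing the vpn container's network. The sample JSON, the container ids and the `proxied_ports` parameter are constructed for the illustration.

```python
import json

# Constructed sample, trimmed to the fields read below, in the shape printed by
# `docker inspect vpn deluge sonarr`. Ids and the sonarr misconfiguration are made up.
SAMPLE_INSPECT = """[
  {"Id": "aaaa1111", "Name": "/vpn",
   "HostConfig": {"NetworkMode": "plexguide",
                  "PortBindings": {"8112/tcp": [{"HostIp": "", "HostPort": "8112"}]}}},
  {"Id": "bbbb2222", "Name": "/deluge",
   "HostConfig": {"NetworkMode": "container:aaaa1111", "PortBindings": {}}},
  {"Id": "cccc3333", "Name": "/sonarr",
   "HostConfig": {"NetworkMode": "plexguide",
                  "PortBindings": {"8989/tcp": [{"HostIp": "", "HostPort": "8989"}]}}}
]"""


def audit(inspect_json, proxied_ports, vpn_name="vpn"):
    """Return findings for containers that should sit behind the vpn container.

    proxied_ports maps container name -> port that must be published at the
    vpn level (a hypothetical parameter of this example).
    """
    by_name = {c["Name"].lstrip("/"): c for c in json.loads(inspect_json)}
    vpn = by_name.get(vpn_name)
    if vpn is None:
        return [f"{vpn_name}: container not found"]
    # `network_mode: "service:vpn"` shows up in inspect as container:<vpn id>.
    expected_mode = "container:" + vpn["Id"]
    vpn_ports = vpn["HostConfig"].get("PortBindings") or {}
    findings = []
    for name, port in sorted(proxied_ports.items()):
        c = by_name.get(name)
        if c is None:
            findings.append(f"{name}: container not found")
            continue
        host_cfg = c["HostConfig"]
        mode = host_cfg.get("NetworkMode", "")
        if mode != expected_mode:
            # Own network, or a stale id left over from a recreated vpn container.
            findings.append(f"{name}: NetworkMode={mode!r}, not sharing the vpn network")
        if host_cfg.get("PortBindings"):
            findings.append(f"{name}: publishes its own ports instead of using the vpn service")
        if f"{port}/tcp" not in vpn_ports:
            findings.append(f"{name}: port {port} is not published on {vpn_name}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INSPECT, {"deluge": 8112, "sonarr": 8989}):
        print(line)
```

On a live host, pass it the output of `docker inspect vpn deluge sonarr` in place of the sample.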
 
