Hello everyone,
I'm the author/maintainer of gluetun (and others). I usually don't participate here due to lack of time, and I've got plenty to answer on GitHub already, but I was emailed saying the docker image had a trojan built-in.
Just to be clear, there is no trojan or virus or any malicious code put by me. Unless GitHub or Docker Hub got hacked I guess, which is unlikely.
Also theoretically I don't think a "trojan" could do anything more in a container than standard "non-trojan" code. If I were malicious, I would code something custom without a trojan code signature.
We should still be careful with such reports since gluetun runs as root and has NET_ADMIN access (no way around due to VPNs), so if a distribution like Docker Hub gets compromised (and injects a trojan in every image), some malicious code could have some effect on your system since it's not a totally isolated container running without root.
You could always build the image yourself (docker build -t qmcgaw/gluetun https://github.com/qdm12/gluetun.git) and then import the XML from DiamondPrecisionComputing's repository if you can't wait and want to play it safe until this is resolved.