Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Help with running Docker containers behind a VPN

Featured Replies

I’ve been searching for an “updated” guide on configuring my UnRAID server to run my *arr, sabnzbd and qbittorent containers behind a vpn (preferably PIA as that’s what I currently use). I’m somewhat familiar with  some wireguard setups (ie using WG plus PIA in Binhex’s vpn containers currently) as well as recently configuring Tailscale for remote access (was previously using Wireguard for tunneled access but kept having intermittent issues like I have with the vpn configured containers).

 

Anyway, looking for some guidance on if there’s a better setup in 2024 with either UnRAID 6.12.14 or a 7 RC to simplify this setup and not have to worry if the vpn is working or not, speed issues etc? Thanks

  • 2 weeks later...
  • Author

Bumping this thread since I sent it right before holidays

  • Community Expert

 

Recommended Setup for 2024

Use Binhex or Gluetun for a simplified and centralized VPN container approach.

Install Tailscale for remote access to avoid the complexity of managing external VPN clients.

Regularly update your containers and plugins through UnRAID's UI.

 

 

 

Unraid 7 has a nice docker network option to set service you want running the PIA VPN docker...
you edit the docker you want behind the VPN and point them to container:

image.png.d0d6a6b87b1c469a730f51c122169f02.png

 

I assume your using this docker:

image.png.405be3457681bc40898347d14aa1956c.png

for PIA VPN setup and access.

 

step 1 Set up a dedicated VPN container (e.g., gluetun or qvpn) that other containers route through.

 

Option A: Simplifying Your Setup

Option A: Use Binhex's VPN-Enabled Containers

This is the easiest option since Binhex containers have built-in support for PIA. Here's the process:

 

Install the Container:

Go to UnRAID's Docker page and install a Binhex container (e.g., binhex-qbittorrentvpn, binhex-sabnzbdvpn).

 

Configure PIA VPN:

Download the PIA WireGuard or OpenVPN configuration files.

Place them in the config folder of your Docker container (usually /mnt/user/appdata/<container-name>).

Modify the VPN_USER and VPN_PASS in the container's environment variables.

 

Other Networking:

Set other *arr containers (e.g., Sonarr, Radarr) to use the network of the VPN container by setting Network: container:<vpn-container-name>

 

Option B: Use a Dedicated VPN Container

If you want to centralize VPN routing:

 

Install a Dedicated VPN Container:

Use gluetun or similar. Gluetun is actively maintained and supports WireGuard.

Configure PIA with WireGuard for optimal performance.

 

Route Containers Through VPN:

Set *arr, SABnzbd, and qBittorrent containers to use the network_mode of the VPN container.

 

Benefits:

Centralized VPN management.

Easier to switch VPN providers or protocols without reconfiguring every container.

 


Option C :

Use Tailscale for Remote Access

Tailscale simplifies secure remote access:

 

Install Tailscale Plugin:

Use the UnRAID Community Applications store to install the Tailscale plugin.

Log in and configure your UnRAID server as a Tailscale node.

 

Bypass VPN for Local Use:

Configure specific containers (e.g., your *arr apps) to bypass the VPN and use your Tailscale subnet router for remote access.

This avoids routing traffic through multiple tunnels, improving speed and reliability.

 

Combine with Gluetun:

Run Tailscale and Gluetun in parallel for complete flexibility.

 

  • Author

Wow, thanks for the detailed response. I’m not opposed to option A if it means I can run non-VPN dockers (eg the *arr dockers grabbing nzb’s and torrents) behind the vpn as well. I think that’s what you’re saying here:

 

Other Networking:

Set other *arr containers (e.g., Sonarr, Radarr) to use the network of the VPN container by setting Network: container:<vpn-container-name>

 

but I’m not 100% sure. Do you mean setting the network in each of the various docker container settings separately? If so, this seems pretty similar to B but doesn’t rely on a specific *vpn docker? I think I prefer that approach in the event I want to change dockers in the future.

 

I’ll check out gluetun (first time hearing about it) and report back here as I can conceptually understand this approach (and A as well).

 

Finally, is option C really doing the same thing as A and B? I just want the privacy/anonymity the VPN provides when those containers are doing their thing. Perhaps I need a little step by step instruction for this:

 

Configure specific containers (e.g., your *arr apps) to bypass the VPN and use your Tailscale subnet router for remote access.

 

Oh and for WireGuard, I was using built-in vpn functionality with UnRAID. For Tailscale I use the plug-in just for remote access.

 

Thanks again!

  • Community Expert

option a and b are essential the same just where the endpoint is running. as some PIA old form has PIA VPN runnignin a VM not a docker. but same setups different locations.

option c is use tail scale a different VPN that unraid partnered with.

  • Author
On 1/7/2025 at 6:34 PM, bmartino1 said:

option a and b are essential the same just where the endpoint is running. as some PIA old form has PIA VPN runnignin a VM not a docker. but same setups different locations.

option c is use tail scale a different VPN that unraid partnered with.

So for option C I would need to sign up for Tailscale VPN services? Like I said, my knowledge of Tailscale is limited to using it for remote access.

  • Community Expert

if not tailscale there is also twingate.

Both tailscale and twingate requires a vpn client to connect.

 

Correct.

https://docs.unraid.net/unraid-os/manual/security/tailscale/

 

I use the user script to make sure my subnet routes are in:
so, with tail scale i have my subnet exposed so i can access other things on my lan as if the device over the VPN were a pc next to unraid over the internet.

Other Docker setting...
image.thumb.png.9f4938b425c4aed6c07eff7385c0cbdd.png

 

Access your tailscale setting there. More for client side access and other advance settings like key expiry and dns settings...

https://login.tailscale.com/admin/machines

 

same with twingate.
https://auth.twingate.com/

 

For my use case, its for a VPN for phones to connect to a docker for picture backup services.


Tail scale is free 1-3 users max though.

https://tailscale.com/kb/1154/free-plans-discounts

 

twingate is 5 users free:

https://www.twingate.com/pricing


Found twingate faster and easier to implement then tailscale. VPN are endpoint changes and there's a different in making a tunnel and using the tunnel...

 

Step 1 is use docker/plugin to make a connection with your VPN provider of choice.
This creates a tunnel to use.
Step 2 is point a thing at that network to traverse it...

Usually its a choice between tailscale or twingate. Both are ok

for unriad tailscale is a plugin as unraid recently partnered with them.... and twingate runs a docker. Similar/same setup you would use with PIA VPN as with twingate...


with unraid 7 rc2 its a mater of telling other dockers to use them for the network

example v7 rc2 docker template setup for
twingate or talescale:
image.thumb.png.abdc68c0b44f6231edfb014b6fdadf2b.png

filling in tailscale settings if wanted/necessary...

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.