How to put docker behind vpn not using privoxy?


mbc0


Hi,

 

I would like to put some containers behind a vpn that do not have a proxy option (like radarr,sonarr etc)

 

I have binhex-privoxy running which is great for those dockers but not for all.

 

I have a private internet access account available to me and use it for binhex-privoxy and some vm's but do not want to put everything behind a vpn just some dockers

 

I have pfsense running on another unraid server available to me but could not work out how to setup a VLAN, is this still my best option or is there another way?

 

Thanks in advance!

Link to comment

I did not explain that very well, I mean radarr and sonarr etc do have a proxy option and I can pass them through privoxy, other dockers do not have this option and I would like to pass them through a VPN and looking for the best way to do this.

 

Thanks

Link to comment

You can install the OpenVPN plugin that would put your entire server behind VPN.

Otherwise, you have to do it on your router (e.g. have each docker with its own IP and control the VPN access from the router) and/or router VM.

 

I used to have a VM that is connected to VPN and serves as a gateway for some dockers to route traffic through. I don't do that any more since I found it rather cumbersome.

 

Generally the dockers that I need to be behind VPN already have a "+VPN" version available on the app store.

Link to comment

Hi @testdasi,

 

Thanks so much for your time!

 

I think I "hopefully" am close! 

 

I have installed a VM running ubuntu server running as a virtual vpn server and it works great to devices that I can specify an IP/Gateway on, how did you route your dockers through a different gateway then you used to do that?

 

Thanks again

Link to comment
16 minutes ago, mbc0 said:

I have installed a VM running ubuntu server running as a virtual vpn server and it works great to devices that I can specify an IP/Gateway on, how did you route your dockers through a different gateway then you used to do that?

I used pipework docker (details below).

There is the proper Limetech-recommended method using docker native functionalities which I found too troublesome to even try since pipework just worked and took me less than 5 minutes to set up.

 

Nevertheless, I have now completely transitioned away from custom IP and into using +VPN dockers and VPN proxy dockers.

There isn't any docker that I want to be behind VPN which doesn't have either of those 2 options available.

 

Pipework docker.

 

Link to comment

FYI you can put "--net=container:foo" in the extra params to make any docker container reuse the network of an existing container (example here is that "foo" is the docker container connected to the VPN).  the recently released 6.8.3 makes this work again without the need for workarounds.

Link to comment
On 3/8/2020 at 3:08 PM, bling said:

FYI you can put "--net=container:foo" in the extra params to make any docker container reuse the network of an existing container (example here is that "foo" is the docker container connected to the VPN).  the recently released 6.8.3 makes this work again without the need for workarounds.

Hi,

 

Do you mean instead of or as well as?

 

--net=container:foo

 

-e 'pipework_cmd=br0 @CONTAINER_NAME@ 192.168.0.138/[email protected]'

Link to comment
On 3/11/2020 at 7:11 PM, mbc0 said:

Hi,

 

Do you mean instead of or as well as?

 

--net=container:foo

 

-e 'pipework_cmd=br0 @CONTAINER_NAME@ 192.168.0.138/[email protected]'

instead of.

using --net replaces any existing method for achieving this.  you don't need to set up proxies or anything because any "child containers" will reuse the network of the parent.  so all you need to do is find a docker container (there are tons) that do openvpn + a kill switch as the parent and you're good.

Link to comment

Hi @bling, sorry for the delay in thanking/getting back to you! I have just tried this and it unfortunately fails?

 

This is the docker I wanted to use that uses a vpn and killswitch

 

[image attachment]

 

These are the extra parameters I put in

 

--net=container:binhex-delugevpn

 

and this is the error I get?

 

/usr/bin/docker: Error response from daemon: Container cannot be connected to network endpoints: container:binhex-delugevpn, host.
See '/usr/bin/docker run --help'.
The command failed.

 

Am I missing something obvious?

 

Thank you

Link to comment
1 hour ago, mbc0 said:

Hi @bling, sorry for the delay in thanking/getting back to you! I have just tried this and it unfortunately fails?

 

This is the docker I wanted to use that uses a vpn and killswitch

 

[image attachment]

 

These are the extra parameters I put in

 

--net=container:binhex-delugevpn

 

and this is the error I get?

 

/usr/bin/docker: Error response from daemon: Container cannot be connected to network endpoints: container:binhex-delugevpn, host.
See '/usr/bin/docker run --help'.
The command failed.

 

Am I missing something obvious?

 

Thank you

you need to set the network type to 'none', so that the --net in the extra params will work.  also, if your child container has a port exposed you need this defined on the parent container instead otherwise you can't access it.

Link to comment
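
The setup described in the post above (child containers joining a VPN parent with `--net=container:...`, and the child's ports published on the parent) can be checked from `docker inspect` output. The following is an added example, not code from any poster in this thread; the container names, IDs and ports are constructed, and it checks configuration only, not whether the parent's kill switch works.

```python
import json

# Constructed sample shaped like `docker inspect $(docker ps -q)` output.
# Container names, IDs and ports are made up for illustration.
SAMPLE = json.loads("""[
 {"Id": "aaa111", "Name": "/vpn-parent",
  "Config": {"ExposedPorts": {"8112/tcp": {}}},
  "HostConfig": {"NetworkMode": "bridge",
                 "PortBindings": {"8112/tcp": [{"HostPort": "8112"}],
                                  "8989/tcp": [{"HostPort": "8989"}]}}},
 {"Id": "bbb222", "Name": "/sonarr",
  "Config": {"ExposedPorts": {"8989/tcp": {}}},
  "HostConfig": {"NetworkMode": "container:aaa111", "PortBindings": {}}},
 {"Id": "ccc333", "Name": "/radarr",
  "Config": {"ExposedPorts": {"7878/tcp": {}}},
  "HostConfig": {"NetworkMode": "container:vpn-parent", "PortBindings": {}}},
 {"Id": "ddd444", "Name": "/jackett",
  "Config": {"ExposedPorts": {"9117/tcp": {}}},
  "HostConfig": {"NetworkMode": "bridge",
                 "PortBindings": {"9117/tcp": [{"HostPort": "9117"}]}}}
]""")


def audit(containers, parent_name, must_use_vpn):
    """Return {name: [findings]} for containers expected behind the VPN."""
    by_ref = {}  # NetworkMode may reference the parent by ID or by name
    for c in containers:
        by_ref[c["Id"]] = c
        by_ref[c["Name"].lstrip("/")] = c
    parent = by_ref[parent_name]
    published = set(parent["HostConfig"].get("PortBindings") or {})
    report = {}
    for name in must_use_vpn:
        c, findings = by_ref[name], []
        mode = c["HostConfig"]["NetworkMode"]
        ref = mode.partition(":")[2] if mode.startswith("container:") else None
        if by_ref.get(ref) is not parent:
            # Own network stack, or a parent that no longer exists
            findings.append(f"not in {parent_name}'s network (mode={mode})")
        else:
            # Child ports are only reachable if the parent publishes them
            for port in sorted(c["Config"].get("ExposedPorts") or {}):
                if port not in published:
                    findings.append(f"{port} not published on {parent_name}")
        report[name] = findings
    return report


if __name__ == "__main__":
    result = audit(SAMPLE, "vpn-parent", ["sonarr", "radarr", "jackett"])
    for name, findings in result.items():
        print(name, "OK" if not findings else "; ".join(findings))
```
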

Thanks for the reply, I set network type to none at first but had no joy so tried all possible options, the error is probably because as you say "if your child container has a port exposed you need this defined on the parent container instead otherwise you can't access it." but unfortunately I have no idea what that means! 😞

Link to comment

I am in no way an expert, I've only been using unraid a few days, but if you edit the settings of the binhex-deluge container, there's an option at the bottom to add extra parameters/ports etc.

Think you need to do this, name it the name of the container which will be using it and the port it uses.

I'd maybe wait for someone else to confirm before you change anything based on what I've said though lol


Link to comment

ah!  just found this, so I know it won't work unfortunately as binhex himself said so 

 

  On 1/10/2020 at 6:04 AM, alturismo said:

i saw some readme´s about the --net=container:<vpn_dockername>

I'm not sure where you saw that but it's not in any readmes for these vpn docker images as this will not work due to the highly tied down configuration using iptables.

Link to comment
Just now, mbc0 said:

ah!  just found this, so I know it won't work unfortunately as binhex himself said so 

That's one of the reasons why I used pipework instead of the various official methods with dockers.

Pipework works in a transparent easy-to-understand way i.e. just like how you would set something up in your OS network settings.

Link to comment
  • 4 weeks later...

Space Invader, thank you for the great videos.

 

Got a question. Your video shows how to use the "curl ifconfig.io" command. I tried this command when bashing into the delugevpn container and got an IP that represents my VPN working (i.e. looks like I am in France). I followed one of your older videos showing how to proxy sonarr and radarr (I am using linuxserver io) and have those proxy to port 8118 with my server IP. They work fine, but when I bashed into the container and tried the curl command, I am getting my real IP address. What am I doing wrong, or does this feature no longer work? This is true for sonarr, radarr and Jackett.

 

Thanks for the help.

Link to comment

Sorry. I am an idiot. It works for http(s), so when I checked the proxy with a web browser, it is perfect. That explains why the curl command wouldn't reply with the VPN'd IP address. Sorry to bother you with stupid questions. Just goes to show, drag a fool to water and give him enough time, he may learn to drink on his own... lol

Link to comment
