alturismo Posted March 11, 2020

Hi, maybe this helps in terms of how to use the new function --net=container:Container_Name to use another docker's network, a nice feature to route traffic through a VPN docker when the client docker is not capable of using a proxy.

sample use case: i use a VPN docker container which provides a privoxy vpn or a socks vpn, but i have a docker like xteve which doesn't have the function to route traffic through a http or socks proxy, so when i want to use it through vpn i have to either set the whole machine behind a vpn or build a docker which includes VPN AND xteve.

Now with this feature enabled we can route any docker through the VPN docker pretty easily.

i describe 2 scenarios:

1. all dockers in custom:br0 with their own ip (nice feature which is working properly with host access since 6.8.2, as a note)
2. VPN docker like binhex privoxy, ovpn privoxy, ... on host in bridge mode (port mappings needed)

to 1.

basic situation before bridging to VPN:

ovpn_privoxy is my vpn docker, connected to my vpn provider and providing, as mentioned, a http and socks proxy; xteve can't use these features.

as mentioned, here my dockers are each on br0 with their own ip. now i'll bridge xteve to use the vpn docker.

to do so, simply remove the network from xteve and add the following line (in this use case) to extra parameters:

--net=container:ovpn_privoxy

now xteve will use the network stack from the vpn container, will look like this:

the xteve docker now doesn't have its own ip anymore and is using container:ovpn_privoxy as network.

to reach the xteve webui now u enter the ip from ovpn_privoxy and the port from the client app, http://192.168.1.80:34400/web in this use case. now the xteve external traffic will use the vpn connection from ovpn_privoxy, that's it here, thanks to limetech now.

now when adding another container u can do so, just beware: as there is only one network stack left, it's not possible to use apps which use the same ports. sample here would be, i want a second instance of xteve to run through the vpn docker, both listening on 34400, would NOT work; even if they reside in their own dockers, the network stack is unique from the ovpn docker here ... so either the 2nd, 3rd, ... app can use different ports (like xteve can be switched to any port) or it's just not possible because ports are unique ...

sample with a second working app like above: ovpn_privoxy is the docker providing the network, now for a 2nd "client" docker. to reach the clients now:

http://192.168.1.80:34400/web <- xteve app
http://192.168.1.80:6555 <- emby app

of course the http proxy (port 8080) and socks proxy (port 1080) are also still available, this has no influence ...

i hope this helps with how to use the --net.... extra parameter now.

to 2. (VPN docker is running on host unraid in bridge mode)

the only difference is now, u have to add the port mappings to the VPN docker, in this case i would add 34400:34400 and 6555:6555 to the VPN docker.

would result here in this (my unraid server has the ip 192.168.1.2):

that's the only difference when using the VPN docker in bridge mode, now your vpn and apps are all accessed via 192.168.1.2:.....

in both use cases there is another nice feature limetech added: as soon as the VPN docker gets an update, the "client docker(s)" need to update too, which is in the end only a restart to fetch the correct network stack ... u should see an update notification on all dockers relating to the VPN docker as soon as that one received an update or u changed something on this docker. if so, please push update or restart the docker(s), shouldn't be too often (depending on the update frequency of your VPN docker).

in case i can do something better, let me know to correct it.

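The port rule from the post above (one network stack, so every listening port can be used only once) and the scenario 2 port mappings, worked through as an added example that is not part of the original post. The function names `port_conflicts` and `plan_stack` are hypothetical, and the container table is constructed from the names and ports the post mentions.

```shell
#!/bin/sh
# Added example. Constructed input: one line per client container,
# "name port [port...]"; names and ports follow the post's example.
CLIENTS='xteve 34400
emby 6555'
VPN_PORTS='8080 1080'   # http and socks proxy ports of the VPN container

# Print "port first_owner second_owner" for every port claimed twice in the
# single network stack shared by the VPN container and all its clients.
port_conflicts() {      # $1 vpn name, $2 vpn ports, $3 client table
  { echo "$1 $2"; printf '%s\n' "$3"; } | awk '
    { for (i = 2; i <= NF; i++) {
        if ($i in owner) print $i, owner[$i], $1; else owner[$i] = $1
    } }'
}

# Print the per-container settings for scenario "br0" (VPN container has its
# own LAN ip) or "bridge" (ports must be mapped on the VPN container).
plan_stack() {          # $1 vpn name, $2 scenario, $3 vpn ports, $4 clients
  bad=$(port_conflicts "$1" "$3" "$4")
  if [ -n "$bad" ]; then
    echo "port already in use in shared stack: $bad" >&2
    return 1
  fi
  printf '%s\n' "$4" | awk -v vpn="$1" \
    'NF { print $1 ": network None, extra parameters --net=container:" vpn }'
  if [ "$2" = bridge ]; then
    printf '%s\n' "$4" | awk -v vpn="$1" '
      { for (i = 2; i <= NF; i++) maps = maps " " $i ":" $i }
      END { print vpn ": add port mappings" maps }'
  fi
}

plan_stack ovpn_privoxy bridge "$VPN_PORTS" "$CLIENTS"
```
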
sisren Posted March 11, 2020

Super helpful. Thank you for sharing.

Forusim Posted March 17, 2020 (edited)

Thanks for the guide. Is there any minimalistic (alpine-based) openvpn-client docker, where I can drop my ovpn file (ofc with the login credentials) and it will just work?

AngleRacket Posted March 18, 2020

I am working on a container stack using this one: https://github.com/ColinHebert/pia-openvpn

Haven't gotten it all sorted yet, but I was able to connect with a test container and echo my IP. Returned the proper VPN IP, so I think it's going to be fine.

AngleRacket Posted March 18, 2020 (edited)

12 hours ago, AngleRacket said:
> I am working on a container stack using this one: https://github.com/ColinHebert/pia-openvpn
> Haven't gotten it all sorted yet, but I was able to connect with a test container and echo my IP. Returned the proper VPN IP, so I think it's going to be fine.

Yep, this worked great, and was extremely easy to set up.

EDIT: This worked great until it didn't - the openvpn container would lose the connection after a few hours and had to be restarted. I switched to https://github.com/alturismo/ovpn_privoxy

[Updated]

1. Added the ovpn_privoxy container
   - downloaded the PIA ovpn file from here: https://www.privateinternetaccess.com/openvpn/openvpn.zip
   - started the container once, then stopped
   - changed login, password in the file, per the github instructions
   - renamed all my ovpn files to use underscore rather than space - ovpn files with spaces seemed to fail
   - I DID change my network from bridge to Custom:BR0 because I wanted my apps to use a specific IP
   - added static IP to vpn container
2. Opened my existing containers and set network to NONE, and added extra param of '--net=container:pia'
3. Confirmed by opening container console and using 'curl https://ipinfo.io/ip'
4. Because I can't seem to get the docker admin page to open the webui, I added a container for DashMachine to serve as a landing page

Couple of notes:

1. I could no longer get it to redirect ports. Example, I wanted DashMachine mapped to port 80, but it ignored my mapping and used the default 5000.
2. Docker admin page no longer shows 'WebUI' option on these containers. Even when I hard coded the IP and port.
3. If you do what I did and forget to change network to none, it will fail to load and take your container out of the list. Just add it back manually using the 'add container' button. All your settings will still be there. At least mine were.

AngleRacket Posted March 18, 2020

Another thought I had was that I would like to be able to run some kind of browser through the VPN. Obviously, I could set up some kind of proxy and point my browser at it, but that's not ideal for my use case. I just want to be able to pop on to the VPN and check out some web sites.

This is what I found: https://hub.docker.com/r/jlesage/firefox

Firefox in a container. Very simple setup, good to go.

ryanm91 Posted March 19, 2020

Thank you so much for this guide. I was looking for a way to use rutorrent and other containers running through VPN on my other server overseas.

alturismo Posted March 19, 2020 Author

On 3/17/2020 at 9:59 PM, Forusim said:
> Thanks for guide. Is there any minimalistic (alpine-based) openvpn-client docker, where I can drop my ovpn file (ofc with the login credentials) and it will just work?

obviously i'm using mine and it's pretty light and offers privoxy and socks proxy ...

On 3/18/2020 at 6:17 AM, AngleRacket said:
> Another thought I had was that I would like to be able to run some kind of browser through the VPN. Obviously, I could setup some kind of proxy and point my browser at it, but that's not ideal for my use case. I just want to be able to pop on to the VPN and check out some web sites. This is what I found: https://hub.docker.com/r/jlesage/firefox Firefox in a container. Very simple setup, good to go.

yes, that's a way to do it when u don't want a browser proxy.

if your use case is similar to mine (only some sites shall use a proxy), i use the chrome addon foxproxy, u can set up proxy usage only for some sites ...

if u want a remote browser in browser, then this is also my current best advice, firefox from @Djoss. i hope someday he will make a chrome variant ...

AngleRacket Posted March 22, 2020

I've been running a set of containers sharing their network as described here for a few days now, and I have had a few issues. Just wanted to post them here to see if you guys are getting the same problems:

Using alturismo/ovpn_privoxy as my base container and vpn, the vpn seems to go down after a day or so. When I see everything is stopped - no vpn traffic - I restart the container and everything lights back up as expected. This could be several things, but I feel like the VPN client is losing the connection and not reconnecting automatically.

When I do have to restart the vpn, I can't just restart the main container. I have to restart every child container. That's a little tedious. The restarted child containers don't always start correctly, sometimes needing another restart. I seem to have better luck with this process: stop the children, restart the main container, start the children. But with eight-ish child containers, that's a real pain.

Another challenge, that I haven't looked into yet, is that I need to allow traffic from my VPN container to a single IP on my normal LAN. My first thought is that maybe the route can be added in the OVPN files to have the VPN push the route to the network stack. If not, I don't know how else I might tackle this. Anyone else doing this?

alturismo Posted March 22, 2020 Author

@AngleRacket

1. the container does check the online state every 3 minutes (should check in the logs), maybe take a look at what is in there, sample

   ping ok

   or

   we seem to be offline, restarting openvpn

   that should be your major point cause

2. is by design like described in the first post ... when "master is edited, restarted, ..." all "slaves" need a restart ...

maybe give another vpn container like the binhex ovpn container a try as master if mine ain't working properly in your setup, or take a look at the logs and leave a message here about what is happening when the checkup failed.

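The restart order AngleRacket describes above (stop the children, restart the main container, start the children), scripted as an added example that is not code from either poster or from the ovpn_privoxy project. The function names are hypothetical; it assumes the clients were attached with --net=container:..., so `docker inspect` reports their network mode as `container:` followed by the main container's name or full id.

```shell
#!/bin/sh
# Added example: restart a VPN container together with every container that
# uses it via --net=container:..., in the order stop children, restart main
# container, start children. DRY_RUN=1 prints the commands instead.

# Print the names of all containers whose network mode is container:<main>,
# where <main> may be recorded as the container's name or as its full id.
children_of() {
  main=$1
  main_id=$(docker inspect -f '{{.Id}}' "$main") || return 1
  for c in $(docker ps -aq); do
    docker inspect -f '{{.Name}} {{.HostConfig.NetworkMode}}' "$c"
  done | awk -v byname="container:$main" -v byid="container:$main_id" \
    '$2 == byname || $2 == byid { sub("^/", "", $1); print $1 }'
}

# Run a docker command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "docker $*"; else docker "$@"; fi
}

restart_stack() {
  kids=$(children_of "$1") || return 1
  for k in $kids; do run stop "$k"; done
  run restart "$1"
  for k in $kids; do run start "$k"; done
}

# Usage: DRY_RUN=1 sh restart_stack.sh ovpn_privoxy
if [ $# -gt 0 ]; then restart_stack "$1"; fi
```
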
melmurp Posted April 18, 2020

I've been using https://github.com/binhex/arch-privoxyvpn as a socks style proxy for a VM for quite some time now as I wanted all traffic from that VM routed through the vpn. I just set up the Firefox docker using what you described above... I'll leave it on and see if it ever drops.

Nelinski Posted May 26, 2020

What's the best way to run two of the same docker through a docker with a VPN? E.g. two Radarr via qBittorrentVPN?

steve1977 Posted May 30, 2020

On 3/19/2020 at 1:48 PM, alturismo said:
> obviously im using mine and its pretty light and offeers privoxy and socks proxy ...

Your docker? How does it work? I am subscribed to Express VPN, which is running on my router. I'd prefer though to run it on Unraid rather than the router. Would this work with your solution? Ideally all dockers would then be funneled through the VPN. In an ideal world, I may want to exclude some URLs, which are excluded from the VPN, but that's a bonus.

alturismo Posted May 30, 2020 Author

@steve1977 this was pointed to a small solution. if it works with express i can't tell, u can try it if you want or maybe try the more complex but also more variable one from binhex privoxy-vpn which i also used before.

the procedure to run "client" containers is described above, doesn't matter which vpn docker u use, should always be the same.

i don't have any exclusion url management built in (not my use case).

tshorts Posted February 8

Is it possible to use the VPN only for outgoing traffic? Like not having the web interface VPN:ed, but the other traffic.

E.g., a torrent program. No VPN for the interface, but VPN for all torrent traffic.

Or TheLounge. Let's use my instance of the irc-client TheLounge. Locally I use port 9000 for the WebUI, and a subdomain which is reverse-proxied to 9000 when used externally. So I don't want to VPN that part. 9000 is the only port mentioned in the docker settings and under the Port Mappings column.

TheLounge connects to an external IRC-server on port 6697, and that server sees my personal public IP. THIS is the part I'd like to VPN.

Is that possible with a similar method? Or is it a whole different thing?

alturismo Posted February 8 Author

1 hour ago, tshorts said:
> TheLounge connects to an external IRC-server on port 6697, that server see my personal public IP. THIS is the part I'd like to VPN.

that's what's happening

1 hour ago, tshorts said:
> Locally I use port 9000 for the WebUI, and a subdomain which is reversed-proxied to 9000 when used externally. So I don't want to VPN that part. 9000 is the only port mentioned in the docker settings and under Port Mappings column.

this traffic (web client browser <> reverse proxy <> TheLounge) is NOT running through VPN as it's directly connected.

so i assume it's already by default like you wish

tshorts Posted February 13

On 2/8/2024 at 6:26 PM, alturismo said:
> thats whats happening
> this traffic (web client browser <> reverse proxy <> TheLounge) is NOT running through VPN as its directly connected. so i assume its already by default like you wish

I see my public (non-vpn) IP on the IRC server. But I found the built-in VPN Wireguard thing, so I'll look into that. I understand that's where VPN for outbound traffic is supposed to go.