HOWTO: Use single and central VPN container for all your other apps | PlexGuide.com


plex_noob

Elite
Original poster
Staff
Donor
Oct 1, 2018
224
113
This howto focuses on the creation of a VPN container that will be used as a Proxy/Hub for other containers needing to access the internet in a secure way. The difference between this solution and all the others lies in the use of the same VPN connection for all your needs.
Your needs could be:

- Torrenting
- Private web browsing
- Private download
- ...

The advantages are:
- Use of a single VPN connection for all your needs (Some VPN providers are quite reluctant to provide more than x connections)
- Respect of the basic principle of a container: limit each container to one and only one function
- Reduce the server resources consumption by having only one VPN for all your needs
- Manageability: ease of use and maintenance, since there is only one instance
- Evolution: no waste of time looking for an app with a VPN included. Take the standard application and add it to this method and you have it secured
- Ease of re-installation: if a Plexguide reinstall is required, no problem, you only need to re-execute a single file and everything is up and running
- ...

This method uses the docker-compose method.

The principle is quite simple:
  1. Install docker-compose
  2. Create a file with a yml extension
  3. Respect the coding principles which are quite touchy, not too many spaces, respect the position of some parts, ...
  4. Create all your containers within a single file
  5. Save the file
  6. Execute the docker-compose file
  7. Enjoy
1. Install docker-compose: sudo apt install docker-compose
2. Create a folder to put your future vpn container: mkdir -p /opt/appdata/vpn/
3. Create an empty file (docker-compose.yml) in the created directory: touch /opt/appdata/vpn/docker-compose.yml
4. Edit and paste the following code:
YAML:
version: '2'
services:
  vpn:
    image: bubuntux/nordvpn
    container_name: vpn
    cap_add:
      - NET_ADMIN
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
    environment:
      - "USER=<Your_VPN_User>"
      - "PASS=<Your_VPN_Password>"
      - "country=germany"
      - "CATEGORY=P2P"
      - "PROTOCOL=openvpn_udp"
      - "LAN_NETWORK=172.18.0.0/24"
    devices:
      - "/dev/net/tun"
    ports:
      - "8112:8112"
      - "8118:8118"
      - "58846:58846"
      - "58946:58946"
  deluge:
    image: linuxserver/deluge
    container_name: deluge
    depends_on:
      - vpn
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Brussels
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:deluge.<yourdomain.name>,"
      traefik.port: "8112"
    volumes:
      - "/opt/appdata/deluge/config:/config"
      - "/mnt/unionfs:/unionfs"
      - "/mnt/md0/mnt/deluge:/mydata"
    mem_limit: 4096m
    restart: unless-stopped
networks:
  default:
    external:
      name: plexguide
5. Quit and save the file
6. Run the following command: docker-compose -f /opt/appdata/vpn/docker-compose.yml up -d
7. The docker-compose file is checked and the containers are created.

The ports definitions for each sub-container need to be specified at the vpn container level.
Each sub-container needs to refer to the vpn container with:

This is to make sure that the vpn is started before the container:

depends_on:
- vpn


This is to route the traffic through the vpn:

network_mode: "service:vpn"


This is it!

Sined

03/01/2019 additions:

Ports Definition
The ports definition part is, in fact, the way the container communicates with the outside world.

For example, for a web site to be reachable outside of the docker network, it needs to publish the port 80 and optionally 443.

In the "docker compose way", it will be done like this:
The port declaration appears inside the container declaration level.
Code:
version: '2'
services:
  webserver:
    image: xxxx/yyyyy
    container_name: webserver
    ports:
      - "80:80"
      - "443:443"
In the case of this vpn proxy solution, all the port declarations need to be put in the vpn section (service) part.
Code:
version: '2'
services:
  vpn:
    image: aaa/bbb
    container_name: vpn
    ports:
      - "service1_external_port:service1_container_port"
      - "service2_external_port:service2_container_port"
  service1:
    image: service1_author/service1_image
    container_name: service1_name
  service2:
    image: service2_author/service2_image
    container_name: service2_name
This means that for each additional "service" (let's say service ax) you want to see proxied through the vpn tunnel, you will need to put its port declaration at the vpn service level
Code:
ports:
      - "service_ax_external_port:service_ax_container_port"
and not at the ax service level

Additional requirements:

To be sure the services will use the vpn tunnel appropriately, 2 additional requirements need to be added in each service declaration.

Code:
depends_on:
- vpn
AND

Code:
network_mode: "service:vpn"
depends_on simply instructs the proxied service to wait for the "vpn service" to be started and functional before starting itself.

network_mode instructs the proxied service to use the network of the vpn service to communicate with the outside world.

To summarize

The main blocks you will have to foresee are:

Initiation declaration
+
VPN Declaration
+
Service 1 Declaration
+
Service 2 Declaration
+
Ending declaration


Initiation declaration:
Code:
version: '2'
services:
VPN declaration:
Code:
vpn:
    image: bubuntux/nordvpn
    container_name: vpn
    cap_add:
      - NET_ADMIN
    environment:
      - "USER=<Your_VPN_User>"
      - "PASS=<Your_VPN_Password>"
      - "country=germany"
      - "CATEGORY=P2P"
      - "PROTOCOL=openvpn_udp"
      - "LAN_NETWORK=172.18.0.0/24"
    devices:
      - "/dev/net/tun"
    ports:
      - "Service1_external:Service1_internal"
      - "Service2_external:Service2_internal"
Service 1 declaration:
Code:
service1:
    image: service1_author/service1_image
    container_name: service1
    depends_on:
      - vpn
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:service1.<yourdomain.name>,"
      traefik.port: "Service1_internal"
Service 2 declaration:
Code:
service2:
    image: service2_author/service2_image
    container_name: service2
    depends_on:
      - vpn
    network_mode: "service:vpn"
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:service2.<yourdomain.name>,"
      traefik.port: "Service2_internal"
Ending declaration:
Code:
networks:
  default:
    external:
      name: plexguide
 
Reactions: 6 users

dragonh1

Noobz
Apr 4, 2020
2
0
How can I get this configuration to work with multiple containers?

Say I have 2 sonarr containers that I want to listen on 2 separate ports, 9001 and 9002. They both internally listen to 8989. So, your example won't work in this case.

How can I get the vpn to redirect traffic from 9001 to sonarr_1 and 9002 to sonarr_2? I attempted to try using the traefik.frontend.rule using a specified port, which didn't work.

Here's a sample of my docker-compose.yml

Code:
version: '3.4'

services:

  vpn:
    container_name: vpn
    image: azinchen/nordvpn
    network_mode: bridge
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - USER='USERNAME'
      - PASS='PASSWORD'
      - COUNTRY=Germany
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.1.0/24
      - TZ=${TZ}
      - GROUPID=${PGID}
    ports:
      - "8118:8118"
      - "58846:58846"
      - "58946:58946"
      - "9001:9001"
      - "9002:8989"
    restart: unless-stopped


    
  sonarr_1:
    container_name: sonarr_1
    image: linuxserver/sonarr:latest
    network_mode: service:vpn
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:sonarr_1.127.0.0.1:9001,"
      traefik.port: "8989"

      
  sonarr_2:
    container_name: sonarr_2
    image: linuxserver/sonarr:latest
    network_mode: service:vpn
    labels:
      traefik.enable: "true"
      traefik.frontend.headers.customResponseHeaders: "X-Robots-Tag:noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
      traefik.frontend.redirect.entryPoint: "https"
      traefik.frontend.rule: "Host:sonarr_2.127.0.0.1:9002,"
      traefik.port: "8989"
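
The layout rules from the howto (ports published on the vpn service, `network_mode: "service:vpn"` and `depends_on` on every proxied service) and the shared-namespace port conflict raised in the question above can be checked mechanically. This is an added example, not code from the thread: it assumes the compose file is already parsed into a mapping (for instance with PyYAML's `yaml.safe_load`), treats the `traefik.port` label as the port a service listens on, and uses the hypothetical service names `app_a` and `app_b` in a constructed sample.

```python
# Added example (not from the thread): lint a compose mapping for the
# single-VPN-hub layout. Input is the dict yaml.safe_load() returns for the file.

def container_port(entry):
    """Container-side port of a short-syntax entry such as '9002:8989/tcp'."""
    return str(entry).split("/")[0].rsplit(":", 1)[-1]

def label(svc, key):
    """Read a label from either the mapping form or the 'key=value' list form."""
    labels = svc.get("labels") or {}
    if isinstance(labels, list):
        labels = dict(item.split("=", 1) for item in labels if "=" in item)
    return labels.get(key)

def lint_vpn_hub(compose, hub="vpn"):
    """Return findings for services that should share the hub's network namespace."""
    services = compose.get("services") or {}
    if hub not in services:
        return [f"{hub}: hub service is not defined"]
    published = {container_port(p) for p in services[hub].get("ports") or []}
    findings, bound = [], {}
    for name, svc in services.items():
        if name == hub:
            continue
        if svc.get("network_mode") != f"service:{hub}":
            findings.append(f"{name}: network_mode is not service:{hub}")
            continue
        if svc.get("ports"):
            findings.append(f"{name}: ports belong on {hub}, not on the proxied service")
        if hub not in (svc.get("depends_on") or []):
            findings.append(f"{name}: missing depends_on {hub}")
        port = label(svc, "traefik.port")  # assumption: label holds the listen port
        if port is None:
            continue
        port = str(port)
        if port in bound:
            # One shared namespace: a second bind on the same port fails.
            findings.append(f"{name}: port {port} already used by {bound[port]}")
        else:
            bound[port] = name
        if port not in published:
            findings.append(f"{name}: port {port} is not published on {hub}")
    return findings

# Constructed sample: two services that both listen on 8989 behind one hub.
SAMPLE = {
    "services": {
        "vpn": {"ports": ["8118:8118", "9001:9001", "9002:8989"]},
        "app_a": {
            "network_mode": "service:vpn",
            "depends_on": ["vpn"],
            "labels": {"traefik.port": "8989"},
        },
        "app_b": {
            "network_mode": "service:vpn",
            "labels": ["traefik.port=8989"],
            "ports": ["9001:8989"],
        },
    }
}

if __name__ == "__main__":
    for finding in lint_vpn_hub(SAMPLE):
        print(finding)
```

An empty list means every proxied service follows the pattern. When two services are reported on the same port, one of them has to be reconfigured to listen on a different port inside the container, because a host-side port mapping cannot separate two listeners in one network namespace.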
 

Appelsap

Citizen
Aug 30, 2018
4
0
Nice. I already tested this method with DelugeVPN, but I just tried it with SABnzbd (also from Binhex), changed a few lines here and there to replace deluge with SABnzbd and it worked perfectly. Thank you very much.
 

plex_noob

Elite
Original poster
Staff
Donor
Oct 1, 2018
224
113
Of course, you could use a more generic openvpn container and apply the same principle.
 

fr0sty

Veteran
Staff
Donor
Jul 8, 2018
184
54
The ports definitions for each sub-container need to be specified at the vpn container level.
Each sub-container needs to refer to the vpn container with:

This is to make sure that the vpn is started before the container:

depends_on:
- vpn


This is to route the traffic through the vpn:

network_mode: "service:vpn"
I got lost here. Can you please break it down more for the simple people?
 

plex_noob

Elite
Original poster
Staff
Donor
Oct 1, 2018
224
113
Please see the initial post for further explanation.
Hope this will help.
 

ogtimmiller

Citizen
Dec 25, 2018
14
4
How do we extend the NordVPN .yaml config to tunnel the traffic from jackett, Sonarr, and Radarr through this single vpn config?

Maybe extend this line with the ports used by the programs desired? What about dependencies on boot up, we need these programs to wait until the vpn is connected before starting?

ports:
- "8112:8112"
- "8118:8118"
- "58846:58846"
- "58946:58946"
 

dinklegeta

Experienced
Aug 9, 2018
73
28
I am getting the following errors when running docker-compose -f /opt/appdata/vpn/docker-compose.yml -up -d

Code:
Traceback (most recent call last):
  File "/usr/bin/docker-compose", line 9, in <module>
    load_entry_point('docker-compose==1.8.0', 'console_scripts', 'docker-compose')()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 487, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2728, in load_entry_point
    return ep.load()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2346, in load
    return self.resolve()
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2352, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python2.7/dist-packages/compose/cli/main.py", line 14, in <module>
    from . import errors
  File "/usr/lib/python2.7/dist-packages/compose/cli/errors.py", line 9, in <module>
    from docker.errors import APIError
  File "/usr/local/lib/python2.7/dist-packages/docker/__init__.py", line 2, in <module>
    from .api import APIClient
  File "/usr/local/lib/python2.7/dist-packages/docker/api/__init__.py", line 2, in <module>
    from .client import APIClient
  File "/usr/local/lib/python2.7/dist-packages/docker/api/client.py", line 5, in <module>
    import requests
  File "/usr/local/lib/python2.7/dist-packages/requests/__init__.py", line 95, in <module>
    from urllib3.contrib import pyopenssl
  File "/usr/local/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 118, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
Any ideas?
 

dinklegeta

Experienced
Aug 9, 2018
73
28
I am getting the following errors when running docker-compose -f /opt/appdata/vpn/docker-compose.yml -up -d

Any ideas?
Ok so I resolved this issue, seems to be an issue with the docker version that was installed. Now my problem is when I add a torrent the speed tanks to a standstill for some reason.
 

ogtimmiller

Citizen
Dec 25, 2018
14
4
I am getting the following errors when running docker-compose -f /opt/appdata/vpn/docker-compose.yml -up -d

Any ideas?
I solved this problem by navigating to the root directory of the vpn container and running docker-compose up

These two links are relevant:
https://github.com/andresriancho/w3af/issues/15260
https://github.com/docker/compose/issues/1567
 

dinklegeta

Experienced
Aug 9, 2018
73
28
I solved this problem by navigating to the root directory of the vpn container and running docker-compose up
Yeah I got past that error anyway as I mentioned in my follow-up post. Now though my torrents keep slowing down to a standstill after just a few seconds of adding them within deluge, have you had this issue by any chance?
 

ogtimmiller

Citizen
Dec 25, 2018
14
4
Yeah I got past that error anyway as I mentioned in my follow-up post. Now though my torrents keep slowing down to a standstill after just a few seconds of adding them within deluge, have you had this issue by any chance?
I haven't. Did you enter your vpn credentials in the vpn container correctly?
 

noname

Citizen+
Jan 18, 2019
26
2
You can use this container to setup for PIA vpn.
https://hub.docker.com/r/colinhebert/pia-openvpn/
Looking at the instructions for this, let's say I am able to create the PIA image as described, how do I then get existing containers created with PG to run through this one? The article makes reference to creating a PIA network and then creating containers inside of it. Is there a way to modify a config file somewhere of an existing VPN that will allow this to work? Has anyone successfully done this? I currently use a separate machine as a torrent client to avoid VPN issues with PLEX but would like to consolidate without breaking what I already have.
 

ogtimmiller

Citizen
Dec 25, 2018
14
4
Yes I did, the torrent even starts downloading but then gradually slows down to 0.
Try setting the permissions for the deluge downloads folder. Try chmod 777 <path to downloads> or chown 1001:1001 <path to downloads> or whatever the deluge/plex username is.
 

dinklegeta

Experienced
Aug 9, 2018
73
28
Try setting the permissions for the deluge downloads folder. Try chmod 777 <path to downloads> or chown 1001:1001 <path to downloads> or whatever the deluge/plex username is.
I think that might have solved it (although I did a bunch of other things as well), appreciate your assistance in that matter.
 

plex_noob

Elite
Original poster
Staff
Donor
Oct 1, 2018
224
113
How do we extend the NordVPN .yaml config to tunnel the traffic from jackett, Sonarr, and Radarr through this single vpn config?

Maybe extend this line with the ports used by the programs desired? What about dependencies on boot up, we need these programs to wait until the vpn is connected before starting?

ports:
- "8112:8112"
- "8118:8118"
- "58846:58846"
- "58946:58946"
To route the traffic through the VPN, add the following lines.
In the vpn docker-compose file:
ports:
- "8989:8989" # ports used by the new service for sonarr

In the new service docker-compose file:

network_mode: "service:vpn" # This forces sonarr to use the network exposed by the vpn

depends_on: # Tells sonarr to wait for the vpn to be up before starting
- vpn
 

dinklegeta

Experienced
Aug 9, 2018
73
28
To route the traffic through the VPN, add the following lines.
In the vpn docker-compose file:
ports:
- "8989:8989" # ports used by the new service for sonarr

In the new service docker-compose file:

network_mode: "service:vpn" # This forces sonarr to use the network exposed by the vpn

depends_on: # Tells sonarr to wait for the vpn to be up before starting
- vpn
Would this be the only way for containers like Sonarr and Radarr to communicate with deluge?
 
