Hello. Im a newbie when it comes to docker, self-hosting and networking.
Im setting up a media server. So far i managed to set up all the docker containers i need without issues. What im missing now is only a VPN. As far as i managed to understand, there are two ways i can run a VPN: as a docker container or as a normal system applications.
I still havent chosen a VPN, but for the sake of it lets assume it has either a CLI native application (.deb, .rpm etc) and/or the possibility of exporting OpenVPN/WG profiles.
At first i tried, just to test, to run via a wireguard config file with Proton VPN. It worked, but now it came the problem: since the network was on the machine and not on docker, i couldnt bind my qbittorent container to it and that is a must. The second issue was that i wasnt using the VPN’s DNS service, but my ISP’s. Probably all i need is to add a line of text or two in the .conf and thats it, but it is still something i need to figure out.
My idea is to run a standalone application outside docker, dont run qbittorent as a docker container but as a .deb and then make it talk to the containers via common folders. Now comes the second problem: directories. Since i have the *arr suite setup, it needs to manage folders. As long as qbit was a container, all i had to do was set up the correct paths in the compose file, but now i had qbit talking to the actual path (/home/…/media/…) while the containers where seeing another thing (/media/…) so i had to recreate the complete path in its entirety for the containers. It should work, but i have no way of testing it.
I know you can run wireguard containers and then route all the containers that need a VPN through that, but it is something i would need to look up and frankly i cant see the benefits of doing it via docker instead of the system’s wireguard manager.
How do you suggest i go forward? I dont need the absolute best solution, just one that works and is safe (i must bind qbit to the VPN connection, kill switch is not enough) keeping in mind my very limited knowledge so easier is better. If one day i decide to go for something better but for sophisticated, there is always time.
I know you can run wireguard containers and then route all the containers that need a VPN through that, but it is something i would need to look up and frankly i cant see the benefits of doing it via docker instead of the system’s wireguard manager.
This is what I do and the biggest benefit is that if anything happens to the VPN container, then qbittorrent loses any ability to connect. Which prevents it from exposing your actual IP. You can setup a kill switch for a system install of wireguard, but I just find this as a more elegant and full prof way of doing it. Plus if you try to use qbittorrent and can’t connect, then you know your VPN is down and you need to look into it.
I’m not sure I’m understanding what you are trying to achieve.
If it’s only qbittorent you want behind a VPN, try qbittorrentvpn, it’s crazy easy. If you also want to access your server from outside your lan, try tailscale alongside it. It’s pretty easy to setup.
Create 2 virtual machines.
One Virtual Machine with OpnSense Firewall, where you setup the ProtonVPN WireGuard connection.
One Virtual Machine with your Docker-VM.
Connect both machines via a virtual network, and setup the OpnSense-Firewall so that only internet-traffic through the WireGuard-Gateway is allowed.
That’s the most bullet proofed solution, as any connection of your Docker-VM is secured, independent of the VM’s configuration.
Once you’ve chosen a VPN take a look at gluetun as a dockerised VPN gateway
Give qbit container a separate IP ( Mac vlan ) and route that ip through WireGuard