this post was submitted on 20 Sep 2024
26 points (93.3% liked)

Selfhosted


I honestly can't get my head around this. I have a machine with Linux (EndeavourOS), and Docker with a few containers. Since I want all the traffic from this system to go through the VPN, do I need to set up gluetun? I think not, but I am not 100% sure...

[–] [email protected] 8 points 5 months ago* (last edited 5 months ago) (2 children)

It’s convenient if you want to set gluetun up as the only way a container (say, your torrenting container) can get to the open net, in the interest of avoiding getting directly pinged by DMCA rats. That way, if the VPN goes down, your torrent client isn’t just downloading stuff nakedly. Also, if you want to set up different VPN connections for different containers, it’s pretty easy to set a handful of replica containers for that too.

[–] [email protected] 3 points 5 months ago (1 children)

All of that can be achieved with simple systemd or iptables/routes tweaks. You can force all outgoing traffic to use the VPN interface via routes (meaning if it doesn't exist or doesn't work nothing will be able to access the internet) OR use systemd to globally hide the non-VPN network interface from all software except for the VPN client.

[–] [email protected] 2 points 5 months ago (1 children)

Well sure, but the question was about gluetun, so I was trying to focus on that and the applications thereof. In terms of homelab stuff, I know a lot of people appreciate the containerized approach.

[–] [email protected] 1 points 5 months ago (1 children)

> In terms of homelab stuff, I know a lot of people appreciate the containerized approach.

What I said applies to containerized setups as well. Same logic, just managed in a slightly different way.

[–] [email protected] 1 points 5 months ago

Fair; I blame target fixation

[–] [email protected] 3 points 5 months ago* (last edited 5 months ago) (1 children)

> That way, if the VPN goes down, your torrent client isn’t just downloading stuff nakedly.

You always just bind the torrent client to the VPN adapter so this doesn't happen. Most modern clients have this (qBittorrent certainly does)

[–] [email protected] 5 points 5 months ago

Oh yeah you can do it that way too, but if you want it all containerized, that’s roughly how to do it. That’s all I meant.

[–] [email protected] 6 points 5 months ago (1 children)
[–] [email protected] 5 points 5 months ago (3 children)

Ok, thanks. So if I'm getting this right every container should return the VPN IP with curl ifconfig.me

[–] [email protected] 7 points 5 months ago

That's correct and a good way to test it out.
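The `curl ifconfig.me` check from this sub-thread, run against every running container at once; this is an added example, not part of the original comments. The function names and the script name are made up for illustration, and it assumes the `docker` CLI and the public `curlimages/curl` image are available.

```shell
#!/bin/sh
# Added example: compare each running container's public egress IP with the
# VPN exit IP you expect. Helper names are illustrative only.

# classify_egress EXPECTED ACTUAL -> prints OK, LEAK or NO-EGRESS
classify_egress() {
    expected=$1
    actual=$2
    if [ -z "$actual" ]; then
        # No answer at all: nothing got out (what a working kill switch
        # should produce while the VPN is down).
        echo "NO-EGRESS"
    elif [ "$actual" = "$expected" ]; then
        echo "OK"
    else
        echo "LEAK"
    fi
}

# container_egress_ip NAME -> public IP as seen from NAME's network namespace.
# A throwaway curl container joins the target's namespace, so the target
# image does not need curl installed.
container_egress_ip() {
    docker run --rm --network "container:$1" curlimages/curl \
        -s --max-time 10 ifconfig.me 2>/dev/null || true
}

# check_all EXPECTED_VPN_IP -> one line per container; returns 1 on any leak
check_all() {
    rc=0
    for name in $(docker ps --format '{{.Names}}'); do
        verdict=$(classify_egress "$1" "$(container_egress_ip "$name")")
        printf '%-30s %s\n' "$name" "$verdict"
        if [ "$verdict" = "LEAK" ]; then rc=1; fi
    done
    return "$rc"
}

# Runs only when an expected IP is given, e.g.: sh check-egress.sh <vpn-exit-ip>
if [ "$#" -ge 1 ]; then
    check_all "$1"
fi
```

A `NO-EGRESS` line only means the probe got no answer, which also covers containers whose network namespace the probe could not join. Running it once with the VPN up and once with it down shows whether traffic stops or falls back to the ISP address.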

[–] [email protected] 4 points 5 months ago (1 children)

Yeah, when you have the VPN running all of your external traffic should go through it. It starts to get complicated when you only want a specific container/user to use/bypass the VPN.

[–] [email protected] 1 points 5 months ago

Perfect, thanks!

[–] [email protected] 1 points 5 months ago
[–] [email protected] 2 points 5 months ago (1 children)

I ran a Linux VM and just had Mullvad app installed and always on, and that was all I needed

[–] [email protected] 1 points 5 months ago (1 children)

And that works too. Containers are just a way to do it more efficiently. Better for weaker hardware and energy usage.

[–] [email protected] 1 points 5 months ago

Yeah I know, I use Gluetun now, I was just answering OP's question.