nsfwpls

joined 9 months ago
[–] nsfwpls@lemdro.id 2 points 1 month ago (1 children)

I'm pretty sure OP is asking about forcing containers to use the VPN through gluetun.

"If I set up qBittorrent and the Arrs as Docker containers, can I use Gluetun to bind just them to the VPN?"

[–] nsfwpls@lemdro.id 17 points 1 month ago (5 children)

Yes, that's what Gluetun is for. You create a Gluetun container and specify which containers should use it as the gateway in the compose file with:

network_mode: "service:gluetun"

Then you can open a shell in the container and run this to see if the container's IP is different from your own:

curl ifconfig.io

Make sure to try stopping the gluetun container and confirm your other containers lose network access.

There are plenty of guides about this if you search for "gluetun arr stack", like this random one I picked: https://www.smarthomebeginner.com/gluetun-docker-guide/

That has some steps outlining the basic gluetun configuration, how to put specific containers behind it, and test it.

[–] nsfwpls@lemdro.id 2 points 2 months ago* (last edited 2 months ago)

Are you using a *.duckdns.com domain or is that only for Dynamic DNS pointed to something like jelly.domain.com? I'm not sure if you'll be able to get a cert in the former scenario.

Your router won't let you access it because you're trying to connect from your internal network to your external network, so you're just connecting in a loop and not getting routed properly. This could work if you had a firewall that would let you set up a loopback NAT, but my guess is your router won't let you setup NAT rules like that.

You won't be able to get a certificate using a local domain from a public certificate authority (like Let's Encrypt). You would want to define the FQDN you want to use, like jelly.domain.com, and generate the certificate for this domain. You can do this manually with certbot and import the certificate to jellyfin, or put jellyfin behind a reverse proxy like Caddy or Nginx and let it handle automatic renewal for you.

The local DNS entries would then redirect internal requests for jelly.domain.com to your local server, which presents the same certificate for jelly.domain.com regardless of whether you're accessing it via the private or public IP.

A bonus of using something like Caddy is being able to open a single port on your router for every service. I have multiple services all accessed via the same port, and Caddy just reads the requested subdomain (jelly.domain.com, nextcloud.domain.com, etc) to route the traffic to the corresponding local server. This lets it handle every cert for all services with no manual steps needed for any of them after the initial setup, and reduces your attack surface by only having one port open.