//nbkelley /homelab

Gluetun VPN Service

What Was Established

  • Gluetun is a lightweight Docker container acting as a dedicated VPN gateway for other containers.
  • Implements the sidecar pattern: dependent containers (e.g., qBittorrent, nzbget, prowlarr) share Gluetun’s network namespace via network_mode: "service:gluetun".
  • AirVPN selected as the provider over ProtonVPN/Mullvad due to superior port forwarding support required for P2P services.
  • Container-level VPN on the servarr VM is architecturally separate from the network-level UniFi VPN on Helms Deep (VLAN 2).

Deployment Context

Gluetun runs on the servarr VM (192.168.1.112) as part of the Servarr Docker Compose stack at /docker/servarr/. It is configured via a .env file in that directory.

Full compose reference: Servarr Docker Compose Reference.

Key Decisions

  • Provider: AirVPN (WireGuard protocol) for reliable port forwarding.
  • Architecture: Docker-level VPN isolation. The servarr VM routes through the default internet, while download/indexer containers are tunneled through Gluetun.
  • LXC Requirements: When running Gluetun in an LXC on Proxmox, the container needs the NET_ADMIN capability (or privileged mode) so it can manage /dev/net/tun for WireGuard. (The servarr deployment runs in a full VM, so this is not a constraint there.)

Current Configuration

  • Host: servarr VM (192.168.1.112) on Proxmox (Minas Tirith)
  • Stack: /docker/servarr/compose.yaml
  • Container: gluetun (image qmcgaw/gluetun), static IP 172.39.0.2
  • Dependencies: qbittorrent, nzbget, prowlarr (via network_mode: "service:gluetun")
  • Ports: 6789 (nzbget), 6881 (torrent), 8080 (qbittorrent WebUI), 9696 (prowlarr), plus VPN forwarded port from .env
  • Healthcheck: ping -c 1 www.google.com every 20s
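The following compose fragment is an added illustration of the sidecar pattern described above; it is not the homelab's actual /docker/servarr/compose.yaml. The values taken from these notes are the image, the 172.39.0.2 address, the published ports and the 20s ping healthcheck. Everything else is assumed for the example: the user-defined network name "servarr" and its 172.39.0.0/24 subnet, the .env key names (WIREGUARD_PRIVATE_KEY, VPN_FORWARDED_PORT, etc.), the linuxserver.io qBittorrent image, and the LAN subnet allowed by FIREWALL_OUTBOUND_SUBNETS.

```yaml
# Added example of Gluetun as a VPN sidecar (not the homelab's own compose.yaml).
# Assumed: network "servarr" with subnet 172.39.0.0/24, .env keys named as below,
# and the linuxserver.io qBittorrent image. Only one dependent is shown; nzbget
# and prowlarr follow the same shape.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                      # needed to create the WireGuard interface and program the firewall
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: airvpn
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: ${WIREGUARD_PRIVATE_KEY}      # extracted from the AirVPN client area, kept in .env
      WIREGUARD_PRESHARED_KEY: ${WIREGUARD_PRESHARED_KEY}
      WIREGUARD_ADDRESSES: ${WIREGUARD_ADDRESSES}
      SERVER_COUNTRIES: ${SERVER_COUNTRIES}
      # Port assigned by AirVPN: opened in Gluetun's firewall so inbound peers reach the torrent client
      FIREWALL_VPN_INPUT_PORTS: ${VPN_FORWARDED_PORT}
      # Assumed LAN subnet: lets tunneled containers reach LAN hosts outside the tunnel.
      # Drop this line for strict "VPN only" egress.
      FIREWALL_OUTBOUND_SUBNETS: 192.168.1.0/24
      TZ: ${TZ}
    ports:
      # All published ports live on gluetun: the dependents have no network stack of their own
      - "6789:6789"                    # nzbget
      - "6881:6881"                    # torrent TCP
      - "6881:6881/udp"                # torrent UDP
      - "8080:8080"                    # qbittorrent WebUI
      - "9696:9696"                    # prowlarr
      - "${VPN_FORWARDED_PORT}:${VPN_FORWARDED_PORT}"
      - "${VPN_FORWARDED_PORT}:${VPN_FORWARDED_PORT}/udp"
    networks:
      servarr:
        ipv4_address: 172.39.0.2
    healthcheck:
      test: ["CMD", "ping", "-c", "1", "www.google.com"]
      interval: 20s
      timeout: 5s
      retries: 3
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    # Shares gluetun's network namespace. A service in this mode must not declare
    # ports, networks or hostname; Docker rejects the combination.
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy     # do not start the client until the tunnel is up
    environment:
      WEBUI_PORT: 8080
    volumes:
      - /docker/servarr/qbittorrent:/config
    restart: unless-stopped

networks:
  servarr:
    ipam:
      config:
        - subnet: 172.39.0.0/24
```

Two properties make this a kill switch rather than just a route: Gluetun's firewall only permits egress through the tunnel interface (plus whatever FIREWALL_OUTBOUND_SUBNETS allows), and the dependents cannot fall back to the host network because they have no interface of their own. To confirm the isolation after a change, compare the public address seen from inside a dependent (for example `docker exec qbittorrent wget -qO- https://ipinfo.io/ip`, assuming the image ships wget) with the VM's own; it should match the AirVPN exit that Gluetun logs at startup, and the command should fail rather than succeed if the tunnel is down.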

Historical Notes

  • Initial attempts with ProtonVPN failed due to lack of port forwarding.
  • AirVPN configuration requires manual extraction of WireGuard keys and assigned ports from the AirVPN client area.
  • AppArmor warnings ("Could not check if docker-default AppArmor profile was loaded") in LXC are harmless and can be ignored.
  • Docker Compose file naming: compose.yaml vs docker-compose.yml (Docker Compose V2 supports both, but consistency is key).

Open Questions

  • How to automate AirVPN port forwarding refresh if needed?
  • Performance impact of WireGuard on the Proxmox host vs network-level UniFi VPN.

Sources

  • ingested/chats/098-Gluetun: Secure VPN for Docker Containers.md
  • Live system inspection on servarr VM (2026-05-01)