Gluetun VPN Service#

What Was Established#

  • Gluetun is a lightweight Docker container that acts as a dedicated VPN gateway for other containers; it brings up the tunnel and enforces a firewall that drops any traffic not going through it (a container-level kill switch).
  • Implements the sidecar pattern: dependent containers (e.g., qBittorrent, nzbget, prowlarr) share Gluetun’s network namespace via network_mode: "service:gluetun", so they have no network stack of their own and their ports are published on the Gluetun container.
  • AirVPN selected as the provider over ProtonVPN/Mullvad because it lets a port be forwarded through the tunnel, which P2P clients need in order to accept inbound peer connections.
  • Container-level VPN on the servarr VM is architecturally separate from the network-level UniFi VPN on Helms Deep (VLAN 2); a failure of one does not affect the other.

Deployment Context#

Gluetun runs on the servarr VM (192.168.1.112) as part of the Servarr Docker Compose stack at /docker/servarr/. Provider credentials and tunnel settings are supplied through a .env file in that directory, which keeps secrets out of the compose file itself.
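The sidecar layout described above and relied on by the troubleshooting notes below, as an added example: this is not the author’s actual /docker/servarr/ compose file. It assumes a .env file alongside it defining AIRVPN_WG_PRIVATE_KEY, AIRVPN_WG_PRESHARED_KEY, AIRVPN_WG_ADDRESS and AIRVPN_FORWARDED_PORT (the port reserved in the AirVPN client area); the country, timezone, PUID/PGID and volume paths are placeholders.

```yaml
# Added example, not the page's own compose file. Gluetun fronts qBittorrent
# and Prowlarr on AirVPN via WireGuard; the dependents share its namespace.
# Assumed .env variables: AIRVPN_WG_PRIVATE_KEY, AIRVPN_WG_PRESHARED_KEY,
#                         AIRVPN_WG_ADDRESS, AIRVPN_FORWARDED_PORT
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                          # create wg0 and the firewall rules
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - TZ=America/New_York                # assumed
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${AIRVPN_WG_PRIVATE_KEY}
      - WIREGUARD_PRESHARED_KEY=${AIRVPN_WG_PRESHARED_KEY}
      - WIREGUARD_ADDRESSES=${AIRVPN_WG_ADDRESS}
      - SERVER_COUNTRIES=Netherlands       # assumed
      # Only the AirVPN-forwarded port is allowed in through the tunnel;
      # all other inbound traffic on the VPN side stays dropped.
      - FIREWALL_VPN_INPUT_PORTS=${AIRVPN_FORWARDED_PORT}
      # Allow the sidecar'd apps to reach the LAN (e.g. Sonarr on 192.168.1.x)
      # outside the tunnel. Any other non-tunnel egress is blocked by
      # Gluetun's firewall, which is the container-level kill switch.
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
    ports:
      # Dependent containers' web UIs are published HERE, on the gateway,
      # because they have no network stack of their own.
      - 8080:8080                          # qBittorrent WebUI
      - 9696:9696                          # Prowlarr
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    network_mode: "service:gluetun"        # share Gluetun's network namespace
    depends_on:
      gluetun:
        condition: service_healthy         # uses the gluetun image's own healthcheck
    environment:
      - PUID=1000                          # assumed
      - PGID=1000
      - TZ=America/New_York
      - WEBUI_PORT=8080
      - TORRENTING_PORT=${AIRVPN_FORWARDED_PORT}   # must match FIREWALL_VPN_INPUT_PORTS
    volumes:
      - /docker/servarr/qbittorrent:/config        # assumed paths
      - /data:/data
    restart: unless-stopped

  prowlarr:
    image: lscr.io/linuxserver/prowlarr
    container_name: prowlarr
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
    volumes:
      - /docker/servarr/prowlarr:/config
    restart: unless-stopped
```

Two caveats a practitioner wants with this layout. First, the dependents must not declare their own ports: section; Compose rejects ports: together with network_mode: service:..., which is why everything is published on gluetun. Second, if the gluetun container is recreated (for example after changing its environment), the dependents keep a reference to the old, now-dead namespace and lose connectivity until they are recreated as well (docker compose up -d --force-recreate qbittorrent prowlarr). To confirm traffic is actually leaving through the tunnel, run a throwaway container in the same namespace, e.g. docker run --rm --network=container:gluetun alpine:3 wget -qO- https://ipinfo.io/ip, and check that the address differs from the home connection’s public IP.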

Servarr Stack - Gluetun VPN Troubleshooting#

Historical note: This session was conducted on a machine at 192.168.1.30 (hostname possibly “Varda” at the time, directory ~/home/nbkelley/docker/servarr). The current production Servarr stack lives on the servarr VM at 192.168.1.112, directory /docker/servarr/. See Servarr - Media Automation Stack for current configuration. The troubleshooting patterns documented here remain applicable.

What Was Established#

This session documents the deployment and troubleshooting of the Servarr media automation stack (Sonarr, Prowlarr, qBittorrent) behind a Gluetun VPN container. The stack relies on network_mode: service:gluetun to route all container traffic through AirVPN.

Network Infrastructure & VLANs#

What Was Established#

The network uses a UniFi UCG Express with a multi-VLAN setup. A recent incident in which the VPN subscription expired caused a loss of connectivity on specific VLANs: their traffic is steered into the tunnel by policy-based routing (PBR), and with the tunnel down and no fallback route configured those VLANs had no path out. Note that this is fail-closed behaviour, not a leak; the alternative (falling back to the WAN) would have exposed the VPN-routed clients’ real IP.

Key Decisions#

  • VLAN Segmentation:
    • Gandalf: Server network (always-on, stable, no VPN).
    • Mithrandir (VLAN 2): Client/AI network. Traffic is routed through ProtonVPN via WireGuard.
    • Harken (VLAN 3): General usage.
    • Tharkûn (DMZ): Restricted zone (DMZ → Internal is blocked).
    • Rivendell (VLAN 4): Unused.
  • VPN Configuration: ProtonVPN WireGuard Client 1 is used for Mithrandir/VLAN 2. Critical: ensure “Block traffic if WireGuard is down” is enabled. This is the kill switch; without it, a tunnel failure silently falls back to the WAN and leaks the clients’ real IP.
  • IP Management: Use DHCP Reservations (Fixed IPs) in the UniFi Controller rather than configuring static IPs on individual hosts. A host keeps the same address across lease renewals, so port forwards that reference it do not break, and the controller remains the single source of truth for addressing.

Current Configuration#

Known Fixed IPs (DHCP Reservations):