Gluetun VPN Service#

What Was Established#

  • Gluetun is a lightweight Docker container that runs a VPN client (WireGuard or OpenVPN) and acts as a dedicated VPN gateway for other containers. Its built-in firewall only permits traffic that leaves through the tunnel, so it doubles as the kill switch for everything behind it.
  • Implements the sidecar pattern: dependent containers (e.g., qBittorrent, nzbget, prowlarr) share Gluetun’s network namespace via network_mode: "service:gluetun". Because they share one namespace, the sidecars reach each other on localhost, any port they expose has to be published on the gluetun container rather than on the sidecar, and they lose connectivity whenever Gluetun is down (which is the intended fail-closed behaviour).
  • AirVPN selected as the provider over ProtonVPN/Mullvad because its port forwarding support is better suited to P2P services, which need a reachable inbound port.
  • The container-level VPN on the servarr VM is architecturally separate from the network-level UniFi VPN on Helms Deep (VLAN 2): the two tunnels protect different hosts and neither depends on the other.

Deployment Context#

Gluetun runs on the servarr VM (192.168.1.112) as part of the Servarr Docker Compose stack at /docker/servarr/. It is configured through the .env file in that directory. That file carries the provider credentials (for a WireGuard setup, the peer’s private key), so it should be readable only by the deploying user and kept out of any repository the stack is committed to.
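The sidecar wiring described above, written out as a Compose file. This is an added example and not the stack’s own /docker/servarr/ file: the Gluetun environment variable names follow the gluetun wiki for AirVPN over WireGuard, while the image tags, the qBittorrent service, the 8080 web UI port, the volume path, the LAN subnet 192.168.1.0/24 and the .env variable names are assumptions for illustration.

```yaml
# docker-compose.yml (added example, not the stack's own file).
#
# Matching .env in the same directory (chmod 600, never committed; names assumed):
#   WIREGUARD_PRIVATE_KEY=<from the AirVPN client area>
#   WIREGUARD_PRESHARED_KEY=<from the AirVPN client area>
#   WIREGUARD_ADDRESSES=<tunnel address/prefix from the AirVPN config>
#   AIRVPN_FORWARDED_PORT=<static port requested in the AirVPN client area>
#   TZ=<zone>
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
      - WIREGUARD_PRESHARED_KEY=${WIREGUARD_PRESHARED_KEY}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
      - SERVER_COUNTRIES=United States
      # Gluetun's built-in firewall (on by default) is the kill switch: with the
      # tunnel down, the sidecars can reach nothing except the subnets listed here.
      # The LAN is allowed so prowlarr can talk to the other *arr apps (subnet assumed).
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      # Inbound: open only the port AirVPN forwards to this peer; AirVPN ports are
      # static and requested in the client area, so there is no dynamic forwarding here.
      - FIREWALL_VPN_INPUT_PORTS=${AIRVPN_FORWARDED_PORT}
      - TZ=${TZ}
    ports:
      # Sidecar ports are published on gluetun. The sidecar itself must not carry a
      # ports: key; Docker rejects port publishing on a container that joins
      # another container's network namespace.
      - "8080:8080"
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy   # gluetun's image healthcheck reports the tunnel state
    environment:
      - WEBUI_PORT=8080
      - TZ=${TZ}
    volumes:
      - /docker/servarr/qbittorrent:/config   # path assumed
    restart: unless-stopped
```

Two checks worth running after `docker compose up -d`: an egress lookup from inside the sidecar (e.g. `docker exec qbittorrent curl -s https://ipinfo.io/ip`, assuming the image ships curl) should return the AirVPN exit address, and the same command after `docker stop gluetun` should fail rather than fall back to 192.168.1.112. qBittorrent’s listening port has to be set to the same forwarded port, and if the gluetun container is ever recreated the sidecars must be recreated too, since they hold a reference to the old namespace.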

UniFi Express VPN & Network Management#

What Was Established#

  • Methodology for configuring ProtonVPN WireGuard on UniFi Express.
  • Kill switch implementation to prevent IP/DNS leaks when the VPN drops.
  • Best practices for managing Netgear managed switches via dedicated subnets and secure ports.

Key Decisions#

  • WireGuard Protocol: Selected over OpenVPN for superior speed and efficiency on UniFi Express.
  • Kill Switch Pattern: Default-deny WAN traffic for the tunnelled VLAN; forwarded traffic is accepted only when it leaves through the wg0 interface, so a dropped tunnel results in no connectivity rather than a silent fallback to the plain WAN. DNS has to be forced through the same path, otherwise queries still reach the ISP resolver while the tunnel is down.
  • Netgear Management: Restrict switch web GUI access to a dedicated management VLAN/subnet and use HTTPS only; block the cleartext protocols from every other VLAN.

Current Configuration#

  • VPN Client: ProtonVPN (WireGuard)
  • Endpoint: us-123.protonvpn.net:51820 (example high-speed server)
  • ProtonVPN DNS: 10.2.0.1
  • Allowed IPs: 0.0.0.0/0 (full tunnel for IPv4 only; unless ::/0 is added or IPv6 is disabled on the tunnelled VLAN, IPv6 traffic bypasses the tunnel)
  • Netgear Switch Management Ports:
    • HTTP: 80 (cleartext; disable on the switch if it allows that, otherwise block at the firewall)
    • HTTPS: 443 (secure web GUI)
    • SSH: 22 (CLI access)
    • SNMP: 161 (monitoring; v1/v2c community strings travel in cleartext, so restrict it to the management subnet or use SNMPv3)
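The kill switch and the switch-management restriction from the Key Decisions above, written as one firewall ruleset that can be loaded on a Linux gateway shell. This is an added example, not a ruleset from the page, from UniFi or from ProtonVPN. Only wg0 and the ProtonVPN resolver 10.2.0.1 come from the page; the interface names (eth4, br2), the switch management address 192.168.10.8 and the choice of nftables over iptables are assumptions to replace with the gateway’s own values.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the page, UniFi or ProtonVPN).
# Interface names and the switch address are assumptions; wg0 and 10.2.0.1 are from the page.
define WAN_IF      = "eth4"         # assumed WAN interface name
define VPN_IF      = "wg0"          # from the page
define VLAN2_IF    = "br2"          # assumed interface for VLAN 2 (Helms Deep)
define VPN_DNS     = 10.2.0.1       # ProtonVPN resolver, from the page
define SWITCH_MGMT = 192.168.10.8   # assumed management IP of the Netgear MS308E

# Declare-then-flush touches only this table. Do not use "flush ruleset" on a
# UniFi gateway: that would also remove the controller-generated rules.
table inet homelab_vpn
flush table inet homelab_vpn
table inet homelab_vpn {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Kill switch. These drops sit above any generic
        # "ct state established,related accept": a flow that started over wg0 is
        # still "established" in conntrack after the tunnel drops, so a generic
        # accept placed first would let it out of the WAN interface.
        # The inet family matches IPv6 as well, which matters because
        # AllowedIPs 0.0.0.0/0 puts only IPv4 into the tunnel.
        iifname $VLAN2_IF oifname $WAN_IF counter drop comment "VLAN2 -> WAN outside tunnel"
        iifname $WAN_IF oifname $VLAN2_IF counter drop comment "WAN -> VLAN2 outside tunnel"
        iifname $VLAN2_IF oifname $VPN_IF accept
        iifname $VPN_IF oifname $VLAN2_IF ct state established,related accept

        # Netgear switch management: nothing routed from another VLAN may reach
        # the switch's management address. Hosts on the management VLAN reach it
        # at layer 2 and never traverse this chain, so HTTP on port 80 also has to
        # be disabled on the switch itself rather than here.
        ip daddr $SWITCH_MGMT counter drop comment "switch mgmt only from its own VLAN"
    }
}

# DNS leak prevention: hairpin every DNS query from VLAN 2 to the ProtonVPN
# resolver, which is only reachable inside the tunnel. A client with a
# hard-coded public resolver therefore gets an answer through wg0 or none at all.
table ip homelab_vpn_dns
flush table ip homelab_vpn_dns
table ip homelab_vpn_dns {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $VLAN2_IF udp dport 53 dnat to $VPN_DNS
        iifname $VLAN2_IF tcp dport 53 dnat to $VPN_DNS
    }
}
```

Check the syntax with `nft -c -f killswitch.nft` before loading it with `nft -f killswitch.nft`, then test by taking wg0 down and confirming that a host on VLAN 2 can neither reach the internet nor resolve names. Firewall state on a UniFi gateway is regenerated when the controller provisions the device, so rules added from the shell do not persist on their own; they need a boot-time hook, or the equivalent rules expressed in the UniFi OS firewall GUI, which is the first of the open questions below.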

Historical Notes#

  • Conversation dated 2025-04-14.
  • Gateway device referred to as UniFi Express (infrastructure list notes “UCG Express ‘Olorín’ at 192.168.1.1”).
  • Netgear MS308E is the managed switch in the homelab.
  • Kill switch and DNS leak prevention rely on firewall rules: either iptables/nftables applied from the gateway shell or equivalent UniFi OS firewall rules set in the GUI.

Open Questions#

  • Does UniFi Express support a native WireGuard kill switch in the GUI, or is manual CLI firewall configuration required?
  • Specific UniFi OS version and exact GUI paths for VPN/kill switch implementation.
  • Whether split tunneling is needed for specific homelab services.

Uptime Kuma - Configuration & Integrations