
Tunnel all LAN traffic through Gluetun

Open nefremov1 opened this issue 2 years ago • 3 comments

added part related to accessing VPN via Gluetun container from another LAN

nefremov1 avatar Jul 05 '23 12:07 nefremov1

All this is quite interesting 💯 Do you think we could automate this with an option (env variable)? 🤔 Or is there some additional setup to be done on clients/routers etc.? 🤔

In total there are 2 steps to make the whole setup work:

1. Make the Gluetun docker work as a gateway for LAN devices. Could be done via an ENV like 'ROUTE=' with the following logic:

  • If it's not set, Gluetun works as it does in the current version (connections from the internal docker network (tun0) are passed through to the internet via Gluetun, connections from the LAN (eth0) are dropped)
  • If it's set to something like ROUTE=192.168.1.0/24;192.168.10.0/24, then docker should apply the following rules in iptables:

This is needed for LAN networks to go through Gluetun:

iptables -A FORWARD -i eth0 -o tun0 -s 192.168.1.0/24 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -s 192.168.10.0/24 -d 0.0.0.0/0 -j ACCEPT

This is needed so already established connections could go between interfaces inside docker:

iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

And finally, this part is needed, so docker itself will be working as a gateway:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

2. Make the LAN client handle the Gluetun docker as a gateway:

  • On router: certain traffic (for certain destination IPs, for example) could be routed to the Gluetun docker (docker will be used as a gateway)
  • On client: the gateway could be set to the LAN IP address (which is assigned in docker to eth0) of the Gluetun docker

nefremov1 avatar Aug 08 '23 12:08 nefremov1

Shouldn't there be a note that this also requires the gluetun container be bridged to the container host's physical network? I was able to replicate this, but I had to create a macvlan docker network on the host, and specify it in the run command.

jdimpson avatar Feb 09 '24 03:02 jdimpson

@qdm12 Does gluetun use iptables at all inside the container?

@jdimpson Yes, it does require a MacVLAN or IPVLAN Docker Network.

gaby avatar Mar 26 '24 03:03 gaby