Gluetun: VPN client for Docker containers
Lightweight Go VPN client for routing containerized traffic.
Learn more about gluetun
version: "3" services: gluetun: image: qmcgaw/gluetun container_name: gluetun cap_add: - NET_ADMIN devices: - /dev/net/tun:/dev/net/tun ports: - 8888:8888/tcp # HTTP proxy - 9091:9091/tcp # Transmission Web UI - 51413:51413 # Transmission torrent port environment: - VPN_SERVICE_PROVIDER=mullvad - VPN_TYPE=wireguard - WIREGUARD_PRIVATE_KEY=${MULLVAD_PRIVATE_KEY} - WIREGUARD_ADDRESSES=10.64.0.1/32 - SERVER_CITIES=New York restart: unless-stopped transmission: image: linuxserver/transmission container_name: transmission network_mode: "service:gluetun" environment: - PUID=1000 - PGID=1000 - TZ=America/New_York volumes: - ./config:/config - ./downloads:/downloads depends_on: - gluetun restart: unless-stopped
Multi-provider support
Supports 25+ VPN providers including NordVPN, Mullvad, Private Internet Access, Surfshark, and others. Each provider can be configured with either OpenVPN or Wireguard depending on provider support.
Minimal container footprint
Built on Alpine Linux 3.22 with a Docker image size of approximately 41MB, reducing resource consumption and deployment overhead compared to larger VPN client implementations.
Built-in proxy services
Includes HTTP proxy and SOCKS proxy servers within the container, allowing other services to route traffic through the VPN without requiring separate proxy containers or configuration.
import requests
# Query gluetun's control server for VPN status
response = requests.get('http://localhost:8000/v1/openvpn/status')
status = response.json()
if status['status'] == 'running':
print(f"Connected to VPN: {status['country']}")
else:
print("VPN not connected")Replaces Unbound DNS with qdm12/dns v2.0.0-rc8 for faster startup; default MTU drops from 1400 to 1320 for Wireguard and OpenVPN mssfix.
- –Set WIREGUARD_MTU=1400 explicitly if you require the old default; new default is 1320 to address MTU issues.
- –Use PUBLICIP_ENABLED (on/off) instead of PUBLICIP_PERIOD=0; old syntax still works but logs warnings.
Control server now requires authentication on vulnerable routes; firewall rule deletion and several provider fixes included.
- –Update control server clients to authenticate on previously open routes to avoid access issues.
- –ProtonVPN users cannot combine FREE_ONLY and PORT_FORWARD_ONLY flags; IVPN city/region parsing now handles commas correctly.
OpenVPN defaults to 2.6, Alpine 3.20, and iptables-nft; FIREWALL_ENABLED renamed to prevent misuse, old name now ignored.
- –Split VPN_ENDPOINT_IP and VPN_ENDPOINT_PORT into protocol-specific OPENVPN_* and WIREGUARD_* variables for clearer configuration.
- –Enable Wireguard for FastestVPN and ProtonVPN; Perfect Privacy now supports port forwarding with VPN_PORT_FORWARDING=on.
Top in Cloud & DevOps
Related Repositories
Discover similar tools and frameworks used by developers
OpenZFS
Production-ready, enterprise-grade filesystem combining volume management, data integrity protection, snapshots, and compression for Linux, FreeBSD, and illumos systems.
portainer
Web-based management platform for multi-orchestrator container environments.
renovate
Automated dependency updates via pull requests across 90+ package managers.
kaniko
Daemon-free Docker image builder for Kubernetes clusters.
node_exporter
Collects Unix system metrics for Prometheus monitoring.