binhex-official-gluetun

Overview

Gluetun is a lightweight swiss-knife-like VPN client to tunnel to Cyberghost, ExpressVPN, FastestVPN, HideMyAss, IPVanish, IVPN, Mullvad, NordVPN, Perfect Privacy, Privado, PrivateVPN, ProtonVPN, PureVPN, Surfshark, TorGuard, VyprVPN, Windscribe servers using OpenVPN or Wireguard, iptables killswitch, DNS over TLS, ShadowSocks, and an HTTP proxy server.

Runtime arguments

Web UI: http://[IP]:[PORT:8000]
Network: bridge
Shell: sh
Privileged: false
Extra Params: --cap-add=NET_ADMIN --device /dev/net/tun:/dev/net/tun

Template configuration

Path: /gluetunPathrw

This is the container path to store gluetun related configuration.

Target: /gluetun
Default: /mnt/cache/appdata/gluetun

Port: HTTP Control Server PortPorttcp

HTTP Control Server port

Target: 8000
Default: 8000

Port: HTTP Proxy PortPorttcp

HTTP Proxy port (when HTTPPROXY=on)

Target: 8888
Default: 8888

Port: Shadowsocks Port TCPPorttcp

Shadowsocks port TCP (when SHADOWSOCKS=on)

Target: 8388
Default: 8388

Port: Shadowsocks Port UDPPortudp

Shadowsocks port UDP (when SHADOWSOCKS=on)

Target: 8388
Default: 8388

Variable: VPN_SERVICE_PROVIDERVariable

Specify a supported VPN provider to use

Target: VPN_SERVICE_PROVIDER
Default: private internet access|airvpn|cyberghost|expressvpn|fastestvpn|hidemyass|ipvanish|ivpn|mullvad|nordvpn|perfect privacy|privado|privatevpn|protonvpn|purevpn|slickvpn|surfshark|torguard|vpnsecure|vpn unlimited|vyprvpn|wevpn|windscribe|custom

Variable: VPN_TYPEVariable

VPN protocol to use. Not all providers support Wireguard.

Target: VPN_TYPE
Default: openvpn|wireguard

Variable: VPN_INTERFACEVariable

Specify a custom network interface name to use

Target: VPN_INTERFACE
Default: tun0|en0

Variable: PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESETVariable

Encryption preset, 'none' disables the cipher and auth OpenVPN options (not recommended).

Target: PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET
Default: normal|strong|none

Variable: OPENVPN_USERVariable

OpenVPN username (required for OpenVPN)

Target: OPENVPN_USER

Variable: OPENVPN_PASSWORDVariable

OpenVPN password (required for OpenVPN)

Target: OPENVPN_PASSWORD

Variable: OPENVPN_PROTOCOLVariable

Network protocol to use for OpenVPN

Target: OPENVPN_PROTOCOL
Default: udp|tcp

Variable: OPENVPN_VERSIONVariable

Set the OpenVPN version to run

Target: OPENVPN_VERSION
Default: 2.6|2.5

Variable: OPENVPN_ENDPOINT_IPVariable

Specify a target VPN server IP address to use

Target: OPENVPN_ENDPOINT_IP

Variable: OPENVPN_ENDPOINT_PORTVariable

Specify a target VPN server port number to use

Target: OPENVPN_ENDPOINT_PORT

Variable: OPENVPN_VERBOSITYVariable

OpenVPN verbosity level (1-6)

Target: OPENVPN_VERBOSITY
Default: 1|2|3|4|5|6

Variable: OPENVPN_FLAGSVariable

Space delimited OpenVPN flags to pass to openvpn

Target: OPENVPN_FLAGS

Variable: OPENVPN_ROOTVariable

Run OpenVPN as root

Target: OPENVPN_ROOT
Default: no|yes

Variable: OPENVPN_CIPHERSVariable

Specify a custom cipher to use (e.g. aes-256-gcm)

Target: OPENVPN_CIPHERS

Variable: OPENVPN_AUTHVariable

Specify a custom auth algorithm to use (e.g. sha256)

Target: OPENVPN_AUTH

Variable: OPENVPN_MSSFIXVariable

Set the MSS fix parameter (0-9999, 0 to use defaults)

Target: OPENVPN_MSSFIX
Default: 0

Variable: OPENVPN_CUSTOM_CONFIGVariable

Path to custom OpenVPN configuration file for custom provider

Target: OPENVPN_CUSTOM_CONFIG

Variable: WIREGUARD_PRIVATE_KEYVariable

Wireguard client private key (required for Wireguard)

Target: WIREGUARD_PRIVATE_KEY

Variable: WIREGUARD_ADDRESSESVariable

Wireguard IP network interface address (xx.xx.xx.xx/xx)

Target: WIREGUARD_ADDRESSES

Variable: WIREGUARD_PUBLIC_KEYVariable

Wireguard server public key

Target: WIREGUARD_PUBLIC_KEY

Variable: WIREGUARD_ENDPOINT_IPVariable

Wireguard server endpoint IP address

Target: WIREGUARD_ENDPOINT_IP

Variable: WIREGUARD_ENDPOINT_PORTVariable

Wireguard server endpoint port number

Target: WIREGUARD_ENDPOINT_PORT

Variable: WIREGUARD_PRESHARED_KEYVariable

Wireguard pre-shared key

Target: WIREGUARD_PRESHARED_KEY

Variable: WIREGUARD_ALLOWED_IPSVariable

Wireguard peer allowed IPs (CSV format)

Target: WIREGUARD_ALLOWED_IPS
Default: 0.0.0.0/0,::/0

Variable: WIREGUARD_IMPLEMENTATIONVariable

Wireguard implementation to use

Target: WIREGUARD_IMPLEMENTATION
Default: auto|kernelspace|userspace

Variable: WIREGUARD_MTUVariable

Wireguard MTU (1-65535)

Target: WIREGUARD_MTU
Default: 1400

Variable: WIREGUARD_PERSISTENT_KEEPALIVE_INTERVALVariable

Wireguard persistent keepalive interval (e.g. 25s)

Target: WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL

Variable: SERVER_COUNTRIESVariable

Comma separated list of countries

Target: SERVER_COUNTRIES

Variable: SERVER_REGIONSVariable

Comma separated list of regions

Target: SERVER_REGIONS

Variable: SERVER_CITIESVariable

Comma separated list of cities

Target: SERVER_CITIES

Variable: SERVER_HOSTNAMESVariable

Comma separated list of server hostnames

Target: SERVER_HOSTNAMES

Variable: SERVER_NAMESVariable

Comma separated list of server names

Target: SERVER_NAMES

Variable: SERVER_CATEGORIESVariable

Comma separated list of server categories (NordVPN)

Target: SERVER_CATEGORIES

Variable: VPN_PORT_FORWARDINGVariable

Enable custom port forwarding code for supported providers

Target: VPN_PORT_FORWARDING
Default: off|on

Variable: VPN_PORT_FORWARDING_PROVIDERVariable

Choose the custom port forwarding code to use

Target: VPN_PORT_FORWARDING_PROVIDER

Variable: VPN_PORT_FORWARDING_STATUS_FILEVariable

File path to use for writing the forwarded port obtained

Target: VPN_PORT_FORWARDING_STATUS_FILE
Default: /gluetun/forwarded_port

Variable: VPN_PORT_FORWARDING_LISTENING_PORTVariable

Port redirection for the VPN server side port forwarded

Target: VPN_PORT_FORWARDING_LISTENING_PORT

Variable: FIREWALL_VPN_INPUT_PORTSVariable

Comma separated list of ports to allow from the VPN server side

Target: FIREWALL_VPN_INPUT_PORTS

Variable: FIREWALL_INPUT_PORTSVariable

Comma separated list of ports to allow through the default interface

Target: FIREWALL_INPUT_PORTS

Variable: FIREWALL_DEBUGVariable

Prints every firewall related command (debugging only)

Target: FIREWALL_DEBUG
Default: off|on

Variable: FIREWALL_OUTBOUND_SUBNETSVariable

Comma separated subnets that Gluetun is allowed to access

Target: FIREWALL_OUTBOUND_SUBNETS

Variable: DNS_SERVERVariable

Activate DNS over TLS with Unbound

Target: DNS_SERVER
Default: on

Variable: DNS_UPSTREAM_RESOLVER_TYPEVariable

How to connect to upstream DNS servers: dot (DNS over TLS), doh (DNS over HTTPS), plain (UDP DNS)

Target: DNS_UPSTREAM_RESOLVER_TYPE
Default: dot|doh|plain

Variable: DNS_UPSTREAM_RESOLVERSVariable

Comma delimited list of DNS over TLS providers, valid values are: 'google', 'quad9', 'quadrant', 'cleanbrowsing', 'libredns', 'opendns'

Target: DNS_UPSTREAM_RESOLVERS
Default: google

Variable: DNS_UNBLOCK_HOSTNAMESVariable

Comma separated list of domain names to leave unblocked from the filtering

Target: DNS_UNBLOCK_HOSTNAMES

Variable: DNS_CACHINGVariable

Unbound caching

Target: DNS_CACHING
Default: on|off

Variable: DNS_BLOCK_IP_PREFIXESVariable

All private CIDRs ranges. Comma separated list of CIDRs or single IP addresses Unbound won't resolve to. Note that the default setting prevents DNS rebinding

Target: DNS_BLOCK_IP_PREFIXES
Default: 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112

Variable: DNS_UPSTREAM_IPV6Variable

DNS IPv6 resolution

Target: DNS_UPSTREAM_IPV6
Default: off|on

Variable: DNS_BLOCK_IPSVariable

Comma separated list of IP addresses to not resolve public domains to

Target: DNS_BLOCK_IPS

Variable: DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMESVariable

Comma separated list of public domain names to exclude from DNS rebinding protection

Target: DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES

Variable: DNS_UPDATE_PERIODVariable

Period to update block lists and restart Unbound (e.g. 24h, 0 to disable)

Target: DNS_UPDATE_PERIOD
Default: 24h

Variable: DNS_ADDRESSVariable

IP address to use as DNS resolver

Target: DNS_ADDRESS
Default: 127.0.0.1

Variable: DNS_KEEP_NAMESERVERVariable

Keep /etc/resolv.conf untouched

Target: DNS_KEEP_NAMESERVER
Default: off|on

Variable: BLOCK_MALICIOUSVariable

Block malicious hostnames and IPs with Unbound

Target: BLOCK_MALICIOUS
Default: on|off

Variable: BLOCK_SURVEILLANCEVariable

Block surveillance hostnames and IPs with Unbound

Target: BLOCK_SURVEILLANCE
Default: off|on

Variable: BLOCK_ADSVariable

Block ads hostnames and IPs with Unbound

Target: BLOCK_ADS
Default: off|on

Variable: HTTPPROXYVariable

Enable the internal HTTP proxy

Target: HTTPPROXY
Default: off|on

Variable: HTTPPROXY_LOGVariable

Logs every tunnel requests

Target: HTTPPROXY_LOG
Default: off|on

Variable: HTTPPROXY_LISTENING_ADDRESSVariable

Internal listening address for the HTTP proxy

Target: HTTPPROXY_LISTENING_ADDRESS
Default: :8888

Variable: HTTPPROXY_USERVariable

Username to use to connect to the HTTP proxy

Target: HTTPPROXY_USER

Variable: HTTPPROXY_PASSWORDVariable

Password to use to connect to the HTTP proxy

Target: HTTPPROXY_PASSWORD

Variable: HTTPPROXY_STEALTHVariable

Stealth mode means HTTP proxy headers are not added

Target: HTTPPROXY_STEALTH
Default: off|on

Variable: SHADOWSOCKSVariable

Enable the internal Shadowsocks proxy

Target: SHADOWSOCKS
Default: off|on

Variable: SHADOWSOCKS_LOGVariable

Enable Shadowsocks logging

Target: SHADOWSOCKS_LOG
Default: off|on

Variable: SHADOWSOCKS_LISTENING_ADDRESSVariable

Internal listening address for Shadowsocks

Target: SHADOWSOCKS_LISTENING_ADDRESS
Default: :8388

Variable: SHADOWSOCKS_PASSWORDVariable

Password to use to connect to Shadowsocks

Target: SHADOWSOCKS_PASSWORD

Variable: SHADOWSOCKS_CIPHERVariable

AEAD Cipher to use for Shadowsocks

Target: SHADOWSOCKS_CIPHER
Default: chacha20-ietf-poly1305|aes-128-gcm|aes-256-gcm

Variable: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLEVariable

Authentication configuration for the HTTP Control Server

Target: HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
Default: {"auth":"basic","username":"controlserver","password":"controlserver"}

Variable: HTTP_CONTROL_SERVER_ADDRESSVariable

Listening address for the HTTP Control Server

Target: HTTP_CONTROL_SERVER_ADDRESS
Default: :8000

Variable: HTTP_CONTROL_SERVER_LOGVariable

Enable logging of requests for the HTTP Control Server

Target: HTTP_CONTROL_SERVER_LOG
Default: on|off

Variable: HTTP_CONTROL_SERVER_AUTH_CONFIG_FILEPATHVariable

Path to a TOML file containing authentication configuration for the HTTP Control Server

Target: HTTP_CONTROL_SERVER_AUTH_CONFIG_FILEPATH

Variable: HEALTH_TARGET_ADDRESSESVariable

Comma-separated addresses to ping on every internal health check (replaces HEALTH_TARGET_ADDRESS)

Target: HEALTH_TARGET_ADDRESSES
Default: google.com:443

Variable: HEALTH_VPN_DURATION_INITIALVariable

Initial duration to wait for the VPN to be ready

Target: HEALTH_VPN_DURATION_INITIAL
Default: 6s

Variable: HEALTH_VPN_DURATION_ADDITIONVariable

Additional duration to add for each consecutive VPN failure

Target: HEALTH_VPN_DURATION_ADDITION
Default: 5s

Variable: HEALTH_SUCCESS_WAIT_DURATIONVariable

Duration to wait after a success check

Target: HEALTH_SUCCESS_WAIT_DURATION
Default: 5s

Variable: HEALTH_SERVER_ADDRESSVariable

Internal health check server listening address

Target: HEALTH_SERVER_ADDRESS
Default: 127.0.0.1:9999

Variable: UPDATER_PERIODVariable

Period to update VPN servers data e.g. '24h' (0 to disable)

Target: UPDATER_PERIOD
Default: 0

Variable: UPDATER_MIN_RATIOVariable

Ratio of servers to be found for update to succeed

Target: UPDATER_MIN_RATIO
Default: 0.8

Variable: UPDATER_VPN_SERVICE_PROVIDERSVariable

List of providers to update servers data for

Target: UPDATER_VPN_SERVICE_PROVIDERS

Variable: STORAGE_FILEPATHVariable

Path of servers.json file (empty to disable caching)

Target: STORAGE_FILEPATH
Default: /gluetun/servers.json

Variable: TZVariable

Specify a timezone to use to have correct log times. i.e. Europe/London

Target: TZ

Variable: PUIDVariable

User ID to run as non root

Target: PUID
Default: 99

Variable: PGIDVariable

Group ID to run as non root

Target: PGID
Default: 100

Variable: PUBLICIP_ENABLEDVariable

Check for public IP address information on VPN connection

Target: PUBLICIP_ENABLED
Default: true

Variable: PUBLICIP_APIVariable

Public IP echo service API to use

Target: PUBLICIP_API
Default: ipinfo

Variable: PUBLICIP_API_TOKENVariable

Optional API token for the public IP echo service

Target: PUBLICIP_API_TOKEN

Variable: PUBLICIP_FILEVariable

Filepath to store the public IP address assigned

Target: PUBLICIP_FILE
Default: /gluetun/ip

Variable: VERSION_INFORMATIONVariable

Logs a message indicating if a newer version is available

Target: VERSION_INFORMATION
Default: on

Links

Template Support Registry Project

Details

Repository

qmcgaw/gluetun

Registry

https://github.com/qdm12/gluetun/pkgs/container/gluetun

Last Updated2026-05-05

First Seen2021-07-24

Run binhex-official-gluetun on Unraid.

binhex-official-gluetun is listed in Community Apps for Unraid OS. Explore Unraid to build a flexible home server, NAS, or homelab.

Explore Unraid OS