All apps · 0 apps
binhex-official-gluetun
Docker app from Binhex's Repository
Overview
Readme
View on GitHubGluetun VPN client
Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
⚠️ This and gluetun-wiki are the only websites for Gluetun, other websites claiming to be official are scams ⚠️
🗯️ this repository will be migrated to github.com/passteque/gluetun on 2026-05-21, which is a Github organization under my sole control, so don't get alarmed if you get redirected in the coming days 😉 Reason being migrating Github sponsors to the Open source collective due to my personal situation, basically annoying paperwork. On the plus side, it will be more transparent and funds donated will only be used for the project. The Docker image names will remain the same.
Quick links
Problem?
- Check the Wiki common errors and faq
- Start a discussion
- Fix the Unraid template
Suggestion?
Happy?
- Sponsor me on github.com/sponsors/qdm12
- Donate to paypal.me/qmcgaw
- Drop me an email
Want to add a VPN provider? check the development page and add a provider page
Video:
Features
- Based on Alpine 3.23 for a small Docker image of 43.1MB
- Supports: AirVPN, Cyberghost, ExpressVPN, FastestVPN, Giganews, HideMyAss, IPVanish, IVPN, Mullvad (Wireguard only), NordVPN, Perfect Privacy, Privado, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, SlickVPN, Surfshark, TorGuard, VPNSecure.me, VPNUnlimited, Vyprvpn, Windscribe servers
- Supports OpenVPN for all providers listed
- Supports Wireguard both kernelspace and userspace
- For AirVPN, FastestVPN, Ivpn, Mullvad, NordVPN, Perfect privacy, ProtonVPN, Surfshark and Windscribe
- For Cyberghost, Private Internet Access, PrivateVPN, PureVPN, Torguard, VPN Unlimited and VyprVPN using the custom provider
- For custom Wireguard configurations using the custom provider
- More in progress, see #134
- Supports AmneziaWG only with the custom provider for now
- DNS over TLS baked in with service provider(s) of your choice
- DNS fine blocking of malicious/ads hostnames and IP addresses, with live update every 24 hours
- Choose the vpn network protocol,
udportcp - Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
- Built in Shadowsocks proxy server (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
- Built in Socks5 proxy server (tunnels TCP+UDP) - partial credits to @angelakis and @adjscent
- Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
- Connect other containers to it
- Connect LAN devices to it
- Compatible with amd64, i686 (32 bit), ARM 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
- Custom VPN server side port forwarding for Perfect Privacy, Private Internet Access, PrivateVPN and ProtonVPN
- Possibility of split horizon DNS by selecting multiple DNS over TLS providers
- Can work as a Kubernetes sidecar container, thanks @rorph
Setup
🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible!
Go to the Wiki!
Here's a docker-compose.yml for the laziest:
---
services:
gluetun:
image: qmcgaw/gluetun
# container_name: gluetun
# line above must be uncommented to allow external containers to connect.
# See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
volumes:
- /yourpath:/gluetun
environment:
# See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
- VPN_SERVICE_PROVIDER=ivpn
- VPN_TYPE=openvpn
# OpenVPN:
- OPENVPN_USER=
- OPENVPN_PASSWORD=
# Wireguard:
# - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
# - WIREGUARD_ADDRESSES=10.64.222.21/32
# Timezone for accurate log times
- TZ=
# Server list updater
# See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
- UPDATER_PERIOD=
🆕 Image also available as ghcr.io/qdm12/gluetun
Fun graphs
License
Install binhex-official-gluetun on Unraid in a few clicks.
Find binhex-official-gluetun in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.
Categories
Download Statistics
Total Downloads Over Time
Related apps
Explore more like this
Explore allDetails
qmcgaw/gluetunRuntime arguments
- Web UI
http://[IP]:[PORT:8000]- Network
bridge- Shell
sh- Privileged
- false
- Extra Params
--cap-add=NET_ADMIN --device /dev/net/tun:/dev/net/tun
Template configuration
This is the container path to store gluetun related configuration.
- Target
- /gluetun
- Default
- /mnt/cache/appdata/gluetun
HTTP Control Server port
- Target
- 8000
- Default
- 8000
HTTP Proxy port (when HTTPPROXY=on)
- Target
- 8888
- Default
- 8888
Shadowsocks port TCP (when SHADOWSOCKS=on)
- Target
- 8388
- Default
- 8388
Shadowsocks port UDP (when SHADOWSOCKS=on)
- Target
- 8388
- Default
- 8388
Specify a supported VPN provider to use
- Target
- VPN_SERVICE_PROVIDER
- Default
- private internet access|airvpn|cyberghost|expressvpn|fastestvpn|hidemyass|ipvanish|ivpn|mullvad|nordvpn|perfect privacy|privado|privatevpn|protonvpn|purevpn|slickvpn|surfshark|torguard|vpnsecure|vpn unlimited|vyprvpn|wevpn|windscribe|custom
VPN protocol to use. Not all providers support Wireguard.
- Target
- VPN_TYPE
- Default
- openvpn|wireguard
Specify a custom network interface name to use
- Target
- VPN_INTERFACE
- Default
- tun0|en0
Encryption preset, 'none' disables the cipher and auth OpenVPN options (not recommended).
- Target
- PRIVATE_INTERNET_ACCESS_OPENVPN_ENCRYPTION_PRESET
- Default
- normal|strong|none
OpenVPN username (required for OpenVPN)
- Target
- OPENVPN_USER
OpenVPN password (required for OpenVPN)
- Target
- OPENVPN_PASSWORD
Network protocol to use for OpenVPN
- Target
- OPENVPN_PROTOCOL
- Default
- udp|tcp
Set the OpenVPN version to run
- Target
- OPENVPN_VERSION
- Default
- 2.6|2.5
Specify a target VPN server IP address to use
- Target
- OPENVPN_ENDPOINT_IP
Specify a target VPN server port number to use
- Target
- OPENVPN_ENDPOINT_PORT
OpenVPN verbosity level (1-6)
- Target
- OPENVPN_VERBOSITY
- Default
- 1|2|3|4|5|6
Space delimited OpenVPN flags to pass to openvpn
- Target
- OPENVPN_FLAGS
Run OpenVPN as root
- Target
- OPENVPN_ROOT
- Default
- no|yes
Specify a custom cipher to use (e.g. aes-256-gcm)
- Target
- OPENVPN_CIPHERS
Specify a custom auth algorithm to use (e.g. sha256)
- Target
- OPENVPN_AUTH
Set the MSS fix parameter (0-9999, 0 to use defaults)
- Target
- OPENVPN_MSSFIX
- Default
- 0
Path to custom OpenVPN configuration file for custom provider
- Target
- OPENVPN_CUSTOM_CONFIG
Wireguard client private key (required for Wireguard)
- Target
- WIREGUARD_PRIVATE_KEY
Wireguard IP network interface address (xx.xx.xx.xx/xx)
- Target
- WIREGUARD_ADDRESSES
Wireguard server public key
- Target
- WIREGUARD_PUBLIC_KEY
Wireguard server endpoint IP address
- Target
- WIREGUARD_ENDPOINT_IP
Wireguard server endpoint port number
- Target
- WIREGUARD_ENDPOINT_PORT
Wireguard pre-shared key
- Target
- WIREGUARD_PRESHARED_KEY
Wireguard peer allowed IPs (CSV format)
- Target
- WIREGUARD_ALLOWED_IPS
- Default
- 0.0.0.0/0,::/0
Wireguard implementation to use
- Target
- WIREGUARD_IMPLEMENTATION
- Default
- auto|kernelspace|userspace
Wireguard MTU (1-65535)
- Target
- WIREGUARD_MTU
- Default
- 1400
Wireguard persistent keepalive interval (e.g. 25s)
- Target
- WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL
Comma separated list of countries
- Target
- SERVER_COUNTRIES
Comma separated list of regions
- Target
- SERVER_REGIONS
Comma separated list of cities
- Target
- SERVER_CITIES
Comma separated list of server hostnames
- Target
- SERVER_HOSTNAMES
Comma separated list of server names
- Target
- SERVER_NAMES
Comma separated list of server categories (NordVPN)
- Target
- SERVER_CATEGORIES
Enable custom port forwarding code for supported providers
- Target
- VPN_PORT_FORWARDING
- Default
- off|on
Choose the custom port forwarding code to use
- Target
- VPN_PORT_FORWARDING_PROVIDER
File path to use for writing the forwarded port obtained
- Target
- VPN_PORT_FORWARDING_STATUS_FILE
- Default
- /gluetun/forwarded_port
Port redirection for the VPN server side port forwarded
- Target
- VPN_PORT_FORWARDING_LISTENING_PORT
Comma separated list of ports to allow from the VPN server side
- Target
- FIREWALL_VPN_INPUT_PORTS
Comma separated list of ports to allow through the default interface
- Target
- FIREWALL_INPUT_PORTS
Prints every firewall related command (debugging only)
- Target
- FIREWALL_DEBUG
- Default
- off|on
Comma separated subnets that Gluetun is allowed to access
- Target
- FIREWALL_OUTBOUND_SUBNETS
Activate DNS over TLS with Unbound
- Target
- DNS_SERVER
- Default
- on
How to connect to upstream DNS servers: dot (DNS over TLS), doh (DNS over HTTPS), plain (UDP DNS)
- Target
- DNS_UPSTREAM_RESOLVER_TYPE
- Default
- dot|doh|plain
Comma delimited list of DNS over TLS providers, valid values are: 'google', 'quad9', 'quadrant', 'cleanbrowsing', 'libredns', 'opendns'
- Target
- DNS_UPSTREAM_RESOLVERS
- Default
Comma separated list of domain names to leave unblocked from the filtering
- Target
- DNS_UNBLOCK_HOSTNAMES
Unbound caching
- Target
- DNS_CACHING
- Default
- on|off
All private CIDRs ranges. Comma separated list of CIDRs or single IP addresses Unbound won't resolve to. Note that the default setting prevents DNS rebinding
- Target
- DNS_BLOCK_IP_PREFIXES
- Default
- 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
DNS IPv6 resolution
- Target
- DNS_UPSTREAM_IPV6
- Default
- off|on
Comma separated list of IP addresses to not resolve public domains to
- Target
- DNS_BLOCK_IPS
Comma separated list of public domain names to exclude from DNS rebinding protection
- Target
- DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES
Period to update block lists and restart Unbound (e.g. 24h, 0 to disable)
- Target
- DNS_UPDATE_PERIOD
- Default
- 24h
IP address to use as DNS resolver
- Target
- DNS_ADDRESS
- Default
- 127.0.0.1
Keep /etc/resolv.conf untouched
- Target
- DNS_KEEP_NAMESERVER
- Default
- off|on
Block malicious hostnames and IPs with Unbound
- Target
- BLOCK_MALICIOUS
- Default
- on|off
Block surveillance hostnames and IPs with Unbound
- Target
- BLOCK_SURVEILLANCE
- Default
- off|on
Block ads hostnames and IPs with Unbound
- Target
- BLOCK_ADS
- Default
- off|on
Enable the internal HTTP proxy
- Target
- HTTPPROXY
- Default
- off|on
Logs every tunnel requests
- Target
- HTTPPROXY_LOG
- Default
- off|on
Internal listening address for the HTTP proxy
- Target
- HTTPPROXY_LISTENING_ADDRESS
- Default
- :8888
Username to use to connect to the HTTP proxy
- Target
- HTTPPROXY_USER
Password to use to connect to the HTTP proxy
- Target
- HTTPPROXY_PASSWORD
Stealth mode means HTTP proxy headers are not added
- Target
- HTTPPROXY_STEALTH
- Default
- off|on
Enable the internal Shadowsocks proxy
- Target
- SHADOWSOCKS
- Default
- off|on
Enable Shadowsocks logging
- Target
- SHADOWSOCKS_LOG
- Default
- off|on
Internal listening address for Shadowsocks
- Target
- SHADOWSOCKS_LISTENING_ADDRESS
- Default
- :8388
Password to use to connect to Shadowsocks
- Target
- SHADOWSOCKS_PASSWORD
AEAD Cipher to use for Shadowsocks
- Target
- SHADOWSOCKS_CIPHER
- Default
- chacha20-ietf-poly1305|aes-128-gcm|aes-256-gcm
Authentication configuration for the HTTP Control Server
- Target
- HTTP_CONTROL_SERVER_AUTH_DEFAULT_ROLE
- Default
- {"auth":"basic","username":"controlserver","password":"controlserver"}
Listening address for the HTTP Control Server
- Target
- HTTP_CONTROL_SERVER_ADDRESS
- Default
- :8000
Enable logging of requests for the HTTP Control Server
- Target
- HTTP_CONTROL_SERVER_LOG
- Default
- on|off
Path to a TOML file containing authentication configuration for the HTTP Control Server
- Target
- HTTP_CONTROL_SERVER_AUTH_CONFIG_FILEPATH
Comma-separated addresses to ping on every internal health check (replaces HEALTH_TARGET_ADDRESS)
- Target
- HEALTH_TARGET_ADDRESSES
- Default
- google.com:443
Initial duration to wait for the VPN to be ready
- Target
- HEALTH_VPN_DURATION_INITIAL
- Default
- 6s
Additional duration to add for each consecutive VPN failure
- Target
- HEALTH_VPN_DURATION_ADDITION
- Default
- 5s
Duration to wait after a success check
- Target
- HEALTH_SUCCESS_WAIT_DURATION
- Default
- 5s
Internal health check server listening address
- Target
- HEALTH_SERVER_ADDRESS
- Default
- 127.0.0.1:9999
Period to update VPN servers data e.g. '24h' (0 to disable)
- Target
- UPDATER_PERIOD
- Default
- 0
Ratio of servers to be found for update to succeed
- Target
- UPDATER_MIN_RATIO
- Default
- 0.8
List of providers to update servers data for
- Target
- UPDATER_VPN_SERVICE_PROVIDERS
Path of servers.json file (empty to disable caching)
- Target
- STORAGE_FILEPATH
- Default
- /gluetun/servers.json
Specify a timezone to use to have correct log times. i.e. Europe/London
- Target
- TZ
User ID to run as non root
- Target
- PUID
- Default
- 99
Group ID to run as non root
- Target
- PGID
- Default
- 100
Check for public IP address information on VPN connection
- Target
- PUBLICIP_ENABLED
- Default
- true
Public IP echo service API to use
- Target
- PUBLICIP_API
- Default
- ipinfo
Optional API token for the public IP echo service
- Target
- PUBLICIP_API_TOKEN
Filepath to store the public IP address assigned
- Target
- PUBLICIP_FILE
- Default
- /gluetun/ip
Logs a message indicating if a newer version is available
- Target
- VERSION_INFORMATION
- Default
- on
