All apps · 0 apps
GluetunVPN
Docker app from Diamond Precision Computing's Repository
Overview
Lightweight swiss-knife-like VPN client to multiple VPN service providers
Quick links- Setup
- Problem?
- Check the Wiki: https://github.com/qdm12/gluetun-wiki
- Start a discussion: https://github.com/qdm12/gluetun/discussions
- Fix the Unraid template: https://github.com/qdm12/gluetun/discussions/550
- Suggestion?
- Happy?
- Sponsor me: https://github.com/sponsors/qdm12
- Donate: https://www.paypal.me/qmcgaw
- Drop me an email: quentin.mcgaw@gmail.com
- Want to add a VPN provider?
- Based on Alpine 3.18 for a small Docker image of 35.6MB
- Supports: AirVPN, Cyberghost, ExpressVPN, FastestVPN, Giganews, HideMyAss, IPVanish, IVPN, Mullvad, NordVPN, Perfect Privacy, Privado, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, SlickVPN, Surfshark, TorGuard, VPNSecure.me, VPNUnlimited, Vyprvpn, WeVPN, Windscribe servers
- Supports OpenVPN for all providers listed
- Supports Wireguard both kernelspace and userspace
- For Mullvad, Ivpn, Surfshark and Windscribe
- For ProtonVPN, PureVPN, Torguard, VPN Unlimited and WeVPN using the custom provider
- For custom Wireguard configurations using the custom provider
- More in progress, see: https://github.com/qdm12/gluetun/issues/134
- DNS over TLS baked in with service provider(s) of your choice
- DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
- Choose the vpn network protocol,
udportcp - Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
- Built in Shadowsocks proxy (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
- Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
- Connect other containers to it
- Connect LAN devices to it
- Compatible with amd64, i686 (32 bit), ARM 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
- Custom VPN server side port forwarding for Private Internet Access
- Possibility of split horizon DNS by selecting multiple DNS over TLS providers
- Unbound subprogram drops root privileges once launched
- Can work as a Kubernetes sidecar container, thanks @rorph
🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible!
Go to the Wiki: https://github.com/qdm12/gluetun-wiki
🆕 Image also available as ghcr.io/qdm12/gluetun
Readme
View on GitHubGluetun VPN client
Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
⚠️ This and gluetun-wiki are the only websites for Gluetun, other websites claiming to be official are scams ⚠️
🗯️ this repository will be migrated to github.com/passteque/gluetun on 2026-05-21, which is a Github organization under my sole control, so don't get alarmed if you get redirected in the coming days 😉 Reason being migrating Github sponsors to the Open source collective due to my personal situation, basically annoying paperwork. On the plus side, it will be more transparent and funds donated will only be used for the project. The Docker image names will remain the same.
Quick links
Problem?
- Check the Wiki common errors and faq
- Start a discussion
- Fix the Unraid template
Suggestion?
Happy?
- Sponsor me on github.com/sponsors/qdm12
- Donate to paypal.me/qmcgaw
- Drop me an email
Want to add a VPN provider? check the development page and add a provider page
Video:
Features
- Based on Alpine 3.23 for a small Docker image of 43.1MB
- Supports: AirVPN, Cyberghost, ExpressVPN, FastestVPN, Giganews, HideMyAss, IPVanish, IVPN, Mullvad (Wireguard only), NordVPN, Perfect Privacy, Privado, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, SlickVPN, Surfshark, TorGuard, VPNSecure.me, VPNUnlimited, Vyprvpn, Windscribe servers
- Supports OpenVPN for all providers listed
- Supports Wireguard both kernelspace and userspace
- For AirVPN, FastestVPN, Ivpn, Mullvad, NordVPN, Perfect privacy, ProtonVPN, Surfshark and Windscribe
- For Cyberghost, Private Internet Access, PrivateVPN, PureVPN, Torguard, VPN Unlimited and VyprVPN using the custom provider
- For custom Wireguard configurations using the custom provider
- More in progress, see #134
- Supports AmneziaWG only with the custom provider for now
- DNS over TLS baked in with service provider(s) of your choice
- DNS fine blocking of malicious/ads hostnames and IP addresses, with live update every 24 hours
- Choose the vpn network protocol,
udportcp - Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
- Built in Shadowsocks proxy server (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
- Built in Socks5 proxy server (tunnels TCP+UDP) - partial credits to @angelakis and @adjscent
- Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
- Connect other containers to it
- Connect LAN devices to it
- Compatible with amd64, i686 (32 bit), ARM 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
- Custom VPN server side port forwarding for Perfect Privacy, Private Internet Access, PrivateVPN and ProtonVPN
- Possibility of split horizon DNS by selecting multiple DNS over TLS providers
- Can work as a Kubernetes sidecar container, thanks @rorph
Setup
🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible!
Go to the Wiki!
Here's a docker-compose.yml for the laziest:
---
services:
gluetun:
image: qmcgaw/gluetun
# container_name: gluetun
# line above must be uncommented to allow external containers to connect.
# See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
volumes:
- /yourpath:/gluetun
environment:
# See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
- VPN_SERVICE_PROVIDER=ivpn
- VPN_TYPE=openvpn
# OpenVPN:
- OPENVPN_USER=
- OPENVPN_PASSWORD=
# Wireguard:
# - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
# - WIREGUARD_ADDRESSES=10.64.222.21/32
# Timezone for accurate log times
- TZ=
# Server list updater
# See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
- UPDATER_PERIOD=
🆕 Image also available as ghcr.io/qdm12/gluetun
Fun graphs
License
Install GluetunVPN on Unraid in a few clicks.
Find GluetunVPN in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.
Categories
Download Statistics
Total Downloads Over Time
Related apps
Explore more like this
Explore allLinks
Details
qmcgaw/gluetunRuntime arguments
- Web UI
http://[IP]:[PORT:8000]- Network
bridge- Privileged
- false
- Extra Params
--cap-add=NET_ADMIN --restart=unless-stopped
Template configuration
Specify a timezone to use to have correct log times. i.e. Europe/London
- Target
- TZ
Container Path: /gluetun
- Target
- /gluetun
- Default
- /mnt/user/appdata/gluetun
- Value
- /mnt/user/appdata/gluetun
VPN Service Provider
- Default
- private internet access|airvpn|cyberghost|expressvpn|fastestvpn|hidemyass|ipvanish|ivpn|mullvad|nordvpn|perfect privacy|privado|privatevpn|protonvpn|purevpn|slickvpn|surfshark|torguard|vpnsecure|vpn unlimited|vyprvpn|wevpn|windscribe|custom
- Value
- private internet access
VPN Type. Default is OpenVPN. Note not all providers support Wireguard.
- Default
- openvpn|wireguard
- Value
- openvpn
OPTIONAL: Specify a custom network interface name to use. (e.g. tun0 or wg0)
- Default
- tun0
- Value
- tun0
OPTIONAL: Custom OpenVPN/Wireguard server endpoint port to use
OPTIONAL: Specify a target VPN IP address to use
OPTIONAL: Container Variable: OPENVPN_PROTOCOL
- Default
- udp|tcp
- Value
- udp
Container Variable: OPENVPN_USER
Container Variable: OPENVPN_PASSWORD (Optional for Mullvad)
OPTIONAL: Set the OpenVPN version to run
- Default
- 2.6|2.5
- Value
- 2.6
OPTIONAL: OpenVPN verbosity level
- Default
- 0|1|2|3|4|5|6
- Value
- 1
OPTIONAL: Space delimited OpenVPN flags to pass to openvpn
OPTIONAL: Specify one or more custom ciphers to use
OPTIONAL: Specify a custom auth algorithm to use. i.e. sha256
OPTIONAL: Run OpenVPN as root
- Default
- no|yes
- Value
- no
OPTIONAL: Enable tunneling of IPv6 (only for Mullvad)
- Default
- off|on
- Value
- off
OPTIONAL: The path to your OpenVPN configuration file. This implies VPN_SERVICE_PROVIDER=custom
Implementation of Wireguard to use.
- Default
- auto|userspace|kernelspace
- Value
- auto
OPTINAL: 32 bytes private key in base64 format
OPTINAL: 32 bytes pre-shared key in base64 format
Only for VPN_SERVICE_PROVIDER=custom and VPN_TYPE=wireguard: Wireguard server public key
Wireguard IP network in the format xx.xx.xx.xx/xx. Wireguard interface address, only required if VPN_TYPE=wireguard. Note this is usually specific by user and the same for all servers.
OPTIONAL: CSV of IP address ranges, only required if VPN_TYPE=wireguard. Note this is usually specific by user and the same for all servers.
- Default
- 0.0.0.0/0,::/0
- Value
- 0.0.0.0/0,::/0
OPTIONAL: Any positive value up to 65535, only required if VPN_TYPE=wireguard.
- Default
- 1320
- Value
- 1320
OPTIONAL: Wireguard persistent keepalive interval. i.e. 25s.
OPTIONAL: Comma separated list of VPN countries. https://github.com/qdm12/gluetun-wiki
OPTIONAL: Comma separated list of VPN cities. https://github.com/qdm12/gluetun-wiki
OPTIONAL: (PIA ONLY) Single server hostname. https://github.com/qdm12/gluetun-wiki
OPTIONAL: Comma separated list of server hostnames. https://github.com/qdm12/gluetun-wiki
OPTIONAL: Enable custom port forwarding code for supported providers. https://github.com/qdm12/gluetun-wiki
- Default
- off|on
- Value
- off
OPTIONAL: Port redirection for the VPN server side port forwarded. https://github.com/qdm12/gluetun-wiki
Turn on or off the container built-in firewall. You should turn off for debugging purposes only.
- Default
- on|off
- Value
- on
OPTIONAL: Comma separated list of ports to allow from the VPN server side (useful for vyprvpn port forwarding)
OPTIONAL: Comma separated list of ports to allow through the default interface. This seems needed for Unraid containers and Kubernetes sidecars.
OPTIONAL: You first need to set your LAN CIDR in FIREWALL_OUTBOUND_SUBNETS. For example with FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
OPTIONAL: Prints every firewall related command. You should use it for debugging purposes only.
- Default
- off|on
- Value
- off
OPTIONAL: Container Variable: LOG_LEVEL
- Default
- info
- Value
- info
(Recommended: on) Activate DNS over TLS (DOT) with Unbound
- Default
- on|off
- Value
- on
Comma delimited list of DNS over TLS providers
- Default
- cira family|cira private|cira protected|cleanbrowsing adult|cleanbrowsing family|cleanbrowsing security|cloudflare|cloudflare family|cloudflare security|google|libredns|opendns|quad9|quad9 secured|quad9 unsecured|quadrant
- Value
- cloudflare
All private CIDRs ranges. Comma separated list of CIDRs or single IP addresses Unbound won't resolve to. Note that the default setting prevents DNS rebinding
- Default
- 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
- Value
- 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
OPTIONAL: Unbound caching
- Default
- on|off
- Value
- on
OPTIONAL: DNS IPv6 resolution
- Default
- on|off
- Value
- off
OPTIONAL: Block malicious hostnames and IPs with Unbound
- Default
- on|off
- Value
- on
OPTIONAL: Block surveillance hostnames and IPs with Unbound
- Default
- on|off
- Value
- off
OPTIONAL: Block ads hostnames and IPs with Unbound
- Default
- on|off
- Value
- off
OPTIONAL: Comma separated list of domain names to leave unblocked with Unbound. i.e. domain1.com,x.domain2.co.uk
OPTIONAL: Period to update block lists and cryptographic files and restart Unbound. Set to 0 to deactivate updates. i.e. 0, 30s, 5m, 24h
- Default
- 24h
- Value
- 24h
OPTIONAL: IP address to use as DNS resolver if DOT is off
OPTIONAL: Keep the nameservers in /etc/resolv.conf untouched, but disabled DNS blocking features
- Default
- off|on
- Value
- off
OPTIONAL: Enable the internal HTTP proxy
- Default
- off|on
- Value
- off
OPTIONAL: Logs every tunnel requests
- Default
- off|on
- Value
- off
Internal port number for the HTTP proxy to listen on
- Target
- 8888
- Default
- 8888
- Value
- 8888
OPTIONAL: Username to use to connect to the HTTP proxy
OPTIONAL: Password to use to connect to the HTTP proxy
OPTIONAL: Stealth mode means HTTP proxy headers are not added to your requests
- Target
- HTTPPROXY_STEALTH
- Default
- off|on
- Value
- off
OPTIONAL: Enable the internal Shadowsocks proxy
- Default
- off|on
- Value
- off
OPTIONAL: Enable Shadowsocks logging
- Default
- off|on
- Value
- off
OPTIONAL: Port number for the HTTP proxy to listen on
- Target
- :8388
- Default
- :8388
- Value
- :8388
OPTIONAL: Password to use to connect to Shadowsocks
OPTIONAL: Cipher to use for Shadowsocks
- Default
- chacha20-ietf-poly1305|aes-128-gcm|aes-256-gcm
- Value
- chacha20-ietf-poly1305
OPTIONAL: Period to update all VPN servers information in memory and to /gluetun/servers.json. Set to 0 to disable. This does a burst of DNS over TLS requests, which may be blocked if you set BLOCK_MALICIOUS=on for example. Valid duration string such as 24h.
- Default
- 0
- Value
- 0
OPTIONAL: Filter only port-forwarding enabled (aka *p2p*) servers (pia and protonvpn only)
- Default
- off|on
- Value
- off
OPTIONAL: File path to use for writing the forwarded port obtained. https://github.com/qdm12/gluetun-wiki
- Default
- /gluetun/forwarded_port
- Value
- /gluetun/forwarded_port
OPTIONAL: Command to run when port forwarding has finished setting up (pia and protonvpn only). https://github.com/qdm12/gluetun-wiki
OPTIONAL: Command to run when port forwarding has finished tearing down (pia and protonvpn only). https://github.com/qdm12/gluetun-wiki
OPTIONAL: Choose the custom port forwarding code to use. This is useful when using the custom provider with Wireguard. For PIA, make sure you set SERVER_NAMES=xxxx. https://github.com/qdm12/gluetun-wiki
OPTIONAL: This is needed when using the custom provider with Wireguard with PIA. https://github.com/qdm12/gluetun-wiki
OPTIONAL: This is needed when using the custom provider with Wireguard with PIA. https://github.com/qdm12/gluetun-wiki
OPTIONAL: Internal Health Server Listening Addroess
- Default
- 127.0.0.1:9999
- Value
- 127.0.0.1:9999
OPTIONAL: Address used to check tunnel health
- Default
- cloudflare.com:443
- Value
- cloudflare.com:443
OPTIONAL: Filepath to store the public IP address assigned
- Default
- /gluetun/ip
- Value
- /gluetun/ip
OPTIONAL: Check for public IP address information on VPN connection.
- Default
- true|false
- Value
- true
OPTIONAL: Filepath to store the public IP address assigned
- Default
- on|off
- Value
- on
Container Port: 8000
- Target
- 8000
- Default
- 8000
- Value
- 8000
OPTIONAL: Enable logging of HTTP requests
- Default
- on|off
- Value
- on
Container Variable: PUID
- Value
- 1000
Container Variable: PGID
- Value
- 1000
