GluetunVPN

Docker app from Diamond Precision Computing's Repository

Overview

Gluetun VPN client

Lightweight swiss-knife-like VPN client to multiple VPN service providers

Quick links

Setup
- https://github.com/qdm12/gluetun-wiki
Problem?
- Check the Wiki: https://github.com/qdm12/gluetun-wiki
- Start a discussion: https://github.com/qdm12/gluetun/discussions
- Fix the Unraid template: https://github.com/qdm12/gluetun/discussions/550
Suggestion?
- Create an issue: https://github.com/qdm12/gluetun/issues
- Join the Slack channel: https://join.slack.com/t/qdm12/shared_invite/enQtOTE0NjcxNTM1ODc5LTYyZmVlOTM3MGI4ZWU0YmJkMjUxNmQ4ODQ2OTAwYzMxMTlhY2Q1MWQyOWUyNjc2ODliNjFjMDUxNWNmNzk5MDk
Happy?
- Sponsor me: https://github.com/sponsors/qdm12
- Donate: https://www.paypal.me/qmcgaw
- Drop me an email: quentin.mcgaw@gmail.com
Want to add a VPN provider?
- Check development: https://github.com/qdm12/gluetun-wiki/blob/main/contributing/development.md
- Add a provider: https://github.com/qdm12/gluetun-wiki/blob/main/contributing/add-a-provider.md

Features

Based on Alpine 3.18 for a small Docker image of 35.6MB
Supports: AirVPN, Cyberghost, ExpressVPN, FastestVPN, Giganews, HideMyAss, IPVanish, IVPN, Mullvad, NordVPN, Perfect Privacy, Privado, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, SlickVPN, Surfshark, TorGuard, VPNSecure.me, VPNUnlimited, Vyprvpn, WeVPN, Windscribe servers
Supports OpenVPN for all providers listed
Supports Wireguard both kernelspace and userspace
- For Mullvad, Ivpn, Surfshark and Windscribe
- For ProtonVPN, PureVPN, Torguard, VPN Unlimited and WeVPN using the custom provider
- For custom Wireguard configurations using the custom provider
- More in progress, see: https://github.com/qdm12/gluetun/issues/134
DNS over TLS baked in with service provider(s) of your choice
DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
Choose the vpn network protocol, udp or tcp
Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
Built in Shadowsocks proxy (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
Connect other containers to it
Connect LAN devices to it
Compatible with amd64, i686 (32 bit), ARM 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
Custom VPN server side port forwarding for Private Internet Access
Possibility of split horizon DNS by selecting multiple DNS over TLS providers
Unbound subprogram drops root privileges once launched
Can work as a Kubernetes sidecar container, thanks @rorph

Setup

🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible!

Go to the Wiki: https://github.com/qdm12/gluetun-wiki
🆕 Image also available as ghcr.io/qdm12/gluetun

License

MIT: https://github.com/qdm12/gluetun/master/LICENSE

Runtime arguments

Web UI: http://[IP]:[PORT:8000]
Network: bridge
Privileged: false
Extra Params: --cap-add=NET_ADMIN --restart=unless-stopped

Template configuration

TIMEZONEVariable

Specify a timezone to use to have correct log times. i.e. Europe/London

Target: TZ

configPathrw

Container Path: /gluetun

Target: /gluetun
Default: /mnt/user/appdata/gluetun
Value: /mnt/user/appdata/gluetun

VPN_SERVICE_PROVIDERVariable

VPN Service Provider

Default: private internet access|airvpn|cyberghost|expressvpn|fastestvpn|hidemyass|ipvanish|ivpn|mullvad|nordvpn|perfect privacy|privado|privatevpn|protonvpn|purevpn|slickvpn|surfshark|torguard|vpnsecure|vpn unlimited|vyprvpn|wevpn|windscribe|custom
Value: private internet access

VPN_TYPEVariable

VPN Type. Default is OpenVPN. Note not all providers support Wireguard.

Default: openvpn|wireguard
Value: openvpn

VPN_INTERFACEVariable

OPTIONAL: Specify a custom network interface name to use. (e.g. tun0 or wg0)

Default: tun0
Value: tun0

VPN_ENDPOINT_PORTVariable

OPTIONAL: Custom OpenVPN/Wireguard server endpoint port to use

VPN_ENDPOINT_IPVariable

OPTIONAL: Specify a target VPN IP address to use

OPENVPN_PROTOCOLVariable

OPTIONAL: Container Variable: OPENVPN_PROTOCOL

Default: udp|tcp
Value: udp

OPENVPN_USERVariable

Container Variable: OPENVPN_USER

OPENVPN_PASSWORDVariable

Container Variable: OPENVPN_PASSWORD (Optional for Mullvad)

OPENVPN_VERSIONVariable

OPTIONAL: Set the OpenVPN version to run

Default: 2.6|2.5
Value: 2.6

OPENVPN_VERBOSITYVariable

OPTIONAL: OpenVPN verbosity level

Default: 0|1|2|3|4|5|6
Value: 1

OPENVPN_FLAGSVariable

OPTIONAL: Space delimited OpenVPN flags to pass to openvpn

OPENVPN_CIPHERSVariable

OPTIONAL: Specify one or more custom ciphers to use

OPENVPN_AUTHVariable

OPTIONAL: Specify a custom auth algorithm to use. i.e. sha256

OPENVPN_PROCESS_USERVariable

OPTIONAL: Run OpenVPN as root

Default: no|yes
Value: no

OPENVPN_IPV6Variable

OPTIONAL: Enable tunneling of IPv6 (only for Mullvad)

Default: off|on
Value: off

OPENVPN_CUSTOM_CONFIGVariable

OPTIONAL: The path to your OpenVPN configuration file. This implies VPN_SERVICE_PROVIDER=custom

WIREGUARD_IMPLEMENTATIONVariable

Implementation of Wireguard to use.

Default: auto|userspace|kernelspace
Value: auto

WIREGUARD_PRIVATE_KEYVariable

OPTINAL: 32 bytes private key in base64 format

WIREGUARD_PRESHARED_KEYVariable

OPTINAL: 32 bytes pre-shared key in base64 format

WIREGUARD_PUBLIC_KEYVariable

Only for VPN_SERVICE_PROVIDER=custom and VPN_TYPE=wireguard: Wireguard server public key

WIREGUARD_ADDRESSESVariable

Wireguard IP network in the format xx.xx.xx.xx/xx. Wireguard interface address, only required if VPN_TYPE=wireguard. Note this is usually specific by user and the same for all servers.

WIREGUARD_ALLOWED_IPSVariable

OPTIONAL: CSV of IP address ranges, only required if VPN_TYPE=wireguard. Note this is usually specific by user and the same for all servers.

Default: 0.0.0.0/0,::/0
Value: 0.0.0.0/0,::/0

WIREGUARD_MTUVariable

OPTIONAL: Any positive value up to 65535, only required if VPN_TYPE=wireguard.

Default: 1320
Value: 1320

WIREGUARD_PERSISTENT_KEEPALIVE_INTERVALVariable

OPTIONAL: Wireguard persistent keepalive interval. i.e. 25s.

SERVER_COUNTRIESVariable

OPTIONAL: Comma separated list of VPN countries. https://github.com/qdm12/gluetun-wiki

SERVER_CITIESVariable

OPTIONAL: Comma separated list of VPN cities. https://github.com/qdm12/gluetun-wiki

SERVER_NAMESVariable

OPTIONAL: (PIA ONLY) Single server hostname. https://github.com/qdm12/gluetun-wiki

SERVER_HOSTNAMESVariable

OPTIONAL: Comma separated list of server hostnames. https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDINGVariable

OPTIONAL: Enable custom port forwarding code for supported providers. https://github.com/qdm12/gluetun-wiki

Default: off|on
Value: off

VPN_PORT_FORWARDING_LISTENING_PORTVariable

OPTIONAL: Port redirection for the VPN server side port forwarded. https://github.com/qdm12/gluetun-wiki

FIREWALLVariable

Turn on or off the container built-in firewall. You should turn off for debugging purposes only.

Default: on|off
Value: on

FIREWALL_VPN_INPUT_PORTSVariable

OPTIONAL: Comma separated list of ports to allow from the VPN server side (useful for vyprvpn port forwarding)

FIREWALL_INPUT_PORTSVariable

OPTIONAL: Comma separated list of ports to allow through the default interface. This seems needed for Unraid containers and Kubernetes sidecars.

FIREWALL_OUTBOUND_SUBNETSVariable

OPTIONAL: You first need to set your LAN CIDR in FIREWALL_OUTBOUND_SUBNETS. For example with FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24

FIREWALL_DEBUGVariable

OPTIONAL: Prints every firewall related command. You should use it for debugging purposes only.

Default: off|on
Value: off

LOG_LEVELVariable

OPTIONAL: Container Variable: LOG_LEVEL

Default: info
Value: info

DNS_SERVERVariable

(Recommended: on) Activate DNS over TLS (DOT) with Unbound

Default: on|off
Value: on

DNS_UPSTREAM_RESOLVERSVariable

Comma delimited list of DNS over TLS providers

Default: cira family|cira private|cira protected|cleanbrowsing adult|cleanbrowsing family|cleanbrowsing security|cloudflare|cloudflare family|cloudflare security|google|libredns|opendns|quad9|quad9 secured|quad9 unsecured|quadrant
Value: cloudflare

DNS_BLOCK_IP_PREFIXESVariable

All private CIDRs ranges. Comma separated list of CIDRs or single IP addresses Unbound won't resolve to. Note that the default setting prevents DNS rebinding

Default: 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
Value: 127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112

DNS_CACHINGVariable

OPTIONAL: Unbound caching

Default: on|off
Value: on

DNS_UPSTREAM_IPV6Variable

OPTIONAL: DNS IPv6 resolution

Default: on|off
Value: off

BLOCK_MALICIOUSVariable

OPTIONAL: Block malicious hostnames and IPs with Unbound

Default: on|off
Value: on

BLOCK_SURVEILLANCEVariable

OPTIONAL: Block surveillance hostnames and IPs with Unbound

Default: on|off
Value: off

BLOCK_ADSVariable

OPTIONAL: Block ads hostnames and IPs with Unbound

Default: on|off
Value: off

UNBLOCKVariable

OPTIONAL: Comma separated list of domain names to leave unblocked with Unbound. i.e. domain1.com,x.domain2.co.uk

DNS_UPDATE_PERIODVariable

OPTIONAL: Period to update block lists and cryptographic files and restart Unbound. Set to 0 to deactivate updates. i.e. 0, 30s, 5m, 24h

Default: 24h
Value: 24h

DNS_ADDRESSVariable

OPTIONAL: IP address to use as DNS resolver if DOT is off

DNS_KEEP_NAMESERVERVariable

OPTIONAL: Keep the nameservers in /etc/resolv.conf untouched, but disabled DNS blocking features

Default: off|on
Value: off

HTTPPROXYVariable

OPTIONAL: Enable the internal HTTP proxy

Default: off|on
Value: off

HTTPPROXY_LOGVariable

OPTIONAL: Logs every tunnel requests

Default: off|on
Value: off

HTTPPROXY_PORTPorttcp

Internal port number for the HTTP proxy to listen on

Target: 8888
Default: 8888
Value: 8888

HTTPPROXY_USERVariable

OPTIONAL: Username to use to connect to the HTTP proxy

HTTPPROXY_PASSWORDVariable

OPTIONAL: Password to use to connect to the HTTP proxy

ENABLE_HTTPPROXY_STEALTHVariable

OPTIONAL: Stealth mode means HTTP proxy headers are not added to your requests

Target: HTTPPROXY_STEALTH
Default: off|on
Value: off

SHADOWSOCKSVariable

OPTIONAL: Enable the internal Shadowsocks proxy

Default: off|on
Value: off

SHADOWSOCKS_LOGVariable

OPTIONAL: Enable Shadowsocks logging

Default: off|on
Value: off

SHADOWSOCKS_LISTENING_ADDRESSVariable

OPTIONAL: Port number for the HTTP proxy to listen on

Target: :8388
Default: :8388
Value: :8388

SHADOWSOCKS_PASSWORDVariable

OPTIONAL: Password to use to connect to Shadowsocks

SHADOWSOCKS_CIPHERVariable

OPTIONAL: Cipher to use for Shadowsocks

Default: chacha20-ietf-poly1305|aes-128-gcm|aes-256-gcm
Value: chacha20-ietf-poly1305

UPDATER_PERIODVariable

OPTIONAL: Period to update all VPN servers information in memory and to /gluetun/servers.json. Set to 0 to disable. This does a burst of DNS over TLS requests, which may be blocked if you set BLOCK_MALICIOUS=on for example. Valid duration string such as 24h.

Default: 0
Value: 0

PORT_FORWARD_ONLYVariable

OPTIONAL: Filter only port-forwarding enabled (aka *p2p*) servers (pia and protonvpn only)

Default: off|on
Value: off

VPN_PORT_FORWARDING_STATUS_FILEVariable

OPTIONAL: File path to use for writing the forwarded port obtained. https://github.com/qdm12/gluetun-wiki

Default: /gluetun/forwarded_port
Value: /gluetun/forwarded_port

VPN_PORT_FORWARDING_UP_COMMANDVariable

OPTIONAL: Command to run when port forwarding has finished setting up (pia and protonvpn only). https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_DOWN_COMMANDVariable

OPTIONAL: Command to run when port forwarding has finished tearing down (pia and protonvpn only). https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_PROVIDERVariable

OPTIONAL: Choose the custom port forwarding code to use. This is useful when using the custom provider with Wireguard. For PIA, make sure you set SERVER_NAMES=xxxx. https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_USERNAMEVariable

OPTIONAL: This is needed when using the custom provider with Wireguard with PIA. https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_PASSWORDVariable

OPTIONAL: This is needed when using the custom provider with Wireguard with PIA. https://github.com/qdm12/gluetun-wiki

HEALTH_SERVER_ADDRESSVariable

OPTIONAL: Internal Health Server Listening Addroess

Default: 127.0.0.1:9999
Value: 127.0.0.1:9999

HEALTH_TARGET_ADDRESSVariable

OPTIONAL: Address used to check tunnel health

Default: cloudflare.com:443
Value: cloudflare.com:443

PUBLICIP_FILEVariable

OPTIONAL: Filepath to store the public IP address assigned

Default: /gluetun/ip
Value: /gluetun/ip

PUBLICIP_ENABLEDVariable

OPTIONAL: Check for public IP address information on VPN connection.

Default: true|false
Value: true

VERSION_INFORMATIONVariable

OPTIONAL: Filepath to store the public IP address assigned

Default: on|off
Value: on

HTTP_CONTROL_SERVER_PORTPorttcp

Container Port: 8000

Target: 8000
Default: 8000
Value: 8000

HTTP_CONTROL_SERVER_LOGVariable

OPTIONAL: Enable logging of HTTP requests

Default: on|off
Value: on

PUIDVariable

Container Variable: PUID

Value: 1000

PGIDVariable

Container Variable: PGID

Value: 1000

Links

Template Support Docker Hub Project

Details

Repository

qmcgaw/gluetun

Registry

https://hub.docker.com/r/qmcgaw/gluetun

Last Updated2026-05-05

First Seen2021-07-24

Run GluetunVPN on Unraid.

GluetunVPN is listed in Community Apps for Unraid OS. Explore Unraid to build a flexible home server, NAS, or homelab.

Explore Unraid OS