Overview

Gluetun VPN client

Lightweight swiss-knife-like VPN client to multiple VPN service providers

Quick links Features
  • Based on Alpine 3.18 for a small Docker image of 35.6MB
  • Supports: AirVPN, Cyberghost, ExpressVPN, FastestVPN, Giganews, HideMyAss, IPVanish, IVPN, Mullvad, NordVPN, Perfect Privacy, Privado, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, SlickVPN, Surfshark, TorGuard, VPNSecure.me, VPNUnlimited, Vyprvpn, WeVPN, Windscribe servers
  • Supports OpenVPN for all providers listed
  • Supports Wireguard both kernelspace and userspace
    • For Mullvad, Ivpn, Surfshark and Windscribe
    • For ProtonVPN, PureVPN, Torguard, VPN Unlimited and WeVPN using the custom provider
    • For custom Wireguard configurations using the custom provider
    • More in progress, see: https://github.com/qdm12/gluetun/issues/134
  • DNS over TLS baked in with service provider(s) of your choice
  • DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
  • Choose the vpn network protocol, udp or tcp
  • Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
  • Built in Shadowsocks proxy (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
  • Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
  • Connect other containers to it
  • Connect LAN devices to it
  • Compatible with amd64, i686 (32 bit), ARM 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
  • Custom VPN server side port forwarding for Private Internet Access
  • Possibility of split horizon DNS by selecting multiple DNS over TLS providers
  • Unbound subprogram drops root privileges once launched
  • Can work as a Kubernetes sidecar container, thanks @rorph
Setup

🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible!

Go to the Wiki: https://github.com/qdm12/gluetun-wiki
🆕 Image also available as ghcr.io/qdm12/gluetun

License

MIT: https://github.com/qdm12/gluetun/master/LICENSE

Gluetun VPN client

Lightweight swiss-army-knife-like VPN client to multiple VPN service providers

⚠️ This and gluetun-wiki are the only websites for Gluetun, other websites claiming to be official are scams ⚠️

🗯️ this repository will be migrated to github.com/passteque/gluetun on 2026-05-21, which is a Github organization under my sole control, so don't get alarmed if you get redirected in the coming days 😉 Reason being migrating Github sponsors to the Open source collective due to my personal situation, basically annoying paperwork. On the plus side, it will be more transparent and funds donated will only be used for the project. The Docker image names will remain the same.

Title image

Build status

Docker pulls qmcgaw/gluetun Docker pulls qmcgaw/private-internet-access

Docker stars qmcgaw/gluetun Docker stars qmcgaw/private-internet-access

Last release Last Docker tag Last release size GitHub last release date Commits since release

Latest size

GitHub last commit GitHub commit activity GitHub closed PRs GitHub issues GitHub closed issues

Code size GitHub repo size Go version

Visitors count

Quick links

Features

  • Based on Alpine 3.23 for a small Docker image of 43.1MB
  • Supports: AirVPN, Cyberghost, ExpressVPN, FastestVPN, Giganews, HideMyAss, IPVanish, IVPN, Mullvad (Wireguard only), NordVPN, Perfect Privacy, Privado, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, SlickVPN, Surfshark, TorGuard, VPNSecure.me, VPNUnlimited, Vyprvpn, Windscribe servers
  • Supports OpenVPN for all providers listed
  • Supports Wireguard both kernelspace and userspace
    • For AirVPN, FastestVPN, Ivpn, Mullvad, NordVPN, Perfect privacy, ProtonVPN, Surfshark and Windscribe
    • For Cyberghost, Private Internet Access, PrivateVPN, PureVPN, Torguard, VPN Unlimited and VyprVPN using the custom provider
    • For custom Wireguard configurations using the custom provider
    • More in progress, see #134
  • Supports AmneziaWG only with the custom provider for now
  • DNS over TLS baked in with service provider(s) of your choice
  • DNS fine blocking of malicious/ads hostnames and IP addresses, with live update every 24 hours
  • Choose the vpn network protocol, udp or tcp
  • Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
  • Built in Shadowsocks proxy server (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
  • Built in Socks5 proxy server (tunnels TCP+UDP) - partial credits to @angelakis and @adjscent
  • Built in HTTP proxy (tunnels HTTP and HTTPS through TCP)
  • Connect other containers to it
  • Connect LAN devices to it
  • Compatible with amd64, i686 (32 bit), ARM 64 bit, ARM 32 bit v6 and v7, and even ppc64le 🎆
  • Custom VPN server side port forwarding for Perfect Privacy, Private Internet Access, PrivateVPN and ProtonVPN
  • Possibility of split horizon DNS by selecting multiple DNS over TLS providers
  • Can work as a Kubernetes sidecar container, thanks @rorph

Setup

🎉 There are now instructions specific to each VPN provider with examples to help you get started as quickly as possible!

Go to the Wiki!

🐛 Found a bug in the Wiki?!

Here's a docker-compose.yml for the laziest:

---
services:
  gluetun:
    image: qmcgaw/gluetun
    # container_name: gluetun
    # line above must be uncommented to allow external containers to connect.
    # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/connect-a-container-to-gluetun.md#external-container-to-gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /yourpath:/gluetun
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_SERVICE_PROVIDER=ivpn
      - VPN_TYPE=openvpn
      # OpenVPN:
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      # Wireguard:
      # - WIREGUARD_PRIVATE_KEY=wOEI9rqqbDwnN8/Bpp22sVz48T71vJ4fYmFWujulwUU=
      # - WIREGUARD_ADDRESSES=10.64.222.21/32
      # Timezone for accurate log times
      - TZ=
      # Server list updater
      # See https://github.com/qdm12/gluetun-wiki/blob/main/setup/servers.md#update-the-vpn-servers-list
      - UPDATER_PERIOD=

🆕 Image also available as ghcr.io/qdm12/gluetun

Fun graphs

Star History Chart

License

MIT

Install GluetunVPN on Unraid in a few clicks.

Find GluetunVPN in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for GluetunVPN Review the template variables and paths Click Install

Download Statistics

47,160,327
Total Downloads
3,143,230
This Month
2,638,912
Avg / Month

Total Downloads Over Time

Loading chart...

Related apps

Explore more like this

Explore all

Details

Repository
qmcgaw/gluetun
Last Updated2026-06-24
First Seen2021-07-24

Runtime arguments

Web UI
http://[IP]:[PORT:8000]
Network
bridge
Privileged
false
Extra Params
--cap-add=NET_ADMIN --restart=unless-stopped

Template configuration

TIMEZONEVariable

Specify a timezone to use to have correct log times. i.e. Europe/London

Target
TZ
configPathrw

Container Path: /gluetun

Target
/gluetun
Default
/mnt/user/appdata/gluetun
Value
/mnt/user/appdata/gluetun
VPN_SERVICE_PROVIDERVariable

VPN Service Provider

Default
private internet access|airvpn|cyberghost|expressvpn|fastestvpn|hidemyass|ipvanish|ivpn|mullvad|nordvpn|perfect privacy|privado|privatevpn|protonvpn|purevpn|slickvpn|surfshark|torguard|vpnsecure|vpn unlimited|vyprvpn|wevpn|windscribe|custom
Value
private internet access
VPN_TYPEVariable

VPN Type. Default is OpenVPN. Note not all providers support Wireguard.

Default
openvpn|wireguard
Value
openvpn
VPN_INTERFACEVariable

OPTIONAL: Specify a custom network interface name to use. (e.g. tun0 or wg0)

Default
tun0
Value
tun0
VPN_ENDPOINT_PORTVariable

OPTIONAL: Custom OpenVPN/Wireguard server endpoint port to use

VPN_ENDPOINT_IPVariable

OPTIONAL: Specify a target VPN IP address to use

OPENVPN_PROTOCOLVariable

OPTIONAL: Container Variable: OPENVPN_PROTOCOL

Default
udp|tcp
Value
udp
OPENVPN_USERVariable

Container Variable: OPENVPN_USER

OPENVPN_PASSWORDVariable

Container Variable: OPENVPN_PASSWORD (Optional for Mullvad)

OPENVPN_VERSIONVariable

OPTIONAL: Set the OpenVPN version to run

Default
2.6|2.5
Value
2.6
OPENVPN_VERBOSITYVariable

OPTIONAL: OpenVPN verbosity level

Default
0|1|2|3|4|5|6
Value
1
OPENVPN_FLAGSVariable

OPTIONAL: Space delimited OpenVPN flags to pass to openvpn

OPENVPN_CIPHERSVariable

OPTIONAL: Specify one or more custom ciphers to use

OPENVPN_AUTHVariable

OPTIONAL: Specify a custom auth algorithm to use. i.e. sha256

OPENVPN_PROCESS_USERVariable

OPTIONAL: Run OpenVPN as root

Default
no|yes
Value
no
OPENVPN_IPV6Variable

OPTIONAL: Enable tunneling of IPv6 (only for Mullvad)

Default
off|on
Value
off
OPENVPN_CUSTOM_CONFIGVariable

OPTIONAL: The path to your OpenVPN configuration file. This implies VPN_SERVICE_PROVIDER=custom

WIREGUARD_IMPLEMENTATIONVariable

Implementation of Wireguard to use.

Default
auto|userspace|kernelspace
Value
auto
WIREGUARD_PRIVATE_KEYVariable

OPTINAL: 32 bytes private key in base64 format

WIREGUARD_PRESHARED_KEYVariable

OPTINAL: 32 bytes pre-shared key in base64 format

WIREGUARD_PUBLIC_KEYVariable

Only for VPN_SERVICE_PROVIDER=custom and VPN_TYPE=wireguard: Wireguard server public key

WIREGUARD_ADDRESSESVariable

Wireguard IP network in the format xx.xx.xx.xx/xx. Wireguard interface address, only required if VPN_TYPE=wireguard. Note this is usually specific by user and the same for all servers.

WIREGUARD_ALLOWED_IPSVariable

OPTIONAL: CSV of IP address ranges, only required if VPN_TYPE=wireguard. Note this is usually specific by user and the same for all servers.

Default
0.0.0.0/0,::/0
Value
0.0.0.0/0,::/0
WIREGUARD_MTUVariable

OPTIONAL: Any positive value up to 65535, only required if VPN_TYPE=wireguard.

Default
1320
Value
1320
WIREGUARD_PERSISTENT_KEEPALIVE_INTERVALVariable

OPTIONAL: Wireguard persistent keepalive interval. i.e. 25s.

SERVER_COUNTRIESVariable

OPTIONAL: Comma separated list of VPN countries. https://github.com/qdm12/gluetun-wiki

SERVER_CITIESVariable

OPTIONAL: Comma separated list of VPN cities. https://github.com/qdm12/gluetun-wiki

SERVER_NAMESVariable

OPTIONAL: (PIA ONLY) Single server hostname. https://github.com/qdm12/gluetun-wiki

SERVER_HOSTNAMESVariable

OPTIONAL: Comma separated list of server hostnames. https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDINGVariable

OPTIONAL: Enable custom port forwarding code for supported providers. https://github.com/qdm12/gluetun-wiki

Default
off|on
Value
off
VPN_PORT_FORWARDING_LISTENING_PORTVariable

OPTIONAL: Port redirection for the VPN server side port forwarded. https://github.com/qdm12/gluetun-wiki

FIREWALLVariable

Turn on or off the container built-in firewall. You should turn off for debugging purposes only.

Default
on|off
Value
on
FIREWALL_VPN_INPUT_PORTSVariable

OPTIONAL: Comma separated list of ports to allow from the VPN server side (useful for vyprvpn port forwarding)

FIREWALL_INPUT_PORTSVariable

OPTIONAL: Comma separated list of ports to allow through the default interface. This seems needed for Unraid containers and Kubernetes sidecars.

FIREWALL_OUTBOUND_SUBNETSVariable

OPTIONAL: You first need to set your LAN CIDR in FIREWALL_OUTBOUND_SUBNETS. For example with FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24

FIREWALL_DEBUGVariable

OPTIONAL: Prints every firewall related command. You should use it for debugging purposes only.

Default
off|on
Value
off
LOG_LEVELVariable

OPTIONAL: Container Variable: LOG_LEVEL

Default
info
Value
info
DNS_SERVERVariable

(Recommended: on) Activate DNS over TLS (DOT) with Unbound

Default
on|off
Value
on
DNS_UPSTREAM_RESOLVERSVariable

Comma delimited list of DNS over TLS providers

Default
cira family|cira private|cira protected|cleanbrowsing adult|cleanbrowsing family|cleanbrowsing security|cloudflare|cloudflare family|cloudflare security|google|libredns|opendns|quad9|quad9 secured|quad9 unsecured|quadrant
Value
cloudflare
DNS_BLOCK_IP_PREFIXESVariable

All private CIDRs ranges. Comma separated list of CIDRs or single IP addresses Unbound won't resolve to. Note that the default setting prevents DNS rebinding

Default
127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
Value
127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:7f00:1/104,::ffff:a00:0/104,::ffff:a9fe:0/112,::ffff:ac10:0/108,::ffff:c0a8:0/112
DNS_CACHINGVariable

OPTIONAL: Unbound caching

Default
on|off
Value
on
DNS_UPSTREAM_IPV6Variable

OPTIONAL: DNS IPv6 resolution

Default
on|off
Value
off
BLOCK_MALICIOUSVariable

OPTIONAL: Block malicious hostnames and IPs with Unbound

Default
on|off
Value
on
BLOCK_SURVEILLANCEVariable

OPTIONAL: Block surveillance hostnames and IPs with Unbound

Default
on|off
Value
off
BLOCK_ADSVariable

OPTIONAL: Block ads hostnames and IPs with Unbound

Default
on|off
Value
off
UNBLOCKVariable

OPTIONAL: Comma separated list of domain names to leave unblocked with Unbound. i.e. domain1.com,x.domain2.co.uk

DNS_UPDATE_PERIODVariable

OPTIONAL: Period to update block lists and cryptographic files and restart Unbound. Set to 0 to deactivate updates. i.e. 0, 30s, 5m, 24h

Default
24h
Value
24h
DNS_ADDRESSVariable

OPTIONAL: IP address to use as DNS resolver if DOT is off

DNS_KEEP_NAMESERVERVariable

OPTIONAL: Keep the nameservers in /etc/resolv.conf untouched, but disabled DNS blocking features

Default
off|on
Value
off
HTTPPROXYVariable

OPTIONAL: Enable the internal HTTP proxy

Default
off|on
Value
off
HTTPPROXY_LOGVariable

OPTIONAL: Logs every tunnel requests

Default
off|on
Value
off
HTTPPROXY_PORTPorttcp

Internal port number for the HTTP proxy to listen on

Target
8888
Default
8888
Value
8888
HTTPPROXY_USERVariable

OPTIONAL: Username to use to connect to the HTTP proxy

HTTPPROXY_PASSWORDVariable

OPTIONAL: Password to use to connect to the HTTP proxy

ENABLE_HTTPPROXY_STEALTHVariable

OPTIONAL: Stealth mode means HTTP proxy headers are not added to your requests

Target
HTTPPROXY_STEALTH
Default
off|on
Value
off
SHADOWSOCKSVariable

OPTIONAL: Enable the internal Shadowsocks proxy

Default
off|on
Value
off
SHADOWSOCKS_LOGVariable

OPTIONAL: Enable Shadowsocks logging

Default
off|on
Value
off
SHADOWSOCKS_LISTENING_ADDRESSVariable

OPTIONAL: Port number for the HTTP proxy to listen on

Target
:8388
Default
:8388
Value
:8388
SHADOWSOCKS_PASSWORDVariable

OPTIONAL: Password to use to connect to Shadowsocks

SHADOWSOCKS_CIPHERVariable

OPTIONAL: Cipher to use for Shadowsocks

Default
chacha20-ietf-poly1305|aes-128-gcm|aes-256-gcm
Value
chacha20-ietf-poly1305
UPDATER_PERIODVariable

OPTIONAL: Period to update all VPN servers information in memory and to /gluetun/servers.json. Set to 0 to disable. This does a burst of DNS over TLS requests, which may be blocked if you set BLOCK_MALICIOUS=on for example. Valid duration string such as 24h.

Default
0
Value
0
PORT_FORWARD_ONLYVariable

OPTIONAL: Filter only port-forwarding enabled (aka *p2p*) servers (pia and protonvpn only)

Default
off|on
Value
off
VPN_PORT_FORWARDING_STATUS_FILEVariable

OPTIONAL: File path to use for writing the forwarded port obtained. https://github.com/qdm12/gluetun-wiki

Default
/gluetun/forwarded_port
Value
/gluetun/forwarded_port
VPN_PORT_FORWARDING_UP_COMMANDVariable

OPTIONAL: Command to run when port forwarding has finished setting up (pia and protonvpn only). https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_DOWN_COMMANDVariable

OPTIONAL: Command to run when port forwarding has finished tearing down (pia and protonvpn only). https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_PROVIDERVariable

OPTIONAL: Choose the custom port forwarding code to use. This is useful when using the custom provider with Wireguard. For PIA, make sure you set SERVER_NAMES=xxxx. https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_USERNAMEVariable

OPTIONAL: This is needed when using the custom provider with Wireguard with PIA. https://github.com/qdm12/gluetun-wiki

VPN_PORT_FORWARDING_PASSWORDVariable

OPTIONAL: This is needed when using the custom provider with Wireguard with PIA. https://github.com/qdm12/gluetun-wiki

HEALTH_SERVER_ADDRESSVariable

OPTIONAL: Internal Health Server Listening Addroess

Default
127.0.0.1:9999
Value
127.0.0.1:9999
HEALTH_TARGET_ADDRESSVariable

OPTIONAL: Address used to check tunnel health

Default
cloudflare.com:443
Value
cloudflare.com:443
PUBLICIP_FILEVariable

OPTIONAL: Filepath to store the public IP address assigned

Default
/gluetun/ip
Value
/gluetun/ip
PUBLICIP_ENABLEDVariable

OPTIONAL: Check for public IP address information on VPN connection.

Default
true|false
Value
true
VERSION_INFORMATIONVariable

OPTIONAL: Filepath to store the public IP address assigned

Default
on|off
Value
on
HTTP_CONTROL_SERVER_PORTPorttcp

Container Port: 8000

Target
8000
Default
8000
Value
8000
HTTP_CONTROL_SERVER_LOGVariable

OPTIONAL: Enable logging of HTTP requests

Default
on|off
Value
on
PUIDVariable

Container Variable: PUID

Value
1000
PGIDVariable

Container Variable: PGID

Value
1000