Back to appsSubmit
vpn-gateway

vpn-gateway

Docker app from ProphetSe7en's Repository

Overview

VPN gateway with nftables bandwidth limiting, scheduling, hot-reload, and web UI. Built on hotio/base:alpinevpn — all hotio VPN features (WireGuard, PIA, Proton) work out of the box. Route containers through WireGuard with per-service rate limits, time-based rules, and real-time traffic monitoring. First boot redirects to /setup to create an admin account — Radarr/Sonarr-style auth with API key for Homepage/scripts.

Requirements

Click Show more settings for all VPN variables. Generic provider requires a WireGuard config in /config/wireguard/wg0.conf. PIA/Proton auto-configure with credentials. First container start redirects to /setup — set a strong admin password (≥10 chars, 2+ of upper/lower/digit/symbol). Homepage widget uses /api/stats/widget (public, no auth needed); other /api/ endpoints need X-Api-Key header from Settings → Security.

Runtime arguments

Web UI
http://[IP]:[PORT:6050]
Network
bridge
Shell
bash
Privileged
false
Extra Params
--hostname=vpn-gateway.internal --cap-add=NET_ADMIN

Template configuration

Traffic Monitor Web UIPorttcp

Traffic monitor and bandwidth management web UI

Target
6050
Default
6050
Container Web UIPorttcp

Web UI port for a container routed through the gateway (e.g. qBittorrent, Deluge, IPTV). Must match the listening port on that container and be included in VPN_EXPOSE_PORTS_ON_LAN. Add additional port mappings for more containers.

Target
7075
Default
7075
Config PathPathrw

Config directory (WireGuard conf, traffic.conf, stats)

Target
/config
Default
/mnt/user/appdata/vpn-gateway
VPN_ENABLEDVariable

Container Variable: VPN_ENABLED

Default
true|false
VPN_CONFVariable

Container Variable: VPN_CONF

Default
wg0
VPN_PROVIDERVariable

Container Variable: VPN_PROVIDER

Default
generic|proton|pia
VPN_LAN_NETWORKVariable

Container Variable: VPN_LAN_NETWORK

Default
192.168.1.0/24
VPN_LAN_LEAK_ENABLEDVariable

Container Variable: VPN_LAN_LEAK_ENABLED

Default
false|true
VPN_EXPOSE_PORTS_ON_LANVariable

Container Variable: VPN_EXPOSE_PORTS_ON_LAN

VPN_AUTO_PORT_FORWARDVariable

Container Variable: VPN_AUTO_PORT_FORWARD

Default
false|true
VPN_PORT_REDIRECTSVariable

Container Variable: VPN_PORT_REDIRECTS

VPN_HEALTHCHECK_ENABLEDVariable

Container Variable: VPN_HEALTHCHECK_ENABLED

Default
true|false
VPN_NAMESERVERSVariable

Container Variable: VPN_NAMESERVERS

Default
1.1.1.1,8.8.8.8
VPN_PIA_USERVariable

Container Variable: VPN_PIA_USER

VPN_PIA_PASSVariable

Container Variable: VPN_PIA_PASS

VPN_PIA_PREFERRED_REGIONVariable

Container Variable: VPN_PIA_PREFERRED_REGION

VPN_PIA_DIP_TOKENVariable

Container Variable: VPN_PIA_DIP_TOKEN

VPN_PIA_PORT_FORWARD_PERSISTVariable

Container Variable: VPN_PIA_PORT_FORWARD_PERSIST

Default
false|true
TZVariable

Container Variable: TZ

Default
America/New_York
PUIDVariable

Container Variable: PUID

Default
99
PGIDVariable

Container Variable: PGID

Default
100
UMASKVariable

Container Variable: UMASK

Default
002
TRUSTED_NETWORKSVariable

Optional: pin the Trusted Networks CIDR list at host level. Comma-separated list (e.g. 192.168.0.0/24, 192.168.0.5/32). When set, overrides the UI value and the UI field is locked. Leave empty to manage from the Security panel.

TRUSTED_PROXIESVariable

Optional: pin the Trusted Proxies list at host level for reverse-proxy deployments (SWAG, Authelia). Comma-separated list of proxy IPs that are allowed to set X-Forwarded-For. When set, overrides the UI value and the UI field is locked.

Categories

Network

Links

TemplateSupportRegistryProject

Details

Repository
ghcr.io/prophetse7en/vpn-gateway:v1.4.2
Registry
https://github.com/prophetse7en/vpn-gateway/pkgs/container/vpn-gateway
Last Updated2026-05-31
First Seen2026-04-24

Run vpn-gateway on Unraid.

vpn-gateway is listed in Community Apps for Unraid OS. Explore Unraid to build a flexible home server, NAS, or homelab.

Explore Unraid OS