DSM 6.2 running containers thru a VPN

so i've been running Jackett in a docker for a while now with no issues.
however, recently my ISP has started to block certain torrent sites that i use along with Jackett.

specifically Torrentleech, where the previous mirror i was using was the .cc version which has been blocked in the past few days. the .me version still works but i'm thinking that i should now just run Jackett thru a VPN.

i don't want to run the whole NAS thru a VPN though, so is it possible to run just Jackett thru a VPN?
i've vaguely heard about a docker container that just connects to a VPN and then you run your other containers thru that? is that correct? if so, any suggestions?

I already have a surfshark account (although that is about to expire and may move over to PIA).

i currently have containers for the following
Jackett
Sonarr
Radarr
Sabnzbd
Deluge
 
In this article, I have a quick guide on how to use a VPN container as a gateway for all your other containers. This way you will only have them inside a tunnel and not your whole NAS.

that guide is based on the assumption of already using a qbittorrent container with VPN capabilities built-in?
I don't have a VPN container at all at the moment.

so i guess before using your guide i would need to firstly have a container with the VPN connection.
 
that guide is based on the assumption of already using a qbittorrent container with VPN capabilities built-in?
I don't have a VPN container at all at the moment.

so i guess before using your guide i would need to firstly have a container with the VPN connection.
Correct. Also covered in the same article (above) and on the bottom if you are in DSM7 already.
 
Also covered in the same article (above)

is it? all i can see is reference to using the qbittorrent container as a gateway.
i'd rather just have a container that solely does VPN and nothing else (ie no torrent clients etc). is that not possible?
 
i guess that was part of my original post question.
any suggestions of a suitable container?
 
 
as a side note. can anyone check if they are able to pull an image from linuxserver/jackett from the synology docker registry? when i try to pull the latest image, it thinks about it for a while (around 2 minutes) then eventually says "timeout, please try again"

don't seem to have any issues with any other images (even from the same source).
 
having looked into it further, i think the better solution would be to have each docker container have its own LAN IP address, that means i can then decide which containers i want to route thru a VPN (as my router has the capability to do this based on IP address).

so i guess i'll need to look into how to set up macvlan to get an IP address for each container.
 
Keep in mind that if those containers will need any communication with any other container on the same host that is under the bridged network, or to the host itself, you will not be able to communicate with them. Read up on limitations for macvlan.

ohhh... well yes they would need to communicate with each other.

Jackett needs to communicate with Radarr and Sonarr, and Radarr and Sonarr need to communicate with Deluge and Sabnzbd
and they would all (apart from jackett) need to be able to communicate with the host NAS to download to.

if they all are set up to have their own IP using macvlan then that wouldn't be an issue?

the problem is i only want to route certain traffic thru the VPN and the VPN setup on my router allows me to do that, but only via IP address.
 
if they all are set up to have their own IP using macvlan then that wouldn't be an issue?
They will yes.

Still think you are complicating things. Just set up a vpn container (with or without the client, as you don’t have to use it), and route the other containers through it. No macvlan needed at all.
 
They will have an issue or they won’t?

My router already can route certain local IPs thru the vpn, so creating yet another container to do what the router can already do would seem the more cumbersome option?
 
Hi there,
I would love to see some further support on this:

My docker-compose is this:
YAML:
version: "3.5"

services:
  ovpn-gw:
    image: ubuntu:22.04
    stdin_open: true # docker run -i
    tty: true        # docker run -t
    networks:
      - bridge_vpn
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    container_name: ovpn-gw
    #volumes:
    #ports:
    environment:
      - TZ=Europe/Berlin
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    restart: unless-stopped

networks:
  bridge_vpn:
    external: true

The config about sysctls and cap_add was necessary to make the vpn-connection work.
Unfortunately, after starting the ovpn-connection on this container successfully, I am not able to access internet via this interface.
What configuration is needed?
 
Looks like a routing and/or DNS problem. What does the bridge_vpn container/compose look like?
 
Hi @Rusty - thanks for the reply:
Since I am using Portainer to administrate my containers, the config for the new added bridge_vpn network looks like this:

1710327274538.png
 
My mistake, I have misread the compose. I thought that you are running this ubuntu against an already running vpn container.

So what's the purpose of this container exactly?
I would love to use this container as gateway for other containers, but first of all I prepared the container and wanted to make sure, that VPN is connecting and VPN-Public-IP working for the connection.
But can't check if no internet after VPN connection is established :/
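
An added example, not from any post in this thread: one way to put Jackett behind the ovpn-gw container from the compose file above is to let it share that container's network namespace. The Jackett port 9117, the tun0 interface name and the host config path are assumptions.

```yaml
# Constructed example: Jackett runs inside ovpn-gw's network namespace.
version: "3.5"

services:
  ovpn-gw:
    image: ubuntu:22.04          # as in the post; OpenVPN is still started inside by hand
    container_name: ovpn-gw
    stdin_open: true
    tty: true
    networks:
      - bridge_vpn
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    environment:
      - TZ=Europe/Berlin
    ports:
      # Jackett has no network stack of its own, so its web UI port is
      # published here, on the container that owns the namespace.
      - "9117:9117"
    healthcheck:
      # Healthy only while the tunnel interface exists (tun0 is an assumption).
      test: ["CMD-SHELL", "test -d /sys/class/net/tun0"]
      interval: 30s
      timeout: 5s
      retries: 3
    restart: unless-stopped

  jackett:
    image: linuxserver/jackett
    container_name: jackett
    # Share ovpn-gw's interfaces, routes and DNS; no "networks" or "ports" here.
    network_mode: "service:ovpn-gw"
    depends_on:
      - ovpn-gw
    environment:
      - TZ=Europe/Berlin
    volumes:
      - ./jackett/config:/config   # hypothetical host path
    restart: unless-stopped

networks:
  bridge_vpn:
    external: true
```

Other containers on bridge_vpn reach Jackett at ovpn-gw:9117 rather than by a jackett hostname. The healthcheck only reports tunnel state: if tun0 disappears, traffic in the shared namespace falls back to the bridge's default route unless firewall rules inside ovpn-gw drop non-tunnel egress.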
 
