Setup section

Quentin McGaw
2020-09-24 22:10:40 -04:00
parent d0608f6e36
commit 5afd35dc91
5 changed files with 100 additions and 0 deletions
+1
@@ -1,4 +1,5 @@
# Home
1. [Setup](Setup)
1. [HTTP Control server](HTTP-Control-server)
1. [Contributing](Contributing)
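Review bot: only `Setup` is linked from Home, while this commit also adds the Advanced-setup, External-firewall, Synology and Testing pages; either link them here (for example `1. [Advanced setup](Advanced-setup)`) or state on the Setup page that they are reached from there, otherwise a reader has no path to the new pages from Home.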
+20
@@ -0,0 +1,20 @@
# Advanced setup
## Custom iptables rules
If you need to specify additional iptables rules to be run after the built-in iptables rules, you can use the file at `/iptables/post-rules.txt` with one iptables command per line and these will automatically be run on container start.
For example the `/iptables/post-rules.txt` file could contain:
```sh
iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d 192.168.2.0/24 -p udp --sport 1197 -j ACCEPT
iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d 192.168.2.0/24 -p tcp --sport 1197 -j ACCEPT
```
## Disable the healthcheck
If the Docker healthcheck (not running in Kubernetes) is bothering you because it accesses ip echo websites periodically, you can disable with `--no-healthcheck` or for docker-compose.yml:
```yml
healthcheck:
disable: true
```
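Review bot: the `post-rules.txt` example matches return traffic by source port only (`--sport 1197` with `-s 0.0.0.0/0`), which any remote host can satisfy by sending from port 1197, so the rule opens the container to the whole internet rather than to the VPN server; since these lines are executed verbatim as root on every container start, the example should show a tighter rule, restricting `-s` to the VPN server address or using `-m conntrack --ctstate ESTABLISHED,RELATED`, and the section should warn that whoever can write to the mounted `/iptables/post-rules.txt` controls the container's firewall.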
+42
@@ -0,0 +1,42 @@
# External firewall
If you have a strict firewall setup (host level or router level), you will need to let some ports through for this container to work.
## VPN connections
You need the following to allow communicating with the VPN servers
### Private Internet Access
- If `PIA_ENCRYPTION=strong` and `PROTOCOL=udp`: allow outbound UDP 1197 to the corresponding VPN server IPs
- If `PIA_ENCRYPTION=normal` and `PROTOCOL=udp`: allow outbound UDP 1198 to the corresponding VPN server IPs
- If `PIA_ENCRYPTION=strong` and `PROTOCOL=tcp`: allow outbound TCP 501 to the corresponding VPN server IPs
- If `PIA_ENCRYPTION=normal` and `PROTOCOL=tcp`: allow outbound TCP 502 to the corresponding VPN server IPs
### Mullvad
- If `PORT=`, please refer to the mapping of Mullvad servers in [these source code lines](../internal/constants/mullvad.go#L64-L667) to find the corresponding UDP port number and IP address(es) of your choice
- If `PORT=53`, allow outbound UDP 53 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](../internal/constants/mullvad.go#L64-L667)
- If `PORT=80`, allow outbound TCP 80 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](../internal/constants/mullvad.go#L64-L667)
- If `PORT=443`, allow outbound TCP 443 to the corresponding VPN server IPs, which you can fine in [the mapping of Mullvad servers](../internal/constants/mullvad.go#L64-L667)
### Windscribe
- If `PROTOCOL=udp`: allow outbound UDP 443 to the corresponding VPN server IPs
- If `PROTOCOL=tcp`: allow outbound TCP 1194 to the corresponding VPN server IPs
### Surfshark
- If `PROTOCOL=udp`: allow outbound UDP 1194 to the corresponding VPN server IPs
- If `PROTOCOL=tcp`: allow outbound TCP 1443 to the corresponding VPN server IPs
### Cyberghost
- If `PROTOCOL=udp`: allow outbound UDP 1443 to the corresponding VPN server IPs
- If `PROTOCOL=tcp`: allow outbound TCP 1443 to the corresponding VPN server IPs
## Inbound connections
- If `SHADOWSOCKS=on`, allow inbound TCP 8388 and UDP 8388 from your LAN
- If `TINYPROXY=on`, allow inbound TCP 8888 from your LAN
- If you want access to the built-in HTTP control server, allow inbound TCP 8000 from your LAN
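Review bot: `If PORT=` in the Mullvad list is ambiguous because the value is empty; say explicitly that this is the case when `PORT` is left unset and name the default UDP port, or drop the bullet. The three links to `mullvad.go#L64-L667` pin a line range that will drift with the next edit to that file; link to a commit-pinned permalink or just to the file. Also `you can fine in` should read `you can find in` in the three Mullvad bullets.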
+16
@@ -0,0 +1,16 @@
# Synology
On some Synology devices, it is required to re-install the `tun` kernel module on your host **at every boot**.
To do so, open a terminal and enter:
```sh
sudo insmod /lib/modules/tun.ko
```
You might want to [write a shell script to run as root at boot](https://help.synology.com/developer-guide/integrate_dsm/run_with_system_boot.html) with for example:
```sh
#!/bin/sh
insmod /lib/modules/tun.ko
```
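Review bot: `insmod /lib/modules/tun.ko` fails with `File exists` when the module is already loaded, so the boot script should guard it, for example `lsmod | grep -q '^tun ' || insmod /lib/modules/tun.ko`, and check the exit status so a missing or mismatched `tun.ko` shows up in the boot log instead of silently leaving the container without a TUN device. Also `re-install` should read `re-load`: insmod loads the module into the running kernel, it does not install anything.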
+21
@@ -0,0 +1,21 @@
# Testing
Once your container is up and running, you may want to test your connection is correct and secured.
## Check your IP address
Assuming your container is called `gluetun`, run:
```sh
docker run --rm --network=container:gluetun alpine:3.12 wget -qO- https://ipinfo.io
```
in order to obtain the VPN IP address and ensure the connection is working.
## Check DNS over TLS
Ideally, use a computer and connect to `gluetun` using a Shadowsocks client tunneling UDP (for DNS) to test the following:
- Check DNSSEC using [internet.nl/connection](https://www.internet.nl/connection/)
- Check DNS leaks with [https://www.dnsleaktest.com](https://www.dnsleaktest.com)
- Some other DNS leaks tests might not work because of [this](https://github.com/qdm12/cloudflare-dns-server#verify-dns-connection) (*TLDR*: Unbound DNS server is a local caching intermediary)
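Review bot: the page promises to test that the connection is `correct and secured`, but the only check is the egress IP; add a negative test for the kill switch (stop or break the VPN and confirm that the same `wget` through `--network=container:gluetun` now fails instead of returning the host's real IP). The `Check DNS over TLS` heading does not match its bullets, which test DNSSEC and DNS leaks; none of them shows that queries actually leave over TLS, so either rename the heading or add a check for that. Also `test your connection is correct` should read `test that your connection is correct`.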