
Gluetun — Runbook

Routine Tasks

Check VPN status and public IP

curl http://192.168.1.110:8000/v1/vpn/status
curl http://192.168.1.110:8000/v1/publicip/ip
Or open gluetun.eva-00.network for the control UI.

Test proxy routing

# Should return a NordVPN Netherlands IP, not your home IP
curl --proxy http://192.168.1.110:8888 https://ifconfig.co
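
The two checks above can be combined into one leak check. This is an added example, not part of the original runbook. It assumes /v1/vpn/status answers with JSON such as {"status":"running"} and that the host running it reaches the internet directly (not via the VPN); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the runbook): VPN status + proxy egress leak check.
# Assumption: /v1/vpn/status answers with JSON such as {"status":"running"}.
# Function names are hypothetical; endpoints are the ones this runbook uses.
GLUETUN_API="http://192.168.1.110:8000"
GLUETUN_PROXY="http://192.168.1.110:8888"
IP_ECHO="https://ifconfig.co"

# Pull the "status" value out of the control server's JSON body.
vpn_status_of() {
    printf '%s' "$1" |
        sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Args: status, IP seen through the proxy, IP seen directly from this host.
# Prints ok | vpn-down | proxy-unreachable | no-baseline | leak; non-zero unless ok.
leak_verdict() {
    if [ "$1" != "running" ]; then echo "vpn-down"; return 1; fi
    if [ -z "$2" ]; then echo "proxy-unreachable"; return 1; fi
    if [ -z "$3" ]; then echo "no-baseline"; return 1; fi
    if [ "$2" = "$3" ]; then echo "leak"; return 1; fi
    echo "ok"
}

# Live check; run from a LAN host whose own traffic does not use the VPN.
check_live() {
    body=$(curl -fsS --max-time 5 "$GLUETUN_API/v1/vpn/status") || body=""
    proxied=$(curl -fsS --max-time 10 --proxy "$GLUETUN_PROXY" "$IP_ECHO") || proxied=""
    direct=$(curl -fsS --max-time 10 "$IP_ECHO") || direct=""
    leak_verdict "$(vpn_status_of "$body")" "$proxied" "$direct"
}

if [ "${1:-}" = "--live" ]; then check_live; exit $?; fi

# Offline demo on constructed values (documentation-range IPs, not real hosts).
leak_verdict "$(vpn_status_of '{"status":"running"}')" 203.0.113.20 198.51.100.7 || true
leak_verdict "$(vpn_status_of '{"status":"running"}')" 198.51.100.7 198.51.100.7 || true
leak_verdict "$(vpn_status_of '{"status":"stopped"}')" "" 198.51.100.7 || true
```

Run it with --live to query the real endpoints; the non-zero exit code on anything other than ok makes it usable from cron or a monitoring hook.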

Rotate NordVPN WireGuard key

  1. Get a new key via NordVPN API with a fresh access token
  2. Store via vault-write workflow: path gluetun/nordvpn, patch true, data {"wireguard_private_key": "<new-key>"}
  3. Trigger Deploy Gluetun workflow to redeploy

Killswitch & VPN leak protection

Gluetun itself blocks all traffic from its container if the VPN drops.

Both qBittorrent instances on LXC 110 (dlbox) use network_mode: "service:gluetun", which places them in Gluetun's network namespace and so forces all their traffic through the VPN tunnel at the Docker network level. No separate iptables killswitch is needed: if the VPN drops, the containers have no internet.

Additionally, FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24 allows LAN access (WebUI, Samba) from inside the VPN namespace.


Alerting

Gatus monitors GET /v1/vpn/status every minute and alerts via n8n if the VPN status is not running.


Logs

| Log | Contents | Location | Loki query | Format |
|-----|----------|----------|------------|--------|
| Gluetun | VPN connection status, WireGuard handshakes, DNS, errors | Docker (LXC 110) stdout | {job="gluetun", container="gluetun"} | Plain text |

Notes:

  - SSH fallback: ssh [email protected] "docker logs gluetun"


Troubleshooting

Services routing through Gluetun can't reach the internet

  1. Check VPN status: curl http://192.168.1.110:8000/v1/vpn/status
  2. Check logs for WireGuard connection errors or authentication failures
  3. Verify the WireGuard private key in Vault is still valid (secret/gluetun/nordvpn)
  4. If the key has been rotated in NordVPN, update via vault-write workflow and redeploy

Seedbox (qBittorrent) not connecting to peers

Gluetun (LXC 110) must be running. Check VPN status first, then restart qBittorrent if needed.