Gluetun — Setup
NordVPN WireGuard gateway. Runs on a dedicated Debian LXC (110). Exposes an HTTP proxy for other services to route traffic through the VPN. Control UI at https://gluetun.eva-00.network (port 8000). HTTP proxy is internal only.
Infrastructure
| Host | LXC ID | HTTP Proxy |
|---|---|---|
| Debian LXC | 110 | 192.168.1.110:8888 |
Note: SOCKS5 is not supported in the current qmcgaw/gluetun image. Use HTTP proxy for all VPN-routed services.
Observability
Logs
Gluetun logs are collected via Grafana Alloy Docker discovery and shipped to Loki.
| Query | Purpose |
|---|---|
{container="gluetun"} |
All container output |
{container="gluetun"} \|= "error" |
Errors only |
{container="gluetun"} \|= "vpn" |
VPN connection issues |
Access: Grafana → Explore → Loki → Enter query
Metrics
Gluetun does not export Prometheus metrics by default. Use Loki logs to diagnose VPN connectivity issues.
IaC
| Artifact | Path |
|---|---|
| Playbook | ansible/playbooks/gluetun.yml |
| Workflow | .forgejo/workflows/gluetun.yml |
| Compose | services/gluetun/docker-compose.yml |
Secrets
secret/gluetun/nordvpn → wireguard_private_key
Using Gluetun from another service
Via HTTP proxy (standard environment variables)
Add to any docker-compose service that needs VPN routing:
environment:
- HTTP_PROXY=http://192.168.1.110:8888
- HTTPS_PROXY=http://192.168.1.110:8888
Via application proxy settings
Configure HTTP proxy in app settings: 192.168.1.110:8888 (HTTP type, not SOCKS5).
Changing VPN provider or country
Update environment vars in services/gluetun/docker-compose.yml and push to main. See Gluetun docs for other provider config.