Do you think it's good to run gluetun, traefik, wg-easy, and have everything pass through the gluetun tunnel?

I had a problem running Pangolin on my server at the house, not sure why… but I did want that kind of setup, so I spun this up and it seems to work fine. What do you think about this setup?

compose file:

```yaml
services:

  # WireGuard VPN Gateway
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    restart: unless-stopped
    volumes:
      - ./gluetun/wireguard:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=OF3BKQ6N7xxxxxxxx=
      - WIREGUARD_ADDRESSES=10.8.0.6/24 # Changed back to /24
      - WIREGUARD_ENDPOINT_IP=108.xx.xx.xx
      - WIREGUARD_ENDPOINT_PORT=51820
      - WIREGUARD_PUBLIC_KEY=2m8S/MDXRZ5xxxxxxxx=
      - DNS_ADDRESS=8.8.8.8,8.8.4.4 # Changed to Google DNS
      - BLOCK_MALICIOUS=off # Disable malicious IP blocking
      - DOT=off # Disable DNS over TLS
    # Containers that use network_mode: "service:gluetun" cannot have a
    # ports: section of their own; anything they need published goes here.
    ports:
      - "8080:8080" # Gluetun admin interface (optional)
    labels:
      - "traefik.enable=false"
    networks:
      - proxy

  # Main Traefik (NO VPN - routes to all services)
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # :ro only affects the mount; the Docker API behind the socket is still
      # fully usable, so whoever controls this container controls the host.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/config:/etc/traefik/config:ro
      - ./traefik/acme:/etc/traefik/acme:rw
      - ./traefik/logs:/var/log/traefik
    environment:
      - DUCKDNS_TOKEN=62f00a92-3f47-4275-xxxxxxxx
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik.xxxxxx.duckdns.org`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$2y$$xxxxxxxxxxxxxx"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # This middleware is defined but not attached to any router below.
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=websecure"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.xxxxxxx.duckdns.org`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=xxxxxx.duckdns.org"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.xxxxx.duckdns.org"
      - "traefik.http.routers.traefik-secure.service=api@internal"
    networks:
      - proxy

  # Example: Service WITHOUT VPN (normal routing)
  #whoami-normal:
  #  image: traefik/whoami
  #  container_name: whoami-normal
  #  restart: unless-stopped
  #  labels:
  #    - "traefik.enable=true"
  #    - "traefik.http.routers.whoami-normal.rule=Host(`whoami-normal.xxxxx.duckdns.org`)"
  #    - "traefik.http.routers.whoami-normal.entrypoints=websecure"
  #    - "traefik.http.routers.whoami-normal.tls.certresolver=letsencrypt"
  #  networks:
  #    - proxy

  # Example: Service WITH VPN (routed through Gluetun)
  whoami-vpn:
    image: traefik/whoami
    container_name: whoami-vpn
    restart: unless-stopped
    network_mode: "service:gluetun" # This routes through VPN
    depends_on:
      - gluetun
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami-vpn.rule=Host(`whoami-vpn.xxxxx.duckdns.org`)"
      - "traefik.http.routers.whoami-vpn.entrypoints=websecure"
      - "traefik.http.routers.whoami-vpn.tls.certresolver=letsencrypt"
      # Note: VPN services need to be discovered by container name since they share Gluetun's network
      - "traefik.http.services.whoami-vpn.loadbalancer.server.port=80"

  # Portainer - VPN
  portainer:
    image: portainer/portainer-ce
    container_name: portainer
    restart: unless-stopped
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    security_opt:
      - no-new-privileges:true
    #networks:
    #  - proxy
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Same caveat as for traefik: :ro does not limit what the Docker API allows.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./portainer/data:/data
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.routers.portainer.rule=Host(`portainer.xxxxx.duckdns.org`)"
      - "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
      - "traefik.http.routers.portainer-secure.entrypoints=websecure"
      - "traefik.http.routers.portainer-secure.rule=Host(`portainer.xxxxx.duckdns.org`)"
      - "traefik.http.routers.portainer-secure.tls=true"
      - "traefik.http.routers.portainer-secure.service=portainer"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

networks:
  proxy:
    name: proxy
    external: true
```

And I am using this setting with existing containers:

```yaml
network_mode: "container:gluetun"
```


Please, format your post according to the following guide using markdown mode in the composer: How to format your forum posts
In short: please, use </> button to share codes, terminal outputs, error messages or anything that can contain special characters which would be interpreted by the MarkDown filter. Use the preview feature to make sure your text is formatted as you would expect it and check your post after you have sent it so you can still fix it.

Example code block:

```
echo "I am a code."
echo "An athletic one, and I wanna run."
```

After fixing your post, please send a new comment so people are notified about the fixed content.



What are you trying to achieve? What’s your use case?

I had Pangolin running on a VPS and I tried to get it running on the home server, but it just didn't work, so I wanted the same kind of set-up at home that worked, and this seems to work just fine going through gluetun and wg-easy and traefik… I have it spun up at the house and it's working great… now that Pangolin has been updated maybe I will give it a try at the house again. I am not sure if the way it's set up doesn't work for me because all ports are blocked by the ISP; that's why I use traefik, and doing it this way it works.

From what I understand, this is what you want to achieve:
internet → wireguard endpoint somewhere in the internet → gluetun → traefik → target service

The link gluetun → traefik does not exist in your config, and it can not exist unless the gluetun container forwards all incoming traffic to the traefik container && the traefik container uses the gluetun container's IP as gateway.

Your best bet is to let traefik join the network namespace of the gluetun service with `network_mode: "service:gluetun"`. You would need to publish the traefik ports on the gluetun service. Since the gluetun service is attached to a bridge network, traefik should still be reachable from the host and through the gluetun VPN connection.

I am not sure how well the traefik configuration based on labels works if all target services are also using `network_mode: "service:gluetun"`, because they would all share the same IP and the same localhost. I have never used it like that and wonder if it actually can work like that.
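One way to lay out the topology the reply above suggests (traefik and the target services all inside gluetun's network namespace, with traefik's entrypoints published on gluetun), written here as an added example rather than anything from the reply's author, the original poster, or the gluetun/Traefik projects. The hostnames, the WireGuard values and the `./traefik/traefik.yml` file (which is assumed to define the `web`/`websecure` entrypoints, the `letsencrypt` resolver and the docker provider) are placeholders, and the `FIREWALL_INPUT_PORTS` setting is included because gluetun's built-in firewall otherwise drops inbound connections that arrive on the non-VPN interface, which is where Docker's published ports land:

```yaml
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      # Placeholders: use the real key material from the original file.
      - WIREGUARD_PRIVATE_KEY=xxxxxxxx=
      - WIREGUARD_PUBLIC_KEY=xxxxxxxx=
      - WIREGUARD_ENDPOINT_IP=108.xx.xx.xx
      - WIREGUARD_ENDPOINT_PORT=51820
      - WIREGUARD_ADDRESSES=10.8.0.6/24
      # Allow the published entrypoints in through gluetun's firewall.
      - FIREWALL_INPUT_PORTS=80,443
    # The namespace owner is the only place ports can be published for
    # everything below that joins it with network_mode: "service:gluetun".
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy

  traefik:
    image: traefik:v3.1   # pin a version instead of :latest
    container_name: traefik
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    security_opt:
      - no-new-privileges:true
    volumes:
      # :ro does not restrict the Docker API; this is host-root-equivalent access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/traefik.yml:/etc/traefik/traefik.yml:ro
      - ./traefik/acme:/etc/traefik/acme:rw
    labels:
      - "traefik.enable=false"

  whoami-vpn:
    image: traefik/whoami
    container_name: whoami-vpn
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    # Everything in this namespace shares one IP and one localhost, so each
    # service must listen on its own port and tell Traefik which one it is.
    command: ["--port", "8081"]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami-vpn.rule=Host(`whoami-vpn.example.duckdns.org`)"
      - "traefik.http.routers.whoami-vpn.entrypoints=websecure"
      - "traefik.http.routers.whoami-vpn.tls.certresolver=letsencrypt"
      - "traefik.http.services.whoami-vpn.loadbalancer.server.port=8081"

networks:
  proxy:
    name: proxy
    external: true
```

This relies on Traefik's docker provider resolving a container that runs in `container:<id>` network mode to the address of the container whose namespace it joined, which is why the labels still work without a `networks:` section on `whoami-vpn`; what the shared namespace does force is a distinct listening port per service, since two services cannot both bind port 80 on the same IP. Two things to keep in mind with this layout: any listener bound to localhost inside the namespace (Traefik's `api@internal` dashboard if it is exposed without the basicauth middleware, gluetun's control server, Portainer on 9000) is reachable from every other container in that namespace with no middleware in between, so a compromise of one service gives direct access to the others; and a container with the Docker socket mounted is root on the host regardless of `:ro`. To confirm that traffic from the namespace actually leaves through the tunnel, run `docker run --rm --network=container:gluetun alpine wget -qO- https://ipinfo.io/ip` and check that the reported address is the WireGuard endpoint's, not your ISP's.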

I still don’t understand what you are trying to do. Create a VPN to your home server? Create a VPN mesh for your servers at home (and external)? Create a VPN for your server services to connect to Internet via different IP? All of it?