hotio/cloudflareddns
Important Announcement
Because scarf.sh, after all this time, is still on various block lists used by Pi-hole and other ad blockers, the use of cr.hotio.dev is halted. As you can see from the examples, ghcr.io is the new default, but if you insist on needing an older tag, you might have to pull it from docker.io (Docker Hub).
Starting the container¶
Possible values for DETECTION_MODE are dig-google.com, dig-opendns.com, dig-whoami.cloudflare, curl-icanhazip.com, curl-wtfismyip.com, curl-showmyip.ca, curl-da.gd, curl-seeip.org, curl-ifconfig.co and curl-ipw.cn. If you want to get the local ip from a network interface, use something like local:eth0 as DETECTION_MODE. Whichever probe you pick, the container trusts that service's answer: whatever IP it reports is what ends up in your DNS record.
Notice that CF_HOSTS, CF_ZONES and CF_RECORDTYPES always take the same number of semicolon-separated values (three in the examples); the values at the same position in each list together describe one record. So the domain test.foobar.com, belonging to the zone foobar.com, with record type A, will have its A record updated with an IPv4 address. If you use CF_APITOKEN, you can leave CF_USER and CF_APIKEY empty.
Important
All the domain names in CF_HOSTS must already have properly configured DNS records on Cloudflare; the container only updates existing records and will not create them.
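The lockstep rule above (one host, one zone and one record type per position) is easy to get wrong when editing an .env file by hand. The pre-flight script below is an added example, not part of the hotio/cloudflareddns image: it checks the CF_* and DETECTION_MODE values before the container is started. It assumes the variables are set in the calling shell (for example sourced from the same .env file you hand to docker run or compose) and that only A and AAAA records are meaningful for a DDNS updater.

```shell
#!/bin/sh
# Added example, not part of the hotio/cloudflareddns image: a pre-flight check
# for the CF_* / DETECTION_MODE environment variables before the container is
# started. Assumed: the variables are set in the calling shell (for example
# sourced from the .env file you hand to docker run / compose).

# Number of semicolon-separated values in "$1" (0 for an empty string).
cf_count() {
    if [ -z "$1" ]; then echo 0; return 0; fi
    printf '%s\n' "$1" | awk -F';' '{ print NF }'
}

# Prints one line per problem; returns non-zero if the configuration is unusable.
cf_ddns_preflight() {
    rc=0
    hosts=$(cf_count "${CF_HOSTS:-}")
    zones=$(cf_count "${CF_ZONES:-}")
    types=$(cf_count "${CF_RECORDTYPES:-}")

    if [ "$hosts" -eq 0 ]; then
        echo "CF_HOSTS is empty"; rc=1
    fi

    # The three lists are walked in lockstep: position i of each describes one record.
    if [ "$hosts" -ne "$zones" ] || [ "$hosts" -ne "$types" ]; then
        echo "CF_HOSTS ($hosts), CF_ZONES ($zones) and CF_RECORDTYPES ($types) must have the same number of values"
        rc=1
    fi

    # Only A (IPv4) and AAAA (IPv6) records make sense for a DDNS updater (assumption).
    for t in $(printf '%s\n' "${CF_RECORDTYPES:-}" | tr ';' ' '); do
        case "$t" in
            A|AAAA) ;;
            *) echo "unsupported record type: $t"; rc=1 ;;
        esac
    done

    # DETECTION_MODE, when set, must be one of the documented probes or local:<iface>.
    case "${DETECTION_MODE:-}" in
        ''|dig-google.com|dig-opendns.com|dig-whoami.cloudflare|\
        curl-icanhazip.com|curl-wtfismyip.com|curl-showmyip.ca|curl-da.gd|\
        curl-seeip.org|curl-ifconfig.co|curl-ipw.cn|local:?*) ;;
        *) echo "unknown DETECTION_MODE: $DETECTION_MODE"; rc=1 ;;
    esac

    # Credentials: a scoped token, or (far less secure) the global key plus e-mail.
    if [ -z "${CF_APITOKEN:-}" ] && { [ -z "${CF_USER:-}" ] || [ -z "${CF_APIKEY:-}" ]; }; then
        echo "set CF_APITOKEN, or both CF_USER and CF_APIKEY"
        rc=1
    fi
    if [ -n "${CF_APITOKEN:-}" ] && [ -n "${CF_APIKEY:-}" ]; then
        echo "warning: CF_APIKEY (global key) is set although CF_APITOKEN is in use; it is not needed"
    fi
    return $rc
}
```

Run it as `. ./preflight.sh && cf_ddns_preflight` after exporting your variables; a non-zero exit means the container would start with a configuration that cannot do what you intend.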
Zone ID¶
Instead of the zone_name, you can also fill in a zone_id in CF_ZONES. When using a zone_id, you can use a scoped token (CF_APITOKEN) that only needs the Zone - DNS - Edit permission, because the script no longer has to look the zone up by name. This lets the token be restricted to DNS edits on just the zones it manages. The configuration could look like the example below.
-e CF_APITOKEN="azkqvJ86wEScojvSJC8DyY67TwqNwZCtomEVrHwt"
-e CF_HOSTS="example.com;test.foobar.com"
-e CF_ZONES="zbpsi9ceikrdnnym27s2xnp6s5dvj6ep;dccbe6grakumohwwd4amh4o46yupepn8"
-e CF_RECORDTYPES="A;A"
Separate API Tokens¶
If you prefer not to use a zone_id but still want tighter scoping, you can use two separate tokens.
CF_APITOKEN configured with:
    Permissions: Zone - DNS - Edit
    Zone Resources: Include - Specific zone - example.com
                    Include - Specific zone - foobar.com
CF_APITOKEN_ZONE configured with:
    Permissions: Zone - Zone - Read
    Zone Resources: Include - All zones
Leaving CF_APITOKEN_ZONE blank means that only CF_APITOKEN is used, so that token has to carry all required permissions. In practice that means either a token that can edit the DNS of all zones, or one that cannot fetch the zone_id from the zone_name.
Configuration combination examples¶
Below are some example configuration combinations, ordered from most secure to least secure.
- We use a zone_id so that our token only needs the permission Zone - DNS - Edit.
-e CF_APITOKEN="azkqvJ86wEScojvSJC8DyY67TwqNwZCtomEVrHwt"
-e CF_HOSTS="vpn.example.com;test.foobar.com"
-e CF_ZONES="zbpsi9ceikrdnnym27s2xnp6s5dvj6ep;axozor886pyja7nmbcvu5kh7dp9557j4"
-e CF_RECORDTYPES="A;A"
- We additionally use a CF_APITOKEN_ZONE with the permission Zone - Zone - Read to query the zones and get the zone_id.
-e CF_APITOKEN="azkqvJ86wEScojvSJC8DyY67TwqNwZCtomEVrHwt"
-e CF_APITOKEN_ZONE="8m4TxzWb9QHXEpTwQDMugkKuHRavsxoK8qmJ4P7M"
-e CF_HOSTS="vpn.example.com;test.foobar.com"
-e CF_ZONES="example.com;axozor886pyja7nmbcvu5kh7dp9557j4"
-e CF_RECORDTYPES="A;A"
- We use only CF_APITOKEN, but with the permissions Zone - DNS - Edit and Zone - Zone - Read.
-e CF_APITOKEN="azkqvJ86wEScojvSJC8DyY67TwqNwZCtomEVrHwt"
-e CF_HOSTS="vpn.example.com;test.foobar.com"
-e CF_ZONES="example.com;axozor886pyja7nmbcvu5kh7dp9557j4"
-e CF_RECORDTYPES="A;A"
- We use CF_USER and CF_APIKEY (the global API key), which gives the container full control over our account.
-e CF_USER="your.cf.email@example.com"
-e CF_APIKEY="your.global.apikey"
-e CF_HOSTS="vpn.example.com;test.foobar.com"
-e CF_ZONES="example.com;axozor886pyja7nmbcvu5kh7dp9557j4"
-e CF_RECORDTYPES="A;A"
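Before handing tokens to the container it is worth confirming that they are active and scoped as the Zone ID and Separate API Tokens sections describe: the DNS-edit token must see exactly the records it will update, and the zone lookup must work with whichever token will perform it. The script below is an added example, not part of the hotio/cloudflareddns image, that does this against the Cloudflare v4 API with curl. It assumes curl is installed, that CF_APITOKEN, CF_APITOKEN_ZONE, CF_HOSTS, CF_ZONES and CF_RECORDTYPES are set in the calling shell, and that the API returns its usual compact JSON with "id" as the first key of a zone object (with jq available, use `jq -r '.result[0].id'` instead of the sed one-liner).

```shell
#!/bin/sh
# Added example, not part of the hotio/cloudflareddns image: verify the scoped
# token(s) and resolve zone ids before starting the container.
# Assumed: curl is installed; CF_APITOKEN (DNS edit), optionally CF_APITOKEN_ZONE
# (zone read), CF_HOSTS, CF_ZONES and CF_RECORDTYPES are set in the calling shell.
CF_API="https://api.cloudflare.com/client/v4"

# GET an API path with a bearer token; prints the JSON body.
cf_get() {  # $1 = token, $2 = path including query string
    curl -sS -H "Authorization: Bearer $1" -H "Content-Type: application/json" "$CF_API$2"
}

# Value number $2 (1-based) of the semicolon-separated list $1; empty if absent.
cf_field() {
    printf '%s\n' "$1" | awk -F';' -v i="$2" '{ print $i }'
}

# Returns 0 when the token is active (tokens/verify works for any token).
cf_token_active() {  # $1 = token
    cf_get "$1" "/user/tokens/verify" | grep -q '"status":"active"'
}

# Resolve a zone_id from a zone name; needs Zone - Zone - Read on that zone.
# Assumes the compact JSON Cloudflare returns, with "id" first in the zone object.
cf_zone_id() {  # $1 = token with zone read, $2 = zone name
    cf_get "$1" "/zones?name=$2&status=active" \
        | sed -n 's/.*"result":\[{"id":"\([0-9a-z]\{32\}\)".*/\1/p'
}

# Returns 0 when the token can list the record AND the record exists
# (the container updates existing records only, it never creates them).
cf_record_visible() {  # $1 = token with DNS edit, $2 = zone_id, $3 = type, $4 = host
    cf_get "$1" "/zones/$2/dns_records?type=$3&name=$4" | grep -q '"result":\[{'
}

# Walk CF_HOSTS / CF_ZONES / CF_RECORDTYPES in lockstep, like the container does.
# CF_ZONES entries without a dot are taken to be zone ids; names are resolved with
# CF_APITOKEN_ZONE when set, otherwise with CF_APITOKEN.
cf_check_lists() {
    cf_token_active "$CF_APITOKEN" || { echo "FAIL CF_APITOKEN is not active"; return 1; }
    i=1; rc=0
    while :; do
        host=$(cf_field "$CF_HOSTS" "$i")
        zone=$(cf_field "$CF_ZONES" "$i")
        rtype=$(cf_field "$CF_RECORDTYPES" "$i")
        [ -z "$host" ] && break
        case "$zone" in
            *.*) zone_id=$(cf_zone_id "${CF_APITOKEN_ZONE:-$CF_APITOKEN}" "$zone") ;;
            *)   zone_id=$zone ;;
        esac
        if [ -z "$zone_id" ]; then
            echo "FAIL $host: cannot resolve zone_id for $zone (zone read permission?)"; rc=1
        elif cf_record_visible "$CF_APITOKEN" "$zone_id" "$rtype" "$host"; then
            echo "ok   $host ($rtype) in zone $zone_id"
        else
            echo "FAIL $host: CF_APITOKEN cannot see the $rtype record in zone $zone_id"; rc=1
        fi
        i=$((i + 1))
    done
    return $rc
}
```

A FAIL on the zone lookup with a token that has Zone - DNS - Edit only is expected; that is exactly the case the zone_id or CF_APITOKEN_ZONE variants exist for.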
Example of the log output¶
2020-05-17 17:20:54 - INFO - IPv4 detected by [dig-whoami.cloudflare] is [1.1.1.1].
2020-05-17 17:20:54 - INFO - [1/1] [A] [vpn.example.com] Reading zone list from Cloudflare.
2020-05-17 17:20:54 - INFO - [1/1] [A] [vpn.example.com] Retrieved zone list from Cloudflare.
2020-05-17 17:20:54 - INFO - [1/1] [A] [vpn.example.com] Zone ID [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] found for zone [example.com].
2020-05-17 17:20:54 - INFO - [1/1] [A] [vpn.example.com] Reading DNS record from Cloudflare.
2020-05-17 17:20:55 - INFO - [1/1] [A] [vpn.example.com] Writing DNS record to cache file [/config/cf-ddns-A-vpn.example.com.cache].
2020-05-17 17:20:55 - INFO - [1/1] [A] [vpn.example.com] Checking if update is needed.
2020-05-17 17:20:55 - INFO - [1/1] [A] [vpn.example.com] No update needed.
2020-05-17 17:20:55 - INFO - Going to sleep for [300] seconds...
Log levels¶
For LOG_LEVEL you can pick 0, 1, 2 or 3.
- 0 gives no log output. It's not recommended.
- 1 gives UPDATE, WARNING and ERROR. This is the recommended value once everything is configured and running as expected.
- 2 gives UPDATE, WARNING, ERROR and INFO. Use this if you always want to see what's going on, but 3 gives you too much output.
- 3 gives UPDATE, WARNING, ERROR, INFO and DEBUG. This is the default.
JSON log¶
Every IP update is also logged to /config/cf-ddns-updates.json
. This can be used with the Telegraf JSON parser and the tail
input, to get your domain updates into InfluxDB. Example output below.
{"domain":"vpn.example.com","recordtype":"A","ip":"1.1.1.1","timestamp":"2020-05-17T20:27:14Z"}
{"domain":"vpn.example.com","recordtype":"A","ip":"1.1.1.1","timestamp":"2020-05-17T20:29:26Z"}
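If you do not run Telegraf/InfluxDB, the same file is still a useful audit trail: an IP that flips back and forth is either a flapping WAN connection or somebody else writing to the record. The script below is an added example, not part of the hotio/cloudflareddns image; it reads lines in exactly the format shown above with awk only, prints each IP transition per domain and record type, and flags records that changed more often than a threshold. The sample file in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the hotio/cloudflareddns image: summarise
# /config/cf-ddns-updates.json without InfluxDB. Each line is one JSON object
# with the keys domain, recordtype, ip and timestamp; parsed with awk only.

# Print one line per IP transition: "<timestamp> <domain> <recordtype> <old> -> <new>".
# Repeated writes of the same IP (as in the two sample lines above) are not transitions.
cf_ddns_transitions() {  # $1 = path to cf-ddns-updates.json
    awk '
    # Extract the string value of "key" from a one-line JSON object in s.
    function field(s, key,    re, m) {
        re = "\"" key "\":\"[^\"]*\""
        if (match(s, re)) {
            m = substr(s, RSTART, RLENGTH)
            sub("^\"" key "\":\"", "", m)
            sub("\"$", "", m)
            return m
        }
        return ""
    }
    {
        k  = field($0, "domain") " " field($0, "recordtype")
        ip = field($0, "ip")
        if (!(k in last)) { last[k] = ip; next }   # first sighting: nothing to compare
        if (last[k] != ip) {
            print field($0, "timestamp"), k, last[k], "->", ip
            last[k] = ip
        }
    }' "$1"
}

# Print "<count> <domain> <recordtype>" for records with more than $2 transitions.
cf_ddns_flapping() {  # $1 = path, $2 = threshold
    cf_ddns_transitions "$1" \
        | awk -v n="$2" '{ c[$2 " " $3]++ } END { for (k in c) if (c[k] > n) print c[k], k }'
}
```

`cf_ddns_flapping /config/cf-ddns-updates.json 3` from a cron job, piped into the same Apprise notifier you use for updates, gives a cheap "this record is being rewritten more than expected" alarm.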
Cached results from Cloudflare¶
The results returned from Cloudflare are cached, which keeps API calls to Cloudflare to a minimum. If you have made any manual changes to the IP in the Cloudflare web interface, for instance to test an update, a container restart is needed to clear the cache.
The proxy setting (orange cloud) and the TTL are also cached and re-applied from the cached values on each update, so if you modify these settings on Cloudflare, restart the container so that the script picks up the new settings.
Sending notifications¶
You can send notifications when a DNS record gets updated with a new IP using Apprise. Use the environment variable APPRISE to configure notifications, see below for some examples.
-e APPRISE="pover://user@token"
-e APPRISE="pover://user@token;discord://webhook_id/webhook_token"
WireGuard¶
Info
This image includes VPN support. The cli/compose examples below are environment variables and settings complementary to the app image examples. In case you are still in need of a VPN, consider using my affiliate link for Proton, Private Internet Access or TorGuard (50% Off: hotio.dev-50-all).
- The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui.
- If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp blocks those ports on the VPN interface, so there is no risk of them being exposed to the world through the tunnel, and allows access to them from your LAN. Some images also have a WEBUI_PORTS environment variable that does basically the same for the VPN part; for those apps that support it, it also changes the port on which the app runs.
- With net.ipv6.conf.all.disable_ipv6=1 all IPv6 support is disabled. Leave IPv6 disabled and remove all references to it in your wg0.conf file to keep things simple. If you need any sort of IPv6 support, enable it with net.ipv6.conf.all.disable_ipv6=0. A WireGuard IPv6 endpoint is currently not supported.
- Possible values for VPN_PROVIDER are generic, proton and pia.
- There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your wg0.conf, called wg0-pre.sh and wg0-post.sh. These execute right before the check for the existence of a wg0.conf file and almost at the end, right before the internet connectivity test.
- VPN_AUTO_PORT_FORWARD: set to true to automatically retrieve a forwarded port and configure the supported app, or, if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful websites to check for open ports are YouGetSignal and ipleak.net, which can also leak-test with a .torrent file.
- By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you see the error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and have to fill in a region id.
- With VPN_CONF you can set the name used for your WireGuard config. The WireGuard config is automatically modified to use AllowedIPs = 0.0.0.0/1,128.0.0.0/1 for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append -fix, so VPN_CONF=wg0-fix. WSL2 users can also compile their own kernel if they don't want to use this workaround. This is an example of how your wg0.conf file should look; if there's a lot of extra stuff, remove it unless you know what it's there for.
    [Interface]
    PrivateKey = supersecretprivatekey
    Address = xx.xx.xxx.xxx/32 # Yes, /32
    DNS = x.x.x.x
    [Peer]
    PublicKey = publickey
    AllowedIPs = 0.0.0.0/0
    Endpoint = xxx.x.xxx.x:51820
- If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to wireguard-go. For that you'll need to add the device /dev/net/tun. It's most likely that the device /dev/net/tun does not exist however; have a read here for instructions on checking and adding the device.
- Setting this to true will re-add the default nameserver if it's been overwritten by the DNS = ... entry in wg0.conf. This should keep container name resolution working. If container name resolution still doesn't work, add --dns 1.1.1.1; somehow this can fix it (confirmed on macOS).
- When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.
- Required in most cases; on some systems that don't have rp_filter set to strict, it's optional.
- Fill in your DIP token here, if you've bought the dedicated ip option.
- If you'd like to keep using the same forwarded port until it expires, set this to true.
- Adds a redirect for the forwarded port from your VPN provider to the internal port on which the app runs. Ports in this list are also not blocked on the WireGuard interface, so this variable is also useful if you want to expose a port on both your LAN and the VPN. Values like 32400/tcp use the port from VPN_AUTO_PORT_FORWARD to create the redirect, or, if that is set to true, the forwarded port from pia/proton. Use the 3000@3001/tcp,3002@3003/tcp syntax for extra static redirects. The only known use case as of right now is Plex, exposing it on the VPN with a non-configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful websites to check for open ports are YouGetSignal and ipleak.net, which can also leak-test with a .torrent file.
- When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare, except for requests made to the .internal and .vpn TLDs, which go to the local Docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non-existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless of VPN_ENABLED being true or false.
- Possible values are auto, legacy or nftables. The default is auto, which tries to use the most modern method available. If this doesn't work, you can try forcing it to legacy or nftables.
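VPN_LAN_NETWORK is the one setting in this list that widens, rather than narrows, who can reach the webui, so it pays to check what a value actually admits before using it: 192.168.0.0/24 is 256 addresses, 192.168.0.0/16 is 65,536, and 0.0.0.0/0 is everyone. The functions below are an added example, not part of the hotio images; they evaluate a VPN_LAN_NETWORK-style value (comma-separated CIDR networks and/or single addresses) against a client IP in plain POSIX shell arithmetic. They assume IPv4 only, matching the notes above that keep IPv6 disabled.

```shell
#!/bin/sh
# Added example, not part of the hotio images: evaluate a VPN_LAN_NETWORK value.
# Assumed: IPv4 only; entries are CIDR networks (a.b.c.d/n) or bare addresses.

# Dotted quad -> 32-bit integer (subshell so the IFS change stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network mask for a prefix length (0..32) as a 32-bit integer.
cidr_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# Prefix length of an entry; a bare address counts as /32.
prefix_len() {
    case "$1" in
        */*) echo "${1#*/}" ;;
        *)   echo 32 ;;
    esac
}

# "first - last" address covered by one entry, as the notes above describe it.
cidr_range() {  # $1 = entry
    net=${1%/*}
    mask=$(cidr_mask "$(prefix_len "$1")")
    first=$(( $(ip2int "$net") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int2ip "$first") - $(int2ip "$last")"
}

# Return 0 if client $1 is inside entry $2.
in_network() {
    mask=$(cidr_mask "$(prefix_len "$2")")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Return 0 if client $1 is admitted by VPN_LAN_NETWORK value $2 (comma-separated).
lan_allowed() {
    for entry in $(printf '%s' "$2" | tr ',' ' '); do
        if in_network "$1" "$entry"; then return 0; fi
    done
    return 1
}
```

`cidr_range 0.0.0.0/0` printing `0.0.0.0 - 255.255.255.255` is the quickest way to see why that value (and anything wider than your actual LAN) defeats the purpose of the variable.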
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
- The environment variable `VPN_LAN_NETWORK` can be set to, for example, `192.168.1.0/24`, `192.168.1.0/24,192.168.44.0/24` or `192.168.1.33`, so you can get access to the webui or other additional ports (see below). If for example you were to pick `192.168.0.0/24`, every device with an ip in the range `192.168.0.0 - 192.168.0.255` on your LAN is allowed access to the webui.
- If you need to expose ports on your LAN you can use `VPN_EXPOSE_PORTS_ON_LAN`. For example `VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp` will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world, and allow access to them from your LAN. Some images also have a `WEBUI_PORTS` environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs.
- With `net.ipv6.conf.all.disable_ipv6=1` all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in your `wg0.conf` file to keep things simple. If you need any sort of ipv6 support, enable it with `net.ipv6.conf.all.disable_ipv6=0`. A WireGuard ipv6 endpoint is currently not supported.
- Possible values are `generic`, `proton` and `pia`.
- There needs to be a file `wg0.conf` located in `/config/wireguard` and you need to set the variable `VPN_ENABLED` to `true` for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside your `wg0.conf`, called `wg0-pre.sh` and `wg0-post.sh`. These will execute right before the check for the existence of a `wg0.conf` file and almost at the end, right before the internet connectivity test.
- Auto retrieve a forwarded port and configure the supported app if set to `true`, or, if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful websites: YouGetSignal to check for open ports, and ipleak.net to run a leak test with a `.torrent` file.
- By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in `/config/wireguard` after the first start. If you're seeing an error message `shuf: getrandom: Function not implemented`, you can't let it pick one randomly and are forced to fill in a region id.
- With `VPN_CONF` you can set the name used for your WireGuard config. This is an example of how your `wg0.conf` file should look. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to use `AllowedIPs = 0.0.0.0/1,128.0.0.0/1` for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append `-fix`, so `VPN_CONF=wg0-fix`. WSL2 users can also compile their own kernel if they don't want to use this workaround.

  ```ini
  [Interface]
  PrivateKey = supersecretprivatekey
  Address = xx.xx.xxx.xxx/32 # Yes, /32
  DNS = x.x.x.x

  [Peer]
  PublicKey = publickey
  AllowedIPs = 0.0.0.0/0
  Endpoint = xxx.x.xxx.x:51820
  ```

- If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to `wireguard-go`. For that you'll need to add the device `/dev/net/tun`. It's likely, however, that the device `/dev/net/tun` does not exist; have a read here for instructions on checking and adding the device.
- Setting this to `true` will re-add the default nameserver if it's been overwritten by the `DNS = ...` entry in `wg0.conf`. This should keep container name resolution working. If container name resolution still doesn't work, add `--dns 1.1.1.1`; somehow this can fix it (confirmed on macOS).
- When using `VPN_PROVIDER=pia`, fill in your username and password. A `wg0.conf` will be automatically downloaded.
- Required in most cases; on some systems that don't have `rp_filter` set to strict, it's optional.
- Fill in your DIP token here, if you've bought the dedicated ip option.
- If you'd like to keep using the same forwarded port until it expires, set this to `true`.
- Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs. Ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like `32400/tcp` will use the port from `VPN_AUTO_PORT_FORWARD` to create the redirect, or, if that is set to `true`, the forwarded port from pia/proton. Use the `3000@3001/tcp,3002@3003/tcp` syntax for extra static redirects. The only known use case as of right now is Plex, exposing it on the VPN with a non-configurable forwarded port, because it's not possible to run Plex on anything other than 32400. Useful websites: YouGetSignal to check for open ports, and ipleak.net to run a leak test with a `.torrent` file.
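The LAN access, port exposure and port redirect notes above describe firewall behaviour; the following is an added shell example (not the hotio image's own startup code) that turns sample `VPN_LAN_NETWORK`, `VPN_EXPOSE_PORTS_ON_LAN` and redirect-list values into the iptables rules they imply and prints them as a dry run, so the effect of a value can be reviewed before a container is started. The interface names `eth0` (LAN side) and `wg0` (tunnel side) and the exact rule shapes are this example's assumptions; the image may implement the same behaviour differently.

```shell
#!/bin/sh
# Added example, not the hotio image's own startup code. It turns the values of
# VPN_LAN_NETWORK, VPN_EXPOSE_PORTS_ON_LAN and the forwarded-port redirect list
# into the iptables rules they imply and prints them as a dry run; nothing is
# applied. Interface names are assumptions: eth0 faces the LAN, wg0 is the tunnel.
LAN_IF=eth0
VPN_IF=wg0

# Accept one VPN_LAN_NETWORK entry: an IPv4 address with an optional /0-32 prefix.
valid_lan_entry() {
  entry=$1
  case $entry in
    */*) addr=${entry%/*}; plen=${entry#*/} ;;
    *)   addr=$entry; plen=32 ;;
  esac
  case $plen in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Split a comma separated value (the separator these variables use) into words.
split_commas() { printf '%s' "$1" | tr ',' ' '; }

# Print the filter rules implied by VPN_LAN_NETWORK and VPN_EXPOSE_PORTS_ON_LAN:
# each port/proto is accepted from every LAN network on the LAN interface and
# dropped on the tunnel interface, so it is never reachable from the VPN side.
plan_lan_rules() {
  lan_networks=$1 exposed_ports=$2
  for spec in $(split_commas "$exposed_ports"); do
    port=${spec%/*}; proto=${spec#*/}
    case $port in ''|*[!0-9]*) echo "bad port spec: $spec" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "bad port spec: $spec" >&2; return 1 ;; esac
    for net in $(split_commas "$lan_networks"); do
      valid_lan_entry "$net" || { echo "bad LAN entry: $net" >&2; return 1; }
      printf 'iptables -A INPUT -i %s -s %s -p %s --dport %s -j ACCEPT\n' \
        "$LAN_IF" "$net" "$proto" "$port"
    done
    printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP\n' "$VPN_IF" "$proto" "$port"
  done
}

# Print the NAT redirects implied by the redirect list. "32400/tcp" maps the
# provider's forwarded port ($1) onto 32400; "3000@3001/tcp" is a static
# redirect from 3000 to 3001. The target port is also accepted on the tunnel side.
plan_redirects() {
  forwarded=$1 specs=$2
  for spec in $(split_commas "$specs"); do
    ports=${spec%/*}; proto=${spec#*/}
    case $proto in tcp|udp) ;; *) echo "bad redirect spec: $spec" >&2; return 1 ;; esac
    case $ports in
      *@*) from=${ports%@*}; to=${ports#*@} ;;
      *)   from=$forwarded; to=$ports ;;
    esac
    for p in "$from" "$to"; do
      case $p in ''|*[!0-9]*) echo "bad port in $spec: '$p'" >&2; return 1 ;; esac
    done
    printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT\n' "$VPN_IF" "$proto" "$to"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j REDIRECT --to-ports %s\n' \
      "$VPN_IF" "$proto" "$from" "$to"
  done
}

# Usage with constructed values: review the planned rules before applying any.
plan_lan_rules '192.168.1.0/24,192.168.44.0/24' '7878/tcp,9117/tcp'
plan_redirects 41234 '32400/tcp,3000@3001/tcp'
```

Two things the dry run makes visible: a malformed entry (a missing `/tcp`, a prefix longer than `/32`, an octet above 255) is rejected before any rule is emitted rather than silently producing an open or ineffective rule, and every exposed port gets an explicit DROP on the tunnel side, which is the part of the behaviour that keeps a LAN-only service from being reachable through the VPN provider's network.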
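The `wg0.conf` notes above (a `/32` address, no ipv6 references, no ipv6 endpoint, and the `-fix` rewrite of `AllowedIPs`) can be turned into a pre-start check. The following is an added shell example, not the image's own startup script: the sample `wg0.conf` is constructed here with documentation-range placeholder addresses, `WG_DIR` stands in for `/config/wireguard`, `check_wg_conf` verifies the points the notes call out, and `apply_allowedips_fix` performs the rewrite of `AllowedIPs = 0.0.0.0/0` into `0.0.0.0/1,128.0.0.0/1`. Writing the rewritten config to a separate file name is this example's choice, not how the image handles `VPN_CONF=wg0-fix`.

```shell
#!/bin/sh
# Added example, not the hotio image's own startup script. It implements the
# wg0.conf checks and the "-fix" AllowedIPs rewrite described in the notes above.
# The sample config is constructed; its addresses are documentation-range
# placeholders, and WG_DIR stands in for /config/wireguard.
WG_DIR=$(mktemp -d)

# Write a constructed wg0.conf in the shape the note shows.
write_sample_conf() {
  cat > "$WG_DIR/wg0.conf" <<'EOF'
[Interface]
PrivateKey = supersecretprivatekey
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
EOF
}

# Print the value of key $2 from config $1 (first match), tolerating spaces around '='.
wg_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Check the points the notes call out. Prints "ok", or the first problem found.
check_wg_conf() {
  f=$1
  grep -q '^\[Interface\]' "$f" && grep -q '^\[Peer\]' "$f" \
    || { echo "missing [Interface] or [Peer] section"; return 1; }
  [ -n "$(wg_value "$f" PrivateKey)" ] || { echo "PrivateKey missing"; return 1; }
  case $(wg_value "$f" Address) in
    */32) ;;
    *) echo "Address must be a single /32 host address"; return 1 ;;
  esac
  case $(wg_value "$f" Endpoint) in
    '') echo "Endpoint missing"; return 1 ;;
    \[*) echo "IPv6 endpoint is not supported"; return 1 ;;
  esac
  case $(wg_value "$f" AllowedIPs) in
    *:*) echo "remove IPv6 ranges from AllowedIPs while IPv6 is disabled"; return 1 ;;
  esac
  echo ok
}

# The -fix rewrite: replace the 0.0.0.0/0 default route with its two /1 halves,
# which avoids the routing clash seen on Synology/QNAP/Asustor/WSL2 hosts.
apply_allowedips_fix() {
  sed 's#^\([[:space:]]*AllowedIPs[[:space:]]*\)=[[:space:]]*0\.0\.0\.0/0[[:space:]]*$#\1= 0.0.0.0/1,128.0.0.0/1#' "$1"
}

# Usage: validate, then produce the -fix variant (the output file name is this
# example's choice, not how the image stores it).
write_sample_conf
check_wg_conf "$WG_DIR/wg0.conf"
apply_allowedips_fix "$WG_DIR/wg0.conf" > "$WG_DIR/wg0-allowedips-fix.conf"
```

The check fails closed: a config with a `/24` address, a bracketed ipv6 endpoint, or an `::/0` entry in `AllowedIPs` is reported before the tunnel is brought up, which is cheaper than debugging a container that starts but has no connectivity or leaks ipv6 traffic outside the tunnel.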