hotio/sabnzbd

GitHub
ghcr.io

Starting the container

docker run --rm \
    --name sabnzbd \
    -p 8080:8080 \
    -e PUID=1000 \
    -e PGID=1000 \
    -e UMASK=002 \
    -e WEBUI_PORTS="8080/tcp,8080/udp" \
    -e ARGS="" \
    -e TZ="Etc/UTC" \
    -v /<host_folder_config>:/config \
    -v /<host_folder_data>:/data \
    ghcr.io/hotio/sabnzbd
services:
  sabnzbd:
    container_name: sabnzbd
    image: ghcr.io/hotio/sabnzbd
    ports:
      - "8080:8080"
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=Etc/UTC
      - WEBUI_PORTS=8080/tcp,8080/udp
      - ARGS
    volumes:
      - /<host_folder_config>:/config
      - /<host_folder_data>:/data

WireGuard

Info

This image includes VPN support. The cli/compose examples below contain only the environment variables and settings that complement the app image examples, so you'll have to merge them with the examples above. The #(n) markers in the examples refer to the numbered notes that follow them. In case you are still in need of a VPN, consider using my affiliate links for Proton VPN, Proton Unlimited or Private Internet Access.

ProtonVPN PiaVPN

docker run --rm \
    --hostname container-name.internal \ #(18)
    -e VPN_ENABLED="true" \ #(5)
    -e VPN_CONF="wg0" \ #(8)
    -e VPN_PROVIDER="generic" \ #(4)
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)
    -e VPN_AUTO_PORT_FORWARD="false" \ #(6)
    -e VPN_PORT_REDIRECTS="" \ #(15)
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)
    -e VPN_NAMESERVERS="" \ #(16)
    -e PRIVOXY_ENABLED="false" \ #(19)
    -e UNBOUND_ENABLED="false" \ #(21)
    -e UNBOUND_NAMESERVERS="" \ #(22)
    --cap-add=NET_ADMIN \
    ...
  1. The environment variable VPN_LAN_NETWORK can be set to, for example, 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so that you can access the webui or other additional ports (see below). If, for example, you were to pick 192.168.0.0/24, every device with an IP in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On macOS set it to 192.168.65.0/24 (verify with your settings [Resources > Network > Docker subnet]). Do not add the Docker bridge networks to this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example, VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp will block those ports on the VPN interface, so that there's no risk of them being exposed to the world, and allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing and comes pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.
    Affiliate links:
    Proton VPN
    Proton Unlimited
    Private Internet Access

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before vpn is up), wg0-post.sh (after vpn is up) or wg0-port.sh (after forwarded port change).

  6. If set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia, a forwarded port is retrieved automatically and the supported app is configured with it. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port. YouGetSignal is a useful website to check for open ports, and ipleak.net can be used to leak test with a .torrent file.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. NOT USED

  10. DANGEROUS! Don't enable unless you know what you are doing!

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before the @ to the port after it, with udp or tcp after the /. Ports in this list are also exposed on the WireGuard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or, if it is set to true, the forwarded port received from pia/proton (in more detail: the port from /config/wireguard/forwarded_port is used if VPN_AUTO_PORT_FORWARD is not set to false). Use the 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you use the same port on both sides, as in 6677@6677/tcp, no redirect is added and the port is only exposed. A known use case right now is exposing Plex on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything other than 32400.

  16. Possible values include wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com, separated by a comma. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 sets a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com adds a DNS over TLS nameserver, which overrides all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is not an existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the WireGuard init process or for an extended period during the container runtime.

  21. Enable Unbound by setting to true when VPN is not active.

  22. Possible values include 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com, separated by a comma. A value in the format 8.8.8.8 sets a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com adds a DNS over TLS nameserver, which overrides all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
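
A pre-flight check for the value formats described in notes 1, 15 and 16, as an added Python example that is not part of the hotio image or its init scripts. The function names, the sample bridge network 172.17.0.0/16, the sample forwarded port, and the reading that an entry without @ redirects from the forwarded port to the listed port are assumptions.

```python
import ipaddress
import re

# Grammar taken from the notes: "3000@3001/tcp", "32400/tcp", "1.1.1.1@853#host".
REDIRECT_RE = re.compile(r"^(?:(\d+)@)?(\d+)/(tcp|udp)$")
DOT_RE = re.compile(r"^([^@#]+)@(\d+)#([A-Za-z0-9.-]+)$")


def _entries(value):
    """Split a comma-separated variable, dropping empty items."""
    return [e.strip() for e in value.split(",") if e.strip()]


def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def check_lan_network(value, docker_bridges):
    """For each VPN_LAN_NETWORK entry return (network, address_count, overlapping_bridges).

    A non-empty third field means the entry covers a Docker bridge network,
    which note 1 says must not be added. docker_bridges is supplied by the
    caller (for example from `docker network inspect`).
    """
    bridges = [ipaddress.ip_network(b) for b in docker_bridges]
    report = []
    for entry in _entries(value):
        net = ipaddress.ip_network(entry, strict=False)  # a bare IP becomes /32
        hits = [str(b) for b in bridges if net.overlaps(b)]
        report.append((str(net), net.num_addresses, hits))
    return report


def parse_port_redirects(value, forwarded_port=None):
    """Return (listen_port, target_port, proto, action) per VPN_PORT_REDIRECTS entry.

    listen_port is what ends up reachable on the WireGuard interface. For an
    entry without '@' it is the forwarded port (None while it is unknown);
    that mapping is this example's reading of note 15.
    """
    rules = []
    for entry in _entries(value):
        m = REDIRECT_RE.match(entry)
        if not m:
            raise ValueError(f"bad VPN_PORT_REDIRECTS entry: {entry!r}")
        src, dst, proto = m.groups()
        dst = _port(dst)
        src = _port(src) if src else forwarded_port
        # Same port on both sides: no redirect, the port is only exposed.
        action = "expose" if src == dst else "redirect"
        rules.append((src, dst, proto, action))
    return rules


def parse_nameservers(value):
    """Classify VPN_NAMESERVERS entries and report which ones take effect."""
    plain, dot = [], []
    for entry in _entries(value):
        m = DOT_RE.match(entry)
        if entry == "wg":
            plain.append("wg")  # nameservers from wg0.conf
        elif m:
            ip, port, host = m.groups()
            ipaddress.ip_address(ip)  # raises ValueError on a typo
            dot.append((ip, _port(port), host))
        else:
            ipaddress.ip_address(entry)
            plain.append(entry)
    if dot:
        # A DNS over TLS entry overrides the regular nameservers; treating
        # "wg" as a regular nameserver here is an assumption.
        return {"mode": "dns-over-tls", "servers": dot, "ignored": plain}
    if plain:
        return {"mode": "forward", "servers": plain, "ignored": []}
    return {"mode": "recursive", "servers": [], "ignored": []}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(check_lan_network("192.168.1.0/24,172.16.0.0/12", ["172.17.0.0/16"]))
    print(parse_port_redirects("3000@3001/tcp,6677@6677/tcp,32400/tcp", 51820))
    print(parse_nameservers("8.8.8.8,1.1.1.1@853#cloudflare-dns.com"))
```
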

services:
  app:
    hostname: container-name.internal #(18)
    environment:
      - VPN_ENABLED=true #(5)
      - VPN_CONF=wg0 #(8)
      - VPN_PROVIDER=generic #(4)
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)
      - VPN_LAN_LEAK_ENABLED=false #(10)
      - VPN_EXPOSE_PORTS_ON_LAN #(2)
      - VPN_AUTO_PORT_FORWARD=false #(6)
      - VPN_PORT_REDIRECTS= #(15)
      - VPN_HEALTHCHECK_ENABLED=false #(20)
      - VPN_NAMESERVERS= #(16)
      - PRIVOXY_ENABLED=false #(19)
      - UNBOUND_ENABLED=false #(21)
      - UNBOUND_NAMESERVERS #(22)
    cap_add:
      - NET_ADMIN
    ...

docker run --rm \
    --hostname container-name.internal \ #(18)
    -e VPN_ENABLED="true" \ #(5)
    -e VPN_CONF="wg0" \ #(8)
    -e VPN_PROVIDER="proton" \ #(4)
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)
    -e VPN_AUTO_PORT_FORWARD="true" \ #(6)
    -e VPN_PORT_REDIRECTS="" \ #(15)
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)
    -e VPN_NAMESERVERS="" \ #(16)
    -e PRIVOXY_ENABLED="false" \ #(19)
    -e UNBOUND_ENABLED="false" \ #(21)
    -e UNBOUND_NAMESERVERS="" \ #(22)
    --cap-add=NET_ADMIN \
    ...

services:
  app:
    hostname: container-name.internal #(18)
    environment:
      - VPN_ENABLED=true #(5)
      - VPN_CONF=wg0 #(8)
      - VPN_PROVIDER=proton #(4)
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)
      - VPN_LAN_LEAK_ENABLED=false #(10)
      - VPN_EXPOSE_PORTS_ON_LAN #(2)
      - VPN_AUTO_PORT_FORWARD=true #(6)
      - VPN_PORT_REDIRECTS= #(15)
      - VPN_HEALTHCHECK_ENABLED=false #(20)
      - VPN_NAMESERVERS= #(16)
      - PRIVOXY_ENABLED=false #(19)
      - UNBOUND_ENABLED=false #(21)
      - UNBOUND_NAMESERVERS #(22)
    cap_add:
      - NET_ADMIN
    ...

docker run --rm \
    --hostname container-name.internal \ #(18)
    -e VPN_ENABLED="true" \ #(5)
    -e VPN_CONF="wg0" \ #(8)
    -e VPN_PROVIDER="pia" \ #(4)
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)
    -e VPN_AUTO_PORT_FORWARD="true" \ #(6)
    -e VPN_PORT_REDIRECTS="" \ #(15)
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)
    -e VPN_NAMESERVERS="" \ #(16)
    -e VPN_PIA_USER="" \ #(11)
    -e VPN_PIA_PASS="" \ #(11)
    -e VPN_PIA_PREFERRED_REGION="" \ #(7)
    -e VPN_PIA_DIP_TOKEN="no" \ #(13)
    -e VPN_PIA_PORT_FORWARD_PERSIST="false" \ #(14)
    -e PRIVOXY_ENABLED="false" \ #(19)
    -e UNBOUND_ENABLED="false" \ #(21)
    -e UNBOUND_NAMESERVERS="" \ #(22)
    --cap-add=NET_ADMIN \
    ...

services:
  app:
    hostname: container-name.internal #(18)
    environment:
      - VPN_ENABLED=true #(5)
      - VPN_CONF=wg0 #(8)
      - VPN_PROVIDER=pia #(4)
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)
      - VPN_LAN_LEAK_ENABLED=false #(10)
      - VPN_EXPOSE_PORTS_ON_LAN #(2)
      - VPN_AUTO_PORT_FORWARD=true #(6)
      - VPN_PORT_REDIRECTS= #(15)
      - VPN_HEALTHCHECK_ENABLED=false #(20)
      - VPN_NAMESERVERS= #(16)
      - VPN_PIA_USER #(11)
      - VPN_PIA_PASS #(11)
      - VPN_PIA_PREFERRED_REGION #(7)
      - VPN_PIA_DIP_TOKEN=no #(13)
      - VPN_PIA_PORT_FORWARD_PERSIST=false #(14)
      - PRIVOXY_ENABLED=false #(19)
      - UNBOUND_ENABLED=false #(21)
      - UNBOUND_NAMESERVERS #(22)
    cap_add:
      - NET_ADMIN
    ...
  1. The environment variable VPN_LAN_NETWORK can be set to, for example, 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below). If for example you were to pick 192.168.0.0/24, every device with an IP in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On macOS set it to 192.168.65.0/24 (verify with your settings [Resources > Network > Docker subnet]). Do not add the docker bridge networks in this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example, VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp will block those ports on the VPN interface, so that there's no risk that they might be exposed to the world, and will allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing, already pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see the VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts, you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before the VPN is up), wg0-post.sh (after the VPN is up) or wg0-port.sh (after a forwarded port change).

  6. Auto retrieve a forwarded port and configure the supported app if set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port. Useful websites are YouGetSignal to check for open ports and ipleak.net to leak test with a .torrent file.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. NOT USED

  10. DANGEROUS! Don't enable unless you know what you are doing!

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before @ to the port after, with udp or tcp after the /. Ports in this list are also exposed on the WireGuard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or, if that is set to true, the forwarded port received from pia/proton (in more detail: it'll use the port from /config/wireguard/forwarded_port if VPN_AUTO_PORT_FORWARD is not set to false). Use the 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you do 6677@6677/tcp (same port), a redirect won't be added, but it'll just expose the port. A known use case as of right now is Plex and exposing it on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything else but 32400.

  16. Some of the possible values are for example wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com, separated by a ,. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver; this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non-existent TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the WireGuard init process or for an extended period during the container runtime.

  21. Set to true to enable Unbound when the VPN is not active.

  22. Some of the possible values are for example 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com, separated by a ,. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver; this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.
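A pre-flight check for the port syntax in annotations 2 and 15, added here as an example and not part of the image's own scripts: it parses a VPN_PORT_REDIRECTS value and reports ports that also appear in VPN_EXPOSE_PORTS_ON_LAN, since one list opens a port on the WireGuard interface and the other blocks it there. The function names are hypothetical, placing the forwarded port on the "before @" side is an assumed reading of annotation 15, and flagging either side of a redirect is a deliberately conservative choice.

```python
import re

# Entry grammar from annotations 2 and 15:
#   "3000@3001/tcp" static redirect; "32400/tcp" uses the forwarded port;
#   "6677@6677/tcp" same port on both sides: expose only, no redirect.
ENTRY = re.compile(r"^(?:(\d+)@)?(\d+)/(tcp|udp)$")


def _port(text):
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_redirects(value, forwarded_port=None):
    """Parse a VPN_PORT_REDIRECTS value into (src, dst, proto, kind) tuples."""
    rules = []
    for raw in filter(None, (e.strip() for e in value.split(","))):
        m = ENTRY.match(raw)
        if not m:
            raise ValueError(f"malformed entry: {raw!r}")
        src, dst, proto = m.group(1), _port(m.group(2)), m.group(3)
        if src is None:
            # Assumed reading: the forwarded port is the "before @" side.
            if forwarded_port is None:
                raise ValueError(f"{raw!r} needs a forwarded port")
            src = forwarded_port
        src = _port(src)
        kind = "expose" if src == dst else "redirect"
        rules.append((src, dst, proto, kind))
    return rules


def lan_conflicts(redirects, lan_value):
    """Ports used by a redirect that are also listed as LAN-only."""
    lan = set()
    for raw in filter(None, (e.strip() for e in lan_value.split(","))):
        m = ENTRY.match(raw)
        if not m or m.group(1):
            raise ValueError(f"malformed LAN entry: {raw!r}")
        lan.add((_port(m.group(2)), m.group(3)))
    hits = {(p, proto) for s, d, proto, _ in redirects for p in (s, d)
            if (p, proto) in lan}
    return sorted(hits)


if __name__ == "__main__":  # constructed sample values
    rules = parse_redirects("3000@3001/tcp,6677@6677/tcp,32400/tcp", 51234)
    print(rules, lan_conflicts(rules, "7878/tcp,3001/tcp"))
```

A non-empty result from lan_conflicts means the same port is listed both as LAN-only and as reachable through the tunnel; resolve that in the compose file before starting the container.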