this post was submitted on 25 Jan 2024
28 points (86.8% liked)

Linux

48157 readers
644 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Hello! I have a free account at hide.me and would like to try to use it with my docker compose containers. The free plan does not give me the keys for openVPN of Wireguard configuration, but only through the official client. I'd like then to create a docker container that runs the official hide.me client inside, and exposes it to other docker containers (like gluetun does, for instance). I'd also like to implement a killswitch or something like that to prevent ip leakage. Is this something easy-medium hard or something very complex? I already have a script that installs and runs the client to enable vpn that should be run at startup, but I miss the "expose the network interface" and the "do not expose it if not connected" (this last part I think is pretty easy with a basic firewall configuration)

any tips/something already done?
thanks in advance!

EDIT: probably crazy idea, but would it be possible to do this in gluetun?

top 16 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 9 months ago

What are you running your containers on? I just put my VPN on the docker host so I could be sure I could use the firewall to block traffic from going out except over the VPN.

[–] [email protected] 2 points 9 months ago (1 children)

Have you had a look at binhex’s privoxyvpn docker container? Sounds similar to what you’re looking to do.

[–] [email protected] 2 points 9 months ago

I'll look into it, thanks!

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago)

Idk anything about those softwares, but I would bet if you set up the hide.me client in a container you could add it to the same network in compose then configure all the other containers to use it as their gateway... I'm probably missing some details and you may need to rebuild all of your containers, or maybe just change the network settings in your compose yaml?

[–] [email protected] 8 points 9 months ago

Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the 'VPN' container (for example running them with unshare). However, I wouldn't recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it's feasible.

[–] [email protected] 4 points 9 months ago (1 children)

Building images is easy enough. It's pretty similar to how you'd install or compile software directly on the host. Just write a Dockerfile that runs the hide.me install script. I found this repo and image which may work for you as is or as a starting point.

When you run the image as a container you can set it up as the network gateway, just find a tutorial on how to set up a Wireguard container and replace Wireguard with your hide.me container.

In terms of kill switches you'd have to see how other people have done it, but it's not impossible.

[–] [email protected] 4 points 9 months ago (1 children)

I found this repo and image which may work for you as is or as a starting point.

Wow I completely missed this one! This is exactly what I was planning to do! I actually installed the original repo because I'm not on arm, and it seem to work very well! I have to do a few tests to check if the killswitch actually works

thank you very very much!

[–] [email protected] 2 points 9 months ago

I didn't even look to see if the one I linked was a fork. I'm glad it works!

A cool thing about Dockerfiles is that they're usually architecture agnostic. I think the one I linked is as well, meaning that the architecture is only locked in when the image is built for a specific one. In this case the repo owner probably only built it for arm machines, but a build for x86_64 should work as well.

[–] [email protected] 5 points 9 months ago (1 children)

It sounds like you want Qubes

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (2 children)

isn't it an entire OS? I only need to bind the internet traffic of my container to the ones I want doing something like network_mode: container:myhidemecontainer in docker compose

[–] [email protected] 6 points 9 months ago* (last edited 9 months ago) (1 children)

I think something like gluetun is more suited than a whole OS.

But i don't know the specifics of hide.me

[–] [email protected] 3 points 9 months ago (1 children)

Hide.me free tier does not allow unofficial clients (they doesn't give you the wireguard keys) otherwise I'd use gluetun for sure!

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (1 children)

Fair enough. I got confused by their FAQ. They say Wireguard is supported on their free plan. But there is no config available with the keys, so you have to use their client to connect.

I recently registered an account and wanted to do something similar. Guess it isn't that easy then. Another possibility is to use protonvpn.com they also offer a free tier and you can connect any Wireguard client with that.

Or you switch protocols and use for example IKEv2 with strongswan or OpenVPN or whatever hide.me offers in addition to wireguard. I think gluetun also does OpenVPN. But hide.me isn't listed for some reason.

[–] [email protected] 2 points 9 months ago (1 children)

I used to use proton vpn but I recently learned that torrenting is not allowed on the free tier, so I had to look for alternatives, and none of them offers a free tier with openvpn or wireguard keys that allows torrenting :(

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago)

Ah, well I just learned about the existence of free vpn services. I'm going to use it to set up a free guest wifi, so the neighbors, guests (and I) can do whatever with it. But I also struggle with the setup. It's complicated to get the wireguard interface set up, the guest wifi isolated and set up the split routing and everything so the different wifis on the router forward the traffic over different services.

[–] [email protected] 2 points 9 months ago

The risk if human error is too high. Docker isn't designed for security. What you want is Qubes. Its destined to do these things.