What are you running your containers on? I just put my VPN on the docker host so I could be sure I could use the firewall to block traffic from going out except over the VPN.
Linux
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
Have you had a look at binhex’s privoxyvpn docker container? Sounds similar to what you’re looking to do.
I'll look into it, thanks!
Idk anything about those softwares, but I would bet if you set up the hide.me client in a container you could add it to the same network in compose then configure all the other containers to use it as their gateway... I'm probably missing some details and you may need to rebuild all of your containers, or maybe just change the network settings in your compose yaml?
Each container, by default, runs in a separate network namespace. You can use docker CLI to create specific networks that can be shared with other containers, or use docker-compose for it. Technically, for processes outside containers you can still use the same network of that container by running the inside the network namespace of the 'VPN' container (for example running them with unshare). However, I wouldn't recommend this, as containers are supposed to run mostly isolated workload and not for this kind of use-case. But yeah, technically it's feasible.
Building images is easy enough. It's pretty similar to how you'd install or compile software directly on the host. Just write a Dockerfile that runs the hide.me install script. I found this repo and image which may work for you as is or as a starting point.
When you run the image as a container you can set it up as the network gateway, just find a tutorial on how to set up a Wireguard container and replace Wireguard with your hide.me container.
In terms of kill switches you'd have to see how other people have done it, but it's not impossible.
I found this repo and image which may work for you as is or as a starting point.
Wow I completely missed this one! This is exactly what I was planning to do! I actually installed the original repo because I'm not on arm, and it seem to work very well! I have to do a few tests to check if the killswitch actually works
thank you very very much!
I didn't even look to see if the one I linked was a fork. I'm glad it works!
A cool thing about Dockerfiles is that they're usually architecture agnostic. I think the one I linked is as well, meaning that the architecture is only locked in when the image is built for a specific one. In this case the repo owner probably only built it for arm machines, but a build for x86_64 should work as well.
It sounds like you want Qubes
isn't it an entire OS? I only need to bind the internet traffic of my container to the ones I want doing something like network_mode: container:myhidemecontainer
in docker compose
I think something like gluetun is more suited than a whole OS.
But i don't know the specifics of hide.me
Hide.me free tier does not allow unofficial clients (they doesn't give you the wireguard keys) otherwise I'd use gluetun for sure!
Fair enough. I got confused by their FAQ. They say Wireguard is supported on their free plan. But there is no config available with the keys, so you have to use their client to connect.
I recently registered an account and wanted to do something similar. Guess it isn't that easy then. Another possibility is to use protonvpn.com they also offer a free tier and you can connect any Wireguard client with that.
Or you switch protocols and use for example IKEv2 with strongswan or OpenVPN or whatever hide.me offers in addition to wireguard. I think gluetun also does OpenVPN. But hide.me isn't listed for some reason.
I used to use proton vpn but I recently learned that torrenting is not allowed on the free tier, so I had to look for alternatives, and none of them offers a free tier with openvpn or wireguard keys that allows torrenting :(
Ah, well I just learned about the existence of free vpn services. I'm going to use it to set up a free guest wifi, so the neighbors, guests (and I) can do whatever with it. But I also struggle with the setup. It's complicated to get the wireguard interface set up, the guest wifi isolated and set up the split routing and everything so the different wifis on the router forward the traffic over different services.
The risk if human error is too high. Docker isn't designed for security. What you want is Qubes. Its destined to do these things.