Question/Help: Expose containers using gluetun through traefik

[nithin-bose]

I have setup traefik on my server using docker compose. I am able to access services which are using the gluetun container. But my knowledge of IP tables/firewalls is pretty limited and wanted to know if what I am doing is secure or not.

I have traefik running with the following docker-compose.yml file:

version: "3.3"

services:
  traefik:
    image: "traefik:v2.5"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls.domains[0].main=your.domain.com"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.<your.domain.com>"
      - "--entrypoints.websecure.http.tls.certresolver=myresolver"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=duckdns"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=<your email address>"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    environment:
      - "DUCKDNS_TOKEN=<token>"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik-dashboard.your.domain.com`)"
      - "traefik.http.routers.traefik-dashboard.service=traefik-dashboard"
      - "traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080"

Note:
I am using duck DNS and am getting a lets encrypt certificate using DNS verification as the server is not accessible from the internet.

I have gluetun running with the following docker-compose.yml file:

version: "3.7"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    # command:
    volumes:
      - ./config:/gluetun
    environment:
      # More variables are available, see the Wiki table
      - OPENVPN_USER=<user>
      - OPENVPN_PASSWORD=<password>
      - VPNSP=surfshark
      - VPN_TYPE=openvpn
      - REGION=Germany Frankfurt am Main
      - SERVER_HOSTNAME=de-fra.prod.surfshark.com
      # Timezone for accurate logs times
      - TZ=<time zone>
      - FIREWALL_DEBUG=on
    labels:
      - "traefik.enable=true"
      # Gluetun Built-in HTTP control server
      - "traefik.http.routers.gluetun.rule=Host(`gluetun.your.domain.com`)"
      - "traefik.http.routers.gluetun.service=gluetun"
      - "traefik.http.services.gluetun.loadbalancer.server.port=8000"
      # Applications
      # Deluge
      - "traefik.http.routers.deluge.rule=Host(`deluge.your.domain.com`)"
      - "traefik.http.routers.deluge.service=deluge"
      - "traefik.http.services.deluge.loadbalancer.server.port=8112"      
    networks:
      - traefik_default
    restart: unless-stopped

networks:
  traefik_default:
    external: true

It is same same as the one in gluetun docs except for the networks and labels sections. Also note that neither the gluetun control server nor the deluge container ports are exposed to the host machine through the ports section instead they are added to traefik in the labels section.

There is nothing special about the deluge container it just uses network_mode: "container:gluetun" :

version: "3.7"
services:
  deluge:
    image: ghcr.io/linuxserver/deluge
    container_name: deluge
    network_mode: "container:gluetun"
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=<TZ>
      - DELUGE_LOGLEVEL=error #optional
    volumes:
      - ./config:/config
      - ./downloads:/downloads
    restart: unless-stopped

As far as I can see everything is working as it should.

My question mainly is, whether adding the gluetun container to the traefik network will cause any leaks or security issues.
Thanks!!

[qdm12]

Hi there!

It won't leak any traffic through the docker network.

Gluetun's firewall and routing are configured to:

• allow inbound connections from (mostly) everything except the tunnel (so docker networks, LAN, NOT VPN internet)
• only allow outbound connections through the tunnel

Now security wise, just make sure to not expose the http control server on the internet for now. I have plans to add authentication but for now it's just dumb in that aspect. I think there are (undocumented and unused for now) routes exposing the vpn settings including your VPN credentials so it's better to keep it local until I add authentication (probably with a v4 breaking change release).

[nithin-bose]

Thanks for the clarification.

As for the gluetun API, this setup is not exposed to the internet. I generally tend to use Authelia wherever I need auth.