Hey everyone! I'm currently setting up a Docker environment using Compose, and I'm really focusing on the networking part. I want to ensure that my containers are isolated from my home network, allowing them only to communicate with each other. However, a couple of them need to access virtual machines on my local LAN, and I also have one container that should establish a WireGuard VPN connection (with a killswitch) to a provider.
Right now, I'm thinking about running everything on a dedicated Docker network and having one container serve as a firewall/router/VPN gateway for the rest. Is there something like this available on Docker Hub, or would I need to create a solution with multiple containers? I'm eager to hear how you all have managed similar setups!
6 Answers
The gluetun Docker container is great for setting up a VPN connection with your provider. You can route all the other containers using the network_mode option for gluetun—it's pretty effective!
How do you plan to handle the killswitch? That’s crucial for ensuring your traffic is secure.
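The gluetun setup the two comments above describe, written out as an added example (it is not from the thread, nor gluetun's own sample). It assumes a custom WireGuard provider whose endpoint, keys and tunnel address are placeholders you replace with the config your provider issues, a home LAN of 192.168.1.0/24, and a hypothetical `app` service and image. The killswitch is gluetun's built-in firewall: it only allows traffic out through the tunnel interface, to the VPN endpoint itself, and to the subnets listed in `FIREWALL_OUTBOUND_SUBNETS`, so if the tunnel drops the app loses connectivity instead of falling back to the home network.

```yaml
# Added example (not from the thread): gluetun as a WireGuard gateway with
# killswitch, plus an application container that shares its network namespace.
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN                      # needed to bring up the tunnel and its firewall rules
    devices:
      - /dev/net/tun:/dev/net/tun      # required for OpenVPN, harmless for WireGuard
    environment:
      VPN_SERVICE_PROVIDER: custom     # or your provider's name as gluetun expects it
      VPN_TYPE: wireguard
      # Placeholders: copy these from the WireGuard config your provider issues.
      VPN_ENDPOINT_IP: "<provider-endpoint-ip>"
      VPN_ENDPOINT_PORT: "51820"
      WIREGUARD_PUBLIC_KEY: "<provider-public-key>"
      WIREGUARD_PRIVATE_KEY: "${WG_PRIVATE_KEY}"   # read from .env, keep it out of this file
      WIREGUARD_ADDRESSES: "10.64.0.2/32"          # constructed tunnel address
      # Killswitch: the firewall is on by default; leave it on. Only the tunnel,
      # the endpoint, and the subnets below are permitted out of the container.
      FIREWALL: "on"
      FIREWALL_OUTBOUND_SUBNETS: "192.168.1.0/24"  # LAN VMs are reached directly, not via the VPN
      # Inbound port allowed through gluetun's firewall on the Docker side;
      # must match the published port below.
      FIREWALL_INPUT_PORTS: "8080"
    ports:
      # Published on gluetun, not on the app, because the app has no network of its own.
      # Bound to loopback so the service is not reachable from the rest of the LAN.
      - "127.0.0.1:8080:8080"
    restart: unless-stopped

  app:                                  # hypothetical service name and image
    image: example/app:latest
    network_mode: "service:gluetun"     # all of app's traffic goes through gluetun's namespace
    depends_on:
      gluetun:
        condition: service_healthy      # gluetun's healthcheck fails while the tunnel is down
    restart: unless-stopped
```

gluetun logs the public IP it sees once the tunnel is up, which is the quickest check that the app's egress is the VPN and not your ISP address; a second check is that the app can reach a VM in 192.168.1.0/24 (allowed by `FIREWALL_OUTBOUND_SUBNETS`) while any other destination only works when the tunnel is up. Note that a service using `network_mode: "service:gluetun"` cannot also declare its own `networks:`; if it must sit on a particular Compose network, attach gluetun to that network instead.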
Using an internal Docker network for backends and creating a separate VLAN for standard access might be a good option as well. It keeps your sensitive containers separate while allowing necessary access.
One straightforward approach is to use internal networks for your backend services and reserve external networks only for containers that need internet access. This keeps things tidy and isolated where you need it.
Thanks for the helpful tip! That sounds like a good start. My main worry is solving the VPN tunnel and killswitch issue, and I also want to control the specific ports that get forwarded.
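The internal/external split from the answer above, carried through as an added example (not from the thread), including the port control the reply asks about. Service names, images and the Nginx config path are hypothetical; the only thing published to the host is the proxy, and it is bound to one host address rather than to every interface.

```yaml
# Added example (not from the thread): backend services on an internal network
# with no route out, only the proxy on the external network, and a single
# published port bound to a specific host address.
networks:
  backend:
    internal: true          # Docker adds no masquerade/default route: no host, LAN or internet access
  frontend:
    driver: bridge          # ordinary NAT'd bridge; only the proxy lives here

services:
  db:
    image: postgres:16      # hypothetical backend; reachable only from 'backend'
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets: [db_password]
    networks: [backend]

  app:
    image: example/app:latest   # hypothetical
    networks: [backend]
    # No 'ports:' here. 'expose' is documentation only: the backend network already
    # lets the proxy reach 8080, and nothing outside the network can.
    expose: ["8080"]

  proxy:
    image: nginx:stable
    networks: [frontend, backend]   # the only service that straddles both networks
    ports:
      # host IP : host port : container port. Binding to 127.0.0.1 keeps the
      # service off the LAN; use the host's LAN address if LAN clients need it.
      - "127.0.0.1:8443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro   # assumption: your proxy config

secrets:
  db_password:
    file: ./secrets/db_password.txt   # assumption: kept outside version control
```

Binding the host address explicitly matters because Docker installs published ports in its own `DOCKER` iptables chain in the FORWARD path, so host firewall INPUT rules (ufw and friends) do not govern them; what you write in `ports:` is the control. `ss -ltnp` on the host, or `docker compose port proxy 443`, shows exactly which address ended up listening. Keep in mind that `internal: true` also blocks the backend containers from reaching your LAN VMs, which is the isolation asked for in the question; the few containers that need the LAN belong on a separate network or behind a gateway container.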
Have you considered using Open vSwitch with its VLANs and tunnel features? It could give you that isolation while still allowing the necessary connections when set up properly.
I appreciate the suggestion! I’ll definitely check out Open vSwitch more closely.
If you haven't explored it yet, Docker's macvlan networks could enable your containers to get IPs from your local network, allowing direct LAN communication. Your idea of a dedicated firewall/router container sounds solid too; Nginx Proxy Manager might be useful for managing traffic rules.
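The macvlan approach from the answer above, as an added example (not from the thread). It assumes the host's LAN NIC is `eth0`, a LAN of 192.168.1.0/24 with a gateway at 192.168.1.1, and a block of addresses your DHCP server never hands out; the service names and images are hypothetical.

```yaml
# Added example (not from the thread): one container gets its own address on the
# home LAN via macvlan, everything else stays on an internal backend network.
networks:
  lan:
    driver: macvlan
    driver_opts:
      parent: eth0                     # assumption: the host NIC attached to the LAN (wired, not Wi-Fi)
    ipam:
      config:
        - subnet: 192.168.1.0/24       # constructed: your LAN subnet
          gateway: 192.168.1.1
          ip_range: 192.168.1.224/27   # carve out a range your DHCP server never assigns
  backend:
    internal: true

services:
  lan-facing:                          # hypothetical: the one container that must reach LAN VMs
    image: example/app:latest
    networks:
      lan:
        ipv4_address: 192.168.1.230    # fixed address inside ip_range
      backend: {}                      # still talks to the isolated services

  worker:                              # hypothetical: never leaves the backend network
    image: example/worker:latest
    networks: [backend]
```

Two caveats before relying on this. A macvlan container sits on the LAN with no Docker NAT in front of it, so for that container it is the opposite of isolation: keep the LAN-facing set small and treat each one as another host on your network. And the Docker host itself cannot reach macvlan containers through the parent interface (a kernel macvlan property), so if the host must talk to them you need a macvlan sub-interface on the host; most Wi-Fi drivers also refuse the extra MAC addresses, which is why the parent should be a wired NIC.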
Currently, I'm using one network with Nginx Proxy Manager for my services and another network for admin tasks, mostly tied to Tailscale. I've created onion services for some users, segregating inbound and outbound traffic using different onion connections.