Need advice on setting up an *arr stack with VPN : r/Proxmox

Question

I would like to have my *arr apps on a single VM or LXC, all of which goes through a VPN. My end goal is to have this deployable via ansible so if something happens and I lose this setup, I can recreate it without much effort. What I don’t know is if I should do it all on a single VM, single LXC, or split them across multiple LXCs. If anyone can help me understand the pros and cons for each path that would be incredible!

Single VM: I believe this is straightforward in theory - I install an OpenVPN (or WireGuard) client, install all the apps, map network drives and set up my network to always use the VPN, and if the VPN is not available then turn on a kill switch.

Single LXC: Same as single VM? Is there anything to watch out for? I thought containers were to run a single process / app, so what I’m doing seems wrong.

Multiple LXC: Setting up the *arr is simple, but how do I ensure all of these go through the VPN? How do I enable a kill switch? Do I need another container that helps with this? Is this where gluetun comes into the picture?

I’m not the greatest at network engineering and I really only have a basic understanding. I’m hoping that doing something like this will teach me more because I don’t really know how to handle VPNs very well. Should I bother with Tailscale? Will it help me in any way?

Any help is appreciated, and thank you for your time reading (and replying). Apologies in advance if any of my assumptions are incorrect, I'm learning a lot doing this setup!

Edit: I ended up with a VM, and installed Docker and Portainer natively. Then I used gluetun and routed sabnzbdplus and qbittorrent through that. I also added sonarr, radarr and prowlarr to it so far.

I tried with a Debian LXC with the AirVPN CLI. I got that to run on boot but I didn’t want to install Docker there because it goes against the Proxmox recommendation. Additionally, packages like sabnzbd are old and I didn’t want to deal with installing from source. I also ran into iptables issues which only got resolved on reboot and proved intimidating.

I also tried creating a standalone VPN tunnel / LXC but I was unable to set this up because my networking skills aren’t that good, and I think that way required me to have two NICs but my NUC only has one.

Now I am stuck figuring out how to add traefik so I can access my network remotely. Might have to make a post asking for help on that front next…

BIG THANKS to every comment and suggestion! The weekend has me drained!! 😮‍💨


Check out: https://yams.media/

It's an all-in-one *arr stack with a built-in VPN via gluetun. Real easy installation instructions and lots of help on Discord.

This is great to know! Maybe I'll spin up a different LXC for this, because I worry I won't learn much if I entirely rely on this. Unless I try to help with bugfixes and stuff, but I've historically rarely prioritized these things.


Once again, not an expert but here goes.

I have OPNsense virtualized in Proxmox, and set up Proton VPN using WireGuard. As part of the setup you can define IPs or hosts that are permitted to use the VPN.

The above includes a kill switch and, this is important, the use of a DNS server provided by Proton to avoid DNS leaks.

Within Proxmox, I have 4 separate LXCs with static IPs, which themselves are the hosts that connect to Proton. These include the main applications of the stack.

I’ve seen setups that use Portainer and gluetun but I preferred to go this route, to avoid having one component brick the entire system.

I’ve gone an extra step and put all these apps in their own VLAN with segregation, to ensure they don’t talk to other apps on my network, and are connected to the outside world only via Proton.

Honestly there’s no right or wrong way; the one I use is simple to manage, and low in system resources.

> I have OPNsense virtualized in Proxmox, and set up Proton VPN using WireGuard. As part of the setup you can define IPs or hosts that are permitted to use the VPN.
>
> The above includes a kill switch and, this is important, the use of a DNS server provided by Proton to avoid DNS leaks.

How do I learn to do this? I have OPNsense on its own router and I tried to set it up as a WireGuard network but it blew up in my face, and I do need working internet. So my idea is to move the VPN infrastructure to Proxmox where I'll be using it the most, but I have no idea how to do this. If it's a single VM / LXC, I can install the AirVPN Suite and there are tools that let you have the VPN enabled on boot with a kill switch by default.

I got that far, but whenever I try to install sabnzbd with podman on top of it, it doesn't work (either iptables issues or podman / network issues; the AirVPN Suite takes over the DNS entirely and I don't know enough about networking to troubleshoot). Maybe I should use an Ubuntu LXC instead because sabnzbd on the Ubuntu PPA is more up-to-date, or just install the older version natively and ditch podman (but it's tempting to have one compose file with the entire "stack").

That's a lot of rambling to request help, but that's where I am on my homelab journey.


Single-service LXCs are how I run everything and definitely what I'd recommend. Backups are so simple to automate through the GUI, so if you cock something up or an update goes sideways, you can easily revert or reinstall that service (say, sonarr for example) without qbit, sabnzbd, Plex, radarr, ..., etc. being affected.

It may be a little more effort to set up that way, but not by much. The bulk of the effort of configuring everything to work as you want won't really change no matter how you do it.

Lastly, I assume the VPN is for privacy/protection and not remote access. If it is the latter, install Tailscale and within 5 minutes you've got remote access to everything without opening a port.

If it is for privacy, then you should only need to configure it for your torrent client. The *arrs won't need it, nor will Plex.

If you've got questions, feel free to ask away.

  • Also, do it right. Keep those LXCs unprivileged 😉

> It may be a little more effort to set up that way, but not by much. The bulk of the effort of configuring everything to work as you want won't really change no matter how you do it.

I'm more than happy to go this route but this is the part I'm struggling with. Do I have a "VPN" LXC and is that gluetun? How do I tell Proxmox / another LXC to use this "VPN LXC" for all traffic? I just don't know how to connect the pipes if I were to go the multiple LXC route.


This tutorial seems to go over what you might want, but I haven’t tried it myself though: https://reddit.com/r/Proxmox/comments/p21zly/tutorial_how_to_set_up_a_watertight_openvpn/

  1. Use the Proxmox scripts to set up a Docker Alpine LXC (minimal overhead and resource use). Say yes when asked if you want to install Portainer.

  2. Use Portainer "stacks" (a GUI for Docker Compose files) to set up and run all the services in a single config (I can provide the config for mine if you're interested), and also set up Watchtower separately to do updates for the containers.

The paths in the compose/stack file for data need to be set up first before starting the stack as it's super useful to have the same drives or folders available across the *arr stack.


If you're using Jellyfin, Emby, Plex etc. with Proxmox you might need a privileged LXC if you want to use hardware transcoding.

It's possible in some configurations with a VM or unprivileged LXC but not all, and it's definitely going to be a lot more work.

 

Just the *arr stack though? Single VM or LXC will work. If your LXC setup is like mine you'll have to manually modify its .conf file in order for it to run VPNs. VMs don't have this issue.

 

> How do I enable a kill switch?

Bind your BT client to your VPN adapter. You should only ever run a BT client this way for privacy.

> Multiple LXC:

Honestly can't think of a reason this would be useful. Gluetun is packaged as a Docker container, not an LXC.
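Putting together the Portainer "stacks" step above and the kill-switch question, here is an added Docker Compose example. It is not a file from this thread, from the OP, or from the gluetun project. qBittorrent and SABnzbd share gluetun's network namespace, so every packet they send leaves through the WireGuard tunnel; gluetun's own firewall (on by default) drops anything that would leave outside the tunnel, which is the kill switch; and Sonarr stays on the normal Docker bridge, as the earlier comment suggests the *arrs don't need the VPN. The provider name, key, tunnel address, LAN subnet and paths are placeholders to replace with your own.

```yaml
# Added example compose stack (not from the thread). Placeholders are marked.
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN                       # needed to bring up the tunnel and write firewall rules
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=airvpn     # placeholder: your provider's name as listed in the gluetun wiki
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=REPLACE_ME          # placeholder: from your provider's WireGuard config
      - WIREGUARD_ADDRESSES=10.0.0.2/32           # placeholder: tunnel address from that config
      - SERVER_COUNTRIES=Netherlands              # placeholder
      # Kill switch: gluetun's firewall only lets traffic out via the tunnel.
      # FIREWALL=on is already the default; it is spelled out so the intent is visible.
      - FIREWALL=on
      # Lets the tunneled apps reach hosts on your LAN (placeholder subnet) directly.
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - DOT=on                                    # DNS over TLS through the tunnel, avoids DNS leaks
    ports:
      # Published on gluetun because the two clients below live in its network namespace.
      - 8080:8080   # SABnzbd web UI
      - 8081:8081   # qBittorrent web UI (WEBUI_PORT below)
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    network_mode: "service:gluetun"    # no tunnel, no network: this is the kill switch in practice
    depends_on:
      - gluetun
    environment:
      - PUID=1000
      - PGID=1000
      - WEBUI_PORT=8081                # moved off 8080 so it does not collide with SABnzbd
    volumes:
      - /srv/config/qbittorrent:/config   # placeholder paths
      - /srv/media:/data
    restart: unless-stopped

  sabnzbd:
    image: lscr.io/linuxserver/sabnzbd
    container_name: sabnzbd
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - /srv/config/sabnzbd:/config       # placeholder paths
      - /srv/media:/data
    restart: unless-stopped

  sonarr:
    image: lscr.io/linuxserver/sonarr
    container_name: sonarr
    # Stays on the default compose network. In Sonarr's download-client settings,
    # the host for qBittorrent is "gluetun" and the port 8081, since gluetun owns that namespace.
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - /srv/config/sonarr:/config        # placeholder paths
      - /srv/media:/data
    ports:
      - 8989:8989
    restart: unless-stopped
```

Two practical checks once it is up: open a shell in the qbittorrent container and confirm its public IP is the VPN exit, not your ISP address, and then stop the gluetun container and confirm the client loses connectivity entirely rather than falling back to the host's network. One caveat for the Watchtower step: when gluetun is recreated (for example by an image update), containers attached with `network_mode: "service:gluetun"` are still pointed at the old namespace and must be restarted as well.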
