Docker container for setting up a Privoxy proxy that pushes traffic over a ProtonVPN connection.
Build Docker image:
docker build -t walt3rl/proton-privoxy .Run Docker container:
docker run -d \
--device=/dev/net/tun --cap-add=NET_ADMIN \
-v /etc/localtime:/etc/localtime:ro \
-p 8888:8080 \
-e PVPN_USERNAME=my_protonvpn_openvpn_username \
-e PVPN_PASSWORD=my_protonvpn_openvpn_password \
--name proton-privoxy walt3rl/proton-privoxyOr with this docker-compose.yml:
---
version: "3"
services:
proton-privoxy:
image: walt3rl/proton-privoxy
container_name: proton-privoxy
environment:
- PVPN_USERNAME=xxxxxxxxxxxxxxxxxxxxxxxx
- PVPN_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxx
volumes:
- /etc/localtime:/etc/localtime:ro
ports:
- 8888:8080
restart: unless-stopped
devices:
- /dev/net/tun
cap_add:
- NET_ADMINThis will start a Docker container that
protonvpn CLI configurationTest:
curl --proxy http://127.0.0.1:8888 https://ipinfo.io/ipWhile not impossible, it is quite the networking feat to route traffic over specific VPN connections. With this Docker image you can run multiple containers, each setting up a different VPN connection which doesn't affect your host's networking. Routing traffic over a specific VPN connection is then as simple as configuring a target application's proxy server.
Run a container on one machine, and configure multiple devices on your network to connect to its proxy server. All connections that use that proxy server will be routed over the same VPN connection.
Why did I choose Privoxy? Mostly because it's the simplest HTTP proxy to configure, that I've used before.
UPDATE: This is no longer an issue, because Docker now allows
/etc/resolv.conf to be updated while a container is running. It's recreated
by Docker on container restart, but that doesn't matter, since ProtonVPN (and
DNS_SERVERS_OVERRIDE) will modify it during startup.
~Docker prevents containers from changing the servers used for DNS lookups, after startup. This prevents ProtonVPN from using its own leak protecting DNS server. In fact, at the moment it causes a non-fatal error in protonvpn.~
~Ensure that you're using privacy respecting DNS servers on your Docker host, or manually specify secure servers for the container via --dns options.~
You can set any of the following container environment variables with
docker run's -e options.
PVPN_USERNAME and PVPN_PASSWORDRequired. This is your ProtonVPN OpenVPN username and password. It's the
username and password you would normally provide to protonvpn init.
If you're using Docker Secrets, you can use PVPN_USERNAME_FILE and
PVPN_PASSWORD_FILE instead.
PVPN_TIERYour ProtonVPN account tier, called "your ProtonVPN Plan" in protonvpn init.
The value must be the number corresponding to your tier from the following
list (from protonvpn init):
0) Free
1) Basic
2) Plus
3) VisionaryDefault: 2
PVPN_PROTOCOLThe protocol that the OpenVPN tunnel will use. Corresponds to the -p flag of
the protonvpn CLI tool, and the "default OpenVPN protocol" prompt in the
protonvpn init process.
Default: udp
PVPN_CMD_ARGSAny arguments you want to pass to protonvpn. For example, if you want
protonvpn to connect to a random server, set this to "connect --random".
Remember the quotes.
See the protonvpn docs for supported commands and arguments.
Default: "connect --fastest" (Select the fastest ProtonVPN server.)
PVPN_DEBUGSet to 1 to log debugging details from protonvpn to the container's stdout.
Default: empty (debug logging disabled)
HOST_NETWORKIf you want to expose your proxy server to your local network, you need to
specify that network in HOST_NETWORK, so that it can be routed back through
your Docker network. E.g. if your LAN uses the 10.0.0.0/8 network, add
-e HOST_NETWORK=10.0.0.0/8 to your docker run command.
Default: empty (no network is routed)
DNS_SERVERS_OVERRIDEComma-separated list of DNS servers to use, overriding whatever was set by
ProtonVPN. For example, to use Quad9 DNS servers, set
DNS_SERVERS_OVERRIDE=9.9.9.9,149.112.112.112.
Default: empty (ProtonVPN's DNS server is used)