Skip to content

engels74/overseerr-anime

GitHub ghcr.io

Maintained Replacement

Deprecated — do not use for new installs

engels74/overseerr-anime is deprecated and will not receive further updates. It is based on an old Overseerr anime-instance pull request and may contain unfixed CVEs inherited from the old Overseerr dependency stack.

Existing users should plan to migrate away from this image. Upstream Overseerr and Jellyseerr have merged into the maintained Seerr project, and new installs should use Seerr instead.

Read more: known CVE context

The final v1.34.0-era Overseerr Anime build contains axios 1.3.4. GitHub advisory GHSA-fvcv-3m26-pcqx tracks CVE-2026-40175, an Unrestricted Cloud Metadata Exfiltration vulnerability via a header injection chain. The advisory lists axios >=1.0.0 as vulnerable and >=1.15.0 as patched. This is separate from the axios package hijack incident.

Seerr patched this in v3.1.1 or later. The v3.1.1 release was published on 2026-04-13. This Docker image will not receive that dependency update.

What is this?

This was a fork of Hotio's overseerr Docker image that bundled the historical Anime Instance PR (#3664).

It was built using this fork of the PR. This page is kept for existing users who need to identify what they are running; it is not a recommendation to deploy the image.

Migration and alternatives

There is no exact drop-in replacement for this image today.

  • Recommended path: migrate to the official Seerr image and follow the Seerr migration guide.
  • Closest workaround: Redirecterr can route requests to different Sonarr/Radarr instances, but it is webhook-driven and can conflict with any existing Seerr/Overseerr webhook workflow.
  • Future built-in option: Seerr PR #2452 is intended to add routing-rule behavior. As of 2026-05-20, it is still open as a draft and has not been merged.

Branches and Tags

This project is no longer actively maintained.

Starting the container

Existing deployments only

The examples below are retained for existing users who need to identify or temporarily reproduce their current deployment. Do not use this image for new installs; use Seerr instead.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
docker run --rm \
    --name overseerr-anime \
    -p 5055:5055 \
    -e PUID=1000 \
    -e PGID=1000 \
    -e UMASK=002 \
    -e TZ="Etc/UTC" \
    -e WEBUI_PORTS="5055/tcp,5055/udp" \
    -v /<host_folder_config>:/config \
    ghcr.io/engels74/overseerr-anime

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
services:
  overseerr-anime:
    container_name: overseerr-anime
    image: ghcr.io/engels74/overseerr-anime
    ports:
      - "5055:5055"
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=Etc/UTC
      - WEBUI_PORTS=5055/tcp,5055/udp
    volumes:
      - /<host_folder_config>:/config

WireGuard

Info

This image includes VPN support. The cli/compose examples below are environment variables and settings complementary to the app image examples. This means you'll have to add/merge the stuff below with the stuff above, if you need VPN support (otherwise ignore). Don't forget to click the symbol for more info.

Useful website to check for open ports is portchecker.io and ipleak.net to leak test with a .torrent file.

In case you are still in need of a VPN, consider using my affiliate links for Proton VPN, Proton Unlimited or Private Internet Access.

Proton PIA

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
docker run --rm \
    --hostname="container-name.internal" \ #(18)!
    -e VPN_ENABLED="true" \ #(5)!
    -e VPN_CONF="wg0" \ #(8)!
    -e VPN_PROVIDER="generic" \ #(4)!
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)!
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)!
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)!
    -e VPN_AUTO_PORT_FORWARD="false" \ #(6)!
    -e VPN_PORT_REDIRECTS="" \ #(15)!
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)!
    -e VPN_NAMESERVERS="" \ #(16)!
    -e VPN_INTERFACE_PREFIXES="" \ #(9)!
    -e PRIVOXY_ENABLED="false" \ #(19)!
    -e UNBOUND_ENABLED="false" \ #(21)!
    -e UNBOUND_NAMESERVERS="" \ #(22)!
    --cap-add="NET_ADMIN" \
    ...

  1. The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other ports from your LAN. If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On MacOS set it to 192.168.65.0/24 (Verify with your settings [Resources > Network > Docker subnet]), you might also need to do -p 127.0.0.1:PORT:PORT (don't ask me why, Docker on Mac quirks I guess). Do not add the docker bridge networks in this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing already pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.
    Affiliate links:
    Proton VPN
    Proton Unlimited
    Private Internet Access

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before vpn is up), wg0-post.sh (after vpn is up) or wg0-port.sh (after forwarded port change).

  6. Auto retrieve a forwarded port and configure the supported app if set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. By default the prefixes list eth,enp is used to determine what the local docker networks are. If your setup uses another prefix, you can override the list with this variable.

  10. DANGEROUS! Don't enable unless you know what you are doing! This will allow all traffic meant for VPN_LAN_NETWORK configured networks to leave, instead of just the exposed ports. Possible usecase is using your own nameserver.

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before @ to the port after, with udp or tcp after the /. Ports in this list are also exposed on the wireguard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or if set to true the forwarded port received from pia/proton (In more detail: it'll use the port from /config/wireguard/forwarded_port if VPN_AUTO_PORT_FORWARD is not set to false). Use 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you do 6677@6677/tcp (same port), a redirect won't be added, but it'll just expose the port. A known usecase as of right now is Plex and exposing it on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything else but 32400.

  16. Some of the possible values are for example wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the Wireguard init process or for an extended period during the container runtime.

  21. Enable Unbound by setting to true when VPN is not active.

  22. Some of the possible values are for example 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
services:
  app:
    hostname: container-name.internal #(18)!
    environment:
      - VPN_ENABLED=true #(5)!
      - VPN_CONF=wg0 #(8)!
      - VPN_PROVIDER=generic #(4)!
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)!
      - VPN_LAN_LEAK_ENABLED=false #(10)!
      - VPN_EXPOSE_PORTS_ON_LAN #(2)!
      - VPN_AUTO_PORT_FORWARD=false #(6)!
      - VPN_PORT_REDIRECTS #(15)!
      - VPN_HEALTHCHECK_ENABLED=false #(20)!
      - VPN_NAMESERVERS #(16)!
      - VPN_INTERFACE_PREFIXES #(9)!
      - PRIVOXY_ENABLED=false #(19)!
      - UNBOUND_ENABLED=false #(21)!
      - UNBOUND_NAMESERVERS #(22)!
    cap_add:
      - NET_ADMIN
    ...

  1. The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other ports from your LAN. If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On MacOS set it to 192.168.65.0/24 (Verify with your settings [Resources > Network > Docker subnet]), you might also need to do -p 127.0.0.1:PORT:PORT (don't ask me why, Docker on Mac quirks I guess). Do not add the docker bridge networks in this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing already pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.
    Affiliate links:
    Proton VPN
    Proton Unlimited
    Private Internet Access

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before vpn is up), wg0-post.sh (after vpn is up) or wg0-port.sh (after forwarded port change).

  6. Auto retrieve a forwarded port and configure the supported app if set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. By default the prefixes list eth,enp is used to determine what the local docker networks are. If your setup uses another prefix, you can override the list with this variable.

  10. DANGEROUS! Don't enable unless you know what you are doing! This will allow all traffic meant for VPN_LAN_NETWORK configured networks to leave, instead of just the exposed ports. Possible usecase is using your own nameserver.

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before @ to the port after, with udp or tcp after the /. Ports in this list are also exposed on the wireguard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or if set to true the forwarded port received from pia/proton (In more detail: it'll use the port from /config/wireguard/forwarded_port if VPN_AUTO_PORT_FORWARD is not set to false). Use 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you do 6677@6677/tcp (same port), a redirect won't be added, but it'll just expose the port. A known usecase as of right now is Plex and exposing it on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything else but 32400.

  16. Some of the possible values are for example wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the Wireguard init process or for an extended period during the container runtime.

  21. Enable Unbound by setting to true when VPN is not active.

  22. Some of the possible values are for example 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
docker run --rm \
    --hostname="container-name.internal" \ #(18)!
    -e VPN_ENABLED="true" \ #(5)!
    -e VPN_CONF="wg0" \ #(8)!
    -e VPN_PROVIDER="proton" \ #(4)!
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)!
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)!
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)!
    -e VPN_AUTO_PORT_FORWARD="true" \ #(6)!
    -e VPN_PORT_REDIRECTS="" \ #(15)!
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)!
    -e VPN_NAMESERVERS="" \ #(16)!
    -e VPN_INTERFACE_PREFIXES="" \ #(9)!
    -e PRIVOXY_ENABLED="false" \ #(19)!
    -e UNBOUND_ENABLED="false" \ #(21)!
    -e UNBOUND_NAMESERVERS="" \ #(22)!
    --cap-add="NET_ADMIN" \
    ...

  1. The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other ports from your LAN. If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On MacOS set it to 192.168.65.0/24 (Verify with your settings [Resources > Network > Docker subnet]), you might also need to do -p 127.0.0.1:PORT:PORT (don't ask me why, Docker on Mac quirks I guess). Do not add the docker bridge networks in this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing already pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.
    Affiliate links:
    Proton VPN
    Proton Unlimited
    Private Internet Access

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before vpn is up), wg0-post.sh (after vpn is up) or wg0-port.sh (after forwarded port change).

  6. Auto retrieve a forwarded port and configure the supported app if set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. By default the prefixes list eth,enp is used to determine what the local docker networks are. If your setup uses another prefix, you can override the list with this variable.

  10. DANGEROUS! Don't enable unless you know what you are doing! This will allow all traffic meant for VPN_LAN_NETWORK configured networks to leave, instead of just the exposed ports. Possible usecase is using your own nameserver.

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before @ to the port after, with udp or tcp after the /. Ports in this list are also exposed on the wireguard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or if set to true the forwarded port received from pia/proton (In more detail: it'll use the port from /config/wireguard/forwarded_port if VPN_AUTO_PORT_FORWARD is not set to false). Use 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you do 6677@6677/tcp (same port), a redirect won't be added, but it'll just expose the port. A known usecase as of right now is Plex and exposing it on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything else but 32400.

  16. Some of the possible values are for example wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the Wireguard init process or for an extended period during the container runtime.

  21. Enable Unbound by setting to true when VPN is not active.

  22. Some of the possible values are for example 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
services:
  app:
    hostname: container-name.internal #(18)!
    environment:
      - VPN_ENABLED=true #(5)!
      - VPN_CONF=wg0 #(8)!
      - VPN_PROVIDER=proton #(4)!
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)!
      - VPN_LAN_LEAK_ENABLED=false #(10)!
      - VPN_EXPOSE_PORTS_ON_LAN #(2)!
      - VPN_AUTO_PORT_FORWARD=true #(6)!
      - VPN_PORT_REDIRECTS #(15)!
      - VPN_HEALTHCHECK_ENABLED=false #(20)!
      - VPN_NAMESERVERS #(16)!
      - VPN_INTERFACE_PREFIXES #(9)!
      - PRIVOXY_ENABLED=false #(19)!
      - UNBOUND_ENABLED=false #(21)!
      - UNBOUND_NAMESERVERS #(22)!
    cap_add:
      - NET_ADMIN
    ...

  1. The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other ports from your LAN. If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On MacOS set it to 192.168.65.0/24 (Verify with your settings [Resources > Network > Docker subnet]), you might also need to do -p 127.0.0.1:PORT:PORT (don't ask me why, Docker on Mac quirks I guess). Do not add the docker bridge networks in this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing already pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.
    Affiliate links:
    Proton VPN
    Proton Unlimited
    Private Internet Access

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before vpn is up), wg0-post.sh (after vpn is up) or wg0-port.sh (after forwarded port change).

  6. Auto retrieve a forwarded port and configure the supported app if set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. By default the prefixes list eth,enp is used to determine what the local docker networks are. If your setup uses another prefix, you can override the list with this variable.

  10. DANGEROUS! Don't enable unless you know what you are doing! This will allow all traffic meant for VPN_LAN_NETWORK configured networks to leave, instead of just the exposed ports. Possible usecase is using your own nameserver.

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before @ to the port after, with udp or tcp after the /. Ports in this list are also exposed on the wireguard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or if set to true the forwarded port received from pia/proton (In more detail: it'll use the port from /config/wireguard/forwarded_port if VPN_AUTO_PORT_FORWARD is not set to false). Use 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you do 6677@6677/tcp (same port), a redirect won't be added, but it'll just expose the port. A known usecase as of right now is Plex and exposing it on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything else but 32400.

  16. Some of the possible values are for example wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the Wireguard init process or for an extended period during the container runtime.

  21. Enable Unbound by setting to true when VPN is not active.

  22. Some of the possible values are for example 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
docker run --rm \
    --hostname="container-name.internal" \ #(18)!
    -e VPN_ENABLED="true" \ #(5)!
    -e VPN_CONF="wg0" \ #(8)!
    -e VPN_PROVIDER="pia" \ #(4)!
    -e VPN_LAN_NETWORK="192.168.1.0/24" \ #(1)!
    -e VPN_LAN_LEAK_ENABLED="false" \ #(10)!
    -e VPN_EXPOSE_PORTS_ON_LAN="" \ #(2)!
    -e VPN_AUTO_PORT_FORWARD="true" \ #(6)!
    -e VPN_PORT_REDIRECTS="" \ #(15)!
    -e VPN_HEALTHCHECK_ENABLED="false" \ #(20)!
    -e VPN_NAMESERVERS="" \ #(16)!
    -e VPN_INTERFACE_PREFIXES="" \ #(9)!
    -e VPN_PIA_USER="" \ #(11)!
    -e VPN_PIA_PASS="" \ #(11)!
    -e VPN_PIA_PREFERRED_REGION="" \ #(7)!
    -e VPN_PIA_DIP_TOKEN="" \ #(13)!
    -e VPN_PIA_PORT_FORWARD_PERSIST="false" \ #(14)!
    -e PRIVOXY_ENABLED="false" \ #(19)!
    -e UNBOUND_ENABLED="false" \ #(21)!
    -e UNBOUND_NAMESERVERS="" \ #(22)!
    --cap-add="NET_ADMIN" \
    ...

  1. The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other ports from your LAN. If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On MacOS set it to 192.168.65.0/24 (Verify with your settings [Resources > Network > Docker subnet]), you might also need to do -p 127.0.0.1:PORT:PORT (don't ask me why, Docker on Mac quirks I guess). Do not add the docker bridge networks in this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing already pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.
    Affiliate links:
    Proton VPN
    Proton Unlimited
    Private Internet Access

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before vpn is up), wg0-post.sh (after vpn is up) or wg0-port.sh (after forwarded port change).

  6. Auto retrieve a forwarded port and configure the supported app if set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. By default the prefixes list eth,enp is used to determine what the local docker networks are. If your setup uses another prefix, you can override the list with this variable.

  10. DANGEROUS! Don't enable unless you know what you are doing! This will allow all traffic meant for VPN_LAN_NETWORK configured networks to leave, instead of just the exposed ports. Possible usecase is using your own nameserver.

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before @ to the port after, with udp or tcp after the /. Ports in this list are also exposed on the wireguard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or if set to true the forwarded port received from pia/proton (In more detail: it'll use the port from /config/wireguard/forwarded_port if VPN_AUTO_PORT_FORWARD is not set to false). Use 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you do 6677@6677/tcp (same port), a redirect won't be added, but it'll just expose the port. A known usecase as of right now is Plex and exposing it on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything else but 32400.

  16. Some of the possible values are for example wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the Wireguard init process or for an extended period during the container runtime.

  21. Enable Unbound by setting to true when VPN is not active.

  22. Some of the possible values are for example 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
services:
  app:
    hostname: container-name.internal #(18)!
    environment:
      - VPN_ENABLED=true #(5)!
      - VPN_CONF=wg0 #(8)!
      - VPN_PROVIDER=pia #(4)!
      - VPN_LAN_NETWORK=192.168.1.0/24 #(1)!
      - VPN_LAN_LEAK_ENABLED=false #(10)!
      - VPN_EXPOSE_PORTS_ON_LAN #(2)!
      - VPN_AUTO_PORT_FORWARD=true #(6)!
      - VPN_PORT_REDIRECTS #(15)!
      - VPN_HEALTHCHECK_ENABLED=false #(20)!
      - VPN_NAMESERVERS #(16)!
      - VPN_INTERFACE_PREFIXES #(9)!
      - VPN_PIA_USER #(11)!
      - VPN_PIA_PASS #(11)!
      - VPN_PIA_PREFERRED_REGION #(7)!
      - VPN_PIA_DIP_TOKEN #(13)!
      - VPN_PIA_PORT_FORWARD_PERSIST=false #(14)!
      - PRIVOXY_ENABLED=false #(19)!
      - UNBOUND_ENABLED=false #(21)!
      - UNBOUND_NAMESERVERS #(22)!
    cap_add:
      - NET_ADMIN
    ...

  1. The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other ports from your LAN. If for example you were to pick 192.168.0.0/24, every device with an ip in the range 192.168.0.0 - 192.168.0.255 on your LAN is allowed access to the webui. On MacOS set it to 192.168.65.0/24 (Verify with your settings [Resources > Network > Docker subnet]), you might also need to do -p 127.0.0.1:PORT:PORT (don't ask me why, Docker on Mac quirks I guess). Do not add the docker bridge networks in this variable!

  2. If you need to expose ports on your LAN you can use VPN_EXPOSE_PORTS_ON_LAN. For example VPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp, will allow access to them from your LAN. Most images also have a WEBUI_PORTS environment variable that does basically the same thing already pre-filled with the default ports. Use WEBUI_PORTS if you need to change those defaults. The variable VPN_EXPOSE_PORTS_ON_LAN is mostly for extra ports, likely used when routing additional containers through this container's VPN connection.

  3. NOT USED

  4. Possible values are generic, proton and pia.
    Affiliate links:
    Proton VPN
    Proton Unlimited
    Private Internet Access

  5. There needs to be a file wg0.conf (for PIA this is done automatically, see VPN_PROVIDER variable) located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start. If you'd like to execute some of your own bash scripts you can place the scripts alongside your wg0.conf file, called wg0-pre.sh (before vpn is up), wg0-post.sh (after vpn is up) or wg0-port.sh (after forwarded port change).

  6. Auto retrieve a forwarded port and configure the supported app if set to true and VPN_PROVIDER=proton or VPN_PROVIDER=pia. If you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). If you set it to true and you've got VPN_PROVIDER=generic, you can manually create and manipulate the file /config/wireguard/forwarded_port.

  7. By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in /config/wireguard after the first start. If you're seeing an error message shuf: getrandom: Function not implemented, you can't let it pick one randomly and are forced to fill in a region id.

  8. With VPN_CONF you can set the name used for your WireGuard config.

  9. By default the prefixes list eth,enp is used to determine what the local docker networks are. If your setup uses another prefix, you can override the list with this variable.

  10. DANGEROUS! Don't enable unless you know what you are doing! This will allow all traffic meant for VPN_LAN_NETWORK configured networks to leave, instead of just the exposed ports. Possible usecase is using your own nameserver.

  11. When using VPN_PROVIDER=pia, fill in your username and password. A wg0.conf will be automatically downloaded.

  12. NOT USED

  13. Fill in your DIP token here, if you've bought the dedicated ip option.

  14. If you'd like to keep using the same forwarded port until it expires, set this to true.

  15. Adds a redirect from the port before @ to the port after, with udp or tcp after the /. Ports in this list are also exposed on the wireguard interface. Values like 32400/tcp without the @ will use the port from VPN_AUTO_PORT_FORWARD for the redirect or if set to true the forwarded port received from pia/proton (In more detail: it'll use the port from /config/wireguard/forwarded_port if VPN_AUTO_PORT_FORWARD is not set to false). Use 3000@3001/tcp,3002@3003/tcp syntax for static redirects. If you do 6677@6677/tcp (same port), a redirect won't be added, but it'll just expose the port. A known usecase as of right now is Plex and exposing it on the VPN (if you can't get 32400 from your VPN provider), because it's not possible to run Plex on anything else but 32400.

  16. Some of the possible values are for example wg, 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. The value wg will use the nameservers from the wg0.conf file. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.

  17. NOT USED

  18. If you want to use container hostnames to connect to other containers within a bridge network, you'll have to use --hostname and use container-name.internal or container-name.vpn. Currently .vpn is a non existing TLD, but that can change in the future. The TLD .internal should become the standard for internal networks, so it's the safest choice.

  19. This will start Privoxy on the default port 8118 when set to true. By default Privoxy is not exposed on the LAN, so if you need that, you'll have to add VPN_EXPOSE_PORTS_ON_LAN=8118/tcp.

  20. Enabling this will bring down the container if the connectivity tests fail at the end of the Wireguard init process or for an extended period during the container runtime.

  21. Enable Unbound by setting to true when VPN is not active.

  22. Some of the possible values are for example 8.8.8.8 or 1.1.1.1@853#cloudflare-dns.com seperated by a ,. A value in the format 8.8.8.8 is to use a plain old nameserver. A value in the format 1.1.1.1@853#cloudflare-dns.com will add a DNS over TLS nameserver, this will override all other regular nameservers. Leaving the variable empty will allow Unbound to work in recursive mode.