Need advice on setting up an *arr stack with VPN

I would like to have my *arr apps on a single VM or LXC, all of which go through a VPN. My end goal is to have this deployable via Ansible so if something happens and I lose this setup, I can recreate it without much effort. What I don’t know is if I should do it all on a single VM, a single LXC, or split them across multiple LXCs. If anyone can help me understand the pros and cons for each path, that would be incredible!

Single VM: I believe this is straightforward in theory: I install an OpenVPN (or WireGuard) client, install all the apps, map network drives and set up my network to always use the VPN and, if the VPN is not available, turn on a kill switch.

Single LXC: Same as a single VM? Is there anything to watch out for? I thought containers were meant to run a single process/app, so what I’m doing seems wrong.

Multiple LXCs: Setting up the *arrs is simple, but how do I ensure all of these go through the VPN? How do I enable a kill switch? Do I need another container that helps with this? Is this where gluetun comes into the picture?

I’m not the greatest at network engineering and I really only have a basic understanding. I’m hoping that doing something like this will teach me more, because I don’t really know how to handle VPNs very well. Should I bother with Tailscale? Will it help me in any way?

Any help is appreciated, and thank you for your time reading (and replying). Apologies in advance if any of my assumptions are incorrect, I’m learning a lot doing this setup!

Edit: I ended up with a VM, and installed Docker and Portainer natively. Then I used gluetun and routed sabnzbdplus and qBittorrent through that. I also added Sonarr, Radarr and Prowlarr to it so far.

I tried with a Debian LXC with the AirVPN CLI. I got that to run on boot, but I didn’t want to install Docker there because it goes against Proxmox’s recommendation. Additionally, packages like sabnzbd are old and I didn’t want to deal with installing from source. I also ran into iptables issues which only got resolved on reboot and proved intimidating.

I also tried creating a standalone VPN tunnel LXC, but I was unable to set this up because my networking skills aren’t that good, and I think that way required me to have two NICs but my NUC only has one.

Now I am stuck figuring out how to add Traefik so I can access my network remotely. Might have to make a post asking for help on that front next…

BIG THANKS to every comment and suggestion! The weekend has me drained!!

Check out: https://yams.media/

It’s an all-in-one *arr stack with a built-in VPN via gluetun.
Really easy installation instructions and lots of help on Discord.

I run my *arr stack and qbittorrent-nox in an LXC with NordVPN’s Linux client.
The LXC has an NFS mount to my TrueNAS VM.
Each *arr service is owned by its own user, but is a member of the media group, which is matched to a media group on the NAS to make perms easier.
I have the VPN client’s kill switch active so none of the services or qBittorrent will be able to get out if the VPN is down.

Once again, not an expert but here goes.

I have OPNsense virtualized in Proxmox, and set up Proton VPN using WireGuard. As part of the setup you can define IPs or hosts that are permitted to use the VPN.

The above includes a kill switch and, this is important, the use of a DNS server provided by Proton to avoid DNS leaks.

Within Proxmox, I have 4 separate LXCs with static IPs, which themselves are the hosts that connect to Proton. These include the main applications of the stack.

I’ve seen setups that use Portainer and gluetun, but I preferred to go this route, to avoid having one component brick the entire system.

I’ve gone an extra step and put all these apps in their own VLAN with segregation, to ensure they don’t talk to other apps on my network, and are connected to the outside world only via Proton.

Honestly, there’s no right or wrong way; the one I use is simple to manage and low in system resources.

Single-service LXCs are how I run everything and definitely what I’d recommend. Backups are so simple to automate through the GUI, so if you cock something up or an update goes sideways, you can easily revert or reinstall that service (say, Sonarr, for example) without qBit, SABnzbd, Plex, Radarr, etc. being affected.

It may be a little more effort to set up that way, but not by much. The bulk of the effort of configuring everything to work as you want won’t really change no matter how you do it.

Lastly, I assume the VPN is for privacy/protection and not remote access. If it is the latter, install Tailscale and within 5 minutes you’ve got remote access to everything without opening a port.

If it is for privacy, then you should only need to configure it for your torrent client. The *arrs won’t need it, nor will Plex.

If you have questions, feel free to ask away.

  • Also, do it right: keep those LXCs unprivileged.

This tutorial seems to go over what you might want, but I haven’t tried it myself though: https://reddit.com/r/Proxmox/comments/p21zly/tutorial_how_to_set_up_a_watertight_openvpn/

  1. Use the Proxmox scripts to set up a Docker Alpine LXC (minimal overhead and resource use). Say yes when asked if you want to install Portainer.

  2. Use Portainer “stacks” (a GUI for Docker Compose files) to set up and run all the services in a single config (I can provide the config for mine if you’re interested), and also set up Watchtower separately to do updates for the containers.

The paths in the compose/stack file for data need to be set up first before starting the stack, as it’s super useful to have the same drives or folders available across the *arr stack.

I don’t use a VPN, but I do the multiple-LXC approach for my stack. Quick question: isn’t the VPN only for torrenting? If so, you can install the client on the qBittorrent LXC and bind the torrent client to the VPN interface (if the VPN is down, the client won’t work).

You could use a VPN on your router.

I have 11 apps for *arrs and other Plex server apps in one LXC in Docker Compose. VPN/qBit in another.

Just use Docker inside one VM or LXC. Every *arr app has its own official Docker container. For downloads just use any Docker container for your desired download source, like SABnzbd for Usenet or qBittorrent for torrents. For a secure VPN use the Docker container gluetun; it even has its own kill switch integrated.
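The gluetun arrangement this comment recommends, as an added example (not the commenter’s file and not from the gluetun project): a shell function that writes a small Compose stack in which qBittorrent has no network of its own, plus a check for the one mistake that silently defeats it. The provider, WireGuard values, LAN subnet and paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the gluetun project. Writes a
# minimal Compose stack in which qBittorrent shares gluetun's network namespace:
# it can only reach the internet through the tunnel, and gluetun's built-in
# firewall (its kill switch) drops everything else while the tunnel is down.
# Assumed values: WireGuard credentials in ./.env, LAN 192.168.1.0/24,
# media under /srv/media.
write_stack_compose() {
    dir=${1:-.}
    cat >"$dir/docker-compose.yml" <<'EOF'
services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=${VPN_PROVIDER}     # e.g. airvpn; set in .env
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=${WG_PRIVATE_KEY}  # from .env, never commit it
      - WIREGUARD_ADDRESSES=${WG_ADDRESSES}
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24 # assumed LAN, so the NAS is reachable from inside the tunnel namespace
    ports:
      - "8080:8080"   # qBittorrent's WebUI is published here because qBittorrent has no namespace of its own
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    network_mode: "service:gluetun"   # no tunnel, no network: this line is the kill switch
    depends_on:
      - gluetun
    environment:
      - WEBUI_PORT=8080
    volumes:
      - /srv/media/downloads:/downloads
    restart: unless-stopped

  sonarr:
    image: lscr.io/linuxserver/sonarr
    ports:
      - "8989:8989"
    volumes:
      - /srv/media:/media
    restart: unless-stopped
EOF
}

# Guard against giving the download client its own network or its own
# published ports (either would bypass the tunnel): the qbittorrent service
# must share gluetun's namespace and must not declare ports itself.
check_compose_isolation() {
    awk '
        /^  [a-z]+:$/ { svc = $1; sub(":", "", svc) }
        svc == "qbittorrent" && /network_mode: "service:gluetun"/ { shared = 1 }
        svc == "qbittorrent" && /^    ports:/ { own_ports = 1 }
        END { exit (shared && !own_ports) ? 0 : 1 }
    ' "$1"
}
```

Because qBittorrent lives in gluetun’s namespace, Sonarr reaches it as `gluetun:8080`, not `qbittorrent:8080`. After `docker compose up -d`, `docker inspect -f '{{.HostConfig.NetworkMode}}'` on the qBittorrent container should report `container:<gluetun container id>`; if it reports anything else, the client has its own network and the tunnel is not protecting it.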

reddit can eat shit

free luigi

Ttecksters has a WireGuard script, doesn’t he?

Also, Tailscale makes it really easy.

https://ibramenu.io is a script that will basically install everything to a VM or LXC. I used an Ubuntu LXC and installed all the apps to it. Works great.

I wouldn’t recommend OpenVPN over WireGuard these days. The performance and overhead are terrible in comparison. You can use Tailscale to set up the tunnel for you if it’s for personal use.

I have this setup in a VM with NordVPN, all on autoboot/autoconnect and backed up via PBS daily, as it would be pure pain setting all the interconnections up again. Works great.

If you’re using Jellyfin, Emby, Plex etc. with Proxmox you might need a privileged LXC if you want to use hardware transcoding.

It’s possible in some configurations with a VM or unprivileged LXC, but not all, and it’s definitely going to be a lot more work.

Just the *arr stack though? A single VM or LXC will work. If your LXC setup is like mine, you’ll have to manually modify its .conf file in order for it to run VPNs. VMs don’t have this issue.

How do I enable a kill switch?

Bind your BT client to your VPN adapter. You should only ever run a BT client this way for privacy.

Multiple LXC:

Honestly, I can’t think of a reason this would be useful. Gluetun is packaged as a Docker container, not an LXC.
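Binding the client to the VPN interface, as this comment and the earlier one about a qBittorrent LXC describe, stops it when the interface vanishes. An added belt-and-braces step, shown here as an example script that is not from the thread, is to make the host itself refuse to send anything outside the tunnel, so that a misconfigured client, a leaked DNS lookup or a tracker announce before the tunnel is up all hit the same drop rule. The interface name wg0, the endpoint 203.0.113.10 udp/51820 and the LAN 192.168.1.0/24 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. A host-level kill switch for a
# torrent client running directly in a VM or LXC with a WireGuard client, as a
# complement to binding the client to the VPN interface. Assumed values (not in
# the thread): tunnel interface wg0, VPN endpoint 203.0.113.10 udp/51820
# (documentation address), LAN 192.168.1.0/24 for the WebUI and the NFS mount.
# Output policy is drop, so when wg0 disappears the client has nowhere to go.
# The table is "inet", so IPv6 is covered too: only "oifname wg0" lets it out.

# Emit an nftables ruleset, applied atomically by nft -f. The first two lines
# create the table if missing and empty it, so re-running replaces the rules.
killswitch_rules() {
    vpn_if=$1
    ep_ip=$2
    ep_port=$3
    lan=$4
    cat <<EOF
table inet killswitch
flush table inet killswitch
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        oifname "$vpn_if" accept                    # everything inside the tunnel
        ip daddr $ep_ip udp dport $ep_port accept   # the WireGuard handshake itself
        ip daddr $lan udp dport 53 drop             # no DNS to the LAN router: resolver must sit behind $vpn_if
        ip daddr $lan tcp dport 53 drop
        ip daddr $lan accept                        # WebUI replies, NFS to the NAS
    }
}
EOF
}

# Load the ruleset; needs root and the nft binary (package nftables).
apply_killswitch() {
    killswitch_rules "$@" | nft -f -
}

# Which interface would carry a packet to a public address right now? With
# the tunnel up this must print the VPN interface; anything else means the
# default route is not the tunnel and only the drop policy is protecting you.
egress_iface() {
    ip -o route get "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}
```

Typical use: `apply_killswitch wg0 203.0.113.10 51820 192.168.1.0/24`, then `egress_iface 1.1.1.1` should print `wg0`, and qBittorrent’s "Network interface" option should also be set to wg0 so the two mechanisms agree. To survive a reboot, save the output of `killswitch_rules` to `/etc/nftables.conf` and enable `nftables.service`; bring the rules up before the torrent client, not after it.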

This is great to know! Maybe I’ll spin up a different LXC for this, because I worry I won’t learn much if I rely entirely on this. Unless I try to help with bug fixes and stuff, but I’ve historically rarely prioritized these things.

I have OPNsense virtualized in Proxmox, and set up Proton VPN using WireGuard. As part of the setup you can define IPs or hosts that are permitted to use the VPN.

The above includes a kill switch and, this is important, the use of a DNS server provided by Proton to avoid DNS leaks.

How do I learn to do this? I have OPNsense on its own router and I tried to set it up as a WireGuard network, but it blew up in my face and I do need working internet. So my idea is to move the VPN infrastructure to Proxmox where I’ll be using it the most, but I have no idea how to do this. If it’s a single VM/LXC, I can install the AirVPN Suite, and there are tools that let you have the VPN enabled on boot with a kill switch by default.

I got that far, but whenever I try to install SABnzbd with Podman on top of it, it doesn’t work (either iptables issues or Podman/network issues; the AirVPN Suite takes over DNS entirely and I don’t know enough about networking to troubleshoot). Maybe I should use an Ubuntu LXC instead because SABnzbd on the Ubuntu PPA is more up-to-date, or just install the older version natively and ditch Podman (but it’s tempting to have one compose file with the entire “stack”).

That’s a lot of rambling to request help, but that’s where I am on my homelab journey.

Are you accessing the service from the internet or only from your local network? If from the internet, how did you handle the DNS registration?