Running ProtonVPN in ZimaOS

Hi all,

I’m new to all this. Like really, really new. I bought a Zimacube with a very simple goal, to set up a media server with arr stacks on it. However, I quickly found I’m way over my head and have quickly found myself stuck at trying to set up a VPN to encrypt my internet data.

While I’m sure the answer is rather obvious, I’ve been struggling to piece it together.

My first guess was to install WireGuard-Easy, but I found that that isn’t exactly what I needed?

So I moved on to try and get things running through Gluetun first. I tried to import it through Docker compose, but in the end, I simply can’t get it to run. I’m sure there are things I need to change in the settings/compose file, but I’m a bit at a loss. The things I did try to change did not seem to work.

I did try to go down the path of using Portainer, but again, I can’t seem to understand what I need to be doing in it.

Even a nudge in the right direction would be insanely helpful! Thank you for your patience in advance!

I would love to be able to run ProtonVPN. I know proton supports WireGuard and OpenVPN. But my skills and knowledge are not at that level to setup a container yet.

Don’t stress, VPN + Docker is one of the most confusing first hurdles.

Quick clarity first:

• WireGuard-Easy = mainly for hosting your own VPN server (VPN into home)
• Gluetun = a VPN client container (routes apps like qBittorrent / arr stack through ProtonVPN)

So for your goal (ARR stack + encrypted outbound traffic), I believe Gluetun is the correct path

The simplest working approach

1. Get Gluetun running first (ProtonVPN credentials + server set)
2. Put apps you want behind VPN on the same Docker network
3. Route them via Gluetun using:

• network_mode: "service:gluetun" (most common + easiest)

About Portainer

On Portainer, don’t worry, you’re not missing anything obvious.

I believe the main confusion is that Portainer doesn’t make VPN easier, it’s just a UI that runs the same Docker Compose behind the scenes. So I suggest ignoring Portainer for now and getting Gluetun working first.

If you still want to use Portainer:

• go to Stacks
• paste your compose file
• click Deploy
• then check Containers > gluetun > Logs

If Gluetun won’t start

It’s usually one of these:

• ProtonVPN “VPN username/password” not the normal Proton login
• missing required env vars (country/server/protocol)
• missing permissions (CAP_NET_ADMIN)
• YAML indentation/spacing issues

If you paste your Gluetun compose + the first 30 lines of the logs, we can point to the exact issue and get you running fast.

Hi gelbuilding!

Thank you so much! Even your tips managed to get me just that little bit further to get this working!

Well, sort of. I used the below compose and for a time it made progress. It seeemed to be running in the background and doing something, but I uninstalled it to try and tweak a few things. However, when I try to install the same compose file, it no longer will allow me to import.

So at the moment, I do not have logs. I should have grabbed the logs when I got it running the first time, but I did not. I’m not sure what is going on?

However, a default compose with no edits will import. However, since it doesn’t have any edits, it obviously won’t run or work.

Yep, you were very close, and the fact it “worked once” is a huge clue: your compose is valid, but now ZimaOS is rejecting the import because of one of these common issues:

Why it won’t import now (most likely causes)

1. YAML indentation / formatting got broken

• ZimaOS’s compose importer is more strict than normal docker-compose.
• If you pasted it without proper spacing, it can reject it.

2. You included a raw WireGuard private key in a web UI

• Some platforms sanitize or reject values containing +, /, or =.
• Even though Docker would accept it, the UI import validator might fail.

3. Blank env vars

• You currently have:
  • - TZ=
  • - UPDATER_PERIOD=
• Some UIs fail validation when required fields are blank (even if Docker would allow it).

The fix: use the “safe” version of your compose

This version avoids UI-import issues, removes blank env vars, and uses the recommended Gluetun env names for ProtonVPN WireGuard.

Important: In a public forum post, you MUST remove the private key before posting.

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - "8888:8888/tcp"
      - "8388:8388/tcp"
      - "8388:8388/udp"
    volumes:
      - /DATA/AppData/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard

      # ProtonVPN WireGuard config
      - WIREGUARD_PRIVATE_KEY=PUT_YOUR_KEY_HERE
      - WIREGUARD_ADDRESSES=10.2.0.2/32

      # strongly recommended
      - TZ=Australia/Sydney
      - SERVER_COUNTRIES=Australia

Why this version imports reliably

• Quotes around ports (some validators require it)
• No empty values (TZ and UPDATER_PERIOD were blank)
• Uses a standard server selector so Gluetun actually connects

Most important ProtonVPN detail

ProtonVPN has two different logins:

What Gluetun needs:

• Proton “WireGuard config” private key (from Proton VPN app / dashboard)

What does NOT work:

• Your normal Proton account password
• Your “regular Proton login user/pass”

You’re doing WireGuard so you’re on the right track.

After it imports: the quickest way to confirm it’s working

Once deployed, check Gluetun logs.

You should see something like:

• “Wireguard connected”
• “Public IP: xxx.xxx.xxx.xxx”
• and no constant reconnect loops.

Next step (ARR stack routing)

Once Gluetun is stable, the easiest way to route an app through it is:

network_mode: "service:gluetun"

Example (qBittorrent behind VPN):

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Sydney
    volumes:
      - /DATA/AppData/qbittorrent:/config
      - /DATA/Downloads:/downloads

Final tip (very ZimaOS-specific)

If you “uninstalled” Gluetun but kept the old container name or network, the UI sometimes gets stuck.

Fix: change this:

container_name: gluetun

to:

container_name: gluetun2

Import again, if that works, it confirms ZimaOS had a name conflict.

If you want, paste what exact error ZimaOS shows during “import” (even just screenshot text), and I’ll write the exact corrected compose that will definitely deploy on ZimaOS.

Shoot. I didn’t realize that about the private key. Considering I can’t edit my previous post, I revoked the key from my account and got a new one.

But great news! Your solution worked! It seems like Gluetun is running now!

Before I progress to the next step of setting up a stack, I did have a question. How do I input the “network_mode: “service:gluetun”” into ZimaOS. Does it go as a seperate Compose file and installation of qBittorrent? Or would it go in the compose fine of gluetun (and does that mean I need to uninstall and reinstall?).

Where does network_mode: "service:gluetun" go?

It does NOT go inside the Gluetun container itself.

It goes inside the compose definition of the app you want routed through the VPN (qBittorrent, etc).

The key rule

To use:

network_mode: "service:gluetun"

Gluetun and qBittorrent must be in the SAME compose file (same stack).

Because service:gluetun only works when both services exist in the same Compose project.

So in ZimaOS, what should you do?

I suggest this approach:

Step 1, Keep Gluetun running (don’t break what’s working)

Since Gluetun is already running, you should not try to “bolt qBittorrent onto it separately”.

Step 2, Create ONE combined compose stack

In ZimaOS, you should create one Custom Compose app that contains:

• gluetun
• qbittorrent

in the same YAML file.

This is the cleanest and most reliable method.

Example: Gluetun + qBittorrent stack (copy/paste)

Use this exact structure:

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - "8080:8080"     # qBittorrent WebUI
      - "6881:6881/tcp" # qBittorrent incoming TCP
      - "6881:6881/udp" # qBittorrent incoming UDP
    volumes:
      - /DATA/AppData/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=PUT_YOUR_KEY_HERE
      - WIREGUARD_ADDRESSES=10.2.0.2/32
      - SERVER_COUNTRIES=Australia
      - TZ=Australia/Sydney

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Australia/Sydney
      - WEBUI_PORT=8080
    volumes:
      - /DATA/AppData/qbittorrent:/config
      - /DATA/Downloads:/downloads
    restart: unless-stopped

Why are qBittorrent ports under Gluetun?

Because when you use:

network_mode: "service:gluetun"

qBittorrent no longer has its own network interface, so all qBittorrent ports must be exposed via Gluetun.

This is the #1 part that confuses people, but it’s normal.

Do you need to uninstall/reinstall?

If Gluetun is installed alone right now:

Yes, you should replace it with the combined stack.

Because qBittorrent must exist in the same stack for service:gluetun to work.

Safest upgrade path:

1. Stop/remove the existing Gluetun app (but keep /DATA/AppData/gluetun)
2. Deploy the combined compose stack above
3. It will reuse the same config volume and continue working

Quick verification (important)

After deploying:

• Open qBittorrent:
  http://<zimacube-ip>:8080

Then verify traffic is going through VPN (you can also add a small IP-check container later if you want).

Also: if Gluetun drops, qBittorrent should lose internet too, that’s the safety benefit.

Thank you so, so much! I followed your steps, and it seems to be up and running with qBittorrent now as well.

The logs seems to be doing an odd thing where they refresh, but it doesn’t seem to be interfering with the actual network, and each time it refreshes, it says the connection is successful.

Here’s the log

I ran a quick bash code check for the container IP (docker inspect -f ‘{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}’ Gluetun) and it returned an IP that isn’t shown in the log but also isn’t shown as my current IP address outside of the container. So I assume it’s working?

But yes, downloading on qBittorrent is now working!

I will now try and see if I can get an arr stack running through Gluetun as awell, and then I should be good to go, I think?

Again, thank you so much for your help.

Nice work, this log looks healthy and I believe your VPN is working correctly.

Why the logs “refresh”

That’s normal. ZimaOS log viewer often auto-refreshes/reconnects, and Gluetun also outputs periodic status lines. The key is you are not seeing constant disconnect/reconnect loops.

Proof the VPN is active

This line confirms it:
Public IP address is 180.149.228.71 (Australia, Sydney ...)

That means Gluetun is on ProtonVPN, and since qBittorrent is using:
network_mode: "service:gluetun"
qBittorrent is also routed through the VPN.

Why docker inspect shows a different IP

docker inspect shows the internal Docker IP (172.x.x.x), not your public VPN IP. So it won’t match the log, and that’s expected.

Next step

Yes, you can now build the ARR stack.

I suggest routing only these through Gluetun:

• qBittorrent (yes)
• Prowlarr (optional)

Keep these normal (no VPN needed):

• Sonarr / Radarr / Bazarr

You’re basically past the hardest part.

I’m sorry to bother you one more time, but it appears that I cannot get Sonarr or Radarr to see Prowlarr. Every time I try to get Prowlarr to connect to Sonarr, the connection times out.

More specifically, Prowlarr spits out: “Invalid request Validation failed: – BaseUrl: Unable to complete application test, cannot connect to Sonarr. Http request timed out”

What I’ve tried:

1. Installing Sonarr and Radarr as individual containers separate from each other and from the Gluetun Network Compose.
2. Integrating Sonarr and Radarr into the Gluetun Network compose, but keeping them independent from the Gluetun network service
3. Integrating Sonarr and Radarr into the Gluetun network compose and making them rely on Gluetun’s network.

None of these seem to work. It will consistently time out the connection, and occasionally Prowlar will timeout for an index test as well.

I have also tried to set the url to localhost and the container names (radarr:7878 for instance) and those immediately fail.

I’m sure there is something obvious I am missing here, but my research is coming up short.

I’m sorry to bother you one more time, but it appears that I cannot get Sonarr or Radarr to see Prowlarr. Every time I try to get Prowlarr to connect to Sonarr, the connection times out.

More specifically, Prowlarr spits out: “Invalid request Validation failed: – BaseUrl: Unable to complete application test, cannot connect to Sonarr. Http request timed out”

What I’ve tried:

1. Installing Sonarr and Radarr as individual containers separate from each other and from the Gluetun Network Compose.
2. Integrating Sonarr and Radarr into the Gluetun Network compose, but keeping them independent from the Gluetun network service
3. Integrating Sonarr and Radarr into the Gluetun network compose and making them rely on Gluetun’s network.

None of these seem to work. It will consistently time out the connection, and occasionally Prowlar will timeout for an index test as well.

I have also tried to set the url to localhost and the container names (radarr:7878 for instance) and those immediately fail.

I’m sure there is something obvious I am missing here, but my research is coming up short.

EDIT: I reloaded the entire ARR stack into the Gluetun network stack, including them into the VPN, and now it just works. For now. Hopefully. Although I know it’s not necessary to keep them in the VPN, I’m wondering if having them out of the VPN was keeping them from communicating.

No bother at all, we are here to help.

I believe what you’re seeing is the classic Docker networking gotcha: containers can only talk to each other by name when they share the same Docker network.

Why it timed out

• If Prowlarr is in the Gluetun stack/network, but Sonarr/Radarr are deployed as separate apps/stacks, they are often placed on a different Docker network.
• In that case, sonarr:8989 or radarr:7878 will never resolve, and you’ll get timeouts.
• localhost also won’t work (unless the apps share the same network namespace), because localhost inside a container refers to itself.

Why putting everything “inside Gluetun” suddenly worked

Because everything ended up on the same network, so they could finally see each other.

The correct clean setup (recommended)

I suggest this layout:

1. Keep Gluetun + qBittorrent routed through VPN using:
   network_mode: "service:gluetun"
2. Run Sonarr/Radarr/Prowlarr normally (not behind VPN), but make sure they all share the same Docker network.

Then in Prowlarr add apps using:

• http://sonarr:8989
• http://radarr:7878

If you want the quickest fix

Put Sonarr + Radarr + Prowlarr in the same compose stack (same YAML) so they share the same network automatically.

That will stop the timeouts immediately without needing to force everything through the VPN.

Hi @gelbuilding

I too have been trying to get Gluetun up and running (for the purpose of eventually trying qBittorrent). I am not importing a compose file but rather trying to setup the container app from the App Store. (Though I tried that too with the same results)

When I saved my container settings I was met with “container gluetun2 is unhealthy”

Not sure exactly sure where I’m going wrong. I use Surfshark and included my private key and VPN server IP address provided by Surfshark in my settings.

2026-05-23_19-04-22776×2367 144 KB

When I run the logs for Gluetun it says…
“Wireguard settings: private key is not set”

I have added the key but I seem unable to generate a key without the “=” character.
You mentioned earlier in this thread that this could be problematic?

Any suggestions or direction would be greatly appreciated.

Thank you

I tried yet another Private Key and I DO believe from the logs that it IS running…

Running version v3.41.1 built on 2026-02-11T14:22:29.184Z (commit 7f22fb3)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2026-05-24T10:40:43+10:00 INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.6 and family v4
2026-05-24T10:40:43+10:00 INFO [routing] local ethernet link found: eth0
2026-05-24T10:40:43+10:00 INFO [routing] local ipnet found: 172.17.0.0/16
2026-05-24T10:40:43+10:00 INFO [firewall] enabling...
2026-05-24T10:40:43+10:00 INFO [firewall] enabled successfully
2026-05-24T10:40:44+10:00 INFO [storage] merging by most recent 20901 hardcoded servers and 20901 servers read from /gluetun/servers.json
2026-05-24T10:40:44+10:00 INFO Alpine version: 3.22.3
2026-05-24T10:40:44+10:00 INFO OpenVPN version: 2.6.16
2026-05-24T10:40:44+10:00 INFO IPtables version: v1.8.11
2026-05-24T10:40:44+10:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: surfshark
|   |   └── Server selection settings:
|   |       ├── VPN type: wireguard
|   |       ├── Countries: australia
|   |       └── Wireguard selection settings:
|   └── Wireguard settings:
|       ├── Private key: aNF...nc=
|       ├── Interface addresses:
|       |   └── 10.14.0.2/16
|       ├── Allowed IPs:
|       |   ├── 0.0.0.0/0
|       |   └── ::/0
|       └── Network interface: tun0
|           └── MTU: 1320
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   ├── DNS forwarder server enabled: yes
|   ├── Upstream resolver type: dot
|   ├── Upstream resolvers:
|   |   └── cloudflare
|   ├── Caching: yes
|   ├── IPv6: no
|   ├── Update period: every 24h0m0s
|   └── DNS filtering settings:
|       ├── Block malicious: yes
|       ├── Block ads: no
|       └── Block surveillance: no
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target addresses:
|   |   ├── cloudflare.com:443
|   |   └── github.com:443
|   ├── Small health check type: ICMP echo request
|   |   └── ICMP target IPs:
|   |       ├── 1.1.1.1
|   |       └── 8.8.8.8
|   └── Restart VPN on healthcheck failure: yes
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: australia/sydney
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2026-05-24T10:40:44+10:00 INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.6 and family v4
2026-05-24T10:40:44+10:00 INFO [routing] adding route for 0.0.0.0/0
2026-05-24T10:40:44+10:00 INFO [firewall] setting allowed subnets...
2026-05-24T10:40:44+10:00 INFO [routing] default route found: interface eth0, gateway 172.17.0.1, assigned IP 172.17.0.6 and family v4
2026-05-24T10:40:44+10:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2026-05-24T10:40:44+10:00 INFO [healthcheck] listening on 127.0.0.1:9999
2026-05-24T10:40:44+10:00 INFO [http server] http server listening on [::]:8000
2026-05-24T10:40:44+10:00 INFO [firewall] allowing VPN connection...
2026-05-24T10:40:44+10:00 INFO [wireguard] Using available kernelspace implementation
2026-05-24T10:40:44+10:00 INFO [wireguard] Connecting to 149.88.101.17:51820
2026-05-24T10:40:44+10:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2026-05-24T10:40:45+10:00 INFO [dns] downloading hostnames and IP block lists
2026-05-24T10:40:49+10:00 INFO [dns] DNS server listening on [::]:53
2026-05-24T10:40:50+10:00 INFO [dns] ready
2026-05-24T10:40:54+10:00 INFO [ip getter] Public IP address is 149.88.101.18 (Australia, New South Wales, Sydney - source: ipinfo+ifconfig.co+ip2location+cloudflare)
2026-05-24T10:40:56+10:00 INFO [vpn] You are running the latest release v3.41.1
Jon@ZimaOS:~ ➜ $

But when I try to open Gluetun I get the following…

2026-05-23_19-45-35833×530 62.7 KB

Is this normal?

From the logs you’ve posted, I actually think Gluetun is working correctly now.

The important lines are:

Private key: aNF...nc=

and:

Public IP address is 149.88.101.18 (Australia, New South Wales, Sydney)

That tells us Gluetun is reading your WireGuard key and has successfully connected to Surfshark.

The = character is normal in WireGuard keys, so that doesn’t appear to be causing a problem.

As for the “Service Unavailable” page, I believe that’s expected. Gluetun is primarily a VPN container and doesn’t provide a normal web UI like qBittorrent, Sonarr or Radarr. The ZimaOS tile can still show an “Open” button, but there isn’t really a user interface behind it.

Based on the logs, I would focus on whether applications routed through Gluetun can access the internet rather than whether the Gluetun tile opens successfully.

From what you’ve posted so far, I believe the VPN tunnel itself is up and running correctly.

Thanks for the info @gelbuilding .

As far as routing applications through Gluetun, take qBittorrent for instance, is it just a matter of selecting “gluetun” in the Network dropdown of the qBittorrent container settings?

2026-05-24_0-43-38785×2191 71.1 KB

I have qBittorrent setup and running, but not quite sure how to test what IP address its using (VPN or ISP)
Would also like to test downloading a torrent file, but one step at a time.

Thanks again.

You’re welcome

Yes, based on your screenshot, selecting “gluetun” in the Network dropdown is exactly what I’d expect if you want qBittorrent to share Gluetun’s network stack.

An easy way to verify it’s working is to use qBittorrent’s built-in IP checker:

Settings > Advanced > Network Interface

If tun0 appears, that’s usually a good sign the VPN interface is available.

You can also add a Linux ISO torrent and watch the Gluetun logs while it’s active. If Gluetun remains connected and qBittorrent can download, then traffic is almost certainly flowing through the VPN.

Looking at your latest Gluetun logs, I believe the VPN tunnel itself is already established successfully, so you’re very close to having the full setup working.

The Gluetun logs look good.

But when I run the qBittorrent logs it says “VPN_ENABLED=false”

2026-05-24_1-24-21613×467 7.79 KB

When I check
Settings > Advanced > Network Interface
There are only 2 choices lo and eth0
No tun0

I feel like I am really close and, as usual, there is something I may be overlooking.

You’re definitely close

The clue is here:

VPN_ENABLED=false

and the fact that qBittorrent only sees:

• lo
• eth0

with no tun0.

That suggests qBittorrent is not actually using Gluetun’s network stack yet, even though you’ve selected “gluetun” in the Network dropdown.

Looking at your screenshot, can you confirm:

1. qBittorrent was completely restarted after changing the network to Gluetun?
2. The Gluetun container was already running and healthy before qBittorrent started?
3. In Docker/ZimaOS, does qBittorrent show it is attached to the gluetun network, or is it still attached to the default bridge network as well?

If qBittorrent is truly sharing Gluetun’s network stack, I’d expect to see the VPN interface available inside the container. Right now the logs suggest qBittorrent is still using its own normal network namespace.

Can you post a screenshot of the qBittorrent network settings page and the container summary page after saving the network change? That should reveal what’s being missed.

Yes for both 1 and 2.
Not entirely sure about 3. Other than the qBittorrent settings I posted earlier, I’m not sure where else to look and check to see if it is actually attached to the Gluetun network or not.

The logs for qBittorrent show that Wireguard successfully started…

2026-05-24_2-12-431841×559 52.5 KB