GuidableMulch

Trying to get VPN working on both host and in a Docker container

Hi, hope everyone's good.

I'm looking for some help allowing docker container VPNs to run while my host VPN is connected. I've hit the limit of my networking knowledge, internet sleuthing and LLM advice.

Basically, my container VPNs work until I connect the host VPN. I can't get both working at the same time.

Apologies for the huge dump of info below, I thought I'd include anything possibly useful.

 

Reason

I want a host VPN running for general use by all my non-Docker applications, and to be able to easily switch servers using a UI (Eddie). I want different Docker VPNs for use by specific containers.
 

Setup

Host: Debian 12 connected to AirVPN with Eddie
Containers: Docker-compose Gluetun containers running NordVPN and AirVPN

 

Current State

The container VPNs work when the host VPN is disconnected (and Network Lock is off). I've been focusing on the NordVPN one (called 'gluetun_nordvpn') to avoid possible conflicts with running AirVPN on both host and container muddying the waters.
As soon as I connect using Eddie, the containers lose their connection. If I start with Eddie connected then start the containers, they can't connect.

My approach:

  • Gluetun connects to various places when it starts:
    • The configured DNS server (9.9.9.9)
    • cloudflare.com as a healthcheck
    • ipinfo.io to get public IP info
    • github.com to get the container version info
    • githubusercontent.com to update lists like malicious IPs
  • Rather than try to unblock all these, I thought if I can get ping 9.9.9.9 from the container working I'll know how to manage the rest

Things I've Tried

 

Changing DNS Server

 
The default DNS Server in gluetun_nordvpn is 127.0.0.1. I've changed it to 9.9.9.9 (it wasn't working with 127.0.0.1).
I can ping 9.9.9.9 from the host at any time:
ping 9.9.9.9

and from the container when the host isn't running:

docker exec -it gluetun_nordvpn ping 9.9.9.9

The ping fails on the container when the host VPN is connected.

I'm using NextDNS DNS servers on the host (45.90.30.195, 45.90.28.195). I can also ping them from the containers when the host VPN is disconnected, but not when it's connected.


 

Checking resolv.conf


I can see that /etc/resolv.conf changes when I connect the host VPN.
cat /etc/resolv.conf

Host VPN disconnected:

search fritz.box
nameserver 45.90.30.195
nameserver 45.90.28.195
nameserver 192.168.178.1
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2a07:a8c1::da:9d1b
nameserver 2a07:a8c0::da:9d1b
nameserver fd00::3e37:12ff:febb:5094
nameserver 2404:4400:4102:b900:3e37:12ff:febb:5094

Host VPN connected:

#
# Created by Eddie. Do not edit.
#
# Your resolv.conf file is temporarily backed up in /etc/resolv.conf.eddievpn
# To restore your resolv.conf file you need to log in as root
# and execute the below command from the shell:
#
# mv /etc/resolv.conf.eddievpn /etc/resolv.conf
#
nameserver 45.90.28.195
nameserver 45.90.30.195


 

Checking IP Routes


I can also see that the routes on the host change when I connect the host VPN.
ip route show

Host VPN disconnected:

default via 192.168.178.1 dev enp7s0 proto dhcp src 192.168.178.12 metric 100  
169.254.0.0/16 dev enp7s0 scope link metric 1000  
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1  
172.18.0.0/16 dev br-67a7ee83a597 proto kernel scope link src 172.18.0.1  
172.19.0.0/16 dev br-b445b86664f2 proto kernel scope link src 172.19.0.1  
172.20.0.0/16 dev br-f5d2cb0cbe30 proto kernel scope link src 172.20.0.1 linkdown  
172.21.0.0/16 dev br-7b8960023437 proto kernel scope link src 172.21.0.1 linkdown  
172.22.0.0/16 dev br-05148a66581e proto kernel scope link src 172.22.0.1 linkdown  
172.23.0.0/16 dev br-62a348210f35 proto kernel scope link src 172.23.0.1 linkdown  
172.24.0.0/16 dev br-059d747ec26e proto kernel scope link src 172.24.0.1 linkdown  
192.168.178.0/24 dev enp7s0 proto kernel scope link src 192.168.178.12 metric 100

Host VPN connected:

0.0.0.0/1 dev Eddie scope link  
default via 192.168.178.1 dev enp7s0 proto dhcp src 192.168.178.12 metric 100  
128.0.0.0/1 dev Eddie scope link  
169.254.0.0/16 dev enp7s0 scope link metric 1000  
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1  
172.18.0.0/16 dev br-67a7ee83a597 proto kernel scope link src 172.18.0.1  
172.19.0.0/16 dev br-b445b86664f2 proto kernel scope link src 172.19.0.1  
172.20.0.0/16 dev br-f5d2cb0cbe30 proto kernel scope link src 172.20.0.1 linkdown  
172.21.0.0/16 dev br-7b8960023437 proto kernel scope link src 172.21.0.1 linkdown  
172.22.0.0/16 dev br-05148a66581e proto kernel scope link src 172.22.0.1 linkdown  
172.23.0.0/16 dev br-62a348210f35 proto kernel scope link src 172.23.0.1 linkdown  
172.24.0.0/16 dev br-059d747ec26e proto kernel scope link src 172.24.0.1 linkdown  
192.168.178.0/24 dev enp7s0 proto kernel scope link src 192.168.178.12 metric 100  
198.54.129.52 dev Eddie scope link  
198.54.129.54 via 192.168.178.1 dev enp7s0

 

Setting Routes in Eddie

 
I thought I could use the Routes setting in Eddie to allow containers to contact specified IP addresses/domains. I:
  • Added a route for 9.9.9.9/32, Outside the VPN tunnel. I can then see this route on the host:
0.0.0.0/1 dev Eddie scope link  
default via 192.168.178.1 dev enp7s0 proto dhcp src 192.168.178.12 metric 100  
9.9.9.9 via 192.168.178.1 dev enp7s0  
128.0.0.0/1 dev Eddie scope link  
169.254.0.0/16 dev enp7s0 scope link metric 1000  
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1  
172.18.0.0/16 dev br-67a7ee83a597 proto kernel scope link src 172.18.0.1  
172.19.0.0/16 dev br-b445b86664f2 proto kernel scope link src 172.19.0.1  
172.20.0.0/16 dev br-f5d2cb0cbe30 proto kernel scope link src 172.20.0.1 linkdown  
172.21.0.0/16 dev br-7b8960023437 proto kernel scope link src 172.21.0.1 linkdown  
172.22.0.0/16 dev br-05148a66581e proto kernel scope link src 172.22.0.1 linkdown  
172.23.0.0/16 dev br-62a348210f35 proto kernel scope link src 172.23.0.1 linkdown  
172.24.0.0/16 dev br-059d747ec26e proto kernel scope link src 172.24.0.1 linkdown  
192.168.178.0/24 dev enp7s0 proto kernel scope link src 192.168.178.12 metric 100  
198.54.129.52 dev Eddie scope link  
198.54.129.54 via 192.168.178.1 dev enp7s0
  • Tried pinging 9.9.9.9 from the container:
docker exec -it gluetun_nordvpn ping 9.9.9.9

The ping failed.

 

Other Details

gluetun_nordvpn container network:

docker inspect gluetun_nordvpn

NetworkSettings section:

       "NetworkSettings": {
           "Bridge": "",
           "SandboxID": "7bc94ec06cc82710802e2ed1e209b9a377f4d190343da6eaaeb6cb97c3b0fa55",
           "HairpinMode": false,
           "LinkLocalIPv6Address": "",
           "LinkLocalIPv6PrefixLen": 0,
           "Ports": {
               "8000/tcp": null,
               "8388/tcp": null,
               "8388/udp": null,
               "8888/tcp": null
           },
           "SandboxKey": "/var/run/docker/netns/7bc94ec06cc8",
           "SecondaryIPAddresses": null,
           "SecondaryIPv6Addresses": null,
           "EndpointID": "",
           "Gateway": "",
           "GlobalIPv6Address": "",
           "GlobalIPv6PrefixLen": 0,
           "IPAddress": "",
           "IPPrefixLen": 0,
           "IPv6Gateway": "",
           "MacAddress": "",
           "Networks": {
               "gluetunnordvpn_default": {
                   "IPAMConfig": null,
                   "Links": null,
                   "Aliases": [
                       "gluetun",
                       "38a1b6a8fb01"
                   ],
                   "NetworkID": "67a7ee83a5971105d324af1233cc8d986a3d83844447d95bfee06c8606e9549c",
                   "EndpointID": "ce01a45234a639d6ab7c8eca0c99fc559e962bb3627e9655e4fe919107f5a69d",
                   "Gateway": "172.18.0.1",
                   "IPAddress": "172.18.0.2",
                   "IPPrefixLen": 16,
                   "IPv6Gateway": "",
                   "GlobalIPv6Address": "",
                   "GlobalIPv6PrefixLen": 0,
                   "MacAddress": "02:42:ac:12:00:02",
                   "DriverOpts": null
               }
           }
       }

 

gluetunnordvpn_default network details:

docker network inspect gluetunnordvpn_default

 

[
   {
       "Name": "gluetunnordvpn_default",
       "Id": "67a7ee83a5971105d324af1233cc8d986a3d83844447d95bfee06c8606e9549c",
       "Created": "2025-08-08T11:34:57.239149312+12:00",
       "Scope": "local",
       "Driver": "bridge",
       "EnableIPv6": false,
       "IPAM": {
           "Driver": "default",
           "Options": {},
           "Config": [
               {
                   "Subnet": "172.18.0.0/16",
                   "Gateway": "172.18.0.1"
               }
           ]
       },
       "Internal": false,
       "Attachable": false,
       "Ingress": false,
       "ConfigFrom": {
           "Network": ""
       },
       "ConfigOnly": false,
       "Containers": {
           "38a1b6a8fb015c0d5f9d3a5b1c343724110fa11636b271dac41986770306405a": {
               "Name": "gluetun_nordvpn",
               "EndpointID": "ce01a45234a639d6ab7c8eca0c99fc559e962bb3627e9655e4fe919107f5a69d",
               "MacAddress": "02:42:ac:12:00:02",
               "IPv4Address": "172.18.0.2/16",
               "IPv6Address": ""
           }
       },
       "Options": {},
       "Labels": {}
   }
]

 

So, questions:

  • Am I right in thinking the Routes in Eddie should be the right way to set this up? If so, any idea why it's not working?
  • What else can I try?

Thanks in advance for any pointers.

I cannot really help you with the contents as I don't use Docker privately, so no experience with Gluetun, sorry about that; but let me just say: If you structured this yourself, not with AI, RESPECT+ from me. Wish all issue reports were like that.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.
