Feature request: Option to act as Router or set default gateway for MultiHop vpn

[5andr0]

What's the feature 🧐

First of all, thanks for gluetun, it's awesome!

So the idea is to enable a multi-hop chain using multiple Gluetun containers.

The cleanest approach is to:

• Make the final (root/exit) hop act as a router
• Configure the entry hop(s) to use the exit hop as their default gateway

With 3+ hops, any intermediate hops must also function as routers while simultaneously using the next hop as their gateway. This means both routing modes need to work at the same time.

For router containers, this would involve:

• Enabling IP forwarding (sysctl -w net.ipv4.ip_forward=1)
• NAT postrouting masquerade
• Appropriate forwarding rules
• Leak protection / a kill switch for forwarded traffic
• Rules need to adapt dynamically to wg / tun interfaces

For entry hops:

• GATEWAY env var can be set as container name (resolved on startup with retries) or static IP
• ip route replace default via exit hop gateway
• Some magic rerouting rules once VPN iface comes up, including a working kill switch

Another advantage of using Gluetun as a router and attaching other containers to it via a default gateway is improved resilience during restarts:

• If Gluetun needs to be restarted, containers that share its network namespace will lose networking and must also be restarted.
• Containers that route traffic through Gluetun via a gateway will temporarily lose connectivity during the restart, but their network automatically recovers once Gluetun is back up, without requiring a restart.
  (The main caveat is container recreation when the router container comes back with a different IP. This setup only keeps working if the router uses a static IP, or if we detect changed router hostname<->IP and update the default route. Docker’s internal DNS keeps resolving container names even if the gateway container itself is down)

Tunneled VPNs require a lower MTU, but I just noticed you recently added automated MTU discovery — nice work!

If this feature ever gets added, I’ll happily make a big donation.

Extra information and references

No response

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image