How to choose, use and configure a VPN in RancherOS (Guide)

VPN Solutions Tailored for RancherOS

RancherOS is a unique, container-centric distribution that strips away traditional package managers (no apt, yum or dnf). Every service runs as a Docker container, and configuration often happens through cloud-config.yml or direct docker commands. Users tend to be DevOps engineers or architects spinning up hosts in the cloud or on bare-metal, favouring minimal host footprint and immutable patterns. There’s no classic desktop environment—if you need an interface, you’ll spin up a container with X11 or a web UI. Given these constraints, a VPN client must:

  • Run entirely in a Docker container (no host binary installation).
  • Allow NET_ADMIN capabilities for network namespace modifications.
  • Support easy persistence via Docker volumes for config and credentials.

Why These VPNs?

  • WireGuard (linuxserver/wireguard) – A modern, lean protocol with minimal dependencies. LinuxServer’s image is battle-tested, auto-updates keys and handles peer configs via volumes.
  • OpenVPN (qmcgaw/openvpn-client) – Ubiquitous, solid support for .ovpn profiles. This container entrypoint can consume any provider’s configuration files, making it provider-agnostic.
  • ProtonVPN (bubuntux/protonvpn) – Officially supports a Linux CLI; this community image wraps the CLI in a container for easy RancherOS deployment.

Comparison Table

| Solution | Protocol(s) | Docker Image | Key Notes |
|---|---|---|---|
| WireGuard | WireGuard | linuxserver/wireguard | Kernel-level crypto; minimal config; ideal for peer-to-peer and site-to-site. |
| OpenVPN | OpenVPN (UDP/TCP) | qmcgaw/openvpn-client | Use any .ovpn; supports cloud-config secrets for credentials. |
| ProtonVPN | OpenVPN, WireGuard | bubuntux/protonvpn | Official CLI wrapper; integrates easily with Proton’s token system. |

Installing and Configuring on RancherOS

1. Deploying WireGuard via linuxserver/wireguard

This container handles peer management and key generation. We’ll mount two volumes: one for config and one for modules (if needed).

# 1. Create folders on the host for persistence
sudo mkdir -p /opt/wireguard/config
sudo chown 1000:1000 /opt/wireguard/config

# 2. Run the container with required capabilities
sudo docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=1000 -e PGID=1000 \
  -e TZ=Europe/London \
  -v /opt/wireguard/config:/config \
  -v /lib/modules:/lib/modules:ro \
  -p 51820:51820/udp \
  linuxserver/wireguard

# 3. Inspect generated config for peers
sudo ls /opt/wireguard/config

Now edit /opt/wireguard/config/wg0.conf (or add peer files) and restart:

sudo docker restart wireguard

2. Deploying OpenVPN via qmcgaw/openvpn-client

This image reads any .ovpn profile and environment-driven credentials. Here’s how to configure credentials as RancherOS secrets (or plain files).

# 1. Store your .ovpn and auth files in /opt/openvpn
sudo mkdir -p /opt/openvpn
# Copy your provider.ovpn and auth.txt into /opt/openvpn

# 2. Launch with NET_ADMIN
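# OPENVPN_CONFIG is a path inside the container, so it must match the
# target of the -v mount below. Values passed with -e are readable by
# anyone who can run `docker inspect` on this container.
sudo docker run -d \
  --name=openvpn \
  --cap-add=NET_ADMIN \
  -e OPENVPN_PROVIDER=custom \
  -e OPENVPN_CONFIG=/etc/openvpn/provider.ovpn \
  -e OPENVPN_USERNAME=myuser \
  -e OPENVPN_PASSWORD=mypassword \
  -v /opt/openvpn/provider.ovpn:/etc/openvpn/provider.ovpn:ro \
  qmcgaw/openvpn-client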

# 3. Verify connectivity
sudo docker logs -f openvpn

3. Quick Start with ProtonVPN (bubuntux/protonvpn)

ProtonVPN’s CLI container expects your CLI token and WireGuard config (if you choose WG). Example with OpenVPN:

sudo docker run -d \
  --name=protonvpn \
  --cap-add=NET_ADMIN \
  -e USERNAME=your@protonmail.com \
  -e PASSWORD=supersecret \
  -e PROTONVPN_PROTOCOL=openvpn \
  bubuntux/protonvpn

Then check status:

sudo docker exec -it protonvpn protonvpn status

Final Thoughts

On RancherOS, the best VPN solutions leverage containerised clients with minimal host-side dependencies. WireGuard via linuxserver/wireguard offers cutting-edge performance and simplicity. OpenVPN through qmcgaw/openvpn-client grants maximum compatibility with any provider’s .ovpn files. And if you’re tied to Proton’s ecosystem, the bubuntux/protonvpn image wraps the official CLI neatly. Whichever you choose, ensure you grant NET_ADMIN, mount config volumes for persistence, and integrate startup into your RancherOS cloud-config or init scripts for seamless, automated VPN connectivity.
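
An added example (not from the original guide or from any of the image projects): a small audit that reads `docker inspect` JSON for the three containers above and reports passwords passed through -e, capabilities beyond NET_ADMIN and SYS_MODULE, privileged mode, and a writable /lib/modules mount. The sample JSON and the function and constant names are constructed for illustration.

```python
import json
import re
import sys

ALLOWED_CAPS = {"NET_ADMIN", "SYS_MODULE"}  # what the page's commands grant
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)

def audit(inspect_json):
    """Return sorted (container, finding) pairs for `docker inspect` JSON."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        host = c.get("HostConfig") or {}
        # Accept both the NET_ADMIN and CAP_NET_ADMIN spellings.
        caps = {x.upper().replace("CAP_", "", 1) for x in host.get("CapAdd") or []}
        if host.get("Privileged"):
            findings.append((name, "runs privileged instead of with named capabilities"))
        elif "NET_ADMIN" not in caps:
            findings.append((name, "NET_ADMIN not granted"))
        for cap in sorted(caps - ALLOWED_CAPS):
            findings.append((name, f"unexpected capability {cap}"))
        for env in (c.get("Config") or {}).get("Env") or []:
            key, _, value = env.partition("=")
            if value and SECRET_NAME.search(key):
                findings.append((name, f"secret in environment: {key}"))
        for m in c.get("Mounts") or []:
            if m.get("Destination") == "/lib/modules" and m.get("RW"):
                findings.append((name, "/lib/modules is mounted read-write"))
    return sorted(findings)

# Constructed sample: trimmed inspect output shaped like the three containers
# started by the commands on this page (credential values are placeholders).
SAMPLE = json.dumps([
    {"Name": "/wireguard",
     "Config": {"Env": ["PUID=1000", "PGID=1000", "TZ=Europe/London"]},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN", "SYS_MODULE"]},
     "Mounts": [{"Destination": "/config", "RW": True},
                {"Destination": "/lib/modules", "RW": False}]},
    {"Name": "/openvpn",
     "Config": {"Env": ["OPENVPN_USERNAME=myuser", "OPENVPN_PASSWORD=mypassword"]},
     "HostConfig": {"Privileged": False, "CapAdd": ["CAP_NET_ADMIN"]},
     "Mounts": []},
    {"Name": "/protonvpn",
     "Config": {"Env": ["USERNAME=your@protonmail.com", "PASSWORD=supersecret"]},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"]},
     "Mounts": []},
])

if __name__ == "__main__":
    # Pass "-" to audit real output: docker inspect wireguard | python3 audit.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for name, finding in audit(text):
        print(f"{name}: {finding}")
```

Run without arguments it audits the constructed sample; on that input only the two password variables are reported.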
