FigJam Diagram: ProtonVPN Gateway — Shared Cluster VPN Exit (expires 2026-04-13)
A shared cluster-internal VPN exit node using gluetun and a ProtonVPN WireGuard subscription. Any service in the cluster can route traffic through it without its own VPN credentials.
| Setting | Value |
|---|---|
| Namespace | protonvpn |
| Image | ghcr.io/qdm12/gluetun:v3.40.0 |
| HTTP proxy | http://protonvpn-gateway.protonvpn.svc.cluster.local:8888 |
| SOCKS5 proxy | socks5://protonvpn-gateway.protonvpn.svc.cluster.local:8388 |
| Access | ClusterIP only; not exposed via Ingress or MetalLB |
| PSS level | privileged (gluetun requires the NET_ADMIN capability to create the WireGuard interface) |
Any cluster service whose HTTP client honors the standard proxy environment variables can route traffic through the gateway by setting HTTP_PROXY and HTTPS_PROXY. Both point at the same HTTP proxy port: HTTPS_PROXY names the proxy used for https:// destinations, and that proxy is reached over plain HTTP (CONNECT).

```yaml
env:
  - name: HTTP_PROXY
    value: "http://protonvpn-gateway.protonvpn.svc.cluster.local:8888"
  - name: HTTPS_PROXY
    value: "http://protonvpn-gateway.protonvpn.svc.cluster.local:8888"
```

Or for SOCKS5:

```yaml
env:
  - name: ALL_PROXY
    value: "socks5://protonvpn-gateway.protonvpn.svc.cluster.local:8388"
```

Set NO_PROXY alongside these for cluster-internal destinations (the Kubernetes API, other Services); otherwise those requests are sent to the proxy as well, which resolves names over the VPN and not through cluster DNS. Only clients that read these variables are affected; anything else in the Pod keeps using the node's default route.
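As an added example (not code from this repo or from gluetun), the following Python script shows how a consumer's proxy environment decides where a request goes, and why NO_PROXY matters. The gateway URL is the one from the table above; the NO_PROXY list is a suggested starting point, not a value taken from the repo, and the matching rule implemented is the one CPython's urllib uses (exact host or dot-separated suffix, `*` bypasses everything). Other clients differ in details such as CIDR entries, so check the client you actually run.

```python
"""Added example (not from this repo or gluetun): NO_PROXY handling for
consumers of the shared gateway.

HTTP_PROXY/HTTPS_PROXY alone send *every* request through the VPN exit,
including in-cluster calls (Kubernetes API, other Services). NO_PROXY must
carry the cluster-internal names. The matching rule below follows CPython's
urllib; curl, Go's net/http and Java differ in details (CIDR support,
leading-dot handling), so verify against the client you deploy."""
from urllib.parse import urlsplit

GATEWAY = "http://protonvpn-gateway.protonvpn.svc.cluster.local:8888"

# Suggested bypass list (assumption, not from the repo): loopback, the
# in-cluster API server name and the cluster DNS suffixes. Add Service/Pod
# CIDRs only if your client supports CIDR entries in NO_PROXY (Go does,
# urllib does not).
NO_PROXY = ",".join([
    "localhost",
    "127.0.0.1",
    "kubernetes.default.svc",
    ".svc",
    ".svc.cluster.local",
    ".cluster.local",
])


def proxy_env(no_proxy: str = NO_PROXY) -> dict:
    """Environment block a consumer Pod should carry. Both upper- and
    lowercase spellings are emitted because clients disagree on which one
    they read."""
    upper = {"HTTP_PROXY": GATEWAY, "HTTPS_PROXY": GATEWAY, "NO_PROXY": no_proxy}
    env = dict(upper)
    env.update({k.lower(): v for k, v in upper.items()})
    return env


def bypasses_proxy(url: str, no_proxy: str) -> bool:
    """True if `url` goes direct under the urllib-style NO_PROXY rule:
    exact host match, or host ends with '.<entry>' (a leading dot on the
    entry is ignored). A bare '*' bypasses everything."""
    host = (urlsplit(url).hostname or "").lower()
    if no_proxy.strip() == "*":
        return True
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if not entry:
            continue
        if host == entry or host.endswith("." + entry):
            return True
    return False


def route_for(url: str, env: dict) -> str:
    """Return 'direct' or the proxy URL a standards-following client would
    use for `url`, given the Pod's environment."""
    scheme = urlsplit(url).scheme.lower()
    proxy = env.get(f"{scheme.upper()}_PROXY") or env.get(f"{scheme}_proxy")
    no_proxy = env.get("NO_PROXY", env.get("no_proxy", ""))
    if not proxy or bypasses_proxy(url, no_proxy):
        return "direct"
    return proxy


if __name__ == "__main__":
    env = proxy_env()
    for u in ("https://api.ipify.org",
              "https://kubernetes.default.svc/version",
              "http://sonarr.media.svc.cluster.local:8989/api"):
        print(f"{u:50} -> {route_for(u, env)}")
```

Run it as-is to see that the external lookup goes via the gateway while the API server and a Service in another namespace stay direct; drop NO_PROXY from the environment and every request, including the API server call, is handed to the VPN proxy.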
Note: The proxy is shared across all consumers, so heavy usage from one service affects all others. For bandwidth-intensive workloads, consider a dedicated gluetun sidecar instead (as used by qBittorrent in the media namespace).
To change the exit country, edit the SERVER_COUNTRIES value in the protonvpn-country-config ConfigMap and restart the Deployment so gluetun picks a new server:

```bash
kubectl edit configmap protonvpn-country-config -n protonvpn
kubectl rollout restart deployment/protonvpn-gateway -n protonvpn
```
Recommended countries for privacy (ProtonVPN infrastructure):
| Country | Notes |
|---|---|
| Switzerland | ProtonVPN HQ, strongest privacy laws |
| Iceland | No data retention directives |
| Netherlands | Fast, GDPR, good infrastructure |
| Sweden | Fast, privacy-respecting |
| United States | Lowest latency for US services |
```bash
# WireGuard private key from the ProtonVPN account:
# 1. Log in to account.proton.me → VPN → Downloads → WireGuard configuration
# 2. Select Linux and choose any server (gluetun uses only the private key from the
#    file and selects the actual server itself via SERVER_COUNTRIES)
# 3. Copy the PrivateKey= value from the [Interface] section
# --from-literal places the key on the command line (shell history, process list);
# prefer --from-file or a manifest piped to `kubectl apply -f -` where that matters.
kubectl create secret generic protonvpn-credentials -n protonvpn \
  --from-literal=wireguard-private-key=<WireGuard-PrivateKey>
```
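As an added example (not code from this repo, ProtonVPN or gluetun), the script below automates step 3: it pulls the PrivateKey out of a downloaded wg-quick config, checks that it is a 32-byte base64 value, and emits a Secret manifest to pipe into `kubectl apply -f -` so the key never appears on a command line. The config text is constructed for the example and the key is 32 arbitrary bytes, not a real key; the Secret and key names are the ones from the table below.

```python
"""Added example, not from this repo, ProtonVPN or gluetun: extract the
[Interface] PrivateKey from a wg-quick config, sanity-check it, and build a
Secret manifest for `kubectl apply -f -`. SAMPLE_CONF is constructed here;
DUMMY_KEY/DUMMY_PEER are placeholder bytes, not real keys."""
import base64
import json
import sys

# Constructed stand-in for the file Proton's WireGuard download gives you.
DUMMY_KEY = base64.b64encode(bytes(range(1, 33))).decode()    # 32 bytes, base64
DUMMY_PEER = base64.b64encode(bytes(range(33, 65))).decode()
SAMPLE_CONF = f"""[Interface]
# Key for protonvpn-gateway (placeholder)
PrivateKey = {DUMMY_KEY}
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
# placeholder server
PublicKey = {DUMMY_PEER}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.1:51820
"""


def parse_wg_conf(text: str) -> dict:
    """Minimal INI-style parser for wg-quick files: {section: {key: value}}.
    Comments (# or ;) and blank lines are skipped; section and key names are
    lowercased. A repeated section (several [Peer]s) overwrites earlier keys,
    which is fine since only [Interface] is read here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # base64 '=' padding stays in value
            sections[current][key.strip().lower()] = value.strip()
    return sections


def extract_private_key(conf_text: str) -> str:
    """Return the [Interface] PrivateKey, or raise ValueError if it is missing
    or does not decode to exactly 32 bytes (the only shape WireGuard accepts)."""
    key = parse_wg_conf(conf_text).get("interface", {}).get("privatekey")
    if not key:
        raise ValueError("no PrivateKey in [Interface] section")
    try:
        raw = base64.b64decode(key, validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"PrivateKey is not valid base64: {exc}") from None
    if len(raw) != 32:
        raise ValueError(f"PrivateKey decodes to {len(raw)} bytes, expected 32")
    return key


def secret_manifest(private_key: str, name: str = "protonvpn-credentials",
                    namespace: str = "protonvpn") -> dict:
    """Kubernetes Secret carrying the key under `wireguard-private-key`,
    base64-encoded as the `data` field requires. JSON is valid YAML, so
    kubectl accepts the json.dumps() output directly."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {
            "wireguard-private-key": base64.b64encode(private_key.encode()).decode(),
        },
    }


if __name__ == "__main__":
    # Usage: python3 wg_secret.py ProtonVPN.conf | kubectl apply -f -
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(json.dumps(secret_manifest(extract_private_key(text)), indent=2))
```

The length check catches the common copy mistake of grabbing a truncated line or the PublicKey of the peer by accident; it does not prove the key is the one Proton registered, so the first real check is still the gateway's status endpoint after the rollout.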
| Secret | Key | Purpose |
|---|---|---|
| protonvpn-credentials | wireguard-private-key | WireGuard private key for ProtonVPN auth |
The gateway exposes a health endpoint at port 8000 (/v1/openvpn/status). A liveness probe checks this endpoint every 60s. No ServiceMonitor — ClusterIP-only service with no Prometheus metrics exposed.
The namespace has an egress NetworkPolicy allowing:
All other egress denied by default.
```text
kubernetes/apps/protonvpn/
  protonvpn-gateway.yaml  -- Namespace (privileged PSS), ConfigMap (country selection),
                             Deployment (gluetun), Service (HTTP+SOCKS5), NetworkPolicy
```