This is an annoying quirk in the way docker handles networking between containers and I couldn’t find a good solution for this issue when I was trying out network_mode. I just couldn’t find a way to set docker up to automatically restart the dependent container. You can achieve this with services defined in the same stack (using depends_on), but I don’t know if it’s possible with your current setup.

That’s why I mentioned manual routing in my other reply. It’s annoying to set up, but more convenient because you avoid having to manage restarts (or figuring out how to get docker to do it, which may not be possible in this case).

Uhh, I think you might be confused. Let me explain a bit more:

1. Services and Containers aren’t the same thing. The distinction usually doesn’t matter in typical self-hosting scenarios, but in this case it does.

In short: Services are what you define in a compose file; Containers are what you spin up based on those service definitions.

2. network_mode is a service attribute and it can be defined for each service separately.
3. network_mode: "service:{name}" requires the service being referenced to be part of the same stack. This is probably what you were thinking of when you wrote this reply.
4. network_mode: "container:{name}" can freely reference any preexisting container. This helps you achieve what you want. You can define your gluetun container independently, along with any services you might want to be part of the same stack, and give it a unique identifier using container_name: myIndependentGluetun. After spinning it up, run your Qbittorrent container or whatever service you want to route through the gluetun container after adding network_mode: "container:myIndependentGluetun".

You could also route it manually. That’s a more advanced solution, but it’s more convenient than the network_mode approach. More on this here: https://discuss.tchncs.de/post/19039498

You could use network_mode: "container:{name}" instead of service:{name}. See here https://docs.docker.com/reference/compose-file/services/#network_mode

Service definitions have to be defined in the same compose file or merged into one file at some point in order to be able to reference each other. Containers don’t have that restriction.

I’ve had to bypass DPI several times in the past. V2Ray has never failed me, but I had to set it up myself on my own VPS. It wasn’t being offered commercially by any VPN providers back when I needed it. More info here: https://www.v2fly.org/en_US/

Edit: Forgot to mention, for those interested in setting this up an easier option is to let Amnezia VPN set it up for you. It’s FOSS, can be found here https://github.com/amnezia-vpn/amnezia-client

You’ll need to have your own VPS or home server though, and if you want to use V2Ray at home and do some advanced routing to enable local LAN access for example, then it’s better to set things up from scratch than to use Amnezia.

They do block Wireguard. They use DPI (Deep Packet Inspection) at the national level (it’s as expensive as it sounds). They filter and monitor all traffic. Once you have something as invasive as DPI in place, Wireguard becomes rather easy to detect, because it doesn’t hide the fact that you’re establishing a tunnel (its purpose is just to obscure the data being tunneled).

According to the specification, a specific sequence of bytes (Handshake Initiation packet) is sent by the “client” to negotiate a connection, and a Handshake Response is sent back by the “server”. The handshake packets used to negotiate a connection are basically a recognizable signature of the Wireguard protocol, so if you are able to analyze all outgoing and incoming packets (which DPI enables you to do), you can monitor for these signature packets and block the connection attempt.

There are variants of the Wireguard protocol that can circumvent this method of censorship (Amnezia Wireguard is one example), but they only work as long as they stay under the radar and don’t see mass adoption. Their own “signatures” would also just get blocked in that case.

Ultimately, bypassing this level of censorship just isn’t something Wireguard was created for. Wireguard assumes you are only concerned with obscuring your traffic, not hiding the fact that you’re using a VPN. There are better tools for this job, like this: https://www.v2fly.org/en_US/

Edit: Better link with the language set to English

Soulseek, among others. Putting my ~400 GB classical music collection out there.