services:
  vpn:
    container_name: plex-vpn
    image: jordanpotter/wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      net.ipv4.conf.all.src_valid_mark: 1
      net.ipv6.conf.all.disable_ipv6: 0
    volumes:
      ## Your WireGuard configuration file. Can be from any provider that allows you to generate WireGuard configurations for connections (e.g. Mullvad, AirVPN).
      ## Or if you're running a server from another non-Hetzner provider, you can also set up WireGuard on that and use it as a VPN server. Something like this would work fine: https://github.com/Nyr/wireguard-install
      ## The VPN service does not need to support port forwarding.
      - ./my-vpn-provider.conf:/etc/wireguard/vpn.conf
    ports:
      ## Expose the Plex port locally, so the host can reverse proxy it. In my case I have NGINX installed directly on the host, and I basically just: `proxy_pass http://127.0.0.1:32400;`
      ## If you run NGINX Proxy Manager or similar, you will likely have to figure out a slightly different solution.
      ## This will allow you to serve streaming traffic between your Plex server and your users, directly from the Hetzner server. It's only using the VPN for "calling home" from Plex media server (the software) to Plex.tv servers (the Plex company's servers).
      - "127.0.0.1:32400:32400"
    restart: unless-stopped

  plex:
    image: plexinc/pms-docker:latest
    container_name: plex
    depends_on:
      - vpn
    ## The important line, makes all network traffic for the Plex container go through the VPN container.
    network_mode: "service:vpn"
    environment:
      ## I don't actually remember if these are necessary lmao
      - PUID=1000
      - PLEX_UID=1000
      - PGID=1000
      - PLEX_GID=1000
      - VERSION=docker
      ## Claim token, if needed
      # - PLEX_CLAIM=claim-rr-blah-blah-blah
    volumes:
      ## Plex configuration/logs/etc.
      - ./config:/config
      ## Change this to where you have your media stored.
      - /data/media:/media
    restart: unless-stopped
    ## Expose the [i]GPU to the container. For hardware transcoding
    devices:
      - /dev/dri:/dev/dri