I’m using Gluetun via Docker Compose as well right now and can happily say all the ports exposed via the ports: setting are local network only. I could port forward them via the router probably (haven’t tried) but I only use them for access via LAN. To expose ports over the VPN connection you use the FIREWALL_VPN_INPUT_PORTS environment variable. A stripped version of my current compose (example port numbers, not real) with LAN access to 6000 and WAN access to 1234 and 5678:

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    restart: unless-stopped
    container_name: gluetun
    cap_add:
      - NET_ADMIN # in the default compose file i dunno what this does tbh
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_VERSION=<redacted>
      - OPENVPN_USER=<redacted>
      - OPENVPN_PASSWORD=<redacted>
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.ovpn
      - FIREWALL_VPN_INPUT_PORTS=1234,5678 # allows ports through VPN connection
      - FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/24 # I found that I needed this for certain LAN access
    ports:
      - 6000:6000 # port i access via LAN

I’ve been happily using Windscribe for a while now, they have port forwarding with a dedicated IP. Averaging out the separate charges, it’s about $4 USD/month for a custom plan (1 location + unlimited data) + dedicated IP. Technically their Pro tier includes ephemeral port forwarding, but I don’t like how it works.
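
An added example, not part of the original comment or Gluetun's own code: a small Python check that separates the two exposure paths in the compose file above, ports published on the host via `ports:` and ports opened on the tunnel side via `FIREWALL_VPN_INPUT_PORTS`. `SERVICE` is constructed sample data shaped like a parsed compose service, the function names are hypothetical, and the `127.0.0.1:8000:8000/tcp` entry is added only to show the host-IP form of the compose port syntax.

```python
# Constructed sample: a parsed compose service using the comment's example ports.
SERVICE = {
    "environment": [
        "VPN_SERVICE_PROVIDER=custom",
        "FIREWALL_VPN_INPUT_PORTS=1234,5678",
        "FIREWALL_OUTBOUND_SUBNETS=192.168.0.0/24",
    ],
    "ports": ["6000:6000", "127.0.0.1:8000:8000/tcp"],
}


def parse_port(spec):
    """Split compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto]."""
    spec, _, proto = str(spec).partition("/")
    parts = spec.rsplit(":", 2)
    container_port = parts[-1]
    # With only a container port, Docker picks an ephemeral host port.
    host_port = parts[-2] if len(parts) >= 2 else None
    # Without HOST_IP, Docker binds the port on every host interface.
    host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port, "proto": proto or "tcp"}


def audit(service):
    """Report which ports are reachable via the host and which via the VPN."""
    env = service.get("environment", [])
    if not isinstance(env, dict):  # compose allows list or mapping form
        env = dict(e.split("=", 1) for e in env if "=" in e)
    raw = str(env.get("FIREWALL_VPN_INPUT_PORTS", ""))
    vpn_ports = [p.strip() for p in raw.split(",") if p.strip()]
    published = [parse_port(p) for p in service.get("ports", [])]
    return {
        "vpn_ports": vpn_ports,
        "published": published,
        # Bound to all interfaces: reachable from any network the host is on.
        "all_interfaces": [p["host_port"] for p in published
                           if p["host_ip"] in ("0.0.0.0", "[::]")],
        # Same port reachable both from the host side and through the tunnel.
        "both_paths": [p["container_port"] for p in published
                       if p["container_port"] in vpn_ports],
    }


if __name__ == "__main__":
    for key, value in audit(SERVICE).items():
        print(key, value)
```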