stashapp VPN proxy setup

tl;dr

find your provider and set up your docker-compose.yml accordingly

do NOT use network_mode: "service:gluetun"

services:
  stash:
    # ... rest of your existing stash service (image, ports, volumes) unchanged
    environment:
      # no quotes: compose passes list-style values through verbatim, so a
      # quoted value would include the quote characters in the proxy URL
      - HTTP_PROXY=http://gluetun:8888
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      # placeholder, replace with the key from your provider's config
      - WIREGUARD_PRIVATE_KEY=STASHAPP_GLUETUN_WIREGUARD_PRIVATE_KEY_0000=
      - SERVER_COUNTRIES=Netherlands
      # built-in HTTP proxy on :8888, reachable as http://gluetun:8888 from other services
      - HTTPPROXY=on
      - HTTPPROXY_STEALTH=on

Shut down stash and add proxy: http://gluetun:8888 to your stash’s config.yml

Detailed Guide

[!TIP]
ProtonVPN free is not actually recommended since it only has servers in the Netherlands, Japan, Romania, Poland and the US.
Canada is recommended for people in the US since it’s geographically close and lacks most geo-blocks.

  1. Follow the steps in the gluetun wiki for your provider of choice
  2. Set up gluetun accordingly but add support for the HTTP proxy (docs)
services:
...
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=wireguard
      # placeholder, replace with the key from your provider's config
      - WIREGUARD_PRIVATE_KEY=STASHAPP_GLUETUN_WIREGUARD_PRIVATE_KEY_0000=
      - SERVER_COUNTRIES=Netherlands
      # built-in HTTP proxy on :8888, reachable as http://gluetun:8888 from other services
      - HTTPPROXY=on
      - HTTPPROXY_STEALTH=on
...

a. We do not add network_mode: "service:gluetun" since it uses port 9999 for healthchecks. This complicates the networking in general.

  1. Shut down your stash instance and add proxy: http://gluetun:8888 to your config.yml file. This is unfortunately not supported in environment variables.
  2. As an extra precaution, add HTTP_PROXY=http://gluetun:8888 to your environment variables so that any script that respects it also uses gluetun.

a mirror of github

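A proxy only protects the traffic that actually honours it, so after the steps above it is worth checking from inside the stash container what the outside world really sees. The script below is an added example, not part of the guide or of Stash, gluetun or Tailscale. It assumes a plain-text IP-echo endpoint (https://api.ipify.org is used as a placeholder; any service that returns just the caller's address works) and reads the proxy URL from HTTPS_PROXY or HTTP_PROXY. It also covers two pitfalls of this setup: compose passes a quoted list-style value through with the quotes still attached, and HTTP_PROXY alone does not cover https:// URLs for curl, Python or Go clients, which read HTTPS_PROXY for those. The same check works unchanged for the Tailscale proxy in the reply below (http://tailscale:8888).

```python
"""Egress check for a stash-behind-proxy setup (added example, not project code).

Run inside the stash container, where the proxy hostname resolves:
    docker compose exec stash python3 egress_check.py
Assumes python3 is present in the image and that ECHO_URL is reachable.
"""
import os
import sys
import urllib.request

# Assumption: any endpoint that returns the caller's public IP as plain text.
ECHO_URL = "https://api.ipify.org"


def normalize_proxy_url(raw):
    """Return (url, warning).

    Compose passes list-style environment values verbatim, so
    `- HTTP_PROXY="http://gluetun:8888"` yields a value that still contains
    the quote characters and is not a valid URL. Strip them and say so.
    """
    if raw is None:
        return None, "no proxy variable set"
    stripped = raw.strip()
    if len(stripped) >= 2 and stripped[0] == stripped[-1] and stripped[0] in "\"'":
        return stripped[1:-1], "value was wrapped in quotes; drop them in compose.yml"
    return stripped, None


def proxy_env(proxy_url):
    """Variables to set so curl, Python and Go clients proxy both http:// and
    https:// URLs. Go's ProxyFromEnvironment and curl use HTTPS_PROXY for
    https requests and HTTP_PROXY only for http requests."""
    env = {}
    for name in ("HTTP_PROXY", "HTTPS_PROXY"):
        env[name] = proxy_url
        env[name.lower()] = proxy_url
    # keep container-local traffic (e.g. the stash web UI itself) off the proxy
    env["NO_PROXY"] = env["no_proxy"] = "localhost,127.0.0.1"
    return env


def fetch_ip(proxy_url=None, url=ECHO_URL, timeout=10):
    """Public IP seen by the echo service, via the proxy if one is given.
    Passing an empty ProxyHandler replaces urllib's default one, so the
    'direct' measurement ignores the process' *_PROXY variables."""
    proxies = {"http": proxy_url, "https": proxy_url} if proxy_url else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read().decode().strip()
    except OSError:  # URLError, timeouts and refused connections all land here
        return None


def verdict(direct_ip, proxied_ip):
    """Classify the pair of measurements."""
    if proxied_ip is None:
        return "proxy-unreachable"  # stash would fail rather than leak, but scraping is dead
    if direct_ip is None:
        return "proxied"  # no direct route at all: only the proxy path works
    if direct_ip == proxied_ip:
        return "leak"  # the proxy answers, but egress is still the host's own address
    return "proxied"


def main():
    proxy, warning = normalize_proxy_url(
        os.environ.get("HTTPS_PROXY") or os.environ.get("HTTP_PROXY"))
    if warning:
        print("warning:", warning, file=sys.stderr)
    if not proxy:
        sys.exit(2)
    direct, via = fetch_ip(), fetch_ip(proxy)
    result = verdict(direct, via)
    print(f"direct={direct} via_proxy={via} -> {result}")
    print("recommended environment:")
    for name, value in proxy_env(proxy).items():
        print(f"  {name}={value}")
    sys.exit(0 if result == "proxied" else 1)


if __name__ == "__main__":
    main()
```

A "proxied" result with two different addresses is what you want; "leak" means the proxy is reachable but not actually sending traffic out through the VPN tunnel (for gluetun, check its logs for the tunnel coming up before trusting the proxy). Note that this exercises the environment-variable path only; stash's own scrapers use the `proxy:` key in config.yml, which points at the same gluetun proxy.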

Thanks for putting together these guides @feederbox826 :heart:

Sorry if this comes across as hijacking your thread, but I thought I’d share an alternative (but comparable) approach for using Stash with a VPN via Tailscale.

What is Tailscale?

Tailscale is a service that connects all your devices (servers, routers, your phone, Apple TV, etc) to a private network that’s accessible only to you (or those you explicitly grant access to). For our purposes, what this means in practice is that you can access your Stash instance wherever you happen to be without needing to mess around with port forwarding, firewall rules, etc. It just works.

Their website will do a better job of explaining what they do and how than I can: tailscale.com

Tailscale :heart: Stash

Although I wouldn’t describe Tailscale as a VPN, they offer similar functionality via what they call “exit nodes”.

Exit nodes allow you to proxy your traffic via another device that’s connected to your Tailscale network. For example, I have Tailscale installed on my mother’s Apple TV halfway across the world that acts as an exit node, so from my laptop, phone (or Stash server!) I can choose to proxy all my traffic via her home internet connection (kinda like a VPN, huh). Tailscale also have a partnership/integration with Mullvad, so even if you don’t have any distant family members with Apple TVs, you can use Mullvad’s VPN servers as exit nodes (of which they have many, in different countries).

So, with that all in mind. Here’s a Docker compose.yaml file that configures Stash with Tailscale, allowing you to set an exit node (optional) to one of your devices or one provided by Mullvad. Stash will use whatever you configure for its scraping tasks - Tailscale exposes an HTTP proxy exactly like the one from @feederbox826’s example.

But wait, there’s more!

An added bonus of using Tailscale is that it can also act as a reverse proxy (of sorts), so you can access Stash over HTTPS (valid TLS certificate and everything). So instead of using http://192.168.0.1:9999 to access Stash, you can use something like https://stash.something-something.ts.net.

… I don’t work for Tailscale, I’m just a big fan :sweat_smile:

Anyway, here’s the code:

Configuration Files

compose.yaml

services:
  stash:
    image: ghcr.io/feederbox826/stash-s6:alpine
    depends_on:
      - tailscale
    environment:
      - PUID=1000
      - PGID=1000
      # unquoted: compose passes list-style values through verbatim
      - HTTP_PROXY=http://tailscale:8888
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - pip:/pip-install
      - config:/config

  tailscale:
    image: tailscale/tailscale:latest
    hostname: tailscale
    restart: unless-stopped
    # kernel-mode networking (TS_USERSPACE=false) needs the tun device and NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_AUTH_ONCE=true
      # TS_EXIT_NODE is optional; leave it unset to keep the host's own egress
      - TS_EXTRA_ARGS=--exit-node-allow-lan-access --exit-node=${TS_EXIT_NODE}
      - TS_HOSTNAME=stash-demo
      - TS_SERVE_CONFIG=/config/serve-config.json
      - TS_STATE_DIR=/var/lib/tailscale
      # the HTTP proxy stash points at; no ports are published, so it is only
      # reachable from other services on the compose network
      - TS_OUTBOUND_HTTP_PROXY_LISTEN=:8888
      - TS_USERSPACE=false
    volumes:
      - ${PWD}/config:/config
      - ts-state:/var/lib/tailscale

volumes:
  pip:
  config:
  ts-state:

serve-config.json

(this configures Tailscale to act as a reverse proxy for Stash)

{
    "TCP": {
      "443": {
        "HTTPS": true
      }
    },
    "Web": {
      "${TS_CERT_DOMAIN}:443": {
        "Handlers": {
          "/": {
            "Proxy": "http://stash:9999"
          }
        }
      }
    },
    "AllowFunnel": {
      "${TS_CERT_DOMAIN}:443": false
    }
}
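The serve config above decides who can reach Stash: the "AllowFunnel": false entry keeps it on the tailnet instead of the public internet, and "HTTPS": true on port 443 is what makes Tailscale issue the certificate and terminate TLS before proxying plaintext to http://stash:9999 over the compose network. Since that file is easy to edit wrongly, here is an added example (not Tailscale's or Stash's own tooling) that audits a serve-config.json before containerboot applies it. The sample input is a copy of the post's file; the ${TS_CERT_DOMAIN} placeholder is kept as a literal because containerboot substitutes it later.

```python
"""Audit a Tailscale serve-config.json (added example, not project code).

    python3 serve_audit.py config/serve-config.json
Without an argument it audits SAMPLE, a copy of the config from the post.
"""
import json
import sys

# Constructed sample: the serve-config.json from the post, unchanged in content.
SAMPLE = """
{
    "TCP": {"443": {"HTTPS": true}},
    "Web": {
      "${TS_CERT_DOMAIN}:443": {
        "Handlers": {"/": {"Proxy": "http://stash:9999"}}
      }
    },
    "AllowFunnel": {"${TS_CERT_DOMAIN}:443": false}
}
"""


def audit_serve_config(text):
    """Return (findings, routes).

    findings: human-readable problems that widen exposure or drop TLS.
    routes:   'host:port/path' -> backend, i.e. exactly what gets published.
    """
    cfg = json.loads(text)
    findings, routes = [], {}
    tcp = cfg.get("TCP") or {}

    # Funnel publishes the listener to the whole internet, not just the tailnet.
    for hostport, enabled in (cfg.get("AllowFunnel") or {}).items():
        if enabled:
            findings.append(f"{hostport}: AllowFunnel is true, Stash would be public")

    for hostport, web in (cfg.get("Web") or {}).items():
        port = hostport.rsplit(":", 1)[-1]
        listener = tcp.get(port)
        if listener is None:
            findings.append(f"{hostport}: no TCP listener declared for port {port}")
        elif not listener.get("HTTPS"):
            # Only "HTTPS": true gets a certificate and TLS termination;
            # "HTTP": true serves the same handlers in plaintext.
            findings.append(f"{hostport}: listener on port {port} is not HTTPS")
        for path, handler in (web.get("Handlers") or {}).items():
            if isinstance(handler, dict) and "Proxy" in handler:
                routes[f"{hostport}{path}"] = handler["Proxy"]

    # A raw TCP forward bypasses the Web handlers (and their TLS) entirely.
    for port, listener in tcp.items():
        if listener.get("TCPForward"):
            findings.append(
                f"port {port}: raw TCPForward to {listener['TCPForward']} bypasses the HTTPS handler")
    return findings, routes


def main():
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems, published = audit_serve_config(source)
    for route, backend in published.items():
        print(f"{route} -> {backend}")
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)


if __name__ == "__main__":
    main()
```

The post's config passes clean with a single route, ${TS_CERT_DOMAIN}:443/ proxied to http://stash:9999. Flipping AllowFunnel to true, or changing the 443 listener to "HTTP": true, produces a finding and a non-zero exit, which makes the script usable as a pre-deploy gate.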

Thanks! I don’t use tailscale so I didn’t realize exit nodes could work like that