Use SOCKS5 with NordVPN WireGuard via Gluetun (Docker)

If you need a SOCKS5 proxy from a NordVPN WireGuard configuration, Gluetun alone is not enough.
Gluetun does not provide built-in SOCKS5 support. It offers an HTTP proxy and Shadowsocks, so the correct approach is to run a dedicated SOCKS5 container and make it share Gluetun’s network stack.

1. Get your NordVPN token (<YOUR_NORDVPN_TOKEN>)

You can generate this token from your Nord Account:

  1. Sign in to your Nord Account dashboard.
  2. In the left menu, open NordVPN.
  3. Scroll to Advanced settings and click Get access token.
  4. Complete email verification (enter the code sent to your registered email).
  5. Click Generate new token.
  6. Choose one option:
    • Temporary token (expires in 30 days).
    • Non-expiring token (recommended for long-running setups; enable MFA for safety).
  7. Click Generate token and copy it immediately.

Important: the token is shown only once. If you close that window, generate a new token.

2. Get your NordVPN WireGuard private key

Run this once to retrieve the nordlynx_private_key:

curl -s -u token:<YOUR_NORDVPN_TOKEN> \
  https://api.nordvpn.com/v1/users/services/credentials \
  | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['nordlynx_private_key'])"

Use the returned value as WIREGUARD_PRIVATE_KEY.
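
A safer way to run step 2, as an added example that is not part of the original page: the token is read from a prompt and handed to curl on stdin rather than on the command line, the returned key is validated, and it is written to an owner-only .env file. The --fetch flag and the .env location are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): fetch the NordLynx key without
# putting the token in argv or shell history, then store it in a 0600 .env file.
set -eu

API_URL="https://api.nordvpn.com/v1/users/services/credentials"  # endpoint from step 2

# Read the credentials JSON on stdin and print nordlynx_private_key.
# Exits non-zero unless the field is a 44-character base64 string (32-byte WireGuard key).
extract_key() {
  python3 -c '
import json, re, sys
try:
    key = json.load(sys.stdin).get("nordlynx_private_key")
except (ValueError, AttributeError):
    sys.exit("response is not a JSON object")
if not isinstance(key, str) or not re.fullmatch(r"[A-Za-z0-9+/]{43}=", key):
    sys.exit("no valid nordlynx_private_key in response")
print(key)
'
}

# write_env <file> <key>: write the variable to a file only the owner can read.
write_env() {
  ( umask 077; printf 'WIREGUARD_PRIVATE_KEY=%s\n' "$2" > "$1" )
  chmod 600 "$1"  # also tightens a file that already existed
}

# Prompt for the token with echo off and pass it to curl as a config file on
# stdin (-K -), so it never appears in the process list.
fetch_key() {
  printf 'NordVPN access token: ' >&2
  trap 'stty echo; exit 1' INT TERM
  stty -echo; IFS= read -r token; stty echo; echo >&2
  printf 'user = "token:%s"\n' "$token" | curl -fsS -K - "$API_URL" | extract_key
}

# Only touches the network when called with --fetch (hypothetical flag of this example).
if [ "${1:-}" = "--fetch" ]; then
  key="$(fetch_key)"
  write_env .env "$key"
  echo "wrote .env (mode 600)" >&2
fi
```

Docker Compose reads .env from the project directory, so the compose file can reference the value as WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY} instead of embedding the key.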

3. Docker Compose setup

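Use serjs/go-socks5-proxy with network_mode: "service:gluetun" so all SOCKS5 traffic goes out through the VPN tunnel managed by Gluetun. Because the proxy container shares Gluetun's network namespace, port 1080 is published on the gluetun service rather than on socks5.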

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
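    ports:
      # Publish on loopback only: the proxy runs without authentication (REQUIRE_AUTH=false below).
      - "127.0.0.1:1080:1080"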
    environment:
      - VPN_SERVICE_PROVIDER=nordvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=<YOUR_NORDVPN_WIREGUARD_PRIVATE_KEY>
      - SERVER_COUNTRIES=United States
    restart: unless-stopped

  socks5:
    image: serjs/go-socks5-proxy
    container_name: socks5
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      - PROXY_PORT=1080
      - REQUIRE_AUTH=false
    restart: unless-stopped

Start services:

docker compose up -d

4. Verify the SOCKS5 proxy

curl -x socks5h://127.0.0.1:1080 ipinfo.io

If the setup is correct, the returned IP/location should match the NordVPN server instead of your local ISP IP.

Notes

  • Keep your NordVPN token and private key secret.
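  • REQUIRE_AUTH=false is convenient for local use. For shared environments, enable authentication. A port published as "1080:1080" listens on every host interface, so for local-only use publish it on loopback as "127.0.0.1:1080:1080".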
  • If your token is exposed, revoke it in Nord Account and generate a new one.