CVJoint/traefik2

How to connect from a local machine to the ip:port of a container that has network_mode: "container:pia"

Opened this issue · 2 comments

If I use network_mode: "container:pia" or network_mode: "service:pia" to route a container through the pia container, I can no longer connect to the routed container using ip:port from other machines on the local network.

If I add the port of the routed container to the pia container, I am then able to connect to the routed container from the host machine using localhost:port but still not from other machines on the network.

In the rutorrent example in ymlfiles/pia.yml, is it possible to connect to rutorrent from other machines on the network using ip:port? If so, how? Thanks.

Edit: I realise what's happening now. The pia container has traefik labels for rutorrent and I can now connect from the local network using ip:port.

A few further questions:

  1. Is there any other way to achieve the same thing but leave the traefik labels in the same block as their container in the compose file, just for ease of maintenance and readability?
  2. If not, is it advisable, in the pia container, to add further traefik labels for other containers that use network_mode: "service:pia" or should I use separate pia containers for each other service?

You've got the right idea. When the pia container starts, it creates the container's network, exposing the ports and showing its labels to the traefik container. This happens when the container is started, so any other containers which you want to use that network need to have the ports/labels already defined.

  1. Because they need to be read at runtime, I don't think there's a way. Sometimes having them in the same compose file can be helpful, where you can use things like depends_on: and bring them up in a certain order. I've been using the container markusmcnugen/qbittorrentvpn which is the only service I really use with VPN.
  2. It looks like PIA allows up to 10 connections if that link is still accurate, while others may be lower. I think it depends on your setup/workflow and what is most convenient. I don't see a benefit to having a separate pia container for each service vs having a vpn container running that you connect to, other than convenience.

Another note: I've found that connecting using network_mode: and ip:port works with openvpn setups. When I try to use wireguard in the same way I'm not able to connect.
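The arrangement described in the reply above, written out as a compose fragment. This is an added example, not part of the thread and not the contents of ymlfiles/pia.yml; the image names, the hostname, port 8080 and the network name `traefik_proxy` are placeholders or assumptions.

```yaml
# Added illustration only. Image names, hostname, port and network name are
# placeholders; substitute the values from your own stack.
services:
  pia:
    image: example/pia-openvpn:placeholder    # placeholder VPN client image
    container_name: pia
    cap_add:
      - NET_ADMIN                              # typically needed by OpenVPN clients (assumption)
    devices:
      - /dev/net/tun
    networks:
      - traefik_proxy                          # assumed network that traefik is attached to
    ports:
      # Published on the VPN container because rutorrent has no network
      # stack of its own. Reachable from the LAN as <host-ip>:8080, which
      # bypasses traefik and any middleware (auth, TLS) configured there.
      # Use "127.0.0.1:8080:8080" instead to keep it host-only.
      - "8080:8080"
    labels:
      # Router and service definitions for rutorrent sit on the container
      # that owns the network namespace.
      - "traefik.enable=true"
      - "traefik.http.routers.rutorrent.rule=Host(`rutorrent.example.com`)"
      - "traefik.http.services.rutorrent.loadbalancer.server.port=8080"

  rutorrent:
    image: example/rutorrent:placeholder       # placeholder image
    network_mode: "service:pia"                # shares pia's network namespace
    depends_on:
      - pia
    # No ports: or networks: here. Docker rejects published ports on a
    # container that joins another container's network namespace.

networks:
  traefik_proxy:
    external: true
```

Every port published on the VPN container is a listener on the host that traffic can reach without passing through the tunnel or traefik, so publish only the ports you need reachable by ip:port.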

> 1. Because they need to be read at runtime, I don't think there's a way.

Thanks. My current setup is a single compose file using depends_on in 4 containers going through the vpn container. This all works at runtime, but if the vpn container reconnects or restarts or watchtower updates the vpn, the 4 depends_on containers become inaccessible because, like you say, depends_on is only read at runtime. I'm currently trying out the following label to mitigate the failure when watchtower updates the vpn:

- "com.centurylinklabs.watchtower.depends-on=jackett,deemix,lidarr-amd,xteve"

Still waiting for the vpn container I'm using to be updated to see if it works.

I wonder if your setup, declaring all the labels in the vpn container, will also stop this happening. What happens if you just restart your vpn container? Do the apps running through it continue to work when the vpn comes back up?