Route Docker Container traffic through a VPN container
I've installed a couple of containers on my RockPro64 (ARMv8 Processor rev 2 (v8l)) running openmediavault (version 4.1.27-1 Arrakis). Everything is working like a charm.

Containers that I use include Transmission, Jellyfin, Radarr, Sonarr, Jackett... et cetera. I would like to be able to connect those containers through a VPN, so that the connection is more private.

The ideal scenario would be that I have one 'VPN-container' that connects with my VPN provider (at the moment this is PIA, but I would like to have a flexible solution). My other containers will connect to the internet through this container so that they have a VPN-connection.

Maybe it is worth mentioning that I have two containers (Jellyfin & Nextcloud) that I can reach from outside through the internet on a domain name. Maybe it will be different to connect those through a VPN.

I could not find any clear guides that provide a solution for my set-up. I hope someone can give some ideas on where to start or share a guide that could work for me.

Millford answered 15/12, 2019 at 1:32 Comment(2)
So you can create a network that corresponds to your VPN in docker-compose and use that network with all the containers so they will know each other. Have a look at docs.docker.com/compose/networking - Periodicity
Ehm that sounds interesting, but also goes a bit over my head. I'll see if I can work it out. - Millford
I run radarr, sonarr, lidarr, bazarr, pyload, deluge, jellyfin, jackett, airsonic containers behind PIA vpn through https://github.com/qdm12/gluetun (on amd64, but images for arm64 are provided as well).

It's well documented and actively maintained. It supports Private Internet Access, Mullvad, Windscribe, Surfshark, Cyberghost, Vyprvpn, NordVPN, PureVPN and Privado at the moment of writing this.

For the gluetun container I use this to expose the ports:

version: '3.7'
services:
  gluetun:
    image: qmcgaw/private-internet-access
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8000:8000/tcp # Built-in HTTP control server
# other containers ports
      - 8112:8112     # deluge webui
      - 58846:58846   # deluge daemon
      - 6767:6767     # bazarr
      - 8989:8989     # sonarr
      - 7878:7878     # radarr
      - 8686:8686     # lidarr
      - 9117:9117     # jackett
      - 4040:4040     # airsonic
      - 8096:8096     # jellyfin/emby
      - 8227:8227     # pyload
    volumes:
      - ./data_gluetun:/gluetun
      - ./data_gluetun/port_forward:/tmp/gluetun/forwarded_port
    environment:
      - VPNSP=private internet access
      - TZ=Europe/London
      - USER=${PIA_USER}
      - PASSWORD=${PIA_PASS}
      - REGION=${PIA_REGION}
      - PORT_FORWARDING=on
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
      - HTTPPROXY=on
      - SHADOWSOCKS=on
      - SHADOWSOCKS_PASSWORD=${SHADOW_PASS}
    restart: unless-stopped

and then in the containers I wish to route via the above container I commented out any existing network settings and replaced them with network_mode: "container:gluetun".

For automated letsencrypt certificates and reverse proxy to access from outside local network I use https://github.com/jc21/nginx-proxy-manager with arm compatible mariadb yobasystems/alpine-mariadb:latest running on a RPi4b with 64bit ubuntu server.

Artiste answered 14/11, 2020 at 14:48 Comment(0)
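As an added example (not the answerer's own compose file), here is the consuming side of that setup: a sonarr service joined to gluetun's network namespace with compose's `service:` form, next to a trimmed-down gluetun definition. The linuxserver/sonarr image, its PUID/PGID variables and the volume paths are assumptions.

```yaml
version: '3.7'
services:
  gluetun:
    image: qmcgaw/private-internet-access
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      # Published here, not on sonarr: sonarr has no network stack of its own.
      - 8989:8989     # sonarr web UI, reachable from the LAN via the host
    volumes:
      - ./data_gluetun:/gluetun
    environment:
      - VPNSP=private internet access
      - USER=${PIA_USER}
      - PASSWORD=${PIA_PASS}
      - REGION=${PIA_REGION}
      # Without this, gluetun's firewall also drops replies to the LAN,
      # so the web UI published above would be unreachable from 192.168.1.x.
      - FIREWALL_OUTBOUND_SUBNETS=192.168.1.0/24
    restart: unless-stopped

  sonarr:
    image: linuxserver/sonarr      # assumed image
    container_name: sonarr
    # Share gluetun's network namespace: every packet sonarr sends leaves
    # through the tunnel, and gluetun's firewall blocks it if the tunnel drops.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    # No 'ports:' and no 'networks:' here: both are invalid in this mode,
    # and the port is published on the gluetun service instead.
    volumes:
      - ./data_sonarr:/config      # assumed paths
      - ./media:/data
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
    restart: unless-stopped
```

If the gluetun container is recreated rather than just restarted, containers joined to its namespace lose their network and must be recreated as well, so after any change to gluetun bring the whole stack up again. To confirm nothing bypasses the tunnel, query a public-IP echo service with curl or wget from inside the sonarr container and check that the address returned is the VPN exit, not your ISP address.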
This looks like what you need for the containers to secure the outgoing connections: https://jordanelver.co.uk/blog/2019/06/03/routing-docker-traffic-through-a-vpn-connection/. You want to start the container with the --net container:name-of-vpn-container.

I imagine that if you want the incoming container to be through the VPN you will need to ensure that the VPN provider gives you a static IP/hostname and forward the ports. I suspect that you will not want to go down this road as it will be complex. The best bet is to continue to access them through the domain name, just make sure it's over https* and make sure the device–your phone/tablet/laptop whatever–you're using is on a VPN.

* Look no further than linuxserver.io's excellent work for more on this: https://blog.linuxserver.io/2020/08/21/introducing-swag/

Reber answered 11/11, 2020 at 16:37 Comment(0)