Arr, my friends. I have an old laptop already running some servoces on docker 24/7 at home and looking to extend it’s functionalities to become torrent downloader with media server for TV. Need VPN for obvious reasons.
I was wondering if there are already all-in-one solutions to just run docler compose file and get 2 containers: one running torrent client with all traffic via VPN in another?
I plan to use Mullvad VPN.
Upd. Updated title to highlight it’s a request. Not sure why getting downvotes, please elaborate :)
Use gluetun, look up how to configure for your provider. Run a 2nd container for your torrent client, using
network_mode: “service:gluetun”
to run all your traffic though the vpn. Note that if you’re forwarding ports from your client to e.g. access the web UI, you’ll need to forward them from the gluetun container instead.This is definitely the way to do it long term. I’ve used a hybrid download + VPN client but in the end I moved to a split gluetun + client since it offers the best flexibility.
If you want to use transmission as your torrent client I recommend checking out https://github.com/haugene/docker-transmission-openvpn . There are some additional configuration changes needed for mullvad but it should be straightforward.
This is what I use and love it. Took a bit to get it configured properly with airvpn, but now it’s rock solid.
My (almost finished) script creates a setup like this. It doesn’t just do a client + VPN, but it can also set up radarr, sonarr, jellyfin, and a couple of other services
Trash guides say you shouldn’t run the *arr’s through a VPN because you’re likely to get blocked by metadata servers. I only run my download client through the VPN + also use gluetun’s HTTP proxy for Prowlarr’s indexers
I wish I could do that as well, but most of the big public trackers are blocked where I live. I need to run Sonarr and the like through the VPN because I can’t search through the trackers otherwise
I haven’t heard of prowlarr’s HTTP proxy. Do you have a link to more info about it?
Sure, the docs are pretty minimal though: https://wiki.servarr.com/prowlarr/settings (just click on Proxy)
Basically you can configure a proxy (from your VPN provider for example) for each indexer (or font add a tag to apply it to all of them), and queries to indexers will run through there. This avoids Sonarr making calls to TVDB or whatever through the VPN and getting blocked.
This is a great work! Documentation is clear to a person not familiar with the topic (me). Will try that out and provide feedback, thank you!
I’m currently in the process of a complete rewrite. Once the v2 tag is out I can actually go into deeper feedback :)
No one-stop-shop that I have seen or heard of, but check out Gluetun. https://github.com/qdm12/gluetun
Just google “gluetun + qbittorrent”. There are some examples, but in short you want
network_mode: "service:gluetun"
anddepends_on: -gluetun
under qbittorrent so it doesnt have connection if gluetun fails.Gluetun supports a lot of providers, documentation is decent and simple.
But consider airvpn or any other with port forwarding if you want to torrent. Mullvad ditched PF recently 😔
Thanks for recommendation, didn’t know Mullvad discontinued port forwarding. That was a reason I chose them a year ago.
Now will tale a look at ProtonVPN and AirVPN as alternatives.
Your answer is amazing, you covered it all and so concise, that should be on FAQ :)
Meaning no torrent downloads are possible? Or “just” no uploads?
Meaning both are possible, but its much better with port forwarding. You cant connect to everyone, but for well seeded torrents it shouldnt be an issue.
Don‘t use two images, just use qbittorrentvpn
I don’t do it all in one compose file out of preference, but as others have said Gluetun + your preferred torrent client with all networking going to Gluetun. I’ve been running this way with deluge for a while now and it’s been solid as a rock.
I use portainer for stacks so idk how you do it manually… But a stack with Gluetun and any apps that you use the VPN. I have Firefox(kasm) in my stack with the homepage set to ipleak to double check the VPN
I figured you wanted a 4th person telling you to use Gluetun. The biggest advantage is that it can run anything through the VPN. Not just the torrent client, but also radarr, sonarr, slskd, etc
I recently went through setting this up. I can give you a base compose.yaml based on the one I have
For the wireguard config, you would throw your .conf file to /path/to/wireguard/config, like so: /path/to/wireguard/config/wg0.conf
This setup assumes you have ipv6 working and enabled. The wg0.conf would also have the VPNs ipv6 address. I use Mullvad too btw.
You can access Qbittorrent’s web UI through http://localhost:8090.
I’d like to note that the image I use for Qbittorrent has support built in for VPN, but with the setup I have I basically have the wireguard container with its network, and multiple containers on that same network. In theory it should work with other bittorrent clients.
And the docker images for reference:
version: '3.7' services: wireguard: image: lscr.io/linuxserver/wireguard:latest container_name: wireguard cap_add: - NET_ADMIN - SYS_MODULE #optional networks: - wireguard_network environment: - PUID=1000 - PGID=1000 - TZ=Etc/UTC volumes: - /path/to/wireguard/config:/config - /lib/modules:/lib/modules #optional ports: - 51820:51820/udp # Wireguard - 8090:8090 # QBittorrent sysctls: - net.ipv4.conf.all.src_valid_mark=1 - net.ipv6.conf.all.disable_ipv6=0 restart: unless-stopped qbittorrentvpn: privileged: true container_name: qbtwg network_mode: service:wireguard depends_on: - wireguard volumes: - '/path/to/qbtconfig/:/config' - '/path/to/downloads/:/downloads' environment: - VPN_ENABLED=no - VPN_TYPE=wireguard - PUID=1000 - PGID=1000 - LAN_NETWORK=192.168.1.0/24 - 'NAME_SERVERS=1.1.1.1,1.0.0.1' restart: unless-stopped image: dyonr/qbittorrentvpn networks: wireguard_network: driver: bridge
Don‘t run privileged images! Drop all CAPS, enable no-new-privileged, use non-privileged users only.
Hey there, thanks for the tips. It seems I can’t get the wireguard container working without the NET_ADMIN CAP. I looked at the gluetun image and it has it too. Is it possible to run a docker wireguard client without that CAP?
Wireguard needs kernel access so needs to run privileged.