Skip to content

Deluge with OpenVPN in Docker on a Synology NAS

UpdateDate
New guide09/03/2022
Amendment to VPN Server section to disable the server.10/03/2022
Updated the compose file with DNS settings to avoid potential connection issues12/03/2022
Added an example compose file to the FAQs showing how to add additional services to the VPN 21/03/2022
Tweaked Firewall section to take into account TCP VPN Providers05/07/2022
Rewritten the TUN device section to now include script to enable at startup08/07/2022
Updated network settings you can now start the VPN via the UI, however you will need to stop and start associated containers at the same time.30/07/2022


What are Deluge and OpenVPN?

Deluge is a lightweight torrent downloader, it has a number of built-in plugins to help organise your downloads and a full web interface, and OpenVPN is the client application used to connect to your VPN provider.

Let’s Begin

In this guide I will take you through the steps to get Deluge up and running in Docker and a separate OpenVPN container. By having a separate container for the VPN connection we can use it in the future for other applications such as Prowlarr, this is useful if you have torrent indexers blocked in your country.

As the Synology DSM GUI does not support some of the functions we need for this tutorial we will be using Docker Compose. This is not as complicated as it might seem!

In order for you to successfully use this guide please complete the three preceding guides

Folder Setup

Let’s start by getting a couple of folders set up for the containers to use. Open up Filestation and within the /docker share create a folder called ‘deluge’ and one called ‘vpn’

VPN Package / TUN Device

We are now going to create the TUN device which allows the VPN connection to take place and then add a script to ensure it is automatically loaded whenever you reboot your NAS. Some people have not had to do the script part of the guide – your mileage may vary.

Synology VPN package

Head into the Package Center and download the Synology VPN Server package.

Once downloaded open up the VPN package and in the OpenVPN section enable the server.

Next click on Apply and you will receive this message regarding the Firewall and Router. We are not going to be forwarding any ports on our router, however if you do have the Firewall enabled on DSM we will be opening up an outbound port in a bit.

You can now disable the OpenVPN server by unchecking and applying the change again, as this has enabled the TUN, keep the package installed and running.

Setting up the start up script

First off credit to MemoryLeak.dev for this I am just using their code within this guide.

Open up Control Panel and then click on Task Scheduler

Next click on Create, Triggered Task then User Defined Script.

Now enter a name for the script – you can call it anything you like. The User must be ‘root’ and ‘Boot-up’ for the Event.

On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section. It will look like screenshot.

#!/bin/sh -e

insmod /lib/modules/tun.ko
EOF

You can now press OK and agree to the warning message. You can now move on to the next step.

Firewall (Optional Step if you have the Firewall Enabled)

If you have the Synology Firewall enabled and configured to block outgoing connections you will need to do this step. Otherwise, you will have issues with the VPN connecting to your provider. (please note the screenshot below does not show all the other rules you would normally have enabled)

Go into Control Panel > Security > Firewall

Click on Edit Rules and in the screen that appears click on ‘Create’

In the first screen select ‘Custom’

On the next screen we select the Type as ‘Destination Port’ and Protocol as ‘All’. In this example I am going to open up both 1194 and 1195 as some providers use UDP and some TCP and these are the most commonly used ports.

Click on OK and Apply the rule, and leave the ‘Source IP’ and ‘Action’ to their defaults on the original screen.

Configuration Files

In order for OpenVPN to connect to your provider we need to give it some key information for the connection. Due to the sheer amount of providers out there the information below will likely need to be tweaked based on your provider.

To keep this guide OS-agnostic I will be using the Synology Text Editor that can be installed via the package center. You can use your own preferred method such as using Notepad++ on Windows.

Open up Text Editor and create a new file, within this first file we are going to add our username and password for connecting to the VPN provider.

Now save this file in the ‘/docker/vpn’ folder and name it ‘vpn.auth’

The second file requires information from your VPN provider, they should have a number of OpenVPN configuration files for you to download on their website, usually split up into countries. Obtain one of these files.

Open up Text Editor and paste in the content of your providers .ovpn config file. It should look similar to the below however every provider is different!

We need to edit or add some key sections of this file as per the table below.

Original SettingUpdated SettingComments
auth-user-passauth-user-pass /vpn/vpn.authTells the container to get your login details from the vpn.auth file
persist-tun# persist-tunThis will ensure the connection is automatically reset if it fails
crl-verifycrl-verify /vpn/crl.rsa.2048.pemProvider Dependent – If you didn’t get a .pem file in with your config files you do not need to add this. If it is you need to ensure the crl.rsa.2048.pem is saved in the /docker/vpn folder
caca /vpn/ca.rsa.2048.crtProvider Dependent – If you didn’t get a .crt file you do not need to add this. If it is you need to ensure the ca.rsa.2048.crt is saved in the /docker/vpn folder

You can now save this file into ‘/docker/vpn’ named ‘vpn.conf’

If your provider uses certificate files these will also be saved here.

That’s the VPN settings done, let’s get onto the compose file.

Docker Compose

Next we are going to create a Docker Compose file, this is used to tell Docker how to set up our container with all the variables we require that are not available in the DSM GUI.

Open up Text Editor again and create a new file. Copy and paste the information below into the file.

version: "3.8"
services:
  vpn:
    container_name: vpn
    image: dperson/openvpn-client:latest
    cap_add:
      - net_admin # gives docker admin rights to amend network settings
    devices:
      - /dev/net/tun #points to the tun device created by the syno VPN package
    volumes:
      - /volume1/docker/vpn:/vpn #The location of our config files
    security_opt:
      - label:disable
    environment:
      OPENVPN_OPTS: '--mute-replay-warnings'
      DNS: --9.9.9.9 #quad9 DNS this is to help avoid connection issues
    ports: #uncomment ports below for additional applications
      - 8112:8112 # port for deluge
#      - 9696:9696 # port for prowlarr remove the # to use
#      - 8090:8090 # port for qbittorrent remove the # to use
    command: '-f "" -r "192.168.0.0/24"' # amend this in line with your local network settings
    network_mode: synobridge
    restart: unless-stopped
      
  linuxserver-deluge:
    image: ghcr.io/linuxserver/deluge
    container_name: deluge
    network_mode: service:vpn # run on the vpn network
    environment:
      - PUID=YOURPUID
      - PGID=YOURPGID
      - TZ=YOURTIMEZONE
      - DELUGE_LOGLEVEL=error #optional
    volumes:
      - /volume1/docker/deluge:/config
      - /volume1/data/torrents:/data/torrents
    depends_on:
      - vpn
    restart: unless-stopped

You can change the formatting to YAML in the bottom right of the editor to make it easier to read.

We need to make some small amendments to the default settings to ensure they work for you.

VariableValue
ports(optional) If you want to run any other containers through the VPN connection you will need to add their WebUI port numbers to this section. By default we are just passing Deluge through. – If you do add something like Prowlarr you will need to move it to this compose file and then set its network mode in line with the one Deluge is using. (see the FAQ’s on Page 2)
command(required) in the command section you will see 192.168.0.0/24 you will need to amend this in line with your local IPv4 settings for your network.
For example if the IP of your NAS is 192.168.0.123 you will use 192.168.0.0 or if your IP is 192.168.1.123 you will use 192.168.1.0
network_mode (optional) You can see that the Deluge container is being told to use the VPN, if you added any other containers such as Prowlarr you will need to change their config in line with this. (See the FAQ’s on Page 2)
PUID(required) The UID you obtained in the user setup guide
PGID(required) The GID you obtained in the user setup guide
TZ(required) Your timezone wikipedia.org/wiki/List_of_tz_database_time_zones
If you are having any issues with adding extra containers head over to Discord for some help

You can now save this compose file in /docker/vpn and call it delugevpn.yml

SSH and Docker-Compose

It’s time to get logged into you Diskstation via SSH, you can do this in the same way as when you obtained your IDs in the ‘Setting up a restricted Docker user‘ guide.

Once you have logged in you will need to give 2 commands, you can copy and paste these one at a time — you will need to enter your password for the command starting with ‘sudo’

First we are going to change directory to where the delugevpn.yml is located, type the below and then press enter.

cd /volume1/docker/vpn

Then we are going to instruct Docker Compose to read the file we created and complete the set-up of the container. Again type the below and press enter.

sudo docker-compose -f delugevpn.yml up -d

When the command has completed you should be able to see both Deluge and the VPN container running in the list of containers in the Synology GUI.

If you find the VPN container is in a restart loop it means something within the settings is not quite right. Feel free to reach out on Discord or via my contact page (top left of this site), take a look at the VPN container logs and see the FAQ on page 2 for some common issues.

Final steps

As we have used /data/torrents as the mount point for our downloads we need to make sure Deluge uses this same file path.

We are going to do this by just changing the directory settings within Deluge.

Open a new browser tab and go to your NAS IP address on port 8112 (e.g 192.168.0.46:8112)

Deluge by default has the password of ‘deluge’ to access the web UI, you can change or remove this later in the settings.

Next you will connect to the Deluge back end, just select the host and click connect, it will remember this going forward.

Now you are in the UI click on Preferences at the top of the screen, we are going to change the various folders to the settings shown in the screenshot/table below

OptionFromTo
Download to:/root/Downloads/data/torrents/incoming
Move complete to:/root/Downloads/data/torrents/completed

Plugins

There are a couple of plugins you will want to enable.

  • Autoadd – This allows you to pull in any torrents in the watch directory
  • Label – This allows Radarr/Sonarr to assigned labels and pull downloads into subdirectories – no additional configuration required for this plugin
  • Auto Remove Plus – Download the ‘AutoRemovePlus-2.0.0-py3.8.egg’ version from the Deluge forums and place it in the Plugins’ folder in /docker/deluge/plugins. It allows you to fine tune when to remove torrents and their associated data once downloaded. (You may need to stop and re-up the container for this to appear)
Autoadd Plugin Settings
AutoremovePlus Settings

That’s it you are completely set up!

Something not working – See the FAQs



Throw me some bits or buy me a coffee?

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running the site, you can even buy me a coffee 🙂

Buy Me A Coffee
Doge / Ethereum / Bitcoin

Pages: 1 2

Published inDockerDownload ToolsSynology

75 Comments

  1. Jeffrey Jeffrey

    First of all, great work with the tutorials!
    I have just a lot of them successfully, but this one is giving me trouble.
    I hope you can help me pinpoint the problem and help me resolve it.
    I followed your guide step by step but the docker compose is unsuccessful.
    It looks like creating vpn is okay, but deluge is not working for me.

    Below you can see the error message I get through SSH.

    Creating vpn … done
    Creating deluge … error

    ERROR: for deluge Cannot start service linuxserver-deluge: OCI runtime create failed: container_linux.go:363: creating new parent process caused: container_linux.go:1946: running lstat on namespace path “/proc/21122/ns/net” caused: lstat /proc/21122/ns/net: no such file or directory: unknown

    I hope you find the time to help me, thanks in advance!

    • Dr_Frankenstein Dr_Frankenstein

      Hey, if the VPN connection is not being established Deluge will not start up, and the VPN will usually be in a restart loop, first have a look at the vpn container logs for clues. However I have seen most errors at this point so you can always ping me the log via the contact page on the top left of the site and I can take a look.

      • Jeffrey Jeffrey

        Thanks for your quick reply!
        How can I check if the connection is established?
        The VPN container is created and running…

        • Jeffrey Jeffrey

          I will look into this further, vpn is not running anymore and constantly restarting. Thanks for the hint!!

          • Dr_Frankenstein Dr_Frankenstein

            Feel free to ping me, usually a fairly easy fix.

  2. Louis Louis

    Thank you very much for all your hard work. I appreciate your efforts to make all these guides.
    I just finally installed deluge with vpn. It s working ok. However, checking the log through Portainer, there are few warnings that I would like you to take a look and see if there is anything I can do about them. Thank you in advance.
    Here the logs:
    /usr/lib/python3.10/site-packages/pkg_resources/init.py:1235: UserWarning: Extraction path is writable by group/others and vulnerable to attack when used with get_resource_filename (/config/plugins/.python-eggs). Consider a more secure location (set with .set_extraction_path or the PYTHON_EGG_CACHE environment variable).

    • Dr_Frankenstein Dr_Frankenstein

      Hey no problem glad they are helping – That is a pretty standard warning, it’s saying that other users have access to the same folders. Essentially your normal admin user has access as well as the dockerlimited user. On a standard Linux install the configs are stored in the users /home directory which only that user has access too, so it’s throwing the warning as it doesn’t know its in Docker. Nothing to be concerned about.

    • Louis Didier Louis Didier

      Thank you very much again for taking time to address and clarify the logs. That makes sense now. Cheers!

  3. Hi Dr. I’m new to all this and your guide is very helpful. Really saving my bacon! I’ve got deluge set up but nothing is downloading. My Tracker status says ‘Error: Host not found (non-authoritative), try again later” any ideas?

    • Dr_Frankenstein Dr_Frankenstein

      Hey Fred, I am going to assume that the VPN container is connected. Double check the logs to be sure as this sounds like a DNS issue and the Deluge container is actually being blocked as it should be when no VPN is connecting. Might be worth reaching out to be via Discord or the Contact me page. Top left of this site under my logo.

  4. Mike Mike

    Wonderful guide! I seem to be running into the same issue as Stevvy above – my VPN container is on a constant “restarting” loop. In looking at the logs, it seems perhaps this line item is the culprit:

    ip6tables v1.8.4 (legacy): can’t initialize ip6tables table `nat’: Table does not exist (do you need to insmod?)

    Thanks for any assistance you can offer!

    • Dr_Frankenstein Dr_Frankenstein

      Hey, that warning is actually normal can you reach out on Discord or ping me an email via the contact form.. Top left under the site logo. I can take a look at the full log and give you a fix.

  5. digzi digzi

    Is there a way to have multiple LAN’s under the “command:” part? The LAN on my WiFi, and wired networks are different.

    • Dr_Frankenstein Dr_Frankenstein

      Hey, yes I believe you can change the line to…

      command: ‘-f “” -r “192.168.0.0/24″‘ -r 192.168.254.0/24 -f # route local network traffic

      Replace the IPs with your own.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!