Skip to content

Deluge with OpenVPN in Docker on a Synology NAS

New guide09/03/2022
Amendment to VPN Server section to disable the server.10/03/2022
Updated the compose file with DNS settings to avoid potential connection issues12/03/2022
Added an example compose file to the FAQs showing how to add additional services to the VPN 21/03/2022
Tweaked Firewall section to take into account TCP VPN Providers05/07/2022
Rewritten the TUN device section to now include script to enable at startup08/07/2022
Updated network settings you can now start the VPN via the UI, however you will need to stop and start associated containers at the same time.30/07/2022

What are Deluge and OpenVPN?

Deluge is a lightweight torrent downloader, it has a number of built-in plugins to help organise your downloads and a full web interface, and OpenVPN is the client application used to connect to your VPN provider.

Let’s Begin

In this guide I will take you through the steps to get Deluge up and running in Docker and a separate OpenVPN container. By having a separate container for the VPN connection we can use it in the future for other applications such as Prowlarr, this is useful if you have torrent indexers blocked in your country.

As the Synology DSM GUI does not support some of the functions we need for this tutorial we will be using Docker Compose. This is not as complicated as it might seem!

In order for you to successfully use this guide please complete the three preceding guides

Folder Setup

Let’s start by getting a couple of folders set up for the containers to use. Open up Filestation and within the /docker share create a folder called ‘deluge’ and one called ‘vpn’

VPN Package / TUN Device

We are now going to create the TUN device which allows the VPN connection to take place and then add a script to ensure it is automatically loaded whenever you reboot your NAS. Some people have not had to do the script part of the guide – your mileage may vary.

Synology VPN package

Head into the Package Center and download the Synology VPN Server package.

Once downloaded open up the VPN package and in the OpenVPN section enable the server.

Next click on Apply and you will receive this message regarding the Firewall and Router. We are not going to be forwarding any ports on our router, however if you do have the Firewall enabled on DSM we will be opening up an outbound port in a bit.

You can now disable the OpenVPN server by unchecking and applying the change again, as this has enabled the TUN, keep the package installed and running.

Setting up the start up script

First off credit to for this I am just using their code within this guide.

Open up Control Panel and then click on Task Scheduler

Next click on Create, Triggered Task then User Defined Script.

Now enter a name for the script – you can call it anything you like. The User must be ‘root’ and ‘Boot-up’ for the Event.

On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section. It will look like screenshot.

#!/bin/sh -e

insmod /lib/modules/tun.ko

You can now press OK and agree to the warning message. You can now move on to the next step.

Firewall (Optional Step if you have the Firewall Enabled)

If you have the Synology Firewall enabled and configured to block outgoing connections you will need to do this step. Otherwise, you will have issues with the VPN connecting to your provider. (please note the screenshot below does not show all the other rules you would normally have enabled)

Go into Control Panel > Security > Firewall

Click on Edit Rules and in the screen that appears click on ‘Create’

In the first screen select ‘Custom’

On the next screen we select the Type as ‘Destination Port’ and Protocol as ‘All’. In this example I am going to open up both 1194 and 1195 as some providers use UDP and some TCP and these are the most commonly used ports.

Click on OK and Apply the rule, and leave the ‘Source IP’ and ‘Action’ to their defaults on the original screen.

Configuration Files

In order for OpenVPN to connect to your provider we need to give it some key information for the connection. Due to the sheer amount of providers out there the information below will likely need to be tweaked based on your provider.

To keep this guide OS-agnostic I will be using the Synology Text Editor that can be installed via the package center. You can use your own preferred method such as using Notepad++ on Windows.

Open up Text Editor and create a new file, within this first file we are going to add our username and password for connecting to the VPN provider.

Now save this file in the ‘/docker/vpn’ folder and name it ‘vpn.auth’

The second file requires information from your VPN provider, they should have a number of OpenVPN configuration files for you to download on their website, usually split up into countries. Obtain one of these files.

Open up Text Editor and paste in the content of your providers .ovpn config file. It should look similar to the below however every provider is different!

We need to edit or add some key sections of this file as per the table below.

Original SettingUpdated SettingComments
auth-user-passauth-user-pass /vpn/vpn.authTells the container to get your login details from the vpn.auth file
persist-tun# persist-tunThis will ensure the connection is automatically reset if it fails
crl-verifycrl-verify /vpn/crl.rsa.2048.pemProvider Dependent – If you didn’t get a .pem file in with your config files you do not need to add this. If it is you need to ensure the crl.rsa.2048.pem is saved in the /docker/vpn folder
caca /vpn/ca.rsa.2048.crtProvider Dependent – If you didn’t get a .crt file you do not need to add this. If it is you need to ensure the ca.rsa.2048.crt is saved in the /docker/vpn folder

You can now save this file into ‘/docker/vpn’ named ‘vpn.conf’

If your provider uses certificate files these will also be saved here.

That’s the VPN settings done, let’s get onto the compose file.

Docker Compose

Next we are going to create a Docker Compose file, this is used to tell Docker how to set up our container with all the variables we require that are not available in the DSM GUI.

Open up Text Editor again and create a new file. Copy and paste the information below into the file.

version: "3.8"
    container_name: vpn
    image: dperson/openvpn-client:latest
      - net_admin # gives docker admin rights to amend network settings
      - /dev/net/tun #points to the tun device created by the syno VPN package
      - /volume1/docker/vpn:/vpn #The location of our config files
      - label:disable
      OPENVPN_OPTS: '--mute-replay-warnings'
      DNS: -- #quad9 DNS this is to help avoid connection issues
    ports: #uncomment ports below for additional applications
      - 8112:8112 # port for deluge
#      - 9696:9696 # port for prowlarr remove the # to use
#      - 8090:8090 # port for qbittorrent remove the # to use
    command: '-f "" -r ""' # amend this in line with your local network settings
    network_mode: synobridge
    restart: unless-stopped
    container_name: deluge
    network_mode: service:vpn # run on the vpn network
      - DELUGE_LOGLEVEL=error #optional
      - /volume1/docker/deluge:/config
      - /volume1/data/torrents:/data/torrents
      - vpn
    restart: unless-stopped

You can change the formatting to YAML in the bottom right of the editor to make it easier to read.

We need to make some small amendments to the default settings to ensure they work for you.

ports(optional) If you want to run any other containers through the VPN connection you will need to add their WebUI port numbers to this section. By default we are just passing Deluge through. – If you do add something like Prowlarr you will need to move it to this compose file and then set its network mode in line with the one Deluge is using. (see the FAQ’s on Page 2)
command(required) in the command section you will see you will need to amend this in line with your local IPv4 settings for your network.
For example if the IP of your NAS is you will use or if your IP is you will use
network_mode (optional) You can see that the Deluge container is being told to use the VPN, if you added any other containers such as Prowlarr you will need to change their config in line with this. (See the FAQ’s on Page 2)
PUID(required) The UID you obtained in the user setup guide
PGID(required) The GID you obtained in the user setup guide
TZ(required) Your timezone
If you are having any issues with adding extra containers head over to Discord for some help

You can now save this compose file in /docker/vpn and call it delugevpn.yml

SSH and Docker-Compose

It’s time to get logged into you Diskstation via SSH, you can do this in the same way as when you obtained your IDs in the ‘Setting up a restricted Docker user‘ guide.

Once you have logged in you will need to give 2 commands, you can copy and paste these one at a time — you will need to enter your password for the command starting with ‘sudo’

First we are going to change directory to where the delugevpn.yml is located, type the below and then press enter.

cd /volume1/docker/vpn

Then we are going to instruct Docker Compose to read the file we created and complete the set-up of the container. Again type the below and press enter.

sudo docker-compose -f delugevpn.yml up -d

When the command has completed you should be able to see both Deluge and the VPN container running in the list of containers in the Synology GUI.

If you find the VPN container is in a restart loop it means something within the settings is not quite right. Feel free to reach out on Discord or via my contact page (top left of this site), take a look at the VPN container logs and see the FAQ on page 2 for some common issues.

Final steps

As we have used /data/torrents as the mount point for our downloads we need to make sure Deluge uses this same file path.

We are going to do this by just changing the directory settings within Deluge.

Open a new browser tab and go to your NAS IP address on port 8112 (e.g

Deluge by default has the password of ‘deluge’ to access the web UI, you can change or remove this later in the settings.

Next you will connect to the Deluge back end, just select the host and click connect, it will remember this going forward.

Now you are in the UI click on Preferences at the top of the screen, we are going to change the various folders to the settings shown in the screenshot/table below

Download to:/root/Downloads/data/torrents/incoming
Move complete to:/root/Downloads/data/torrents/completed


There are a couple of plugins you will want to enable.

  • Autoadd – This allows you to pull in any torrents in the watch directory
  • Label – This allows Radarr/Sonarr to assigned labels and pull downloads into subdirectories – no additional configuration required for this plugin
  • Auto Remove Plus – Download the ‘AutoRemovePlus-2.0.0-py3.8.egg’ version from the Deluge forums and place it in the Plugins’ folder in /docker/deluge/plugins. It allows you to fine tune when to remove torrents and their associated data once downloaded. (You may need to stop and re-up the container for this to appear)
Autoadd Plugin Settings
AutoremovePlus Settings

That’s it you are completely set up!

Something not working – See the FAQs

Throw me some bits or buy me a coffee?

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running the site, you can even buy me a coffee 🙂

Buy Me A Coffee
Doge / Ethereum / Bitcoin

Pages: 1 2

Published inDockerDownload ToolsSynology


  1. Roger Roger

    Hi Dr.,

    Deluge (with VPN) and Prowlarr working beautifully, however they will not start up automatically after a restart of my NAS. Any ideas?

    I have to open SSH and use Putty to give the command (sudo docker-compose -f delugevpn.yml up -d) manually each time after a restart.

    Can this be automated? Or perhaps the container should start automatically after restart, but something is not configured correctly?

    Also, my download speeds are quite low (tried with the Ubuntu torrent-file) I get up to 5 MiB/s maximum. While without VPN through for example NZBget I get up to 100 MiB/s. I tried several *.ovpn files from my VPN provider (NordVPN). Any ideas, tips or hints on this?

    Warm regards, Roger

    • Dr_Frankenstein Dr_Frankenstein

      Hey Roger – Very odd they didn’t start up with the NAS as the script enables the TUN device meaning they should start up just like any other container. See if it happens again, failing that you could setup another script to run the compose command at start up.

      On the speed side of things you may wan’t to ensure you have configured any port forwarding on your Nord account to make sure everyone can see you Deluge instance as slow speeds could be a sign of a port being blocked.

  2. hi Dr_Frankenstein,
    thanks a lot for this very useful and well-writen guide !
    everything seemed to work pretty well but I can’t see the containers running in the docker app.
    And yet deluge IS running as I can reach the UI.
    Any idea how I could fix this ?

    Additionnaly, I already had a similar configuration with DSM 6 and I wanted a clean start after upgrading to DSM 7. Deluge does not catch up with my previous torrents and files, any idea how I could force this ? I would like to restart deluge… but I can’t access the “invisible” container ^_^

    Thanks a lot

    • Dr_Frankenstein Dr_Frankenstein

      Hey, very odd that it would not appear, try stopping the Docker package and starting it again as this container should appear just like any others.

      With regards matching up Torrents if your settings and files match up folders wise then you should pick up where left off. If not you may need to grab the torrent file or magnet again and do a ‘check’ of the files to allow you to begin seeding them again.

      • Pastix Pastix

        Hi, thanks, restarting docker made the containers reappear.

        I noticed that I can’t restart the deluge container as an error message tells me that it needs to join a network. Is this expected ?
        Does it mean that theres no auto-restart ?

        For the resuming of previous torrents, I could not fix the problem but I redownloaded my main torrent files and the checking process worked fine.

        Otherwise this is all running flawess now, thanks again.

        • Dr_Frankenstein Dr_Frankenstein

          You will need to bring Deluge up via SSH if you want to do a manual restart, however it will start automatically on a reboot, it’s just the Docker UI doesn’t recognise the type of network we have used.

  3. Chano Chano

    linuxserver-deluge is missing “restart: unless-stopped” from the Docker Compose sample above. At first, I thought this might have been by design. Now I’m not sure.

    • Dr_Frankenstein Dr_Frankenstein

      Hey Chano – Yes it was missing! – I have updated the compose, not sure how I missed it, thanks.

  4. Looking at the log it appears to be the same across the board. For instance, this is from the Radarr log with the only thing set up being the deluge, both generated from your guides, outside of the addition of Radarr being added within the delugevpn.ymt:

    System.Net.Http.HttpRequestException: Connection refused (localhost:8112)
    —> System.Net.Sockets.SocketException (111): Connection refused
    at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
    at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
    at System.Net.Sockets.Socket.g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)

    • Dr_Frankenstein Dr_Frankenstein

      OK – Can you try the following to see if it connects

      Go into the network section in Docker and see which bridge the VPN and Radarr etc reside. Then instead of using the IP of your NAS use the IP shown for the gateway.

      • You’re a legend Dr. Thank you kindly, that seemed to have been the missing piece.

  5. Fantastic guide, Dr! Issue I appear to be having currently is the step after additional containers have been added to the delugevpn file, such that say Prowlarr, Radarr and Sonarr are all covered by the vpn, however cannot seem to see the other containers, despite correctly filling out the command: ‘-f “” -r “″‘ appropriately and being able to ensure they are all otherwise online.

    • Dr_Frankenstein Dr_Frankenstein

      Hey, make sure you also add their corresponding ports to the yaml under the one for Deluge. This will ensure they are passed into your local network.

      • Thank you for the quick response. Unfortunately these have already been added in with the method used in the deluge/prowlarr example with the appropriate default ports for the arr containers in question. Despite the container images installing through, and the specific container ports being specified within the delugevpn.yml, they still cannot see one another locally.

        • Dr_Frankenstein Dr_Frankenstein

          I see – I think I got the wrong end of the stick, so the containers are all running, and you can connect to each of them individually (get to the Web UI) but they cannot communicate?

          • Correct, the containers cannot communicate between one another through the delugevpn.yml

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed. – writing Synology Docker Guides since 2016 – Join My Discord!