
qBittorrent with OpenVPN in Docker on a Synology NAS

New guide using DSM7.1 (11/05/2022)
Added how to extract .rar files upon completion (11/06/2022)
Tweaked Firewall section to take into account TCP VPN Providers (05/07/2022)

What are qBittorrent and OpenVPN?

qBittorrent is a torrent downloader and OpenVPN is the client application used to connect to your VPN provider.

Let's Begin

In this guide I will take you through the steps to get qBittorrent up and running in Docker with a separate OpenVPN container. By having a separate container for the VPN connection we can use it in the future for other applications such as Prowlarr. This is useful if you have torrent indexers blocked in your country.

As the Synology DSM Docker GUI does not support some of the functions we need for this tutorial we will be using Docker Compose. This is not as complicated as it might seem!

In order for you to successfully use this guide please complete the two preceding guides

Folder Setup

Let’s start by getting a couple of folders set up for the containers to use. Open up File Station and within the /docker share create a folder called ‘qbittorrent’ and one called ‘vpn’.

VPN Package / TUN Device

In a lot of guides you will see they require a script to run at the boot of the Diskstation in order to enable a TUN device. We are going to avoid this by using the Synology VPN Server package. We won’t actually be using the server itself, just the TUN device it enables when turned on.

Head into the Package Center and download the Synology VPN Server package.

Once downloaded open up the VPN package and in the OpenVPN section enable the server.

Next click on Apply and you will receive this message regarding the Firewall and Router. We are not going to be forwarding any ports on our router, however if you do have the Firewall enabled on DSM we will be opening up an outbound port in a bit.

You can now disable the OpenVPN server by unchecking it and applying the change again, as turning it on has already enabled the TUN device. Keep the package installed and running.

Firewall (Optional Step if you have the Firewall Enabled)

If you have the Synology Firewall enabled you will need to do this step. Otherwise, you will have issues with the VPN connecting to your provider.

Go into Control Panel > Security > Firewall

Click on Edit Rules and in the screen that appears click on ‘Create’

In the first screen select ‘Custom’

On the next screen we select the Type as ‘Destination Port’ and Protocol as ‘All’. In this example I am going to open up both 1194 and 1195 as some providers use UDP and some TCP and these are the most commonly used ports.

Click on OK and Apply the rule, and leave the ‘Source IP’ and ‘Action’ to their defaults on the original screen.

Configuration Files

In order for OpenVPN to connect to your provider we need to give it some key information for the connection. Due to the sheer amount of providers out there the information below will likely need to be tweaked based on your provider.

To keep this guide OS-agnostic I will be using the Synology Text Editor that can be installed via the package center. You can use your own preferred method such as using Notepad++ on Windows.

Open up Text Editor and create a new file. Within this first file we are going to add our username and password for connecting to the VPN provider.

Now save this file in the ‘/docker/vpn’ folder and name it ‘vpn.auth’

The second file requires information from your VPN provider. They should have a number of OpenVPN configuration files for you to download on their website, usually split up by country. Obtain one of these files.

Open up Text Editor and paste in the content of your provider’s .ovpn config file. It should look something like below. The Certificate section will not always be present if your provider gives you separate files for it.

We need to edit or add some key sections of this file as per the table below.

Original Setting | Updated Setting | Comments
auth-user-pass | auth-user-pass /vpn/vpn.auth | Tells the container to get your login details from the vpn.auth file
persist-tun | # persist-tun | This will ensure the connection is automatically reset if it fails
crl-verify | crl-verify /vpn/crl.rsa.2048.pem | Provider dependent – If you didn’t get a .pem file in with your config files you do not need to add this. If you did, make sure crl.rsa.2048.pem is saved in the /docker/vpn folder
ca | ca /vpn/ca.rsa.2048.crt | Provider dependent – If you didn’t get a .crt file you do not need to add this. If you did, make sure ca.rsa.2048.crt is saved in the /docker/vpn folder

You can now save this file into ‘/docker/vpn’ named ‘vpn.conf’

That’s the VPN settings done, let’s get onto the compose file.
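A pre-flight check for the files created in this section, added here as an example and not part of the original guide: it confirms the TUN device exists, that vpn.auth holds two lines, and that vpn.conf carries the edits from the table above. The function name preflight_vpn is hypothetical, and the username-then-password layout of vpn.auth (the standard OpenVPN auth-user-pass file format) is an assumption, since the guide's own sample is not shown.

```shell
#!/bin/sh
# Added example: pre-flight check for the /docker/vpn folder from this guide.
# preflight_vpn DIR [TUN] prints one line per problem and returns the count.
preflight_vpn() {
    dir=$1
    tun=${2:-/dev/net/tun}
    conf=$dir/vpn.conf
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # The compose file hands this device to the vpn container.
    [ -c "$tun" ] || fail "$tun is not a character device"

    # Assumed layout of vpn.auth: username on line 1, password on line 2.
    if [ -f "$dir/vpn.auth" ]; then
        n=$(grep -c '[^[:space:]]' "$dir/vpn.auth" || true)
        [ "$n" -eq 2 ] || fail "vpn.auth has $n non-empty lines, expected 2"
    else
        fail "vpn.auth not found in $dir"
    fi

    if [ ! -f "$conf" ]; then
        fail "vpn.conf not found in $dir"
        return "$problems"
    fi

    # auth-user-pass must name the file by its path inside the container.
    grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+/vpn/vpn\.auth[[:space:]]*$' "$conf" ||
        fail "auth-user-pass does not point to /vpn/vpn.auth"

    # persist-tun must be commented out (a leading '#' keeps it from matching).
    if grep -Eq '^[[:space:]]*persist-tun' "$conf"; then
        fail "persist-tun is still active"
    fi

    # Every ca / crl-verify file referenced under /vpn/ must exist in DIR,
    # because DIR is what the container sees as /vpn.
    for f in $(sed -nE 's#^[[:space:]]*(ca|crl-verify)[[:space:]]+/vpn/([^[:space:]]+).*#\2#p' "$conf"); do
        [ -f "$dir/$f" ] || fail "$f is referenced in vpn.conf but missing from $dir"
    done

    return "$problems"
}
```

Over SSH, load the function and run preflight_vpn /volume1/docker/vpn before bringing the containers up; a non-zero return value is the number of problems found.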

Docker Compose

Next we are going to create a Docker Compose file. This is used to tell Docker how to set up our containers with all the variables we require that are not available in the DSM GUI.

Open up Text Editor again and create a new file. Copy and paste the information below into the file.

version: "3.8"
services:
  vpn:
    container_name: vpn
    image: dperson/openvpn-client:latest
    cap_add:
      - net_admin # gives docker admin rights to amend network settings
    devices:
      - /dev/net/tun # points to the tun device created by the syno VPN package
    volumes:
      - /volume1/docker/vpn:/vpn # the location of our config files
    security_opt:
      - label:disable
    environment:
      OPENVPN_OPTS: '--mute-replay-warnings'
      DNS: -- # this will override your default DNS and avoids connection issues, you can change this value if you wish
    ports: # the ports below allow the WebUI of any application connecting through the VPN to remain accessible locally
      - 8090:8090 # port for qBittorrent - add a line for each application you want to use the VPN
    command: '-f "" -r ""' # -r -f  # amend this in line with your local network settings
    restart: unless-stopped

  qbittorrent:
    container_name: qbittorrent
    image: <qbittorrent image> # placeholder: the image name is not given on this page
    environment:
      - PUID=<your UID> # the UID you obtained in the user setup guide
      - PGID=<your GID> # the GID you obtained in the user setup guide
      - TZ=<your timezone>
      - WEBUI_PORT=8090
    volumes:
      - /volume1/docker/qbittorrent:/config
      - /volume1/data/torrents:/data/torrents
    network_mode: service:vpn # run on the vpn network
    depends_on:
      - vpn
    restart: unless-stopped

You can change the formatting to YAML in the bottom right of the editor to make it easier to read.

We need to make some small amendments to the default settings to ensure they work for you.

ports (optional): If you want to run any other containers through the VPN connection you will need to add their WebUI port numbers to this section. By default we are just passing qBittorrent through. If you do add something like Prowlarr you will need to move it to this compose file and then set its network mode in line with the one qBittorrent is using. (See the FAQs on Page 2)
command (required): You will need to amend this in line with the local IPv4 settings for your network.
For example if the IP of your NAS is you will use or if your IP is you will use
network_mode (optional): You can see that the qBittorrent container is being told to use the VPN. If you added any other containers such as Prowlarr you will need to change their config in line with this. (See the FAQs on Page 2)
PUID (required): The UID you obtained in the user setup guide
PGID (required): The GID you obtained in the user setup guide
TZ (required): Your timezone

If you are having any issues with adding extra containers head over to Discord for some help.

You can now save this compose file in /docker/vpn and call it qbittorrentvpn.yml

SSH and Docker-Compose

It’s time to get logged into your Diskstation via SSH. You can do this in the same way as when you obtained your IDs in the ‘Setting up a restricted Docker user’ guide.

Once you have logged in you will need to give 2 commands, you can copy and paste these one at a time — you will need to enter your password for the command starting with ‘sudo’

First we are going to change directory to where the qbittorrentvpn.yml is located, type the below and then press enter.

cd /volume1/docker/vpn

Then we are going to instruct Docker Compose to read the file we created and complete the set-up of the container. Again type the below and press enter.

sudo docker-compose -f qbittorrentvpn.yml up -d

When the command has completed you should be able to see both qBittorrent and the VPN container running in the list of containers in the Synology GUI.

Final steps

As we have used /data/torrents as the mount point for our downloads we need to make sure qBittorrent uses this same file path.

We need to change the file paths by editing the qBittorrent config file. Before doing this, stop both of the containers.

Go back into DSM and open Text Editor, browse to /docker/qbittorrent/qbittorrent and open qBittorrent.conf, then edit the file in line with the table below. Once amended, save the changes.

Original Value | New Value

You can now bring the containers back up again by repeating the steps in the SSH and Docker Compose section above.

Once the containers are running you can log into the Web UI by going to the IP of your NAS followed by port 8090


qBittorrent has a default login of ‘admin’ with the password ‘adminadmin’. You can change this in the settings or remove it altogether if you wish.

Now you are in the UI, click on the settings cog at the top of the screen. We are going to change one more directory, which is the watched folder, to /data/torrents/watch. You can also turn on the option ‘keep incomplete torrents in:’ which should already have ‘/data/torrents/incoming’ prefilled.

Next we are going to set a command to run when each torrent finishes to automatically extract any .rar files

Scroll down in the options to ‘Run external program on torrent completion’ and enter the below. It tells qBittorrent to run unrar and extract the file to the same save path as the original file. This will not delete anything, so you can continue seeding.

unrar x "%D/*.r*" "%D/"

I am not going to walk through all the other settings as you can customise these as you wish.

That’s it, you are completely set up!

FAQs – See Page 2 of this guide



  1. Tim

    I’m getting this error.

    Creating qbittorrent … error

    ERROR: for qbittorrent Cannot create container for service qbittorrent: Conflict. The container name “/qbittorrent” is already in use by container “40e4ea2688c42dd76f27af20ec2b125c32cc60c78eaee7de20e0e2771cf0e1f1”. You have to remove (or rename) that container to be able to reuse that name.

    How do I remove that container? I don’t see it in the docker app.

    • Dr_Frankenstein

      Try running with this command

      sudo docker-compose -f /volume1/docker/vpn/qbittorrentvpn.yml up -d --remove-orphans

    • Tim

      I managed to get rid of the original error, but now it’s saying:

      ERROR: for qbittorrent Cannot start service qbittorrent: Container 71c35a61827b6be6b55435180ee3300e9f74707d462a7f669d6f9935442ffb9a is restarting, wait until the container is running
      ERROR: Encountered errors while bringing up the project.

      The vpn and qBittorrent now show up in docker, but qbittorrent says “fail to run” and the vpn is stuck on restarting.

      When trying to run qbittorrent with the switch in docker, it says “container needs to be part of at least one network” (roughly translated from Dutch)

      • Dr_Frankenstein

        Your VPN is not connecting if the container is in a restart loop. Are you able to join Discord or contact me via the contact page please, as it’s going to be difficult to troubleshoot via the comments.

        • Tim

          Thanks for the quick replies! Discord is not letting me log in for some reason, where can I find the contact page?

          • Dr_Frankenstein

            Top left under the logo

  2. Gringoire

    Thank you for this guide!

    One point (if I’m not mistaken):
    . I followed your guide (religiously), starting with step 1 (aka the folders)
    . at the end of this guide you point to /data/torrents/watched. Should it be /data/torrent/watch?

    • Dr_Frankenstein

      Well spotted, I will amend the guide, I think I must have named it differently on my personal setup!

  3. Matthew Bament

    Thanks so much for the guide – I still have so much to learn but this was really helpful! I think I got it running (no errors) but is there any way to check if the VPN is actually connected/working? Also is it possible to create a task/job to run the SSH command that starts these containers, either on demand or on a restart for example?

    • Dr_Frankenstein

      The VPN is firewalled so if it’s downloading it’s connected. You can use this to double check, it will display the IP it sees

      The container should start automatically with your system, it is possible to run it as a script as root. I will add something to the FAQ.

      • Matthew Bament

        Apologies, me again. Had to power off the NAS and move it to a new location. On reboot, neither container started. The VPN container couldn’t find device “/dev/net/tun” – fine, quickly remedied by turning on / off the built-in VPN server app as per guide and then the container starts. The qbittorrent container won’t start though, it says “it cannot join network of a non-running container” although the VPN container does appear to be running?

        • Matthew Bament

          Just wondered if this is expected behaviour or just something odd with my setup. The /dev/net/tun device is not persistent after a reboot so the VPN container fails and does not come back on. I have to manually turn on the VPN server package again and turn it off (as shown in the guide) and can then manually start the containers again. I set up a simple task to run on demand “docker-compose -f /volume1/docker/vpn/qbittorrentvpn.yml up -d” that spins up the containers so saves a little bit of time having to log in with SSH but it would be great if I could somehow solve the /dev/net/tun device missing issue so it could be fully automatic – i.e. almost like running a script that would start the VPN server to get the /dev/net/tun loaded, then shut it down again and then load the containers.

          • Dr_Frankenstein

            Hey, I will have a look into a solution as this doesn’t happen for everyone, for my setup it always keeps the TUN device in place. I was trying to avoid scripts but may need to add one to the FAQ.

          • Dr_Frankenstein

            The behaviour is very weird. I did a shutdown today for a well needed dust of my NAS after 6 months, and everything just came back up as expected. Depending on your security appetite you could leave the openvpn server running, as long as the port is not exposed to the Internet no one can connect to it without credentials.

  4. I’m getting an error after compose

    ERROR: for vpn Cannot start service vpn: error gathering device information while adding custom device “/dev/net/tun”: no such file or directory
    ERROR: Encountered errors while bringing up the project.

    • Dr_Frankenstein

      Hi Vapez – Did you complete the step towards the start of the guide to enable the TUN device by turning on then off the VPN Server? Without this the device is not enabled for the VPN to use.

      • Thanks for the quick reply, I sure did, tried again just to be certain. Still throwing the same error

        • Dr_Frankenstein

          Can you try leaving the server turned on and running the compose file again please, also which DSM version are you running out of interest?

          • DSM 7.0.1-42218 Update 3
            Gave it a go with the server enabled, no joy.

          • Removing qbittorrent
            vpn is up-to-date
            Recreating 3b30a8b429e5_qbittorrent … error

            ERROR: for 3b30a8b429e5_qbittorrent Cannot start service qbittorrent: Bind mount failed: ‘/volume1/docker/qbittorrent’ does not exists

            ERROR: for qbittorrent Cannot start service qbittorrent: Bind mount failed: ‘/volume1/docker/qbittorrent’ does not exists
            ERROR: Encountered errors while bringing up the project.

            That’s what it threw with it enabled

          • I fixed the folder name, missing a t in qbittorrent.
            Looks all good now, happy days

          • Dr_Frankenstein

            Good stuff – glad it was just a typo!
