|New guide using DSM7.1||11/05/2022|
|Added how to extract .rar files upon completion||11/06/2022|
|Tweaked Firewall section to take into account TCP VPN Providers||05/07/2022|
|Rewritten the TUN device section to now include script to enable at startup||08/07/2022|
|Updated network settings you can now start the VPN via the DSM UI, however you will need to stop and start associated containers at the same time.||30/07/2022|
What are qBittorrent and OpenVPN?
qBittorrent is a torrent downloader and OpenVPN is the client application used to connect to your VPN provider.
In this guide I will take you through the steps to get qBittorrent up and running in Docker alongside a separate OpenVPN container. By having a separate container for the VPN connection we can use it in the future for other applications such as Prowlarr. This is useful if you have torrent indexers blocked in your country.
As the Synology DSM Docker GUI does not support some of the functions we need for this tutorial we will be using Docker Compose. This is not as complicated as it might seem!
In order for you to successfully use this guide please complete the three preceding guides:
- Step 1: Directory Setup Guide
- Step 2: Setting up a restricted Docker user
- Step 3: Setting up a Docker Bridge Network
Let’s start by getting a couple of folders set up for the containers to use. Open up File Station and within the /docker share create a folder called ‘qbittorrent’ and one called ‘vpn’.
VPN Package / TUN Device
We are now going to create the TUN device which allows the VPN connection to take place and then add a script to ensure it is automatically loaded whenever you reboot your NAS. Some people have not had to do the script part of the guide – your mileage may vary.
Synology VPN package
Head into the Package Center and download the Synology VPN Server package.
Once downloaded open up the VPN package and in the OpenVPN section enable the server.
Next click on Apply and you will receive this message regarding the Firewall and Router. We are not going to be forwarding any ports on our router, however if you do have the Firewall enabled on DSM we will be opening up an outbound port in a bit.
You can now disable the OpenVPN server by unchecking it and applying the change again. Enabling it once is what enabled the TUN, so keep the package installed and running.
Setting up the start up script
First off, credit to MemoryLeak.dev for this; I am just using their code within this guide.
Open up Control Panel and then click on Task Scheduler
Next click on Create, Triggered Task then User Defined Script.
Now enter a name for the script – you can call it anything you like. The User must be ‘root’ and ‘Boot-up’ for the Event.
On the Task Settings tab copy and paste the code below into the ‘User-Defined script’ section.
#!/bin/sh -e
insmod /lib/modules/tun.ko
You can now press OK and agree to the warning message. You can now move on to the next step.
Firewall (Optional Step if you have the Firewall Enabled)
If you have the Synology Firewall enabled and configured to block outgoing connections you will need to do this step. Otherwise, you will have issues with the VPN connecting to your provider. (Please note the screenshot below does not show all the other rules you would normally have enabled.)
Go into Control Panel > Security > Firewall
Click on Edit Rules and in the screen that appears click on ‘Create’
In the first screen select ‘Custom’
On the next screen we select the Type as ‘Destination Port’ and Protocol as ‘All’. In this example I am going to open up both 1194 and 1195 as some providers use UDP and some TCP and these are the most commonly used ports.
Click on OK and Apply the rule, and leave the ‘Source IP’ and ‘Action’ to their defaults on the original screen.
In order for OpenVPN to connect to your provider we need to give it some key information for the connection. Due to the sheer number of providers out there the information below will likely need to be tweaked based on your provider.
To keep this guide OS-agnostic I will be using the Synology Text Editor that can be installed via the package center. You can use your own preferred method such as using Notepad++ on Windows.
Open up Text Editor and create a new file. Within this first file we are going to add our username and password for connecting to the VPN provider.
Now save this file in the ‘/docker/vpn’ folder and name it ‘vpn.auth’.
The second file requires information from your VPN provider. They should have a number of OpenVPN configuration files for you to download on their website, usually split up into countries. Obtain one of these files.
Open up Text Editor and paste in the content of your provider’s .ovpn config file. It should look similar to the below, however every provider is different!
We need to edit or add some key sections of this file as per the table below.
|Original Setting||Updated Setting||Comments|
|auth-user-pass||auth-user-pass /vpn/vpn.auth||Tells the container to get your login details from the vpn.auth file|
|persist-tun||# persist-tun||This will ensure the connection is automatically reset if it fails|
|crl-verify||crl-verify /vpn/crl.rsa.2048.pem||Provider Dependent – If you didn’t get a .pem file in with your config files you do not need to add this. If you did, you need to ensure the crl.rsa.2048.pem is saved in the /docker/vpn folder|
|ca||ca /vpn/ca.rsa.2048.crt||Provider Dependent – If you didn’t get a .crt file you do not need to add this. If you did, you need to ensure the ca.rsa.2048.crt is saved in the /docker/vpn folder|
You can now save this file into ‘/docker/vpn’ named ‘vpn.conf’.
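The edits in the table above can also be applied with a script. This is an added example, not part of the original guide: the function name patch_ovpn is hypothetical, the sample config is constructed, and vpn.example.invalid is a placeholder host. It generalises the table slightly by keeping whatever file name your provider uses for the ca and crl-verify files.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the table's edits to a
# provider .ovpn file and write the result to stdout.
patch_ovpn() {
    awk '
        { sub(/\r$/, "") }                       # providers often ship CRLF files
        $1 == "auth-user-pass" { print "auth-user-pass /vpn/vpn.auth"; auth = 1; next }
        $1 == "persist-tun"    { print "# persist-tun"; next }
        # ca / crl-verify lines that name a file are re-pointed at /vpn/<same file name>;
        # inline <ca>...</ca> blocks do not match and pass through untouched.
        ($1 == "ca" || $1 == "crl-verify") && NF >= 2 {
            n = split($2, part, "/"); print $1 " /vpn/" part[n]; next
        }
        { print }
        # the table says "edit or add": append the directive if it was absent
        END { if (!auth) print "auth-user-pass /vpn/vpn.auth" }
    ' "$1"
}

# Constructed sample standing in for a provider file (placeholder host name).
sample=$(mktemp)
printf '%s\r\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.invalid 1194' \
    'auth-user-pass' 'persist-key' 'persist-tun' \
    'ca ca.rsa.2048.crt' 'crl-verify crl.rsa.2048.pem' > "$sample"
patch_ovpn "$sample"   # on the NAS: patch_ovpn provider.ovpn > /volume1/docker/vpn/vpn.conf
rm -f "$sample"
```

Running it on an already patched file leaves the file unchanged, so it is safe to re-run after downloading a fresh config.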
That’s the VPN settings done, let’s get onto the compose file.
Next we are going to create a Docker Compose file. This is used to tell Docker how to set up our containers with all the variables we require that are not available in the DSM GUI.
Open up Text Editor again and create a new file. Copy and paste the information below into the file.
version: "3.8"
services:
  vpn:
    container_name: vpn
    image: dperson/openvpn-client:latest
    cap_add:
      - net_admin # gives docker admin rights to amend network settings
    devices:
      - /dev/net/tun # points to the tun device created by the syno VPN package
    volumes:
      - /volume1/docker/vpn:/vpn # the location of our config files
    security_opt:
      - label:disable
    environment:
      OPENVPN_OPTS: '--mute-replay-warnings'
      DNS: 9.9.9.9 # quad9 DNS this is to help avoid connection issues
    ports: # uncomment ports below for additional applications
      # - 8112:8112 # port for deluge remove the # to use
      # - 9696:9696 # port for prowlarr remove the # to use
      - 8090:8090 # port for qbittorrent
    command: '-f "" -r "192.168.0.0/24"' # amend this in line with your local network settings
    network_mode: synobridge
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent
    container_name: qbittorrent
    environment:
      - PUID=YOURPUID
      - PGID=YOURPGID
      - TZ=YOURTIMEZONE
      - WEBUI_PORT=8090
    volumes:
      - /volume1/docker/qbittorrent:/config
      - /volume1/data/torrents:/data/torrents
    network_mode: service:vpn # run on the vpn network
    depends_on:
      - vpn
    restart: unless-stopped
You can change the formatting to YAML in the bottom right of the editor to make it easier to read.
We need to make some small amendments to the default settings to ensure they work for you.
|ports||(optional) If you want to run any other containers through the VPN connection you will need to add their WebUI port numbers to this section. By default we are just passing qBittorrent through. If you do add something like Prowlarr you will need to move it to this compose file and then set its network mode in line with the one qBittorrent is using. (See the FAQs on Page 2)|
|command||(required) In the command section you will see 192.168.0.0/24; you will need to amend this in line with your local IPv4 settings for your network. For example if the IP of your NAS is 192.168.0.123 you will use 192.168.0.0, or if your IP is 192.168.1.123 you will use 192.168.1.0|
|network_mode||(optional) You can see that the qBittorrent container is being told to use the VPN. If you added any other containers such as Prowlarr you will need to change their config in line with this. (See the FAQs on Page 2)|
|PUID||(required) The UID you obtained in the user setup guide|
|PGID||(required) The GID you obtained in the user setup guide|
|TZ||(required) Your timezone, see wikipedia.org/wiki/List_of_tz_database_time_zones|
You can now save this compose file in /docker/vpn and call it qbittorrentvpn.yml
SSH and Docker-Compose
It’s time to get logged into your DiskStation via SSH. You can do this in the same way as when you obtained your IDs in the ‘Setting up a restricted Docker user’ guide.
Once you have logged in you will need to enter two commands. You can copy and paste these one at a time. You will need to enter your password for the command starting with ‘sudo’.
First we are going to change directory to where the qbittorrentvpn.yml is located, type the below and then press enter.
Then we are going to instruct Docker Compose to read the file we created and complete the set-up of the container. Again type the below and press enter.
sudo docker-compose -f qbittorrentvpn.yml up -d
When the command has completed you should be able to see both qBittorrent and the VPN container running in the list of containers in the Synology GUI.
If you find the VPN container is in a restart loop it means something within the settings is not quite right. Feel free to reach out on Discord or via my contact page (top left of this site), take a look at the VPN container logs and see the FAQ on page 2 for some common issues.
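Before reaching for the logs it is worth checking the files this guide placed in /docker/vpn, since the container mounts that folder as /vpn. The check below is an added example, not part of the original guide: the function name preflight is hypothetical and the demo directory is constructed. It relies on the standard OpenVPN auth-user-pass layout of username on the first line and password on the second, and flags a vpn.auth that group or others can access, because the credentials are stored in clear text.

```shell
#!/bin/sh
# Added example (not from the original guide): check the files placed in
# /docker/vpn. Usage: preflight DIR [TUN_DEVICE]; returns the number of problems.
preflight() {
    dir=$1; tun=${2:-/dev/net/tun}; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    [ -c "$tun" ] || fail "$tun is not a character device (TUN module not loaded?)"

    if [ -f "$dir/vpn.auth" ]; then
        # OpenVPN auth-user-pass file: username on line 1, password on line 2
        [ "$(grep -c . "$dir/vpn.auth")" -eq 2 ] || fail "vpn.auth needs exactly two non-empty lines"
        # clear-text credentials: group/other permission bits should all be unset
        [ "$(ls -ld "$dir/vpn.auth" | cut -c5-10)" = "------" ] ||
            fail "vpn.auth is accessible to group/others (chmod 600 it)"
    else
        fail "vpn.auth missing in $dir"
    fi

    if [ -f "$dir/vpn.conf" ]; then
        # DIR is mounted as /vpn, so each /vpn/<file> named in vpn.conf must exist in DIR
        for ref in $(tr -d '\r' < "$dir/vpn.conf" |
                     awk '$1 !~ /^[#;]/ && $2 ~ /^\/vpn\// { print $2 }'); do
            [ -f "$dir/${ref#/vpn/}" ] || fail "vpn.conf references $ref, not found in $dir"
        done
    else
        fail "vpn.conf missing in $dir"
    fi
    return "$bad"
}

# Constructed demo: a throwaway directory standing in for /volume1/docker/vpn,
# with /dev/null standing in for the TUN device. The ca file is left out on purpose.
demo=$(mktemp -d)
printf 'auth-user-pass /vpn/vpn.auth\nca /vpn/ca.rsa.2048.crt\n' > "$demo/vpn.conf"
printf 'user\npass\n' > "$demo/vpn.auth"
preflight "$demo" /dev/null || echo "$? problem(s) found"
rm -rf "$demo"
```

On the NAS, run it as preflight /volume1/docker/vpn so the real TUN device path is checked.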
As we have used /data/torrents as the mount point for our downloads we need to make sure qBittorrent uses this same file path.
We need to change the file paths by editing the qBittorrent config file. Before doing this, stop both of the containers.
Go back into DSM and open Text Editor, browse to /docker/qbittorrent/qbittorrent and open qBittorrent.conf, then edit the file in line with the table below. Once amended, save the changes.
|Original Value||New Value|
You can now bring the containers back up again by repeating the steps in the SSH and Docker Compose section above.
Once the containers are running you can log into the Web UI by going to the IP of your NAS followed by port 8090.
qBittorrent has a default username of ‘admin’ and a default password of ‘adminadmin’. You can change this in the settings or remove it altogether if you wish.
Now you are in the UI, click on the settings cog at the top of the screen. We are going to change one more directory, which is the watched folder, to /data/torrents/watch. You can also turn on the option ‘keep incomplete torrents in:’ which should already have ‘/data/torrents/incoming’ prefilled.
Next we are going to set a command to run when each torrent finishes to automatically extract any .rar files.
Scroll down in the options to ‘Run external program on torrent completion’ and enter the below. It tells qBittorrent to run unrar and extract the file to the same save path as the original file. This will not delete anything, so you can continue seeding.
unrar x "%D/*.r*" "%D/"
I am not going to walk through all the other settings as you can customise these as you wish.
That’s it, you are completely set up!