Skip to content

Deluge with GlueTUN VPN in Container Manager on a Synology NAS

Important or Recent Updates
Historic UpdatesDate
New DSM7.2 Container Manager Update (Beta/RC)26/04/2023
Added watchtower labels to the compose to allow updates and changed the proxies to off by default06/05/2023
Removed the Watchtower ‘Depends On’ Labels as they do not successfully update the GlueTUN container. Added an Exclusion label to the GlueTUN container, so it can just be manually updated.11/05/2023
Update includes: Firewall Input Ports for when your provider offers port forwarding, also a note in relation to volumes and added PUID/PGID settings for GlueTUN14/06/2023
Update for Wireguard Kernel Module Install which reduces overall CPU usage for Wireguard connections
Please note if you previously followed this guide you can follow the new section to update your existing set up.
Added Health checks to dependent containers25/09/2023
Added an addition element to the compose to restrict the container from gaining additional privileges and umask environment variable25/10/2023
Swapped YAML to use Wireguard by default
(Thanks Bob)
Enhanced the TUN script to only run if the TUN is not detected
(Thanks Andy for the original suggestion)
Added – UPDATER_PERIOD=24h variable in order to ensure the latest server lists for your provider all pulled once a day27/04/2024
Historic Updates

What are Deluge and GlueTUN?

Deluge is a lightweight torrent downloader, it has a number of built-in plugins to help organise your downloads and a full web interface, GlueTUN is the Docker container that has pre-configured VPN connections for numerous VPN providers.

Before you start check the GlueTUN Wiki to see if your provider is on the supported list.

Also, if you are yet to choose a provider have a look at the Reddit list of recommended suppliers as could save you a headache when trying to seed. I currently use AirVPN which has nice easy port forwarding unlike some others. This is my affiliate link if you fancy signing up.

Let’s Begin

In this guide I will take you through the steps to get Deluge up and running in Docker and a separate GlueTUN VPN container. By having a separate container for the VPN connection we can use it in the future for other applications such as Prowlarr, this is useful if you have torrent indexers blocked in your country.

As the Synology DSM GUI does not support some of the functions we need for this tutorial we will be using Docker Compose. This is not as complicated as it might seem!

In order for you to successfully use this guide please complete the three preceding guides

Folder Setup

Let’s start by getting some folders set up for the containers to use. Open up File Station create the following.


Setting up the TUN start up script

In order for the VPN connection to work we need to make sure the TUN Interface is available to make the connection to a VPN provider. In order to ensure it is available even after a reboot we will set up a small ‘script’.

Open up Control Panel and then click on Task Scheduler

Next click on Create, Triggered Task then User Defined Script.

Enter the following:


On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section. It will look like screenshot.

#!/bin/sh -e

insmod /lib/modules/tun.ko

You can now press OK and agree to the warning message. Next run the script which will enable the TUN device.

You can now move on to the next step.

Wireguard Kernel Module
(Recommended for Performance & Reduced CPU Resource not required for OpenVPN)

The default Gluetun Wireguard setup uses a ‘Userspace’ implementation of Wireguard which requires higher CPU resources. For example a 40MiB download via qBittorrent uses up to 176% in CPU (1.7 Cores) on my 1821+.

By installing the appropriate Kernel Module this reduces down to 1 or 2% which frees up the CPU for other tasks. have put together a Kernel Module for Synology which allows Gluetun to use the lower level Kernel to perform Wireguard duties make sure you drop them a thanks as this would not be possible without them!

While on first glances it looks like a long installation process the page details a number of methods. I recommend having a read taking note of warnings and also if you want to build your own module it tells you how.

The TLDR is below.

  1. Find your model of NAS under the correct DSM version section (If you are following this guide it will be 7.2) and download the pre compiled .spk file
  2. Head into Package Manager and click ‘Manual Install’ on the top right and install the .spk file and untick the box to run after install
  3. Reboot
  4. SSH Into your NAS (Just like in the User Setup guide) and elevate yourself to root by typing sudo -i and entering your password
  5. Enter this command and press enter to start up the module /var/packages/WireGuard/scripts/start

You should now be able to see the WireGuard package running in Package Manager. Please note while I will try my best to support in relation to this module I may have to refer you on if it is a specific technical issue.

When you have GlueTUN running check the log for this line [wireguard] Using available kernelspace implementation, and you know it is working. (Does not apply to OpenVPN)

On to the next part.

Container Manager

Next we are going to set up a ‘Project’ in Container Manager, a project is used when you want multiple containers to all be loaded together and often rely on each other to function. In our case we want Deluge to load and talk to the GlueTUN VPN container.

Open up Container Manager and click on Project then on the right-hand side click ‘Create’

In the next screen we will set up our General Settings, enter the following:

Project Name:vpn-project
Source:Create docker-compose.yml

Next we are going to drop in our docker compose configuration copy all the code in the box below and paste it into line ‘1’ just like the screenshot

    image: qmcgaw/gluetun:latest
    container_name: gluetun
      - NET_ADMIN
      - /dev/net/tun:/dev/net/tun
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8112:8112/tcp # port for deluge
      - /volume1/docker/gluetun:/gluetun
      - PGID=65432 #CHANGE_TO_YOUR_GID
      - TZ=Europe/London #CHANGE_TO_YOUR_TZ
      - VPN_TYPE=wireguard #change as per wiki
      - WIREGUARD_PRIVATE_KEY=YOUR-PRIVATE-KEY #remove if using openvpn
      - WIREGUARD_ADDRESSES=10.x.x.x #IP V4 Only - remove if using openvpn
      - SERVER_COUNTRIES=VPNSERVERCOUNTRY #Change based on the Wiki
      - HTTPPROXY=off #change to on if you wish to enable
      - SHADOWSOCKS=off #change to on if you wish to enable
      - FIREWALL_OUTBOUND_SUBNETS=, #change this in line with your subnet see note on guide.
#      - FIREWALL_VPN_INPUT_PORTS=12345 #uncomment this line and change the port as per the note on the guide
      - UPDATER_PERIOD=24h
    network_mode: synobridge
      - com.centurylinklabs.watchtower.enable=false
      - no-new-privileges:true
    restart: always
    image: linuxserver/deluge:latest
    container_name: deluge
      - PGID=65432 #CHANGE_TO_YOUR_GID
      - TZ=Europe/London #CHANGE_TO_YOUR_TZ
      - DELUGE_LOGLEVEL=error #optional
      - UMASK=022
      - /volume1/docker/deluge:/config
      - /volume1/data/torrents:/data/torrents
    network_mode: service:gluetun # run on the vpn network
        condition: service_healthy
      - no-new-privileges:true
    restart: always

What is a Docker Compose?!

The code we just dropped into Container Manager defines how we want each of the container’s setup. It is broken down into sections such as ports we want to access, which folders we want the container to use and what some variables to define where we live and settings for the container known as ‘Environment’ variables.

We will now make some important edits!

IDs and Timezone

First look for the lines below, they appear twice each, these control the containers access to our filesystem and also the user the containers run as.

PUID(required) The UID you obtained in the user setup guide
PGID(required) The GID you obtained in the user setup guide
TZ(required) Your timezone

Ports and Proxies

In the top Gluetun section you will notice that we have some additional ports assigned for a http proxy and Shadowsocks Proxy – this means you can direct traffic from other devices or applications on your network through the container! If you want to use these change the following.

HTTPPROXYoff (default) on (enabled)
SHADOWSOCKSoff (default) on (enabled)

Firewall Outbound Subnet

This section controls your ability to access the UIs of any containers running through the GlueTUN containers network.

Default Value

The first part ‘’ don’t edit as this is our ‘synobridge’ network and allows other containers such as Radarr to access the download client.

We need to change the second IP after the , this allows us to access the WebUI and containers via out local network.

This IP address (subnet) is easy to figure out. If you NAS IP is your subnet is (notice I just changed the last number before the /24 to 0)

Firewall Input Ports

This part is # commented out by default, if your VPN provider offers port forwarding remove the # from the start of the line and change the port number(s) in line with the ones provided to you. This will also be the port used within the download client and will help overall connectivity.

If you do update this make sure you change the Listening Port in Deluge when setting up.

Default Value
      - FIREWALL_VPN_INPUT_PORTS=12345,56789


By default, I have assumed you have your config files stored on /volume1 if these are located on another volume amend these lines accordingly.

Default Value
      - /volume1/docker/gluetun:/gluetun
      - /volume1/docker/deluge:/config
      - /volume1/data/torrents:/data/torrents      

Watchtower Exclusion

You don’t need to change this, I added a label to avoid Watchtower automatically updating the GlueTUN container as it will always break the overall project which can be inconvenient if you are not around to fix it. You can update the container using the mini guide on the left menu of the site.

Default Value
      - com.centurylinklabs.watchtower.enable=false

Important – Provider Specific Edits

This next bit is important and if you don’t pay attention to the details you will have a harder time connecting up to your VPN provider

Open up the GlueTun Wiki and in the list find your provider.

Let’s use AirVPN as our example.

On the page you will see a number of key sections highlighting the variables that work with AirVPN. This is important as they can vary per provider so read everything on your providers page.

Key differences are generally the SERVER_COUNTRIES / SERVER_CITIES etc as they will vary so use the correct setting, your provider should have a list of Countries and Cities they support.

I have provided some common defaults in the compose for you, but you need to amend them in line with your providers page.

Default Value
      - VPN_TYPE=wireguard
      - WIREGUARD_ADDRESSES=10.x.x.x

If your provider is not supported, you can make a request on GitHub to add it, or you can follow the custom providers guidance on GlueTUNs WIKI.

Once you have checked for your provider, make the appropriate edits to the compose accordingly.

That completes the edits to the compose!

Click ‘Next

You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again

On the final screen click Done which will begin the download of the container images and once downloaded they will be launched!

The images will now be downloaded and extracted. You should see ‘Code 0’ when it has finished.

You will now see your vpn-project running both containers should have a green status on the left-hand side.

Error: “gluetun is unhealthy”

At this stage if you receive an error relating to GlueTUN being unhealthy there is likely an error in the config file, this usually relates to the provider specific elements. If you check the logs for the GlueTUN container it will tell you why it couldn’t connect. If you get stuck drop me a comment with a copy of the logs via

Firewall Exceptions

(Skip if you don’t have the Firewall configured)

If you have enabled and configured the Synology Firewall you will need to create exceptions for any containers that have a Web UI or have any incoming or outgoing connections. This section covers the basics of how to add these. (Please note this is a generic section and will not show the specific ports used in this guide however it applies in the same way)

Also, I would like to refer people to the great guide on getting the Firewall correctly configured over on WunderTechs site.

Head into the Control Panel> Security > Firewall, from here click Edit Rules for the profile you set up when you enabled the Firewall.

Next click on Create and you will see the screen below. Source IP and Action will be automatically selected to All and Allow, I will leave it up to you as to your own preference on whether you want to lock down specific Source IPs from having access. In this example we will leave as All.

You will now choose ‘Custom‘ and then the Custom button

Now select Destination from the drop-down menu, most web based containers require TCP access but check the guide as it will show the port and protocol. Then add comma separated ports. Then press OK.

Click OK a couple of times to get back to the main screen. You will see by default the new rule is added to the bottom of the list. You must always have your Block All rule last in the list as the rules are applied top down so move your container up.

You have now completed the Firewall changes and can continue with the guide.

Final Deluge Setup

As we have used /data/torrents as the mount point for our downloads we need to make sure Deluge uses this same file path.

We are going to do this by just changing the directory settings within Deluge.

Open a new browser tab and go to your NAS IP address on port 8112 (e.g.

Deluge by default has the password of ‘deluge’ to access the web UI, you can change or remove this later in the settings.

Next you will connect to the Deluge back end, just select the host and click connect, it will remember this going forward.

Now you are in the UI click on Preferences at the top of the screen, we are going to change the various folders to the settings shown in the screenshot/table below

Download to:/root/Downloads/data/torrents/incoming
Move complete to:/root/Downloads/data/torrents/completed


To be sure that Deluge only uses the TUN interface you next need to go to the Network options (second one down) and within the ‘Outgoing Interface’ enter ‘tun0’


There are a couple of plugins you will want to enable. (If you are looking for something to unpack torrents that are zipped then follow the Unpackerr guide)

  • Autoadd – This allows you to pull in any torrents in the watch directory
  • Label – This allows Radarr/Sonarr to assigned labels and pull downloads into subdirectories – no additional configuration required for this plugin
  • Auto Remove Plus – Download the ‘AutoRemovePlus-2.0.0-py3.8.egg’ version from the Deluge forums and place it in the Plugins’ folder in /docker/deluge/plugins. It allows you to fine tune when to remove torrents and their associated data once downloaded. (You may need to stop and start the container for this to appear)
Autoadd Plugin Settings

AutoremovePlus Settings

That’s it you are completely set up! I recommend having a quick read through the FAQ as it covers some questions you may have!


Q: How can I update the GlueTUN containers?

A: See the Updating Containers section on the menu.

Q: How do I get my AirVPN details?

## Obtaining your WireGuard or OpenVPN details

- Login to your AirVPN account and go to the Client Area
- Click on `VPN Devices` and create a new device named `GlueTUN` (you can name this anything)
- Back in the Client Area select `Config Generator` and select the following:
  - Linux
  - Turn on either WireGuard or OpenVPN
  - Choose the newly created `GlueTUN` device
  - Select your preferred Server or Region
- Click Generate and download the config file.

### WireGuard Config
- In the config file you only require the following

Address = 10.141.x.x/32 #Nothing after this part
PrivateKey = uFdxxxxxxxxxxxxxxxx
PresharedKey = 4s2xxxxxxxxxxxxxxxxxxxx

Q: How can I be sure the VPN connection is working?

A: Go to the TorGuard Check My Torrent IP site, right-click on the Green banner and copy the link (it’s a Magnet link) Then add this link into Deluge and start the torrent. Keeping the site open after a few seconds the site will show the IP address of the connection it finds. This will be of the VPN provider not your home IP. (Please note the torrent doesn’t actually download anything it’s purely doing an IP check)

Q: Everything seems to be connected but nothing is downloading.

Are you using TorGuard – If so they block torrents on their US servers. Change to another country – Also while you are at it, you may need to configure port forwarding in your TorGuard account.

Try grabbing the Ubuntu torrent as that is a sure fire way of testing as generally it has over 3k seeds.

Q: My container doesn’t seem to start on a reboot even with the TUN script.

A: I have seen this a few times and usually relates to the VPN not completing its connection fast enough before containers using the VPN start. You can try setting an additional startup script by doing the following.

Head into Control Panel and go to Task Scheduler Click Create > Triggered Task > User Defined Task

Task NameDockerVPNBootUp
EventBoot Up
Pre TaskSelect the VPNTUN script from the drop-down that you created at the start of the guide

In the ‘Task Settings’ tab enter the following and then click Save

sleep 120
docker-compose -f /volume1/docker/projects/vpnproject-compose/compose.yaml down 
docker-compose -f /volume1/docker/projects/vpnproject-compose/compose.yaml up -d

Q: How can I add additional services to the VPN container?

A: Adding additional containers to the VPN network is very easy. As you can see in the example below I have added Prowlarr to the bottom of the compose. The only amendments are that the ‘network_mode’ uses the Gluetun container and the ports for Prowlarr have been moved up to the Gluetun containers ports section.

Also see the separate Prowlarr guide on the left menu for setting up FlareSolver (In the Extras section)

      - 9696:9696 # add this to the ports section of GlueTUN
#add the below to the bottom of the compose
    image: linuxserver/prowlarr:latest
    container_name: prowlarr
      - PGID=65432 #CHANGE_TO_YOUR_GID
      - TZ=Europe/London #CHANGE_TO_YOUR_TZ
      - UMASK=022
      - /volume1/docker/prowlarr:/config
    network_mode: service:gluetun # run on the vpn network
        condition: service_healthy
      - no-new-privileges:true
    restart: always

More will be added as questions come up

Looking for some help, join our Discord community

If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!

Buy me a beverage!

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.

Published inDockerDownload Tools 7.2Synology


  1. Sam Sam

    Setup the whole guide with Radarr/Sonarr/Deluge+Gluetun. I have an issue with Deluge and the watch folders. If I add a torrent via Radarr, it adds to deluge and tags it. Then it moves to the completed folder upon download. From there it sits and is not being moved. Radarr recognizes the file and tracks it in activity. It also shows that it is now in my movie library based on the path when looking at the movie in Radarr. But it is stil in the completed folder.

    • Dr_Frankenstein Dr_Frankenstein

      Is it seeding? If not make sure you configure the AutoRemovePlus add on (towards the end of the guide) so it removes the torrent and file post download.

      • sam sam

        yes. It seeds after the download. How long of a process should it be from download to incoming. Moving to completed. moving to watch. Radarr pulling from watched and moving to data/media/movies. Torrent stopped. Having trouble understanding that.

      • Sam Sam

        Yes it seeds. I guess my confusion is the watch folder. Looks like it is going from incoming to downloaded. Then being copied to my media/movies folder which is correct. So is nothing supposed to go into the watched folder?

        • Dr_Frankenstein Dr_Frankenstein

          OK I think you might be getting it a bit confused..

          Incoming is the temporary folder used while the torrent is downloading
          Completed is an instant move as soon as the torrent moves to Seeding.
          Watch is purely a folder you can drop random .torrent files into that get imported for download.
          Radarr waits 1 minute (default setting) post the item moving to Seeding before moving the file to the final /data/media folder

          • Sam Sam

            That clears it up. Guess I had the wrong idea. And kept thinking files weren’t moving immediately because Jellyfin is not auto-updating when media is added by sonarr/radarr. Thanks for the guide and all the help.

  2. Ger Ger

    Hi Doc,

    I updated several of the containers manually via container manager and now the Deluge, Flaresolverr and Prowlarr containers are not able to start when I execute the “vpn-project” : error response from daemon: no such container: 5126ea5904…..

    Do you have any idea how can fix this?

    • Dr_Frankenstein Dr_Frankenstein

      You just need to do the final step in the update guide. Stop the overall project and then click Action > Build

  3. lastchance lastchance

    Hiya Doc! Being a noob at the synology vpn setup and especially the differences between Openvpn and Wireguard, it took me a bit to figure out something you might mention here. With the Wireguard option enabled, a user-unique private key needs to be in the YAML, along with the server address for the vpn provider. I kept getting ‘container unhealthy’ messages without it, when setting up surfshark. Some of the TLDRs on gluetun-wiki have this as being required, and yeah I could’ve read your “be sure to read the comments for your provider” a little closer. Surfshark’s entry was not as clear as the Nordvpn example in this dependency. Reading my log file showed the error of course.
    The airvpn does look to be a cheaper option, thanks for that tip too!
    Thanks again for the great work!

    • Dr_Frankenstein Dr_Frankenstein

      We have been talking about the wiki on Discord. Been thinking about doing some pull requests to help make them be a bit more explicit in the instructions.

      Can you drop me a copy of your yaml without the keys I can see if it looks right. My Help Me page is on the left.

  4. Jonathan Jonathan

    I have the DS224+ that isn’t listed on blackvoid yet, though I’m assuming the Geminilake file should work.

    My only doubt is how safe it is to install a kernel module. Could it cause permanent harm to the DS224+ or perhaps void warrenty in some way? Do you happen to know?

    • Dr_Frankenstein Dr_Frankenstein

      It won’t void the warranty as that’s on your hardware itself. The kernel module is installed to the system volume/partition which exists on your drives, so should you have a hardware issue it won’t cause issues with a RMA as you won’t send drives.

      The geminilake will be fine as the architecture is the key

      • Jonathan Jonathan

        Thank you!
        I didn’t realize the kernel is isntalled on the system volume, so it’s not even directly on the NAS hardware itself. That puts my mind at easy and I’ll go ahead with setting this up!

        Thanks again for your guides and for your help. I hope the coffee tastes good!

  5. Matt Matt

    Hi, thanks for the incredibly helpful guides! I’m getting an issue when trying to build the vpn-project:

    dependency failed to start: container for service “gluetun” is unhealthy”
    Exit Code: 1

    I’m using expressvpn and have followed the documentation at the Gluetun github page you linked. I’m using my username and password provided by expressvpn for use on OpenVPN applications (i assume this is intended to bypass the usual activation code that’s needed to be supplied and is not mentioned on the expressvpn gluetun wiki). According to Expressvpn’s installation guide, normally an .ovpn file is downloaded and used for setup, which isn’t noted in the gluetun wiki. I’ve also tried my normal expressvpn login information (i.e. email and password), with the same results.

    I believe the issue could be related to wireguard. When i SSH into my NAS, i get the message “WireGuard has been successfully started”, however when i go into the package center it isn’t running. I click on run and it will immediately start and stop. I check the logs and it shows it stopped ~2 seconds before it started, however started is the latest status in the log.

    For troubleshooting, I’ve tried connecting to different expressvpn endpoints, but no luck. I’ve also deleted the docker folders and recreated them so it would be a clean build.

    Any other tips? Thanks again for the great guides

    • Dr_Frankenstein Dr_Frankenstein

      Hey they key info as to why the connection is unhealthy will be in the Gluetun logs, have a look and it should give some clue as to what is going on.

      • Matt Matt

        Thanks for the quick reply. It turns out it didn’t like the city or hostname variable i specified. At least the country variable was accepted. I’m all set now! Appreciate it

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed. – writing Synology Docker Guides since 2016 – Join My Discord!