Skip to content

qBittorrent with GlueTUN VPN in Container Manager on a Synology NAS

Important or Recent Updates
Historic UpdatesDate
New DSM7.2 Container Manager Update (Beta/RC)26/04/2023
Added watchtower labels to the compose to allow updates and changed the proxies to off by default06/05/2023
Removed the Watchtower ‘Depends On’ Labels as they do not successfully update the GlueTUN container. Added an Exclusion label to the GlueTUN container, so it can just be manually updated.11/05/2023
Update includes: Firewall Input Ports for when your provider offers port forwarding, also a note in relation to volumes and added PUID/PGID settings for GlueTUN14/06/2023
Update for Wireguard Kernel Module Install which reduces overall CPU usage for Wireguard connections
Please note if you previously followed this guide you can follow the new section to update your existing set up.
21/09/2023
Added Health checks to dependent containers25/09/2023
Added an addition element to the compose to restrict the container from gaining additional privileges and umask environment variable25/10/2023
Updated with new steps to obtain and change WebUI password21/11/2023
Issue with passwords has been fixed in 4.6.2 so removed tty line from yaml29/11/2023
Swapped YAML to use Wireguard by default
(Thanks Bob)
Enhanced the TUN script to only run if the TUN is not detected
(Thanks Andy for the original suggestion)
22/01/2024
Amended the start-up script folders to align with the changes made late November (Apologies)25/01/2024
Added – UPDATER_PERIOD=24h variable in order to ensure the latest server lists for your provider all pulled once a day27/04/2024
Reworded the Port Forwarding section and added a new docker mod for those using ProtonVPN to update the qbit port forwarding (listening port) automatically 18/08/2024
NATMAP for Proton removed from the guide as GSP is the better choice now19/08/2024
Historic Updates

A small note to remember about updates in this guide I set GlueTUN to use the ‘latest’ version tag, sometimes it has updates which break things, so if you have an issue after an update roll back to the most recent full stable release from this page, so for example as of October 2024 that would be image: qmcgaw/gluetun:v3.39

What are qBittorrent and GlueTUN?

qBittorrent is a torrent downloader and GlueTUN is the Docker container that has pre-configured VPN connections for numerous VPN providers.

Before you start check the GlueTUN Wiki to see if your provider is on the supported list.

Also, if you are yet to choose a provider have a look at the Reddit list of recommended suppliers as could save you a headache when trying to seed. I currently use AirVPN which has nice easy port forwarding unlike some others. This is my affiliate link if you fancy signing up.

Let’s Begin

In this guide I will take you through the steps to get qBittorrent up and running in Docker and a separate GlueTUN VPN container. By having a separate container for the VPN connection we can use it in the future for other applications such as Prowlarr, this is useful if you have torrent indexers blocked in your country.

In order for you to successfully use this guide please complete the three preceding guides

Folder Setup

Let’s start by getting some folders set up for the containers to use. Open up File Station create the following.

Folders
/docker/projects/vpnproject-compose
/docker/gluetun
/docker/qbittorrent


Setting up the TUN start up script

In order for the VPN connection to work we need to make sure the TUN Interface is available to make the connection to a VPN provider. In order to ensure it is available even after a reboot we will set up a small ‘script’.

Open up Control Panel and then click on Task Scheduler


Next click on Create, Triggered Task then User Defined Script.


Enter the following:

SectionSetting
Task:VPNTUN
User:root
Event:Boot-up
EnabledTick


On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section. It will look like screenshot.

Bash
#!/bin/sh -e

insmod /lib/modules/tun.ko


You can now press OK and agree to the warning message. Next run the script which will enable the TUN device.

You can now move on to the next step.

Wireguard Kernel Module – Recommended for Performance & Reduced CPU Resource (not required for OpenVPN)

The default Gluetun Wireguard setup uses a ‘Userspace’ implementation of Wireguard which requires higher CPU resources. For example a 40MiB download via qBittorrent uses up to 176% in CPU (1.7 Cores) on my 1821+.

By installing the appropriate Kernel Module this reduces down to 1 or 2% which frees up the CPU for other tasks.

BlackVoid.club have put together a Kernel Module for Synology which allows Gluetun to use the lower level Kernel to perform Wireguard duties make sure you drop them a thanks as this would not be possible without them!

While on first glances it looks like a long installation process the page details a number of methods. I recommend having a read taking note of warnings and also if you want to build your own module it tells you how.

The TLDR is below.

  1. Find your model of NAS under the correct DSM version section (If you are following this guide it will be 7.2) and download the pre compiled .spk file
  2. Head into Package Center and click ‘Manual Install’ on the top right and install the .spk file and untick the box to run after install
  3. Reboot
  4. SSH Into your NAS (Just like in the User Setup guide) and elevate yourself to root by typing sudo -i and entering your password
  5. Enter this command and press enter to start up the module /var/packages/WireGuard/scripts/start

You should now be able to see the WireGuard package running in Package Center. Please note while I will try my best to support in relation to this module I may have to refer you on if it is a specific technical issue.

When you have GlueTUN running check the log for this line [wireguard] Using available kernelspace implementation, and you know it is working. (Does not apply to OpenVPN)

On to the next part.

Container Manager

Next we are going to set up a ‘Project’ in Container Manager, a project is used when you want multiple containers to all be loaded together and often rely on each other to function. In our case we want qBittorrent to load and talk to the GlueTUN VPN container.

Open up Container Manager and click on Project then on the right-hand side click ‘Create’

In the next screen we will set up our General Settings, enter the following:

SectionSetting
Project Name:vpn-project
Path:/docker/projects/vpnproject-compose
Source:Create docker-compose.yml

Next we are going to drop in our docker compose configuration copy all the code in the box below and paste it into line ‘1’ just like the screenshot


YAML
services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8090:8090/tcp # port for qbittorrent
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      - PUID=1234 #CHANGE_TO_YOUR_UID
      - PGID=65432 #CHANGE_TO_YOUR_GID
      - TZ=Europe/London #CHANGE_TO_YOUR_TZ
      - VPN_SERVICE_PROVIDER=NAMEOFYOURPROVIDER
      - VPN_TYPE=wireguard #change as per wiki 
      - WIREGUARD_PRIVATE_KEY=YOUR-PRIVATE-KEY #remove if using openvpn
      - WIREGUARD_PRESHARED_KEY #For AIRVPN remove if not required
      - WIREGUARD_ADDRESSES=10.x.x.x #IP V4 Only - remove if using openvpn
      - SERVER_COUNTRIES=VPNSERVERCOUNTRY #Change based on the Wiki
      - HTTPPROXY=off #change to on if you wish to enable
      - SHADOWSOCKS=off #change to on if you wish to enable
      - FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24 #change this in line with your subnet see note on guide.
#      - FIREWALL_VPN_INPUT_PORTS=12345 #uncomment or remove this line based on the notes below
      - UPDATER_PERIOD=24h
    network_mode: synobridge
    labels:
      - com.centurylinklabs.watchtower.enable=false
    security_opt:
      - no-new-privileges:true
    restart: always

  qbittorrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=1234 #CHANGE_TO_YOUR_UID
      - PGID=65432 #CHANGE_TO_YOUR_GID
      - TZ=Europe/London #CHANGE_TO_YOUR_TZ
      - WEBUI_PORT=8090
      - UMASK=022
    volumes:
      - /volume1/docker/qbittorrent:/config
      - /volume1/data/torrents:/data/torrents
    network_mode: service:gluetun # run on the vpn network
    depends_on:
      gluetun:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    restart: always


What is a Docker Compose?!

The code we just dropped into Container Manager defines how we want each of the container’s setup. It is broken down into sections such as ports we want to access, which folders we want the container to use and what some variables to define where we live and settings for the container known as ‘Environment’ variables.

We will now make some important edits!

IDs and Timezone

First look for the lines below, they appear twice each, these control the containers access to our filesystem and also the user the containers run as.

VariableValue
PUID(required) The UID you obtained in the user setup guide
PGID(required) The GID you obtained in the user setup guide
TZ(required) Your timezone wikipedia.org/wiki/List_of_tz_database_time_zones

Ports and Proxies

In the top Gluetun section you will notice that we have some additional ports assigned for a http proxy and Shadowsocks Proxy – this means you can direct traffic from other devices or applications on your network through the container! If you want to use these change the following.

VariableValue
HTTPPROXYoff (default) on (enabled)
SHADOWSOCKSoff (default) on (enabled)

Firewall Outbound Subnet

This section controls your ability to access the UIs of any containers running through the GlueTUN containers network.

Default Value
      - FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24

The first part ‘172.20.0.0/16’ don’t edit as this is our ‘synobridge’ network and allows other containers such as Radarr to access the download client.

We need to change the second IP after the , this allows us to access the WebUI and containers via out local network.

This IP address (subnet) is easy to figure out. If you NAS IP is 192.168.0.27 your subnet is 192.168.0.0/24 (notice I just changed the last number before the /24 to 0)

Firewall Input Ports (Port Forwarding)

This line is #commented out by default, if your VPN provider offers port forwarding remove the # from the start of the line and change the port number(s) in line with the ones provided to you. Make sure you also manually update the ‘Listening Port’ in qbit once you are running.

If you use ProtonVPN see the FAQ for some port forwarding extra steps you need to do!

Default Value
      - FIREWALL_VPN_INPUT_PORTS=12345,56789

Volumes

By default, I have assumed you have your config files stored on /volume1 if these are located on another volume amend these lines accordingly.

Default Value
      - /volume1/docker/gluetun:/gluetun
      - /volume1/docker/qbittorrent:/config
      - /volume1/data/torrents:/data/torrents      

Watchtower Exclusion

You don’t need to change this, I added a label to avoid Watchtower automatically updating the GlueTUN container as it will always break the overall project which can be inconvenient if you are not around to fix it. You can update the container using the mini guide on the left menu of the site.

Default Value
    labels:
      - com.centurylinklabs.watchtower.enable=false


Important – Provider Specific Edits

This next bit is important and if you don’t pay attention to the details you will have a harder time connecting up to your VPN provider

Open up the GlueTun Wiki and in the list find your provider.

Let’s use AirVPN as our example.

On the page you will see a number of key sections highlighting the variables that work with AirVPN. This is important as they can vary per provider so read everything on your providers page. (See the FAQ for the steps to get AirVPN Wireguard Details)

Key differences are generally the SERVER_COUNTRIES / SERVER_CITIES etc as they will vary so use the correct setting, your provider should have a list of Countries and Cities they support.

I have provided some common defaults in the compose for you but you need to amend them in line with your providers page.

Default Value
      - VPN_SERVICE_PROVIDER=NAMEOFYOURPROVIDER
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=YOUR-PRIVATE-KEY
      - WIREGUARD_ADDRESSES=10.x.x.x
      - SERVER_COUNTRIES=VPNSERVERCOUNTRY

If your provider is not supported, you can make a request on GitHub to add it, or you can follow the custom providers guidance on GlueTUNs WIKI.

Once you have checked for your provider, make the appropriate edits to the compose accordingly.

That completes the edits to the compose!

Click ‘Next’

You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again

On the final screen click Done which will begin the download of the container images and once downloaded they will be launched!

The images will now be downloaded and extracted. You should see ‘Code 0’ when it has finished.

You will now see your vpn-project running both containers should have a green status on the left-hand side.

Error: “gluetun is unhealthy”

At this stage if you receive an error relating to GlueTUN being unhealthy there is likely an error in the config file, this usually relates to the provider specific elements. If you check the logs for the GlueTUN container it will tell you why it couldn’t connect. If you get stuck drop me a comment with a copy of the logs via https://paste.drfrankenstein.co.uk.

Firewall Exceptions

(Skip if you don’t have the Firewall configured)

If you have the Synology Firewall enabled please see this additional guide for further info on exceptions and correct set up.

Changing the default WebUI login and password

If you skip this step you won’t be able to log in.

Now the container has started open it in the Docker UI and go to the Log tab. Within the logs you will see the login details

Now before doing any more of the guide go to the Web UI by going to the IP of your NAS followed by port 8090 and log in. Then on the WebUI tab change the defaults to your own and save them.

Now continue on..

Final qBittorrent Setup

As we have used /data/torrents as the mount point for our downloads we need to make sure qBittorrent uses this same file path.

We need to change the file paths by editing the qBittorrent config file, before doing this stop both of the containers. Do this by selecting the Project from the main UI and under Action selecting ‘Stop’.

You can edit this file in a number of ways, but to keep the guide OS-agnostic we will be using the Synology Text Editor package which can be installed via Package Center.

Open Text Editor and browse to /docker/qbittorrent/qbittorrent and open the qBittorrent.conf then edit the file in line with the table below, once amended save the changes.

Original ValueNew Value
Session\DefaultSavePath=/downloads/Session\DefaultSavePath=/data/torrents/completed
Session\TempPath=/downloads/incomplete/Session\TempPath=/data/torrents/incoming/
Downloads\SavePath=/downloads/Downloads\SavePath=/data/torrents/completed
Downloads\TempPath=/downloads/incomplete/Downloads\TempPath=/data/torrents/incoming/

You can now bring the containers back up again by starting the project back up.

Once the containers are running you can log into the Web UI by going to the IP of your NAS followed by port 8090

e.g. 192.168.0.30:8090

Log in with the username and password you created earlier.

Now you are in the UI click on settings cog at the top of the screen, we are going to change one more directory which is the watched folder to /data/torrents/watch. You can also turn on the option ‘keep incomplete torrents in:’ which should already have /data/torrents/incoming’ prefilled.

Next we are going to set a command to run when each torrent finishes to automatically extract any .rar files (Note if you have any issues with this I would recommend using Unpackerr the guide is on the menu)

Scroll down in the options to the ‘Run external program on torrent completion’ and enter the below, it tells qbittorrent to run unrar and extract the file to the same save path as the original file. This will not delete anything, so you can continue seeding.

unrar x "%D/*.r*" "%D/"

Advanced Network Settings

The last step is to tell qBittorrent to only use the tun0 interface for its traffic, go to the Advanced tab then from the ‘Network Interfaces’ drop down select ‘tun0’ and click Apply, If this doesn’t appear the first time you may need to completely reboot your NAS.

I am not going to walk through all the other settings as you can customise these as you wish.

That’s it you are completely set up, you can now start up the Project again from the ‘Project’ tab.

I recommend having a quick read through the FAQ as it covers some questions you may have!


FAQs

Q: My GlueTUN is unhealthy what can I do?

A: The GlueTUN logs should be your first point of call, they will tell you if you have key issues with the configuration that are sometimes easily remedied. If you are still stuck leave a comment on this post, include the contents of your compose and also the log file (Use my PrivateBin https://paste.drfrankenstein.co.uk) remove passwords or WireGuard keys!

Or Join Discord for some more immediate help..

Q: How can I update the GlueTUN containers?

A: See the Updating Containers section on the menu.

Q: How do I get my AirVPN details?

Plaintext
## Obtaining your WireGuard or OpenVPN details

- Login to your AirVPN account and go to the Client Area
- Click on `VPN Devices` and create a new device named `GlueTUN` (you can name this anything)
- Back in the Client Area select `Config Generator` and select the following:
  - Linux
  - Turn on either WireGuard or OpenVPN
  - Choose the newly created `GlueTUN` device
  - Select your preferred Server or Region
- Click Generate and download the config file.

### WireGuard Config
- In the config file you only require the following

Address = 10.141.x.x/32 #Nothing after this part
PrivateKey = uFdxxxxxxxxxxxxxxxx
PresharedKey = 4s2xxxxxxxxxxxxxxxxxxxx

Q: How can I be sure the VPN connection is working?

A: Go to the TorGuard Check My Torrent IP site, right-click on the Green banner and copy the link (it’s a Magnet link) Then add this link into qBittorrent and start the torrent. Keeping the site open after a few seconds the site will show the IP address of the connection it finds. This will be of the VPN provider not your home IP. (Please note the torrent doesn’t actually download anything it’s purely doing an IP check)

Q: I am getting the ‘errored’ status for all my torrents

This is very likely a permissions issue, go to the User and Group guide and see the permission fixes towards the bottom.

Q: Everything seems to be connected but nothing is downloading.

Try grabbing the Ubuntu torrent as that is a sure fire way of testing as generally it has over 3k seeds.

Are you using TorGuard – If so they block torrents on their US servers. Change to another country – Also while you are at it, you may need to configure port forwarding in your TorGuard account.

Q: My container doesn’t seem to start on a reboot even with the TUN script.

A: I have seen this a few times and usually relates to the VPN not completing its connection fast enough before containers using the VPN start. You can try setting an additional startup script by doing the following.

Head into Control Panel and go to Task Scheduler Click Create > Triggered Task > User Defined Task

SectionSetting
Task NameDockerVPNBootUp
UserRoot
EventBoot Up
Pre TaskSelect the VPNTUN script from the drop-down that you created at the start of the guide

In the ‘Task Settings’ tab enter the following and then click Save

Bash
sleep 120
docker-compose -f /volume1/docker/projects/vpnproject-compose/compose.yaml down 
wait
docker-compose -f /volume1/docker/projects/vpnproject-compose/compose.yaml up -d

Proton VPN Port Forwarding Extra Step

Proton doesn’t allow you to choose your own port for port forwarding, so we need to add another container or mod to the compose in order for this to be automatically updated for us.

(Q)GSP : Qbittorrent – Gluetun synchronised port mod

This is a newer method and requires less setup than old NATMAP container it just involves adding some extra lines to the qbit container environment variables section to enable the mod. Note you will need to circle back and update the username and password section after first setup of qbit.

Edits to the GlueTUN ‘environment variables’ section of the compose

YAML
#Remove this line from your compose
      - FIREWALL_VPN_INPUT_PORTS=12345,56789
#Add these lines to the GlueTUN Environment 
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn     

Edits to the qBittorrent ‘environment variables’ section of the compose

YAML
      - DOCKER_MODS=ghcr.io/t-anc/gsp-qbittorent-gluetun-sync-port-mod:main
      - GSP_GTN_API_KEY= #SEE BELOW
      - GSP_SLEEP=120
      - GSP_MINIMAL_LOGS=false
      - GSP_GTN_ADDR=localhost:8000
      - GSP_QBT_ADDR=localhost:8090
      - GSP_QBT_USERNAME= #your qbit username
      - GSP_QBT_PASSWORD= #your qbit password

This is a new step as of 24/09 due to some changes with GSP

For the GSP_GTN_API_KEY we need to generate a key for the communication, you can find the methods here, for ease you can also generate an SSL key online using https://www.cryptool.org/en/cto/openssl/

Go to the site and paste in the command openssl rand -base64 50 copy the long key it generates and add it to the section in the yaml after the =

Q: I tried to start Deluge / qBittorrent manually, and it says ‘Container must join at least one network’

A: This is due to the Synology Container Manager GUI not understanding that the container will be on the GlueTUN ‘network’. You will need to start the container via the Project as it is part of the overall Project compose.

Q: How can I add additional services to the VPN container?

A: Adding additional containers to the VPN network is very easy. As you can see in the example below I have added Prowlarr to the bottom of the compose. The only amendments are that the ‘network_mode’ uses the Gluetun container and the ports for Prowlarr have been moved up to the Gluetun containers ports section.

Also see the separate Prowlarr guide on the left menu for setting up FlareSolver (In the Extras section)

YAML
      - 9696:9696 # add this to the ports section of GlueTUN
#add the below to the bottom of the compose
  linuxserver-prowlarr:
    image: linuxserver/prowlarr:latest
    container_name: prowlarr
    environment:
      - PUID=1234 #CHANGE_TO_YOUR_UID
      - PGID=65432 #CHANGE_TO_YOUR_GID
      - TZ=Europe/London #CHANGE_TO_YOUR_TZ
      - UMASK=022
    volumes:
      - /volume1/docker/prowlarr:/config
    network_mode: service:gluetun # run on the vpn network
    depends_on:
      gluetun:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    restart: always

More will be added as questions come up


Looking for some help, join our Discord community

If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!

Buy me a beverage!

If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.

Published inDockerDownload Tools 7.2Synology

627 Comments

    • Dr_Frankenstein Dr_Frankenstein

      You may have a typo on this line.

      – SERVER_Cities=Seattle qmcgaw/gluetun #Change based on the Wiki

      – SERVER_CITIES=Seattle

      • I cannot seem to get this to work, I keep getting this in the log:
        2024/08/12 10:25:37 stdout 2024-08-12T17:25:37Z ERROR [vpn] getting public IP address information: fetching information: Get “https://api.ip2location.io/”: dial tcp: lookup api.ip2location.io on 1.1.1.1:53: read udp 10.0.0.0:54696->1.1.1.1:53: i/o timeout

        2024/08/12 10:25:34 stdout 2024-08-12T17:25:34Z INFO [dns] attempting restart in 20s
        2024/08/12 10:25:34 stdout 2024-08-12T17:25:34Z WARN [dns] cannot update files: Get “https://www.internic.net/domain/named.root”: dial tcp: lookup http://www.internic.net on 1.1.1.1:53: read udp 10.0.0.0:56122->1.1.1.1:53: i/o timeout

        2024/08/12 10:25:27 stdout 2024-08-12T17:25:27Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.

        I’ve tried multiple versions of glueton, with the same resluts. If you have any ideas I would greatly appreciate your help.
        Thanks in advance

            • Dr_Frankenstein Dr_Frankenstein

              If you are using Wireguard there are a few hoops to jump through to get your keys… Annoyingly so… I would use OpenVPN or hop onto Discord to check in on a couple of the threads we have with others trying to get their keys etc.

              This is what people have used in conjunction with a linux VM.
              https://gist.github.com/bluewalk/7b3db071c488c82c604baf76a42eaad3

              OpenVPN will just require you log in and password created in your Service Credentials in your account.

              • Luke Luke

                I already obtained the key, using the virtual machine. Yes, I agree that was most annoying. I regretfully just paid for two years of nord as well…. had I known.. oh well. I don’t think that that is the issue though.

                • Dr_Frankenstein Dr_Frankenstein

                  Oh man – they suck you in with their cheap price lol, good you managed to get the key though!

                  It looks like it’s not getting a network connection, try these

                  1) Do a reboot of the whole NAS before spending hours chasing what could be fixed by this
                  2) If you have the Firewall enabled on the NAS disable it for testing
                  3) reply to this comment with your compose information https://paste.drfrankenstein.co.uk (remove the keys) and post the link it gives you, so I can have a look… I will remove the link when I approve the reply..

  1. JJK JJK

    Great guides. I’m a complete beginner at Linux and NAS, and I was able to get Qbittorrent setup with ProtonVPN via OpenVPN. Tested via Torguard site, and getting a different IP.

    I believe I’ve setup everything I need to for the port Forwarding to work, as I’ve read that this is important, even though my brain has been unable to wrap around the concept of how/why that helps. Is there a way to test that the port forwarding is working? Do I have to setup a firewall rule to allow the port forwarding to work?

    Finally, at the bottom of this guide you show having a Deny All rule at the bottom of your firewall. I must have missed that part in your initial setup guides. When I go to create a deny all rule, and make sure it’s at the bottom, it fails stating that “Your computer has been blocked by the new firewall configuration. The firewall configuration has been reset…”

    • Dr_Frankenstein Dr_Frankenstein

      Hey, glad they are helpful 🙂

      So if you have ProtonVPN have a look at the ‘Proton VPN Port Forwarding Extra Step’ in the FAQ at the bottom of the guide. The NATMAP container will find your open port and update qbittorrent with it (listening port), ensuring you are direct connectable from other peers – so you get better speeds as others can connect directly.

      Firewall wise have a look at the guide on Wundertechs site, it sounds like you have configured the exceptions, but the firewall is not doing anything until you add the block all rule.. You must be missing an exception and it is stopping you from getting locked out!

      • JJK JJK

        I looked at Wudertechs site and added a line for my local IP and it now works.

        Originally after following your guides I had the following that did not work:
        Ports Protocol Source IP Action
        all all 172.20.0.1 to 172.20.255.254 Allow
        1234,9876 TCP ALL Allow
        all all United States of America Allow
        All all all Deny

        After Wondertech I got the following settings that was working
        Ports Protocol Source IP Action
        all all 192.168.50.1/255.255.255.0 Allow
        all all 172.20.0.1 to 172.20.255.254 Allow
        all all United States of America Allow
        All all all Deny

        As I type this out, I realize that my noob issue was probably not realizing to change the 1234,9876 to my actual ports. As a result, I’ve tried the following….

        all all 172.20.0.1 to 172.20.255.254 Allow
        8090,5001 TCP ALL Allow
        all all United States of America Allow
        All all all Deny

        This works for my Qbit torrent over VPN and I can stay connected to the synology WebUI, but I lost my ability to browse files from a local windows PC, presumably because I need to open up a port for that.

        Thoughts on using the wondertech solution of having this line on the firewall
        all all 192.168.50.1/255.255.255.0 Allow
        vs opening up individual TCP ports using the below instead.
        8090,5001 TCP ALL Allow

        • Dr_Frankenstein Dr_Frankenstein

          You essentially need to work through and add an exception for each service you use.. if you go into the Applications section you can tick the ones you are using for DSM itself..

          It’s why I keep the Firewall bit generic as there are so many combo’s people could be using. I am tempted to strip it right back to a one line which links to Wundertech on how to do it.

            • Dr_Frankenstein Dr_Frankenstein

              Is that the NAS, you could change the last 1 to 0 and it will effectively allow all local traffic.

  2. Dictate Dictate

    Thanks for the fantastic guide!

    I have run through it an d have everything up and working, but am having a lot of trouble getting qbitorrent to be connectable via proton VPN port forwarding.

    My YAML config is as follows:


    – VPN_SERVICE_PROVIDER=protonvpn
    – VPN_PORT_FORWARDING=on
    – VPN_TYPE=openvpn #change as per wiki
    – OPENVPN_USER=[redacted]+pmp
    – OPENVPN_PASSWORD=[redacted]
    – SERVER_HOSTNAMES:node-nl-01.protonvpn.net, node-nl-05.protonvpn.net, node-nl-108.protonvpn.net, node-nl-13.protonvpn.net

    I have set up natmap exactly as described in your guide above.

    Logs from natmap are as follows:

    2024/07/28 18:38:03 stdout 2024-07-28 16:38:03 | Sleeping for 5 minutes
    2024/07/28 18:38:03 stderr iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
    2024/07/28 18:38:03 stderr Warning: Extension udp revision 0 not supported, missing kernel module?
    2024/07/28 18:38:03 stderr iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
    2024/07/28 18:38:03 stderr Warning: Extension tcp revision 0 not supported, missing kernel module?
    2024/07/28 18:38:03 stderr iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument
    2024/07/28 18:38:03 stderr # Warning: iptables-legacy tables present, use iptables-legacy to see them
    2024/07/28 18:38:03 stdout 2024-07-28 16:38:03 | NAT-PMP/UPnP Ok!
    2024/07/28 18:38:03 stdout 2024-07-28 16:38:03 | IPTables rule added for port 25185 on gluetun container
    2024/07/28 18:38:03 stdout 2024-07-28 16:38:02 | Port OK (Act: 25185 Cfg: 25185)
    2024/07/28 18:38:03 stdout 2024-07-28 16:38:02 | Active Port: 25185
    2024/07/28 18:38:03 stdout 2024-07-28 16:38:02 | Configured Port: 25185
    2024/07/28 18:38:02 stdout 2024-07-28 16:38:02 | Public IP: [REDACTED]
    2024/07/28 18:38:00 stdout 2024-07-28 16:38:00 | qBittorrent SessionID Ok!

    My tracker websites all have me as not being fully connectable so I am fairly certain that the above configuration is not forwarding my ports correctly.

    Any ideas?

    • Dr_Frankenstein Dr_Frankenstein

      Hey all seems OK config wise, are the hostnames you chose all P2P I assume they are due to them being in the Netherlands. In QBIT is the listening port set to 25185? If it is you can use a port checker site using your public IP and port to see if it’s connectable.

    • Dr_Frankenstein Dr_Frankenstein

      Crap also – been talking about this on Discord – See my note at the top of the guide about rolling back to v3.38 of gluetun as it busted something on latest

  3. max max

    First of all, thank you very much for your guides. I really love them.

    I encountered a problem and I’m not sure how to fix it.

    I have put an external SSD drive (via usb-port) on my synology. I want to use it for the incomplete torrents, i only want the complete torrents to move on the volume 1 (could help with the wear on the harddrives? , and it’s less noisy….)

    incomplete: -> /volumeUSB1/usbshare/incoming
    complete -> /data/torrents/completed

    I have also modified the docker compose file:
    volumes:
    – /volume1/docker/qbittorrent:/config
    – /volume1/data/torrents:/data/torrents
    – /volumeUSB1/usbshare/incoming

    If i try to download a torrent i get an error: “error: Permission denied””

    – I have followed your guide: “Setting up a restricted Docker user and group then obtaining IDs” -> and i gave the permissions to volumeUSB1 but it still doesn’t work
    – If i change to your suggested path /data/torrents/incoming it works very well!

    Do you have any ideas or suggestions that could fix it? (or is it not possible to access the external USB drives via docker?)

    Sorry for the noob question and thanks in advance for your help

    • Dr_Frankenstein Dr_Frankenstein

      Hey setup makes sense for noise!

      Just tweak this line in your compose as you need to tell the container where to map the drive to inside the container

      – /volumeUSB1/usbshare/incoming:/incoming

  4. Dragos Dragos

    It seems like WIREGUARD_ADDRESSES=10.x.x.x is causing my gluetun to be unhealthy. I had to comment it out line by line, and that’s the only one that makes it fail. I’m using synology DS923+, arch r1000, wireguard, nordvpn (found private key through https://www.youtube.com/watch?v=-szt1lCHc5k). The other things I changed was add prowlarr per FAQs, add SERVER_CATEGORIES=P2P, and remove FIREWALL_VPN_INPUT_PORTS.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

drfrankenstein.co.uk – writing Synology Docker Guides since 2016 – Join My Discord!