Last updated on 7 April 2025
Important or Recent Updates
| Historic Updates | Date |
|---|---|
| New DSM7.2 Container Manager Update (Beta/RC) | 26/04/2023 |
| Added watchtower labels to the compose to allow updates and changed the proxies to off by default | 06/05/2023 |
| Removed the Watchtower ‘Depends On’ Labels as they do not successfully update the GlueTUN container. Added an Exclusion label to the GlueTUN container, so it can just be manually updated. | 11/05/2023 |
| Update includes: Firewall Input Ports for when your provider offers port forwarding, also a note in relation to volumes and added PUID/PGID settings for GlueTUN | 14/06/2023 |
| Update for WireGuard Kernel Module Install which reduces overall CPU usage for WireGuard connections Please note if you previously followed this guide you can follow the new section to update your existing set-up. | 21/09/2023 |
| Added Health checks to dependent containers | 25/09/2023 |
| Added an addition element to the compose to restrict the container from gaining additional privileges and umask environment variable | 25/10/2023 |
| Updated with new steps to obtain and change WebUI password | 21/11/2023 |
| Issue with passwords has been fixed in 4.6.2 so removed tty line from yaml | 29/11/2023 |
| Swapped YAML to use WireGuard by default (Thanks Bob) (Thanks Andy for the original suggestion) | 22/01/2024 |
| Amended the start-up script folders to align with the changes made late November (Apologies) | 25/01/2024 |
| Added – UPDATER_PERIOD=24h variable in order to ensure the latest server lists for your provider all pulled once a day | 27/04/2024 |
| Reworded the Port Forwarding section and added a new docker mod for those using ProtonVPN to update the qBit port forwarding (listening port) automatically | 18/08/2024 |
| NATMAP for Proton removed from the guide as GSP is the better choice now | 19/08/2024 |
| Adjusted the GSP Mod for Proton (removed un-needed for the addresses) | 04/12/2024 |
| Added pre-configured settings for AirVPN and Proton VPN including steps to get the details for these providers | 21/12/2024 |
| General bits of re-write, added generic WireGuard and OpenVPN compose removed the qBittorrent path edits as its no longer required and working via the UI! | 27/12/2024 |
| Edited the ProtonVPN compose as I had the wrong lines for WireGuard in it, apologies. | 29/12/2024 |
| – Removed the depends_on for GlueTUN as it’s not required – Added GSP Mod directly into the ProtonVPN Compose – Layered in a new section for the upcoming changes to GlueTUN 3.41 Control Server Auth where required. – General layout and wording tweaks! | 07/01/2025 |
| Fixed my inability to copy and paste and moved the GSP mod back to the correct container (I put them in the GlueTUN section sorry!!) | 14/01/2025 |
| Further GSP mod changes – I think we may have nailed the config!! ready for GlueTUN 3.40 – Removed the volume mount for gluetun/auth – Removed the GSP_QBT_ADDR variable – Removed the “quotes” around the GSP_API_KEY | 21/01/2025 |
| Further ProtonVPN updates now that 3.40 GlueTUN has been released it now can use the default ProtonVPN Compose rather than a Custom compose. We are testing a further change that removes the need for GSPMod which will be a further update likely over this weekend. | 31/01/2025 |
| OK this should be the final update for Proton for a little while (I hope) GSP Mod is no longer required, replaced with a command. Thanks to the team on Discord for testing and sorting this out! | 03/02/2025 |
| While not really good for torrents I have added N0rdVPN (OpenVPN) compose as we get a lot of people stuck in long contracts with them looking for help on Discord | 07/04/2025 |
What are qBittorrent and GlueTUN?
qBittorrent is a torrent downloader and GlueTUN is the Docker container that has pre-configured VPN connections for numerous VPN providers.
Before you start check the GlueTUN Wiki to see if your provider is on the supported list.
Also, if you are yet to choose a provider I currently use AirVPN which has nice easy port forwarding and is P2P friendly. This is my affiliate link if you fancy signing up.
Useful external links for this guide
GlueTUN Wiki
GlueTUN Docker GitHub
Linuxserver qBittorrent Container GitHub
qBittorrent Forums
Let’s Begin
In this guide I will take you through the steps to get qBittorrent up and running in Docker and a separate GlueTUN VPN container. By having a separate container for the VPN connection we can use it in the future for other applications.
In order for you to successfully use this guide please complete the three preceding guides
- Docker Package, SSD and Memory Recommendations
- Step 1: Directory Setup Guide
- Step 2: Setting up a restricted Docker user
- Step 3: Setting up a Docker Bridge Network (synobridge)
Folder Setup
Letβs start by getting some folders set up for the containers to use. Open up File Station create the following.
/docker/projects/vpnproject-compose
/docker/gluetun
/docker/qbittorrent
Setting up the TUN start up script
In order for the VPN connection to work we need to make sure the TUN Interface is available to make the connection to a VPN provider. In order to ensure it is available even after a reboot we will set up a small script.
Open up Control Panel and then click on Task Scheduler
Next click on Create, Triggered Task then User Defined Script.
Enter the following:
| Section | Setting |
|---|---|
| Task: | VPNTUN |
| User: | root |
| Event: | Boot-up |
| Enabled | Tick |
On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section. It will look like screenshot.
#!/bin/sh -e
insmod /lib/modules/tun.ko
You can now press OK and agree to the warning message. Next run the script which will enable the TUN device.
You can now move on to the next step.
WireGuard Kernel Module (not required for OpenVPN)
The default GlueTUN WireGuard setup uses the ‘Userspace’ implementation of WireGuard which requires higher CPU resources. For example a 40MiB/s download via qBittorrent uses up to 176% in CPU (1.7 Cores) on my 1821+.
By installing the appropriate Kernel Module this reduces down to 1 or 2% which frees up the CPU for other tasks.
BlackVoid.club have put together a Kernel Module for Synology which allows Gluetun to use the lower level Kernel to perform Wireguard duties make sure you drop them a thanks as this would not be possible without them!
While on first glances it looks like a long installation process the page details a number of methods. I recommend having a read taking note of warnings and also if you want to build your own module it tells you how.
The TLDR is below.
- Find your model of NAS under the correct DSM version section (If you are following this guide it will be 7.2 or above) and download the pre compiled .spk file
- Head into Package Center and click ‘Manual Install’ on the top right and install the .spk file and untick the box to run after install
- Reboot
- SSH Into your NAS (Just like in the User Setup guide) and elevate yourself to root by typing
sudo -iand entering your password - Enter this command and press enter to start up the module
/var/packages/WireGuard/scripts/start
You should now be able to see the WireGuard package running in Package Center. Please note while I will try my best to support in relation to this module I may have to refer you on if it is a specific technical issue.
On to the next part.
Container Manager Project (aka Docker Compose)
Next we are going to set up a ‘Project’ in Container Manager, a project is used when you want multiple containers to all be loaded together and often rely on each other to function. In our case we want qBittorrent to load and talk to the GlueTUN VPN container.
Open up Container Manager and click on Project then on the right-hand side click ‘Create’
In the next screen we will set up our General Settings, enter the following:
| Section | Setting |
|---|---|
| Project Name: | vpn-project |
| Path: | /docker/projects/vpnproject-compose |
| Source: | Create docker-compose.yml |
OK we are now going to drop in our Docker Compose configuration (YAML) – You will find some presets below – A basic WireGuard or OpenVPN setup which covers the majority of providers, but I have also provided some standard WireGuard presets for AirVPN and ProtonVPN, select the one that is appropriate for you.
See the GlueTUN Wiki for your specific provider steps or amendments
Docker Compose Presets
Standard OpenVPN Preset
services:
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
- 8090:8090/tcp # port for qbittorrent
volumes:
- /volume1/docker/gluetun:/gluetun
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- VPN_SERVICE_PROVIDER=NAMEOFYOURPROVIDER
- VPN_TYPE=openvpn
- OPENVPN_USER=abc
- OPENVPN_PASSWORD=abc
- SERVER_COUNTRIES=VPNSERVERCOUNTRY #Change based on the Wiki
- HTTPPROXY=off #change to on if you wish to enable
- SHADOWSOCKS=off #change to on if you wish to enable
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24
# - FIREWALL_VPN_INPUT_PORTS=12345
- UPDATER_PERIOD=24h
network_mode: synobridge
labels:
- com.centurylinklabs.watchtower.enable=false
security_opt:
- no-new-privileges:true
restart: always
qbittorrent:
image: linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- WEBUI_PORT=8090
- UMASK=022
volumes:
- /volume1/docker/qbittorrent:/config
- /volume1/data/torrents:/data/torrents
network_mode: service:gluetun # run on the vpn network
security_opt:
- no-new-privileges:true
restart: alwaysStandard WireGuard Preset
services:
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
- 8090:8090/tcp # port for qbittorrent
volumes:
- /volume1/docker/gluetun:/gluetun
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- VPN_SERVICE_PROVIDER=NAMEOFYOURPROVIDER
- VPN_TYPE=wireguard
- WIREGUARD_PRIVATE_KEY=YOUR-PRIVATE-KEY
- WIREGUARD_PRESHARED_KEY
- WIREGUARD_ADDRESSES=10.x.x.x
- SERVER_COUNTRIES=VPNSERVERCOUNTRY #Change based on the Wiki
- HTTPPROXY=off #change to on if you wish to enable
- SHADOWSOCKS=off #change to on if you wish to enable
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24
# - FIREWALL_VPN_INPUT_PORTS=12345
- UPDATER_PERIOD=24h
network_mode: synobridge
labels:
- com.centurylinklabs.watchtower.enable=false
security_opt:
- no-new-privileges:true
restart: always
qbittorrent:
image: linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- WEBUI_PORT=8090
- UMASK=022
volumes:
- /volume1/docker/qbittorrent:/config
- /volume1/data/torrents:/data/torrents
network_mode: service:gluetun # run on the vpn network
security_opt:
- no-new-privileges:true
restart: alwaysAirVPN WireGuard Preset
How to obtain your Wireguard Details from AirVPN
- Login to your AirVPN account and go to the Client Area
- Click on
VPN Devicesand create a new device namedGlueTUN(you can name this anything) - Back in the Client Area select
Config Generatorand select the following- Linux
- Turn on WireGuard
- Choose the newly created
GlueTUNdevice - Select your preferred Server or Region
- Click Generate and download the config file.
From the downloaded config file use the following parts and populate them into the compose below.
- Address = 10.141.x.x/32 #Nothing after this part
- PrivateKey = uFdxxxxxxxxxxxxxxxx
- PresharedKey = 4s2xxxxxxxxxxxxxxxxxxxx
In addition, there are some extra variables you can add to tell GlueTUN to use a specific Country, Region, Server etc. See this on the GlueTUN wiki and add based on your preferences.
Next you will want to set up port forwarding, so back in the Client Area, select Manage Ports and request a random port ensuring you turn on P2P and then assign the port to your GlueTUN device.
You will now enter this port number into the section of the compose labelled Firewall VPN Input Ports, make a note of this port number as you will set it as the Listening Port for the torrent client during its setup process. You can now continue with the guide to make the other general edits.
services:
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
- 8090:8090/tcp # port for qbittorrent
volumes:
- /volume1/docker/gluetun:/gluetun
environment:
- VPN_SERVICE_PROVIDER=airvpn
- VPN_TYPE=wireguard
- WIREGUARD_PRIVATE_KEY=
- WIREGUARD_PRESHARED_KEY=
- WIREGUARD_ADDRESSES=
- TZ=Europe/London
- PUID=1234
- PGID=65432
- HTTPPROXY=off
- SHADOWSOCKS=off
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24
- FIREWALL_VPN_INPUT_PORTS=12345
- UPDATER_PERIOD=24h
network_mode: synobridge
labels:
- com.centurylinklabs.watchtower.enable=false
security_opt:
- no-new-privileges:true
restart: always
qbittorrent:
image: linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- WEBUI_PORT=8090
- UMASK=022
volumes:
- /volume1/docker/qbittorrent:/config
- /volume1/data/torrents:/data/torrents
network_mode: service:gluetun # run on the vpn network
security_opt:
- no-new-privileges:true
restart: alwaysProtonVPN WireGuard Preset
ProtonVPN previously used the Custom config in GlueTUN to get it working correctly, it has now changed again in version 3.40!
Thanks to Geebru on Discord for the settings and screenshots
- Use any name you like
- Select GNU/Linux
- Turn on the following
- Block malware only
- Moderate NAT
- NAT-PMP (Port Forwarding)
- VPN Accelerator
- Select a server that is physcially close to you and low usage
- Ensure its a P2P server (double left and right arrows)
You can then layer in the WireGuard details it provides you into the compose below.
(Note Proton Wireguard keys expire after 12 months so you will need to renew them after that period of time)
services:
gluetun:
image: qmcgaw/gluetun:latest
container_name: gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
- 8090:8090 # qBittorrent
volumes:
- /volume1/docker/gluetun:/gluetun
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- VPN_SERVICE_PROVIDER=protonvpn
- VPN_TYPE=wireguard
- WIREGUARD_PRIVATE_KEY= #Your Key
- SERVER_COUNTRIES= #Your Choice
- PORT_FORWARD_ONLY=on
- VPN_PORT_FORWARDING=on
- VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORTS}}}" http://172.20.0.1:8090/api/v2/app/setPreferences 2>&1'
- HTTPPROXY=off
- SHADOWSOCKS=off
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.4.0/24
- UPDATER_PERIOD=24h
network_mode: synobridge
labels:
- com.centurylinklabs.watchtower.enable=false
security_opt:
- no-new-privileges:true
restart: always
qbittorrent:
image: linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- WEBUI_PORT=8090
- UMASK=022
volumes:
- /volume1/docker/qbittorrent:/config
- /volume1/data/torrents:/data/torrents
network_mode: service:gluetun # run on the vpn network
security_opt:
- no-new-privileges:true
restart: alwaysOnce you have qBittorrent up and running you will need to add a couple of exceptions to its authentication settings to allow the command in the GlueTUN container to update the Listening port for you automatically.
As per the screenshot add an exception for our synobridge Docker Bridge. and also you may require for your local subnet. These are the same IPs you entered into the Firewall Outbound Subnets section of the compose (you do this shortly)
N0rdVPN OpenVPN Preset
The #1 advertiser for VPNs – If you are still within your cooling off period I would recommend getting a refund and use a VPN provider who offers port forwarding such as AirVPN or ProtonVPN. If you are stuck with them you will have limited connectivity and will not be able to use private trackers.
You need to create Service Credentials for the Username and Password elements on the compose from within your Account.
services:
gluetun:
image: qmcgaw/gluetun
container_name: gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
- 8090:8090 # qBittorrent
volumes:
- /volume1/docker/gluetun:/gluetun
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- VPN_SERVICE_PROVIDER=nordvpn
- OPENVPN_USER= #User and Pass are Service Credentials in your Nord account
- OPENVPN_PASSWORD=
- TZ=
- HTTPPROXY=off #change to on if you wish to enable
- SHADOWSOCKS=off #change to on if you wish to enable
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.XX.XX/24 #change this in line with your subnet see note on guide.
network_mode: synobridge
labels:
- com.centurylinklabs.watchtower.enable=false
restart: unless-stopped
qbittorrent:
image: linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- WEBUI_PORT=8090
- UMASK=022
volumes:
- /volume1/docker/qbittorrent:/config
- /volume1/data/torrents:/data/torrents
network_mode: service:gluetun # run on the vpn network
security_opt:
- no-new-privileges:true
restart: always
Docker Compose General Edits
IDs and Timezone
First look for the lines below, they appear twice each, these control the containers access to our filesystem and also the user the containers run as.
| Variable | Value |
|---|---|
| PUID | (required) The UID you obtained in the user setup guide |
| PGID | (required) The GID you obtained in the user setup guide |
| TZ | (required) Your timezone wikipedia.org/wiki/List_of_tz_database_time_zones |
Ports and Proxies
In the top Gluetun section you will notice that we have some additional ports assigned for a http proxy and Shadowsocks Proxy β this means you can direct traffic from other devices or applications on your network through the container! If you want to use these change the following.
| Variable | Value |
|---|---|
| HTTPPROXY | off (default) on (enabled) |
| SHADOWSOCKS | off (default) on (enabled) |
Firewall Outbound Subnet
This section controls your ability to access the UIs of any containers running through the GlueTUN containers network.
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24The first part ‘172.20.0.0/16’ don’t edit as this is our ‘synobridge’ network and allows other containers such as Radarr to access the download client.
We need to change the second IP after the comma this allows us to access the WebUI and containers via out local network.
This IP address (subnet) is easy to figure out. If you NAS IP is 192.168.0.27 your subnet is 192.168.0.0/24 (notice I just changed the last number before the /24 to 0)
Firewall Input Ports (Port Forwarding)
This line is #commented out by default, if your VPN provider offers port forwarding remove the # from the start of the line and change the port number(s) in line with the ones provided to you. Make sure you also manually update the ‘Listening Port’ in qbit once you are running.
- FIREWALL_VPN_INPUT_PORTS=12345,56789Volumes
By default, I have assumed you have your config files stored on /volume1 if these are located on another volume amend these lines accordingly.
- /volume1/docker/gluetun:/gluetun
- /volume1/docker/qbittorrent:/config
- /volume1/data/torrents:/data/torrents Watchtower Exclusion
You don’t need to change this, I added a label to avoid Watchtower automatically updating the GlueTUN container as it will always break the overall project which can be inconvenient if you are not around to fix it. You can update the container using the mini guide on the left menu of the site.
labels:
- com.centurylinklabs.watchtower.enable=falseDocker Compose β Provider Specific Edits
This next bit is important and if you don’t pay attention to the details you will have a harder time connecting up to your VPN provider, if you used the pre-configured settings for AirVPN or ProtonVPN skip this section.
Open up the GlueTun Wiki and in the list find your provider.
Let’s use AirVPN as our example.
On the page you will see a number of key sections highlighting the variables that work with AirVPN.
Note ignore the ‘docker run’ code it’s not relevant for what we are doing.
Read the compose section and make note of what is shown for either WireGuard or OpenVPN dependent on what you are using to connect and then make the same amendments to the compose you copied earlier.
Key differences are generally the SERVER_COUNTRIES / SERVER_CITIES or what keys are required and IP addresses etc.
I have provided some common defaults in the compose for you, but you need to amend them in line with your providers page.
If your provider is not supported, you can make a request on GitHub to add it, or you can follow the custom providers guidance on GlueTUNs WIKI.
Once you have checked for your provider, make the appropriate edits to the compose accordingly.
That completes the edits to the compose!
Click ‘Next’
You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again
On the final screen click Done which will begin the download of the container images and once downloaded they will be launched!
The images will now be downloaded and extracted. You should see βCode 0β when it has finished.
You will now see your vpn-project running both containers should have a green status on the left-hand side.
Firewall Exceptions
(Skip if you don’t have the Firewall configured)
If you have the Synology Firewall enabled please see this additional guide for further info on exceptions and correct set up.
Final qBittorrent Setup
Changing the default WebUI login and password
If you skip this step you won’t be able to log in.
Now the container has started open it in the Docker UI and go to the Log tab. Within the logs you will see the login details
Now before doing any more of the guide go to the Web UI by going to the IP of your NAS followed by port 8090 and log in. Then on the WebUI tab change the defaults to your own and save them.
As we have used /data/torrents as the mount point for our downloads we need to make sure qBittorrent uses this same file path. Open the settings and edit the following paths and save.
| Option | Original Value | New Value |
|---|---|---|
| Default Save Path | /downloads | /data/torrents/completed |
| Keep incomplete torrents in | /downloads/incomplete | /data/torrents/incoming |
| Monitored Folder (optional) | blank | /data/torrents/watch |
In prior versions of this guide I had a command to unzip RAR and ZIP files, I have removed this as it is not reliable, check out Unpackerr from the menu.
Advanced Network Settings (Use the TUN Device)
The last step is to tell qBittorrent to only use the tun0 interface for its traffic, go to the Advanced tab then from the ‘Network Interfaces’ drop down select ‘tun0’ and click Apply, If this doesn’t appear the first time you may need to completely reboot your NAS.
I am not going to walk through all the other settings as you can customise these as you wish.
That’s it you are completely set up, you can now start up the Project again from the ‘Project’ tab.
I recommend having a quick read through the FAQ as it covers some questions you may have!
FAQs
Q: My GlueTUN is unhealthy what can I do?
A: The GlueTUN logs should be your first point of call, they will tell you if you have key issues with the configuration that are sometimes easily remedied. If you are still stuck leave a comment on this post, include the contents of your compose and also the log file (Use my PrivateBin https://paste.drfrankenstein.co.uk) remove passwords or WireGuard keys!
Or Join Discord for some more immediate help..
Q: How can I update the GlueTUN containers?
A: See the Updating Containers section on the menu.
Q: How can I be sure the VPN connection is working?
A: Go to the TorGuard Check My Torrent IP site, right-click on the Green banner and copy the link (it’s a Magnet link) Then add this link into qBittorrent and start the torrent. Keeping the site open after a few seconds the site will show the IP address of the connection it finds. This will be of the VPN provider not your home IP. (Please note the torrent doesn’t actually download anything it’s purely doing an IP check)
Q: I am getting the ‘errored’ status for all my torrents
This is very likely a permissions issue, go to the User and Group guide and see the permission fixes towards the bottom.
Q: Everything seems to be connected but nothing is downloading.
Try grabbing the Ubuntu torrent as that is a sure fire way of testing as generally it has over 3k seeds.
Are you using TorGuard – If so they block torrents on their US servers. Change to another country β Also while you are at it, you may need to configure port forwarding in your TorGuard account.
Q: My container doesn’t seem to start on a reboot even with the TUN script.
A: I have seen this a few times and usually relates to the VPN not completing its connection fast enough before containers using the VPN start. You can try setting an additional startup script by doing the following.
Head into Control Panel and go to Task Scheduler Click Create > Triggered Task > User Defined Task
| Section | Setting |
|---|---|
| Task Name | DockerVPNBootUp |
| User | Root |
| Event | Boot Up |
| Pre Task | Select the VPNTUN script from the drop-down that you created at the start of the guide |
In the ‘Task Settings’ tab enter the following and then click Save
sleep 120
docker-compose -f /volume1/docker/projects/vpnproject-compose/compose.yaml down
wait
docker-compose -f /volume1/docker/projects/vpnproject-compose/compose.yaml up -dOnce added Save and Container Manager will rebuild the project with the mod enabled, you will see it working in the qBittorrent containers log.
Q: I tried to start Deluge / qBittorrent manually, and it says βContainer must join at least one networkβ
A: This is due to the Synology Container Manager GUI not understanding that the container will be on the GlueTUN βnetworkβ. You will need to start the container via the Project as it is part of the overall Project compose.
Q: How can I add additional services to the VPN container?
See some of my other GlueTUN related guides as they show the steps required to add other containers to GlueTUN
Looking for some help, join our Discord community
If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!
Buy me a beverage!
If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.
Hey! Amazing guide, I’ve used it myself and recommended it to others. I set this up almost 2 years ago and its been working smooth up until a couple of days ago. I got hit with this error on the qbit container: “cannot join network of a non running container” I assume this has to do with gluetun? Gluetun is indeed running, so I’m wondering if an update broke that connection. Any ideas on where to start?
Hey – are you still using the docker compose commands to start your setup up.. if so you need to run the docker compose in order for both containers to start up together successfully. Otherwise, Container Manager doesn’t understand how the two link..
Perhaps? Its been some time since I’ve looked at this. Can you point me to where I should look?
If you followed the older guide from 2 years back you likely are using docker compose and running the start-up of the containers via a command using SSH or you may have set up a script on Start Up in the Schedule Tasks in Control Panel. Or if it’s a bit more recent than 2 years, you will have a project setup as per the top of this guide. Have a look for a docker-compose.yaml in your docker folder with the information in it.
Hello again!
Sorry for the super long delay here, finally getting a chance to get around to this. I don’t have a docker-compose.yaml file, but I do have a .yaml file for the VPN. I just checked when I worked on this last and it was Feb of 2023.
Appreciate your help here again.
No worries – In you are using Container Manager I would transition to the latest method at this point. Feel free to drop your compose in a reply and I can edit it for you, but then for you to follow this latest guide to get it running again.
https://paste.drfrankenstein.co.uk (remove any passwords)
Ok I went through the steps on this page, and when I went to “create” the project, I got hit with an error. The error is that glutun already exists. Should I delete the old config?
This is what I put in the compose if you wanna check. Passwords removed.
https://paste.drfrankenstein.co.uk/?c42d5d1ffa6f8d29#H8D6X28ouNBc977dU3spNCFffz9TTug8CtEcd14apRRE
I deleted glutun because I figured it was fine. Now I’m being faced with deleting qbittorent. Is that necessary? Will I lose any settings I have set up? Fine if so, just curious.
Hey you won’t lose settings all your configs for your containers are stored in /docker the containers themselves are disposible
Phew okay, sorry for blowing you up here. I went ahead and deleted the qbittorent container I had already because i figured it wouldn’t be too much to set back up. I hit one more error, (something I forgot about in the past, i didn’t use “data” in my directory) and couldn’t find a way to edit the yaml file in the project section so I deleted the project and tried to recreate it. Now using the exact same compose but with a new directory, im getting hit with several errors including: “Map keys must be unique”, “Property ports is not allowed”, and “Property cap_add is not allowed”
Sorry for screwing things up so bad lol.
Hey looks like I was AFK when you replied
Send over your new compose via my paste link again, I will take a look It’s likely just a spacing issue somewhere.
Here you go! Sorry I thought I could figure it out myself haha
https://paste.drfrankenstein.co.uk/?0940e73e1562e78e#9gMcNRS59y4qAuHr7TAGXaL9HiY2UYrjBhftg6dkuADL
Here you go this is nicely formatted – I will watch for any replies just finished work but will be back online in a couple of hours
https://paste.drfrankenstein.co.uk/?b872a398f21027eb#9eW4c6jJfEYPphfhPGD8nJjgvz8UNDiPP3MmKnNZY3wN
I can’t respond to your other message for some reason. I was indeed able to get this one to create the project, but I’m not hitting an exit code: 1. “Error response from daemon: bind mount failed: ‘/volume1/docker/glutun'”
You are a lifesaver here.
Hey looks like a typo in the folder name
gluetun
Error on my part. Shows as gluetun in the error. Double checked and everything in the compose file shoes “gluetun”
You definitely have that folder created and its in /volume1/docker/gluetun – as it must be missing if it can’t see it.
ITS FIXED. I didn’t have the folders. Once they were made, everything went through. I hit some snags, but nothing I wasn’t able to handle. Appreciate all your help here. Sent some coffee your way π
Glad its all working, thanks for the coffee π
Hi! Setting up my 423+, which is my first ever NAS. Your guide here has been amazing. I’m getting stuck with the build part of the vpn-project. I ‘think’ I did everything correctly, but when it tries to build I get an error: “The container name “/qbittorrent” is already in use by container “61dfce…..”. You have to remove (or rename) that container to be able to reuse that name.
What could be the problem? thanks in advance!
Hi do you already have qbit up and running separately at all. If so check in the list of containers in Container Manager and just delete the other one then it should let you start up the Project.
“/dev/net/tun”: No such file or directory
Currently trying to sort through why this might not be present on my Synology 920+
Hey Danny – Once you set up the initial TUN script you may need to do a reboot for it to become available.
Hello Doctor,
I have made it most of the way through the tutorial, even to the point of building the container. It looks like Gluetun has been pulled and created successfully but the add-on is having issues.
I am getting the error response “conflicting options: port publishing and container type network mode”
The add-on container I am using is Overseerr because I have already built qBittorrent successfully outside the VPN container and I don’t want to mess it up unless I am confident it will work under Gluetun so this first container build is a test.
I have successfully built Overseerr before, outside VPN, but I live in China behind the Great Firewall so I can’t really use it because of the blocks (I can see the web UI but it doesn’t load any content). So I thought Overseerr would be the perfect test case for Gluetun.
I stopped the existing Overseer container before building this Gluetun stack. I cleaned the project and deleted the unused image. I created separate config folders for “overseerr-vpn” and wrote that into the .yaml file so there wouldn’t be any conflict. After the error response, I also tried assigning the new Overseer container other ports such as 5056 and made sure it was noted in both the Gluetun and Overseerr environments. And the network mode is quite simple, “service:gluetun…” (identical to every tutorial you have written), so I don’t even know where to begin to troubleshoot that. But the error remains.
Do you have any ideas where my mistake may be? Is it because I have already run Overseerr in Container Manager?
Hey Jake, try this out, it may just be you leaving the ports in the wrong section
I moved the ports up to the GlueTUN container and then switched the network mode for Overseer.. Layer the same changes into yours and it should work.
https://paste.drfrankenstein.co.uk/?f9accf2750963882#MidssU8k79T8NrAuwNxogzU9b8NxotKqvHTUFHKYu4Z
Thank you so much for the reply. I think this might have fixed the Overseer side of the issue so I really appreciate it!
Now it has revealed that there’s a problem with the gluetun custom provider information that I’ll have to figure out. I want to use the vpn provider i already subscribe to so I’ve prepared their wireguard configuration to input. I know this issue is a little too specific so no need to follow up about it. I’ll keep grinding at it and look for the right tree to bark up for help. I really appreciate all these guides and your engagement with everyone to help out so thank you again!
Are you using Proton as I can give you a pre-set compose, we have just been talking/thinking about have some pre done compose for the top providers in the guides to save people the headache as Proton is a custom one if you use Wireguard
I have a Proton free account for the purpose of trying to get this up and running but I saw that the port forwarding feature is not included in the free account.
So my hope was to get a custom provider set up for my day-to-day VPN I already pay for, Astrill. I downloaded their wireguard config and followed the Gluetun custom provider format to the best of my ability but got an error with the wrieguard endpoint IP. Astrill gave me an address with a weird format (“xxx#.wg.xxx###.net:portnumber” with x’s being letters and #’s being numbers) and I’m assuming Gluetun wants an ipv4 address format. I’m not sure how to get it to fit in with what Gluetun wants so I plan to ask on reddit and see if anyone else has used astrill with Gluetun.
Here is the YAML I unsuccessfully used, based on the Gluetun custom instructions and the docker composes you have provided: https://paste.drfrankenstein.co.uk/?9e71ca59f0c47d6b#DhUYyqHw8w4xsSKcwW52MZUV2cTBdrXQgqG9a4YbkApY
Hey Jake – Yeah Gluetun will want an IPv4 address do they give you any other IPs at all? It might be worth asking them as generally the address is the same one for all users. Also, some providers may not supply all the keys as they just require one etc so could mean you can remove some lines – Of the items in the yaml which ones have you got from the config file.. happy to have a look if you just strip out the keys..
Here is the config Astrill gave me:
https://paste.drfrankenstein.co.uk/?9dc4d5be197d5922#33XFtWkUjgsiZHNzpJWaS4XvUwzFCa8XVCk4HYKGvLkc
The public key, private key, and wireguard address seem pretty straightforward. The endpoint IP and the port on the next line are where I assumed I needed to include the “law2……..” address even though it doesn’t seem like it should fit there. I just didn’t know what other address to put there. Perhaps the same “wireguard address”?
Here is the compose with the gluetun custom requirements (pretty much inside ‘environment’ from ‘vpn service provider’ down to ‘wireguard addresses’):
https://paste.drfrankenstein.co.uk/?9e71ca59f0c47d6b#DhUYyqHw8w4xsSKcwW52MZUV2cTBdrXQgqG9a4YbkApY
I’m afraid all of this will again be for naught because I’m going on about 28 hours of zero vpn connection on wireguard or stealth protocols. Ah, such is life behind the firewall.
Thanks so much for your help thus far; any more insight is just icing on the cake.
So I looked up the IP from the domain and popped it into the compose, looks like you just need the private and public keys.. see if that then works..
https://paste.drfrankenstein.co.uk/?fd7c74eb8cf35d88#H8umWRSRV5y9u1WPnq3stagDYHYKB35ZaWEqJx7UXrvk
It successfully built the containers! I do indeed have another can of worms to deal with (vpn issues) but at least the container works. I don’t think I’ll ever get the NAS connected to VPN but at least I’m learning a lot in the process. This is just another in the long line of attempts I have made to open up the NAS to the internet so I can port forward behind CGNAT. I’ll figure it out some day.
Thank you so much for all the help!
Hey admin I’m owner of a DS 920+ and I’m very happy to have discovered your site, so many useful resources for our lovely synology π
I followed step by step your different guides 1 to 3 to properly configure my docker, I’ve also set up a tailscale network and I see that you mention a special Wireguard Kernel module for this application.
Does this also apply to tailscale?
I suspect Tailscale is also using the Userspace version of Wireguard however I am not sure if their package looks for a kernel implementation on a Synology as none of them have it built in natively, so it certainly doesn’t hurt to have it installed I am not sure if its using it.
Hi! Thanks for your work. I have an older RS816 which doesn’t seem to support either Container Manager nor Docker. Is there any way how I still could get qBit and AirVPN on my NAS?
Hi Slim – You can install qbit via the community apps – And then use the built in DSM VPN connection manager within the Control Panel > Network > Create.. Just keep in mind that this wont feature a ‘kill switch’ so if the vpn drops you could expose qbit to you real IP
https://synocommunity.com/