Please note if you are using DSM7.2 or higher you should use the Container Manager version of this guide from the menu.
This guide has reached the end of its updates as most people are now on the latest DSM update - This guide is correct as of 08/12/2023 however no further updates will be added.
Important or Recent Updates
| Historic Updates | Date |
|---|---|
| New guide | 23/09/2022 |
| Fixed a typo in the yaml ‘vpngluetun’ to ‘gluetun’ | 26/09/2022 |
| Added the synobridge network to the VPN container | 07/10/2022 |
| Added depends_on to the compose file to help with the container stack coming online at boot. | 18/10/2022 |
| Removed requirement to use VPN Package | 06/11/2022 |
| Amended compose file for enabling or disabling the built-in proxy | 09/12/2022 |
| Added note to the FAQ about how to Update the containers | 06/01/2023 |
| Added additional step to force qBittorrent to use the tun0 interface | 06/02/2023 |
| Added firewall exception for network subnet | 22/02/2023 |
| Added firewall exception for ‘synobridge’ subnet as this seems to be yet another random thing that works for some and not others! | 31/03/2023 |
| Compose version number removed and image updated in line with amendment | 09/04/2023 |
| Amended the path to save the compose file – this is for security, so the container has no access to the file contents. | 14/04/2023 |
| Added watchtower labels to the compose to allow updates and changed the proxies to off by default | 06/05/2023 |
| Removed the Watchtower ‘Depends On’ Labels as they do not successfully update the GlueTUN container. Added an Exclusion label to the GlueTUN container, so it can just be manually updated. | 11/05/2023 |
| Update includes: Firewall Input Ports for when your provider offers port forwarding, also a note in relation to volumes and added PUID/PGID settings for GlueTUN | 14/06/2023 |
| Update for Wireguard Kernel Module Install which reduces overall CPU usage for Wireguard connections Please note if you previously followed this guide you can follow the new section to update your existing set-up. Added Health checks to dependent containers | 25/09/2023 |
| Updated with new steps to obtain and change WebUI password | 21/11/2023 |
| Issue with passwords has been fixed in 4.6.2 so removed tty line from yaml | 29/11/2023 |
What are qBittorrent and GlueTUN?
qBittorrent is a torrent downloader and GlueTUN is the Docker container that has pre-configured VPN connections for numerous VPN providers.
Before you start check the GlueTUN Wiki to see if your provider is on the supported list on the left-hand side.
Also, if you are yet to choose a provider have a look at the Reddit list of recommended suppliers as could save you a headache when trying to seed. I currently use AirVPN which has nice easy port forwarding unlike some others. This is my affiliate link if you fancy signing up.
Let’s Begin
In this guide I will take you through the steps to get qBittorrent up and running in Docker and a separate GlueTUN VPN container. By having a separate container for the VPN connection we can use it in the future for other applications such as Prowlarr, this is useful if you have torrent indexers blocked in your country.
As the Synology DSM Docker GUI does not support some of the functions we need for this tutorial we will be using Docker Compose. This is not as complicated as it might seem!
In order for you to successfully use this guide please complete the three preceding guides
- Step 1: Directory Setup Guide
- Step 2: Setting up a restricted Docker user
- Step 3: Setting up a Docker Bridge Network
Folder Setup
Let’s start by getting a couple of folders set up for the containers to use. Open up Filestation and within the /docker share create a folder called ‘qbittorrent’ and one called ‘gluetun’
Setting up the start up script
Open up Control Panel and then click on Task Scheduler
Next click on Create, Triggered Task then User Defined Script.
Now enter a name for the script – you can call it anything you like. The User must be ‘root’ and ‘Boot-up’ for the Event.
On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section. It will look like screenshot.
#!/bin/sh -e
insmod /lib/modules/tun.ko
You can now press OK and agree to the warning message. Next run the script which will enable the TUN device.
You can now move on to the next step.
Firewall (Optional Step if you have the Firewall Enabled)
If you have the Synology Firewall enabled and configured to block outgoing connections you will need to do this step. Otherwise, you will have issues with the VPN connecting to your provider. (please note the screenshot below does not show all the other rules you would normally have enabled)
Go into Control Panel > Security > Firewall
Click on Edit Rules and in the screen that appears click on ‘Create’
In the first screen select ‘Custom’
On the next screen we select the Type as ‘Destination Port’ and Protocol as ‘All’. In this example I am going to open up both 1194 and 1195 as some providers use UDP and some TCP and these are the most commonly used ports.
Click on OK and Apply the rule, and leave the ‘Source IP’ and ‘Action’ to their defaults on the original screen.
Wireguard Kernel Module
(Recommended for Performance & Reduced CPU Resource)
The default Gluetun Wireguard setup uses a ‘Userspace’ implementation of Wireguard which normally should not use much from a CPU resource perspective. However, on Synology it tends to require high CPU utilisation. For example a 40MiB download via qBittorrent uses up to 176% in CPU (1.7 Cores) on my 1821+.
By installing the appropriate Kernel Module this reduces down to 1 or 2% which over time would add up from an electric usage perspective and free up the CPU for other tasks.
BlackVoid.club have put together a Kernel Module for Synology which allows Gluetun to use the lower level Kernel to perform Wireguard duties make sure you drop them a thanks as this would not be possible without them!
While on first glances it looks like a long installation process the page details a number of methods. I recommend having a read taking note of warnings and also if you want to build your own model it tells you how.
The TLDR is below.
Step 1 – Find your model of NAS under the correct DSM version section (If you are following this guide it will be 7.0/1) and download the pre compiled .spk file
Step 2 – Head into Package Manager and click ‘Manual Install’ on the top right and install the .spk file and untick the box to run after install
Step 3 – Reboot (Not always required for DSM7.1 and lower)
Step 4 – SSH Into your NAS (Just like in the User Setup guide) and elevate yourself to root by typing sudo -i and entering your password
Step 5 – Enter this command and press enter to start up the module /var/packages/WireGuard/scripts/start
You should now be able to see the WireGuard package running in Package Manager. Please note while I will try my best to support in relation to this module I may have to refer you on if it is a specific technical issue.
When you have GlueTUN running check the log for this line [wireguard] Using available kernelspace implementation, and you know it is working.
On to the next part.
Docker Compose
Next we are going to create a Docker Compose file, this is used to tell Docker how to set up our containers with all the variables we require that are not available in the DSM GUI.
You can edit this file in a number of ways, but to keep the guide OS-agnostic we will be using the Synology Text Editor package which can be installed via Package Center.
Open up Text Editor and create a new file then, copy and paste the information below into the file.
You will notice that we have some additional ports assigned for a http proxy and Shadowsocks Proxy – this means you can direct traffic from other devices or applications on your network through the container! If you do not want to use this functionality remove those ports.
services:
gluetun:
image: qmcgaw/gluetun
container_name: gluetun
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
ports:
- 8888:8888/tcp # HTTP proxy
- 8388:8388/tcp # Shadowsocks
- 8388:8388/udp # Shadowsocks
- 8090:8090 # port for qbittorrent
volumes:
- /volume1/docker/gluetun:/gluetun
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- VPN_SERVICE_PROVIDER=NAMEOFYOURPROVIDER
- VPN_TYPE=openvpn
- OPENVPN_USER=VPNUSERNAME
- OPENVPN_PASSWORD=VPNPASSWORD
- SERVER_COUNTRIES=VPNSERVERCOUNTRY
- HTTPPROXY=off #change to on if you wish to enable
- SHADOWSOCKS=off #change to on if you wish to enable
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24 #change this in line with your subnet see note on guide.
# - FIREWALL_VPN_INPUT_PORTS=12345 #uncomment this line and change the port as per the note on the guide
network_mode: synobridge
labels:
- com.centurylinklabs.watchtower.enable=false
restart: unless-stopped
qbittorrent:
image: linuxserver/qbittorrent:latest
container_name: qbittorrent
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- WEBUI_PORT=8090
volumes:
- /volume1/docker/qbittorrent:/config
- /volume1/data/torrents:/data/torrents
network_mode: service:gluetun # run on the vpn network
depends_on:
gluetun:
condition: service_healthy
restart: unless-stoppedYou can change the formatting to YAML in the bottom right of the editor to make it easier to read.
Firewall Subnet
You will see an environment variable in the yml file called FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24
The first part 172.20.0.0/16 don’t edit this, the second IP after the , change as per below.
This IP address is easy to figure out. If you NAS IP is 192.168.1.27 your subnet is 192.168.1.0/24 (notice I just changed the last number to 0) This variable allows any containers connected via the VPN access to your local network.
Firewall Input Ports
This part is # commented out by default, if your provider offers port forwarding remove the # from the start of the line and change the port number in line with the one provided to you. This will also be the port used within qBittorrent and will help overall connectivity. (Note if you are using Proton VPN see the FAQ for an important extra step now!)
Volumes
By default, I have assumed you have your config files stored on /volume1 if these are located on another volume amend this line accordingly.
Watchtower Exclusion
You don’t need to change this, I added a label to avoid Watchtower automatically updating the GlueTUN container as it will always break the overall project which can be inconvenient if you are not around to fix it. You can update the container using the mini guide on the left menu of the site.
labels:
- com.centurylinklabs.watchtower.enable=falseImportant – Provider Specific Edits
Next up we will need to make some edits to the Environment Variables section of the compose in line with what is required for your specific provider. Open up the GlueTun Wiki and in the list find your provider.
For example in the Privado section (screenshot below) it has the variables required to make a successful connection, The ‘Required environment variables’ section will get you connected to a random server of the containers choosing.
You can add the ‘Optional environment variables’ parameters in order to select a specific server or range of servers. These are found on the same page.
(Pay close attention to your providers amendments as often people are caught out by using the incorrect settings such as SERVER_COUNTRIES when it should be SERVER_REGIONS etc)
If your provider is not supported, you can make a request on GitHub to add it, I do not currently have custom providers covered in this guide, feel free to jump on Discord / email me for help here.
Also note that some providers don’t like you having special characters in the password you will generally spot this in the log with AUTH errors.
This will be very similar across all the providers built in with some slight variances.
Once you have checked for your provider, make the appropriate edits to the compose accordingly.
In addition to the edits we just made there are a couple more in the table below, do these in the sections I have pre-filled
| Variable | Value |
|---|---|
| PUID | (required) The UID you obtained in the user setup guide |
| PGID | (required) The GID you obtained in the user setup guide |
| TZ | (required) Your timezone wikipedia.org/wiki/List_of_tz_database_time_zones |
You can now save this compose file in /docker and call it qbittorrentvpn.yml
SSH and Docker-Compose
It’s time to get logged into you Diskstation via SSH, you can do this in the same way as when you obtained your IDs in the ‘Setting up a restricted Docker user‘ guide.
Once you have logged in you will need to give 2 commands, you can copy and paste these one at a time — you will need to enter your password for the command starting with ‘sudo’
First we are going to change directory to where the qbittorrentvpn.yml is located, type the below and then press enter.
cd /volume1/dockerThen we are going to instruct Docker Compose to read the file we created and complete the set-up of the container. Again type the below and press enter.
sudo docker-compose -f qbittorrentvpn.yml up -dWhen the command has completed you should be able to see both qBittorrent and the VPN container running in the list of containers in the Synology GUI.
Error: “gluetun is unhealthy”
At this stage if you receive an error relating to GlueTUN being unhealthy there is likely an error in the config file, this usually relates to the provider specific elements. If you check the logs for the GlueTUN container it will tell you why it couldn’t connect. If you get stuck drop me a comment with a copy of the logs via https://paste.drfrankenstein.co.uk.
Changing the default WebUI login and password
If you skip this step you won’t be able to log in.
Now the container has started open it in the Docker UI and go to the Log tab. Within the logs you will see the login details
Now before doing any more of the guide go to the Web UI by going to the IP of your NAS followed by port 8090 and log in. Then on the WebUI tab change the defaults to your own and save them.
Now continue on..
Final qBittorrent steps
As we have used /data/torrents as the mount point for our downloads we need to make sure qBittorrent uses this same file path.
We need to change the file paths by editing the qBittorrent config file, before doing this stop both of the containers.
Go back into DSM and open Text Editor, browse to /docker/qbittorrent/qbittorrent and open the qBittorrent.conf then edit the file in line with the table below, once amended save the changes.
| Original Value | New Value |
|---|---|
| Session\DefaultSavePath=/downloads/ | Session\DefaultSavePath=/data/torrents/completed |
| Session\TempPath=/downloads/incomplete/ | Session\TempPath=/data/torrents/incoming/ |
| Downloads\SavePath=/downloads/ | Downloads\SavePath=/data/torrents/completed |
| Downloads\TempPath=/downloads/incomplete/ | Downloads\TempPath=/data/torrents/incoming/ |
You can now bring the containers back up again by repeating the steps in the SSH and Docker Compose section above.
Once the containers are running you can log into the Web UI by going to the IP of your NAS followed by port 8090
e.g. 192.168.0.30:8090
Log in with the username and password you created earlier.
Now you are in the UI click on settings cog at the top of the screen, we are going to change one more directory which is the watched folder to /data/torrents/watch. You can also turn on the option ‘keep incomplete torrents in:’ which should already have /data/torrents/incoming’ prefilled.
Next we are going to set a command to run when each torrent finishes to automatically extract any .rar files (Note if you have any issues with this I would recommend using Unpackerr the guide is on the menu)
Scroll down in the options to the ‘Run external program on torrent completion’ and enter the below, it tells qbittorrent to run unrar and extract the file to the same save path as the original file. This will not delete anything, so you can continue seeding.
unrar x "%D/*.r*" "%D/"
Advanced Network Settings
The last step is to tell qBittorrent to only use the tun0 interface for its traffic, go to the Advanced tab then from the ‘Network Interfaces’ drop down select ‘tun0’ and click Apply
I am not going to walk through all the other settings as you can customise these as you wish.
That’s it you are completely set up, I recommend having a quick read through the FAQ as it covers some questions you may have!
FAQs
Q: How can I update the GlueTUN containers?
A: See the Updating Containers section on the menu for a specific guide for GlueTUN
Q: How can I be sure the VPN connection is working?
A: Go to the TorGuard Check My Torrent IP site, right-click on the Green banner and copy the link (it’s a Magnet link) Then add this link into qBittorrent and start the torrent. Keeping the site open after a few seconds the site will show the IP address of the connection it finds. This will be of the VPN provider not your home IP. (Please note the torrent doesn’t actually download anything it’s purely doing an IP check)
Q: I tried to start Deluge / qBittorrent manually, and it says ‘Container must join at least one network’
A: This is due to the Synology Docker GUI not understanding that the container will be on the VPNs ‘network’. You will either need to start the container again via SSH or you can set up a manually triggered script via Task Scheduler you will only need to do use this if you ever stop the container.
Head into Control Panel and go to Task Scheduler, Click Create > Triggered Task > User Defined Task
| Section | Setting |
|---|---|
| Task Name | DockerVPNRestart |
| User | Root |
| Enabled | Leave Unticked |
In the ‘Task Settings’ tab enter the following and then click Save
docker-compose -f /volume1/docker/qbittorrentvpn.yml down
wait
docker-compose -f /volume1/docker/qbittorrentvpn.yml up -dQ: Everything seems to be connected but nothing is downloading.
Are you using TorGuard – If so they block torrents on their US servers. Change to another country – Also while you are at it, you may need to configure port forwarding in your TorGuard account.
Try grabbing the Ubuntu torrent as that is a sure fire way of testing as generally it has over 3k seeds.
Q: My container doesn’t seem to start on a reboot even with the TUN script.
A: I have seen this a few times and usually relates to the VPN not completing its connection fast enough before containers using the VPN start. You can try setting an additional startup script by doing the following.
Head into Control Panel and go to Task Scheduler Click Create > Triggered Task > User Defined Task
| Section | Setting |
|---|---|
| Task Name | DockerVPNBootUp |
| User | Root |
| Event | Boot Up |
| Pre Task | Select the TUN script from the drop-down |
In the ‘Task Settings’ tab enter the following and then click Save
sleep 120
docker-compose -f /volume1/docker/qbittorrentvpn.yml down
wait
docker-compose -f /volume1/docker/qbittorrentvpn.yml up -dProton VPN Port Forwarding Extra Step
Proton doesn’t allow you to choose your own port for port forwarding, so we need to add another container to the compose in order for this to be automatically updated for us. (Please note I am unable to test this personally it is based on Feedback via our Discord channel)
First don’t uncomment this line in the compose leave it disabled# - FIREWALL_VPN_INPUT_PORTS=40312
Next copy the code below to bottom of the compose file and then amend the following only leave the other options.
TZ= #ENTER YOUR TIMEZONEQBITTORRENT_SERVER= NAS IP or 172.20.0.1QBITTORRENT_USER=admin (change to the username you will be using later for qbit)QBITTORRENT_PASS=adminadmin (change to the password you will be using later for qbit)
Once added continue with the guide 🙂
qbittorrent-natmap:
# https://github.com/soxfor/qbittorrent-natmap
image: ghcr.io/soxfor/qbittorrent-natmap:latest
container_name: qbittorrent-natmap
restart: unless-stopped
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
- QBITTORRENT_SERVER= #NAS IP or 172.20.0.1
- QBITTORRENT_PORT=8090
- QBITTORRENT_USER=admin
- QBITTORRENT_PASS=adminadmin
# - VPN_GATEWAY=
# - VPN_CT_NAME=gluetun
# - VPN_IF_NAME=tun0
# - CHECK_INTERVAL=300
# - NAT_LEASE_LIFETIME=300
network_mode: service:gluetun
depends_on:
qbittorrent:
condition: service_started
gluetun:
condition: service_healthyQ: How can I add additional services to the VPN container?
A: Adding additional containers to the VPN network is very easy. As you can see in the example below I have added Prowlarr to the bottom of the compose. The only amendments are that the ‘network_mode’ uses the Gluetun container and the ports for Prowlarr have been moved up to the Gluetun containers ports section.
Also see the separate Prowlarr guide on the left menu for setting up FlareSolver (In the Extras section)
- 9696:9696 # add this to the ports section of GlueTUN
#add the below to the bottom of the compose
linuxserver-prowlarr:
image: linuxserver/prowlarr:latest
container_name: prowlarr
environment:
- PUID=1234 #CHANGE_TO_YOUR_UID
- PGID=65432 #CHANGE_TO_YOUR_GID
- TZ=Europe/London #CHANGE_TO_YOUR_TZ
volumes:
- /volume1/docker/prowlarr:/config
network_mode: service:gluetun # run on the vpn network
depends_on:
gluetun:
condition: service_healthy
restart: unless-stoppedQ: I Get a long error mentioning OCI when bringing up the containers.
A: Stop both the containers from the Docker UI and delete them, run the command again, and it should start up fine. If this still happens double check you have set your VPN providers settings correctly.
More will be added as questions come up
Looking for some help, join our Discord community
If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!
Buy me a beverage!
If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated. Plus 10% goes to the devs of the apps I do guides for every year.
Hi,
since couple of days , maybe very few weeks, the project can’t run anymore , I absolutely have not changed anything to my environment.
Prior that , from time to time , whole project could not be executed , my fix always been to delete and recreate (30 secs job and all was fine) or changing the wireguard server details (I picked up another country from my VPN provider) and all was always OK , this time I’m stuck I have no clue to resolve.
I hope the below will help pinpoint the issue.
WARN [dns] cannot update files: Get “https://www.internic.net/domain/named.root”: dial tcp: lookup http://www.internic.net on 1.1.1.1:53: read udp 10.103.177.2:51873->1.1.1.1:53: i/o timeout
INFO [dns] downloading DNS over TLS cryptographic files
INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
INFO [wireguard] Connecting to 104.254.92.42:257
INFO [wireguard] Using userspace implementation since Kernel support does not exist
INFO [firewall] allowing VPN connection…
INFO [vpn] starting
ERROR [wireguard] Failed to load updated MTU of device: failed to get MTU of TUN device: no such device
INFO [vpn] stopping
INFO [healthcheck] program has been unhealthy for 56s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
from ssh:
root@MINI-PC:~# insmod /lib/modules/tun.ko
insmod: ERROR: could not insert module /lib/modules/tun.ko: File exists
root@MINI-PC:~#
Thanks
Hey XT intermittent issues are the worst!
This on the face of it looks like DNS issues with the connection not being able to reach a look-up address that checks the connection is active. Can you try adding this to your environment variables section of GlueTUN. It will try using a different DNS provider.
Make sure you line up the spacing.
– DNS_ADDRESS=9.9.9.9
Thank you for quick answer ….. which I have seen only today
unfortunately this does not help , this new issue is not intermittent , it’s always failing like this , I really don’t know what to do
2023/10/23 21:12:25 stdout 2023-10-23T21:12:25+02:00 ERROR [ip getter] Get “https://ipinfo.io/”: dial tcp: lookup ipinfo.io on 9.9.9.9:53: read udp 10.103.177.2:40666->9.9.9.9:53: i/o timeout – retrying in 1m20s
2023/10/23 21:12:19 stdout 2023-10-23T21:12:19+02:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
SNIP
2023/10/23 21:11:23 stdout 2023-10-23T21:11:23+02:00 WARN [dns] cannot update files: Get “https://www.internic.net/domain/named.root”: dial tcp: lookup http://www.internic.net on 9.9.9.9:53: read udp 10.103.177.2:57729->9.9.9.9:53: i/o timeout
OK, snipped the above comment just to shorten it but can you ping me a copy of your yaml/compose information via my HelpMe! page so we can investigate further. Also would be good to know if you have the Firewall enabled either on the Synology box or upstream on your Router etc as have seen peoples Routers having a Firewall that blocked access etc.
Thanks ! it’s so good to feel supported 🙂
I’ve just copied and paste the YML on your pastebin.
I don’t have any FW on the Synology box , I have not touched anything ay my ISP router nor my router I’ve used in the middle ,absolutely nothing has changed in my environment , I ‘m sure of that.
You will need to give me the link to the pastebin as it’s so private I can’t see it without the link 🙂
If you don’t want to share Publically ping it over via my Help Me! page
Thanks , I am not the only one , https://github.com/qdm12/gluetun/issues/1333
issue has started suddendly , for me incompatibility with Synology and this container somehow
I’ve decided to move GluTun to an LXC container on my Proxmox Server , that’s for me the best option as I can’t test downgrade on Synology
Thanks for your detailed article. Have had this working well with TorGuard with port forwarding for the last few months.
I tried to add a second container of qBitttorrent, as I am using a 3TB external for music and plan to move it onto a separate synology in the future. Gave the instance a separate name and web port and accessed it fine.
My problems are with connectivity (I only get as good as the orange flame). First tried using the same open port as the first qBittorrent instance but soon realised this caused a conflict, as both containers probably cannot use the same port. So I set up another set of ports through TorGuard and played around with the port settings in Gluetun’s environment settings but failed with the following attempts:
1. – FIREWALL_VPN_INPUT_PORTS=XXXXX,YYYYY
2. – FIREWALL_VPN_INPUT_PORTS=XXXXX:YYYYY
3. – FIREWALL_VPN_INPUT_PORTS=XXXXX
– FIREWALL_VPN_INPUT_PORTS=YYYYY
I thought I had read that you could have multiple containers using the Gluetun service but I am failing miserably here.
Perhaps I am just best off doing a second compose file with a complete serparate Gluetun and qBittorrent containers (with different names)?
Hey
So you can have many containers on the VPN connection. however you will not be able to have the firewall input ports direct the same ports to two containers, it’s a bit like trying to forward the same ports to two PCs you can only use 1 set per container..
The method in theory would be..
Add a second instance of qbit to the compose and adjust its webui port and paths
– WEBUI_PORT=8091
The in the Gluetun section add this in
ports:
– 8888:8888/tcp # HTTP proxy
– 8388:8388/tcp # Shadowsocks
– 8388:8388/udp # Shadowsocks
– 8090:8090 # port for qbittorrent
– 8091:8091 # port for qbit second instance
The the second instance will need another set of port forwards from your VPN provider and these added into that section
– FIREWALL_VPN_INPUT_PORTS=12345,98765 #comma separated
Hope that makes sense if I get what you are trying to achieve..
Thanks for the quick reply (sorry mine wasn’t)!
Yes this worked and is exactly what I tried initially, so thank you for confirming. My issue in the end was not knowing that I had to reconfigure Wireguard for TorGuard every time you add new new ports to your dedicated IP VPN, (this usually only involves updating your private key in the .yml). This is all done now and for good measure I added a few more ports to save having to reconfigure again albeit quite quick to do.
Use case: setting up a separate client for music, as this resides on a different volume.
One thing I do notice which is odd but not the end of the world is that the WebUI is only reachable on one client at a time. For example, I connect to my original WebUI and it connects fine, but then as soon as I do the same for the new container I get “qBittorrent client is not reachable” on the old one. Refreshing the original WebUI then knocks out the new one. I am sure I didn’t have this issue last time.
Also, would just like to add, I think a lot of people would love a guide for cross-seed (fully automated) for this setup.
To add to this, both WebUIs work simultaneously through a Cloudfare tunnel so it looks like a local network issue perhaps?
Here’s my config anyway, hopefully this helps solve the problem:
services:
gluetun:
image: qmcgaw/gluetun
container_name: gluetun
cap_add:
– NET_ADMIN
devices:
– /dev/net/tun:/dev/net/tun
ports:
– 8888:8888/tcp # HTTP proxy
– 8388:8388/tcp # Shadowsocks
– 8388:8388/udp # Shadowsocks
– 8090:8090 # port for qbittorrent
– 8091:8091 # port for qbittorrent
volumes:
– /volume1/docker/gluetun:/gluetun
environment:
– PUID=1028
– PGID=100
– VPN_SERVICE_PROVIDER=custom
– VPN_TYPE=wireguard
– VPN_ENDPOINT_IP=REDACTED
– VPN_ENDPOINT_PORT=1443
– WIREGUARD_PUBLIC_KEY=REDACTED
– WIREGUARD_PRIVATE_KEY=REDACTED
– WIREGUARD_ADDRESSES=REDACTED
– TZ=GB
– DNS_ADDRESS=1.1.1.1
– HTTPPROXY=off #change to on if you wish to enable
– SHADOWSOCKS=off #change to on if you wish to enable
– FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.1.0/24 #change this in line with your subnet see note on guide.
– FIREWALL_VPN_INPUT_PORTS=58063,58064,58065,58066 #uncomment this line and change the port as per the note on the guide
network_mode: synobridge
labels:
– com.centurylinklabs.watchtower.enable=false
restart: unless-stopped
qbittorrent:
image: linuxserver/qbittorrent
container_name: qbittorrent
environment:
– PUID=1028
– PGID=100
– TZ=GB
– WEBUI_PORT=8090
volumes:
– /volume1/docker/qbittorrent:/config
– /volume1/data/torrents:/data/torrents
– /volumeUSB2/usbshare/downloading:/incoming
network_mode: service:gluetun # run on the vpn network
depends_on:
– gluetun
restart: unless-stopped
qbittorrent-music:
image: linuxserver/qbittorrent
container_name: qbitmusic
environment:
– PUID=1028
– PGID=100
– TZ=GB
– WEBUI_PORT=8091
volumes:
– /volume1/docker/qbitmusic:/config
– /volumeUSB3/usbshare/data/torrents:/data/torrents
network_mode: service:gluetun # run on the vpn network
depends_on:
– gluetun
restart: unless-stopped
Thanks for the clear write up. I was originally thinking it may be to do with both qbit instances running on port 8090 internally, but it looks like you mitigated that as you changed the WEB UI port. However, I wonder how that port is then routed to the underlying service as maybe that is the issue so while you are going to Instance 1s Web Port its routing to Instance 2s libtorrent instance. I will try and have a play at some point this week.
Thanks – yes it is quite odd, as I can run both Web UIs simultaneously through the same CloudFare tunnel.
Thanks for the quick reply (sorry mine wasn’t)!
Yes this worked and is exactly what I tried initially, so thank you for confirming. My issue in the end was not knowing that I had to reconfigure Wireguard for TorGuard every time you add new new ports to your dedicated IP VPN, (this usually only involves updating your private key in the .yml). This is all done now and for good measure I added a few more ports to save having to reconfigure again albeit quite quick to do.
Use case: setting up a separate client for music, as this resides on a different volume.
One thing I do notice which is odd but not the end of the world is that the WebUI is only reachable on one client at a time. For example, I connect to my original WebUI and it connects fine, but then as soon as I do the same for the new container I get “qBittorrent client is not reachable” on the old one. Refreshing the original WebUI then knocks out the new one. I am sure I didn’t have this issue last time.
Also, would just like to add, I think a lot of people would love a guide for cross-seed (fully automated) for this setup.
I am not sure why; but my qBittorrent notes an error and won’t save data. When I check the log file it indicates there is an permission denied error.
I am note using /data/ as my folder but rather /Media/ as my main folder and I’ve changed any reference to /data/ to /Media/).
Any clue what might be the issue?
Double check the permissions on the overall share that the Docker user you created has read/write access – then check that the subfolders down to the torrents’ folder also are owned by the same user. Failing that let me know, and I will reach out on your email.
Any updates about this issue? I am running into the same problem. I double checked that the docker user has read/write permissions to in /data and /docker
Log from qB:
File error alert. Torrent: “My.Torrent”. File: “/data/torrents/completed/My.Torrent/My.Tracker.txt”. Reason: “My.Torrent file_stat (/data/torrents/completed/My.Torrent/My.Tracker.txt) error: Permission denied”
Many thanks
Hey if you have checked you have used the correct PUID / PGID and the correct way around can you reach out to me via my Help Me! page, make sure you use an email I can reply to as I have had quite a few duck.com emails that just bounce.
I had written down the wrong number for the PGID – all is working now! Many thanks for the reply
Hello, I just updated to DSM 7.2-64570 Update 3 and now I get the error in Gluetun saying “error gathering device information while adding custom device “/dev/net/tun”: no such file or directory.
This was working fine until this update.
Thank you.
Have you tried running the TUN script manually – I have not received the update yet to test on my live system.
I had the same problem. The script for this is:
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
Thanks for this – I am hesitant to put this in the guide as seems a rarity for this error currently. But will keep it here in the comments for the moment
Thank you for putting together this guide. I’m running into an issue with wireguard in the gluetun container. Looks like it’s unable to utilize the TUN device. Seeing the following in the logs:
ERROR [wireguard] Failed to load updated MTU of device: failed to get MTU of TUN device: no such device
The startup script was configured and ran as prescribed. When I execute `lsmod | grep tun` I see that TUN is loaded. `sudo cat /dev/net/tun` returns `cat: /dev/net/tun: File descriptor in bad state` which I believe is expected as well.
Would really appreciate any suggestions on how I might resolve this.
Hey – Do a reboot this should get you running.
I tried rebooting the NAS, as well as deleting the containers, and running Docker compose again, but no luck, unfortunately. Still getting the same error. Another error shows up occasionally: “[vpn] cannot get version information.” Here are the logs in context:
INFO [vpn] starting
ERROR [wireguard] Failed to load updated MTU of device: failed to get MTU of TUN device: no such device
ERROR [vpn] cannot get version information: Get “https://api.github.com/repos/qdm12/gluetun/commits”: context canceled
INFO [vpn] stopping
Out of interest – are you doing this on a completely new install of DSM7.2 or an upgrade from 7.1.x
I’m actually currently on DSM 7.1.1-42962. Do I need to upgrade to 7.2 to use this guide?
No apologies mixed up guides lol – When you set up the TUN script is it running as root? If it is a still not working we have one other way for a quick fix.
Yep, it’s running as root and configured exactly like the guide specifies.
OK lets see why the script is not doing its thing. Go to the Task Scheduler click Settings at the top and then in the screen that appears choose a folder to save output results. Then run the script – can you post the output here…
If I manually run the script, then I see:
insmod: ERROR: could not insert module /lib/modules/tun.ko: File exists
Which makes sense, since it runs on start up.
If I restart my NAS and check the logs, they’re empty.
OK lets see if we can fix this..
Open up package centre and install the Synology VPN Server.
Once installed open it up and enable the OpenVPN server in the main settings page.
Do a reboot..
Then turn off the OpenVPN server.
Now try the container…
I followed those steps, but still getting that error unfortunately
OK this seems to be affecting you and one other person – funny how these things come along in pairs! The last time I have seen this problem was back in October last year.
Does it do it if you leave the openvpn server enabled?. If it still doesn’t work can you ping me a message via my HelpMe! page on the left menu.
Still no dice, unfortunately. Just reached out via HelpMe.