qBittorrent, WireGuard and OpenVPN
Docker container which runs the latest qBittorrent-nox client while connecting to WireGuard or OpenVPN with iptables killswitch to prevent IP leakage when the tunnel goes down.
- Base: Debian bullseye-slim
- qBittorrent compiled from source
- libtorrent compiled from source
- Compiled with the latest version of Boost
- Compiled with the latest versions of CMake
- Selectively enable or disable WireGuard or OpenVPN support
- IP tables killswitch to prevent IP leaking when VPN connection fails
- Configurable UID and GID for config files and /downloads for qBittorrent
- Created with Unraid in mind
- BitTorrent port 8999 exposed by default
| Variable | Required | Function | Example | Default |
|---|---|---|---|---|
VPN_ENABLED |
Yes | Enable VPN (yes/no)? | VPN_ENABLED=yes |
yes |
VPN_TYPE |
Yes | WireGuard or OpenVPN (wireguard/openvpn)? | VPN_TYPE=wireguard |
openvpn |
VPN_USERNAME |
No | If username and password provided, configures ovpn file automatically | VPN_USERNAME=ad8f64c02a2de |
|
VPN_PASSWORD |
No | If username and password provided, configures ovpn file automatically | VPN_PASSWORD=ac98df79ed7fb |
|
LAN_NETWORK |
Yes (atleast one) | Comma delimited local Network's with CIDR notation | LAN_NETWORK=192.168.0.0/24,10.10.0.0/24 |
|
LEGACY_IPTABLES |
No | Use iptables (legacy) instead of iptables (nf_tables) |
LEGACY_IPTABLES=yes |
|
ENABLE_SSL |
No | Let the container handle SSL (yes/no)? | ENABLE_SSL=yes |
yes |
NAME_SERVERS |
No | Comma delimited name servers | NAME_SERVERS=1.1.1.1,1.0.0.1 |
1.1.1.1,1.0.0.1 |
PUID |
No | UID applied to /config files and /downloads | PUID=99 |
99 |
PGID |
No | GID applied to /config files and /downloads | PGID=100 |
100 |
UMASK |
No | UMASK=002 |
002 |
|
HEALTH_CHECK_HOST |
No | This is the host or IP that the healthcheck script will use to check an active connection | HEALTH_CHECK_HOST=one.one.one.one |
one.one.one.one |
HEALTH_CHECK_INTERVAL |
No | This is the time in seconds that the container waits to see if the internet connection still works (check if VPN died) | HEALTH_CHECK_INTERVAL=300 |
300 |
HEALTH_CHECK_SILENT |
No | Set to 1 to supress the 'Network is up' message. Defaults to 1 if unset. |
HEALTH_CHECK_SILENT=1 |
1 |
HEALTH_CHECK_AMOUNT |
No | The amount of pings that get send when checking for connection. | HEALTH_CHECK_AMOUNT=10 |
1 |
RESTART_CONTAINER |
No | Set to no to disable the automatic restart when the network is possibly down. |
RESTART_CONTAINER=yes |
yes |
INSTALL_PYTHON3 |
No | Set this to yes to let the container install Python3. |
INSTALL_PYTHON3=yes |
no |
ADDITIONAL_PORTS |
No | Adding a comma delimited list of ports will allow these ports via the iptables script. | ADDITIONAL_PORTS=1234,8112 |
|
DOWNLOADS_PATH |
Yes | Location on the host OS where torrents will be stored | /d/PlexMedia |
none |
DOWNLOADS_MOVIES_PATH |
No | /d/PlexMedia/Movies |
||
DOWNLOADS_TV_PATH |
No | /d/PlexMedia/TV |
||
DOWNLOADS_MUSIC_PATH |
No | /d/PlexMedia/Music |
||
DOWNLOADS_TORRENT_FILES |
No | Location to store .torrent files to track where files originated | /d/PlexMedia/TorrentFiles |
| Volume | Required | Function | Example |
|---|---|---|---|
config |
Yes | qBittorrent, WireGuard and OpenVPN config files | /your/config/path/:/config |
downloads |
No | Default downloads path for saving downloads | /your/downloads/path/:/downloads |
| Port | Proto | Required | Function | Example |
|---|---|---|---|---|
8280 |
TCP | Yes | qBittorrent WebUI | 8280:8080 |
8999 |
TCP | Yes | qBittorrent TCP Listening Port | 8999:8999 |
8999 |
UDP | Yes | qBittorrent UDP Listening Port | 8999:8999/udp |
Access https://IPADDRESS:PORT from a browser on the same network. (for example: https://192.168.0.90:8280)
Default username is admin. Password is generated at first startup and can be found in the container logs. The password can be changed from the WebUI after logging in.
The container will fail to boot if VPN_ENABLED is set and there is no valid .conf file present in the /config/wireguard directory. Drop a .conf file from your VPN provider into /config/wireguard and start the container again. The file must have the name wg0.conf, or it will fail to start.
If you use WireGuard and also have IPv6 enabled, it is necessary to add the IPv6 range to the LAN_NETWORK environment variable.
Additionally the parameter --sysctl net.ipv6.conf.all.disable_ipv6=0 also must be added to the docker run command, or to the "Extra Parameters" in Unraid.
The full Unraid Extra Parameters would be: --restart unless-stopped --sysctl net.ipv6.conf.all.disable_ipv6=0"
If you do not do this, the container will keep on stopping with the error RTNETLINK answers permission denied.
Since I do not have IPv6, I am did not test.
The container will fail to boot if VPN_ENABLED is set and there is no valid .ovpn file present in the /config/openvpn directory. Drop a .ovpn file from your VPN provider into /config/openvpn (if necessary with additional files like certificates) and start the container again. You may need to edit the ovpn configuration file to load your VPN credentials from a file by setting auth-user-pass.
Note: The script will use the first ovpn file it finds in the /config/openvpn directory. Adding multiple ovpn files will not start multiple VPN connections.
auth-user-pass credentials.conf
username
password
User ID (PUID) and Group ID (PGID) can be found by issuing the following command for the user you want to run the container as:
id <username>
If you are having issues with this container please submit an issue on GitHub.
Please provide logs, Docker version and other information that can simplify reproducing the issue.
If possible, always use the most up to date version of Docker, you operating system, kernel and the container itself. Support is always a best-effort basis.
MarkusMcNugen/docker-qBittorrentvpn
DyonR/jackettvpn
This projects originates from MarkusMcNugen/docker-qBittorrentvpn, but forking was not possible since DyonR/jackettvpn uses the fork already.