A simple step by step guide on how to configure JDownloader 2 to run inside a Docker container (on a Synology NAS) with only its traffic routed through NordVPN.

• Synology NAS running DSM 6.2
• Default Synology Docker application
• JDownloader running on a container
• NordVPN running on a separate container

Some of the tips in the Troubleshooting section might also apply to other Docker hosts or VPN clients.

One JDownloader container with its traffic routed through another container with NordVPN. All other containers and the host itself stay unaffected and accesible on LAN.

The Synology NAS is a great tool even if only for its basic functionality. However, many will use it for many purposes, just like me. For example, this is a small insight into my setup:

• Shared folders
• Volume dedicated to Time Machine
• Plex Server
• Docker
  • Pi-Hole
  • Ombi server for Plex
  • Telegram Bot for Ombi
  • Homebridge
  • On-demand Minecraft servers

For a while I used a regular installation of JDownloader 2 for DSM. The next move is then to route the traffic for JDownloader through the VPN.

Indeed, it can. If what you are looking for is to route all the traffic through the VPN, go ahead and follow the simple official setup guide. It works fine and does exactly what it's supposed to.

But take a second look at my setup above. As soon as all traffic goes through the VPN, everything starts to slow down, fall apart and I lose local and/or remote access to the rest of containers and applications; far from ideal.

To follow the steps below you will need to SSH into your Synology NAS.

1. Open the Synology Control Panel and navigate to Terminal & SNMP.
2. Check the option Enable SSH service. Although not strictly necessary, it is recommended to specify a port other than the default 22.

Now you can simply SSH into your Synology NAS like this:

ssh <user>@<Synology local IP> -p <port>

Example:

ssh michael@192.168.0.2 -p 77

You will now be prompted to enter the password for the user.

As noted in the image above, only Synology users belonging to the administrators group can login using SSH.

1. Open the Package Center and search for Docker
2. Click on Install and follow the instructions.

All the commands used in this sections are to be used from within the SSH session.

Running sudo commands will prompt you to enter a password from time to time. Use the password for the Synology user currently logged into the SSH-session.

We will be using the following Docker images:

• bubuntux/nordvpn
  • https://hub.docker.com/r/bubuntux/nordvpn
• jlesage/jdownloader-2
  • https://hub.docker.com/r/jlesage/jdownloader-2

To install them:

1. Open the Docker application inside Synology.
2. Navigate to Image and click on Add > Add from URL.
3. In the prompt, enter the image's URL and click on Add.
4. If prompted to, select the latest tag and continue.

We could create the containers from within the Docker GUI, however, the functionality is limited and not all options we need are available.

Since the jdownloader container needs to use the network provided by the nordvpn container, we need to create nordvpn first:

sudo docker run -ti \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
--device /dev/net/tun \
--name nordvpn \
-e USER=<NORDVPN_EMAIL> \
-e PASS='<NORDVPN_PASSWORD>' \
-e CONNECT=de \
-e TECHNOLOGY=NordLynx \
-e NETWORK=<ROUTER_LOCAL_IP>/24 \
-e TZ=Europe/Berlin \
-p 5800:5800 \
-p 3129:3129 \
-d bubuntux/nordvpn

Just in case you were wondering what those \ at the end of each line are doing: They tell your Terminal not to execute the command but instead await a new line. This is often done for easier readability when using lots of arguments.

You will need to replace the following information:

Please refer to the official NordVPN Docker documentation for a detailed description of the rest of parameters.

Take a look at the command above again. You might have noticed these two lines:

-p 5800:5800 \
-p 3129:3129 \

Those are port mappings between the host and the container. We will need those in order to be able to access the jdownloader container. However, since it's the nordvpn container who creates the network, they must be specified here.

This container requires two volumes to be mounted, /config and /output. If necessary, create the necessary folders in your Synology NAS.

Volumes are mounted using the syntax: -v "<host path>:<container path>:rw". The :rw at the end denotes the container will have read/write access rights.

We can now run the jdownloader container:

sudo docker run -ti \
--network=container:nordvpn \
--name jdownloader \
-v "/volume1/docker/jdownloader:/config:rw" \
-v "/volume1/Downloads:/output:rw" \
-d jlesage/jdownloader-2

In case you ever need to delete the jdownloader container, as long as you map the /config directory from the container to the same path on your host, your configuration will still be available. Furthermore, (although untested) in case you already have a JDownloader configuration, you should be able to use it by mounting the corresponding directory.

You can now open your browser and navigate to http://<Synology NAS IP>:5800 and you should be able to reach your JDownloader instance running inside the Docker container.

When starting your first download, it is possible that JDownloader will show an error regarding Invalid download directory. This is due to the fact that, although we mounted the /output directory, the user for which the jdownloader container is running doesn't have the necessary access rights. Please refer to the Troubleshooting section further down for a step by step fix.

Phew...job done, right!?

Well, I would recommend setting up MyJDownloader to access your JDownloader. This has a few advantages:

• Access remotely, not just from your local network (or messing around with port forwarding rules in your router)
• Access from mobile apps
• "Native" browser interface, instead of a application interface from within the browser
• You don't sacrifice anything and still can tweak all possible settings, update, restart, etc.

From the Settings menu you can enter your MyJDownloader credentials (or create a new account), as well as give it a shiny new name you like.

If you need to paste anything from your computer's clipboard into the JDownloader running inside the browser, you can use the tool in the top right corner of the windows. This might be the case if you use a long, auto-generated password stored in a password manager (which you totally should be using, btw.).

Once you enter your credentials and your JDownloader is linked with your MyJDownloader account, you can close this windows and never open it again. Head over to https://my.jdwonloader.org and you should be able to access from there.

Since we won't be needing to access the application using the port 5800 anymore, we could, theoretically, remove its mapping from the nordvpn container to limit LAN access to our JDownloader.

Let me guess what you are thinking: How could I exploit this to bypass download limits? Well, I won't go into that. However, when you connect to a new VPN server, you usually get a new IP. I'll leave it at that.

Keep in mind: If you restart the nordvpn container, you will have to restart the jdownloader container, too. Additionally, restarting your nordvpn container might reconnect you to the same server you were already connected to.

You can enter into the docker container through the terminal using:

sudo docker exec -it nordvpn bash

You can read more about NordVPN commands in the official NordVPN Linux guide.

Indeed, if we take a look at the Docker log, we will find an Error entry with the following Event:

Start container nordvpn failed: {"message":"linux runtime spec devices: error gathering device information while adding custom device \"/dev/net/tun\": no such file or directory"}.

If we were running the container from the console, it could look like this:

Error response from daemon: linux runtime spec devices: error gathering device information while adding custom device "/dev/net/tun": no such file or directory.

I found the solution here does do the trick. Type in these two commands

sudo insmod /lib/modules/tun.ko

No response here is perfectly normal. Go on with the second one:

insmod /lib/modules/iptable_mangle.ko

If it returns the error insmod: ERROR: could not insert module /lib/modules/iptable_mangle.ko: File exists that's perfectly fine. You should now be able to restart the nordvpn container using:

sudo docker container restart nordvpn

When Docker runs your jdownloader container, it does so by using a specific user and group ID. This error occurs when your jdownloader uses the ID of a user that doesn't have read/write permissions for the mounted volume (Synology path) mounted as /output.

The easiest fix for this is to run the container using your user and group IDs. To find out what these IDs are, just type in:

id

which should give you an output like this:

uid=1026(michael) gid=100(users) groups=100(users),101(administrators)

Now we must tell Docker to run jdownloader as user (uid) 1026 and group (gid) 100.

1. Stop jdownloader from the Docker GUI.
2. Right click on it and select Edit.
3. Go to the Environment tab and enter the corresponding uid and gid that you got when running the id command.

Our jdownloader container requires the information on restart about which network to join. You will see the error above if you try to start the container from the Synology Docker GUI. Instead, you can do this from the console:

sudo docker container restart jdownloader