Hello! I’m trying to set up qbittorrent and gluetun using docker compose on my home server, using the free account of ProtonVPN.

On some posts I see that ports 8080, 6881 and 6881/UDP are open in gluetun. In the guide I followed, instead, only port 8080 is exposed. So I exposed port 8080 and it is not working. I launched the torrent of the EndeavourOS ISO image (that my laptop (with the same VPN) downloads in a few minutes with plenty of peers and seeds at about 4Mb/s), and it downloaded at an EXTREMELY low speed (a few B/s) for a few seconds, and then got stuck at stalled. When it is stalled, the qbittorrent container has no internet access (ping linux.org fails).

So my questions are:

  1. Which ports do I need to open on gluetun? If I open 6881, wouldn’t my IP be exposed, bypassing gluetun?
  2. What’s wrong with my setup? Why is the internet connection so slow when there is one, and why does it go away so often?
  3. Is this configuration secure? In case gluetun fails, would my IP be leaked?

Here are the two docker-compose.yml files:

version: "3"

services:
    gluetun:
        image: qmcgaw/gluetun
        container_name: gluetun
        cap_add:
            - NET_ADMIN
        environment:
            - VPN_SERVICE_PROVIDER=protonvpn
            - OPENVPN_USER=MYUSERHERE
            - OPENVPN_PASSWORD=MYPASSWORDHERE
            - SERVER_COUNTRIES=Netherlands
            - FREE_ONLY=on
        volumes:
            - ~/docker/gluetun/gluetun:/gluetun
        ports:
            - 8080:8080 # qBittorrent
        restart: unless-stopped

and

version: "3"
services:
  qbittorrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Rome
      - WEBUI_PORT=8080
    volumes:
      - ~/docker/qbittorrent/config:/config
      - ~/docker/qbittorrent/downloads:/downloads
    network_mode: "container:gluetun"
    #ports:
    #  - 8080:8080
    #  - 6881:6881
    #  - 6881:6881/udp
    restart: unless-stopped

And here are some logs:

2024-01-22T19:07:15Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: protonvpn
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Countries: netherlands
|   |       ├── Free only servers: yes
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: fL...BK
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
└── Enabled: yes
2024-01-22T19:07:15Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-01-22T19:07:15Z INFO [routing] adding route for 0.0.0.0/0
2024-01-22T19:07:15Z INFO [firewall] setting allowed subnets...
2024-01-22T19:07:15Z INFO [routing] default route found: interface eth0, gateway 172.29.0.1, assigned IP 172.29.0.2 and family v4
2024-01-22T19:07:15Z INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2024-01-22T19:07:15Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-01-22T19:07:15Z INFO [http server] http server listening on [::]:8000
2024-01-22T19:07:15Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-01-22T19:07:15Z INFO [firewall] allowing VPN connection...
2024-01-22T19:07:15Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2024-01-22T19:07:15Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-01-22T19:07:15Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]192.40.57.231:1194
2024-01-22T19:07:15Z INFO [openvpn] UDP link local: (not bound)
2024-01-22T19:07:15Z INFO [openvpn] UDP link remote: [AF_INET]192.40.57.231:1194
2024-01-22T19:07:21Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
2024-01-22T19:07:21Z INFO [vpn] stopping
2024-01-22T19:07:21Z INFO [vpn] starting
2024-01-22T19:07:21Z INFO [firewall] allowing VPN connection...
2024-01-22T19:07:21Z INFO [openvpn] OpenVPN 2.5.8 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Nov  2 2022
2024-01-22T19:07:21Z INFO [openvpn] library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10
2024-01-22T19:07:21Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.107.56.235:1194
2024-01-22T19:07:21Z INFO [openvpn] UDP link local: (not bound)
2024-01-22T19:07:21Z INFO [openvpn] UDP link remote: [AF_INET]185.107.56.235:1194
2024-01-22T19:07:22Z WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1634'
2024-01-22T19:07:22Z WARN [openvpn] 'tun-mtu' is used inconsistently, local='tun-mtu 1532', remote='tun-mtu 1500'
2024-01-22T19:07:22Z WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2024-01-22T19:07:22Z INFO [openvpn] [node-nl-164.protonvpn.net] Peer Connection Initiated with [AF_INET]185.107.56.235:1194
2024-01-22T19:07:23Z INFO [openvpn] setsockopt TCP_NODELAY=1 failed
2024-01-22T19:07:23Z INFO [openvpn] TUN/TAP device tun0 opened
2024-01-22T19:07:23Z INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2024-01-22T19:07:23Z INFO [openvpn] /sbin/ip link set dev tun0 up
2024-01-22T19:07:23Z INFO [openvpn] /sbin/ip addr add dev tun0 10.25.0.5/16
2024-01-22T19:07:23Z INFO [openvpn] UID set to nonrootuser
2024-01-22T19:07:23Z INFO [openvpn] Initialization Sequence Completed
2024-01-22T19:07:23Z INFO [dns] downloading DNS over TLS cryptographic files
2024-01-22T19:07:24Z INFO [healthcheck] healthy!
2024-01-22T19:07:24Z INFO [dns] downloading hostnames and IP block lists
2024-01-22T19:07:32Z INFO [healthcheck] unhealthy: dialing: dial tcp4: lookup cloudflare.com: i/o timeout
2024-01-22T19:07:32Z INFO [dns] init module 0: validator
2024-01-22T19:07:32Z INFO [dns] init module 1: iterator
2024-01-22T19:07:32Z INFO [dns] start of service (unbound 1.17.1).
2024-01-22T19:07:33Z INFO [dns] generate keytag query _ta-4a5c-4f66. NULL IN
2024-01-22T19:07:33Z INFO [healthcheck] healthy!
2024-01-22T19:07:33Z INFO [dns] ready
2024-01-22T19:07:33Z INFO [vpn] You are running on the bleeding edge of latest!
2024-01-22T19:07:33Z INFO [ip getter] Public IP address is 185.107.56.251 (Netherlands, North Holland, Amsterdam)
    • finestnothing@lemmy.world
      9 upvotes · 4 months ago

      Yep, their free servers are great for trying out the service and web browsing if you don’t mind it being slow, but none of the free servers are p2p enabled. Only paid servers have p2p.

    • tubbadu@lemmy.kde.socialOP
      1 upvote · 4 months ago

      Uhm, I just searched and yes, it shouldn’t be allowed, but I have always done it on my desktop without issues, except for it being a bit slow but nothing to worry about. Perhaps they will block it after a certain rate?

      • zingo@lemmy.ca
        4 upvotes · 4 months ago

        Yes, I couldn’t even use whoogle with the free tier as I got ratelimited on normal search queries.

        Needless to say that many ppl share the same (proton vpn IP) on the free tier.

              • Kuinox@lemmy.world
                2 upvotes · edited · 4 months ago

                They want you to install their client, but it’s WireGuard under the hood, so you can make it work with gluetun.
                You need to generate a WireGuard config file with this tool: https://github.com/ViRb3/wgcf
                There is a bug with gluetun which makes it not accept nameservers for a custom WireGuard config: https://github.com/qdm12/gluetun/issues/2042
                So you will need to resolve the IP yourself.
                Personally, I set it up through TrueNAS, and I didn’t manage to make it work with a file config, so I passed everything through environment variables.
                Use this wiki if you are lost: https://github.com/qdm12/gluetun-wiki/blob/main/setup/providers/custom.md#wireguard
                It outputs in the USA for me, and it torrents at a very decent speed, 150-200/Mbps.
                And yes, it’s free.

                • tubbadu@lemmy.kde.socialOP
                  1 upvote · 4 months ago

                  Hi! I tried to configure it as you suggested:

                  • I used wgcf to generate wgcf-profile.conf
                  • I then configured gluetun with the following docker compose file:
                  version: "3"
                  
                  services:
                    gluetun:
                      image: qmcgaw/gluetun
                      container_name: gluetun
                      cap_add:
                        - NET_ADMIN
                      environment:
                        - VPN_SERVICE_PROVIDER=custom
                        - VPN_TYPE=wireguard
                        - VPN_ENDPOINT_IP=162.159.192.1 # I resolved the ip running `host engage.cloudflareclient.com`
                        - VPN_ENDPOINT_PORT=2408 # Endpoint from wgcf-profile.conf (engage.cloudflareclient.com:2408)
                        - WIREGUARD_PUBLIC_KEY=asdfghjklqwertyuiopzxcvbnm # PublicKey from wgcf-profile.conf
                        - WIREGUARD_PRIVATE_KEY=lkjhgfdsapoiuytrewqmnbvcxz # PrivateKey from wgcf-profile.conf
                        # - WIREGUARD_PRESHARED_KEY= # I didn't find anything about this in wgcf-profile.conf, but in gluetun wiki it says it's optional, so I removed it
                        - WIREGUARD_ADDRESSES=172.16.0.2/32 # Address from wgcf-profile.conf (the first one)
                      volumes:
                        - ./gluetun:/gluetun
                      ports:
                        - 8080:8080 # qBittorrent
                      restart: unless-stopped
                  

                  However, it is stuck in a loop trying to authenticate:

                  2024-01-24T09:59:48Z INFO [vpn] starting
                  2024-01-24T09:59:48Z INFO [firewall] allowing VPN connection...
                  2024-01-24T09:59:48Z INFO [wireguard] Using available kernelspace implementation
                  2024-01-24T09:59:48Z INFO [wireguard] Connecting to 162.159.192.1:2480
                  2024-01-24T09:59:48Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
                  2024-01-24T10:01:11Z INFO [healthcheck] program has been unhealthy for 1m21s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
                  2024-01-24T10:01:11Z INFO [vpn] stopping
                  2024-01-24T10:01:11Z INFO [vpn] starting
                  2024-01-24T10:01:11Z INFO [firewall] allowing VPN connection...
                  2024-01-24T10:01:11Z INFO [wireguard] Using available kernelspace implementation
                  2024-01-24T10:01:11Z INFO [wireguard] Connecting to 162.159.192.1:2480
                  2024-01-24T10:01:11Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
                  2024-01-24T10:01:19Z INFO [dns] downloading DNS over TLS cryptographic files
                  2024-01-24T10:01:34Z WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
                  2024-01-24T10:01:34Z INFO [dns] attempting restart in 10m40s
                  2024-01-24T10:01:47Z ERROR [ip getter] Get "https://ipinfo.io/": context deadline exceeded (Client.Timeout exceeded while awaiting headers) - retrying in 10m40s
                  2024-01-24T10:02:38Z INFO [healthcheck] program has been unhealthy for 1m26s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
                  2024-01-24T10:02:38Z INFO [vpn] stopping
                  2024-01-24T10:02:38Z INFO [vpn] starting
                  2024-01-24T10:02:38Z INFO [firewall] allowing VPN connection...
                  2024-01-24T10:02:38Z INFO [wireguard] Using available kernelspace implementation
                  2024-01-24T10:02:38Z INFO [wireguard] Connecting to 162.159.192.1:2480
                  2024-01-24T10:02:38Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
                  2024-01-24T10:04:09Z INFO [healthcheck] program has been unhealthy for 1m31s: restarting VPN (see https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md)
                  2024-01-24T10:04:09Z INFO [vpn] stopping
                  2024-01-24T10:04:09Z INFO [vpn] starting
                  2024-01-24T10:04:09Z INFO [firewall] allowing VPN connection...
                  2024-01-24T10:04:09Z INFO [wireguard] Using available kernelspace implementation
                  2024-01-24T10:04:09Z INFO [wireguard] Connecting to 162.159.192.1:2480
                  2024-01-24T10:04:09Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
                  

                  Is my configuration correct or am I missing something?

                  thank you very very much in advance!
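
The log in the comment above reports `Connecting to 162.159.192.1:2480`, while the posted compose file sets `VPN_ENDPOINT_PORT=2408`. As an added example (not part of the original thread and not gluetun's own code), this script compares the configured endpoint with what gluetun logs and counts healthcheck restarts; the function names are hypothetical and the sample input is shortened from the post.

```python
import re

# Sample input shortened from the compose file and gluetun log in the post above.
SAMPLE_ENV = """\
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=162.159.192.1 # resolved with `host`
      - VPN_ENDPOINT_PORT=2408 # Endpoint from wgcf-profile.conf
"""
SAMPLE_LOG = """\
2024-01-24T09:59:48Z INFO [wireguard] Connecting to 162.159.192.1:2480
2024-01-24T10:01:11Z INFO [healthcheck] program has been unhealthy for 1m21s: restarting VPN
2024-01-24T10:01:11Z INFO [wireguard] Connecting to 162.159.192.1:2480
2024-01-24T10:01:47Z ERROR [ip getter] Get "https://ipinfo.io/": context deadline exceeded
2024-01-24T10:02:38Z INFO [healthcheck] program has been unhealthy for 1m26s: restarting VPN
"""

# Matches active (not commented-out) list entries in a compose environment block.
ENV_RE = re.compile(r"^\s*-?\s*VPN_ENDPOINT_(IP|PORT)=(\S+)", re.M)
DIAL_RE = re.compile(r"\[wireguard\] Connecting to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def configured_endpoint(env_text):
    """Return (ip, port) from VPN_ENDPOINT_IP / VPN_ENDPOINT_PORT, or None."""
    found = dict(ENV_RE.findall(env_text))
    if "IP" not in found or not found.get("PORT", "").isdigit():
        return None
    return found["IP"], int(found["PORT"])


def logged_endpoints(log_text):
    """Return every distinct ip:port that gluetun reported dialing."""
    return {(ip, int(port)) for ip, port in DIAL_RE.findall(log_text)}


def restart_count(log_text):
    """Count VPN restarts triggered by the healthcheck."""
    return len(re.findall(r"\[healthcheck\].*restarting VPN", log_text))


def diagnose(env_text, log_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    cfg = configured_endpoint(env_text)
    if cfg is None:
        findings.append("VPN_ENDPOINT_IP/VPN_ENDPOINT_PORT not found in environment")
    for ip, port in sorted(logged_endpoints(log_text)):
        if cfg is not None and (ip, port) != cfg:
            findings.append(f"endpoint mismatch: configured {cfg[0]}:{cfg[1]}, "
                            f"log shows {ip}:{port}")
    restarts = restart_count(log_text)
    if restarts and "[healthcheck] healthy!" not in log_text:
        findings.append(f"{restarts} healthcheck restarts and no 'healthy!' line")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_ENV, SAMPLE_LOG):
        print(line)
```

To run it against a live container, pass the output of `docker logs gluetun` and the environment block of the compose file to `diagnose` in place of the samples.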

          • folkrav@lemmy.ca
            2 upvotes · 4 months ago

            Their very existence in our capitalistic market would heavily raise my suspicions as to what they do with my traffic not to be immediately running at a loss.

  • Azzu@lemm.ee
    9 upvotes · edited · 4 months ago

    Maybe your server just has Gluetun intolerance…

    • tubbadu@lemmy.kde.socialOP
      1 upvote · 4 months ago

      Uh this is very interesting actually! I’ll try to install it and see if this works, thank you very much!

  • R7KT@lemmy.world
    5 upvotes · edited · 4 months ago

    I can’t answer all your questions but I am using a similar setup. To my knowledge the free tier on proton doesn’t allow torrent traffic, this could explain why you see the connection fail after some time.

    You do have to open 6881 on gluetun. You do need to make sure that your qbit is utilizing your gluetun connection. I am using docker and have the qbit container use gluetun network. That way, if something happens to gluetun, qbit won’t failover to your host’s network and leak your ip.

    • tubbadu@lemmy.kde.socialOP
      2 upvotes · 4 months ago

      Thanks for the answer! On my desktop with the same account I’m able to torrent without any problems, I’ve done it for years, I don’t think it’s a problem.

      I’ll try to open the port and see if it works, thanks!

  • Decronym@lemmy.decronym.xyzB
    2 upvotes · edited · 4 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters | More Letters
    DNS | Domain Name Service/System
    IP | Internet Protocol
    SSL | Secure Sockets Layer, for transparent encryption
    TLS | Transport Layer Security, supersedes SSL
    VPN | Virtual Private Network

    4 acronyms in this thread; the most compressed thread commented on today has 3 acronyms.

    [Thread #451 for this sub, first seen 24th Jan 2024, 10:15] [FAQ] [Full list] [Contact] [Source code]

  • stown@sedd.it
    1 upvote · 4 months ago

    Port 8080 is where the Web-UI / Web-API is running. If you want to be able to upload data and not just leech, you need to forward port 6881 (and probably also tell QBT to listen on that port).