ANSWERED Help with Gluetun & Qbittorrent

[DownTheRabbitHole 1]

Hi everyone, I'm kind of pulling my hair out with this one...

I've tried to set up a docker container with gluetun (wireguard) and qbittorrent, and it looks like both are working, with qbittorrent WebUI accessible on the forwarded port from Airvpn, but it won't connect to trackers.

Here is my compose.yaml file
 

services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 27586:27586 # Web UI port for qBittorrent
      - 27587:27587
      - 27587:27587/udp # tried this to get it to use this port for trackers
    devices:
      - /dev/net/tun:/dev/net/tun
#    volumes:
#      - /srv/docker/gluetun:/gluetun
#      - /srv/docker/gluetun/wireguard.conf:/gluetun/wireguard.conf:ro # Read-only WireGuard config
    environment:
      - VPN_SERVICE_PROVIDER=airvpn # Use custom to manually specify WireGuard
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=[redacted]=
      - WIREGUARD_PRESHARED_KEY=[redacted]=
      - WIREGUARD_ADDRESSES=10.150.191.110/32 #ipv6 omitted because it crashes gluetun, seems not available
      - SERVER_REGIONS=Europe
      - FIREWALL_VPN_INPUT_PORTS=27586
      - TZ=Asia/Tokyo # Adjust to your time zone
    restart: unless-stopped

  qbittorrent:
     image: lscr.io/linuxserver/qbittorrent
     container_name: qbittorrent
     network_mode: "service:gluetun" # Forces qBittorrent to use Gluetun's network stack
     environment:
      - PUID=1000 # Change to your user ID
      - PGID=1000 # Change to your group ID
      - TZ=Asia/Tokyo # Adjust to your time zone
      - WEBUI_PORT=27586
     volumes:
      - /srv/docker/qbittorrent/config:/config # qBittorrent configuration
      - /tank/Remote_Downloads:/downloads
     restart: unless-stopped

I would love if someone could walk me through fixing this. I've kind of hit the limit of me being able to figure this out myself. Bonus points if there's a way to make the webUI available on the local subnet (10.77.77.0/24) or even just on the localhost. Would also be okay with gluetun and qbittorrent being in different containers. In a pinch, would be willing to change torrent clients, but I need support for RSS feeds.

[ByteBuccaneer 3]

Some differences between yours and mine are:

1. I also use Wireguard and I have "- WIREGUARD_PUBLIC_KEY=[redacted]" and you don't;
2. I don't have any volumes set up, everything in the docker compose;
3. You aren't specifying the latest image, consider using "qmcgaw/gluetun:latest";
4. I do not use CIDR notation for the "WIREGUARD_ADDRESSES" and you do, consider trying it without the "/32";
5. Are you sure your forwarded port is in AirVPN's pool #1? For P2P it has to be.

For qBittorrent:

1. again use the latest: "lscr.io/linuxserver/qbittorrent:latest"
2. consider adding the following for robustness: "depends_on:
         gluetun:
           condition: service_healthy
           restart: true"
3. You don't have "TORRENTING_PORT=[your pool #1 port number]";

Its usually best to have these in the same stack, not separate containers. Keep trying, it DOES work.

 

[DownTheRabbitHole 1]

Thanks. Where would I add:

depends_on:
      gluetun:
        condition: service_healthy
        restart: true

Would I need to have TORRENTING_PORT set if I'm using the default 6881 (which is what is forwarded to 27587 on Airvpn)
?

[ByteBuccaneer 3]

It would probably be faster for everyone to simply show you my stack:
 

# This is a P2P demonstration stack template which has been tested to work well with AirVPN as of January 2025.
# Use AirVPN's config generator to obtain your specific values (https://airvpn.org/generator). Make sure to specify your device.
# Remember that the indentation of a Docker Compose file is important.

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PUBLIC_KEY= # copy from config file
      - WIREGUARD_PRIVATE_KEY= # copy from config file
      - WIREGUARD_PRESHARED_KEY= # copy from config file
      - WIREGUARD_ADDRESSES= # copy from config file
      - SERVER_REGIONS= # optional, comma seperated list, no spaces after commas, make sure it matches the config you created
      - SERVER_COUNTRIES= # optional, comma seperated list, no spaces after commas, make sure it matches the config you created
      - SERVER_CITIES= # optional, comma seperated list, no spaces after commas, make sure it matches the config you created
      - FIREWALL_VPN_INPUT_PORTS= # mandatory, the port number AirVPN forwarded for you (from pool #1) should appear here
      - TZ= # choose timezone value from list at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones (e.g.: Asia/Tokyo)
    ports:
      - 8080:8080 # qbittorrent web GUI, port number can be changed BUT it must match WEBUI_PORT in qbittorrent service environment
      - (port forwarded from AirVPN):(port forwarded from AirVPN) # also place in TORRENTING_PORT field in qbittorrent service environment
    restart: unless-stopped

  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    depends_on:
      gluetun:
        condition: service_healthy
        restart: true
    environment:
      - PUID= # your desired user's number
      - PGID= # your desired user's group number
      - TZ= # choose timezone value from list at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
      - WEBUI_PORT=8080 # must match "qbittorrent web GUI" port number in gluetun's service above
      - TORRENTING_PORT=(port forwarded from AirVPN) # must match forwarded port number in gluetun's service above
    volumes:
      - /mnt/(your folder structure here):/config # directory you want to save your qbittorrent config files
      - /mnt/(your folder structure here):/downloads # qbittorrent download location
    restart: unless-stopped
    network_mode: "service:gluetun" # this is what forces qbittorrent to only use the VPN connection from gluetun

Hope this helps!
 

[DownTheRabbitHole 1]

Thanks @ByteBuccaneer, that was helpful.

Qbittorrent is up and running, webGUI accessible on port 8082 on local network. It is also now seeing the peers and seeds. Had some file permissions issue because I didn't realize that all volumes had to be added for various download location. (Also, what's up with Qbittorrent not having a directory browser in their WebGUI?!)

My only problem now is that although I have port 8082 forwarded to 27586 on Airvpn, my webGUI isn't available there and the port shows as not open. My Firewall line is:

FIREWALL_VPN_INPUT_PORTS=8082,27586,27587

Put in both the GUI port and the forwarded port (and the torrenting port) just for good measure.

And in the qbittorrent section:

      - WEBUI_PORT=8082
      - TORRENTING_PORT=27587



Any ideas?

[ByteBuccaneer 3]

Sounds like you are making great progress, congrats! 

It sounds to me like everything is working as it should now, so we need to either:

1. reset your expectations and correct your assumptions, or
2. have you communicate why you think something should work a certain way or what your goals are.

Putting your first and third posts together, it sounds like you expect to see the WebGUI on multiple ports. Can you explain why you would want that? I'm not going to say you couldn't engineer that, but I'm going to challenge your thinking here. Let's assume your machine has a local network static IP of 10.77.77.42; you access the WebGUI with http://10.77.77.42:8082 right? Why do you need additional access on port 27586? Are you trying to admin qBittorrent from outside your network? You haven't stated that before which is why I ask.

Many users are uncomfortable exposing their WebGUI to the world, so you need to be clear that this is your desire (and secure it with https before doing so!). How many ports do you have forwarded from AirVPN? Are ports 8082 and 27586 in pool #2 (saving pool #1 ports for P2P users is the goal here)? Your line "FIREWALL_VPN_INPUT_PORTS=8082,27586,27587" isn't going to work unless all three of those ports are forwarded from AirVPN. I believe the most common use case is to only forward the torrenting port from pool #1 (27587) keeping the WebGUI port just for local network use.

Lets check your devices to ensure they are not an issue. When you go to the devices screen have you set up a device? Then in the ports screen is that device linked to the port (in the dropdown)? And when making your config file did you select that device? When working correctly, the sessions screen should list your device at the top of the card when connected.
 

[DownTheRabbitHole 1]

Yes, everything is working well.

I want to have the webGUI on 8082 internally, forwarded to 27586 by airvpn. I don't plan to have this enabled all the time, but there are times when I can't access my internal network and it would be easier to flip a switch and access remotely with Transdroid.

I think you've nailed it with the devices issue. On my previous server using rtorrent/rutorrent over Eddie (not running docker), I think because the device was connected all the time, it was considered "default", so it always worked. I've now given that device a specific name and used those keys in the compose file. Now that server appears as "device2" in the sessions list and the port is now showing as open. However, I'm getting an "unauthorized" message when I connect.

[ByteBuccaneer 3]

Nice job! So now you are into your own network and the server/service is handing out the unauthorized status based on a local ACL. You are on your way! Happy hunting!