Hello everyone. This is my first dive into this world so be patient and keep it as simple as possible.

...
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=1000
      - PGID=1000
      - WEBUI_PORT=8080
    volumes:
      - ##
      - ##
    restart: unless-stopped
    network_mode: "service:gluetun"
    depends_on:
      gluetun:
        condition: service_healthy

  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_SERVICE_PROVIDER=mullvad
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=##
      - WIREGUARD_ADDRESSES=##
      - SERVER_COUNTRIES=Sweden
      - OWNED_ONLY=yes
    ports:
      - 8080:8080 #qbit
      - 7878:7878 #radarr
      - 9696:9696 #prowlarr
      - 8989:8989 #sonarr
      - 3001:3001 #firefox
    restart: unless-stopped

This is how I set up my qbittorrent and my gluetun composes. They are both in the same file, together with other services such as the arr suite. To make the arr suite talk with qbit I attached it to the gluetun container. Probably this is unnecessary, but I don't mind it. I can still access the webUIs via 192.168.*.**:1234, so unless it is a problem I'd like to keep it like this. In the Arr suite settings, when it came to download control, I had to set 127.0.0.1:8080 as the address of qbit to make it work. If you are wondering why there is a port to firefox, it is because I use it to check my IP and things like that when running behind the VPN. Is this a risk? I don't plan to do anything else apart from that.

One thing I added to basically all the gluetun composes I found online is “restart: unless-stopped”. Is there a reason why it does not come suggested by default?

I tried to play with Linux ISOs to check that everything was working, and it seemed to be, but I don't really have a way to check that my real IP is not being broadcast. On the other hand, thanks to a miscopied WG key I saw that until the container became healthy, all the others weren't working. Or at least I couldn't access them.

The only thing missing from having a functioning media server is setting up prowlarr, but before I do it I want to make sure that I did everything right.

Do you see any issues with this setup?

Anything I can improve? Keep in mind that my knowledge is very limited, I can't change router settings so everything I do must be done on the machine, and I don't plan to access anything from outside my house.

  • Ursa_Solaris@alien.topB · 10 months ago

    You have things set up correctly. Normally, Docker creates a virtual network connection for every container. When you use network_mode: "service:container" you are making those two containers share a single network connection instead. From a network perspective, it is effectively the same as running two pieces of software on one computer, just virtually. All your other software in that stack that is set up that way will piggyback on Gluetun’s network interface instead of creating their own, and they all see each other as being on the same localhost as if you ran multiple programs directly on your computer.

    You also opened ports correctly. Since everything is using Gluetun’s network connection, you have to open ports on Gluetun. Opening ports in Docker carries no risk of leaking your connection or breaking your VPN, as long as you don’t forward those ports from your router (which you said you can’t do anyways). Ports are to let traffic in, not out. By opening it, you are telling your computer to “listen” for anybody trying to talk to it using that port; otherwise, it would just ignore anybody who tried.

    Gluetun by default does something VPN software calls “split tunneling”, which is that traffic goes out to the VPN only if it’s externally bound traffic. Any traffic bound for an address in the private network spaces (192.168.x.x, 172.16.x.x, 10.x.x.x) will not use the VPN. This is done by design, specifically so you can do what you just did. This way you can access stuff that’s intended to be accessed locally, but still forward all external traffic to the VPN.

    The only thing you don’t really need is the depends_on because network_mode: "service:container" already acts like depends_on, so it’s redundant, but it’s not hurting anything to explicitly call it out either.

    As /u/SpacezCowboy said, for peace of mind you can test your torrent client with https://ipleak.net/. You can also test a regular connection from inside the container by running docker exec -t qbittorrent curl icanhazip.com.
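As an added example (not code from the post, nor from the gluetun or qBittorrent projects), a small Python checker for the pattern discussed in this thread: a service that borrows gluetun's network stack must not publish its own ports, gluetun needs NET_ADMIN, and every port published on gluetun is reachable from the LAN side. The compose structure below is a constructed dict mirroring the poster's file with the secrets removed; check_stack() and its messages are the example's own.

```python
# Added example, not code from the post or from the gluetun/qBittorrent projects.
# Constructed input: the parsed form of the poster's compose file with secrets dropped;
# a real run would use yaml.safe_load(open("compose.yml"))["services"] instead.
SERVICES = {
    "gluetun": {
        "image": "qmcgaw/gluetun",
        "cap_add": ["NET_ADMIN"],
        "ports": ["8080:8080", "7878:7878", "9696:9696", "8989:8989", "3001:3001"],
    },
    "qbittorrent": {
        "image": "lscr.io/linuxserver/qbittorrent:latest",
        "network_mode": "service:gluetun",
        "depends_on": {"gluetun": {"condition": "service_healthy"}},
    },
}


def check_stack(services, vpn="gluetun"):
    """Return (severity, message) findings: 'error' means docker will reject the
    file or the tunnel cannot work, 'info' is something to be aware of."""
    findings = []
    vpn_svc = services.get(vpn)
    if vpn_svc is None:
        return [("error", f"no service named {vpn!r}")]
    if "NET_ADMIN" not in vpn_svc.get("cap_add", []):
        findings.append(("error", f"{vpn} needs cap_add NET_ADMIN to manage the tunnel"))
    # Each port published on the VPN container is reachable from the LAN; the
    # "127.0.0.1:8080:8080" form would restrict it to the host itself.
    for spec in vpn_svc.get("ports", []):
        if ":" not in str(spec).rsplit(":", 1)[0]:
            findings.append(("info", f"{vpn} port {spec} listens on all host interfaces"))
    for name, svc in services.items():
        mode = str(svc.get("network_mode", ""))
        if not mode.startswith("service:"):
            continue
        target = mode.split(":", 1)[1]
        if target not in services:
            findings.append(("error", f"{name} borrows the network of missing service {target}"))
            continue
        # Docker refuses port publishing on a container that shares another's
        # network stack: those ports belong on the VPN container.
        if svc.get("ports"):
            findings.append(("error", f"{name} publishes ports but uses {mode}; move them to {target}"))
        dep = svc.get("depends_on")
        dep = dep.get(target) if isinstance(dep, dict) else None
        if not (isinstance(dep, dict) and dep.get("condition") == "service_healthy"):
            findings.append(("info", f"{name} starts as soon as {target} starts, not once it is healthy"))
    return findings
```

Run against the poster's stack it reports no errors, only that each published port is bound on every host interface; the router-side forwarding the reply mentions is outside what a compose file can show.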