Personally, I don’t use torrents. My preferred choice is Usenet. Still, every now and then people tend to ask me how to setup docker containers and most often is how to set up a torrent client with VPN protection.

I have written in the past how to utilize VPN on your NAS and one method of tunneling your torrent traffic via your NAS and a VPN connection is using a VDSM instance that will be protected with a VPN and in return, any other app running under that VDSM instance will be protected as well.

Now, this is useful if you will be using that same instance for more then just torrenting. If you are looking for occasional torrent download, then maybe a docker container will be far less resource demanding, not to mention that you will not need a VDSM license (unless you have the free license still open to use).

In these steps, I will explain a bit how to use qBittorrent client in a combination with a VPN provider of your choice. For this, I will use image.

  1. Download the image from docker repository

  2. Log into your NAS via SSH and elevate to root
    a) use sudo -i to get root access

  3. Create openvpn folder inside the future /config location where you will copy your OVPN file of choice

  4. Run the following docker run as a single line and change the settings to match your needs.

docker run --privileged -d \
              -v /your/config/path/:/config \
              -v /your/downloads/path/:/downloads \
              -e "VPN_ENABLED=yes" \
	      -e "VPN_USERNAME=your_VPN_username" \
	      -e "VPN_PASSWORD=your_VPN_password" \
              -e "LAN_NETWORK=" \
              -e "NAME_SERVERS=," \
              -p 8080:8080 \
              -p 8999:8999 \
              -p 8999:8999/udp \
Keep in mind that you need to run this as a single line so just delete each \ and replace it with a single space
The most important option here is the fact that you will need to make an openvpn folder inside your config mount point. This is explained in the steps, but if you are not reading carefully you might miss it. In that folder drop the OVPN file that you wanna use.

Getting OVPN files from your provider will depend on the provider and also some providers use different username/password combination that’s different from your login credentials to use their service, so keep that in mind as well when filling out the configuration parameters.

So, for example, let's say that you will use this location for your config volume mount: /volume1/docker/qbittorrent. You will need to make openvpn folder inside that qbittorrent folder and copy the OVPN file inside it.

  1. Now that you have your container running, check the logs for any error and if all is well you should have the container running.
  2. Access the qBittorrent using your NAS IP address on port 8080

If you get an error in log saying "Cannot open TUN/TAP dev /dev/net/tun", read the next section, if all is well, skip to "How to check if you are running inside the VPN?"

I get the "ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)"

NOTE: All credits for this fix go to Rui Marinho (@ruipmarinho) at

If this error happens plese follow the steps described bellow:

Check the tun module status

Check if you have the tunmodule installed:

lsmod | grep tun

If the result comes out empty, try installing it:

insmod /lib/modules/tun.ko

If everything went fine, move on to the next test.

Test if the tun.ko module works

Now let’s make sure the tun.komodule works as expected (run each line one at a time. If you get errors that the locations already exist just keep running the next line):

mkdir /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
cat /dev/net/tun

If the result of the catcommand was File descriptor in bad state, it means the module has been correctly installed.

Make tun.ko module persistent

The module installation needs to be made persistent otherwise on every Synology restart, you’ll have to repeat the insmod command.

Create the following file to run on every system boot:

cat /usr/local/etc/rc.d/

This will open up a file and inside it copy this block and hit return:

#!/bin/sh -e

insmod /lib/modules/tun.ko

Make the script executable:

chmod a+x /usr/local/etc/rc.d/

Reboot your Synology NAS or execute the script manually once. Done!

How to check if you are running inside the VPN?

Now that you have it running the question is are you inside the VPN or not. The easy way to test this is to use the Docker UI Terminal tab (of via console inside Portainer if you are running that as well) and open up a bash command.

Inside the command line, run this command:


This command will contact the service that will in return tell you what’s your public IP address. If you have a public address that’s different from the one you get when you visit whatsmyip address from your computer, then you are golden.

In my example, I will be using a NORDVPN provider connection to Switzerland. In the following steps, I will explain how to confirm that your traffic is inside the VPN tunnel and not exposed to your ISP.

  1. Once you get logged into your VPN container using the Terminal tab and running the curl command, run that IP address result on website.

Depending on the VPN file that you decided to use, you will get a different result and a different country. In this example, Switzerland was my destination.

Confirmation that the active docker IP is in Switzerland

Now that we have confirmation that we are indeed in a different country, it would be nice to see if the traffic is completely inside the VPN tunnel as well. The best way to do this is to trace traffic to a certain destination and see if we get a hit to our ISP provider along the way.

To do this we will use traceroute command inside the container. So again, log into it with a bash command (using the Terminal tab inside Docker UI). Now that you are inside you will need to install traceroute first. To do this run the following commands:

apt update
apt install traceroute
  1. With traceroute command line installed, run this to see how traffic is running:


traceroute command - second hop has the same IP address from picture 1, VPN destination and not your router. We want that.

As you can see from the image, the second hop (number 2) is hitting our VPN address confirming that we are indeed getting out in Switzerland (same IP as provided by using If this was not the case, the second hop would be your local router IP address and then a few more hops from your ISP. Considering that in this image there is no router local IP address as well as no ISP addresses, we can be sure that the traffic is completely tunneled.

One more bonus thing here is that once the VPN goes down, your torrenets will stop as well, so you have a kill switch scenario as well.

Again, logging onto your NAS IP address on port 8080 should land you on the main qBittorrent page where you can log in using username/password combination: admin/adminadmin (default values).

Main qBittotrrent login page on default port 8080
qBittorrent in action running via VPN

If you have any questions, comments, or suggestions, please leave a comment down below.