⚠️
WARNING: while this tutorial is functional, it will work with the image version 3.12.2. DO NOT use the latest image tag as it causes problems. The issue is still ongoing on Github.

In the past, I did an article on running qBittorrent client via a VPN (OpenVPN protocol) that works for almost any VPN provider out there. In this article, I would like to narrow the scope down a bit and focus on Wireguard protocol.

Specifically, NordVPN implementation of the WG protocol that they call "Lynx". To make this work I will be using a well maintained Docker image, bubuntux/nordvpn.

More details on this image can be found on its GitHub site here: https://github.com/bubuntux/nordvpn.

For the torrent client, you can use anyone you want, but I will focus on qBit one maintained by linuxserver team.

As always you can run all your docker-compose code from the command line, but I will be using Portainer. If you want to follow along, be sure to set it up using the linked article, and then come back here.

Docker-compose example

To get started with this setup, unlike with OpenVPN where you need to point the container to a specific VPN server configuration file, in this case, that will not be needed. We will just need to use the country for our destination, username, and password for our Nord account, and we are set.

version: "3.5"
services:
  vpn:
    image: bubuntux/nordvpn:v3.12.2
    network_mode: bridge
    container_name: nordvpnwireguard
    cap_add:
      - NET_ADMIN    # Required
      - NET_RAW      # Required
    environment:                # Review https://github.com/bubuntux/nordvpn#environment-variables
      - USER=xxxxxxx
      - PASS=xxxxxxx
      - CONNECT=Switzerland
      - TECHNOLOGY=NordLynx
      - NETWORK=192.168.1.0/24  # So it can be accessed within the local network
    ports:
      - 8088:8088
      - 6881:6881
      - 6881:6881/udp
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1  # Recomended if using ipv4 only
  torrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbitwireguard
    network_mode: service:vpn
    environment:
      - WEBUI_PORT=8088
      - PUID=1026
      - PGID=101
    volumes:
      - /volume1/docker/yourfolderofchoice:/config
      - /volume1/yourfolderofchoice:/downloads
    depends_on:
      - vpn
    restart: always

As you can notice we will be running two containers to have this solution up and running. The torrent one and the VPN one as part of a single compose.

Do note that all ports that the torrent container is using are actually in the ports section of the vpn container. The reason for this is that we are telling our torrent container to use the VPN container as its gateway with the following line:

network_mode: service:vpn

This way we have to have all the needed ports published in the "gateway" container that in this case is the NordVPN one.

Deploying the container using "Stacks"

As I said before you are welcome to run this using the conventional docker-compose up -d command line, or you can run it with Portainer.

If you decided to run it with Portainer follow along. Go to your Portainer instance and in the main menu on the left-hand side, select Stacks.

Click +Add stack button and in the web editor windows paste the docker-compose code from above.

Give the stack its Name, and click the Deploy the stack button on the bottom.

Once you have your stack running, be sure to check the VPN container log to see if the connection has been made. Should look similar to this:

[2021-06-20T20:53:24+00:00] Firewall is up, everything has to go through the vpn
[2021-06-20T20:53:24+00:00] Enabling connection to secure interfaces
[2021-06-20T20:53:24+00:00] Enabling connection to nordvpn group
iptables: No chain/target/match by that name.
[2021-06-20T20:53:24+00:00] group match failed, fallback to open necessary ports
[2021-06-20T20:53:24+00:00] ip6 group match failed, fallback to open necessary ports
[2021-06-20T20:53:24+00:00] Enabling connection to docker network
[2021-06-20T20:53:24+00:00] Enabling connection to network 192.168.1.0/24
[2021-06-20T20:53:24+00:00] Restarting the service
[2021-06-20T20:53:24+00:00] Waiting for the service to start
[2021-06-20T20:53:25+00:00] Logging in
Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
[2021-06-20T20:53:27+00:00] Setting up NordVPN Version 3.9.5
Technology is successfully set to 'NordLynx'.
Subnet 172.24.0.0/16 is whitelisted successfully.
Subnet 192.168.1.0/24 is whitelisted successfully.
[2021-06-20T20:53:27+00:00] Connecting...
Connecting to Switzerland #240 (ch240.nordvpn.com)
You are connected to Switzerland #240 (ch240.nordvpn.com)!

Now you can access your qBit torrent application on the port set in the docker-compose (8088 in this example) by going to your browser and using the following URL: http://yourNASIP:8088. You will change the value to your NAS LAN IP address and hopefully land on the login page.

qBittorrent web UI main page

For the user name and password use admin and adminadmin respectfully to log into it initially.