Guide: Electric Eel VPN for qBittorrent - OpenVPN + Sonarr/Radarr Import Support

This is similar to the guide that idevpy made, however I ended up having issues with using Radarr/Sonarr to automatically import files correctly and download permission issues. So posting the YAMLs I ended up using that worked well.

TrueNAS SCALE App Side:

Install Dockge

Give it access to the following datasets:
Gluetun Config Dataset
qBittorrent Config Dataset
Torrent Download Dataset

Resources: Give it enough resources to run the VPN and qBit, I’m running it with 4vCPUs and 10GB RAM, can probably just leave these on defaults to be honest.


Dockge Side

Gluetun (VPN):
Click “Compose”
Call it “gluetun” or similar

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8080:8080 #qbittorrent
      - 6881:6881 #qbittorrent
      - 6881:6881/udp #qbittorrent
    volumes:
      - /mnt/AppPool/Apps/gluetun:/gluetun # CHANGE TO CONFIG FOLDER
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_TYPE=openvpn
      - VPN_SERVICE_PROVIDER=private internet access
      - OPENVPN_USER=USERNAME
      - OPENVPN_PASSWORD=PASSWORD
      - SERVER_REGIONS=UK London
networks:
  10.0.100.0/24: {} # CHANGE TO LOCAL CIDR IF REQUIRED so VPN doesn't break if calling local resources

Follow instructions for your chosen VPN, I used PIA, so I left the config I used for UK London server for that - gluetun-wiki/setup/providers at main · qdm12/gluetun-wiki · GitHub

qBittorrent

services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=0 # CHANGE THIS IF YOU DON'T WANT TO RUN AS ROOT
      - PGID=0
      - TZ=GMT+1
      - WEBUI_PORT=8080
      - TORRENTING_PORT=6881
    volumes:
      - /mnt/AppPool/Apps/qbitconfig:/config #qbit config location
      - /mnt/DataPool/Media/Torrents:/mnt/DataPool/Media/Torrents #where you're downloading to 
    restart: unless-stopped
    network_mode: container:gluetun
networks:
  10.0.50.0/24: {} #CHANGE to local CIDR if required

For the volumes, you need to follow the following format:

For Config:

/mnt/path/to/config:/config (make sure that :/config is there)

For download location you need to put the path, then the : then the path again, otherwise Sonarr/Radarr doesn’t recognise the path and can’t import correctly.

/mnt/Path/to/Downloads:/mnt/Path/to/Downloads


qBittorrent note:

Remember that qBittorrent uses a random password to begin with when you compose it for the first time; the password will be in the terminal log of the docker image within Dockge.

Log into qBit, go to Tools > Options > WebUI - then change the password. This will reset each restart otherwise.


You can test that the VPN is working by clicking “bash” on the container and typing in “curl ipconfig.io”, it should return a public IP from the VPN provider.

The qBit Download Location should automatically fill with your path, if it doesn’t, swap it to the correct path.


Config from Sonarr/Radarr side is all exactly the same as you’d expect, I didn’t need to change anything there.

Hope this helps :slight_smile:


Hello,

Your guide has been extremely useful in helping me get back up and running with qBittorrent post upgrade to Electric Eel (24.10.0)

I am able to run curl ipconfig.io within the qBittorrent container so I know it can access the internet through my VPN thanks to gluetun. I am, however, having issues accessing the WebUI for qBittorrent.

Here is the setup for my qBittorrent

services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=568 #CHANGE THIS IF YOU DON'T WANT TO RUN AS ROOT
      - PGID=568
      - TZ=GMT+1
      - WEBUI_PORT=30024
      - TORRENTING_PORT=6881
    volumes:
      - /mnt/ALPHApool/Dockge/qBitorrent:/config #qbit config location
      - /mnt/ALPHApool/PlexMediaServer/Torrents:/mnt/ALPHApool/PlexMediaServer/Torrents #where you're downloading to 
    restart: unless-stopped
    network_mode: container:gluetun
networks:
  192.168.0.0/24: {}

Here is the setup for my gluetun

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 30024:30024 #qbittorrent
      - 6881:6881 #qbittorrent
      - 6881:6881/udp #qbittorrent
    volumes:
      - /mnt/ALPHApool/Dockge/Gluetun:/gluetun # CHANGE TO CONFIG FOLDER
    environment:
      # See https://github.com/qdm12/gluetun-wiki/tree/main/setup#setup
      - VPN_TYPE=openvpn
      - VPN_SERVICE_PROVIDER=protonvpn
      - OPENVPN_USER=[redacted]
      - OPENVPN_PASSWORD=[redacted]
      - SERVER_COUNTRIES=United States
networks:
  192.168.0.0/24: {}

When I try and access localhost:30024 (192.168.1.16:30024), Chrome tells me I cannot connect.

Any help would be appreciated!

I figured it out, had to change my CIDR from 192.168.0.0/24 to 192.168.1.0/24


Hi,

As a PSA, it appears that the image is hiding something more nefarious. See the attached image.

Is this the best we have to use OpenVPN on SCALE now then?

I could not believe the backwards move (no, that’s not true, yes I could believe it, it’s been nothing but trouble).

I looked in the wiki for how to set up the VPN, only to be told it had been removed in place of better apps for the job.


So I go look for apps

O great.

So I came searching. I do not know what I’m doing with Docker. I’m very hesitant to even try but looks like I have no choice.

So has this info changed any since November?

cheers all.

Hi Jack,

The VPN bit I think you’re referring to is when TrueNAS was using k3s so you could have a VPN Container within an application, this is now not possible on the latest version because it uses Docker instead.

The above guide still works perfectly for me, not had any issues with it and I can restart the dockge application or the server and it all restores without me needing to do anything.

If you have any issues post them here and I’ll try to look - but it is mostly copy/paste, edit a couple of points for your specific setup though, so should be seamless.

Ok, I’ll be happy to take you up on that :slight_smile:

Here’s what I’ve got atm

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8080:8080 # qBittorrent WebUI
      - 6881:6881 # Torrenting port
      - 6881:6881/udp # Torrenting port
    volumes:
      - /mnt/basepool/aplications/gluetun:/config
      - /mnt/basepool/aplications/gluetun/config.ovpn:/config/config.ovpn
    environment:
      - VPN_TYPE=openvpn
      - PUID=3003
      - PGID=3003
      - FIREWALL_VPN_INPUT_PORTS=8080,6881
      - OPENVPN_CUSTOM_CONFIG=/config/config.ovpn
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_USER="xxxxx"
      - OPENVPN_PASSWORD="xxxxxx"
    dns:
      - 1.1.1.1
      - 1.0.0.1
    restart: unless-stopped
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=3003
      - PGID=3003
      - TZ=GMT+1
      - WEBUI_PORT=8080
      - TORRENTING_PORT=6881
    volumes:
      - /mnt/basepool/aplications/qbittorrent/qbitconfig:/config
      - /mnt/basepool/aplications/qbittorrent/media:/downloads
    restart: unless-stopped
    network_mode: container:gluetun
networks: {}

jack@TruenasScale ~ $ cat /mnt/basepool/aplications/gluetun/config.ovpn
remote 185.107.94.249
verify-x509-name CN=vpn-nl.premiumize.me
client
dev tun
proto udp
cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
reneg-sec 0
setenv CLIENT_CERT 0
ignore-unknown-option block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----

I’m trying with my credentials in the env’s of gluetun instead of trying to use a credentials.txt file and point to it from inside the .ovpn file with auth-user-pass /config/credentials.txt

I’m getting Your credentials might be wrong 🤨

But i can assure you they are the correct credentials, 100%.

Maybe something in this log output might help

jack@TruenasScale ~ $ sudo docker run -it --rm --cap-add=NET_ADMIN --device /dev/net/tun -e VPN_SERVICE_PROVIDER=custom -e OPENVPN_CUSTOM_CONFIG=/config/config.ovpn -v /mnt/basepool/aplications/gluetun/config.ovpn:/config/config.ovpn:ro -e OPENVPN_USER="387728620" -e OPENVPN_PASSWORD="w5r68fRim7rts4j" qmcgaw/gluetun
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-12-27T20:18:46.989Z (commit 61b053f)

🔧 Need help? ☕ Discussion? https://github.com/qdm12/gluetun/discussions/new/choose
🐛 Bug? ✨ New feature? https://github.com/qdm12/gluetun/issues/new/choose
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2025-01-02T17:48:02Z INFO [routing] default route found: interface eth0, gateway 172.16.0.1, assigned IP 172.16.0.2 and family v4
2025-01-02T17:48:02Z INFO [routing] local ethernet link found: eth0
2025-01-02T17:48:02Z INFO [routing] local ipnet found: 172.16.0.0/24
2025-01-02T17:48:02Z INFO [firewall] enabling...
2025-01-02T17:48:02Z INFO [firewall] enabled successfully
2025-01-02T17:48:02Z INFO [storage] creating /gluetun/servers.json with 20776 hardcoded servers
2025-01-02T17:48:03Z INFO Alpine version: 3.20.3
2025-01-02T17:48:03Z INFO OpenVPN 2.5 version: 2.5.10
2025-01-02T17:48:03Z INFO OpenVPN 2.6 version: 2.6.11
2025-01-02T17:48:03Z INFO IPtables version: v1.8.10
2025-01-02T17:48:03Z INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: custom
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       └── OpenVPN server selection settings:
|   |           ├── Protocol: UDP
|   |           └── Custom configuration file: /config/config.ovpn
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.6
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Custom configuration file: /config/config.ovpn
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── Keep existing nameserver(s): no
|   ├── DNS server address to use: 127.0.0.1
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Upstream resolvers:
|       |   └── cloudflare
|       ├── Caching: yes
|       ├── IPv6: no
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:127.0.0.1/104
|               ├── ::ffff:10.0.0.0/104
|               ├── ::ffff:169.254.0.0/112
|               ├── ::ffff:172.16.0.0/108
|               └── ::ffff:192.168.0.0/112
├── Firewall settings:
|   └── Enabled: yes
├── Log settings:
|   └── Log level: info
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Duration to wait after success: 5s
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   ├── Logging: yes
|   └── Authentication file path: /gluetun/auth/config.toml
├── Storage settings:
|   └── Filepath: /gluetun/servers.json
├── OS Alpine settings:
|   ├── Process UID: 1000
|   └── Process GID: 1000
├── Public IP settings:
|   ├── IP file path: /tmp/gluetun/ip
|   ├── Public IP data base API: ipinfo
|   └── Public IP data backup APIs:
|       ├── ifconfigco
|       ├── ip2location
|       └── cloudflare
└── Version settings:
    └── Enabled: yes
2025-01-02T17:48:03Z INFO [routing] default route found: interface eth0, gateway 172.16.0.1, assigned IP 172.16.0.2 and family v4
2025-01-02T17:48:03Z INFO [routing] adding route for 0.0.0.0/0
2025-01-02T17:48:03Z INFO [firewall] setting allowed subnets...
2025-01-02T17:48:03Z INFO [routing] default route found: interface eth0, gateway 172.16.0.1, assigned IP 172.16.0.2 and family v4
2025-01-02T17:48:03Z INFO [dns] using plaintext DNS at address 1.1.1.1
2025-01-02T17:48:03Z INFO [http server] http server listening on [::]:8000
2025-01-02T17:48:03Z INFO [healthcheck] listening on 127.0.0.1:9999
2025-01-02T17:48:03Z INFO [firewall] allowing VPN connection...
2025-01-02T17:48:03Z INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2025-01-02T17:48:03Z INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2025-01-02T17:48:03Z INFO [openvpn] library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
2025-01-02T17:48:03Z INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]185.107.94.249:1194
2025-01-02T17:48:03Z INFO [openvpn] UDPv4 link local: (not bound)
2025-01-02T17:48:03Z INFO [openvpn] UDPv4 link remote: [AF_INET]185.107.94.249:1194
2025-01-02T17:48:05Z INFO [openvpn] [vpn-nl.premiumize.me] Peer Connection Initiated with [AF_INET]185.107.94.249:1194
2025-01-02T17:48:05Z ERROR [openvpn] AUTH: Received control message: AUTH_FAILED

Your credentials might be wrong 🤨


2025-01-02T17:48:05Z INFO [openvpn] SIGUSR1[soft,auth-failure] received, process restarting
2025-01-02T17:48:09Z INFO [healthcheck] program has been unhealthy for 6s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.16.0.2:57082->1.1.1.1:53: write: operation not permitted)
2025-01-02T17:48:09Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2025-01-02T17:48:09Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2025-01-02T17:48:09Z INFO [vpn] stopping
2025-01-02T1

For this bit, it looks like if you’re wanting to do a custom VPN like this, you need to remove these from the YAML, and pass it via environment

Such as

OPENVPN_CUSTOM_CONFIG=/config/config.ovpn
OPENVPN_USER=username
OPENVPN_PASSWORD=password qmcgaw/gluetun

This bit are you sure that is correct? I just downloaded the (Assuming Netherlands?) openvpn file from Premiumize and it gave me a remote “remote vpn-nl.premiumize.me” instead of that specific IP? Though, that might just be a custom config you have, not used these guys so not sure how theirs work specifically.

It does look like gluetun wants a .conf file not a .ovpn file from their guide on these custom VPNs though, might need to read further or test if it works or not gluetun-wiki/setup/providers/custom.md at main · qdm12/gluetun-wiki · GitHub

Was reading here gluetun-wiki/setup/openvpn-configuration-file.md at main · qdm12/gluetun-wiki · GitHub

In the following we assume your custom openvpn configuration file is named custom.conf. Note this can be named something else, for example autralia.ovpn.

    Replace the VPN server hostname by one of its IP addresses. In custom.conf, find the line starting with remote. The second field is the VPN server hostname. If it is not an IP address, you need to DNS resolve it, for example with nslookup domain.com and replace the hostname field with one of its corresponding IP addresses. This is the case as gluetun's firewall is designed not to leak anything including an initial DNS resolution when starting.

ok i managed to get a bit further,

version: "3"
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
      - 8080:8080 # qBittorrent WebUI
      - 6881:6881 # Torrenting port
      - 6881:6881/udp # Torrenting port
    volumes:
      - /mnt/basepool/aplications/gluetun:/config
      - /mnt/basepool/aplications/gluetun/config.ovpn:/config/config.ovpn
    environment:
      - VPN_TYPE=openvpn
      - PUID=3003
      - PGID=3003
      - FIREWALL_VPN_INPUT_PORTS=8080,6881
      - VPN_SERVICE_PROVIDER=custom
    dns:
      - 1.1.1.1
      - 1.0.0.1
    restart: unless-stopped
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=3003
      - PGID=3003
      - TZ=GMT+1
      - WEBUI_PORT=8080
      - TORRENTING_PORT=6881
    volumes:
      - /mnt/basepool/aplications/qbittorrent/qbitconfig:/config
      - /mnt/basepool/aplications/qbittorrent/media:/downloads
    restart: unless-stopped
    network_mode: container:gluetun
networks: {}

gives
gluetun | 2025-01-02T18:21:55Z ERROR VPN settings: OpenVPN settings: custom configuration file: filepath is missing

my file path to the .ovpn

jack@TruenasScale ~ $ ls -al /mnt/basepool/aplications/gluetun/config.ovpn 
-rwxrwxr-x 1 jack jack 2118 Jan  2 17:00 /mnt/basepool/aplications/gluetun/config.ovpn
jack@TruenasScale ~ $ 

What’s it referring to?

Try add:

  - OPENVPN_CUSTOM_CONFIG=/config/config.ovpn

to your environment section of the yaml

gluetun      | 2025-01-02T18:34:38Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
gluetun      | 2025-01-02T18:34:38Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
gluetun      | 2025-01-02T18:34:47Z INFO [firewall] allowing VPN connection...
gluetun      | 2025-01-02T18:34:47Z INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
gluetun      | 2025-01-02T18:34:47Z ERROR [openvpn] No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass
gluetun      | 2025-01-02T18:34:47Z INFO [openvpn] Use --help for more information.
gluetun      | 2025-01-02T18:34:47Z ERROR [vpn] exit status 1
gluetun      | 2025-01-02T18:34:47Z INFO [vpn] retrying in 30s
gluetun      | 2025-01-02T18:34:49Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.16.6.2:42799->1.1.1.1:53: write: operation not permitted)
gluetun      | 2025-01-02T18:34:49Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
gluetun      | 2025-01-02T18:34:49Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
gluetun      | 2025-01-02T18:35:05Z INFO [healthcheck] program has been unhealthy for 16s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.16.6.2:33766->1.1.1.1:53: write: operation not permitted)
gluetun      | 2025-01-02T18:35:05Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
gluetun      | 2025-01-02T18:35:05Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
gluetun      | 2025-01-02T18:35:17Z INFO [firewall] allowing VPN connection...
gluetun      | 2025-01-02T18:35:17Z INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
gluetun      | 2025-01-02T18:35:17Z ERROR [openvpn] No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass
gluetun      | 2025-01-02T18:35:17Z INFO [openvpn] Use --help for more information.
gluetun      | 2025-01-02T18:35:17Z ERROR [vpn] exit status 1
gluetun      | 2025-01-02T18:35:17Z INFO [vpn] retrying in 1m0s
gluetun      | 2025-01-02T18:35:26Z INFO [healthcheck] program has been unhealthy for 21s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.16.6.2:44100->1.1.1.1:53: write: operation not permitted)
gluetun      | 2025-01-02T18:35:26Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
gluetun      | 2025-01-02T18:35:26Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
gluetun      | 2025-01-02T18:36:17Z ERROR [openvpn] No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass
gluetun      | 2025-01-02T18:36:17Z INFO [openvpn] Use --help for more information.
gluetun      | 2025-01-02T18:36:17Z ERROR [vpn] exit status 1
gluetun      | 2025-01-02T18:36:17Z INFO [vpn] retrying in 2m0s
gluetun      | 2025-01-02T18:36:23Z INFO [healthcheck] program has been unhealthy for 31s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.16.6.2:38356->1.1.1.1:53: write: operation not permitted)
gluetun      | 2025-01-02T18:36:23Z INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
gluetun      | 2025-01-02T18:36:23Z INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION

Have not figured how to get access to the logs on a big terminal yet so I just grabbed what I could, but it’s definitely different.

looks like a dns problem, possibly, but i put dns to use in there. Not sure why
(healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.16.6.2:51050->1.1.1.1:53: write: operation not permitted)
or maybe its this
No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass
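
Added example (not part of the thread and not gluetun's own code): a Python triage over lines copied from the compose log above that separates root causes from symptoms. The rule table is this example's own reading of the messages: the healthcheck's "operation not permitted" appears because gluetun's firewall drops traffic outside the tunnel while the VPN is down, so it is classed as a symptom of the OpenVPN error, and the cipher line as a notice.

```python
import re

LINE_RE = re.compile(
    r"^(?:\S+\s*\|\s*)?"                      # optional "gluetun | " compose prefix
    r"(?P<ts>\d{4}-\d\d-\d\dT[\d:]+Z)\s+"
    r"(?P<level>DEBUG|INFO|WARN|ERROR)\s+"
    r"(?:\[(?P<component>[^\]]+)\]\s+)?"      # "[openvpn]"; absent on settings errors
    r"(?P<msg>.*)$"
)

# (kind, code, marker text, meaning). The classification is this example's assumption.
RULES = [
    ("root", "custom-config-missing", "custom configuration file: filepath is missing",
     "OPENVPN_CUSTOM_CONFIG is not set for the custom provider"),
    ("root", "no-client-auth", "No client-side authentication method is specified",
     "OpenVPN was started without auth-user-pass, cert/key or pkcs12"),
    ("root", "auth-failed", "AUTH_FAILED",
     "the server rejected the credentials it received"),
    ("symptom", "dns-blocked", "write: operation not permitted",
     "tunnel is down, so the firewall drops the healthcheck's DNS query"),
    ("notice", "cipher-ignored", "DEPRECATED OPTION: --cipher",
     "informational; OpenVPN negotiates from data-ciphers instead"),
]


def triage(lines):
    """Group known gluetun/OpenVPN messages into root causes, symptoms and notices."""
    report = {"root": {}, "symptom": {}, "notice": {}, "unparsed": 0}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            report["unparsed"] += 1
            continue
        for kind, code, marker, meaning in RULES:
            if marker in m["msg"]:
                hit = report[kind].setdefault(
                    code, {"count": 0, "first_seen": m["ts"], "meaning": meaning})
                hit["count"] += 1
                break
    if report["root"]:
        # Dicts keep insertion order, so the first key is the earliest root cause.
        report["verdict"] = next(iter(report["root"]))
    elif report["symptom"]:
        report["verdict"] = "tunnel-down-cause-not-in-excerpt"
    else:
        report["verdict"] = "no-known-failure"
    return report


# Lines copied from the compose log posted above.
SAMPLE_LOG = """\
gluetun      | 2025-01-02T18:34:47Z INFO [openvpn] DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
gluetun      | 2025-01-02T18:34:47Z ERROR [openvpn] No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass
gluetun      | 2025-01-02T18:34:47Z ERROR [vpn] exit status 1
gluetun      | 2025-01-02T18:34:49Z INFO [healthcheck] program has been unhealthy for 11s: restarting VPN (healthcheck error: dialing: dial tcp4: lookup cloudflare.com on 1.1.1.1:53: write udp 172.16.6.2:42799->1.1.1.1:53: write: operation not permitted)
gluetun      | 2025-01-02T18:35:17Z ERROR [openvpn] No client-side authentication method is specified.  You must use either --cert/--key, --pkcs12, or --auth-user-pass
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("verdict:", result["verdict"])
    for kind in ("root", "symptom", "notice"):
        for code, hit in result[kind].items():
            print(f"  {kind:8} {code} x{hit['count']} since {hit['first_seen']}: {hit['meaning']}")
```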

Looks like the file you’re using is trying to use a deprecated method

well i dunno, just tested on my desktop

❱sudo openvpn --config Downloads/vpn-nl.premiumize.me.ovpn --auth-user-pass credentials.txt
[sudo] password for greg: 
2025-01-02 19:12:02 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations. 
2025-01-02 19:12:02 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2025-01-02 19:12:02 WARNING: file 'credentials.txt' is group or others accessible
2025-01-02 19:12:02 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
2025-01-02 19:12:02 library versions: OpenSSL 3.4.0 22 Oct 2024, LZO 2.10
2025-01-02 19:12:02 DCO version: N/A
2025-01-02 19:12:02 TCP/UDP: Preserving recently used remote address: [AF_INET]185.107.94.249:1194
2025-01-02 19:12:02 Socket Buffers: R=[212992->212992] S=[212992->212992]
2025-01-02 19:12:02 UDPv4 link local: (not bound)
2025-01-02 19:12:02 UDPv4 link remote: [AF_INET]185.107.94.249:1194
2025-01-02 19:12:02 TLS: Initial packet from [AF_INET]185.107.94.249:1194, sid=a1043458 b20a4cc6
2025-01-02 19:12:02 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2025-01-02 19:12:02 VERIFY OK: depth=2, O=Secure Services, CN=Root X1
2025-01-02 19:12:02 VERIFY OK: depth=1, O=Secure Services, CN=Intermediate X5
2025-01-02 19:12:02 VERIFY X509NAME OK: CN=vpn-nl.premiumize.me
2025-01-02 19:12:02 VERIFY OK: depth=0, CN=vpn-nl.premiumize.me
2025-01-02 19:12:03 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2025-01-02 19:12:03 [vpn-nl.premiumize.me] Peer Connection Initiated with [AF_INET]185.107.94.249:1194
2025-01-02 19:12:03 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2025-01-02 19:12:03 TLS: tls_multi_process: initial untrusted session promoted to trusted
2025-01-02 19:12:03 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 ::/3,route-ipv6 2000::/4,route-ipv6 3000::/4,route-ipv6 fc00::/7,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 50,ping-restart 120,ifconfig-ipv6 fde7:523e:dd18:bf22::1032/64 fde7:523e:dd18:bf22::1,ifconfig 10.8.0.52 255.255.0.0,peer-id 69,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm dyn-tls-crypt,tun-mtu 1500'
2025-01-02 19:12:03 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:8: block-outside-dns (2.6.12)
2025-01-02 19:12:03 OPTIONS IMPORT: --ifconfig/up options modified
2025-01-02 19:12:03 OPTIONS IMPORT: route options modified
2025-01-02 19:12:03 OPTIONS IMPORT: route-related options modified
2025-01-02 19:12:03 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2025-01-02 19:12:03 OPTIONS IMPORT: tun-mtu set to 1500
2025-01-02 19:12:03 net_route_v4_best_gw query: dst 0.0.0.0
2025-01-02 19:12:03 net_route_v4_best_gw result: via 192.168.1.1 dev wlp89s0
2025-01-02 19:12:03 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp89s0 HWADDR=d0:12:55:2c:19:94
2025-01-02 19:12:03 GDG6: remote_host_ipv6=n/a
2025-01-02 19:12:03 net_route_v6_best_gw query: dst ::
2025-01-02 19:12:03 sitnl_send: rtnl: generic error (-101): Network is unreachable
2025-01-02 19:12:03 ROUTE6: default_gateway=UNDEF
2025-01-02 19:12:03 TUN/TAP device tun0 opened
2025-01-02 19:12:03 net_iface_mtu_set: mtu 1500 for tun0
2025-01-02 19:12:03 net_iface_up: set tun0 up
2025-01-02 19:12:03 net_addr_v4_add: 10.8.0.52/16 dev tun0
2025-01-02 19:12:03 net_iface_mtu_set: mtu 1500 for tun0
2025-01-02 19:12:03 net_iface_up: set tun0 up
2025-01-02 19:12:03 net_addr_v6_add: fde7:523e:dd18:bf22::1032/64 dev tun0
2025-01-02 19:12:03 net_route_v4_add: 185.107.94.249/32 via 192.168.1.1 dev [NULL] table 0 metric -1
2025-01-02 19:12:03 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2025-01-02 19:12:03 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2025-01-02 19:12:03 add_route_ipv6(::/3 -> fde7:523e:dd18:bf22::1 metric -1) dev tun0
2025-01-02 19:12:03 net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
2025-01-02 19:12:03 add_route_ipv6(2000::/4 -> fde7:523e:dd18:bf22::1 metric -1) dev tun0
2025-01-02 19:12:03 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
2025-01-02 19:12:03 add_route_ipv6(3000::/4 -> fde7:523e:dd18:bf22::1 metric -1) dev tun0
2025-01-02 19:12:03 net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
2025-01-02 19:12:03 add_route_ipv6(fc00::/7 -> fde7:523e:dd18:bf22::1 metric -1) dev tun0
2025-01-02 19:12:03 net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
2025-01-02 19:12:03 Initialization Sequence Completed
2025-01-02 19:12:03 Data Channel: cipher 'AES-256-GCM', peer-id: 69
2025-01-02 19:12:03 Timers: ping 50, ping-restart 120
2025-01-02 19:12:03 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
2025-01-02 19:12:05 read UDPv4 [EMSGSIZE Path-MTU=1480|EMSGSIZE Path-MTU=1480]: Message too long (fd=3,code=90)
^C2025-01-02 19:13:48 net_route_v4_del: 185.107.94.249/32 via 192.168.1.1 dev [NULL] table 0 metric -1
2025-01-02 19:13:48 net_route_v4_del: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2025-01-02 19:13:48 net_route_v4_del: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2025-01-02 19:13:48 delete_route_ipv6(::/3)
2025-01-02 19:13:48 net_route_v6_del: ::/3 via :: dev tun0 table 0 metric -1
2025-01-02 19:13:48 delete_route_ipv6(2000::/4)
2025-01-02 19:13:48 net_route_v6_del: 2000::/4 via :: dev tun0 table 0 metric -1
2025-01-02 19:13:48 delete_route_ipv6(3000::/4)
2025-01-02 19:13:48 net_route_v6_del: 3000::/4 via :: dev tun0 table 0 metric -1
2025-01-02 19:13:48 delete_route_ipv6(fc00::/7)
2025-01-02 19:13:48 net_route_v6_del: fc00::/7 via :: dev tun0 table 0 metric -1
2025-01-02 19:13:48 Closing TUN/TAP interface
2025-01-02 19:13:48 net_addr_v4_del: 10.8.0.52 dev tun0
2025-01-02 19:13:48 net_addr_v6_del: fde7:523e:dd18:bf22::1032/64 dev tun0
2025-01-02 19:13:49 SIGINT[hard,] received, process exiting

❱curl ifconfig.me
2a00:1768:6001:1e::4⏎
⎼⎼⎼⎼⎼⎼⎼⎼⎼⎼ /home/greg ⎼⎼⎼⎼⎼⎼⎼⎼⎼⎼
❱curl -4 ifconfig.me

185.107.94.249⏎
⎼⎼⎼⎼⎼⎼⎼⎼⎼⎼ /home/greg ⎼⎼⎼⎼⎼⎼⎼⎼⎼⎼
❱curl ipinfo.io

{
  "ip": "185.107.94.249",
  "city": "Roosendaal",
  "region": "North Brabant",
  "country": "NL",
  "loc": "51.5308,4.4653",
  "org": "AS43350 NForce Entertainment B.V.",
  "postal": "4701",
  "timezone": "Europe/Amsterdam",
  "readme": "https://ipinfo.io/missingauth"
}⏎

All looks good to me, :)

but if you have any suggestions, I’m up to try anything.

I’m prepared to give away my credentials if anyone would like to see if they can get it to work. I’m that far gone.

I can change them after.

Anyone up for the challenge?

@jackdinn - I had a similar issue and found that gluetun does not use DNS at all and all FQDNs need to be converted to IPs to work. I also noticed that your yaml config doesn’t have any reference to credentials as others have noted. Below is my yaml file that has my VPN config setup for SABNZBD and Transmission. This means that in your OVPN file you need to change all references to FQDNs to the corresponding IPs for them.

services:
  gluetun:
    cap_add:
      - NET_ADMIN
    container_name: gluetun
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4096M
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=openvpn
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=[redacted - user account]
      - OPENVPN_PASSWORD=[redacted - password]
    image: qmcgaw/gluetun:latest
    labels:
      - diun.enable=true
    ports:
      - 8080:8080
      - 9091:9091
      - 58012:58012
      - 58012:58012/udp
    volumes:
      - >-
        /mnt/data01/apps/apps.nas01/gluetun/data/openvpn/myvpnprovider.ovpn:/gluetun/custom.conf:ro
  sabnzbd:
    container_name: sabnzbd
    depends_on:
      - gluetun
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4096M
    environment:
      - PUID=568
      - PGID=568
      - TZ=Etc/UTC
    image: lscr.io/linuxserver/sabnzbd:latest
    labels:
      - diun.enable=true
    network_mode: container:gluetun
    restart: unless-stopped
    volumes:
      - /mnt/data01/apps/apps.nas01/sabnzbd/data:/config
      - /mnt/data01/download/downloads:/media/downloads
      - /mnt/data01/download/nzb:/media/nzb
  transmission:
    container_name: transmission
    depends_on:
      - gluetun
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4096M
    environment:
      - PUID=568
      - PGID=568
      - TZ=Etc/UTC
    image: lscr.io/linuxserver/transmission:latest
    labels:
      - diun.enable=true
    network_mode: container:gluetun
    restart: unless-stopped
    volumes:
      - /mnt/data01/apps/apps.nas01/transmission/data:/config
      - /mnt/data01/download/downloads:/media/downloads
      - /mnt/data01/download/torrent:/media/torrent
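
Added example (not from any poster in this thread and not gluetun's own code): a Python pre-flight check for a custom .ovpn file covering the points raised above, namely the `remote` line must be an IP, some client authentication must be present in the file or via `OPENVPN_USER`/`OPENVPN_PASSWORD`, and a `cipher` outside `data-ciphers` is ignored. It also applies OpenVPN's "group or others accessible" rule to a config that carries inline secrets; the hostname, address and credentials in the samples are constructed placeholders.

```python
import ipaddress

# Data ciphers OpenVPN 2.6 offers by default, as listed in the log warning on this page.
DEFAULT_DATA_CIPHERS = ("AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305")
SECRET_TAGS = {"auth-user-pass", "key", "pkcs12"}  # inline blocks that hold secrets


def parse_ovpn(text):
    """Return (directives, inline_tags) for an OpenVPN client config.

    directives is a list of (name, args). Bodies of inline <tag>...</tag>
    blocks are skipped so certificate lines are never read as directives.
    """
    directives, inline, open_tag = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if open_tag is not None:
            if line == f"</{open_tag}>":
                open_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and line[1] != "/":
            open_tag = line[1:-1]
            inline.add(open_tag)
            continue
        name, *args = line.split()
        directives.append((name.lstrip("-"), args))
    return directives, inline


def check_config(text, env_has_credentials=False, file_mode=None):
    """Return findings as (severity, code, message) tuples, in check order."""
    directives, inline = parse_ovpn(text)
    present = {name for name, _ in directives} | inline
    findings = []

    # 1. A hostname needs a DNS lookup before the tunnel exists; gluetun blocks it.
    remotes = [args[0] for name, args in directives if name == "remote" and args]
    if not remotes:
        findings.append(("error", "no-remote", "no 'remote' line found"))
    for host in remotes:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(("error", "remote-hostname",
                             f"remote '{host}' is a hostname; use one of its IPs"))

    # 2. OpenVPN exits without auth-user-pass, cert+key or pkcs12.
    has_auth = bool(present & {"auth-user-pass", "pkcs12"}) or {"cert", "key"} <= present
    if not has_auth and not env_has_credentials:
        findings.append(("error", "no-client-auth",
                         "no auth directive in file and no OPENVPN_USER/OPENVPN_PASSWORD"))

    # 3. 'cipher' is ignored unless the value is also in data-ciphers.
    data_ciphers = DEFAULT_DATA_CIPHERS
    for name, args in directives:
        if name == "data-ciphers" and args:
            data_ciphers = tuple(args[0].split(":"))
    allowed = {c.upper() for c in data_ciphers}
    for name, args in directives:
        if name == "cipher" and args and args[0].upper() not in allowed:
            findings.append(("info", "cipher-ignored",
                             f"cipher {args[0]} is not in data-ciphers; OpenVPN ignores it"))

    # 4. Same rule OpenVPN applies to credentials.txt: no group/other access.
    if file_mode is not None and file_mode & 0o077 and inline & SECRET_TAGS:
        findings.append(("warning", "secrets-readable",
                         f"mode {file_mode & 0o777:o} exposes inline secrets; use 600"))
    return findings


# Constructed samples: vpn.example.net, 203.0.113.10 and the credentials are placeholders.
# EDITED keeps the credentials inline (OpenVPN 2.6 syntax) to exercise check 4.
CA_BLOCK = "<ca>\n(certificate lines omitted in this constructed sample)\n</ca>\n"
AS_DOWNLOADED = ("client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
                 "cipher AES-256-CBC\n" + CA_BLOCK)
EDITED = ("client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n"
          "cipher AES-256-CBC\n<auth-user-pass>\nexample-user\nexample-pass\n"
          "</auth-user-pass>\n" + CA_BLOCK)

if __name__ == "__main__":
    for label, cfg, mode in (("as downloaded", AS_DOWNLOADED, 0o644),
                             ("edited, mode 775", EDITED, 0o775)):
        print(label)
        for severity, code, message in check_config(cfg, file_mode=mode):
            print(f"  {severity:7} {code}: {message}")
```

Pass `env_has_credentials=True` when the compose file sets `OPENVPN_USER` and `OPENVPN_PASSWORD`, and `file_mode=os.stat(path).st_mode` to check the file on disk.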

Hi, I managed to get it working. The credentials problem I have no idea why but I rebooted the server in the end and it just worked. There are several places that you can put your credentials and I had tried them all but it’s working now and they are in the .ovpn file atm. I did have a few problems after that with MTU being wrong size and the webui port not being exposed to the LAN but it looks like it’s working.

Many thx for your help :smile: it is highly appreciated.

Awesome to hear! I’d also make sure you check the apps to ensure what external IP they are going out as. It should be the IP of your VPN and not your ISP. In SABNZBD it will tell you this under the settings but for Transmission and other torrent downloaders I suggest getting a torrent tracker IP checker from WhatIsMyIP that you add and will confirm your external tracking IP.

sure :slight_smile:

jack@TruenasScale ~ $ sudo docker exec -it gluetun wget -qO- https://ipinfo.io/ip
[sudo] password for jack: 
185.107.94.249