Guide: qBittorrent App with Wireguard VPN

This is a guide to set up the qBittorrent app with Bittorrent traffic routed through a Wireguard tunnel.

This is based on "OpenVPN and qBittorrent without X server" from the qbittorrent/qBittorrent wiki on GitHub.

Step 1: Create the Wireguard configuration file

Connect to TrueNAS using SSH and create /etc/wireguard/wg0.conf with the following contents:

[Interface]
PrivateKey = (redacted)
Address = 10.2.0.2/32
Table = 1000
PostUp = ip -4 route change default via 10.2.0.1 table 1000
PostUp = ip -4 rule add priority 1 from 10.2.0.2 table 1000
PostDown = ip -4 rule del priority 1 from 10.2.0.2 table 1000

[Peer]
PublicKey = (redacted)
AllowedIPs = 10.2.0.1/32, 0.0.0.0/0
Endpoint = (redacted)

Adapt the keys, addresses and endpoint to your VPN provider.

The following lines route only Bittorrent traffic through the VPN:

Table = 1000
PostUp = ip -4 rule add priority 1 from 10.2.0.2 table 1000
PostDown = ip -4 rule del priority 1 from 10.2.0.2 table 1000

The following lines allow the use of NAT-PMP if your provider supports it:

PostUp = ip -4 route change default via 10.2.0.1 table 1000
AllowedIPs = 10.2.0.1/32

Step 2: Start the Wireguard interface

Execute sudo wg-quick up wg0

Verify that all is configured well:

admin@truenas ~ $ ip addr show dev wg0
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.2.0.2/32 scope global wg0
       valid_lft forever preferred_lft forever
admin@truenas ~ $ ip -4 route show table 1000
default via 10.2.0.1 dev wg0
10.2.0.1 dev wg0 scope link
admin@truenas ~ $ ip -4 rule show
0:      from all lookup local
1:      from 10.2.0.2 lookup 1000
32764:  from 172.16.0.0/16 lookup kube-router
32765:  from all lookup external_ip
32766:  from all lookup main
32767:  from all lookup default

Execute sudo systemctl enable wg-quick@wg0 to start the interface at boot.

Step 3: Install and configure qBittorrent

Install the qBittorrent app. In “Network Configuration”, check “Host network”.

Open the qBittorrent Web UI.

Navigate to Tools > Options, select the “Advanced” tab, and in “qBittorrent Section” set “Network interface” to “wg0”.

Navigate to View, check “Log”, then click the “Execution Log” tab.
You should see this:

Successfully listening on IP. IP: "10.2.0.2". Port: "TCP/xxxxx"
Successfully listening on IP. IP: "10.2.0.2". Port: "UDP/xxxxx"

and if your provider supports NAT-PMP:

UPnP/NAT-PMP port mapping succeeded. Message: "successfully mapped port using NAT-PMP. external port: TCP/yyyyy"
UPnP/NAT-PMP port mapping succeeded. Message: "successfully mapped port using NAT-PMP. external port: UDP/yyyyy"

Enjoy!

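The verification in Step 2, as an added shell example (not part of the original guide): it checks captured `ip` output for the source rule and for the default route of table 1000. The function names are hypothetical; the address, table and interface are the guide's values, and the sample text is copied from the guide's output.

```shell
#!/bin/sh
# Added example: validate captured `ip` output against the guide's policy routing.
SRC=10.2.0.2 TABLE=1000 DEV=wg0   # values from the guide; adapt to your provider

# Succeeds if a "from SRC lookup TABLE" rule exists and is evaluated before
# the "from all lookup main" rule (lower priority number = evaluated first).
source_rule_ok() {
    printf '%s\n' "$1" | awk -v src="$SRC" -v tbl="$TABLE" '
        $2 == "from" && $3 == src && $4 == "lookup" && $5 == tbl { vpn = $1 + 0; seen = 1 }
        $2 == "from" && $3 == "all" && $4 == "lookup" && $5 == "main" { mainp = $1 + 0; has_main = 1 }
        END { exit !(seen && (!has_main || vpn < mainp)) }'
}

# Prints the output device of the default route in a routing-table listing.
default_route_dev() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_vpn_routing RULES ROUTES: prints each problem, returns non-zero if any.
check_vpn_routing() {
    rc=0
    source_rule_ok "$1" || { echo "missing or late rule: from $SRC lookup $TABLE"; rc=1; }
    [ "$(default_route_dev "$2")" = "$DEV" ] || { echo "table $TABLE default route is not via $DEV"; rc=1; }
    return $rc
}

# Sample output copied from the guide's verification step.
SAMPLE_RULES='0:      from all lookup local
1:      from 10.2.0.2 lookup 1000
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='default via 10.2.0.1 dev wg0
10.2.0.1 dev wg0 scope link'

# Live use: check_vpn_routing "$(ip -4 rule show)" "$(ip -4 route show table $TABLE)"
check_vpn_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES" && echo "policy routing OK"
```

Run against live output after a reboot or a TrueNAS update: if the source rule is missing, sockets bound to 10.2.0.2 are routed by the main table instead of table 1000.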

Can’t connect to any tracker, getting: “Host not found (non-authoritative)” despite having both “Successfully listening on IP.” and “UPnP/NAT-PMP port mapping succeeded.”

I don’t know if it is related, but the conf file given by my VPN provider had a DNS = 10.2.0.1 line. I tried both leaving it as is, and deleting the line, but it made no difference.

Yes, the DNS option will cause errors here. Try to remove it and reboot the NAS.

Hi,

I tried to build a VPN but keep failing with the following message:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 10.2.0.1/32 dev wg0 table 1000
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 1000
[#] iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip -4 route change default via 10.2.0.1 table 1000 && ip -4 rule add priority 1 from 10.66.227.74 table 1000
iptables v1.8.9 (nf_tables): mark: bad integer value for option "--mark", or out of range.
Try `iptables -h' or 'iptables --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip link delete dev wg0

This is my config:

[Interface]
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 192.168.205.101 #personal DNS server, same error if I remove this.

Table = 1000
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip -4 route change default via 10.2.0.1 table 1000 && ip -4 rule add priority 1 from 10.66.227.74 table 1000
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip -4 rule del priority 1 from 10.66.227.74 table 1000

[Peer]
PublicKey = *****
AllowedIPs = 10.2.0.1/32, 0.0.0.0/0
Endpoint = ...:*****

I’m using Mullvad’s killswitch, is that a problem?
Any other idea?

I did this with the WireGuard settings from ProtonVPN, and it seems to be working fine. However, I’m running AdGuard on TrueNAS as well, and even if I go to “what is my IP”, it sees my normal IP, but some websites I need for work are saying that I’m behind a VPN and won’t load. Is there a way to check this?
Here is my config:

[Interface]
#Key for truenas
#Bouncing = 0
#NetShield = 1
#Moderate NAT = off
#NAT-PMP (Port Forwarding) = on
#VPN Accelerator = on
PrivateKey = -------------------------------------------
Address = 10.2.0.2/32
Table = 1000
PostUp = ip -4 route change default via 10.2.0.1 table 1000
PostUp = ip -4 rule add priority 1 from 10.2.0.2 table 1000
PostDown = ip -4 rule del priority 1 from 10.2.0.2 table 1000

[Peer]
#-------
PublicKey = --------------------------------------
PostUp = ip -4 route change default via 10.2.0.1 table 1000
AllowedIPs = 10.2.0.1/32, 0.0.0.0/24
Endpoint = --------------

I just posted my guide to run any app with VPN (openvpn) on TrueNas Electric Eel: How to install qbittorrent (or any app) with vpn on Truenas Electric Eel


The WireGuard configuration you provided was very helpful, thank you!


I don’t think it is working for me, qBittorrent is still detecting my external IP address.

All steps were done correctly, I do believe.
I got the “Successfully listening on IP” message. And all the WG commands returned correctly.

Clearly the error is due to the iptables commands that you have added.

That won’t work here since we are not using fwmark (because of the Table option).

If you want to route BitTorrent traffic through the VPN only, then you don’t need a kill-switch, because here we configure qBittorrent to use wg0 only.
If you want to route all NAS traffic through the VPN, then I suggest that you use the WireGuard configuration from your provider as-is.
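An added example (not from any poster in this thread) that lints a wg-quick config for the problems discussed above: a DNS line, fwmark-based hooks combined with a numeric Table, and an `ip rule` source that does not match Address. `lint_wg_conf` is a hypothetical helper, and the sample config is constructed from the kill-switch config posted earlier, with keys and the peer section omitted.

```shell
#!/bin/sh
# Added example: lint a wg-quick config for problems discussed in this thread.
# lint_wg_conf FILE prints one finding per line and returns non-zero if any.
lint_wg_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments and blank lines
    /^[ \t]*\[/ { section = tolower($0); gsub(/[ \t]/, "", section); next }
    section != "[interface]" { next }             # only [Interface] is inspected
    {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val)
    }
    key == "table" && val ~ /^[0-9]+/ { fixed = 1 }
    key == "dns" { dns = 1 }
    key == "address" { addr = val; sub("[/, \t].*", "", addr) }
    key ~ /^(pre|post)(up|down)$/ {
        if (val ~ /fwmark/) marks = 1
        if (match(val, /rule (add|del)[^&;]* from [0-9.]+/)) {
            src = substr(val, RSTART, RLENGTH); sub(/.* from /, "", src)
            srcs[src] = 1
        }
    }
    END {
        # DNS finding follows the guide author reply; the other two follow from
        # how wg-quick handles a numeric Table and how source rules match.
        if (dns) { print "DNS: wg-quick passes it to resolvconf; remove it for this setup"; bad = 1 }
        if (fixed && marks) { print "fwmark: not set when Table is a number, hook will fail"; bad = 1 }
        for (s in srcs) if (s != addr) { print "rule: source " s " is not Address " addr; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample based on the kill-switch config posted in this thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[Interface]
Address = 10.2.0.2/32
DNS = 192.168.205.101
Table = 1000
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT && ip -4 rule add priority 1 from 10.66.227.74 table 1000
EOF
lint_wg_conf "$SAMPLE" || echo "config needs fixing"
```

On a live system, run it as `lint_wg_conf /etc/wireguard/wg0.conf` before `wg-quick up wg0`.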

I’m not sure, sorry… The app description shows “AdGuard runs with host networking enabled” so it could be related to that… Is there any way to make it bind to your regular network interface?

Having the WireGuard interface in the host namespace - like in this guide - is not ideal and has flaws…