Guide: qBittorrent App with Wireguard VPN

This is a guide to set up the qBittorrent app with Bittorrent traffic routed through a Wireguard tunnel.

This is based on “OpenVPN and qBittorrent without X server” from the qbittorrent/qBittorrent Wiki on GitHub.

Step 1: Create the Wireguard configuration file

Connect to TrueNAS using SSH and create /etc/wireguard/wg0.conf with the following contents:

[Interface]
PrivateKey = (redacted)
Address = 10.2.0.2/32
Table = 1000
PostUp = ip -4 route change default via 10.2.0.1 table 1000
PostUp = ip -4 rule add priority 1 from 10.2.0.2 table 1000
PostDown = ip -4 rule del priority 1 from 10.2.0.2 table 1000

[Peer]
PublicKey = (redacted)
AllowedIPs = 10.2.0.1/32, 0.0.0.0/0
Endpoint = (redacted)

Adapt the keys, addresses and endpoint to your VPN provider.

The following lines allow routing only Bittorrent traffic through the VPN:

Table = 1000
PostUp = ip -4 rule add priority 1 from 10.2.0.2 table 1000
PostDown = ip -4 rule del priority 1 from 10.2.0.2 table 1000

The following lines allow the use of NAT-PMP if your provider supports it:

PostUp = ip -4 route change default via 10.2.0.1 table 1000
AllowedIPs = 10.2.0.1/32

Step 2: Start the Wireguard interface

Execute sudo wg-quick up wg0

Verify that everything is configured correctly:

admin@truenas ~ $ ip addr show dev wg0
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.2.0.2/32 scope global wg0
       valid_lft forever preferred_lft forever
admin@truenas ~ $ ip -4 route show table 1000
default via 10.2.0.1 dev wg0
10.2.0.1 dev wg0 scope link
admin@truenas ~ $ ip -4 rule show
0:      from all lookup local
1:      from 10.2.0.2 lookup 1000
32764:  from 172.16.0.0/16 lookup kube-router
32765:  from all lookup external_ip
32766:  from all lookup main
32767:  from all lookup default

Execute sudo systemctl enable wg-quick@wg0 to start the interface at boot.

Step 3: Install and configure qBittorrent

Install the qBittorrent app. In “Network Configuration”, check “Host network”.

Open the qBittorrent Web UI.

Navigate to Tools > Options, select the “Advanced” tab, and in “qBittorrent Section” set “Network interface” to “wg0”.

Navigate to View, check “Log”, then click the “Execution Log” tab.
You should see this:

Successfully listening on IP. IP: "10.2.0.2". Port: "TCP/xxxxx"
Successfully listening on IP. IP: "10.2.0.2". Port: "UDP/xxxxx"

and if your provider supports NAT-PMP:

UPnP/NAT-PMP port mapping succeeded. Message: "successfully mapped port using NAT-PMP. external port: TCP/yyyyy"
UPnP/NAT-PMP port mapping succeeded. Message: "successfully mapped port using NAT-PMP. external port: UDP/yyyyy"

Enjoy!

1 Like
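
The Step 2 verification above can be scripted. This is an added example, not part of the original post: a shell function that compares `ip -4 rule show` and `ip -4 route show table 1000` output against the state the guide shows. The function name and the "broken" sample are constructed for illustration.

```shell
# check_split_tunnel ADDR GATEWAY TABLE IFACE RULES ROUTES
#   RULES = text of `ip -4 rule show`, ROUTES = text of `ip -4 route show table TABLE`
# Prints one line per problem; the return status is the number of problems.
check_split_tunnel() {
    addr=$1; gw=$2; table=$3; iface=$4; rules=$5; routes=$6
    problems=0
    # Priority of the rule that sends traffic sourced from ADDR to TABLE.
    src_prio=$(printf '%s\n' "$rules" | awk -v a="$addr" -v t="$table" \
        '$2=="from" && $3==a && $4=="lookup" && $5==t { sub(":","",$1); print $1; exit }')
    # Priority of the catch-all rule for the main table (the non-VPN routes).
    main_prio=$(printf '%s\n' "$rules" | awk \
        '$2=="from" && $3=="all" && $4=="lookup" && $5=="main" { sub(":","",$1); print $1; exit }')
    if [ -z "$src_prio" ]; then
        echo "no rule 'from $addr lookup $table': later rules decide the route instead"
        problems=$((problems + 1))
    elif [ -n "$main_prio" ] && [ "$src_prio" -ge "$main_prio" ]; then
        echo "rule for $addr (priority $src_prio) is consulted after main ($main_prio)"
        problems=$((problems + 1))
    fi
    # The guide's PostUp route change leaves a default route via the tunnel gateway.
    if ! printf '%s\n' "$routes" | awk -v g="$gw" -v i="$iface" \
        '$1=="default" && $2=="via" && $3==g && $4=="dev" && $5==i { ok=1 } END { exit !ok }'
    then
        echo "table $table has no 'default via $gw dev $iface'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Output shown in Step 2 of the guide (kube-router and external_ip rules omitted).
GUIDE_RULES='0:      from all lookup local
1:      from 10.2.0.2 lookup 1000
32766:  from all lookup main
32767:  from all lookup default'
GUIDE_ROUTES='default via 10.2.0.1 dev wg0
10.2.0.1 dev wg0 scope link'

# Constructed failure case: source rule absent, default route lacks the gateway.
BROKEN_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'
BROKEN_ROUTES='default dev wg0 scope link'

check_split_tunnel 10.2.0.2 10.2.0.1 1000 wg0 "$GUIDE_RULES" "$GUIDE_ROUTES" && echo "guide state: ok"
check_split_tunnel 10.2.0.2 10.2.0.1 1000 wg0 "$BROKEN_RULES" "$BROKEN_ROUTES" || echo "broken state: $? problem(s)"
```

On the NAS, pass `"$(ip -4 rule show)"` and `"$(ip -4 route show table 1000)"` as the last two arguments to check the live state.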

Can’t connect to any tracker, getting: “Host not found (non-authoritative)” despite having both “Successfully listening on IP.” and “UPnP/NAT-PMP port mapping succeeded.”

I don’t know if it is related, but the conf file given by my VPN provider had a DNS = 10.2.0.1 line. I tried both leaving it as is, and deleting the line, but it made no difference.

Yes, the DNS option will cause errors here. Try to remove it and reboot the NAS.

Hi,

I tried to build a VPN but keep failing with the following message:

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] ip -4 route add 10.2.0.1/32 dev wg0 table 1000
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 1000
[#] iptables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o wg0 -m mark ! --mark $(wg show wg0 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip -4 route change default via 10.2.0.1 table 1000 && ip -4 rule add priority 1 from 10.66.227.74 table 1000
iptables v1.8.9 (nf_tables): mark: bad integer value for option "--mark", or out of range.

Try `iptables -h' or 'iptables --help' for more information.
[#] resolvconf -d wg0 -f
[#] ip link delete dev wg0

This is my config:

[Interface]
PrivateKey = *****
Address = 10.2.0.2/32
DNS = 192.168.205.101 #personal DNS server, same error if I remove this.

Table = 1000
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip -4 route change default via 10.2.0.1 table 1000 && ip -4 rule add priority 1 from 10.66.227.74 table 1000
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip -4 rule del priority 1 from 10.66.227.74 table 1000

[Peer]
PublicKey = *****
AllowedIPs = 10.2.0.1/32, 0.0.0.0/0
Endpoint = ...:*****

I’m using Mullvad’s killswitch, is that a problem?
Any other idea?