├── .gitignore ├── .env.example ├── LICENSE ├── README.md └── docker-compose.yml /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore environment variables (credentials, API keys) 2 | .env 3 | config.toml 4 | 5 | # Ignore VPN credentials and config files 6 | auth.txt 7 | protonvpn-*.conf 8 | wireguard.conf 9 | *.ovpn 10 | 11 | # Ignore Docker volumes (optional, if you don't want them included) 12 | gluetun/ 13 | qbittorrent/ 14 | 15 | # Ignore macOS system files (if applicable) 16 | .DS_Store 17 | 18 | # Ignore logs & temporary files 19 | *.log 20 | *.tmp 21 | -------------------------------------------------------------------------------- /.env.example: -------------------------------------------------------------------------------- 1 | # ProtonVPN WireGuard Configuration 2 | WIREGUARD_PRIVATE_KEY=your_private_key_here 3 | SERVER_COUNTRIES="United Kingdom" 4 | SERVER_CITIES="London" 5 | 6 | # User & Timezone Settings 7 | PUID=1000 8 | PGID=1000 9 | TZ=Europe/London 10 | 11 | # Gluetun API Authentication (Secures VPN Port Sync) 12 | GLUETUN_USER=your_admin_username 13 | GLUETUN_PASS=your_admin_password 14 | 15 | # qBittorrent Port Forwarding Sync 16 | GSP_GTN_API_KEY=your_random_api_key_here 17 | GSP_QBITTORRENT_PORT=your_forwarded_port_here 18 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 torrentsec 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 🏰️ qBittorrent + ProtonVPN (WireGuard) in Docker (macOS) 2 | 3 | **Securely run qBittorrent in Docker with ProtonVPN (WireGuard) using Gluetun, ensuring full VPN routing and automatic port forwarding for improved torrenting performance.** 4 | 5 | 6 | 7 | --- 8 | 9 | ## 📌 Table of Contents 10 | 11 | 1. [Overview](#overview) 12 | 2. [Features](#features) 13 | 3. [Prerequisites](#prerequisites) 14 | 4. [Installation Guide](#installation-guide) 15 | - [Install Docker](#install-docker) 16 | - [Clone the Repository](#clone-the-repository) 17 | - [Set Up the ](#set-up-the-env-file)[`.env`](#set-up-the-env-file)[ File](#set-up-the-env-file) 18 | - [Configure Authentication](#configure-authentication) 19 | - [Start the Containers](#start-the-containers) 20 | 5. [Accessing qBittorrent Web UI](#accessing-qbittorrent-web-ui) 21 | 6. [Security & Best Practices](#security--best-practices) 22 | 7. [Troubleshooting](#troubleshooting) 23 | 8. [License](#license) 24 | 9. [Contributing](#contributing) 25 | 10. [Support & Feedback](#support--feedback) 26 | 27 | --- 28 | 29 | ## 🔹 Overview 30 | 31 | This setup ensures **qBittorrent only connects through ProtonVPN (WireGuard)** using **Gluetun**, preventing leaks and enhancing security.\ 32 | It also **automates port forwarding** for better torrent speeds and **runs everything inside Docker** for easy management. 33 | 34 | --- 35 | 36 | ## ✅ Features 37 | 38 | - **🔒 VPN-Enforced Torrenting** – No leaks, all traffic runs **inside** the VPN. 39 | - **⚡ Automatic Port Forwarding** – Ensures better speeds and improved peer connections. 40 | - **🌐 Local Web UI Access** – Easily control torrents via [`http://localhost:8080`](http://localhost:8080). 41 | - **📺 Fully Containerized** – Uses Docker for easy deployment, updates, and isolation. 42 | - **🔄 Resilient Setup** – Containers **auto-restart** if anything crashes. 43 | - Uses **separate storage** for incomplete and completed torrents 44 | - **Automatically updates containers using Watchtower** 🛠️ 45 | 46 | --- 47 | 48 | ## 🛠️ Prerequisites 49 | 50 | - **Docker Desktop** (macOS/Windows/Linux) 51 | - **Docker Compose** (bundled with Docker Desktop) 52 | - **ProtonVPN account** (Plus or Visionary required for WireGuard support) 53 | 54 | --- 55 | 56 | ## 📂 Installation Guide 57 | 58 | ### **1️⃣ Install Docker** 59 | 60 | Download and install **Docker Desktop** from [here](https://www.docker.com/products/docker-desktop/).\ 61 | Ensure Docker is **running** before proceeding. 62 | 63 | --- 64 | 65 | ### **2️⃣ Clone the Repository** 66 | 67 | ```sh 68 | git clone https://github.com/torrentsec/qbittorrent-protonvpn-docker.git 69 | cd qbittorrent-protonvpn-docker 70 | ``` 71 | 72 | --- 73 | 74 | ### **3️⃣ Set Up the **`.env`** File** 75 | 76 | This project uses an `.env` file to store **sensitive configuration values** (which are ignored by Git for security). 77 | 78 | #### **Create Your **`.env`** File** 79 | 80 | ```sh 81 | cp .env.example .env 82 | nano .env 83 | ``` 84 | 85 | #### **Fill in the Following Variables** 86 | 87 | ```ini 88 | WIREGUARD_PRIVATE_KEY=your_private_key_here 89 | SERVER_COUNTRIES="United Kingdom" 90 | SERVER_CITIES="London" 91 | 92 | PUID=1000 93 | PGID=1000 94 | TZ=Europe/London 95 | 96 | GLUETUN_USER=your_admin_username 97 | GLUETUN_PASS=your_admin_password 98 | 99 | GSP_GTN_API_KEY=your_random_api_key_here 100 | GSP_QBITTORRENT_PORT=your_forwarded_port_here 101 | ``` 102 | 103 | Save and close (`CTRL + X`, then `Y`, then `ENTER`). 104 | 105 | --- 106 | 107 | ### **4️⃣ Start the Containers** 108 | 109 | ```sh 110 | docker-compose up -d 111 | ``` 112 | 113 | 🚀 **qBittorrent is now running securely through ProtonVPN!** 114 | 115 | --- 116 | 117 | ## 📚 Accessing qBittorrent Web UI 118 | 119 | Once running, open:\ 120 | 📌 [**http://localhost:8080**](http://localhost:8080)\ 121 | *(Default username: admin, password: check console for temporarily password)* 122 | 123 | Make sure to change your web UI password after the first login. Otherwise, the password will be randomly generated after every container restart. 124 | 125 | --- 126 | 127 | ## 🛡️ Security & Best Practices 128 | 129 | 1. **Keep **`.env`** Private** 130 | 131 | - The `.gitignore` file **already prevents **`.env`** from being uploaded to GitHub.** 132 | 133 | 2. **Use a Strong Password for Gluetun API** 134 | 135 | - **Modify **`GLUETUN_PASS`** in **`.env` to prevent unauthorized API access. 136 | 137 | 3. **Verify VPN Connectivity Before Torrenting** 138 | 139 | - Run `curl ifconfig.me` inside the container: 140 | ```sh 141 | docker exec -it qbittorrent curl ifconfig.me 142 | ``` 143 | - ✅ **If the IP matches ProtonVPN**, it's working. 144 | - ❌ **If it shows your real IP, something is wrong.** 145 | 146 | --- 147 | 148 | ## 🛠️ Troubleshooting 149 | 150 | ### **Check if VPN is Running** 151 | 152 | ```sh 153 | docker ps 154 | ``` 155 | 156 | If Gluetun isn’t running, restart everything: 157 | 158 | ```sh 159 | docker-compose down && docker-compose up -d 160 | ``` 161 | 162 | ### **Verify qBittorrent is Using VPN** 163 | 164 | ```sh 165 | docker exec -it qbittorrent curl ifconfig.me 166 | ``` 167 | 168 | 🟢 If the IP matches ProtonVPN, it’s working.\ 169 | 🔴 If it shows your real IP, something is wrong. 170 | 171 | ### **Check Logs for Errors** 172 | 173 | ```sh 174 | docker logs -f gluetun 175 | ``` 176 | 177 | Look for **AUTH\_FAILED** or connection issues. 178 | 179 | --- 180 | 181 | ## 💎 License 182 | 183 | This project is licensed under the **MIT License** – see the LICENSE file for details. 184 | 185 | --- 186 | 187 | ## 💪 Contributing 188 | 189 | Contributions are welcome! If you have improvements or feedback, feel free to submit an issue or pull request. 190 | 191 | --- 192 | 193 | ## 💬 Support & Feedback 194 | 195 | - If you found this helpful, give it a ⭐ star on GitHub! 196 | - Feedback & suggestions are always welcome. 197 | 198 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | # ────────────────────────────────────────────────────────────────────── 2 | # 📌 Docker Compose Configuration for Secure qBittorrent with VPN 3 | # ────────────────────────────────────────────────────────────────────── 4 | # ✅ Runs qBittorrent behind Gluetun (VPN) for security & privacy 5 | # ✅ Ensures all qBittorrent traffic is routed ONLY through the VPN 6 | # ✅ Exposes the Web UI (http://localhost:8080) properly 7 | # ✅ Uses a separate storage system for incomplete and completed torrents 8 | # ✅ Includes Watchtower for optional automatic container updates 9 | # ✅ Optimized for security, performance, and maintainability 10 | # ✅ Requires an `.env` file to store sensitive credentials (see README) 11 | # ────────────────────────────────────────────────────────────────────── 12 | 13 | 14 | services: 15 | 16 | # ────────────────────────────────────────────────────────────────────── 17 | # 🛡️ VPN CONTAINER (Gluetun) - Provides a secure connection via ProtonVPN 18 | # ────────────────────────────────────────────────────────────────────── 19 | gluetun: 20 | image: ghcr.io/qdm12/gluetun:latest # Uses the latest Gluetun VPN image 21 | container_name: gluetun # Assigns a fixed name to the container for easy reference 22 | 23 | restart: unless-stopped # Ensures Gluetun restarts if it crashes 24 | 25 | # ─── Networking Permissions ───────────────────────────────────────── 26 | cap_add: 27 | - NET_ADMIN # Grants networking privileges required for VPN operation 28 | 29 | devices: 30 | - /dev/net/tun:/dev/net/tun # Enables VPN tunneling inside the container 31 | 32 | sysctls: 33 | - net.ipv6.conf.all.disable_ipv6=1 # Disables IPv6 to prevent leaks 34 | 35 | # ─── VPN Configuration ───────────────────────────────────────────── 36 | environment: 37 | - VPN_SERVICE_PROVIDER=protonvpn # Specifies ProtonVPN as the VPN provider 38 | - VPN_TYPE=wireguard # Uses WireGuard as the VPN protocol 39 | - WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY} # Private key for authentication (from .env) 40 | - SERVER_COUNTRIES=${SERVER_COUNTRIES} # Preferred VPN server country selection 41 | - SERVER_CITIES=${SERVER_CITIES} # (Optional) Restrict to a specific city 42 | - VPN_PORT_FORWARDING=on # Enables automatic port forwarding (needed for torrenting) 43 | - TZ=${TZ} # Sets the timezone for correct timestamps in logs 44 | - QBT_WEBUI_ENABLED=true # ✅ Ensures Web UI is always enabled 45 | 46 | # ─── Persistent Storage ──────────────────────────────────────────── 47 | volumes: 48 | - gluetun-config:/gluetun # Stores VPN configuration persistently 49 | 50 | # ─── Exposed Ports ───────────────────────────────────────────────── 51 | ports: 52 | - "8080:8080" # ✅ Exposes qBittorrent Web UI to localhost 53 | 54 | # ─── Health Check ────────────────────────────────────────────────── 55 | healthcheck: 56 | test: ["CMD", "wget", "--spider", "-q", "http://google.com"] # Checks if the VPN connection is active 57 | interval: 30s # Runs every 30 seconds 58 | timeout: 10s # Fails if it takes longer than 10 seconds 59 | retries: 3 # Allows 3 failures before marking the container as unhealthy 60 | 61 | # ────────────────────────────────────────────────────────────────────── 62 | # 📂 TORRENT CLIENT (qBittorrent) - Secure Torrent Downloading & Seeding 63 | # ────────────────────────────────────────────────────────────────────── 64 | qbittorrent: 65 | image: lscr.io/linuxserver/qbittorrent:latest # Uses the latest qBittorrent image 66 | container_name: qbittorrent # Assigns a fixed name to the container 67 | 68 | restart: unless-stopped # Ensures qBittorrent restarts if it crashes 69 | 70 | # ─── Network Configuration ───────────────────────────────────────── 71 | network_mode: "service:gluetun" # 🔒 Ensures qBittorrent ONLY works through the VPN (Prevents leaks) 72 | 73 | depends_on: 74 | gluetun: 75 | condition: service_healthy # Ensures qBittorrent starts only when the VPN is fully functional 76 | 77 | # ─── qBittorrent Configuration ───────────────────────────────────── 78 | environment: 79 | - PUID=${PUID} # User ID (ensures correct file permissions) 80 | - PGID=${PGID} # Group ID (ensures correct file ownership) 81 | - TZ=${TZ} # Timezone for logs and schedules 82 | - WEBUI_PORT=8080 # Sets qBittorrent's Web UI to port 8080 83 | - QBITTORRENT_INTERFACE=tun0 # 🔒 Forces all traffic through VPN interface 84 | 85 | # 🔄 Port Forwarding Mod (Syncs qBittorrent with Gluetun) 86 | - DOCKER_MODS=ghcr.io/t-anc/gsp-qbittorent-gluetun-sync-port-mod:main 87 | - GSP_GTN_API_KEY=${GSP_GTN_API_KEY:-randomapikey} # API key for port forwarding updates 88 | - GSP_QBITTORRENT_PORT=${GSP_QBITTORRENT_PORT:-53764} # Torrenting port (auto-updated by Gluetun) 89 | - GSP_MINIMAL_LOGS=false # Enables full logs for debugging purposes 90 | # ─── Persistent Storage ──────────────────────────────────────────── 91 | 92 | volumes: 93 | - ./qbittorrent:/config # Stores qBittorrent settings persistently 94 | - ./incomplete:/incomplete # ⚡ Temporary download location (reduces SSD wear) 95 | - ./:/downloads # ✅ Completed torrents move here 96 | 97 | # ─── Performance Optimization ────────────────────────────────────── 98 | ulimits: 99 | nofile: 100 | soft: 32768 101 | hard: 65536 # Increases allowed open files (important for high-speed torrenting) 102 | 103 | # ────────────────────────────────────────────────────────────────────── 104 | # 🔄 WATCHTOWER - Automatically Updates Select Docker Containers 105 | # ────────────────────────────────────────────────────────────────────── 106 | watchtower: 107 | image: containrrr/watchtower 108 | container_name: watchtower 109 | restart: unless-stopped 110 | volumes: 111 | - /var/run/docker.sock:/var/run/docker.sock 112 | environment: 113 | - WATCHTOWER_CLEANUP=true # Deletes old images after updating 114 | - WATCHTOWER_POLL_INTERVAL=86400 # Checks for updates every 24 hours 115 | - WATCHTOWER_LABEL_ENABLE=true # Ensures only labeled containers are updated 116 | 117 | volumes: 118 | gluetun-config: # Stores VPN settings 119 | qbittorrent-config: # Stores qBittorrent configuration 120 | --------------------------------------------------------------------------------