Last updated on 21 March 2026
What are qBittorrent and GlueTUN?
qBittorrent is a torrent downloader and GlueTUN is the Docker container that has pre-configured VPN connections for numerous VPN providers.
This guide provides some presets the cover the most popular VPN providers using WireGuard.
If you are yet to choose a provider have a look at AirVPN* or ProtonVPN* which have port forwarding and are P2P friendly.
*Affiliate Links
Useful external links for this guide
GlueTUN Wiki
GlueTUN Docker GitHub
Linuxserver qBittorrent Container GitHub
qBittorrent Forums
Let’s Begin
In this guide I will take you through the steps to get qBittorrent up and running in Docker and a separate GlueTUN VPN container. By having a separate container for the VPN connection we can use it in the future for other applications.
In order for you to successfully use this guide please complete the three preceding guides
- Docker Package, SSD and Memory Recommendations
- Step 1: Directory Setup Guide
- Step 2: Setting up a restricted Docker user
- Step 3: Setting up a Docker Bridge Network (synobridge)
Folder Setup
Let’s get some folders set up for the containers to use. Open up File Station create the following.
/docker/projects/vpnproject-compose
/docker/gluetun
/docker/qbittorrentSetting up the TUN start up script
In order for the VPN connection to work we need to make sure the TUN Interface is available to make the connection to a VPN provider. In order to ensure it is available even after a reboot we will set up a small script.
Open up Control Panel and then click on Task Scheduler
Next click on Create, Triggered Task then User Defined Script.
On the General Tab enter the following
| Section | Setting |
|---|---|
| Task: | VPNTUN |
| User: | root |
| Event: | Boot-up |
| Enabled | Tick |
On the Task Settings tab copy and paste the code below in the ‘User-Defined script’ section.
#!/bin/sh -e
insmod /lib/modules/tun.ko
You can now press OK and agree to the warning message. Next run the script which will enable the TUN device.
You can now move on to the next step.
WireGuard Kernel Module
Synology DSM does not have WireGuard built into it’s older Kernel so this means anything requiring this will make use of a “userspace” version, this is a bit less efficient and can result in higher CPU usage.
While this step is optional as WireGuard will function without it, I would recommend installing the module as it is more efficient and will reduce CPU usage.
You can find the files over at BlackVoid.club make sure to drop them a thanks or a coffee! As this would not be possible without them!
The page covers the installation methods and also how to build the module yourself. I cover the key steps below.
Find your model of NAS under the correct DSM version section and download the pre compiled .spk file.
Open Package Center and click ‘Manual Install’ on the top right and install the .spk file ensuring you untick the box to run after install and then reboot your NAS
Next SSH Into your NAS (Just like in the User Setup guide) and elevate yourself to root by typing.
sudo -iAnd enter your password as requested, then finally type this command and press enter to start up the module
/var/packages/WireGuard/scripts/startYou should now be able to see the WireGuard package running in Package Center.
Container Manager Project (aka Docker Compose)
Next we are going to set up a ‘Project’ in Container Manager, a project is used when you want multiple containers to all be loaded together and often rely on each other to function. In our case we want qBittorrent to load and talk to the GlueTUN VPN container.
Open up Container Manager and click on Project then on the right-hand side click ‘Create’
In the next screen we will set up our General Settings, enter the following:
| Section | Setting |
|---|---|
| Project Name: | vpn-project |
| Path: | /docker/projects/vpnproject-compose |
| Source: | Create docker-compose.yml |
Next we are going to paste in our Docker Compose.
To make things a little easier we have put together some presets below. Select the appropriate version for you.
Docker Compose Presets
What if I am using a different provider?
The Presets above should cover the majority of good quality VPN providers who offer WireGuard. If you need to use OpenVPN you will need to find your provider in the GlueTUN Wiki and follow the instructions for the Docker Compose (Ignore the Docker Run commands)
GlueTUN Versions
In order to ensure a stable connection you should use a specific version tag for GlueTUN. The “latest” tag tends to be unstable and is more like a development version so should not be used other than for testing.
As of March 2026 version 3.41.0 works perfectly with Synology, if you wish to update to a newer version change the tag ensuring you have a look at the change logs and also any recent issues before doing so!
image: qmcgaw/gluetun:v3.41.0
Docker Compose Required Edits
IDs and Timezone
Look for the lines below, they appear twice, these control the containers access to our filesystem and also the user the containers run as.
| Variable | Value |
|---|---|
| PUID | (required) The UID you obtained in the user setup guide |
| PGID | (required) The GID you obtained in the user setup guide |
| TZ | (required) Your timezone wikipedia.org/wiki/List_of_tz_database_time_zones |
Firewall Outbound Subnet
This section controls your ability to access the UIs of any containers running through the GlueTUN containers network.
- FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.0.0/24The first part ‘172.20.0.0/16’ don’t edit as this is our ‘synobridge’ network and allows other containers such as Radarr to access the download client.
We need to change the second IP after the comma this allows us to access the WebUI and containers via our local network.
This IP address (subnet) is easy to figure out. If you NAS IP is 192.168.0.27 your subnet is 192.168.0.0/24 (notice I just changed the last number before the /24 to 0)
Docker Compose Optional Edits
Ports and Proxies
In the top GlueTUN section you will notice that we have some additional ports assigned for a http proxy and Shadowsocks Proxy – this means you can direct traffic from other devices or applications on your network through the container! If you want to use these change the following.
| Variable | Value |
|---|---|
| HTTPPROXY | off (default) on (enabled) |
| SHADOWSOCKS | off (default) on (enabled) |
Firewall Input Ports (Port Forwarding)
This is only relevant for the WireGuard Preset and your VPN provider offers port forwarding. Remove the # from the start of the line and change the port number(s) in line with the ones provided to you. Make sure you also manually update the ‘Listening Port’ in qbit once you are running.
- FIREWALL_VPN_INPUT_PORTS=12345,56789Volumes
By default, I have assumed you have your config files for your docker share are stored on /volume1/docker if these are located on another volume such as a SSD or NVME amend these lines accordingly.
- /volume1/docker/gluetun
- /volume1/docker/qbittorrent
- /volume1/docker/gluetun/wireguardWatchtower Exclusion
You don’t need to change this, I added a label to avoid Watchtower automatically updating the GlueTUN container as it will always break the overall project which can be inconvenient if you are not around to fix it. You can update the container using the mini guide on the left menu of the site.
labels:
- com.centurylinklabs.watchtower.enable=falseThat completes the edits to the compose!
Click ‘Next’
You do not need to enable anything on the ‘Web portal settings’ screen click ‘Next’ again
On the final screen click Done which will begin the download of the container images and once downloaded they will be launched!
The images will now be downloaded and extracted. You should see ‘Code 0’ when it has finished.
You will now see your vpn-project running both containers should have a green status on the left-hand side.
If either of the two containers are unhealthy you should check the logs as they are usually fairly good at pointing out immediate issues.
Firewall Exceptions
(Skip if you don’t have the Firewall configured)
If you have the Synology Firewall enabled please see this additional guide for further info on exceptions and correct set up.
Final qBittorrent Setup
Changing the default Web UI login and password
If you skip this step you won’t be able to log in.
Now the container has started open it in the Docker UI and go to the Log tab. Within the logs you will see the login details
Now before doing any more of the guide go to the Web UI by going to the IP of your NAS followed by port 8090 and log in. Then on the WebUI tab change the defaults to your own and save them.
As we have used /data/torrents as the mount point for our downloads we need to make sure qBittorrent uses this same file path. Open the settings and edit the following paths and save.
| Option | Original Value | New Value |
|---|---|---|
| Default Save Path | /downloads | /data/torrents/completed |
| Monitored Folder (optional) | blank | /data/torrents/watch |
Also note that you should set Saving Management Mode to “Automatic”
Advanced Network Settings (Use the TUN Device)
The last step is to tell qBittorrent to only use the tun0 interface for its traffic, go to the Advanced tab then from the ‘Network Interfaces’ drop down select ‘tun0’ and click Apply, If this doesn’t appear the first time you may need to completely reboot your NAS.
I am not going to walk through all the other settings as you can customise these as you wish.
That’s it you are completely set up, you can now start up the Project again from the ‘Project’ tab.
I recommend having a quick read through the FAQ as it covers some questions you may have!
Warning!!
Do not expose the qBittorrent web interface to the internet via a proxy or even directly, even with a strong password you will likely get hacked and find the Container mining Crypto. We have seen numerous examples of this!
FAQs
Q: How can I be sure the VPN connection is working?
A: Go to the TorGuard Check My Torrent IP site, right-click on the Green banner and copy the link (it’s a Magnet link) Then add this link into qBittorrent and start the torrent. Keeping the site open after a few seconds the site will show the IP address of the connection it finds. This will be of the VPN provider not your home IP. (Please note the torrent doesn’t actually download anything it’s purely doing an IP check)
Q: I am getting the ‘errored’ status for all my torrents
This is very likely a permissions issue, go to the Permissions Fix guide on the left menu.
Q: Everything seems to be connected but nothing is downloading.
Try grabbing the Ubuntu torrent as that is a sure fire way of testing as generally it has over 3k seeds.
Are you using TorGuard – If so they block torrents on their US servers. Change to another country – Also while you are at it, you may need to configure port forwarding in your TorGuard account.
Q: My container doesn’t seem to start on a reboot even with the TUN script.
A: I have seen this a few times and usually relates to the VPN not completing its connection fast enough before containers using the VPN start. You can try setting an additional startup script by doing the following.
Head into Control Panel and go to Task Scheduler Click Create > Triggered Task > User Defined Task
| Section | Setting |
|---|---|
| Task Name | DockerVPNBootUp |
| User | Root |
| Event | Boot Up |
| Pre Task | Select the VPNTUN script from the drop-down that you created at the start of the guide |
In the ‘Task Settings’ tab enter the following and then click Save (adjust the volume1 to the volume your docker folder is located)
sleep 120
docker-compose -p vpn-project -f /volume1/docker/projects/vpnproject-compose/compose.yaml down
wait
docker-compose -p vpn-project -f /volume1/docker/projects/vpnproject-compose/compose.yaml up -dOnce added Save and Container Manager will rebuild the project with the mod enabled, you will see it working in the qBittorrent containers log.
Q: I tried to start qBittorrent manually, and it says ‘Container must join at least one network’
A: This is due to the Synology Container Manager GUI not understanding that the container will be on the GlueTUN containers ‘network’. You will need to stop the overall “Project” and then click “Action > Build” to bring the whole compose up at the same time.
Looking for some help, join our Discord community
If you are struggling with any steps in the guides or looking to branch out into other containers join our Discord community!
![](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="562" height="85"><rect fill-opacity="0"/></svg>)
Buy me a beverage!
If you have found my site useful please consider pinging me a tip as it helps cover the cost of running things or just lets me stay hydrated.
