|:.:.:.:.:.:.:.:.:/.:.:.:.:.:./.:.:.:.:.:.:.:.:.:.:.:.:.:./|   '. :.:.:.:.:.:.:.:.:.:.l.ヽ:.:.:.:.l:.:.:.:.:.:.:.:.:.:∧\:.:.:.',
          |:.:.:.:.:.:.:./.:.:.:.:.:./.:.:.:.:.:.:.:.:.:.:.:.: , ′   l :.:.:.:.:.:.:.:.:.:| ∨.:.:.l:.:.:.:.:.:.:.:.:.:.∧ \:.'.
          |:.:.:.:.:.:/.:.:.:.:.: /.:.:.:.:.:.:.:.:. ヽ/ /    |:.:.:.:.:.:.:./:.:.|   y'.:.:|:.:.:.:.|:.:.:.:.:.:.∧   ヘ.
          |:.:.:.:./.:.:.:.//.:.:.:.:.:.:.:.:.:.:/ \,′   !:.:.:.:.:.:/|:.:./,/ '.:.:| :.:.:.|:.:.:.:.:.:.:.:.|
          |:.:.:/.:.:./.:./.:.:.:.:.:.:.:.:./   /` ‐-‐'|:.:.:./ |ァ'´    |:.:| :.:.:.|:.:.:.:.:.:.:.:.|
          |:.:.i.:.:./.:.:.: '.:.:.:.:.:.:.:/   ,/       |:.:.:/   ′    }.:.| :.:.:.|:.:.:.| :.:.:.:|
          |:.:.|:./.: rヘ|:.:.:.:.:.:/:.| 三三三三三  |:./   三三三 ハ|:.:.:.:.|:.:.:.| :.:.:.:|
          |:.:.l〃.:{  |:.:.:.:./.:.:.|             l.'         .i.:.:.i.:.:.:∧ :.:|ヽ :.:|
          |:.:./.:.:.:.\|:.:.:/.:.:.:.:|                '       |:.:.||:.:/  :.:.| '.:.:l
          |:./.:.:.:.:.:.:. !:./.:.:.:.:.:.'、            ,.ー--、    }.:.:|レ′ ∨  V
          |/.:.:.:.:.:.:.:.:V '´  ̄`ヽ.、            ´`¨¨{. |_.  '.:.:.:.|
         /.:.:.:.:.:.:.:./         ヘ `    . __. -r1 |:.:.:.:.:.:.:.:.|
         :.:.:.:.:.:.:, '         '. \    | _.   -┴ー──┴┐
         :.:.:.:.:./           |  \  r' |   -──────i'
    

< KONAKONA.MOE >

How to Set up qBittorrent Natively with a VPN

Last Mod.: 2024-06-09 | Created On: 2024-01-23


In this tutorial, I will guide you on how I set up qBittorrent-nox running natively with WireGuard on my Debian 12 Home Lab. After reading this you should be able to:

I thought, for a long time, that the only way to do something like this would be by using a Docker container. But I really hate using Docker and/or any other container or virtualizing systems. I don’t want to touch Docker again, at the least not on my Home Lab.

Setting up WireGuard

I already assume that you know how to set up WireGuard, aka. copying your-config.conf into /etc/wireguard and etc, but we will have to modify the config in order for the interface that WireGuard creates not route everything and just be another interface that you can optionally bind to, like Ethernet and Wi-Fi both existing at the same time, but in this case with a VPN.

You can read the guide here: Disable Routing for Wireguard Interfaces

Setting up qBittorrent

I set up, and this guide was made assuming that you would set up qBittorrent on your NAS, but I assume that this can work on your computer as well.

Install the headless version of qBittorrent on your client (qbittorrent-nox).

1apt install qbittorrent-nox

Now you can (if you want to) edit the qbittorrent-nox systemd service file. You don’t have to do this, but that’s how I like to set things up.

I included UMask=007 on the [Service] section to ensure that the files created by qBittorrent are saved with the rwxrwx--- mode (or 770). With this, only the user and its group have permission to read, write and execute these files, while others users will encounter an access denied error if they attempt to access or modify them without root privileges.

I also added --webui-port=8081 at the end of the ExecStart= line to change the WebUI port.

/usr/lib/systemd/system/[email protected]

 1[Unit]
 2Description=qBittorrent-nox service for user %I
 3Documentation=man:qbittorrent-nox(1)
 4Wants=network-online.target
 5After=local-fs.target network-online.target nss-lookup.target
 6
 7[Service]
 8Type=simple
 9PrivateTmp=false
10User=%i
11UMask=007 # ADDED BY ME
12ExecStart=/usr/bin/qbittorrent-nox --webui-port=8081 # ADDED BY ME
13TimeoutStopSec=1800
14
15[Install]
16WantedBy=multi-user.target

Now you can save the file if you made any changes and after that, reload the systemd daemon, just in case.

1systemctl reload-daemon

Now, enable and start the qbittorrent-nox service on the user of your choice, in my case, it will be the user share because this is the user that owns the files in my downloads directory.

1systemctl enable --now qbittorrent-nox@share

You can now log in the WebUI with the local IP of your machine and the port that you chose. The default username is admin and adminadmin is the default password.

Note: The default password for the WebUI is adminadmin in v4.5.2 but I saw that qBittorrent randomly generates a password during the initial setup in newer versions. If that’s your case, what you could do is to login as the share user, for example, start qBittorrent with qbittorrent-nox on the CLI (instead of as a daemon) and login with the password printed to stout and change the password. Or you could maybe look into the config files it generates to find and/or change the password.

Now you can bind qBittorrent to use the WireGuard interface you made:

You can now check if our IP has changed when downloading torrents on https://ipleak.net/. Scroll down and click on Torrent Address detection. Copy and paste the magnet link on qBittorrent and check if your IP changed. If that didn’t work, you could try restarting with systemctl restart qbittorrent-nox@share.

torrent-address-detection.png

That should be it! qBittorrent is ready to go! If your eyes burn because of the default theme you could download Stylus and add a CSS theme. Here are some:

Exposing qBittorrent to the Internet

If you want to expose qBittorrent to the internet, to use it remotely without having to use a VPN to remote into your local network, you could use Caddy server as a reverse proxy. I mean that’s what I use because it just works, but I guess you could use NGINX or Apache as well. Just remember to change your password before doing this!

/etc/caddy/Caddyfile

1qbittorrent.yourdomain.tld {
2	reverse_proxy localhost:8081 # Note: default for qBittorrent is 8080
3	encode gzip
4}

Additionally, you can set up an HTTP Basic Authentication for better security if you don’t trust the WebUI to do the work for you.

1qbittorrent.yourdomain.tld {
2	basicauth * {
3		diowo <your hashed password>
4	}
5	reverse_proxy localhost:8081 # Note: default for qBittorrent is 8080
6	encode gzip
7}

To generate the hash, use the command caddy hash-password and then replace <your hashed password> with the hash.

Now restart Caddy.

1systemctl restart caddy

Wait a few minutes and you will be able to type out your URL to access the WebUI with HTTPS.

Thanks for reading my guide, if you have any questions feel free to e-mail me, and I’ll try to help you.


Prev:
Thoughts on XMPP
Next:
Using a Plymouth Theme