I would like to avoid having to use Docker; I’m not a programmer and ultimately I like using a GUI (pause for audience booing)
My goal is to use a VPN profile (I’m using a paid-ProtonVPN server in Sweden) to send *only* P2P traffic through the VPN. Simultaneously, I want to have all other traffic (including Plex client traffic) sent outside the VPN. Is there a way to set this up that does not involve Docker? VPN profile is on Synology box, only. Router is configured to use a non-ISP provided DNS (Quad9 or Cloudflare) and is providing nothing further to this setup.
What if instead I flashed dd-wrt onto my router and used a VPN profile on my router (still paid-ProtonVPN), does DD-WRT have the ability to handle routing *only* P2P traffic through a VPN?
To make it work, you have to be able to tell the P2P client to use the network path provided by VPN. This is very easily accomplished with docker containers and can be done in such a way no traffic can ever leak out. You’ve chosen the hard way though, so your best bet is to use a VPN provider that offers a SOCKS proxy, and use a P2P client that can also do that.
Dperson has a docker container in github that is an openvpn client that does this isolation. And a transmission client meant to easily work with it. Plus web containers that create a reverse proxy in to this network enclave. You’ll repoint your apps to use the IP of your NAS with the port you end up using for transmission, which might be able to stay the same.
Docker has a GUI. I use the Deluge Open VPN container with Proton.
Figured I’d at least see if it’s possible! Sounds like I get to finally dive into Docker. As long as I can get away with only running Transmission in Docker, I’ll be happy. Will Radarr and Sonarr need to be reconfigured to find Transmission?
I found this repo, pulled down the .zip, and I have Docker installed. Now what? I see where I can import a container.
Did you read the Readme on their page? It describes how to use the container. You shouldn’t be downloading anything, btw
Yep, looking right at the readme. I thought I could just grab the repo and import the container from my local machine.
You’ll want docker to download the image and do what all it needs to work. The VPN image installs much easier with the cli than through the web interface or with portainer. You’ll also need to look at how to create /dev/net/tun, and have it recreate at reboot since it won’t persist. It’s necessary for this approach to work.
I found the dperson/transmission image and dperson/openvpn-client in Container Manager>Registry and pulled both down; I can run both images, and arrive at the top of the setup process in General Settings. From here the setup is well over my head, and the read_me is targeted towards setup over SSH. If anyone has experience setting both of these containers up via the GUI, please let me know. Preference is setup from within DSM GUI, which seems to be possible.
If you don’t want to SSH and deal with any command line, perform these steps:
1. Create a share for housing your configs. You can reuse something else if you’d like, it doesn’t much matter. I reused the same share that everything downloads to and created a subfolder called vpn. Let’s assume this will be Transmission/vpn created on volume1, for purposes of this guide.
2. Download the OpenVPN profile(s) from your VPN provider and place them inside Transmission/vpn
3. Find the .conf file and rename it to vpn.conf. You might instead have a bunch of .ovpn files, so just rename whichever from there to vpn.conf for the one you choose.
4. Modify the vpn.auth file (you may have to create this) to have your username (email?) on the first line, and put your password on the second line.
5. Find the .crt file and rename it to vpn-ca.crt
6. Modify the vpn.conf file to set auth-user-pass to /vpn/vpn.auth and set ca to /vpn/vpn-ca.crt
7. Connect to DSM web UI
8. Open Control Panel and navigate to Task Scheduler
9. Create > Triggered Task > User-defined Script
10. Task: Set up tun device
11. User: root
12. Event: Boot-up
13. Move over to Task Settings and paste this in:
```sh
#!/bin/sh
# Create the necessary file structure for /dev/net/tun
if [ ! -c /dev/net/tun ]; then
    if [ ! -d /dev/net ]; then
        mkdir -m 755 /dev/net
    fi
    mknod /dev/net/tun c 10 200
    chmod 0755 /dev/net/tun
fi
```
14. Save
15. Select the Set up tun device script entry at the bottom and hit Run at the top to get the device created
16. Create > Triggered Task > User-defined Script
17. Task: Recreate Containers
18. User: root
19. Event: Boot-up
20. Uncheck Enabled (since we don’t want to do this at every reboot)
21. Move over to Task Settings and paste this in:
```sh
#!/bin/sh
# VPN client: owns the network that the other containers attach to
docker container stop vpn
docker container rm vpn
docker rmi dperson/openvpn-client
docker run -it --cap-add=NET_ADMIN --restart always --device /dev/net/tun --name vpn -v /volume1/Transmission/vpn:/vpn -d dperson/openvpn-client

# Transmission: uses the vpn container's network and runs as the DSM user
docker container stop bit
docker container rm bit
docker rmi dperson/transmission
docker run -it --name bit -e USERID="$(id -u ADMIN_USERNAME)" -e GROUPID="$(id -g ADMIN_USERNAME)" --restart always --net=container:vpn -v /volume1/Transmission:/var/lib/transmission-daemon -d dperson/transmission

# Reverse proxy: publishes the Transmission web UI on host ports 10080/10443
docker container stop web-bit
docker container rm web-bit
docker rmi dperson/nginx
docker run -it --name web-bit -p 10080:80 -p 10443:443 --restart always --link vpn:bit -d dperson/nginx -w "http://bit:9091/transmission;/transmission"
```
22. Replace ADMIN_USERNAME with the admin username you use in DSM. If you have separated out permissions then use the username most appropriate to create files on the Transmission share.
23. Save
24. Select the Recreate Containers script entry at the bottom and hit Run at the top to create everything
This script stops and deletes each container and the underlying image, then recreates them. There haven’t been updates to these images in a while since the underlying programs don’t update very often, but it is low cost to recreate things. The steps here are that it creates the openvpn client docker container and makes it a network container, then creates the transmission client docker container, binds it to the vpn docker container to be its network, and makes it run under the user context of your admin user. Without this you’ll end up with permissions issues that are a chore to resolve after reboots. Finally it creates the reverse proxy into this isolated network and binds across to the transmission client, makes the “outside” ports be 10080 and 10443 (mapped to 80/443 inside), and fixes redirects to properly work with the last bit.
Now in your Transmission share you should have downloads, incomplete, info, and vpn subfolders. info has the transmission config file, which you can only modify while the transmission container is stopped or it’ll override the file on shutdown. It has entries for download-dir and incomplete-dir, which should be pointing to /var/lib/transmission-daemon/downloads and […]/incomplete. This is expected since that is the “internal” directory which we remapped when creating the docker container.
Caveats: You’ll need to configure Sonarr, etc. to use port 10443 on the IP of your Synology. Sometimes when you lose internet connectivity things don’t auto-recover. You’ll have to manually stop the vpn, bit, and web-bit containers, start the vpn container (no need to wait for it to say healthy), and start the bit and web-bit containers.
And I suppose:
25. Profit
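A preflight check for steps 1 to 6 of the guide above, added here as an example and not part of the original thread: it confirms the vpn folder holds the three renamed files, that vpn.conf points at the in-container /vpn paths, and that vpn.auth has two lines and is not readable by other accounts. The function names are made up for this example; pass the folder (in the guide, /volume1/Transmission/vpn) as the first argument.

```shell
#!/bin/sh
# Added example: preflight check for the vpn folder built in steps 1-6.

# Print the argument of the last uncommented "<key> <value>" directive.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Succeed if the file's "other" permission bits are all clear.
not_world_accessible() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check one vpn folder; prints each problem and returns 1 if any was found.
check_vpn_dir() {
    dir="$1"; bad=0
    for f in vpn.conf vpn.auth vpn-ca.crt; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; bad=1; }
    done
    [ -f "$dir/vpn.conf" ] && [ -f "$dir/vpn.auth" ] || return 1

    # Paths must be the in-container ones: the folder is mounted at /vpn.
    [ "$(conf_value "$dir/vpn.conf" auth-user-pass)" = "/vpn/vpn.auth" ] ||
        { echo "vpn.conf: auth-user-pass is not /vpn/vpn.auth"; bad=1; }
    [ "$(conf_value "$dir/vpn.conf" ca)" = "/vpn/vpn-ca.crt" ] ||
        { echo "vpn.conf: ca is not /vpn/vpn-ca.crt"; bad=1; }

    # vpn.auth: username on line 1, password on line 2, nothing else.
    lines=$(grep -c . "$dir/vpn.auth" || true)
    [ "$lines" -eq 2 ] ||
        { echo "vpn.auth: expected 2 non-empty lines, found $lines"; bad=1; }

    # The password is stored in clear text, so keep other accounts out.
    not_world_accessible "$dir/vpn.auth" ||
        { echo "vpn.auth: accessible to other users (chmod 600)"; bad=1; }
    return $bad
}

# Run the check only when a folder is given on the command line.
if [ "$#" -gt 0 ]; then
    check_vpn_dir "$1" && echo "vpn folder looks ready"
fi
```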
https://kb.synology.com/en-us/DSM/help/Docker/docker_container?version=6
This tells you how to read the docker hub pages but it’s an older version of the GUI. Also, you picked a less simple one to start with; maybe try setting up a torrent client first to get an idea of the Docker concepts, THEN do one with a VPN. You could also run a virtual DSM in the virtual machine manager app and put that on a VPN separate from your other apps.