qBittorrent & WG+ProtonVPN tunnel
!! Disclaimer: I am a homelab hobbyist. I have no IT SecOps background. Please please double-check any code before running it.
Yesterday, I decided I should probably put my qBittorrent Proxmox LXC behind a VPN. I already had Wireguard up and running, so I thought I could get a ProtonVPN config file up in no time. It was simultaneously trickier and less tricky than I thought it would be. Here’s how I did it.[1]
This article assumes you already have Wireguard and qBittorrent LXCs installed via tteck’s Proxmox VE Helper Scripts.
wireguard lxc
install dependencies
$ apt install openresolv
$ apt-get install iptables-persistent
acquire ProtonVPN config file
Make sure you choose a server with the P2P icon, which does require a paid Proton subscription. Once you have the config text, download it & copy it. Make sure that the file name is less than 15 characters! Then, either upload the downloaded file to the wireguard lxc in the /etc/wireguard folder, or copy-paste the text inside a newly-made config file from the LXC’s terminal.
add config to LXC
$ cd /etc/wireguard
$ nano proton-config.conf
Now we can check our connection using curl and wg:
$ curl -4 icanhazip.com
OR
$ curl ifconfig.me
$ wg-quick up proton-config
$ wg show
# To make the file non-"world accessible," as a private key is inside it, run:
$ chmod 600 /etc/wireguard/proton-config.conf
You want to make sure not to include the .conf file extension in the wg-quick up command. The output here should give a latest handshake field for the new config. We can then re-run the above curl command and see the new shiny IP instead of the original one.
network bridge time
make the new linux bridge
In your Proxmox server tab on the Proxmox interface, go to the Network menu and create a new linux bridge. Apply this; if you encounter an error here, see if you are missing the ifupdown2 package. You can also just entirely restart the Proxmox server and that’ll do the trick too.
Next, go to the wireguard lxc Network menu on the Proxmox interface. Add a new network device; select the one you just created; and set your static IPv4 address to a new subnet. I went with 10.10.10.1/24 for wireguard.
Do the same thing in the qbittorrent lxc! For this IPv4 address, increment it by one, so it would be 10.10.10.2/24. Use ping to confirm that the two LXCs can talk!
# from the wireguard lxc:
$ ping 10.10.10.2
establish IP forwarding on wg lxc
Next, in the wireguard lxc again, establish IP forwarding and NAT rules:
$ echo "net.ipv4.ip_forward=1" | tee -a /etc/sysctl.conf
$ sysctl -p
$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# to make sure this persists even after reboot
$ netfilter-persistent save
update network interface on qbit lxc
Then head to the qbittorrent lxc and add the following to your /etc/network/interfaces file:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    # [Your qBittorrent LXC's static IP] (comments must sit on their own line in this file)
    address 192.168.Y.XXX
    netmask 255.255.255.0

auto eth1
iface eth1 inet static
    address 10.10.10.2/24
    netmask 255.255.255.0
    gateway 10.10.10.1
    dns-nameservers 1.1.1.1
    # the gateway line above may already have installed this route; || true keeps ifup from failing if so
    post-up ip route add default via 10.10.10.1 dev eth1 || true
    post-up ip route del default via 192.168.Y.1 dev eth0 || true
The X and Y values are what you will change to match your own. You can use ip route to check what your default path is – it should be the eth1 interface. You can also install net-tools for the route command to check the LXC’s IP routing table. I found it super useful for troubleshooting.
restart network service
It’s also good to restart your network services at this point. You can find which services you’re running, and restart them, with these commands:
# find your network services
$ systemctl list-unit-files --type=service --state=enabled | grep network
# for systemd-networkd:
$ sudo systemctl restart systemd-networkd.service
$ sudo systemctl status systemd-networkd.service
# for networking:
$ sudo systemctl restart networking
$ sudo systemctl status networking
# for NetworkManager:
$ sudo systemctl restart NetworkManager
$ sudo systemctl status NetworkManager
[optional] make qbittorrent lxc’s IP static
If you use DHCP, and you have errors after changing the eth0 interface block, this step is for you. Head to the Network tab on the Proxmox VE and edit the eth0 connection. Click on static ipv4 (and ipv6 if you have one), and fill them with your IPv4 & IPv6 addresses. I found trying to directly alter the /etc/network/interfaces file to be a lot more of a hassle than just using the GUI.
test
Test the VPN bridge to see if it worked:
$ ping -c 4 google.com # Test DNS resolution
$ curl -4 icanhazip.com # Should return the WireGuard IP
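A scripted version of the routing check described above, added here as an example and not part of the original write-up: it parses the output of ip -4 route show default on the qbittorrent lxc and flags any default route that does not go via 10.10.10.1 on eth1, since a leftover eth0 default is a path around the tunnel. The function name, exit codes and the 192.168.1.1 sample gateway are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the original article).
# check_default_route ROUTES GATEWAY DEV
#   ROUTES  = text as printed by: ip -4 route show default
#   returns 0 = the only default route is via GATEWAY on DEV
#           1 = no default route at all
#           2 = at least one default route bypasses GATEWAY/DEV (leak path)
check_default_route() {
    printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" '
        $1 == "default" {
            n++; g = ""; d = ""
            # pick out the values that follow the "via" and "dev" keywords
            for (i = 2; i < NF; i++) {
                if ($i == "via") g = $(i + 1)
                if ($i == "dev") d = $(i + 1)
            }
            if (g != gw || d != dev) bad++
        }
        END {
            if (n == 0) exit 1
            if (bad > 0) exit 2
            exit 0
        }'
}

# Constructed sample outputs (hypothetical, for illustration only).
SAMPLE_OK='default via 10.10.10.1 dev eth1 onlink'
SAMPLE_LEAKY='default via 10.10.10.1 dev eth1 onlink
default via 192.168.1.1 dev eth0 metric 100'

# Run against the live routing table only when asked to:
#   sh check-route.sh --live
if [ "${1:-}" = "--live" ]; then
    check_default_route "$(ip -4 route show default)" 10.10.10.1 eth1
    rc=$?
    echo "default route check exit code: $rc"
    echo "egress IPv4: $(curl -4 -s icanhazip.com)"
    exit "$rc"
fi
```

Run it with --live after every reboot or network change; exit code 2 means the eth0 default route came back and should be removed before starting qBittorrent.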
qbittorrent lxc
All that is left is to bind the VPN tunnel to the qBittorrent Web UI, and turn the VPN on! In the Web UI, click on the settings wheel and go to the Advanced menu. Towards the top there is a Network interface drop-down menu. Select the newly-made VPN config! Then, right below that, bind the client to the 10.10.10.2 IP address. This makes sure all traffic is passed through the VPN tunnel. Make sure you save these changes.
turn it on!
You can do this a few ways. If you installed Wireguard using the Proxmox Helper Scripts, you can just log into wgDashboard and turn on the ProtonVPN config file there. Otherwise, you can follow the steps outlined in this article and turn the config file into a systemd service, if you’d like. Either of these options beats running wg-quick up proton-SE every time you reboot the Wireguard LXC.
[1] Big thanks to Evan McKinney for this article published on 2024-03-20. A lot of what I did was adapted from his work there.