I’m setting up a self-hosted stack with a bunch of services running on a home device. I’m also tunneling all the traffic through a VPS in order to expose the services without exposing my home IP or opening ports on my local network. Currently all my traffic is HTTP, and its path looks like this:
- Caddy proxy on remote VPS (HTTPS, :80 & :443)
- Wireguard tunnel
- Caddy proxy in Docker on homeserver (HTTP, :80)
- app containers in separate isolated subnets, shared with Caddy
I want to set up qBittorrent and other torrent apps, and I want all their traffic to pass through the proxies. Proxying traffic to the WebUI is easy, there’s plenty of tutorials; what I’m struggling with is proxying the torrent leeching and seeding traffic, which is the most important part since I live in a country that’s not cool with piracy.
Unless I’m misunderstanding, BitTorrent traffic is TCP or UDP, so I’d need Caddy to act as a Layer 4 proxy. There’s a community-maintained plugin that should support this. How would I configure it though? Do I need both instances to listen on a new port? Or can I open a new port on the VPS only, and forward traffic to the homeserver Caddy over the same port as the HTTP traffic (:80)? Are there nuances in proxying TCP traffic that I should be aware of?
Since you already have wireguard you don’t need any proxies, just set up wireguard to route through the VPS and you should be good to go.
Or you could install a proxy server on the VPS and enter those settings into qBittorrent, if you don’t want to use wireguard as a default route.
By “set up wireguard to route through the VPS” you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?
qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS’s IP address in qBittorrent…
Also that means binding a port on the qBittorrent container directly to the homeserver localhost. I’ve managed to keep the app containers isolated so far and it’d be nice to keep that, but if proxying the traffic is too annoying I guess I can just say removed it and go with it.
By “set up wireguard to route through the VPS” you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?
Yes, he means that.
qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS’s IP address in qBittorrent…
No. For most things qBittorrent does public IP detection. For the rest your VPS will be doing NAT between the WG interface and the public internet. This means your qBittorrent client sends outgoing packets with the source address of your WG private IP and then the VPS will change those to it’s public IP address.
The thing you must be careful about is that you need to restrict qBittorrent to only send and receive traffic on the WG interface, otherwise it will be using both. You can do it in the settings, but the safest way is to do it at the container setup or systemd service level and completely hide any interface that isn’t the WG one from it.
Wow thank you, this is the most useful reply I’ve received so far!
This means I don’t need to mess around with QBT’s “proxy” settings? I was pretty confused since the only options available are SOCKS/SOCKS5 and HTTP, but I’m guessing that’s a different kind of proxy than what I need…
This means I don’t need to mess around with QBT’s “proxy” settings?
No, you don’t. In short, trackers will look at the source address of the incoming connection on their side, that means you VPS IP because you’re doing NAT on the VPS.
Just make sure qBittorrent is restricted to the WG interface and nothing else.
Fantastic, thank you
What you describe doesnt really make sense so ill suggest what i think you really want;
You want your vps to be the wireguard server, the local PC connects as a client this “proxies” your connection so torrent swarms see the IP of your vps.
If you want port forwarding it gets a bit complicated because you need to forward the vps port over wireguard, but this is optional so you dont have to worry if you can’t figure it out.
Caddy doesn’t really seem relevant unless you want to have a domain name that forwards to your home network.
I indeed have a domain name pointing to the VPS IP, with Caddy managing TLS. Other apps are exposed this way, and I will do the same for the qBittorrent WebUI as well. I like having Caddy as a single gateway where I can apply security configs and monitor all traffic, I was hoping I would be able to pass torrent traffic through it as well but everybody seems very much against it.
I already have wireguard setup as you describe so I guess I’ll just give up on passing torrent traffic through the proxies and just open a localhost port on the qBittorrent container…
I think what you’re trying to do is called a VPN. Set up a VPN that tunnels all the torrent traffic to and from the virtual server.
That’s Wireguard, no?
Yes I already have that set up with Wireguard, what I’m figuring out is how to route traffic through it.
A) Set up a wiregard VPN server in your remote instance. Or better, get a VPN provider, the VPS is kinda pointless.
B) Assuming you’re using docker as you should to run your home server’s service, use gluetun to connect to the VPN and route your docker traffic for the instances through gluetun. This will ensure that you have a dead man switch when/if the VPN goes down.
C) set-up a reverse proxy to access the various instance from the outside if that is something you need.
Here’s a fully developed config, you can use a jumping point.
I have already set up all of that. My setup is similar to the one in this blogpost and it’s already working for various apps that only use HTTP. What I’m trying to do is to also route BitTorrent traffic (TCP/UDP) over the same setup without opening up entirely new paths.
Usually that’s done by the network routing. Add a default(?) route(?) or make the software bind to the vpn interface. I’m not sure. I think firewall rules can do the same thing. If you’re using docker, I’d advise you to use “gluetun” that seems to do everything for you.
Usually people do copyright violation with bittorrent. That means they tend to make sure the routing or dns doesn’t leak anything. I think that’s usually done by running the software inside of some containers or virtualization. If you do that your setup becomes simpler than inventing a dozen or so firewall rules. Either use gluetun or make the container bind to the vpn in its entirety. So practically the same setup everyone uses for pirating, just that you don’t pay for a VPN service, but do that (server) part yourself on your virtual server. Everything else is a good bit more elaborate and complicated…
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol NAT Network Address Translation SSL Secure Sockets Layer, for transparent encryption TCP Transmission Control Protocol, most often over IP TLS Transport Layer Security, supersedes SSL UDP User Datagram Protocol, for real-time communications VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
[Thread #981 for this sub, first seen 20th Sep 2024, 10:15] [FAQ] [Full list] [Contact] [Source code]
I think you’re missing the point of what a proxy is. You don’t need a proxy in this scenario if you’re connected with Wireguard…
I’m guessing what you mean is setting up port forwarding in Wireguard…
The thing is ideally I would want all connections in and out of my homeserver’s Docker network to go through the local Caddy proxy, so the app containers are isolated. That still means having at least the local Caddy acting as a TCP proxy, even if the VPS Caddy is bypassed. If that’s too much of a hassle though I can instead just expose a port on the qBittorrent container directly to the homeserver’s localhost, and forward that with wireguard to the VPS.
Nooooo…that’s not what I’m saying.
I’m seriously not trying to be rude here, but I went and read the rest of the thread just now. Your understanding of processes, networks and VPNs is wildly misinformed. I think you need to spend some time learning about each before you go and dismiss what everyone is telling you here, which is that you’re trying to make an overcomplicated and very inefficient VPN right now.
Running a torrent client through a proxy doesn’t isolated a process. Especially not when you’re pushing the traffic through a local proxy. You also don’t need to forward any ports.
Connect to the VPN, make sure your traffic is routing there properly, and you’re done. OR, you really want a proxy, you setup a proxy. You don’t need both, and neither gains you any security. If you’re concerned about process isolation, that’s a whole other thing you should read up on.
Resetting the “time since last being told I don’t know removed on the internet” back to 0 once again…
I already have an existing and working setup used for other apps, it’s close to the one described in this blogpost. Yes, it’s complicated and inefficient, but it has reasons to be. I want to keep my qBittorrent configuration as close to this setup as reasonably possible for consistency. If your point is that it’s counterproductive to follow this setup then… fair enough. I can just route traffic from the VPS to an exposed port on the local qBittorrent container over Wireguard, but that wasn’t my preferred solution.
Running a torrent client through a proxy doesn’t isolated a process.
I was talking about network isolation, not process isolation.
make sure your traffic is routing there properly
That was pretty much what I was asking for help with.
Well everyone here is telling you what the problem is. If you’re trying to go by every step in that blog post you linked, that’s wrong for what you’re trying to do. That’s a reverse proxy for HTTP requests.