It tunnels everything that is bound to the same network (see the line with gluetun within the qbittorrent container.
And for anyone using a reverse proxy: that can run against the gluetun container with the bound containers port. (edit: in OPs example gluetun:8090 for qbittorrent web)
Only qbit
I have other stuff in that stack as well, like sonarr and radarr, that I cut out.
The network mode setting in docker acts as a bind. The port is exposed to the host in gluetun. If gluetun throws an error and shuts down, qBit WebUI is no longer accessible.
People run their stuff in docker cause it tends to make the process more straight forward.
The question is specifically about isolating your torrent client to a VPN only network, that way leaks are impossible since if the VPN goes down, there are no other networks accessible to the container.
Doesn't QBittorrent already have its own setting for that? Like you can set the network interface to wg-mullvad or whatever and then it won't work outside of that? Or is the docker thing just for an extra layer of protection on top of that?
I removed mine since I moved away from Gitlab. There's other comments with working docker composes, but here's the latest working version of mine if you're interested:
services:
gluetun:
image: ghcr.io/qdm12/gluetun:latest
container_name: gluetun
# line above must be uncommented to allow external containers to connect. See https://github.com/qdm12/gluetun/wiki/Connect-a-container-to-gluetun#external-container-to-gluetun
restart: always
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun:/dev/net/tun
volumes:
- ./data:/gluetun
environment:
## ProtonVPN Wireguard
- VPN_SERVICE_PROVIDER=custom
- VPN_TYPE=wireguard
- VPN_ENDPOINT_IP=${WIREGUARD_ENDPOINT_IP}
- VPN_ENDPOINT_PORT=${WIREGUARD_ENDPOINT_PORT}
- WIREGUARD_PUBLIC_KEY=${WIREGUARD_PUBLIC_KEY}
- WIREGUARD_PRIVATE_KEY=${WIREGUARD_PRIVATE_KEY}
- WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
- TZ=Etc/UTC
ports:
- ${QBITTORRENT_EXPOSED_WEBUI_PORT}:8080/tcp # qBittorrent Web UI
qbittorrent:
# https://docs.linuxserver.io/images/docker-qbittorrent
build: .
container_name: qbittorrent
restart: always
volumes:
- ./config:/config
# using download path as mount so other services can play nice
- ${QBITTORRENT_DOWNLOAD_PATH}:${QBITTORRENT_DOWNLOAD_PATH}
- ${QBITTORRENT_THEMES_PATH}:/themes
environment:
# https://github.com/linuxserver/docker-qbittorrent#umask-for-running-applications
- PUID=${QBITTORRENT_WRITE_UID}
- PGID=${QBITTORRENT_WRITE_GID}
- UMASK=0002
- TZ=Etc/UTC
- WEBUI_PORT=8080
network_mode: "service:gluetun"
depends_on:
gluetun:
condition: service_healthy
portcheck:
image: eiqnepm/portcheck:latest
container_name: portcheck
restart: always
environment:
- QBITTORRENT_PORT=6881
- QBITTORRENT_WEBUI_PORT=8080
- QBITTORRENT_WEBUI_SCHEME=http
- QBITTORRENT_USERNAME=admin
- QBITTORRENT_PASSWORD=${QBITTORRENT_ADMIN_PASSOWRD}
- TIMEOUT=300
- DIAL_TIMEOUT=5
network_mode: "service:gluetun"
depends_on:
qbittorrent:
condition: service_healthy