The Gluetun container allows you to force services through a VPN tunnel. It needs the TUN kernel module to be loaded on your NAS:

  • Log in to your Synology NAS using SSH, become root (‘sudo -i’) and run:

      insmod /lib/modules/tun.ko
    

On DSM >= 7.1, it should now automatically load on every boot. You can verify that the kernel module is loaded:

~~~
lsmod | grep tun
~~~

OpenVPN Tunnel using Private Internet Access

  • Add VPN credentials to your /volume1/docker/.env file:

      # PrivateInternetAccess
      PIA_USER="your_pia_username"
      PIA_PASS="your_pia_password"
    
  • Add the Gluetun container to your docker-compose.yaml services:

~~~
###### SERVICES
services:

  # See https://github.com/qdm12/gluetun/wiki
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - $DOCKERDIR/appdata/gluetun/data:/gluetun
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
      VPN_SERVICE_PROVIDER: "private internet access"
      VPN_TYPE: openvpn
      SERVER_REGIONS: Netherlands
      OPENVPN_USER: $PIA_USER
      OPENVPN_PASSWORD: $PIA_PASS
      UPDATER_PERIOD: 24h
~~~

Test your setup:

~~~
root@nas# cd /volume1/docker
root@nas# source .env
root@nas# docker-compose -f docker-compose.yaml up
~~~

If all is well, your VPN tunnel is now up and running. Next step is to add a service that uses this tunnel.

Tunneling container traffic through Gluetun

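Add qbittorrent to your docker-compose.yaml. With network_mode "service:gluetun" the container shares the gluetun container's network stack, so it cannot publish ports itself: note that you need to copy the ‘ports:’ entry to the gluetun container!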

~~~
  # qBittorrent - Torrent downloader
  qbittorrent:
    <<: *common-keys-apps # See EXTENSION FIELDS at the top
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    network_mode: "service:gluetun"
    # ports:
    #   - 18080:8080   # Exposed via gluetun 18080/tcp, connects to qbittorrent port 8080
    volumes:
      - $DOCKERDIR/appdata/qbittorrent/config:/config
      - $MEDIADIR/qbittorrent:/data/downloads # Ensure that the downloads folder is set to /data/downloads in qBittorrent
    environment:
      TZ: $TZ
      PUID: $PUID
      PGID: $PGID
      UMASK_SET: 002
~~~

Test your setup:

~~~
root@nas# cd /volume1/docker
root@nas# source .env
root@nas# docker-compose -f docker-compose.yaml up
root@nas# docker exec -ti qbittorrent /bin/bash
curl ifconfig.io
~~~

The ‘curl’ command should show the VPN exit node IP address, not your own IP address.
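
The same check can be scripted so that a leak is detected rather than eyeballed. This is an added example, not part of the original post: it reuses the container name and ifconfig.io from above, while the function names and the `--run` switch are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Container name and ifconfig.io are
# taken from the page; function names and the --run switch are made up here.

# Succeed only if $1 is a dotted-quad IPv4 address (rejects empty/HTML replies).
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1 count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    [ "$count" -eq 4 ]
}

# $1 = public IP seen from the NAS, $2 = public IP seen inside the container.
# Prints a verdict; returns 0 only when the two valid addresses differ.
tunnel_verdict() {
    if ! is_ipv4 "$2"; then
        echo "NO-CONNECTIVITY"; return 2   # no usable reply from the container
    fi
    if ! is_ipv4 "$1"; then
        echo "UNKNOWN"; return 3           # nothing to compare against
    fi
    if [ "$1" = "$2" ]; then
        echo "LEAK"; return 1              # container exits via your own IP
    fi
    echo "TUNNELLED"
}

# Live check: run as root on the NAS while the stack is up.
check_tunnel() {
    host_ip=$(curl -4 -s --max-time 10 ifconfig.io)
    vpn_ip=$(docker exec qbittorrent curl -4 -s --max-time 10 ifconfig.io)
    tunnel_verdict "$host_ip" "$vpn_ip"
}

if [ "${1:-}" = "--run" ]; then
    check_tunnel
fi
```

Run it with `--run` as root on the NAS; the exit status is non-zero for anything other than TUNNELLED, so it can drive a scheduled task or alert.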

When accessing the qBittorrent web interface, you will probably only see ‘unauthorized’. To fix this error, stop the container and add the following to your /volume1/docker/appdata/qbittorrent/config/qBittorrent/qBittorrent.conf:

~~~
WebUI\HostHeaderValidation=false
~~~

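Setting HostHeaderValidation to false turns off qBittorrent's Host header check, which is its protection against DNS rebinding, so keep the web interface reachable from your own network only.

The default login is “admin”, password “adminadmin”. Please change this ;-)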
