WireGuard and qBittorrent
Problem Description
I was wanting to run qBittorrent on a system located within my home network, but I wanted qBittorrent to do the torrenting of the data via a Virtual Private Server (VPS) located out on the Internet, using a WireGuard VPN connection.
One issue I ran into was that I only wanted to send the qBittorrent traffic over the WireGuard connection but all other traffic on my system would use my normal network connection. The issue that I ran into is that when using wg-quick to configure the WireGuard connection qBittorrent traffic wouldn’t work across the connection due to AllowedIPs being set to only the VPS Host’s IP address. But if I set AllowedIPs = 0.0.0.0/0 then all traffic would end up being sent across the WireGuard connection.
Definitions
- qBittorrent Host: The computer on my home network that will be running the qBittorrent software.
- Virtual Private Server (VPS) Host: The system on the Internet that I want the torrent traffic to go through.
- RFC 5737 IPv4 Address Blocks Reserved for Documentation: We will use 203.0.113.0/24 and 198.51.100.0/24 in the examples below. You will need to use your own IP address and subnet.
- qBittorrent Listening Port: Assumed to be 6881 in the examples. The setting is accessed in qBittorrent at Tools -> Options -> Connection -> Listening Port -> Port used for incoming connections
Steps taken
This assumes that things are set up so that WireGuard can be set up. There are a lot of tutorials out there on getting WireGuard working. For example: https://www.wireguard.com/quickstart/
qBittorrent Host and VPS Host pre-work
On both the qBittorrent Host and the VPS Host you will need to generate the WireGuard public and private keys for each host. They will be needed below.
qBittorrent Host WireGuard setup
On the qBittorrent Host you will need a /etc/wireguard/wg0.conf file like this:
qBittorrent Host /etc/wireguard/wg0.conf:
[Interface]
Address = 203.0.113.1/24
PrivateKey = QBITTORRENT_HOST_PRIVATE_KEY
ListenPort = 51820
Table = off # This is very important
[Peer]
# VPS Host's WireGuard public key
PublicKey = VPS_HOST_PUBLIC_KEY
AllowedIPs = 203.0.113.2/32
AllowedIPs = 0.0.0.0/0
The key here is the use of Table = off. This causes wg-quick to not set up the routing tables when setting up the WireGuard connection. Then we can set AllowedIPs = 0.0.0.0/0 without all traffic being sent out the WireGuard connection by default. But since we have set AllowedIPs to allow any IP address, traffic will not be blocked by WireGuard.
We will be able to set qBittorrent in Tools -> Options -> Advanced -> Network Interface to use the wg0 network interface. So all torrent traffic will be sent via the wg0 WireGuard interface.
Virtual Private Server (VPS) Host WireGuard setup
On the VPS Host you also need a /etc/wireguard/wg0.conf file like this:
VPS Host /etc/wireguard/wg0.conf:
[Interface]
# The address your computer will use on the WireGuard network
Address = 203.0.113.2/24
PrivateKey = VPS_HOST_PRIVATE_KEY
# Assumption that `eth0` is the name of the network interface connected to the Internet
# We need to setup NAT so that the torrent traffic coming from the qBittorrent
# Host can be sent out and responses come back
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Route the listening port (6881) to go to the qBittorrent Host
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881 -j DNAT --to-destination 203.0.113.1
PostUp = iptables -t nat -A PREROUTING -i eth0 -p udp --dport 6881 -j DNAT --to-destination 203.0.113.1
# When the connection goes down remove all the NAT routing rules
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 6881 -j DNAT --to-destination 203.0.113.1
PostDown = iptables -t nat -D PREROUTING -i eth0 -p udp --dport 6881 -j DNAT --to-destination 203.0.113.1
[Peer]
# qBittorrent Host's WireGuard public key
PublicKey = QBITTORRENT_HOST_PUBLIC_KEY
# Public IP address of your qBittorrent Host, use your own public IP as
# 198.51.100.254 is an example IP address
Endpoint = 198.51.100.254:51820
AllowedIPs = 203.0.113.1/24
PersistentKeepalive = 25
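Both wg0.conf files can be checked before running wg-quick. The following is an added example, not code from the original post: a small Python audit that flags AllowedIPs = 0.0.0.0/0 without Table = off (the problem described for the qBittorrent Host) and any PostUp iptables -A rule that has no matching PostDown -D (as used on the VPS Host). The function names and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample: the qBittorrent Host config above with "Table = off" left out.
SAMPLE = """\
[Interface]
Address = 203.0.113.1/24
PrivateKey = QBITTORRENT_HOST_PRIVATE_KEY
ListenPort = 51820
[Peer]
PublicKey = VPS_HOST_PUBLIC_KEY
AllowedIPs = 203.0.113.2/32
AllowedIPs = 0.0.0.0/0
"""

def parse(text):
    """Return (section, key, value) tuples, keeping repeated keys such as AllowedIPs."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, as wg-quick does
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            entries.append((section, key.lower(), value))
    return entries

def audit(text):
    """Return a list of findings (hypothetical helper, not part of WireGuard)."""
    entries, findings = parse(text), []
    tables = [v.lower() for s, k, v in entries if s == "interface" and k == "table"]
    auto_routes = not tables or tables[-1] == "auto"  # wg-quick default is auto
    nets = [ipaddress.ip_network(cidr.strip(), strict=False)
            for s, k, v in entries if s == "peer" and k == "allowedips"
            for cidr in v.split(",")]
    if auto_routes and any(n.prefixlen == 0 for n in nets):
        findings.append("default-route: AllowedIPs covers all addresses and Table "
                        "is not off, so wg-quick would route all traffic via the tunnel")
    downs = {v for s, k, v in entries if k == "postdown"}
    for s, k, v in entries:
        # Every rule appended on PostUp needs the same rule deleted on PostDown.
        if k == "postup" and " -A " in v and v.replace(" -A ", " -D ", 1) not in downs:
            findings.append("no-cleanup: " + v)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty list from audit() means neither problem was found; a Table value other than auto or off (a numbered routing table) is treated as not hijacking the default route.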
Other tasks
I would recommend that you set up a firewall on both the qBittorrent Host and the VPS Host to only allow expected traffic.
qBittorrent Host:
- Only allow incoming traffic on 6881/tcp and 6881/udp for the wg0 interface on the qBittorrent Host.
VPS Host:
- Only allow incoming traffic on 6881/tcp and 6881/udp for the eth0 interface on the VPS Host.
- And allow any other required ports, for example SSH at port 22.