engels74/qflood
What is this?
This is a fork of Hotio's rflood Docker image, that uses qBittorrent instead of rtorrent. The qflood image has both "releases" and "nightly support". The included qBittorrent uses libtorrent v2.x.
What is nightly?
Nightly means it updates automatically after a successful run of this workflow file. This means that whenever the official flood repository receives a push commit, this docker image should automatically be updated. All thanks to hotio's brilliant setup.
Starting the container¶
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
|
Tags¶
Tags | Description | Last Updated | Age |
---|
Changing the WebUI port¶
Under certain circumstances it's required to run the WebUI on a different internal port, you can do that by modifying the environment variable WEBUI_PORTS
accordingly. It should be in the format xxxx/tcp,xxxx/udp
, take a look at the default with docker logs
(variable is printed at container start) or docker inspect
.
WireGuard¶
Info
This image includes VPN support. The cli/compose examples below are environment variables and settings complementary to the app image examples. In case you are still in need of a VPN, consider using my affiliate link for Proton, Private Internet Access or TorGuard (50% Off: hotio.dev-50-all
).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
|
-
The environment variable
VPN_LAN_NETWORK
can be set to for example192.168.1.0/24
,192.168.1.0/24,192.168.44.0/24
or192.168.1.33
, so you can get access to the webui or other additional ports (see below). If for example you were to pick192.168.0.0/24
, every device with an ip in the range192.168.0.0 - 192.168.0.255
on your LAN is allowed access to the webui. -
If you need to expose ports on your LAN you can use
VPN_EXPOSE_PORTS_ON_LAN
. For exampleVPN_EXPOSE_PORTS_ON_LAN=7878/tcp,9117/tcp
, will block those ports on the vpn interface, so that there's no risk that they might be exposed to the world and allow access to them from your LAN. Some images also have aWEBUI_PORTS
environment variable that does basically the same for the vpn part. For those apps that support it, it'll also change the port on which the app runs. -
With
net.ipv6.conf.all.disable_ipv6=1
all ipv6 support is disabled. Leave ipv6 disabled and remove all references to it in yourwg0.conf
file to keep things simple. If you need any sort of ipv6 support, enable it withnet.ipv6.conf.all.disable_ipv6=0
. A WireGuard ipv6 endpoint is currently not supported. -
Possible values are
generic
,proton
andpia
. -
There needs to be a file
wg0.conf
located in/config/wireguard
and you need to set the variableVPN_ENABLED
totrue
for the VPN to start. If you'd like to execute some of your own bash commands you can place two scripts alongside yourwg0.conf
, calledwg0-pre.sh
andwg0-post.sh
. These will execute right before the check for the existence of awg0.conf
file and almost at the end, right before the internet connectivity test. -
Auto retrieve a forwarded port and configure the supported app if set to
true
or if you can manually request/set a forwarded port in the VPN provider's web interface, fill in the port number (just the number). Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
By default a random server is used, but if you prefer a certain region you can fill in the region id. A list of available regions can be found in
/config/wireguard
after the first start. If you're seeing an error messageshuf: getrandom: Function not implemented
, you can't let it pick one randomly and are forced to fill in a region id. -
With
VPN_CONF
you can set the name used for your WireGuard config. This is an example of how yourwg0.conf
file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. The WireGuard config is automatically modified to useAllowedIPs = 0.0.0.0/1,128.0.0.0/1
for compatibility with Synology/QNAP/Asustor/WSL2 systems if you append-fix
, soVPN_CONF=wg0-fix
. WSL2 users can also compile their own kernel if they don't wanna use this workaround.[Interface] PrivateKey = supersecretprivatekey Address = xx.xx.xxx.xxx/32 # Yes, /32 DNS = x.x.x.x [Peer] PublicKey = publickey AllowedIPs = 0.0.0.0/0 Endpoint = xxx.x.xxx.x:51820
-
If the WireGuard kernel module is missing (most likely on Synology/QNAP/Asustor), you can run WireGuard in userspace thanks to
wireguard-go
. For that you'll need to add the device/dev/net/tun
. It's most likely that the device/dev/net/tun
does not exist however, have a read here for instructions on checking and adding the device. -
Setting this to
true
will re-add the default nameserver if it's been overwritten by theDNS = ...
entry inwgO.conf
. This should keep container name resolution working. If container name resolution still doesn't work, add--dns 1.1.1.1
, somehow this can fix it (confirmed on MacOS). -
When using
VPN_PROVIDER=pia
, fill in your username and password. Awg0.conf
will be automatically downloaded. -
Required in most cases, on some systems that don't have
rp_filter
set to strict, it's optional. -
Fill in your DIP token here, if you've bought the dedicated ip option.
-
If you'd like to keep using the same forwarded port until it expires, set this to
true
. -
Adds a redirect for the forwarded port from your vpn provider to the internal port on which the app runs, ports in this list are also not blocked on the wireguard interface, so this var is also useful if you want to expose a port on both your LAN and VPN. Values like
32400/tcp
will use the port fromVPN_AUTO_PORT_FORWARD
to create the redirect or if set totrue
the forwarded port from pia/proton. Use3000@3001/tcp,3002@3003/tcp
syntax for extra static redirects. The only known usecase as of right now is Plex and exposing it on the VPN with a non configurable forwarded port, because it's not possible to run Plex on anything else but 32400. Useful website to check for open ports is YouGetSignal and ipleak.net to leak test with.torrent
file. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
. -
Possible values are
auto
,legacy
ornftables
. The default isauto
, this will try to use the most modern method available. If this doesn't work, you can try forcing it tolegacy
ornftables
. -
When enabling the Unbound DNS server your requests will use DNS over TLS to Cloudflare. Except for requests made to
.internal
and.vpn
TLDs, those are done to the local docker DNS server on 127.0.0.11. So if you want to use container hostnames to connect to other containers within a bridge network, you'll have to use--hostname
and usecontainer-name.internal
orcontainer-name.vpn
. Currently.vpn
is a non existing TLD, but that can change in the future. The TLD.internal
should become the standard for internal networks, so it's the safest choice. Unbound can be used regardless ofVPN_ENABLED
beingtrue
orfalse
.