Proxying torrent traffic to homeserver
Proxying torrent traffic to homeserver
I'm setting up a self-hosted stack with a bunch of services running on a home device. I'm also tunneling all the traffic through a VPS in order to expose the services without exposing my home IP or opening ports on my local network. Currently all my traffic is HTTP, and its path looks like this:
- Caddy proxy on remote VPS (HTTPS, :80 & :443)
- Wireguard tunnel
- Caddy proxy in Docker on homeserver (HTTP, :80)
- app containers in separate isolated subnets, shared with Caddy
I want to set up qBittorrent and other torrent apps, and I want all their traffic to pass through the proxies. Proxying traffic to the WebUI is easy, there's plenty of tutorials; what I'm struggling with is proxying the torrent leeching and seeding traffic, which is the most important part since I live in a country that's not cool with piracy.
Unless I'm misunderstanding, BitTorrent traffic is TCP or UDP, so I'd need Caddy to act as a Layer 4 proxy. There's a community-maintained plugin that should support this. How would I configure it though? Do I need both instances to listen on a new port? Or can I open a new port on the VPS only, and forward traffic to the homeserver Caddy over the same port as the HTTP traffic (:80)? Are there nuances in proxying TCP traffic that I should be aware of?
Since you already have wireguard you don't need any proxies, just set up wireguard to route through the VPS and you should be good to go.
Or you could install a proxy server on the VPS and enter those settings into qBittorrent, if you don't want to use wireguard as a default route.
11By "set up wireguard to route through the VPS" you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?
qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS's IP address in qBittorrent...
Also that means binding a port on the qBittorrent container directly to the homeserver localhost. I've managed to keep the app containers isolated so far and it'd be nice to keep that, but if proxying the traffic is too annoying I guess I can just say fuck it and go with it.
1By “set up wireguard to route through the VPS” you mean having wireguard forward a port from the VPS to a port on the homeserver at its wireguard IP address?
Yes, he means that.
qBittorrent will still need to publish the right IP address to peers though, right? So I will need to configure the proxy VPS’s IP address in qBittorrent…
No. For most things qBittorrent does public IP detection. For the rest your VPS will be doing NAT between the WG interface and the public internet. This means your qBittorrent client sends outgoing packets with the source address of your WG private IP and then the VPS will change those to it's public IP address.
The thing you must be careful about is that you need to restrict qBittorrent to only send and receive traffic on the WG interface, otherwise it will be using both. You can do it in the settings, but the safest way is to do it at the container setup or systemd service level and completely hide any interface that isn't the WG one from it.
1
What you describe doesnt really make sense so ill suggest what i think you really want;
You want your vps to be the wireguard server, the local PC connects as a client this "proxies" your connection so torrent swarms see the IP of your vps.
If you want port forwarding it gets a bit complicated because you need to forward the vps port over wireguard, but this is optional so you dont have to worry if you can't figure it out.
Caddy doesn't really seem relevant unless you want to have a domain name that forwards to your home network.
4I indeed have a domain name pointing to the VPS IP, with Caddy managing TLS. Other apps are exposed this way, and I will do the same for the qBittorrent WebUI as well. I like having Caddy as a single gateway where I can apply security configs and monitor all traffic, I was hoping I would be able to pass torrent traffic through it as well but everybody seems very much against it.
I already have wireguard setup as you describe so I guess I'll just give up on passing torrent traffic through the proxies and just open a localhost port on the qBittorrent container...
1
I think what you're trying to do is called a VPN. Set up a VPN that tunnels all the torrent traffic to and from the virtual server.
2Yes I already have that set up with Wireguard, what I'm figuring out is how to route traffic through it.
2A) Set up a wiregard VPN server in your remote instance. Or better, get a VPN provider, the VPS is kinda pointless.
B) Assuming you're using docker as you should to run your home server's service, use gluetun to connect to the VPN and route your docker traffic for the instances through gluetun. This will ensure that you have a dead man switch when/if the VPN goes down.
C) set-up a reverse proxy to access the various instance from the outside if that is something you need.
Here's a fully developed config, you can use a jumping point.
4
That's Wireguard, no?
2
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol NAT Network Address Translation SSL Secure Sockets Layer, for transparent encryption TCP Transmission Control Protocol, most often over IP TLS Transport Layer Security, supersedes SSL UDP User Datagram Protocol, for real-time communications VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
[Thread #981 for this sub, first seen 20th Sep 2024, 10:15] [FAQ] [Full list] [Contact] [Source code]
1I think you're missing the point of what a proxy is. You don't need a proxy in this scenario if you're connected with Wireguard...
1I'm guessing what you mean is setting up port forwarding in Wireguard...
The thing is ideally I would want all connections in and out of my homeserver's Docker network to go through the local Caddy proxy, so the app containers are isolated. That still means having at least the local Caddy acting as a TCP proxy, even if the VPS Caddy is bypassed. If that's too much of a hassle though I can instead just expose a port on the qBittorrent container directly to the homeserver's localhost, and forward that with wireguard to the VPS.
1Nooooo...that's not what I'm saying.
I'm seriously not trying to be rude here, but I went and read the rest of the thread just now. Your understanding of processes, networks and VPNs is wildly misinformed. I think you need to spend some time learning about each before you go and dismiss what everyone is telling you here, which is that you're trying to make an overcomplicated and very inefficient VPN right now.
Running a torrent client through a proxy doesn't isolated a process. Especially not when you're pushing the traffic through a local proxy. You also don't need to forward any ports.
Connect to the VPN, make sure your traffic is routing there properly, and you're done. OR, you really want a proxy, you setup a proxy. You don't need both, and neither gains you any security. If you're concerned about process isolation, that's a whole other thing you should read up on.
1