My Comcast/home ISP-proof qBittorrent setup
This setup consists of two Orange Pi 5 Plus devices. One of them I use as my NAS server, which we’ll call nas-node. The other is an auxiliary that runs the qBittorrent Docker container, which we’ll call aux-node.
nas-node
My NAS server uses Tailscale so that I can conveniently access it from any device on my tailnet. I have an external NAS hard drive enclosure connected to it via USB 3.0, and this NAS enclosure contains four 20 TB enterprise HDDs, so I have a total of roughly 80 TB of storage space that comprises a “RAID0” ZFS pool. My goal is to use some of this storage space for open access data, such as Anna’s Archive. The problem is if I start bittorrenting those archives, it’s possible my Comcast ISP will complain or block, or I’ll get legal scare letters, or some such nonsense. A solution, or a way to circumvent detection by Comcast, would be to use a VPN for the qBittorrent connection. I could use ProtonVPN from my Proton Unlimited account, but this would interfere with the Tailscale VPN. A solution to this, in turn, is to use one of my other Orange Pi 5 Plus devices as an auxiliary node to run the qBittorrent Docker container, and have qBittorrent configured to save downloaded data to the NAS via an NFS share on the nas-node. In order to ensure a consistent and fast connection to the nas-node, I decided to use the second ethernet ports on the Orange Pi 5 Plus devices. So I have a 12-inch ethernet cable connecting the two Orange Pi 5 Plus devices via their second ethernet ports. I configured this with systemd-networkd by setting up a subnet between the two devices.
For the sake of this post, eth0 refers to the primary ethernet port that receives Internet, and eth1 refers to the second ethernet port that connects to the subnet.
On nas-node, I created a network file for systemd at /etc/systemd/network/eth1.network:
[Match]
Name=eth1
[Network]
Address=10.0.4.1/24
On aux-node, I created a network file for systemd at /etc/systemd/network/eth1.network:
[Match]
Name=eth1
[Network]
Address=10.0.4.2/24
Both nas-node and aux-node are running Ubuntu 24.04, which uses netplan.io to configure the network interfaces. I had to disable netplan.io by removing its package, enable systemd-networkd, and reboot in order to use systemd-networkd.
sudo apt purge netplan.io
sudo apt autoremove
sudo systemctl enable systemd-networkd
sudo systemctl reboot
Now that I have a li’l subnet for nas-node and aux-node, I configured
the NFS share on nas-node to allow connection from the aux-node IP
address 10.0.4.2. First, I had to create a ZFS dataset to
store the torrent data, and then configure that dataset to be an NFS
share.
sudo zfs create naspool/torrents
sudo zfs set sharenfs="rw=@10.0.4.0/24" naspool/torrents
sudo chown -R jas:jas /naspool/torrents
In /etc/exports:
/naspool/torrents 10.0.4.2(rw,sync,no_subtree_check)
I set the ownership of the naspool/torrents dataset to
the jas user, so that the jas user on both the
nas-node and aux-node can access it.
aux-node
I configured /etc/fstab to mount the NFS share from
nas-node automatically on boot.
10.0.4.1:/naspool/torrents /mnt/torrents nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.4.2,local_lock=none,addr=10.0.4.1 0 0
I installed Docker and the wireguard-tools packages on aux-node. I
created and downloaded a ProtonVPN Wireguard configuration file and
saved it to /etc/wireguard/wg0.conf. I actually have
several of these from various geographic locations in case one stops
working for whatever reason. When creating the Wireguard configurations
for ProtonVPN, I made sure to select NAT port-forwarding for peer-to-peer
filesharing.
For the qBittorrent Docker container, I used
docker compose with the following compose.yml
file:
---
services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - WEBUI_PORT=8080
      - TORRENTING_PORT=6881
    volumes:
      - /mnt/torrents/downloads:/downloads
      - qbittorrent-config:/config
    ports:
      - 8080:8080
      - 6881:6881
      - 6881:6881/udp
      - 9000:9000
      - 9000:9000/udp
    restart: unless-stopped
volumes:
  qbittorrent-config:
Note that /mnt/torrents on aux-node is the NFS share
from nas-node via the subnet I created for nas-node and aux-node. Port
8080 is so that I can access the qBittorrent web UI. Port 6881 for TCP
and UDP are the torrenting ports that will be forwarded through the
ProtonVPN connection. Port 9000 for TCP and UDP is to allow
port-forwarding for the embedded tracker in qBittorrent. The qBittorrent
Docker container automatically uses the ProtonVPN connection from the
host. I checked this by entering the qBittorrent container’s shell
environment and running curl ipinfo.io to check its public
IP address, which was indeed the ProtonVPN IP address.
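The curl check above is a one-time observation; if wg0 goes down while the container keeps running, the host's default route falls back to eth0. A small watchdog for that case, as an added example that is not part of the original post: it classifies `ip -o route get` output and stops the container unless egress is via wg0. The probe address 1.1.1.1, the sample route lines and the script name vpn-check.sh are assumptions, as is the premise that the container's bridged traffic follows the host's routing rules.

```shell
#!/bin/sh
# Added example (not from the original post): classify where host-routed
# traffic would leave, from one line of `ip -o route get <addr>` output.

VPN_IF="wg0"            # from /etc/wireguard/wg0.conf on the page
CONTAINER="qbittorrent" # container_name in the page's compose.yml
PROBE_ADDR="1.1.1.1"    # assumption: any public address works as a probe

# Constructed sample lines, shaped like real `ip -o route get` output.
SAMPLE_VPN_UP='1.1.1.1 dev wg0 table 51820 src 10.2.0.2 uid 0 \    cache'
SAMPLE_VPN_DOWN='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 0 \    cache'

# Print the interface that follows the "dev" keyword; fail if there is none.
egress_dev() {
    prev=""
    for word in $1; do
        if [ "$prev" = "dev" ]; then
            printf '%s\n' "$word"
            return 0
        fi
        prev=$word
    done
    return 1
}

# ok   = route leaves via the VPN interface
# leak = route leaves via some other interface (e.g. eth0 after wg0 went down)
# down = no usable route at all (empty or unparsable output)
vpn_verdict() {
    dev=$(egress_dev "$1") || { echo down; return 0; }
    if [ "$dev" = "$VPN_IF" ]; then echo ok; else echo leak; fi
}

# Live mode, e.g. from cron or a systemd timer: sh vpn-check.sh --live
# (vpn-check.sh is a hypothetical file name for this script).
if [ "${1:-}" = "--live" ]; then
    line=$(ip -o route get "$PROBE_ADDR" 2>/dev/null || true)
    verdict=$(vpn_verdict "$line")
    echo "egress verdict: $verdict"
    # Anything other than "ok" stops the container so it cannot torrent
    # over the ISP link; `restart: unless-stopped` leaves it stopped.
    [ "$verdict" = "ok" ] || docker stop "$CONTAINER"
fi
```

Run without arguments the script only defines its functions; with --live it needs permission to run docker stop.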
Closing
So, with this setup, I am able to use some of my ~80 TB NAS storage to help out the open access community, with my Comcast ISP being none the wiser. Though, to be epistemically thorough, it’s possible there is some hole in this setup that Comcast can hypothetically circumvent. At the very least, they are able to tell I’m using a VPN.