Skip to content

hotio/qbittorrent

Important Announcement

Due to scarf.sh after all this time still being on various block lists used by PiHole or other ad blockers, the use of cr.hotio.dev is being phased out. As you can see from the examples, ghcr.io is the new default, but if you insist on needing an older tag, you might have to pull it from docker.io (Docker Hub).

GitHub
docker.io / ghcr.io

Starting the container

docker run --rm \
    --name qbittorrent \
    -p 8080:8080 \
    -e PUID=1000 \
    -e PGID=1000 \
    -e UMASK=002 \
    -e TZ="Etc/UTC" \
    -v /<host_folder_config>:/config \
    -v /<host_folder_data>:/data \
    ghcr.io/hotio/qbittorrent

version: "3.7"

services:
  qbittorrent:
    container_name: qbittorrent
    image: ghcr.io/hotio/qbittorrent
    ports:
      - "8080:8080"
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=Etc/UTC
    volumes:
      - /<host_folder_config>:/config
      - /<host_folder_data>:/data

Login credentials

The default qBittorrent username is admin and the default password is adminadmin. If this doesn't work you're probably running Unraid and you'll most likely have to change the internal port on which the WebUI runs to match the external port.

Tags

Tags Description Last Updated Age

Changing the WebUI port

Under certain circumstances it's required to run the WebUI on a different internal port, you can do that by modifying the environment variable WEBUI_PORTS accordingly. It should be in the format xxxx/tcp,xxxx/udp, take a look at the default with docker logs (variable is printed at container start) or docker inspect.

VueTorrent

vuetorrentui

This image comes bundled with the alternative Web UI VueTorrent, to enable it you'll have to adjust your settings like pictured below.

vuetorrentsettings

WireGuard VPN

docker run --rm \
    --name qbittorrent \
    -p 8080:8080 \
    -p 8118:8118 \
    -e PUID=1000 \
    -e PGID=1000 \
    -e UMASK=002 \
    -e TZ="Etc/UTC" \
    -e VPN_ENABLED="true" \
    -e VPN_LAN_NETWORK="192.168.1.0/24" \
    -e VPN_CONF="wg0" \
    -e VPN_ADDITIONAL_PORTS="" \
    -e PRIVOXY_ENABLED="false" \
    -v /<host_folder_config>:/config \
    -v /<host_folder_data>:/data \
    --cap-add=NET_ADMIN \
    --dns 1.1.1.1 \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --sysctl="net.ipv6.conf.all.disable_ipv6=1" \
    ghcr.io/hotio/qbittorrent

version: "3.7"

services:
  qbittorrent:
    container_name: qbittorrent
    image: ghcr.io/hotio/qbittorrent
    ports:
      - "8080:8080"
      - "8118:8118"
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=Etc/UTC
      - VPN_ENABLED=true
      - VPN_LAN_NETWORK=192.168.1.0/24
      - VPN_CONF=wg0
      - VPN_ADDITIONAL_PORTS
      - PRIVOXY_ENABLED=false
    volumes:
      - /<host_folder_config>:/config
      - /<host_folder_data>:/data
    cap_add:
      - NET_ADMIN
    dns:
      - 1.1.1.1
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1

There needs to be a file wg0.conf located in /config/wireguard and you need to set the variable VPN_ENABLED to true for the VPN to start.

With net.ipv6.conf.all.disable_ipv6=1 you can enable ipv6 support by setting the value to 0. Leave ipv6 disabled and remove all references to it in your wg0.conf file to keep things simple, but keep in mind that the option is there if you need it.

The environment variable VPN_LAN_NETWORK can be set to for example 192.168.1.0/24, 192.168.1.0/24,192.168.44.0/24 or 192.168.1.33, so you can get access to the webui or other additional ports (see below).

If you need to expose additional ports you can use VPN_ADDITIONAL_PORTS, for example VPN_ADDITIONAL_PORTS=7878/tcp,9117/tcp. Every port in this list will be blocked on the vpn interface, so that there's no risk that they might be exposed to the world via the vpn (mostly there in case your vpn provider screws up and piece of mind). Why would you need this? Wanting to route traffic from other containers over the vpn is probably the most used scenario.

This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for.

[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/0
Endpoint = xxx.x.xxx.x:51820

resolv.conf error message

If you are seeing an error message like mv: cannot move '/etc/resolv.conf.173.openresolv' to '/etc/resolv.conf': Resource busy. Remove the DNS = 1.1.1.1 from your wg0.conf file and set the dns server using the docker cli argument --dns 1.1.1.1 or the equivalent for compose. This should be done if you were following past instructions.

Synology (WireGuard Go)

docker run --rm \
    --name qbittorrent \
    -p 8080:8080 \
    -p 8118:8118 \
    -e PUID=1000 \
    -e PGID=1000 \
    -e UMASK=002 \
    -e TZ="Etc/UTC" \
    -e VPN_ENABLED="true" \
    -e VPN_LAN_NETWORK="192.168.1.0/24" \
    -e VPN_CONF="wg0" \
    -e VPN_ADDITIONAL_PORTS="" \
    -e PRIVOXY_ENABLED="false" \
    -v /<host_folder_config>:/config \
    -v /<host_folder_data>:/data \
    --cap-add=NET_ADMIN \
    --dns 1.1.1.1 \
    --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
    --sysctl="net.ipv6.conf.all.disable_ipv6=1" \
    --device /dev/net/tun:/dev/net/tun \
    ghcr.io/hotio/qbittorrent

version: "3.7"

services:
  qbittorrent:
    container_name: qbittorrent
    image: ghcr.io/hotio/qbittorrent
    ports:
      - "8080:8080"
      - "8118:8118"
    environment:
      - PUID=1000
      - PGID=1000
      - UMASK=002
      - TZ=Etc/UTC
      - VPN_ENABLED=true
      - VPN_LAN_NETWORK=192.168.1.0/24
      - VPN_CONF=wg0
      - VPN_ADDITIONAL_PORTS
      - PRIVOXY_ENABLED=false
    volumes:
      - /<host_folder_config>:/config
      - /<host_folder_data>:/data
    cap_add:
      - NET_ADMIN
    dns:
      - 1.1.1.1
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.all.disable_ipv6=1
    devices:
      - /dev/net/tun:/dev/net/tun

This image includes wireguard-go, the Go implementation of WireGuard which runs in userspace. Systems like Synology, Qnap or others with missing kernel modules can make use of this to establish a WireGuard VPN connection.

This is an example of how your wg0.conf file should look like. If there's a lot of extra stuff, remove it unless you know what it's there for. Don't forget to add PreUp and adjust ÀllowedIPs.

[Interface]
PrivateKey = supersecretprivatekey
Address = xx.xx.xxx.xxx/32
PreUp = bash /config/wireguard/preup.sh

[Peer]
PublicKey = publickey
AllowedIPs = 0.0.0.0/1,128.0.0.0/1
Endpoint = xxx.x.xxx.x:51820

The preup.sh script stored in /config/wireguard/preup.sh.

#!/bin/bash
wgserver=$(grep Endpoint "${CONFIG_DIR}/wireguard/${VPN_CONF}.conf" | awk '{print $3}')
gateway=$(ip -o -4 route show to default | awk '{print $3}')

ip -4 route add "${wgserver%:*}" via "${gateway}" dev eth0

It's most likely that the device /dev/net/tun does not exist, have a read here for instructions on checking and adding the device.

It basically comes down to these few shell commands (tested with DSM 7.1.1-42962 Update 6):

sudo mkdir /dev/net
sudo mknod /dev/net/tun c 10 200
sudo chmod 600 /dev/net/tun