• originalucifer@moist.catsweat.com
      link
      fedilink
      arrow-up
      3
      ·
      8 months ago

      i think docker allows for this configuration. i use a gluetun container for the network definition of the torrent container to prevent leaking. the torrent container knows of no other network than the vpn container.

    • the_third@feddit.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      There’s readily available docker containers for it but I wanted to build it by hand. Well, more or less, Extremely hacky but it works, so fine for me.

      I started out with cheating and used this wrapper around wg-quick that gives us a persistent network namespace with the tunnel interface in it:

      https://github.com/dadevel/wg-netns

      cat /etc/systemd/system/wg-qbittorrent.service
      [Unit]
      Description=WireGuard Network Namespace for qBittorrent
      Wants=network-online.target nss-lookup.target
      After=network-online.target nss-lookup.target
      
      [Service]
      Type=oneshot
      Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
      Environment=WG_VERBOSE=1
      ExecStart=/opt/wg-netns/bin/wg-netns up /etc/wireguard/wgconfig.yaml
      ExecStop=/opt/wg-netns/bin/wg-netns down /etc/wireguard/wgconfig.yaml
      RemainAfterExit=yes
      
      WorkingDirectory=%E/wireguard
      ConfigurationDirectory=wireguard
      ConfigurationDirectoryMode=0700
      
      CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
      LimitNOFILE=4096
      LimitNPROC=512
      LockPersonality=true
      MemoryDenyWriteExecute=true
      NoNewPrivileges=true
      ProtectClock=true
      ProtectHostname=true
      RemoveIPC=true
      RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
      RestrictNamespaces=mnt net
      RestrictRealtime=true
      RestrictSUIDSGID=true
      SystemCallArchitectures=native
      
      [Install]
      WantedBy=multi-user.target
      

      Then I built a static binary of qbittorrent using this really neat docker image: https://github.com/userdocs/qbittorrent-nox-static

      …and stuffed the result into a systemd service that runs it in the namespace wg-netns provides:

      cat /etc/systemd/system/qbittorrent-nox.service 
      
      [Unit]
      Description=qBittorrent-nox service
      Wants=network-online.target wg-qbittorrent.service 
      After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
      
      [Service]
      Type=simple
      PrivateTmp=false
      #User=qbittorrent
      ExecStart=/usr/sbin/ip netns exec ns-qbittorrent sudo -u qbittorrent /opt/qbittorrent/qbittorrent-nox
      TimeoutStopSec=1800
      RestartSec=15
      RestartMaxDelaySec=600
      RestartSteps=10
      Restart=always
      
      [Install]
      WantedBy=multi-user.target
      
      

      To get the webui out of that I stuck two instances of socat together at the stdout and from there it depends on whatever you want to use as a reverse proxy on the host - or you bind to a network interface if you trust the network:

      cat /etc/systemd/system/qbittorrent-webui.service 
      [Unit]
      Description=qBittorrent-nox webui forwarding into its namespace
      Wants=network-online.target wg-qbittorrent.service 
      After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
      
      [Service]
      Type=simple
      PrivateTmp=false
      ExecStart=/opt/qbittorrent/forward-webinterface.sh
      TimeoutStopSec=1800
      Restart=always
      RestartSec=10
      
      [Install]
      WantedBy=multi-user.target
      
      cat /opt/qbittorrent/forward-webinterface.sh
      #!/bin/sh
      set -eu
      
      exec socat tcp6-listen:"8080",reuseaddr,fork,range=[::1]/128 "exec:ip netns exec ns-qbittorrent socat stdio 'tcp-connect:127.0.0.1:8080',nofork"
      
      

      Works, is reboot safe, stopped caring about beauty at that point.