I’m setting up a self-hosted stack with a bunch of services running on a home device. I’m also tunneling all the traffic through a VPS in order to expose the services without exposing my home IP or opening ports on my local network. Currently all my traffic is HTTP, and its path looks like this:
- Caddy proxy on remote VPS (HTTPS, :80 & :443)
- Wireguard tunnel
- Caddy proxy in Docker on homeserver (HTTP, :80)
- app containers in separate isolated subnets, shared with Caddy
I want to set up qBittorrent and other torrent apps, and I want all their traffic to pass through the proxies. Proxying traffic to the WebUI is easy, there’s plenty of tutorials; what I’m struggling with is proxying the torrent leeching and seeding traffic, which is the most important part since I live in a country that’s not cool with piracy.
Unless I’m misunderstanding, BitTorrent traffic is TCP or UDP, so I’d need Caddy to act as a Layer 4 proxy. There’s a community-maintained plugin that should support this. How would I configure it though? Do I need both instances to listen on a new port? Or can I open a new port on the VPS only, and forward traffic to the homeserver Caddy over the same port as the HTTP traffic (:80)? Are there nuances in proxying TCP traffic that I should be aware of?
Yes, he means that.
No. For most things qBittorrent does public IP detection. For the rest your VPS will be doing NAT between the WG interface and the public internet. This means your qBittorrent client sends outgoing packets with the source address of your WG private IP and then the VPS will change those to it’s public IP address.
The thing you must be careful about is that you need to restrict qBittorrent to only send and receive traffic on the WG interface, otherwise it will be using both. You can do it in the settings, but the safest way is to do it at the container setup or systemd service level and completely hide any interface that isn’t the WG one from it.
Wow thank you, this is the most useful reply I’ve received so far!
This means I don’t need to mess around with QBT’s “proxy” settings? I was pretty confused since the only options available are SOCKS/SOCKS5 and HTTP, but I’m guessing that’s a different kind of proxy than what I need…
No, you don’t. In short, trackers will look at the source address of the incoming connection on their side, that means you VPS IP because you’re doing NAT on the VPS.
Just make sure qBittorrent is restricted to the WG interface and nothing else.
Fantastic, thank you