qBittorrent

qBittorrent running

Torrent client running behind AirVPN WireGuard tunnel

Version: v5.1.4
Port: 8080
Internal: http://192.168.1.28:8080

VPN-enforced. AirVPN Stockholm (Norma). Port 46698 forwarded.

Item	Detail
VPN	AirVPN WireGuard, Stockholm (Norma)
Forwarded port	46698 (TCP + UDP)
Managed via	Arcane

VPN architecture

qBittorrent runs inside the hotio image which handles WireGuard natively. The WireGuard configuration is stored at /mnt/tank/configs/qbittorrent/wireguard/wg0.conf and is loaded automatically on container start.

The container uses NET_ADMIN capability and sysctls net.ipv4.conf.all.src_valid_mark=1 and net.ipv6.conf.all.disable_ipv6=1. IPv6 is disabled entirely to prevent leaks.

All torrent traffic binds to the wg0 interface. If the tunnel drops, torrent traffic stops rather than routing through the LAN interface.

The AirVPN WireGuard tunnel exits through Stockholm server Norma. Port 46698 is forwarded from AirVPN to the container (both TCP and UDP), allowing incoming torrent connections. This is important for upload ratios on private trackers.

To verify the VPN is active:

docker exec qbittorrent curl -s https://ifconfig.me

This should return an AirVPN exit IP, not the home IP.

Key settings

Connection

Setting	Value
Listening port	46698
Network interface	wg0

Downloads

Setting	Value
Default save path	/media/downloads

Cinephage uses categories (movies and tv) to place completed downloads in subdirectories under downloads. This lets Cinephage locate completed files reliably.

Compose configuration

qbittorrent:
  container_name: qbittorrent
  image: ghcr.io/hotio/qbittorrent:release-5.1.2
  restart: unless-stopped
  ports:
    - 8080:8080
  environment:
    - PUID=568
    - PGID=568
    - UMASK=002
    - TZ=Europe/London
    - WEBUI_PORTS=8080/tcp,8080/udp
    - VPN_ENABLED=true
    - VPN_CONF=wg0
    - VPN_PROVIDER=generic
    - VPN_LAN_NETWORK=192.168.1.0/24
    - VPN_LAN_LEAK_ENABLED=false
    - VPN_AUTO_PORT_FORWARD=true
    - VPN_FIREWALL_TYPE=auto
    - VPN_NAMESERVERS=wg
  cap_add:
    - NET_ADMIN
  sysctls:
    - net.ipv4.conf.all.src_valid_mark=1
    - net.ipv6.conf.all.disable_ipv6=1
  volumes:
    - /mnt/tank/configs/qbittorrent:/config
    - /mnt/tank/media:/media

VPN_LAN_NETWORK is set to 192.168.1.0/24 so LAN devices (including Cinephage at 192.168.1.28:3000) can reach the qBittorrent WebUI while the VPN is active.

WireGuard config location

/mnt/tank/configs/qbittorrent/wireguard/wg0.conf

This file contains the AirVPN private key, peer public key, endpoint, and allowed IPs. It should not be edited manually unless rotating VPN credentials.

Troubleshooting

WebUI not accessible after container start

The VPN tunnel takes a few seconds to establish. Wait 30 seconds and retry. If still inaccessible, check Arcane logs for the qbittorrent container.

Verify VPN is active

docker exec qbittorrent curl -s https://ifconfig.me

Check WireGuard interface inside the container

docker exec qbittorrent ip addr show wg0

Torrent port not reachable

Log in to the AirVPN client portal and confirm port 46698 is still forwarded and enabled. Then verify qBittorrent has 46698 set as the listening port under Tools - Options - Connection.

Downloads not moving after completion

Confirm the category is set correctly in qBittorrent (movies or tv). Check Cinephage’s download client health and that the category names match exactly.