VPN For The Downloaders
This is what I did to establish a VPN gateway for my qBit and NZBGet containers to route through and protect activity. I'm sure there is a smoother way to do this, but it's what I did, so...
Network Overview
Role | CTID | IP | Notes |
vpn-gateway | 171 | 192.168.0.171 | Runs WG and acts as gateway |
qBittorrent | 172 | 192.168.0.172 | Routed entirely through VPN |
NZBGet | 173 | 192.168.0.173 | Routed entirely through VPN |
VPN Provider | - | Mullvad | WireGuard config from Mullvad |
The idea is to route all my downloaders' traffic through the VPN, and have the VPN gateway provide a killswitch - if the VPN stops or goes down, it kills all traffic for the downloaders.
VPN Container
1. Enable IP Forwarding
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
2. Install Required Packages
apt update
apt install wireguard iptables iptables-persistent curl -y
3. Set Up WireGuard
I used a Proxmox Community Helper Script to establish the container, so all I had to do was import the config generated from Mullvad's site. If the WGDashboard complains about the content of it, you can place it in this directory for WG to see it: /etc/wireguard/
If WGDashboard doesn't pick it up, reboot the container (I had to) and then enable it from the GUI if you want. I made it the default, so it's loaded on boot.
4. Set up IPTables Rules (Routing & Killswitch)
I used the following idempotent script to establish the rules:
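#!/bin/bash
# Forward downloader traffic only via the WireGuard interface; drop it otherwise (killswitch).
QBIT_IP="192.168.0.172"
NZB_IP="192.168.0.173"
VPN_IF="us-phx-wg-204"

# Append a rule only if an identical one is not already in the chain.
# "iptables -C" does an exact rule check; grepping iptables-save for the full
# command never matches, because it prints "-A FORWARD -s 192.168.0.172/32 ...".
add_rule_if_missing() {
    if iptables -C "$@" 2>/dev/null; then
        echo "Already exists: $*"
    else
        echo "Adding: $*"
        iptables -A "$@"
    fi
}

# Allow the downloaders out through the VPN interface and replies back in.
add_rule_if_missing FORWARD -s "$QBIT_IP" -o "$VPN_IF" -j ACCEPT
add_rule_if_missing FORWARD -s "$NZB_IP" -o "$VPN_IF" -j ACCEPT
add_rule_if_missing FORWARD -i "$VPN_IF" -d "$QBIT_IP" -j ACCEPT
add_rule_if_missing FORWARD -i "$VPN_IF" -d "$NZB_IP" -j ACCEPT
# Killswitch: anything else from the downloaders is dropped. These must stay after the ACCEPT rules.
add_rule_if_missing FORWARD -s "$QBIT_IP" -j DROP
add_rule_if_missing FORWARD -s "$NZB_IP" -j DROP

# Persist the rules so netfilter-persistent restores them on boot.
iptables-save > /etc/iptables/rules.v4
echo "Rules saved."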
I put it in /root/ and named it add-rules.sh - don't forget to make it executable before running it:
chmod +x /root/add-rules.sh
/root/add-rules.sh
5. Ensure iptables-persistent Loads on Boot
This should already be active, if it was installed:
systemctl status netfilter-persistent
Re-save manually if you change the rules:
iptables-save > /etc/iptables/rules.v4
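To confirm the saved rules really enforce the killswitch, here is an added example (not part of the original write-up) that reads iptables-save output such as /etc/iptables/rules.v4 and reports whether a downloader IP has any FORWARD path other than the VPN interface. The function name check_killswitch and the sample ruleset are constructed for illustration. The check is conservative: any ACCEPT that could match the client and is not bound to the VPN interface is reported.

```shell
#!/bin/bash
# Added example, not from the original post. Assumptions: only the filter
# table FORWARD chain is read, and only rules with an exact-host "-s" or no
# "-s" at all; subnets, negations and custom chains are not evaluated.
# Usage: check_killswitch RULES_FILE CLIENT_IP VPN_IF   (exit 0 = no leak path)
check_killswitch() {
    awk -v ip="$2" -v vpn="$3" '
        /^\*/ { filt = ($1 == "*filter"); next }      # table header line
        !filt { next }
        $1 == ":FORWARD" { policy = $2; next }        # chain default policy
        $1 != "-A" || $2 != "FORWARD" || stop { next }
        {
            src = ""; in_if = ""; out_if = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-i") in_if = $(i + 1)
                if ($i == "-o") out_if = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            sub(/\/32$/, "", src)                     # iptables-save prints host/32
            if (src != "" && src != ip) next          # rule for another host
            if (in_if == vpn) next                    # return traffic from the tunnel
            if (tgt == "ACCEPT" && out_if != vpn) {
                print "LEAK: non-VPN ACCEPT reachable: " $0
                bad = 1; stop = 1
            } else if (tgt == "DROP" && out_if == "") {
                stop = 1                              # killswitch DROP reached first
            }
        }
        END {
            if (!bad && !stop && policy != "DROP") {
                print "LEAK: no DROP rule for " ip " (FORWARD policy: " policy ")"
                bad = 1
            }
            if (!bad) print "OK: " ip " is only forwarded via " vpn
            exit bad + 0
        }
    ' "$1"
}
# Constructed sample: the FORWARD rules add-rules.sh leaves behind for qBittorrent.
check_killswitch - 192.168.0.172 us-phx-wg-204 <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 192.168.0.172/32 -o us-phx-wg-204 -j ACCEPT
-A FORWARD -d 192.168.0.172/32 -i us-phx-wg-204 -j ACCEPT
-A FORWARD -s 192.168.0.172/32 -j DROP
COMMIT
EOF
```

On the gateway, run it against the real file for each downloader, for example check_killswitch /etc/iptables/rules.v4 192.168.0.173 us-phx-wg-204.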
Client Container
I used the Proxmox GUI to establish the connection to the VPN and set these things:
- Network → net0 → Gateway: 192.168.0.171
- DNS → DNS Domain: 10.64.0.1 (Mullvad VPN DNS IP)
- Reboot Container
After all that, you might want to check that the container is routing through the VPN correctly. I used this:
curl ifconfig.me
It should show you the VPN's IP and not yours - if you still see yours, something is wrong!
Troubleshooting
Here are the things I ran into when setting all this up the first time. Hopefully they can help you.
Symptom | Cause | Fix |
curl ifconfig.me returns home IP | Wrong gateway in client | Check /etc/network/interfaces (or GUI) |
No internet at all | WG down or DNS broken | Check wg show and check /etc/resolv.conf |
Killswitch not working | Missing DROP rules | Re-run the firewall script |