@0xcaff
Last active May 13, 2023 23:35
OpenVPN, rTorrent and Flood Docker Compose Configuration

The Setup

This is a docker-compose file for a simple, secure torrent setup. It includes rTorrent (a torrent client), Flood (a web interface for rTorrent), OpenVPN (to tunnel the torrent traffic through a VPN instead of sending it directly over your ISP connection) and a simple iptables firewall that lets rTorrent reach the internet only through the VPN. The vpn and rtorrent services share the firewall container's network stack, so its rules apply to their traffic as well: the only destination allowed outside the docker network is the VPN server itself, so nothing leaks while the VPN is down or still connecting.

To run everything, put your OpenVPN configuration file in ./vpn.ovpn and the other configuration files from this gist in a directory. Clone https://github.com/Eficode/wait-for into that directory as well (the vpn and rtorrent services mount ./wait-for/wait-for and fail to start without it) and make sure the script is executable (chmod +x wait-for/wait-for), because the vpn service executes it directly. Set ALLOW_IP_ADDRESS, ALLOW_PORT and ALLOW_PROTO in the firewall service to the server address, port and protocol from the remote line of your vpn.ovpn; the firewall drops every other destination, so OpenVPN cannot connect anywhere else. Then go to that directory and run

docker-compose up

Now Flood can be accessed by visiting localhost:3000.

🎉
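The firewall service only lets one address, port and protocol combination out, so the ALLOW_* values have to match the remote line of vpn.ovpn exactly or the tunnel never comes up. The helper below is an added example, not part of the gist or of the simple-firewall image: it reads the first remote directive of an OpenVPN client config and prints the matching ALLOW_IP_ADDRESS, ALLOW_PORT and ALLOW_PROTO settings. A remote given as a hostname is rejected, because, going by the firewall service's description, the DNS servers at 8.8.8.8 and 8.8.4.4 are only reachable once the tunnel is up, so OpenVPN could never resolve it. The sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Derive the firewall allowlist from an OpenVPN client config.
# Added example; assumes a standard "remote <host> [port] [proto]" line
# and falls back to a top-level "proto" directive, then to OpenVPN's
# default of udp on 1194.
ovpn_allow_settings() {
    ovpn="$1"
    # First remote directive wins; "remote-cert-tls" etc. do not match
    # because whitespace must follow the word "remote".
    line=$(grep -E '^[[:space:]]*remote[[:space:]]' "$ovpn" | head -n 1)
    [ -n "$line" ] || { echo "no remote directive in $ovpn" >&2; return 1; }
    set -- $line
    host="$2"
    port="${3:-1194}"
    proto="${4:-}"
    if [ -z "$proto" ]; then
        proto=$(awk '$1 == "proto" { print $2; exit }' "$ovpn")
    fi
    proto="${proto:-udp}"
    # Map OpenVPN's protocol spellings onto what ALLOW_PROTO accepts.
    case "$proto" in
        udp|udp4|udp6) proto=udp ;;
        tcp|tcp-client|tcp4|tcp6) proto=tcp ;;
        *) echo "unsupported proto: $proto" >&2; return 1 ;;
    esac
    # The firewall allows an IP address, not a name: DNS is blocked until
    # the tunnel exists, so a hostname here would never resolve.
    echo "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "remote '$host' is a hostname; put the resolved IP address in vpn.ovpn" >&2
        return 1
    }
    printf 'ALLOW_IP_ADDRESS=%s\nALLOW_PORT=%s\nALLOW_PROTO=%s\n' "$host" "$port" "$proto"
}

# Constructed sample config (not a real provider's file), matching the
# values used in the compose file below.
sample=$(mktemp)
cat > "$sample" <<'EOF'
client
dev tun
proto udp
remote 178.60.78.125 1194
EOF
ovpn_allow_settings "$sample"
rm -f "$sample"
```

Run it against your own file with `ovpn_allow_settings ./vpn.ovpn` and copy the three lines into the firewall service's environment block. If your provider's config lists the server by name, resolve it once (for example with `getent hosts`) and put the address in both vpn.ovpn and ALLOW_IP_ADDRESS.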

docker-compose.yml

version: '3.4'
services:
  # This service sets up a firewall which only allows traffic to the docker
  # network and the specified destination (ip, port, protocol). See its repo
  # for more information: https://github.com/0xcaff/docker-simple-firewall
  firewall:
    image: quay.io/0xcaff/simple-firewall:latest
    # Needed by the image to set up the firewall.
    cap_add:
      - net_admin
    # The DNS servers which are used through the VPN.
    dns:
      - 8.8.8.8
      - 8.8.4.4
    environment:
      # The only address, port and protocol combination allowed through the
      # firewall. This should be the address, port and protocol of the VPN
      # server (the remote line of vpn.ovpn).
      ALLOW_IP_ADDRESS: 178.60.78.125
      ALLOW_PORT: 1194
      ALLOW_PROTO: udp
      # TCP connections will be accepted at this port once the firewall is
      # configured.
      FIREWALL_READY_SIGNAL_PORT: 60000
    # The only traffic allowed out of this container is traffic to this network
    # and traffic to the specified ip address.
    networks:
      - local
  # A service which creates an openvpn tunnel. Check out its repo for more
  # information: https://github.com/0xcaff/docker-openvpn-client
  vpn:
    image: quay.io/0xcaff/openvpn-client:latest
    # Needed for OpenVPN to work.
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun
    # Share the network stack of the firewall container. When this container
    # binds ports, they can be reached through the "firewall" service.
    network_mode: service:firewall
    volumes:
      # This is the wait-for script from https://github.com/Eficode/wait-for. It
      # is used to ensure that the VPN only starts after the firewall is
      # configured. This is done so if the VPN tries to connect to a non-allowed
      # address the failure is fast.
      - ./wait-for/wait-for:/wait-for
      # The VPN configuration file.
      - ./vpn.ovpn:/vpn/config/config.ovpn
    # Start openvpn after the firewall is done.
    command: "/wait-for localhost:60000 -- openvpn --config /vpn/config/config.ovpn"
  # A service with the rtorrent torrent client. See the repository for more
  # information: https://github.com/0xcaff/docker-rtorrent
  rtorrent:
    image: 0xcaff/rtorrent:latest
    # Share the network stack of the firewall container. When this container
    # binds ports, they can be reached through the "firewall" service.
    network_mode: service:firewall
    # SCGI is exposed on port 5000.
    volumes:
      # rTorrent configuration file.
      - ./rtorrent.rc:/rtorrent/.rtorrent.rc
      # rTorrent persistent state.
      - downloaded:/rtorrent/downloaded
      - session:/rtorrent/.rtorrent.session
      # This is the wait-for script from https://github.com/Eficode/wait-for. It
      # is used to ensure that rtorrent starts only after the firewall is
      # initialized.
      - ./wait-for/wait-for:/wait-for
    # Waits for the firewall to be set up before running rtorrent. The VPN may
    # or may not be ready but no traffic will be leaked because of the firewall.
    entrypoint: "/bin/sh"
    command: "/wait-for localhost:60000 -- rtorrent"
  # A service containing flood, a web interface for rtorrent.
  flood:
    image: 0xcaff/flood
    depends_on:
      - rtorrent
    environment:
      # Configuration for flood. Check out this file for all possible
      # configuration options:
      # https://github.com/jfurrow/flood/blob/master/config.docker.js
      #
      # The host and port the rTorrent SCGI API can be reached at. rtorrent
      # shares the firewall container's network stack, so its port 5000 is
      # reachable under the "firewall" name.
      RTORRENT_SCGI_HOST: firewall
      RTORRENT_SCGI_PORT: 5000
    volumes:
      - flood:/data
    # Expose the flood web interface port. This is the only port published
    # to the host.
    ports:
      - 3000:3000
    # The firewall container (and with it vpn and rtorrent, which share its
    # network stack) is only reachable through the local network.
    networks:
      - local
volumes:
  downloaded:
    driver: local
  session:
    driver: local
  flood:
    driver: local
networks:
  # A network for connecting local services.
  local:
rtorrent.rc

directory = ~/downloaded
session = ~/.rtorrent.session
system.daemon.set = true
# Listen on all addresses of the shared firewall network stack so flood can
# reach rTorrent at firewall:5000. SCGI has no authentication of its own, so
# this must only ever be reachable from the compose "local" network.
scgi_port = 0.0.0.0:5000
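The compose file relies on the firewall container's iptables rules to guarantee that rtorrent cannot reach anything except the VPN server, even before OpenVPN has connected. The script below is an added illustration of that fail-closed egress policy, written in the spirit of the firewall service; it is not the simple-firewall image's own script and its rule set is an assumption. It takes the same ALLOW_IP_ADDRESS, ALLOW_PORT and ALLOW_PROTO values, plus the subnet of the compose "local" network, and assumes OpenVPN will create tun0. Pointing IPTABLES at echo turns it into a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Fail-closed egress allowlist for a container whose network stack is shared
# with an OpenVPN client. Added example, not the simple-firewall image's code.
# Assumptions: $4 is the docker "local" subnet, the tunnel interface is tun0,
# and IPTABLES may be overridden (IPTABLES=echo) for a dry run.
IPTABLES="${IPTABLES:-iptables}"

apply_egress_rules() {
    allow_ip="$1"; allow_port="$2"; allow_proto="$3"; local_subnet="$4"
    case "$allow_proto" in
        udp|tcp) ;;
        *) echo "ALLOW_PROTO must be udp or tcp, got '$allow_proto'" >&2; return 1 ;;
    esac
    # Drop first, allow later: while the rules below are being added nothing
    # can leave, and anything they do not match (including DNS to 8.8.8.8
    # outside the tunnel) stays blocked.
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -F OUTPUT
    # Loopback, used by the wait-for probes against localhost:60000 and by
    # anything else the shared network stack talks to itself about.
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    # Replies on connections that came in, e.g. flood talking to SCGI on 5000.
    "$IPTABLES" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The other containers on the compose network.
    "$IPTABLES" -A OUTPUT -d "$local_subnet" -j ACCEPT
    # The single external destination: OpenVPN's encrypted packets to the VPN
    # server match here and nothing else does.
    "$IPTABLES" -A OUTPUT -d "$allow_ip" -p "$allow_proto" --dport "$allow_port" -j ACCEPT
    # Traffic that is already inside the tunnel. rtorrent's packets leave via
    # tun0 once the VPN is up and are dropped by the policy until then.
    "$IPTABLES" -A OUTPUT -o tun0 -j ACCEPT
}

# Apply only when called with the four values, so the file can also be
# sourced for its function.
if [ "$#" -eq 4 ]; then
    apply_egress_rules "$@"
fi
```

A dry run such as `IPTABLES=echo sh egress.sh 178.60.78.125 1194 udp 172.20.0.0/16` prints the seven rules in order; the first line must be the DROP policy. On a running stack, `iptables -S OUTPUT` inside the firewall container should likewise start with `-P OUTPUT DROP`, and a connection attempt from the rtorrent container to any public address while the VPN is down should time out rather than succeed.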
@Firerouge

> Is there a way to build the rtorrent image with XMLRPC enabled

@adrianocr, the image does build rtorrent with xmlrpc already, which is used by the current flood UI

> And also a way to expose the correct port.

If you add another service to the existing docker-compose.yml local network the service should be able to communicate to rtorrent same as the flood service can, firewall:5000

@freakyc

freakyc commented Oct 19, 2019

I get this error after running the command:

flood-docker_firewall_1 is up-to-date
Starting flood-docker_vpn_1 ... error
Starting flood-docker_rtorrent_1 ...

ERROR: for flood-docker_vpn_1 Cannot start service vpn: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: "/wait-forStarting flood-docker_rtorrent_1 ... done
flood-docker_flood_1 is up-to-date

ERROR: for vpn Cannot start service vpn: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: "/wait-for": permission denied": unknown
ERROR: Encountered errors while bringing up the project.

In the comments, it provides the URL for wait-for. Create the directory and put the script in there.

I also had to change the wait-for lines to './wait-for/wait-for.sh:/wait-for.sh' to get it to work. If I didn't, it gave an error about trying to mount a file as a directory.

@auladinglese

Hi there,

I've been looking around for a secure rtorrent + openvpn setup for my raspberry pi. I have a Pi4 4gb and a Pi0. I was hoping to either setup a docker stack on the Pi4 to run alongside other containers or to use my pizero as a dedicated torrent downloader.

The setup shown in this gist looks particularly secure but the images are only for amd64. Would it be possible to build these images for armv6/armv7?

I'm fairly new to docker and am having difficulties working out the best approach to building for armv6 or v7.

Any suggestions would be appreciated.

Thanks!

@auladinglese

auladinglese commented Mar 7, 2020

Hi again!
I think I figured out my issue with crossbuilding docker images for other architectures, and I'm now just trying to get my old i3 to pull and run the images so I can be certain things work before trying to crossbuild.

I'm getting an error like skoLLC. I followed the suggestion from freakyc and yet I'm still hitting a brick wall.

ERROR: for 60357cb88f32_test_vpn_1 Cannot start service vpn: OCI runtime create failed: container_linux.go:349: starting container process caused "exRecreating test_rtorrent_1 ... done
test_flood_1 is up-to-date

ERROR: for vpn Cannot start service vpn: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: "/wait-for": stat /wait-for: no such file or directory": unknown

ERROR: Encountered errors while bringing up the project.

If anyone could let me know where I'm going wrong, I'd be grateful. I followed the link to the waitfor script and see that it can also be built as an image, would that help?

Happy to share details of any progress I make. Would also be happy if someone just told me to read something. My issue is really understanding where to start looking for the solution.

I realise that noobs such as myself can be irritating. I have done quite a lot of rooting around on the internet to see if there is anything that would make, what is probably a painfully obvious mistake, obvious to me! Alas I remain ignorant!

@0xcaff
Author

0xcaff commented Mar 9, 2020

This error seems to be caused by the wait-for script missing. Clone https://github.com/Eficode/wait-for into your working directory before running docker-compose up.

@kionei

kionei commented Jul 9, 2020

So far I've gotten everything up and running, technically, but once I register with Flood that container crashes. Logs suggest errors with npm / node / flood. I'm still new to docker; I'm not even sure if one can update node / npm / flood in an existing container. Is this compose still viable for new installations?

@Drewskiola

Drewskiola commented Jan 24, 2022

This script hangs and does not continue after the line that says flood server starting on port 3000. The flood login does come up through the host browser but that's about it. I did clone the wait-for directory as mentioned in a previous post which did solve some initial issues in getting the script going.

Any ideas? I am running fedora 33.
