Question Direct Download Station to go through VPN?

If the VPN connection goes down, VDSM including any package running under it will default back to the default LAN adapter. If that LAN adapter has a configured gateway parameter, the traffic will continue forward outside the VPN.

Multiple Gateways setting is by default turned off, have you activated it for a specific reason? Guessing it is needed in order to connect to that VDSM instance from the outside while the VPN connection is active?

Bottom line, a "kill-switch" will not work out of the box. Try and remove the gateway parameter on your main VDSM adapter, and connect via VPN. Then, download and terminate the VPN. See if the traffic will stop in that case.

Rusty,
Thanks for the quick reply!

I did not activate the multiple gateways setting. I thought I deactivated it, but in any case the tick box is "unchecked". I am still able to connect to the VDSM remotely and locally with that setting unchecked. What does that setting do if it doesn't force VDSM to use only the default gateway?

I believe if I remove the gateway parameter for the main VDSM (LAN adapter) I will lose all connectivity. The VPN connection is remote through a third party (Windscribe) so it relies on the LAN adapter to provide internet connection if I understand it correctly.

Perhaps I need to configure the VPN on my router to direct all VDSM IP traffic through the VPN? I'll have to look for info about how to do that with my router (Orbi RBR50) and see if router supports such a configuration.
 
What does that setting do if it doesn't force VDSM to use only the default gateway?
Multiple gateway settings is for when you need access to that DSM instance and their services but on the other hand that same instance is acting as a VPN client (like in your case).

Now considering VDSM is a virtual instance, ofc you can reach it as you can reach the NAS on bare metal level, that's why it is working. But if that was a direct access instance that you need access to while VPN was active, certain services would not be accessible unless that setting was on (reason why it's off by default).

it relies on the LAN adapter to provide internet connection
Correct. That's why by default, vdsm doesn't have a kill switch option.

If your goal is to just close off torrent traffic behind a VPN, might I suggest running a torrent client+vpn combo inside Docker? While you will no longer use Download Station as your client, you will also get your DSM license back, spend less resources (much less, as VDSM requires at least 1GB of RAM), and you will get a kill-switch option in a single container.

Also, not your entire VDSM instance would be locked inside the VPN if you still need to use it for something else.
 
Rusty,
That makes sense, thanks for clarifying how the VDSM changes things.

I would love to run a torrent client and VPN inside docker and lose the VDSM. So far the only docker packages I've set up have been with a step by step walkthrough (Marius Hosting) but I would love to set up something to keep it on the main DSM and avoid a virtual instance. I added RAM specifically to support a VDSM, but I suppose that will only help DSM performance, so not a waste.

Do you or anyone have any recommendations for a client+vpn docker package? I have seen that idea mentioned on relevant forum discussions but never any detail or specifics mentioned for resources or client software to use. I have also heard of some torrent clients that have a built-in VPN kill-switch, perhaps that would be an effective solution?

In any case, thank you again for your generosity with help and advice. It is much appreciated.
 
Do you or anyone have any recommendations for a client+vpn docker package?
Here is one running with Nord VPN (both openvpn and wireguard) with Qbittorrent client


And another one running only via openvpn protocol for various VPN providers (not just Nord):


If you get into any problems, let me know in PM, here, or on my chat platform (link on the site, upper right corner).
 
At first I was using qbittorrentVpn container following Rusty's guide. But this container, although working at the moment, is not often updated.
At some time I decided to use gluetun because I wanted to route also Jackett and *arr containers through vpn (Cyberghost in my case) and let them altogether update frequently. I used some help from here:


@Rusty could you please consider adding a guide about gluetun (in conjunction with download tools) to Blackvoid? I believe it would be great as Blackvoid is among the most trusted sources out there!
 
@Rusty could you please consider adding a guide about gluetun (in conjunction with download tools) to Blackvoid?
Considering I do not use torrent myself, I guess I did miss the ball on this one. Gluetun is great as it does support also both open and WG (limited to certain providers) protocols, so I could consider making the article on that. That being said, DrFrankenstein as well as other resources out there are also very well known, so sometimes I skip the "topic" if I notice that it was covered well somewhere else.

If and when I get time to do it, I might consider writing up a Gluetun one as well. Thx for pointing it out @dimfil
 
Thank you much. Somehow I have not heard of or come across blackvoid in my previous research on the subject. I will dig into this tonight and hopefully have some success.


I am unfamiliar with gluetun and jackett. I'll look into those things. Are infrequent updates a security concern for something like this or just a compatibility/keep things working kind of thing? Or both? Thank you for that info.
 
GlueTun is a vpn client docker container which works with a big list of vpn providers. You can use it so other containers connect to vpn through gluetun. Very very useful as you occupy just one vpn position of your vpn account for a lot of services.
Jackett accepts queries from other containers to get data from torrent trackers, so it needs vpn to be fully usable.

One problem is that many torrent trackers often blacklist older versions of torrent clients. This could be an issue if your client is not updated regularly.
Using gluetun you can have normal qbittorrent (or deluge and transmission if you prefer) container which gets updated regularly and avoid special vpn versions of clients which get old or abandoned sometimes.
 
That sounds like a clever solution. I assume GlueTun also acts as a kill switch to only allow BTclient traffic to use the VPN?
 
Gluetun provides a bridge network and all containers you decide connect through this to the VPN service. Nothing else.
Yes, it has a built-in firewall kill switch but I believe most vpn providers support kill switch anyway.
For me, gluetun is now a necessity. The majority of BT trackers and subtitle sites are already blocked in my country (Greece) and I know that more or less it's the same situation in most countries.
VPN is the only way if you want to have access to torrents, *arr apps and subtitles. Docker on Synology makes all these so easy...
 
Sorry to revive this thread, however I have set up a VPN on my Syno and connected it, however it doesn't appear that Download Station is running through the VPN. Is there anything I need to do on my router or elsewhere on the Syno to have the Download Station traffic run through the VPN?

 
On the NAS network settings, set the service order so that the VPN listed first.

In the router, block the NAS from reaching anywhere on the internet other than the IP address of the TorGuard server you’re connecting to. That way if the vpn connection goes down, the NAS won’t continue downloading, exposing your traffic for all to see.
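
A way to check which path the NAS would actually use, and to log the moment it falls back to the LAN gateway when the VPN drops. This is an added example, not from any poster in this thread; the tunnel name patterns (`tun*`, `wg*`, `ppp*`), the probe address 1.1.1.1 and the sample route lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample outputs of `ip route get 1.1.1.1` (not captured from a real NAS).
SAMPLE_VPN_UP='1.1.1.1 dev tun0 src 10.8.0.6 uid 0'
SAMPLE_VPN_DOWN='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.50 uid 0'
SAMPLE_NO_ROUTE='RTNETLINK answers: Network is unreachable'

# Print the interface named after the "dev" token, or nothing if there is none.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i+1); exit}}'
}

# classify_route ROUTE_OUTPUT -> prints one of: tunnel | leak | blocked
#   tunnel  : traffic would leave through a VPN interface
#   leak    : traffic would leave through a non-VPN interface (the LAN fallback)
#   blocked : no route at all (what a removed gateway or kill switch looks like)
classify_route() {
    dev=$(egress_dev "$1")
    case "$dev" in
        tun*|wg*|ppp*) echo tunnel ;;   # assumed tunnel interface names
        '')            echo blocked ;;
        *)             echo leak ;;
    esac
}

# Ask the kernel where a packet to the probe address would go right now.
check_now() {
    classify_route "$(ip route get "${1:-1.1.1.1}" 2>&1)"
}

# Poll and print a timestamped line each time the state changes.
# Usage: watch_route [PROBE_IP] [INTERVAL_SECONDS]
watch_route() {
    last=''
    while :; do
        now=$(check_now "$1")
        [ "$now" = "$last" ] || echo "$(date '+%F %T') egress=$now"
        last=$now
        sleep "${2:-5}"
    done
}
```

A routing lookup only shows where the kernel would send a packet; it does not prove that a firewall rule on the NAS or router blocks the fallback path.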
 
Thank you for this guidance.

If I do this, then do I lose connectivity to the DS by quick connect?

Yes, by enabling vpn on NAS you lose Quickconnect. Synology has a note on this.
DDNS works OK though.

After a lot of testing and trying myself, I strongly suggest to consider using GlueTun if your NAS supports docker.
 
I have a 423+ so it does support docker although I have no idea how to use it....any guidance on an install guide?
-- post merged: --

and if I use GlueTun, will that allow me to just run the Download Station traffic on the Syno through the VPN?
 
Check here for some great guides utilising GlueTun and download tools.

You can leave alone Download Station for good. There are better download tools available out there.
Have a look at the link I gave you.
 
So now the VPN network interface keeps dropping on the Synology, and the service order then reverts back to not having the VPN first...any thoughts? Sorry for all the noob questions.
 
