When using a VPN, it will leak your IP address. Use https://ipleak.net/ to check. It'll show your VPN IP address, home IP address, and your IP address will leak your client information. Even if you bind it to the right bindings in the settings it'll still randomly do this.

When I saw that in the ipleak after seeding something to my private server I was in awe that good software like this would allow something like that.



I think you mean proxy, not VPN? AFAIK qBittorrent doesn't natively do any kind of VPN stuff, so the issue would be elsewhere, since it shouldn't be possible if configured properly.

If we're actually talking proxies: If you enable UDP-based protocols, it's very hard to avoid IP leaking. A surprising amount of clients just don't support proxying UDP at all, or misbehave in various ways.

Word of advice: Set up the torrent client in a dedicated VM (or box) and set it up on kernel-level to route all its traffic through a separate VM(/box), which itself connects to the VPN (WireGuard, OVPN or what-have-you) and forwards traffic. It sounds complex but is robust and avoids a lot of potential pitfalls.

Reliably routing P2P UDP traffic with container networks is a fool's errand so I wouldn't recommend Docker networks (ofc fine to run the container with network=host tho)


There is the open source software project gluetun, that allows setting up containers that are only able to communicate through a VPN network interface in an easy way.

https://github.com/qdm12/gluetun

With this it is not much effort to set up qBittorrent in a privacy-secure way.


gluetun can be great for many other use-cases, but what I said still stands regarding UDP p2p like BitTorrent. You are very likely to get surprises like GP unless you are very lucky or really know what you are doing wrt the actual networking configuration.


If the VPN container does things correctly and kills the default non-vpn route, how would those surprises occur? To be clear, I hope 3np is talking about containers like the following, and not trying to proxy only udp or only tcp piecemeal.

    services:
      vpncontainer:
        image: <whatever>
        container_name: vpncontainer
        cap_add: [NET_ADMIN]

      vpn-qbittorrent:
        image: lscr.io/linuxserver/qbittorrent:latest
        container_name: vpn-qbittorrent
        network_mode: service:vpncontainer

      # and optionally, for other purposes, not qbittorrent above
      vpn-socks:
        image: serjs/go-socks5-proxy
        container_name: vpn-socks
        network_mode: service:vpncontainer

      # environments, volumes, ports, sysctls, port-fwd helpers omitted


I'm saying that the underlying container networking (Docker or whatever backend you use for podman) might not behave like you/the software are expecting with these, in context, more esoteric protocols.

If you verify that it behaves like you intend (dump network traffic and make sure packets go where they should over some reasonable timespan and across restarts) and ideally are prepared to file an issue for any bug you come across (clears throat), definitely don't let me dissuade you from trying, though. It _should_ work.


This is a concerning claim, but I checked it all out and have verified my IP is not being leaked (that is a neat site BTW, thanks for sharing).

I will say, I don’t have a ‘standard’ setup with qBittorrent and a VPN provider, so I’ll share some details in hopes that it will be useful to someone.

I use qBittorrent in headless mode with the web interface, so it’s running on a little server within Docker. The Docker Compose has two services, one WireGuard (lscr.io/linuxserver/wireguard), the other qBittorrent (lscr.io/linuxserver/qbittorrent). The qBittorrent service has ‘network_mode: service:WireGuard’ so that it uses the WireGuard network. I’ve got WireGuard all set up with my VPN provider.

While all that should theoretically be all you need, I also configure qBittorrent to use my VPN’s SOCKS5 proxy. This acts as a great safeguard: if the VPN isn’t functioning, then the proxy auth will fail and act as a kill switch for qBittorrent. Be sure to configure qBittorrent to use the proxy for everything (I can’t remember if this is default or not).


You shouldn't need any kind of "kill switch" for qBittorrent: normally when you set up a VPN (I use OpenVPN for reference), on Linux you get a new network device, usually called "tun0". In qBittorrent, you can specify the network device to use, rather than just letting it automatically select one. So set this to "tun0", and it'll only pass traffic over this virtual device; if something goes wrong with the VPN, qBittorrent will just be sending packets into the void.


I think this can be fixed by first understanding that a VPN is a proper network.

You do not have to rely on the qBittorrent client to do any proxying. Turn that setting off.

A WireGuard VPN is literally a network that you can route traffic through. If you can somehow force qBittorrent to route all its traffic through a WireGuard interface and not your wifi/eth interface, you won't need the proxy settings, as your IP will be hidden by virtue of you using the WireGuard network rather than your home network.
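The point made in the last two comments (bind to the tunnel device, or make the tunnel the only route out) is easy to verify on the host, and the verification is where the "randomly leaks" cases usually show up: a default route via the LAN interface that survived the VPN coming up. The following is an added example, not code from the thread or from qBittorrent or WireGuard; it parses the text form of `ip route show` and flags any route that could carry traffic around the tunnel. The interface name `wg0`, the sample routes and the endpoint address are constructed for illustration.

```python
"""Audit a Linux routing table for paths that bypass a VPN interface.

Added example (not from the thread). It parses the output of
`ip route show` and reports any default route, or any route to a
public destination, that does not go via the VPN device. The VPN
device name "wg0" and the sample routes below are constructed.
"""
import ipaddress
import re
import subprocess

# Destinations that are fine to reach outside the tunnel: loopback,
# link-local and RFC 1918 / ULA ranges (your LAN, not the Internet).
LOCAL_OK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample: the tunnel is up, but the original default route
# via eth0 was never removed, so the kernel still has a way around it.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
default dev wg0 scope link metric 50
10.66.0.0/24 dev wg0 proto kernel scope link src 10.66.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
203.0.113.5 via 192.168.1.1 dev eth0
"""

# "<dst> [via <gw>] dev <dev> ..." as printed by iproute2.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<gw>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Turn `ip route show` output into a list of {dst, gw, dev} dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(m.groupdict())
    return routes


def _is_local(net):
    # Compare only against ranges of the same IP version; subnet_of()
    # raises TypeError on mixed versions.
    return any(net.version == ok.version and net.subnet_of(ok) for ok in LOCAL_OK)


def find_bypass_routes(text, vpn_dev, endpoints=()):
    """Return the routes that could carry traffic around the tunnel.

    `endpoints` lists VPN server addresses that legitimately need a host
    route outside the tunnel (e.g. what an OpenVPN client adds); anything
    else public, and any default route, on a non-VPN device is a leak.
    """
    leaks = []
    for r in parse_routes(text):
        if r["dev"] == vpn_dev:
            continue                       # inside the tunnel: fine
        dst = r["dst"]
        if dst == "default":
            leaks.append(r)                # a second way to the Internet
            continue
        if dst in endpoints:
            continue                       # the tunnel's own endpoint
        if not _is_local(ipaddress.ip_network(dst, strict=False)):
            leaks.append(r)
    return leaks


def live_routes():
    """Read the real table from iproute2 (only used when run as a script)."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Against the constructed sample: only the stale eth0 default route
    # is reported once the tunnel endpoint is whitelisted.
    for leak in find_bypass_routes(SAMPLE_ROUTES, "wg0", endpoints={"203.0.113.5"}):
        print("bypass route:", leak)
```

Run it against `live_routes()` on the host (or inside the network namespace or container the client lives in) to check that the only default route is via the tunnel device. It does not see policy-routing rules (`ip rule`), so on a wg-quick setup that uses fwmark-based tables also check `ip rule show`; an empty result from this script is necessary, not sufficient.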


Assuming this is true, one way you could mitigate it is to place it into a network namespace where the only available interface is the one you want your program to use. e.g. https://www.wireguard.com/netns/#ordinary-containerization

Note that this can still leak traffic like DNS requests via domain sockets that connect to a handler outside the namespace. The New Namespace Solution on that page should prevent that I think if you want to route all traffic through the vpn by default.

