Dummy Guide for docker-transmission-openvpn + Synology Container Manager + PIA VPN

[metaclam]

Here's a "dummy guide" to install and run Transmission in this docker OpenVPN container on a Synology NAS, with a port open for seeding.

This is from the perspective of a long-time Transmission user on the Mac, who is comfortable at a basic level on the command line and router configuration, but little to no experience with containers, NAS devices, or VPNs. Hopefully this is of use to others in similar situations. Some of what's below may be misguided or inaccurate or plagued by misnomers (and I welcome comments from the experienced!) but it worked for me in the end.

The goal, Issue, and starting point:

Having moved all seeding torrent files from Mac to a new NAS (on Shared Folders), I realized that it is possible to run Transmission itself off the NAS, thus not needing to keep my Mac on to seed, and freeing up the the resources on the Mac completely. Using a VPN was desired for security.

Main Points and Realizations

• Containers are like virtual systems, and any user files that system needs has to be somehow mapped onto that system. It is not necessary for any of these mapped files to be located within anything resembling the name of the container, as seems typical in other guides, as long as the container can access them via this mapping.
• Synology has an app called "Container Manager" that, uh, manages containers. Install it with Package Center.
• Installing this container with Container Manager (via "Projects") for me was unsuccessful and led to crashes. Installing it via the command line with a "docker run" command (see below) was successful.
• Container Manager can manage all necessary settings. Using it do this is not recommended by the developers of this container (or maybe other experts) but it is easy for novices and works. The more recommended method involves using a "docker compose" file which is regarded as portable.
• Port forwarding is needed for transmission to be able to be "connectable" to other peers. This avoids "invalid port" errors on some trackers, improves the swarm and should also improve ratio on private trackers.
• To get port forwarding, you need a VPN that supports this and a particular server on that VPN that supports it.
• For port forwarding to work at all, you need a static or "dedicated" IP, which on PIA VPN (the VPN of choice) is an extra fee, almost as much as the cost of the VPN itself.
• You have to find a server that first supports a dedicated IP and also supports port fowarding, which is not really intuitive.

Read the Official Documentation

Before proceeding, read though the official quick start on this repo and the official documentation, in full. You will be utterly baffled but make an effort, and bookmark it for later.

Setting up PIA

• Subscribe to PIA. Use my referral code for 30-days free (& me too).
• Install the PIA client app on a desktop computer. (Mac download) To get the port forwarding set up, it won't work on an iPhone. Follow [these instructions, in part]
• After enabling the box to request port forwarding (Settings>Network), now the client GUI will show you which servers support it with an obscure icon. (Note: no servers in the US support this). You'll want to pick one that supports it and has lowest latency (usually closest to you), and also supports dedicated IP (see next).

• Now subscribe to the dedicated IP. It will give you a token you need to keep to enter into the app (Settings > Dedicated IP). You'll also need to pick from one of the few available locations at this point, and you'll also need to pick one that supports port forwarding (see above). In my case the closest option was Toronto. (I learned this is not the same as Ontario. Choose carefully because you cannot switch it later. )

• Connect to PIA in the app and verify you have both an IP and a forwarded port. Note these both down (for other purposes; you won't need either for this container setup, just to know that they work.) Then disconnect. You do not need the VPN to be running on your computer/mac for the container to use it. The container is it's own separate device.

Install this Docker Container

Make sure SSH is enabled in DSM

• I recommend creating an admin user specific to transmisison. in my case, "tmission":

• Make a new Shared Folder called docker. Make sure that tmission user has read/write access.
• Create some folders in that Shared Folder. At minimum for data and config folders.
• The data folder is typically where all the settings files, blocklists, torrents and resume folders, etc., would go. The config folder may contain other files, such as credentials. These folders can be called anything, but this haugene docker-transmission-openvpn container defaults to a set up in a somewhat non-standard way (which one of the devs acknowledged elsewhere but I can't find now). Config is the main directory with those credentials, and "transmission-home" is the data directory, which is a sub-directory of config. So in my case I created a config directory called "trm-config" and a "transmission-home" directory within that. You can create other directories at the same time. I found it useful to have a trm-ui folder for local copies of the various WebUIs available, even though I found out later that this container already builds-in the major WebUI options (see below). I also put my watch folder in there.

• If you're migrating from running Transmission on your Mac, you can now copy your torrent and resume files, and blocklists, to these appropriate folders, after creating the structure as shown above. (Otherwise the container will create it at first start). FYI those files are here on your Mac: ~/Library/Application Support/Transmission. And you probably won't need it but what in most Transmisison installations is called settings.json is stored in a preference file on the Mac:
  ~/Library/Preferences/org.m0k.transmission.plist.

• SSH into the Synology (with it's local IP on your LAN or local name, and using either root@ or the the admin user you just created, with the appropriate password). (see screenshot below for this and the next steps over SSH)

• Type "id" to get the user & group IDs (UID,GID). Admin = 101. Note these down.

• Copy and paste this docker run command (taken from the Quick Start here, with a --name flag for the name, into a text editor for temporary edits :

$ docker run --cap-add=NET_ADMIN -d --name=transmissionopenvpn \ -v /your/storage/path/:/data \ -v /your/config/path/:/config \ -e OPENVPN_PROVIDER=PIA \ -e OPENVPN_CONFIG=france \ -e OPENVPN_USERNAME=user \ -e OPENVPN_PASSWORD=pass \ -e LOCAL_NETWORK=192.168.0.0/16 \ --log-driver json-file \ --log-opt max-size=10m \ -p 9091:9091 \ haugene/transmission-openvpn

• edit this command with your own info. OPENVPN_CONFIG is the name of the server you are using in a machine-readable format. For instance in my case, Toronto is "ca_toronto". This was another not obvious thing to find. (This list may be helpful, also to figure out which ones support port_forwarding too.). the -p 9091:9091 flag is the WebUI port. LOCAL_NETWORK is the lowest value in the range of your LAN, and the "/16" or "/24" refers to the IP range. Use "192.168.0.0/24" for the whole 192.168.0.0 - 192.168.0.255 range). The -v commands map paths. On the left side of the colon is the local path on your NAS, and on the right side is the path relative to the container: In my case, that part looked like this:

    -v /volume1/docker/trm-data:/data \
    -v /volume1/docker/trm-config:/config \

(Note: mapping trm-data this way turned out to be unneeded because "transmission-home" serves as the data folder, see below)

• Now, you're finally ready to run that edited command which will install the container! Do that in the SSH session you are already logged into. If necessary, run as root with "sudo"; (i.e. "sudo docker run " … etc). The whole thing would look something like this (but with your own edits as described above):

Configuration in Container Manager

• Assuming that successfully installed -- and it should as that's the most basic configuration, you can now tweak all the other settings using the Container Manager GUI. I can't recall which of these were successfully set-up by that run command and which I edited later, but here are my Container Manager settings, with notes at the end of these screenshots.

Notes on Above Settings

• Container Manager will create fields that probably aren't needed. You can either remove them, or fill in dummy data, but cannot save the settings with unfilled values. I tended to do the latter.
• See the official documentation for a list of configuration options.
• container name was defined with the --name flag in the docker run command. I don't think that can be changed later.
• I used Port Settings 9092:9092 so as not to conflict with another transmission container that does not use OpenVPN. probably you'd have 9091:9091 both there and in that docker run command above. See also TRANSMISSION_RPC_PORT in the settings below.
• Volume Settings should be mapped as in the docker run command above, but you can add the others, including other top-level Shared Folders, where in my case I kept the actual torrent files (and downloads folder). Again, note that the right side info, such as "/config" is the mapping relative to the container.
• TRANSMISSION_HOME = /config/transmission-home. That applies if you did as I did and create that "transmission-home" directory (which is effectively the /data directory) inside the /config directory.
• Therefore in my Volume Settings the first line defining the /data directory was not really needed at all, and that directory is not actually used. (I should probably just remove it. :)
• the RPC USER & PASS are those of the admin user you created above.
• TRANSMISSION_DOWNLOADS & TRANSMISSION_INCOMPLETE: again relative to the folders mapped in Volume Settings above.
• UFW_EXTRA_PORTS: I have no idea what I'm doing here but was thinking SFTP. Not needed probably. I'd be happy for an explanation of this in the comments.
• UFP_DISABLE_IPTABLES & DISABLE_PORT_UPDATER: set each to false, may be related to port forwarding working right. Not sure but it works. Found elsewhere.
• PEER_DNS & PEER_DNS_PIN_ROUTES: set both to true for same reasons as above.
• PUID & PGID: the user & group you found with the "id" command via SSH above.
• WEBPROXY stuff: dummy / garbage data (see top note here).
• TRANSMISSION_WEB_UI: your choice of various web interfaces to use when connecting in your browser.

At this point you should be able to start the container and it should "just work"!

Port Fowarding

• It was not in the slightest bit obvious to me that the port forwarding would be managed entirely within the container, without any additional configuration, as long as: the container can log into your PIA account, you set up a dedicated IP, and you picked a server that supports port forwarding. You don't need to configure anything on your router either.
• When you get it up and running and open a WebUI (and I recommend this currently most updated fork of Transmission Remote GUI), you can test the listening port, and it should just work.

Transmission Remote GUI:
Set all the settings for both "transmission options" and "application options"
It is most helpful to setup the "paths" tab in the "applications options", which map the container paths back to your actual Mac folders. This way you can move data locations with the standard Finder file-browser. Very useful. (Here it's sort of the opposite of the Volume Settings mappings in Container Manager. The path relative to the container is on the left, and the path relative to MacOS is on the right:

[zanyraspi]

How are you enabling the Transmission to pick the Dedicated IP? Is there anywhere you are configuring the Access Token?
For me it is picking a random IP from ca_toronto location.

Also, why would you need a dedicated IP if you are able to port forward on any of the Toronto or Ontario servers?

[popeadam]

Agree, no need to have a dedicated IP for this to work. Save your cash!

[metaclam]

I'm not sure about this TBH. I was trying without, and transmission couldn't open an incoming port. It's been a while since I set this up, but what I recall learning was that transmission will function without an open incoming port but it will restrict your ability to seed and affect ratios on private trackers.

[popeadam]

I just switched from nordvpn to pia for this very reason. Transmission now showing 'Port is Open' under .../Edit preferences/Network whereas it wouldn't using nordvpn - at least when not using wireguard, which this handy repo doesn't yet support.

[istrait]

Figured it out. I was an idiot. I was not on the right local network and has the wrong CIDR notation for the network. I had to change it to LOCAL_NETWORK=192.1068.1.0 /24 to make it work.

I keep getting this when I set this up...
RTNETLINK answers: Invalid argument

Complete log from one run.
` Starting container with revision: 07f5a2b

TRANSMISSION_HOME is currently set to: /config/transmission-home

Creating TUN device /dev/net/tun

Using OpenVPN provider: PIA

Running with VPN_CONFIG_SOURCE auto

Provider PIA has a bundled setup script. Defaulting to internal config

Executing setup script for PIA

Downloading OpenVPN config bundle openvpn into temporary file /tmp/tmp.Bhkdxl2rnp

Extract OpenVPN config bundle into PIA directory /etc/openvpn/pia

Starting OpenVPN using config ca_vancouver.ovpn

Modifying /etc/openvpn/pia/ca_vancouver.ovpn for best behaviour in this container

Modification: Point auth-user-pass option to the username/password file

Modification: Change ca certificate path

Modification: Change ping options

Modification: Update/set resolv-retry to 15 seconds

Modification: Change tls-crypt keyfile path

Modification: Set output verbosity to 3

Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop

Modification: Updating status for config failure detection

Setting OpenVPN credentials...

adding route to local network 192.168.15.0/16 via 172.25.0.1 dev eth0

RTNETLINK answers: Invalid argument `

My Docker compose... (Could not get docker run to run it... It gives me a docker: invalid reference format.
See 'docker run --help'. error)

name: <your project name> services: transmission-openvpn: cap_add: - NET_ADMIN container_name: transmissionopenvpnpia volumes: - /volume1/docker/transmission-openvpn-pia/:/data - /volume1/docker/transmission-openvpn-pia/:/config environment: - OPENVPN_PROVIDER=PIA - OPENVPN_CONFIG=ca_vancouver - OPENVPN_USERNAME=p0878870 - OPENVPN_PASSWORD=XXXXXX - LOCAL_NETWORK=192.168.15.0/16 logging: driver: json-file options: max-size: 10m ports: - 9091:9091 image: haugene/transmission-openvpn

Any thoughts?

[neil-west-oz]

Seriously, WOW!!!!! And thanks, @metaclam !!!

Ever since I began self-hosting a few years ago, I've used a qbittorrent docker image that also managed an openvpn connection to PIA.

Straightforward and sweet. Until it abruptly stopped working six weeks ago.

Since then I haven't been able to get any qbittorrent image to work with PIA (surprisingly common). Diagnosing the cause turned out to be beyond my skills, patience & willingness to throw time at the matter, so I tried Deluge (couldn't get it to play nice either), then settled on Transmission. I told myself I could overlook its minimalist UI if I could find an image of any torrent client that was reliable through PIA.

But "reliable" turned out to be frustratingly and surprisingly elusive - I tried literally dozens of combinations of different images and scripts, and none were (reliable).

Then tonight I stumbled across your excellent guide. It took me about a minute to turn your docker run command into a Compose script, then another 30 seconds to spin it up in Portainer (my docker UI overlay). It worked perfectly first time: Transmission's peer listening port is open; I've verified the container is on a PIA IP; and (drum roll) torrents are downloading and seeding. Nice and quick, thanks very much.

Your guide proved to be very useful indeed (and appreciated most warmly), even though my environment (Docker via Openmediavault on a Raspberry Pi) is quite different to your own.

Apologies for all the exclamation marks, but I'm excited. Problem solved. Big win. Love your work.

@metaclam rocks!!

Thanks and very best regards

Neil (Perth, Western Australia)

[ubuntuaddicted]

I am struggling to get the transmission web portal to show that my peer port is open so that I can seed back what I am leeching. I am running docker with haugene/transmission-openvpn:latest. I added port 51413 tcp and udp as port configuration for docker (my tranmission peer port) along with 9091 tcp. I am using PIA, ca_toronto as the server so port forwarding should be working. what am I doing wrong?

[ubuntuaddicted]

I am struggling to get the transmission web portal to show that my peer port is open so that I can seed back what I am leeching. I am running docker with haugene/transmission-openvpn:latest. I added port 51413 tcp and udp as port configuration for docker (my tranmission peer port) along with 9091 tcp. I am using PIA, ca_toronto as the server so port forwarding should be working. what am I doing wrong?

I figured it out, well at least now the port shows that it's open. I had DISABLE_PORT_UPDATER=true when this should be FALSE to get port forwarding to work. What is does is change the peer port after the vpn port is forwarded. Hopefully now I can seed stuff back while still being behind a vpn.

[asyncro]

I noticed you mentioned using sudo to run docker - I do my best to avoid using sudo as much as possible to avoid unnecessary escalation of privileges.

You also mentioned getting the UID via the id command but not what to do with it afterwards.

I first tried solving the docker permission errors that I got when trying to run docker without sudo by adding myself to the docker group and changing the group of docker.sock - as suggested in this post: https://superuser.com/questions/1545551/give-permission-to-acces-var-run-docker-sock-on-synology-nas

sudo synogroup --add docker <userid>
sudo chgrp docker /var/run/docker.sock

This didn't work at first, but after adding my user to the Docker group in the Synology web UI Control Panel - I was able to run docker without sudo.