I’m setting up a self-hosted stack with a bunch of services running on a home device. I’m also tunneling all the traffic through a VPS in order to expose the services without exposing my home IP or opening ports on my local network. Currently all my traffic is HTTP, and its path looks like this:
- Caddy proxy on remote VPS (HTTPS, :80 & :443)
- Wireguard tunnel
- Caddy proxy in Docker on homeserver (HTTP, :80)
- app containers in separate isolated subnets, shared with Caddy
I want to set up qBittorrent and other torrent apps, and I want all their traffic to pass through the proxies. Proxying traffic to the WebUI is easy, there’s plenty of tutorials; what I’m struggling with is proxying the torrent leeching and seeding traffic, which is the most important part since I live in a country that’s not cool with piracy.
Unless I’m misunderstanding, BitTorrent traffic is TCP or UDP, so I’d need Caddy to act as a Layer 4 proxy. There’s a community-maintained plugin that should support this. How would I configure it though? Do I need both instances to listen on a new port? Or can I open a new port on the VPS only, and forward traffic to the homeserver Caddy over the same port as the HTTP traffic (:80)? Are there nuances in proxying TCP traffic that I should be aware of?
Wow thank you, this is the most useful reply I’ve received so far!
This means I don’t need to mess around with QBT’s “proxy” settings? I was pretty confused since the only options available are SOCKS/SOCKS5 and HTTP, but I’m guessing that’s a different kind of proxy than what I need…
No, you don’t. In short, trackers will look at the source address of the incoming connection on their side, that means you VPS IP because you’re doing NAT on the VPS.
Just make sure qBittorrent is restricted to the WG interface and nothing else.
Fantastic, thank you