VPN-Protected Media Automation Stack for Synology NAS
A Docker Compose configuration for automated media management with VPN protection, specifically tested and documented for Synology NAS systems. Features the popular Servarr (*arr) applications, qBittorrent, and VPN Sentinel monitoring with Telegram notifications.
This is a Docker Compose configuration that integrates existing open-source tools:
- Gluetun - VPN gateway container
- Servarr Apps - Media automation suite (Sonarr, Radarr, etc.)
- qBittorrent - Download client
- VPN Sentinel - VPN monitoring with Telegram alerts (by @agigante80)
What makes this configuration useful:
- β Synology NAS Tested: Documented Gluetun version compatibility for Synology DSM 7.x
- β VPN Sentinel Integration: Pre-configured monitoring with DNS leak detection
- β Working Configuration: Battle-tested setup that actually works on Synology
- β Media Server Agnostic: No Plex/Jellyfin - use your own media server
Tested Hardware: Synology DS220+ with DSM 7.x
Status: β
Fully Working
| Gluetun Version | Synology Compatible | Notes |
|---|---|---|
| v3.40.4 (Dec 24, 2024) | β Works out-of-box | Recommended - No sysctls needed |
| v3.41.0+ (Dec 25, 2024+) | Needs kernel parameters |
Symptoms of v3.41.0+ without sysctls:
netfilter query: netlink receive: invalid argument
Container restart loop
Solutions:
- Recommended: Use Gluetun v3.40.4 (this repo's default)
- Alternative: Add sysctls for v3.41.0+:
sysctls: - net.ipv4.conf.all.src_valid_mark=1 - net.ipv6.conf.all.disable_ipv6=0
This repository pins Gluetun to v3.40.4 for maximum Synology compatibility.
- VPN Sentinel by @agigante80 - VPN monitoring with Telegram notifications, DNS leak detection, and interactive bot commands
- Gluetun by @qdm12 - Lightweight VPN client container
- Servarr - Suite of media automation applications
- navilg/media-stack - Complete media server with Plex
- DonMcD/ultimate-plex-stack - Ultimate Plex server stack
| Feature | This Stack | navilg/media-stack | ultimate-plex-stack |
|---|---|---|---|
| Synology Tested | β DS220+, DSM 7.x | ||
| Gluetun Version Docs | β v3.40.4 pinned | ||
| VPN Monitoring | β VPN Sentinel | β None | β None |
| Telegram Alerts | β Via VPN Sentinel | β No | β No |
| DNS Leak Detection | β Automated | β Manual | β Manual |
| Interactive Bot | β VPN status check | β No | β No |
| Media Server | β Agnostic | β Plex | β Plex + Tautulli |
| Request Management | β Use Trakt | β Overseerr | β Overseerr |
| Dashboard | β None | β None | β Organizr |
| Architecture | Standard | Standard | Standard |
When to use this configuration:
- β You have a Synology NAS (especially DS220+ or similar)
- β You want VPN monitoring with Telegram notifications
- β You prefer Trakt over Overseerr for content management
- β You want acquisition-only (bring your own media server)
- β You need working Gluetun version documentation
- VPN Gateway: All traffic routed through Gluetun (supports 20+ VPN providers)
- VPN Monitoring: VPN Sentinel with real-time status tracking
- DNS Leak Detection: Automated monitoring and Telegram alerts
- Connection Alerts: Instant notifications when VPN disconnects or reconnects
- Interactive Bot:
/status,/ping,/helpcommands - Real-time Alerts: VPN connection loss, restoration, DNS leaks
- Location Tracking: Shows current VPN server location and ISP
- Status Reports: On-demand VPN status with IP, location, and uptime
- Sonarr: TV show automation and management
- Radarr: Movie automation and management
- Readarr: Book and audiobook automation
- Bazarr: Subtitle automation
- Prowlarr: Unified indexer management
- Jackett: Additional torrent indexer support
- FlareSolverr: Cloudflare bypass for protected sites
- qBittorrent: Feature-rich download client with WebUI
- Tested Hardware: DS220+ with DSM 7.x
- Version Pinning: Gluetun v3.40.4 for stability
- Path Configuration: Pre-configured for
/volume1/structure - Permission Handling: PUID/PGID configuration included
- Media Server Agnostic: No Plex/Jellyfin/Emby - bring your own
- Acquisition Focus: Download and organize, not serve
- Standard Architecture: Uses proven
network_mode: service:gluetunpattern - External Port Access: All services accessible from local network
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Host Network β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Gluetun VPN Gateway β β
β β ββββββββββββ ββββββββββββ ββββββββββββ βββββββββββ β β
β β βqBittorrentβ β Sonarr β β Radarr β β Jackett β β β
β β ββββββββββββ ββββββββββββ ββββββββββββ βββββββββββ β β
β β ββββββββββββ ββββββββββββ ββββββββββββ βββββββββββ β β
β β β Prowlarr β β Bazarr β β Readarr β βFlareSlvrβ β β
β β ββββββββββββ ββββββββββββ ββββββββββββ βββββββββββ β β
β β βββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β β β VPN Sentinel Client β β β
β β β (Monitors VPN from inside tunnel) β β β
β β βββββββββββββββββββββββββββββββββββββββββββββββββββ β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β β Internet (via VPN) β
β β β
β β ββββββββββββββββββββββββββββ β
β β β VPN Sentinel Server β β
β βββΊβ (External monitoring) β β
β β + Telegram Bot β β
β ββββββββββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
VPN Routing (Standard Pattern):
- All services use
network_mode: "service:gluetun" - Traffic from *arr apps and qBittorrent routes through Gluetun
- Containers communicate via
localhost(shared network namespace)
VPN Sentinel Monitoring:
- Client: Runs inside VPN tunnel, reports VPN IP and location
- Server: External server with real IP, receives client reports
- Telegram Bot: Integrated in server, sends alerts and responds to commands
- DNS Leak Detection: Compares VPN location with DNS resolver location
Why This Architecture:
- β
Simple: Standard Docker Compose
network_modepattern - β Secure: All acquisition traffic forced through VPN
- β Monitored: VPN Sentinel detects failures and leaks
- β Maintainable: Uses well-established open-source tools
Gluetun is a lightweight VPN client container that supports 20+ VPN providers out of the box:
Major Providers: AirVPN, ExpressVPN, IPVanish, IVPN, Mullvad, NordVPN, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, Surfshark, TorGuard, Windscribe, and more.
Protocol Support:
- OpenVPN: Full support for all providers
- Wireguard: Native and custom configuration support
Why use Gluetun:
- β Single container routes all other containers' traffic
- β No VPN client needed on host system
- β Easy provider switching via environment variables
- β Built-in health checks and auto-reconnect
- β Kill switch prevents leaks if VPN disconnects
See the Gluetun GitHub repository for the complete provider list and documentation.
| Service | Purpose | Port | Notes |
|---|---|---|---|
| Gluetun | VPN Gateway | - | v3.40.4 pinned for Synology |
| qBittorrent | Download Client | 9802 | Routes through Gluetun |
| Sonarr | TV Automation | 9804 | Part of Servarr suite |
| Radarr | Movie Automation | 9809 | Part of Servarr suite |
| Readarr | Book Automation | 9808 | Part of Servarr suite |
| Bazarr | Subtitle Automation | 9810 | Integrates with Sonarr/Radarr |
| Prowlarr | Indexer Manager | 9805 | Unified indexer management |
| Jackett | Indexer Proxy | 9803 | Additional indexer support |
| FlareSolverr | Cloudflare Bypass | 9806 | For protected sites |
| Service | Purpose | Notes |
|---|---|---|
| VPN Sentinel | VPN Monitoring | Client + Server with Telegram bot |
About Servarr:
Servarr is a suite of applications for automated media management. The *arr apps provide consistent APIs and interfaces for different media types (TV, movies, books, music).
Required:
- Synology NAS with Docker package installed (tested on DS220+ with DSM 7.x)
- VPN provider account (PrivateVPN, NordVPN, etc.)
Optional but Recommended:
- Telegram bot token (for VPN Sentinel monitoring)
VPN Sentinel provides Telegram notifications for VPN status. To enable:
-
Create a Telegram Bot:
- Message @BotFather on Telegram
- Send
/newbotand follow the prompts - Save the Bot Token (format:
1234567890:ABCdefGHIjklMNOpqrsTUVwxyZ)
-
Get Your Chat ID:
- Message @userinfobot to get your Chat ID
- Or visit
https://api.telegram.org/bot<BOT_TOKEN>/getUpdatesafter messaging your bot
-
Test the Bot:
curl -X POST "https://api.telegram.org/bot<BOT_TOKEN>/sendMessage" \ -d "chat_id=<CHAT_ID>&text=Test from SafeHarbor Stack"
SSH into your Synology:
ssh admin@your-synology-ip -p 22Clone and configure:
# Navigate to your Docker project directory
cd /volume1/docker/project
# Clone this repository
git clone <repository-url> VPN-media
cd VPN-media
# Copy and edit environment file
cp .env.example .env
nano .env # Configure VPN credentials, paths, and Telegram tokensConfigure Environment Variables (.env):
# VPN Configuration
VPN_SERVICE_PROVIDER=privatevpn # or nordvpn, mullvad, etc.
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password
SERVER_COUNTRIES=Switzerland,Netherlands
# Synology Paths
VOLUME_DOCKER_PROJECT=/volume1/docker/project
VOLUME_DOWNLOADS=/volumeUSB2/usbshare/Downloader/downloads
VOLUME_MEDIA=/volume1/Media
# User IDs (typically 1026 for Synology admin)
PUID_MEDIA=1026
PGID_MEDIA=100
# Telegram (optional - for VPN Sentinel)
TELEGRAM_BOT_TOKEN=your_bot_token
TELEGRAM_CHAT_ID=your_chat_idStart the stack:
# Create necessary directories (if needed)
mkdir -p {gluetun,qbittorrent/config,jackett/config,prowlarr/config,sonarr/config,radarr/config,readarr/config,bazarr/config}
# Start all containers
docker compose up -d
# Check status
docker compose ps
# View logs
docker compose logs -f gluetunAccess services from your local network using your Synology IP:
-
qBittorrent -
http://synology-ip:9802- Default:
admin/adminadmin(change immediately) - Set download path:
/downloads
- Default:
-
Prowlarr -
http://synology-ip:9805- Add indexers (torrent sites)
- Connect to Sonarr/Radarr via API
- Add FlareSolverr:
http://localhost:8191
-
Sonarr -
http://synology-ip:9804- Add Prowlarr indexers
- Add qBittorrent:
http://localhost:8085 - Configure root folder:
/media/TV Shows
-
Radarr -
http://synology-ip:9809- Similar to Sonarr configuration
- Configure root folder:
/media/Movies
-
Bazarr -
http://synology-ip:9810- Connect to Sonarr and Radarr
- Add subtitle providers
-
Optional: VPN Sentinel Bot Commands
- Send
/statusto your Telegram bot to check VPN - Send
/pingto verify bot connectivity - Send
/helpfor command list
- Send
This stack is intentionally media player agnostic - no Plex/Jellyfin/Emby included. The downloaded media is organized and ready for any media server to scan.
Popular Media Server Options:
Point your media server to the configured media directories (e.g., /volume1/Media/TV Shows, /volume1/Media/Movies).
Access services from your local network:
| Service | Port | URL Example |
|---|---|---|
| qBittorrent | 9802 | http://192.168.1.100:9802 |
| Jackett | 9803 | http://192.168.1.100:9803 |
| Sonarr | 9804 | http://192.168.1.100:9804 |
| Prowlarr | 9805 | http://192.168.1.100:9805 |
| FlareSolverr | 9806 | http://192.168.1.100:9806 |
| Readarr | 9808 | http://192.168.1.100:9808 |
| Radarr | 9809 | http://192.168.1.100:9809 |
| Bazarr | 9810 | http://192.168.1.100:9810 |
Note: Replace 192.168.1.100 with your Synology's IP address.
- All download traffic routed through VPN tunnel
- Kill switch prevents leaks if VPN disconnects
- External IP verification
- Automatic VPN reconnection on failures
This stack integrates VPN Sentinel by @agigante80 for comprehensive VPN monitoring.
What VPN Sentinel Provides:
- Client-Server Architecture: Client monitors from inside VPN, server runs with real IP
- Telegram Bot: Interactive commands (
/status,/ping,/help) - Real-time Alerts: Immediate notifications when VPN connects/disconnects
- DNS Leak Detection: Compares VPN location with DNS resolver location
- Location Tracking: Shows current VPN server location and ISP
- Connection History: Tracks VPN uptime and connection status
See VPN Sentinel documentation for full details.
π΄ VPN Disconnection Alert:
π¨ VPN CONNECTION LOST! π¨
Client: my-media-stack
Time: 2025-01-12 15:30:15
External IP: 203.0.113.42 (Real IP detected!)
Location: United States, New York
ISP: Example ISP
DNS Servers: 8.8.8.8 (DNS leak detected!)
β οΈ Media services are now exposed!
β VPN Restored Alert:
β
VPN CONNECTION RESTORED β
Client: my-media-stack
Time: 2025-01-12 15:35:22
External IP: 185.72.199.129 (VPN IP)
Location: Poland, ToruΕ
ISP: PrivateVPN
DNS Servers: VPN DNS (secure)
π‘οΈ All traffic now protected
π Status Check (via /status command):
π VPN STATUS REPORT π
Client: my-media-stack
Status: β
CONNECTED
External IP: 185.170.104.53
Location: Poland, ToruΕ
Connected since: 2 hours 15 minutes
Last check: 30 seconds ago
| Command | Description |
|---|---|
/status |
Get current VPN status with IP and location |
/ping |
Test bot connectivity |
/help |
Show available commands |
- Media Network: All *arr apps and qBittorrent share Gluetun's network
- Container Communication: Services communicate via
localhost(shared network namespace) - VPN Sentinel: Optional monitoring runs in separate network spaces
Containers sharing Gluetun's network (via network_mode: "service:gluetun") communicate via localhost:
# From qBittorrent UI, configure:
Jackett URL: http://localhost:9117
Prowlarr URL: http://localhost:9696
# From Sonarr/Radarr, configure:
qBittorrent: http://localhost:8085
FlareSolverr: http://localhost:8191# Check current VPN IP
docker exec gluetun wget -qO- https://ipinfo.io/ip
# Get detailed location information
docker exec gluetun wget -qO- https://ipinfo.io/json
# DNS leak test (VPN country should match DNS country)
VPN_COUNTRY=$(docker exec gluetun wget -qO- https://ipinfo.io/json | grep country | cut -d'"' -f4)
DNS_COUNTRY=$(docker exec gluetun wget -qO- https://1.1.1.1/cdn-cgi/trace | grep '^loc=' | cut -d'=' -f2)
echo "VPN: $VPN_COUNTRY | DNS: $DNS_COUNTRY"
# View real-time VPN logs
docker logs gluetun --follow
# Check Gluetun health
docker exec gluetun wget -qO- http://localhost:9999/health# View VPN Sentinel client logs (runs inside VPN)
docker logs vpn-sentinel-client --tail 20
# View VPN Sentinel server logs (external)
docker logs vpn-sentinel-server --tail 20
# Check both in real-time
docker compose logs -f vpn-sentinel-client vpn-sentinel-server# Update all containers
docker compose pull
docker compose up -d
# Update specific container
docker compose pull gluetun
docker compose up -d gluetun
# Restart specific service
docker compose restart sonarrv3.40.4 for Synology compatibility. Before updating to newer versions, review the Synology compatibility section above.
# Check container status
docker compose ps
# View logs for specific services
docker compose logs gluetun | grep -iE 'error|warn'
docker compose logs qbittorrent --tail 20
# Test VPN connectivity
docker exec gluetun wget -qO- https://ipinfo.io/ip
# Test container communication
docker exec sonarr curl -s http://localhost:9696 # Prowlarr
docker exec sonarr curl -s http://localhost:8085 # qBittorrent1. VPN Not Connecting
- Check VPN credentials in
.env - Verify
VPN_SERVICE_PROVIDERis correct - Check Gluetun logs:
docker logs gluetun - Try a different VPN server country
2. Services Not Accessible
- Verify containers are running:
docker compose ps - Check port conflicts:
netstat -tlnp | grep 980 - Verify Synology firewall allows ports
3. Container Communication Issues
- Containers must use
localhost(they share Gluetun's network) - Use internal ports, not external:
http://localhost:8085(not 9802) - Check logs:
docker compose logs <service-name>
4. VPN Sentinel Not Sending Alerts
- Verify Telegram bot token and chat ID in
.env - Test bot: Send message to your bot via Telegram
- Check logs:
docker logs vpn-sentinel-server - Verify VPN Sentinel server is reachable from client
5. Gluetun Restart Loops (Synology)
- Symptom:
netfilter query: netlink receive: invalid argument - Cause: Using Gluetun v3.41.0+ without sysctls
- Solution: Use v3.40.4 (default) or add sysctls (see Synology section)
If services can't communicate:
# Restart VPN gateway first
docker compose restart gluetun
sleep 10
# Then restart dependent services
docker compose restart qbittorrent sonarr radarr
# Verify status
docker compose ps# Stop all containers
docker compose down
# Start everything fresh
docker compose up -d
# Monitor startup
docker compose logs -f- Check Gluetun logs:
docker logs gluetun --tail 50 - Check VPN Sentinel logs if using:
docker logs vpn-sentinel-client - Verify
.envconfiguration (especially VPN credentials) - Test VPN connectivity outside Docker first
- Consult Gluetun documentation
- Consult VPN Sentinel documentation
VPN-media/ # Repository root
βββ compose.yaml # Docker Compose configuration
βββ .env.example # Environment variables template
βββ .gitignore # Git ignore patterns
βββ README.md # This documentation
βββ gluetun/ # Gluetun VPN config (auto-created)
βββ PrivateVPN-*.ovpn # Optional custom VPN configs
Runtime Directories (auto-created on Synology at /volume1/docker/project/VPN-media/):
qbittorrent/config/ # qBittorrent settings and session
jackett/config/ # Jackett indexer configurations
prowlarr/config/ # Prowlarr settings
sonarr/config/ # Sonarr TV configuration
radarr/config/ # Radarr movie configuration
readarr/config/ # Readarr book configuration
bazarr/config/ # Bazarr subtitle settings
Note: Config directories are excluded from git via .gitignore.
# Update all to latest versions
docker compose pull
docker compose up -d
# Update specific service
docker compose pull sonarr
docker compose up -d sonarr
This repo pins Gluetun to v3.40.4 for Synology compatibility. To update to v3.41.0+:
- Review Synology Compatibility section above
- Add required sysctls to
compose.yaml, OR - Stay on v3.40.4 (recommended for Synology)
# Backup all service configurations
cd /volume1/docker/project/VPN-media
tar -czf backup-$(date +%Y%m%d).tar.gz */config/
# Restore from backup
tar -xzf backup-20260228.tar.gz-
Docker Package: Install from Package Center
-
SSH Access: Enable for management
-
User Permissions:
- PUID: Typically
1026foradminuser on Synology - PGID: Typically
100forusersgroup - Get with:
id admin
- PUID: Typically
-
Volume Structure:
/volume1/docker/project/ # Docker configurations /volume1/Media/ # Media library /volumeUSB2/usbshare/ # External USB (optional) -
Port Conflicts to Avoid:
- 5000, 5001 (DSM web interface)
- 5800, 5801 (Surveillance Station)
- This stack uses 9802-9810 (safe range)
-
File Permissions:
# If you encounter permission issues: sudo chown -R admin:users /volume1/docker/project/VPN-media sudo chmod -R 755 /volume1/docker/project/VPN-media
Breaking Change: Gluetun v3.41.0 introduced netfilter requirements that conflict with Synology's Docker implementation.
| Version | Release | Synology Status |
|---|---|---|
| v3.40.4 | Dec 24, 2024 | β Works perfectly |
| v3.41.0+ | Dec 25, 2024+ |
Symptoms without fix:
- Container restart loops
netfilter query: netlink receive: invalid argument- VPN never connects
Options:
- Use v3.40.4 (this repo's default) - Works out of box
- Add sysctls for v3.41.0+ - Requires compose.yaml modification
This repository defaults to option 1 for maximum compatibility.
This project is open source and available under the MIT License.
Attribution:
- This is a Docker Compose configuration integrating existing open-source tools
- VPN Sentinel by @agigante80
- Gluetun by @qdm12
- Servarr Apps by various contributors
- Each component maintains its own license
Contributions welcome! Please submit Pull Requests for:
- Synology-specific improvements or fixes
- Documentation enhancements
- Configuration optimizations
- Bug fixes
Not accepting:
- Alternative architectures (this is intentionally simple)
- Bundled media servers (keep it agnostic)
- Extensive custom scripts (use existing tools)
This is an EDUCATIONAL PROJECT demonstrating Docker Compose configuration and VPN integration.
This repository demonstrates:
- Docker Compose orchestration
- VPN integration patterns (
network_mode: service) - Synology NAS Docker deployment
- Integration of open-source monitoring tools
- Review Local Laws: Copyright, VPN usage, and content laws vary by jurisdiction
- Compliance: Users are solely responsible for ensuring legal compliance
- VPN Regulations: Some countries restrict or prohibit VPN usage
- Content Sources: Ensure all content and indexers comply with local laws
The authors and contributors are not responsible for:
- Any misuse of this configuration or software
- Legal consequences from improper use
- Violation of local laws or terms of service
- Any damages arising from use of this setup
Use at your own risk. Ensure full compliance with all applicable laws and regulations.
- Always use VPN: Never run download clients without VPN protection
- Monitor regularly: Check VPN Sentinel alerts to ensure protection
- Update carefully: Test updates in non-production environment first
- Backup configs: Regular backups of service configurations
- Use Trakt: Integrate Trakt with Sonarr/Radarr for content discovery
- Check logs: When troubleshooting, start with Gluetun logs
- Synology: Stick with v3.40.4 unless you need v3.41.0+ features
Made for Synology NAS users who want a simple, working VPN-protected media automation setup.