This page collects the reusable decisions behind a private download station.
The detailed posts show exact Docker Compose examples. This docs page explains which pieces you need and how they fit together.
Use these tools responsibly and follow the laws and terms that apply where you live.
Recommended Pattern
For a private download stack, the pattern is:
- Run a VPN client container with Gluetun.
- Run qBittorrent or Transmission through the Gluetun network namespace.
- Expose the download client’s web UI through Gluetun, not through the download container.
- Keep downloads and config on persistent volumes.
- Do not expose the web UI directly to the public internet without authentication and HTTPS.
Main Components
| Component | Purpose |
|---|---|
| Gluetun | VPN client container and network boundary |
| qBittorrent | Feature-rich BitTorrent client with strong web UI |
| Transmission | Lightweight BitTorrent client with simple web UI |
| Nginx Proxy Manager | Optional HTTPS reverse proxy for a private UI |
| Tailscale | Optional private access from your own devices |
qBittorrent
qBittorrent is a good default when you want a full-featured web UI, categories, tags, search plugins, and detailed torrent controls.
Useful links:
Transmission
Transmission is a good default when you want something simpler and lighter.
It has fewer knobs than qBittorrent, but that is often exactly the point for a home server.
Useful links:
Gluetun
Gluetun is the important privacy boundary in this setup.
Instead of running a VPN on the host and forcing every service through it, you can route only selected containers through Gluetun.
That gives you:
- a VPN kill switch for the routed containers
- provider flexibility
- cleaner separation from the rest of the HomeLab
- one place to expose web UI ports for routed services
Useful links:
Network Mode Rule
When a service should use the VPN, use the Gluetun container’s network namespace:
network_mode: "container:gluetun"
Then expose the service ports on Gluetun.
That is why qBittorrent or Transmission ports often appear under the Gluetun service instead of the download client service.
Accessing the Web UI
For private use, prefer:
- Tailscale or another private VPN
- a local LAN only
- an HTTPS reverse proxy with authentication
Avoid exposing qBittorrent or Transmission directly to the public internet.
Useful related guides:
Choosing a Client
| Goal | Pick |
|---|---|
| More controls, labels, and richer web UI | qBittorrent |
| Simple, lightweight downloads | Transmission |
| Route only one stack through VPN | Gluetun |
| Access from your devices only | Tailscale |
| Public domain with HTTPS | Nginx Proxy Manager, with strong auth |
Comments