#VPN Guide for Servarr Applications

#Table of Contents

• Overview
• When VPNs are Needed
• Secure DNS Alternative (Recommended)
  • Standard DNS Servers
  • DNS over HTTPS (DoH) and DNS over TLS (DoT)
  • Docker DNS Configuration
• Why Gluetun is Usually NOT Needed
• Recommended Solutions
  • Single Download Client
  • Multiple Download Clients
  • Selective VPN (Prowlarr Indexers Only)
• VPN Provider Requirements
• Common Problems
• Troubleshooting

#Overview

VPNs can cause significant problems with Servarr applications when used incorrectly. This guide explains when and how to use VPNs properly.

Key Points:

• BitTorrent traffic may benefit from VPN protection in some jurisdictions
• Usenet traffic does NOT require VPN protection (uses encrypted SSL connections)
• For most countries including the UK, using secure DNS is sufficient instead of VPNs and fixes indexer connectivity issues
• Only your torrent client should be behind a VPN - not the *Arr applications
• VPNs are often unnecessary and cause more problems than they solve

To be clear it is not a matter if VPNs will cause issues with the *Arr Apps, but when: image providers will block you and cloudflare is in front of most of *Arr servers (updates, metadata, etc.) and liable to block you too {.is-warning}

#When VPNs are Needed

• Highly Restrictive Countries: China or Australia where internet access is heavily restricted
• ISP Throttling: If your ISP specifically throttles or blocks BitTorrent traffic
• Legal Requirements: If local laws require VPN use for P2P/BitTorrent activities

#Secure DNS Alternative (Recommended)

For most users, secure DNS is sufficient instead of VPNs and fixes indexer connectivity issues without the complexity and problems of VPN setups:

#Standard DNS Servers

• Cloudflare: 1.1.1.1 and 1.0.0.1
• Google: 8.8.8.8 and 8.8.4.4
• Quad9: 9.9.9.9 and 149.112.112.112

#DNS over HTTPS (DoH) and DNS over TLS (DoT)

For enhanced privacy and encrypted DNS queries:

• Cloudflare DNS Setup - Instructions for DoH/DoT configuration
• Google Public DNS - DoH/DoT setup guide
• Quad9 Setup Instructions - Configuration for various platforms

#Docker DNS Configuration

For Docker containers, see the Docker DNS documentation for configuration instructions.

Note: These providers offer comprehensive setup instructions for browsers, operating systems, routers, and mobile devices. {.is-info}

#Why Gluetun is Usually NOT Needed

Gluetun and similar VPN containers create more problems than they solve:

1. Network Complexity: Adds unnecessary routing complexity
2. Container Dependencies: Creates fragile dependencies
3. Debugging Difficulty: Makes troubleshooting much harder
4. Performance Overhead: Adds unnecessary overhead
5. DNS Problems: Often causes DNS resolution issues

#Recommended Solutions

#Single Download Client

Use download clients with built-in VPN support:

• Hotio qBittorrent - Built-in WireGuard VPN support
• Binhex VPN containers - OpenVPN support (e.g., binhex/arch-qbittorrentvpn)

Important: When using VPN containers, configure other containers to connect using the .internal domain suffix (e.g., qbittorrent.internal instead of just qbittorrent). This ensures reliable DNS resolution through Docker's built-in DNS, especially important with VPN routing. See the Docker Guide for more details. {.is-warning}

#Multiple Download Clients

Use Hotio's base image and route all download clients through it. This is the only acceptable use case for sharing a VPN container.

Important: When routing multiple download clients through a VPN container, always use the .internal domain suffix for container communication (e.g., sabnzbd.internal, qbittorrent.internal). This provides reliable DNS resolution regardless of VPN routing complexity. {.is-warning}

#Selective VPN (Prowlarr Indexers Only)

If specific indexers require VPN access, add your VPN provider's proxy to Settings -> Indexers -> Indexer Proxies and apply only to those specific indexers. This allows only indexer traffic to go through the VPN while keeping the main application free from VPN-related issues.

See the TRaSH Guide for Prowlarr Proxy Setup for detailed configuration instructions.

#VPN Provider Requirements

For BitTorrent, you must use a VPN with port forwarding:

Recommended (with port forwarding):

• TorGuard
• Private Internet Access (PIA)
• Proton VPN
• AirVPN

Avoid (no port forwarding):

• Mullvad
• NordVPN
• Most commercial VPN services

See TRaSH Guide for VPN setup.

#Common Problems

• Rate Limiting/IP Bans: VPN IPs are shared and often blocked
• Private Tracker Bans: Most private trackers ban VPN usage
• DNS Issues: Use public DNS servers (8.8.8.8, 1.1.1.1)
• Service Accessibility: Many services block VPN IP ranges

#Troubleshooting

Debug Commands:

# Check IP
curl ifconfig.me

# Test DNS
nslookup google.com

# Test container DNS resolution with .internal
nslookup qbittorrent.internal

# Container networking
docker network inspect <network_name>

DNS Resolution Issues with VPN:

If containers cannot communicate when using VPN:

1. Use .internal suffix for all container references (e.g., qbittorrent.internal)
2. Verify DNS configuration in VPN container
3. Check that containers are on the same Docker network
4. Test DNS resolution from within the container using the debug commands above

When to Get Help:

• Sonarr Discord
• Radarr Discord
• Lidarr Discord
• Prowlarr Discord
• TRaSH Discord

Remember: The best VPN setup is often no VPN at all. Only use VPNs when you have specific requirements, and always prefer simple, tested solutions over complex setups. {.is-success}