Docker Deluge Image / Service

I want a torrent service that uses a VPN and is set-up to block non VPN WAN (internet) access. On my virtual machine implementation of this I used the following 3 packages: deluge (deluged with deluge-web), openvpn and nftables. I have used both iptables and nftables and find nftables is definitely more elegant to use. As far as I can tell there is not a Docker image that will meet my needs.

I have been successfully been running this in a container on my home server since early 2023. This replaced the a similar setup that have I been operating since about 2017 on a virtual machine using Linux KVM/Libvirt/QEMU.


  • docker build -t deluge-openvpn-nftables . - to create the image deluge-openvpn-nftables
  • docker run -it -p 8112:8112 –name deluge deluge-openvpn-nftables /bin/sh - to run the docker image deluge-openvpn-nftables as a container called deluge, with port 8112 passed through, the deluge web interface.
  • Inside the container shell the deluge system can be started with the command deluge web It looks like I need to write an openrc script to allow the application to be controlled by the build in system.

I use 2 forms of vpn (virtual private network) on my home server.

  1. VPN to gain remote secure private access to my home LAN from the WAN (internet). This is where I describe this Wireguard VPN access from WAN to LAN.
  2. VPN to anonymize my public internet access, making it more difficult for others to track my online behavior. This is the one I am describing here.
    1. There are some other potential benefits with this style of VPN usage, e.g. greater privacy and ability to have ip address based on different geographic location.

I am currently using PrivateVPN as my public VPN provider. They use openVPN for access, with a login configuration. I noticed that they recently now also have the capability to use up to 8 Wireguard configurations. After logging in to their website the Wireguard configurations can be found here PrivateVPN config panel.

Most of the notes below were taken discovering and implementing the Docker usage of openvpn with the s6 init system. That being said there my be some handy bits in there,


There are 2 type of volume needs in this set up.

  1. Deluge configuration directory
    1. I usually like to store my live application configuration files with the docker image / container setup
  2. Deluge file storage
    1. download directories (working directories)
      1. actual download working directory
      2. torrent file storage directory directory
    2. completed directory where finish torrent files are stored (longer term storage directories)

Next set is to get the deluge configuration files outside the ephemeral container storage to some permanent storage:

The -v /mnt/docker_store/media/.config:/root/.config/deluge/ make Docker map the external directory /mnt/docker_store/media/ on to the internal directory, /root/.config/deluge/.

docker run -it -v /mnt/docker_store/media/.config:/root/.config/deluge/ --network macnet1 --ip= --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh

Clearly deluge files need to be stored outside the docker ephemeral container storage to some permanent storage. I have nfs setup on the host which I will setup relevant sub-directories as volumes on the deluge container for storage. The docker web application allows the store to be selected, however the storage options need to setup to allow function. I will use the container directory /app to store these sub-directories.

  • -v /mnt/deluge:/app/deluge
  • -v /mnt/disk2/Media/Temp/Complete:/app/Complete

The final docker run command is now: docker run -it -v /mnt/docker_store/media/.config:/root/.config/deluge/ -v /mnt/deluge:/app/deluge -v /mnt/disk2/Media/Temp/Complete:/app/Complete --network macnet1 --ip= --cap-add=NET_ADMIN --name alpine deluge-openvpn-nftables /bin/sh

After a couple of minor syntax typos I got the basic docker nfs volume working, but when I tried to get 2 volumes set up it was wonky. To date I have not further investigated why.


As described in the vpn section openvpn setup, I decided to go with the docker macvlan network setup. This needs to be separately created and can then be called up when the container is run. A static ip address can be assigned when run.

docker network create -d macvlan  \
    --subnet=  \
    --ip-range= \
    --gateway=  \
    -o parent=enp1s0 macnet1

My final docker run command was docker run -it -v /mnt/docker_store/media/.config:/app/.config/deluge/ -v /mnt/docker_store/media/.cache/Python-Eggs:/app/.cache/Python-Eggs -v /mnt/deluge:/app/deluge -v /mnt/disk2/Media/Temp/Complete:/app/Complete –network macnet1 –ip= –cap-add=NET_ADMIN –name deluge deluge-openvpn-nftables /bin/sh which I had to convert to docker-compose yml script.

The docker build command to build the image was docker build -t deluge-openvpn-nftables .

The compose.yml file is:

version: '3.9'
    build: ./
    image: deluge-openvpn-nftables:latest
    tty: true
    stdin_open: true
    container_name: deluge
    restart: 'unless-stopped' # always | no | on-failure [:5 (max-retries)]
      - '/mnt/docker_store/media/.config:/app/.config/deluge/'
      - '/mnt/docker_store/media/.cache/Python-Eggs:/app/.cache/Python-Eggs'  
      - '/mnt/deluge:/app/deluge'
      - '/mnt/disk2/Media/Temp/Complete:/app/Complete'
      - NET_ADMIN
    command: /bin/sh

    external: true

Some basic docker compose commands:

  • docker-compose up -d to start up the container
  • docker-compose up -d --build to start up and force build the container image first
  • docker-compose down to stop and remove the container
  • docker-compose stop to stop the container
  • docker-compose start to start the container


  1. The cap_add: NET_ADMIN is required to allow the container network to allow routing functionality. This is required for the openvpn to operate.
  2. As I run all my one-shots and longruns using s6 init, this is no command that is running to keep the container open (perhaps a poor explanation) The statement command: /bin/sh not only keeps the container open it also allows me to shell into it via docker, docker attach servicename. There are 2 ways to get out, use exit in the shell which attempts to exit, or type control p then control q. (As I am not running an ssh server in the container, ssh cannot be used.)

I need to work on this one more. It did not seem to work well for me in attempts to date. I tried again in mailserver setup also to no avail.

S6_KEEP_ENV (default = 0): if set, then environment is not reset and whole supervision tree sees original set of env vars. It switches with-contenv into a nop. I placed ENV S6_KEEP_ENV=1 before first init and all the environment variable were visible.

The Alpine docker image is build using musl, BusyBox and OpenRC, however I have setup to use s6-rc instead of OpenRC. The “standard” shell commands are build in the ash library with additional commands in Busybox, Busybox is a single file. Some addtional functionality can be found by using apk add util-linux. See Wikipedia util-linux for a list of additional functionality in util-linux.

A list of BusyBox Commands

  • /app/www/public/data/pages/docker_notes/docker-deluge.txt
  • Last modified: 2024-04-28 Sun wk17 11:26
  • by baumkp