My NAS server uses Tailscale so that I can conveniently access it from any device on my tailnet. I have an external NAS hard drive enclosure connected to it via USB 3.0, and this NAS enclosure contains four 20 TB enterprise HDDs, so I have a total of roughly 80 TB of storage space that comprises a "RAID0" ZFS pool. My goal is to use some of this storage space for open access data, such as Anna's Archive. The problem is if I start bittorrenting those archives, it's possible my Comcast ISP will complain or block, or I'll get legal scare letters, or some such nonsense. A solution, or a way to circumvent detection by Comcast, would be to use a VPN for the qBittorrent connection. I could use ProtonVPN from my Proton Unlimited account, but this would interfere with the Tailscale VPN. A solution to this, in turn, is to use one of my other Orange Pi 5 Plus devices as an auxiliary node to run the qBittorrent Docker container, and have qBittorrent configured to save downloaded data to the NAS via an NFS share on the nas-node. In order to ensure a consistent and fast connection to the nas-node, I decided to use the second ethernet ports on the Orange Pi 5 Plus devices. So I have a 12-inch ethernet cable connecting both Orange Pi 5 Plus devices to their second ethernet ports. I configured this with systemd-networkd by setting up a subnet between the two devices.

For the sake of this post, eth0 refers to the primary ethernet port that receives Internet, and eth1 refers to the second ethernet port that connects to the subnet.

On nas-node, I created a network file for systemd at /etc/systemd/network/eth1.network:

[Match]
Name=eth1

[Network]
Address=10.0.4.1/24

On aux-node, I created a network file for systemd at /etc/systemd/network/eth1.network:

[Match]
Name=eth1

[Network]
Address=10.0.4.2/24

Both nas-node and aux-node are running Ubuntu 24.04, which uses netplan.io to configure the network interfaces. I had to disable netplan.io by removing its package, enable systemd-networkd, and reboot in order to use systemd-networkd.

sudo apt purge netplan.io
sudo apt autoremove
sudo systemctl enable systemd-networkd
sudo systemctl reboot

Now that I have a li'l subnet for nas-node and aux-node, I configured the NFS share on nas-node to allow connection from the aux-node IP address 10.0.4.2. First, I had to create a ZFS dataset to store the torrent data, and then configure that dataset to be an NFS share.

sudo zfs create naspool/torrents
sudo zfs set sharenfs="rw=@10.0.4.0/24" naspool/torrents
sudo chown -R jas:jas /naspool/torrents

In /etc/exports:

/naspool/torrents 10.0.4.2(rw,sync,no_subtree_check)

I set the ownership of the naspool/torrents dataset to the jas user, so that the jas user on both the nas-node and aux-node can access it.

I configured /etc/fstab to mount the NFS share from nas-node automatically on boot.

10.0.4.1:/naspool/torrents /mnt/torrents nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.4.2,local_lock=none,addr=10.0.4.1 0 0

I installed Docker and the wireguard-tools packages on aux-node. I created and downloaded a ProtonVPN Wireguard configuration file and saved it to /etc/wireguard/wg0.conf. I actually have several of these from various geographic locations in case one stops working for whatever reason. When creating the Wireguard configurations for ProtonVPN, I made sure to select NAT port-fowarding for peer-to-peer filesharing.

For the qBittorrent Docker container, I used docker compose with the following compose.yml file:

---
services:
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
    container_name: qbittorrent
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - WEBUI_PORT=8080
      - TORRENTING_PORT=6881
    volumes:
      - /mnt/torrents/downloads:/downloads
      - qbittorrent-config:/config
    ports:
      - 8080:8080
      - 6881:6881
      - 6881:6881/udp
      - 9000:9000
      - 9000:9000/udp
    restart: unless-stopped

volumes:
  qbittorrent-config:

Note that /mnt/torrents on aux-node is the NFS share from nas-node via the subnet I created for nas-node and aux-node. Port 8080 is so that I can access the qBittorrent web UI. Port 6881 for TCP and UDP are the torrenting ports that will be forwarded through the ProtonVPN connection. Port 9000 for TCP and UDP is to allow port-forwarding for the embedded tracker in qBittorrent. The qBittorrent Docker container automatically uses the ProtonVPN connection from the host. I checked this by entering the qBittorrent container's shell environment and running curl ipinfo.io to check its public IP address, which was indeed the ProtonVPN IP address.

So, with this setup, I am able to use some of my ~80 TB NAS storage to help out the open access community, with my Comcast ISP being none the wiser. Though, to be epistemically thorough, it's possible there is some hole in this setup that Comcast can hypothetically circumvent. At the very least, they are able to tell I'm using a VPN.