If I use this container with Mullvad and a Mullvad provided forwarded port, do I need to open up the port in UFW on the host?

[mboothroyd]

I have a dedicated server in a datacenter I'm trying to use as a bittorrent box. It is sufficiently powerful (i5, 32GB RAM, 250GB SSD) and runs Debian 11 (no ability to change OS remotely).

As the server is directly exposed to the internet with its own public IP, I have enabled UFW to deny all incoming connections by default.

I have the arch-qbittorrentvpn container mapping its webui to 127.0.0.1:8080 and caddy (installed via debian package) doing reverse proxy + TLS for the qBittorrent Web UI. ​

My ufw ruleset on the debian 11 host is:

sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https

I am also using Mullvad with wireguard, and have assigned a port on the Mullvad site to my wireguard connection. I have arch-qbittorrentvpn working perfectly and have verified the port is open (at least to the Mullvad server) but the speeds are not what I imagined. The ISP server is only one hop away from the wireguard endpoint (over a local IXP) and I've all of the different Mullvad servers in the location. I am assuming there is no other network issue at this level.

Do I need to add a UFW rule on the debian host to allow the incoming port forward to make it all the way to the arch-qbittorrentvpn container?

[binhex]

The answer is no, the only port you would need to open on your host is for outbound connection to the VPN endpoint

[mboothroyd]

Wow, thank you for the fast response!

Given I have sudo ufw default allow outgoing in the ufw rules, I don't think I need to open the port as the VPN connection can punch through (it's working now).. Unless there's something I'm missing?

[binhex]

Unless there's something I'm missing?

not that i can think of, sounds like its setup correctly to me.

[mboothroyd]

Thank you!!!