Firewall settings for Download Station to be directed only over VPN

I would be grateful for the community's help to properly configure the Diskstation to only allow BT traffic over the VPN connection.

Here is what I have done which doesn’t seem to stop the traffic if the VPN is disconnected.

Bond 1 firewall settings:
BT eMule Ports Protocol: All Source: All Action: Deny - If no rules are matched: allow access.

VPN firewall settings:
BT eMule Ports Protocol: All Source: All Action: Allow - If no rules are matched: deny access.

To test, when I shut down the VPN connection I continue to see Download Station download the torrent file. It should stop transferring but it doesn’t.

Please help! Thank you.

I’ll start off by saying I can’t help you personally…

I’ve wanted to do this and have read many threads about doing it. None of the ones I’ve read seem bulletproof or easy to execute.

I don’t have a link but Synology has identified this as a feature that people want and that they eventually want to provide.

If you figure out how to make it work, please let us know. You’ll be a hero.

Also, use this to see where you’re visible.

It will create a magnet link for you. You add the magnet link then it will repeatedly report what IP is seen sharing that link. Should make your testing a bit easier so that you know when you’re visible and when you’re behind the VPN.

Thank you for the response. I hope someone knows how to do this or Synology adds the feature. Sort of seems like the purpose of having a VPN and Firewall feature on their expensive hardware.

My approach was simply to set up a Docker DDSM, enable automatic VPN on boot-up and DownloadStation or Transmission. Be aware that you can only access the VM from your local network.

Here is what worked for me (taken from another place online).

Blocked the BT ports 16881 and 6881 on my firewall, then

On my Synology …

Control Panel => Network => Network Interface
  Configure VPN as described by Synology help
Control Panel => Security => Firewall
  Enable Firewall
  Edit Rules
    For each LAN: Deny BT service (At the bottom, if no rule matches then allow)
    For VPN: Allow BT service (If no rule matches then deny)
Control Panel => Network => General
  Advanced Settings: Check Enable Multiple Gateways

Tested…

VPN Disconnected
  I can access NAS from all methods
  BT does not work.
VPN Connected
  I can access NAS from all methods
  BT data transfer works

Thanks this was helpful.

I think I got it working, but the only issue is it defaults to the VPN being the first connection priority. When I change it in the interface settings to be the second, it does not persist across a restart, and at that stage the VPN becomes the first connection priority, slowing everything down.

I want to route SAB NZB to use the primary interface since it's SSL NNTP traffic and much faster without the VPN.

What you’re trying to do isn’t why firewalls and VPNs exist at all. What you want to do is a by-product of why VPNs exist.

Search for “VPN Docker” and you should find many people’s experience with setting up a download client with integrated VPN in Docker.

Thank you! This worked for me, keeping the VPN active at all times and being able to access the Management Portal!

Hey, I’m very grateful for your comment!!!

I’ve tried various methods to enable VPN in Download Manager while Synology Drive was still accessible via LAN, so far without success. Until I stumbled upon your answer. Pure gold.

Thanks a lot (and also to the anonymous source you didn’t reference).