SafeHarbor Media Stack
A VPN-protected media automation stack tested on Synology NAS
A Docker Compose media automation stack with VPN protection, Telegram alerts, and DNS leak detection, tested on Synology NAS.
Running a self-hosted media automation stack on a Synology NAS has two failure modes that stay invisible until they hurt you.
The first is silent VPN exposure. If the VPN tunnel drops, the download client and indexer apps keep running. They simply route through the host network instead, with no warning. By the time you notice, you have been exposed for hours.
The second is undocumented breakage between tool versions. Gluetun v3.41.0 introduced a netfilter change that Synology DSM does not handle without specific kernel parameters. Without them the container enters a restart loop and prints netfilter query: netlink receive: invalid argument, an error that tells you almost nothing. The fix exists, but it is scattered across issue threads.
I wanted a stack that closed both gaps by default, not one that assumed the happy path.
SafeHarbor is a Docker Compose configuration that wires together existing open-source tools: Gluetun as the VPN gateway, the Servarr suite (Sonarr, Radarr, Readarr, Bazarr, Prowlarr) plus Jackett and FlareSolverr for acquisition, and qBittorrent as the download client.
Every service that touches the internet uses network_mode: service:gluetun. That single decision means all download and indexer traffic routes through the VPN as a property of the network namespace, not as a setting someone can forget to enable. Gluetun’s kill switch handles the rest: if the tunnel goes down, the traffic stops rather than leaking.
For the version problem I pinned Gluetun to v3.40.4, the last release that works out of the box on Synology DSM 7.x. The README documents exactly which sysctls to add if you want to move to v3.41.0 or later, so the upgrade path is a deliberate choice rather than a surprise.
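A check for the two properties described above (every internet-facing service shares Gluetun's network namespace, and the Gluetun image is pinned to a version), as an added example that is not part of the SafeHarbor repository. It audits the JSON produced by `docker compose config --format json`; the service names, image tags and the `OUTSIDE_TUNNEL` allow-list are assumptions.

```python
import json

GATEWAY = "gluetun"
# Assumption: services meant to run outside the tunnel. The page names only
# the VPN Sentinel server; this service name is hypothetical.
OUTSIDE_TUNNEL = {"vpn-sentinel-server"}
FLOATING_TAGS = {"", "latest"}


def image_tag(image):
    """Return the tag (or digest) of an image reference, '' when none is given."""
    last = image.rsplit("/", 1)[-1]  # drop registry host:port and repo path
    if "@" in last:                  # digest-pinned reference
        return last.split("@", 1)[1]
    return last.split(":", 1)[1] if ":" in last else ""


def audit(compose):
    """Return a sorted list of findings for a parsed Compose config."""
    services = compose.get("services", {})
    gateway = services.get(GATEWAY)
    if gateway is None:
        return [f"{GATEWAY}: gateway service missing"]
    findings = []
    if image_tag(gateway.get("image", "")) in FLOATING_TAGS:
        findings.append(f"{GATEWAY}: image tag not pinned")
    for name, svc in services.items():
        if name == GATEWAY or name in OUTSIDE_TUNNEL:
            continue
        # Anything else must join the gateway's network namespace.
        if svc.get("network_mode") != f"service:{GATEWAY}":
            findings.append(f"{name}: not in the {GATEWAY} network namespace")
    return sorted(findings)


# Constructed sample shaped like `docker compose config --format json` output.
SAMPLE = json.loads("""
{"services": {
  "gluetun":     {"image": "qmcgaw/gluetun:latest"},
  "qbittorrent": {"image": "example/qbittorrent:1.2.3", "network_mode": "service:gluetun"},
  "prowlarr":    {"image": "example/prowlarr:1.2.3"},
  "vpn-sentinel-server": {"image": "example/vpn-sentinel-server:1.0"}
}}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Against a real deployment, pipe the output of `docker compose config --format json` into `json.load` and fail the deployment step when `audit` returns anything.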
I made the stack deliberately media-server agnostic. It acquires and organizes content; you point your own Plex, Jellyfin, or Emby at the finished library. That keeps the configuration small and avoids forcing a media server choice on anyone.
Monitoring is the part most stacks skip. SafeHarbor integrates VPN Sentinel, a project of mine, in a client-server split. The client runs inside the Gluetun tunnel and continuously reports its external IP, geolocation, and DNS resolver. The server runs outside the tunnel with a real IP and compares those reports. When the VPN drops or the DNS country stops matching the VPN country, it pushes a Telegram alert immediately. The same server doubles as an interactive bot, so a /status command returns the current IP, location, and uptime on demand.
The result is a stack where the safety mechanism is structural (traffic cannot leave except through the VPN) and the monitoring is active (you find out within seconds when something is wrong), all on hardware as modest as a Synology DS220+.
```
cp .env.example .env && docker compose up -d
docker compose ps
```

Full setup guide: configuration, deployment, troubleshooting
Snapshot: 2026-02-28. Versions and feature flags reflect each project at that date.
| Feature | SafeHarbor Media Stack | navilg/media-stack | ultimate-plex-stack |
|---|---|---|---|
| Synology tested | DS220+, DSM 7.x | Generic Docker | Generic Docker |
| Gluetun version pinned | v3.40.4 | Latest, may break | Latest, may break |
| VPN monitoring and alerts | VPN Sentinel plus Telegram | None | None |
| DNS leak detection | Automated | Manual | Manual |
| Bundled media server | Agnostic, bring your own | Plex | Plex plus Tautulli |
Drawn from the README comparison table. This stack trades a bundled media server for VPN safety and documented Synology compatibility.