From cdbf511aca0621ee4c9bb670cbc9be2a70bda282 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 10:28:49 +0000
Subject: [PATCH] Fix OpenVPN broken by unconditional firewall rules; guard _firewall_add/del behind vpn_upnp_enabled; bump version to 5.1.4-19
Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>
Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/cd0a7e2e-8b4d-4fe1-9ddc-64a8127f64cf
---
 qbittorrent/config.yaml | 2 +-
 qbittorrent/rootfs/usr/local/sbin/vpn | 26 ++++++++++++++++++--------
 2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/qbittorrent/config.yaml b/qbittorrent/config.yaml
index 749b0972e..a0c2daf6e 100644
--- a/qbittorrent/config.yaml
+++ b/qbittorrent/config.yaml
@@ -143,4 +143,4 @@ schema:
 slug: qbittorrent
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "5.1.4-18"
+version: "5.1.4-19"
diff --git a/qbittorrent/rootfs/usr/local/sbin/vpn b/qbittorrent/rootfs/usr/local/sbin/vpn
index 2972a8f3d..55a248570 100755
--- a/qbittorrent/rootfs/usr/local/sbin/vpn
+++ b/qbittorrent/rootfs/usr/local/sbin/vpn
@@ -347,8 +347,10 @@ _wireguard_up() {
 # Add routing rules for VPN interface and DNS servers
 _routing_add || return 1
- # Add firewall rules for VPN interface
- _firewall_add || return 1
+ # Add firewall rules for VPN interface (only when UPnP port mapping is enabled)
+ if bashio::config.true 'vpn_upnp_enabled'; then
+ _firewall_add || bashio::log.warning "Firewall rules could not be applied (non-fatal)."
+ fi
 # Update resolv.conf with VPN DNS servers
 _resolvconf "update" || return 1
 # Wait for handshake to be established before returning success
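Review bot: In `_wireguard_up` a failed `_firewall_add` is now only logged as a warning, so with `vpn_upnp_enabled` set the function carries on and the tunnel comes up without the rules it was asked to install; the previous code returned 1 here. What `_firewall_add` installs is not visible in this patch, but if those rules limit what can reach the VPN interface once a port is mapped, continuing without them fails open. The `if` guard alone addresses the unconditional-rule breakage named in the subject, so the hard failure can stay inside it: `_firewall_add || return 1`. The same downgrade appears in `_openpvn_postup` in a later hunk. The body of `_wireguard_up` starts and ends outside this hunk.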
@@ -360,8 +362,10 @@ _wireguard_down() {
 _resolvconf "reset" || true
 # Remove routing rules for VPN interface and DNS servers
 _routing_del || true
- # Remove firewall rules for VPN interface
- _firewall_del || true
+ # Remove firewall rules for VPN interface (only when UPnP port mapping is enabled)
+ if bashio::config.true 'vpn_upnp_enabled'; then
+ _firewall_del || true
+ fi
 _cmd "ip link set ${config["Interface"]} down" 2>/dev/null || true
 _cmd "ip link del ${config["Interface"]}" 2>/dev/null || true
@@ -521,13 +525,17 @@ _openvpn_up() {
 _openvpn_down() {
 # Terminate OpenVPN process
 pkill -f "openvpn --config ${config["ConfigFile"]}" || true
+ # Safety-net cleanup in case the --down callback was never invoked
+ _routing_del || true
 }
 _openpvn_postup() {
 # Add routing rules for VPN interface and DNS servers
 _routing_add || return 1
- # Add firewall rules for VPN interface
- _firewall_add || return 1
+ # Add firewall rules for VPN interface (only when UPnP port mapping is enabled)
+ if bashio::config.true 'vpn_upnp_enabled'; then
+ _firewall_add || bashio::log.warning "Firewall rules could not be applied (non-fatal)."
+ fi
 # Update resolv.conf with VPN DNS servers
 _resolvconf "update" || return 1
 }
@@ -537,8 +545,10 @@ _openpvn_postdown() {
 _resolvconf "reset" || true
 # Remove routing rules for VPN interface and DNS servers
 _routing_del || true
- # Remove firewall rules for VPN interface
- _firewall_del || true
+ # Remove firewall rules for VPN interface (only when UPnP port mapping is enabled)
+ if bashio::config.true 'vpn_upnp_enabled'; then
+ _firewall_del || true
+ fi
 }
 openvpn() {
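Review bot: The new guard around `_firewall_del` in `_wireguard_down` reads `vpn_upnp_enabled` at teardown time, so if the option can change between up and down, rules added while it was on are left in place once it is off. The call is already best-effort (`|| true`), so running it unconditionally should cost nothing unless `_firewall_del` has side effects when no rules exist, which this patch does not show. Either drop the `if` here and keep only the one around `_firewall_add`, or have the add path record that rules were installed and test that record instead of the config value. `_openpvn_postdown` in the last hunk carries the same guard.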
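Review bot: The safety-net added to `_openvpn_down` repeats only `_routing_del`, while `_openpvn_postdown` also runs `_resolvconf "reset"` and, with UPnP enabled, `_firewall_del`; when the `--down` callback is never invoked, resolv.conf keeps the VPN DNS servers and the firewall rules stay installed. Calling the full teardown, `_openpvn_postdown || true`, would cover all three steps, assuming each is safe to run twice (they are already `|| true`). Separately, `pkill` returns as soon as the signal is sent, so this cleanup may run while OpenVPN and its callback are still executing. Waiting for the process to exit before cleaning up would make the order deterministic.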