Default container VPN binding

Alexandre
2025-11-25 10:27:47 +01:00
parent 51fd1a7404
commit fa45da21a3
5 changed files with 41 additions and 13 deletions

View File

@@ -1,3 +1,6 @@
## 5.1.2-23 (29-11-2025)
- Default VPN container binding for OpenVPN and WireGuard with optional qBittorrent-only interface binding.
## 5.1.2-22 (24-11-2025)
- Minor bugs fixed
## 5.1.2-21 (24-11-2025)
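Review bot: the new 5.1.2-23 entry is dated 29-11-2025, but this commit is dated 2025-11-25 and the two previous entries are dated 24-11-2025; correct the date if it is a typo. The entry should also state that the default changed, since the README hunk in this commit moves `openvpn_alt_mode` from `false` to `true`, and users who relied on qBittorrent-only interface binding may get different routing after upgrading.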

View File

@@ -77,13 +77,15 @@ Network disk is mounted to `/mnt/<share_name>`. You need to map the exposed port
| `openvpn_config` | str | | OpenVPN config file name (in `/config/openvpn/`) |
| `openvpn_username` | str | | OpenVPN username |
| `openvpn_password` | str | | OpenVPN password |
| `openvpn_alt_mode` | bool | `false` | Bind at container level instead of app level |
| `openvpn_alt_mode` | bool | `true` | Container binding for VPN traffic (disable to bind qBittorrent only) |
| `wireguard_enabled` | bool | `false` | Enable WireGuard tunnel |
| `wireguard_config` | str | _(empty)_ | WireGuard config file name (in `/config/wireguard/`) |
| `qbit_manage` | bool | `false` | Enable qBit Manage integration |
| `run_duration` | str | | Run duration (e.g., `12h`, `5d`) |
| `silent` | bool | `false` | Suppress debug messages |
By default, VPN traffic is container-bound (OpenVPN and WireGuard). Disable `openvpn_alt_mode` only if you prefer binding qBittorrent itself to the VPN interface while exposing the rest of the container on the host network.
### WireGuard Setup
WireGuard configuration files must be stored in `/config/wireguard`. If several `.conf` files are present, set `wireguard_config` to the file name you want to use (for example `wg0.conf`). Expose UDP port `51820` in the add-on options and forward it from your router only when your tunnel expects inbound peers (for example, site-to-site setups). Outbound-only commercial VPN providers usually do not require a mapped port. The runtime configuration now preserves both IPv4 and IPv6 entries, so you can use dual-stack WireGuard peers when your endpoint supports them.
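Review bot: in the `openvpn_alt_mode` row, the option keeps its OpenVPN-specific name and stays listed among the `openvpn_*` options although it now also selects the binding mode for WireGuard; say so in the row's description (for example "applies to OpenVPN and WireGuard"), or introduce a neutrally named option and keep this one as an alias. In the added paragraph, "exposing the rest of the container on the host network" would be clearer if it stated which traffic leaves outside the tunnel in that mode, and what stops qBittorrent traffic in container-bound mode when the tunnel is down.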

View File

@@ -89,6 +89,11 @@ options:
certfile: fullchain.pem
customUI: vuetorrent
keyfile: privkey.pem
openvpn_alt_mode: true
openvpn_config: ""
openvpn_enabled: false
openvpn_password: ""
openvpn_username: ""
qbit_manage: false
ssl: false
wireguard_enabled: false
@@ -145,4 +150,4 @@ schema:
slug: qbittorrent
udev: true
url: https://github.com/alexbelgium/hassio-addons
version: 5.1.2-22
version: 5.1.2-23

View File

@@ -19,10 +19,6 @@ if bashio::config.true 'openvpn_enabled'; then
bashio::exit.nok 'OpenVPN and WireGuard cannot be enabled simultaneously. Disable one of them.'
fi
if bashio::config.true 'openvpn_alt_mode'; then
bashio::log.warning 'The openvpn_alt_mode option is ignored when WireGuard is enabled.'
fi
if bashio::config.has_value 'wireguard_config'; then
configured_name="$(bashio::config 'wireguard_config')"
configured_name="${configured_name##*/}"
@@ -66,6 +62,17 @@ bashio::log.info 'Prepared WireGuard runtime configuration for initial connectio
echo "${wireguard_runtime_config}" > "${WIREGUARD_STATE_DIR}/config"
echo "${interface_name}" > "${WIREGUARD_STATE_DIR}/interface"
if bashio::config.true 'openvpn_alt_mode'; then
bashio::log.info 'Using container-wide WireGuard binding (default).'
if bashio::fs.file_exists "${QBT_CONFIG_FILE}"; then
sed -i '/Interface/d' "${QBT_CONFIG_FILE}"
else
bashio::log.warning 'qBittorrent config file not found. Unable to remove interface binding entries.'
fi
bashio::log.info "WireGuard prepared with interface ${interface_name} using configuration ${wireguard_config##*/}."
exit 0
fi
if bashio::fs.file_exists "${QBT_CONFIG_FILE}"; then
sed -i '/Interface/d' "${QBT_CONFIG_FILE}"
sed -i "/\\[Preferences\\]/ i\\Connection\\\\Interface=${interface_name}" "${QBT_CONFIG_FILE}"
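Review bot: in the new container-wide branch, `sed -i '/Interface/d'` deletes every line of the qBittorrent config that contains the string Interface, not only the binding keys; anchor the pattern to the keys the script manages (the script itself writes `Connection\Interface=`), for this call and for the existing one below it. With the binding entry removed and the script exiting 0, nothing in this hunk keeps qBittorrent off the default route if the WireGuard interface is down, so the branch should check for, or at least log, whatever enforces the tunnel in this mode. The final log line expands `${wireguard_config##*/}` while the visible code works with `configured_name` and `wireguard_runtime_config`; confirm that variable is set at this point.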

View File

@@ -129,17 +129,28 @@ if bashio::config.true 'openvpn_enabled'; then
vpn_openvpn=true
fi
if [[ "${vpn_openvpn}" == true ]] && ! bashio::config.true 'openvpn_alt_mode'; then
VPN_INTERFACE="tun0"
bashio::log.info "VPN monitor set to query external IP through interface ${VPN_INTERFACE} (interface binding)."
else
VPN_INTERFACE=""
fi
if bashio::config.true 'wireguard_enabled'; then
vpn_wireguard=true
fi
if ! bashio::config.true 'openvpn_alt_mode'; then
if [[ "${vpn_openvpn}" == true ]]; then
VPN_INTERFACE="tun0"
bashio::log.info "VPN monitor set to query external IP through interface ${VPN_INTERFACE} (interface binding)."
elif [[ "${vpn_wireguard}" == true ]]; then
if [[ -f /var/run/wireguard/interface ]]; then
VPN_INTERFACE="$(cat /var/run/wireguard/interface)"
else
VPN_INTERFACE="wg0"
fi
bashio::log.info "VPN monitor set to query external IP through interface ${VPN_INTERFACE} (interface binding)."
else
VPN_INTERFACE=""
fi
else
VPN_INTERFACE=""
fi
if [[ "${vpn_openvpn}" != true && "${vpn_wireguard}" != true ]]; then
bashio::log.info "VPN leak monitor not started because no VPN is enabled."
exit 0
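Review bot: in the WireGuard branch, `VPN_INTERFACE="$(cat /var/run/wireguard/interface)"` is used without checking that the result is non-empty; an empty state file yields `VPN_INTERFACE=""`, the same value this block uses for "no interface binding", while the log line that follows still claims interface binding. Fall back to `wg0` (or fail) when the value is empty, and log when the fallback is taken. The path is hard-coded here while the WireGuard script writes `${WIREGUARD_STATE_DIR}/interface`; share one variable so the two cannot drift apart. The three `VPN_INTERFACE=""` assignments could be a single initialisation before the outer `if`.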