From fa45da21a3a2ec089596ace875ecb5c385d3c28f Mon Sep 17 00:00:00 2001 From: Alexandre <44178713+alexbelgium@users.noreply.github.com> Date: Tue, 25 Nov 2025 10:27:47 +0100 Subject: [PATCH] Default container VPN binding --- qbittorrent/CHANGELOG.md | 3 +++ qbittorrent/README.md | 4 ++- qbittorrent/config.yaml | 7 +++++- .../rootfs/etc/cont-init.d/94-wireguard.sh | 15 ++++++++--- .../rootfs/etc/services.d/vpn-monitor/run | 25 +++++++++++++------ 5 files changed, 41 insertions(+), 13 deletions(-) diff --git a/qbittorrent/CHANGELOG.md b/qbittorrent/CHANGELOG.md index c76234b9c..e8245d342 100644 --- a/qbittorrent/CHANGELOG.md +++ b/qbittorrent/CHANGELOG.md @@ -1,3 +1,6 @@ +## 5.1.2-23 (29-11-2025) +- Default VPN container binding for OpenVPN and WireGuard with optional qBittorrent-only interface binding. + ## 5.1.2-22 (24-11-2025) - Minor bugs fixed ## 5.1.2-21 (24-11-2025) diff --git a/qbittorrent/README.md b/qbittorrent/README.md index 33f8368f5..039f0aa1b 100644 --- a/qbittorrent/README.md +++ b/qbittorrent/README.md @@ -77,13 +77,15 @@ Network disk is mounted to `/mnt/`. You need to map the exposed port | `openvpn_config` | str | | OpenVPN config file name (in `/config/openvpn/`) | | `openvpn_username` | str | | OpenVPN username | | `openvpn_password` | str | | OpenVPN password | -| `openvpn_alt_mode` | bool | `false` | Bind at container level instead of app level | +| `openvpn_alt_mode` | bool | `true` | Container binding for VPN traffic (disable to bind qBittorrent only) | | `wireguard_enabled` | bool | `false` | Enable WireGuard tunnel | | `wireguard_config` | str | _(empty)_ | WireGuard config file name (in `/config/wireguard/`) | | `qbit_manage` | bool | `false` | Enable qBit Manage integration | | `run_duration` | str | | Run duration (e.g., `12h`, `5d`) | | `silent` | bool | `false` | Suppress debug messages | +By default, VPN traffic is container-bound (OpenVPN and WireGuard). Disable `openvpn_alt_mode` only if you prefer binding qBittorrent itself to the VPN interface while exposing the rest of the container on the host network. + ### WireGuard Setup WireGuard configuration files must be stored in `/config/wireguard`. If several `.conf` files are present, set `wireguard_config` to the file name you want to use (for example `wg0.conf`). Expose UDP port `51820` in the add-on options and forward it from your router only when your tunnel expects inbound peers (for example, site-to-site setups). Outbound-only commercial VPN providers usually do not require a mapped port. The runtime configuration now preserves both IPv4 and IPv6 entries, so you can use dual-stack WireGuard peers when your endpoint supports them. diff --git a/qbittorrent/config.yaml b/qbittorrent/config.yaml index dc8a97177..8232aa34c 100644 --- a/qbittorrent/config.yaml +++ b/qbittorrent/config.yaml @@ -89,6 +89,11 @@ options: certfile: fullchain.pem customUI: vuetorrent keyfile: privkey.pem + openvpn_alt_mode: true + openvpn_config: "" + openvpn_enabled: false + openvpn_password: "" + openvpn_username: "" qbit_manage: false ssl: false wireguard_enabled: false @@ -145,4 +150,4 @@ schema: slug: qbittorrent udev: true url: https://github.com/alexbelgium/hassio-addons -version: 5.1.2-22 +version: 5.1.2-23 diff --git a/qbittorrent/rootfs/etc/cont-init.d/94-wireguard.sh b/qbittorrent/rootfs/etc/cont-init.d/94-wireguard.sh index 056f704ba..9a2016cb0 100755 --- a/qbittorrent/rootfs/etc/cont-init.d/94-wireguard.sh +++ b/qbittorrent/rootfs/etc/cont-init.d/94-wireguard.sh @@ -19,10 +19,6 @@ if bashio::config.true 'openvpn_enabled'; then bashio::exit.nok 'OpenVPN and WireGuard cannot be enabled simultaneously. Disable one of them.' fi -if bashio::config.true 'openvpn_alt_mode'; then - bashio::log.warning 'The openvpn_alt_mode option is ignored when WireGuard is enabled.' -fi - if bashio::config.has_value 'wireguard_config'; then configured_name="$(bashio::config 'wireguard_config')" configured_name="${configured_name##*/}" @@ -66,6 +62,17 @@ bashio::log.info 'Prepared WireGuard runtime configuration for initial connectio echo "${wireguard_runtime_config}" > "${WIREGUARD_STATE_DIR}/config" echo "${interface_name}" > "${WIREGUARD_STATE_DIR}/interface" +if bashio::config.true 'openvpn_alt_mode'; then + bashio::log.info 'Using container-wide WireGuard binding (default).' + if bashio::fs.file_exists "${QBT_CONFIG_FILE}"; then + sed -i '/Interface/d' "${QBT_CONFIG_FILE}" + else + bashio::log.warning 'qBittorrent config file not found. Unable to remove interface binding entries.' + fi + bashio::log.info "WireGuard prepared with interface ${interface_name} using configuration ${wireguard_config##*/}." + exit 0 +fi + if bashio::fs.file_exists "${QBT_CONFIG_FILE}"; then sed -i '/Interface/d' "${QBT_CONFIG_FILE}" sed -i "/\\[Preferences\\]/ i\\Connection\\\\Interface=${interface_name}" "${QBT_CONFIG_FILE}" diff --git a/qbittorrent/rootfs/etc/services.d/vpn-monitor/run b/qbittorrent/rootfs/etc/services.d/vpn-monitor/run index 5117c5fa3..fa7d7f00a 100755 --- a/qbittorrent/rootfs/etc/services.d/vpn-monitor/run +++ b/qbittorrent/rootfs/etc/services.d/vpn-monitor/run @@ -129,17 +129,28 @@ if bashio::config.true 'openvpn_enabled'; then vpn_openvpn=true fi -if [[ "${vpn_openvpn}" == true ]] && ! bashio::config.true 'openvpn_alt_mode'; then - VPN_INTERFACE="tun0" - bashio::log.info "VPN monitor set to query external IP through interface ${VPN_INTERFACE} (interface binding)." -else - VPN_INTERFACE="" -fi - if bashio::config.true 'wireguard_enabled'; then vpn_wireguard=true fi +if ! bashio::config.true 'openvpn_alt_mode'; then + if [[ "${vpn_openvpn}" == true ]]; then + VPN_INTERFACE="tun0" + bashio::log.info "VPN monitor set to query external IP through interface ${VPN_INTERFACE} (interface binding)." + elif [[ "${vpn_wireguard}" == true ]]; then + if [[ -f /var/run/wireguard/interface ]]; then + VPN_INTERFACE="$(cat /var/run/wireguard/interface)" + else + VPN_INTERFACE="wg0" + fi + bashio::log.info "VPN monitor set to query external IP through interface ${VPN_INTERFACE} (interface binding)." + else + VPN_INTERFACE="" + fi +else + VPN_INTERFACE="" +fi + if [[ "${vpn_openvpn}" != true && "${vpn_wireguard}" != true ]]; then bashio::log.info "VPN leak monitor not started because no VPN is enabled." exit 0