fix(qbittorrent): prevent recursive routing with blackhole route in table 1000

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/14f8993e-d073-4a6b-8c36-40ebf1b0e396

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>

qbittorrent/CHANGELOG.md

@@ -1,12 +1,7 @@
-## 5.2.0-8 (12-05-2026)
-- Minor bugs fixed
-## 5.2.0-7 (12-05-2026)
-- Minor bugs fixed
-## 5.2.0-6 (12-05-2026)
-- Minor bugs fixed
+## 5.2.0-19 (13-05-2026)
+- OpenVPN: simplify recursive routing fix — use a single blackhole route for the VPN server IP in table 1000 (no AWK, no ipcalc, no physical device detection required)
 
-## 5.2.0-3 (2026-05-12)
-- Fix WireGuard "RTNETLINK answers: File exists" crash loop: clean up stale interface and routing rules before re-establishing the tunnel on S6 service restart
+- Minor bugs fixed
 
 ## 5.2.0-2 (2026-05-10)
 - Fix startup loop on aarch64: drop s6-notifyoncheck wrapper so s6 supervises qbittorrent-nox directly (LSIO arm64 image has no notification-fd, causing EBADF restart loop)

qbittorrent/config.yaml

@@ -143,4 +143,4 @@ schema:
 slug: qbittorrent
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "5.2.0-8"
+version: "5.2.0-19"

qbittorrent/rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run

@@ -44,6 +44,11 @@ fi
 
 bashio::log.info "Starting qBittorrent..."
 
-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${WEBUI_PORT}" \
-    s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" > "${QB_OUTPUT}"
+if [ -f /etc/s6-overlay/s6-rc.d/svc-qbittorrent/notification-fd ]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${WEBUI_PORT}" \
+        s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" > "${QB_OUTPUT}"
+else
+    sleep 10
+    exec s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" > "${QB_OUTPUT}"
+fi

qbittorrent/rootfs/usr/local/sbin/vpn

@@ -535,9 +535,32 @@ _openvpn_down() {
     pkill -f "openvpn --config ${config["ConfigFile"]}" || true
     # Safety-net cleanup in case the --down callback was never invoked
     _routing_del || true
+    # Safety-net: remove blackhole route for VPN server if postdown was never invoked
+    if [ -f "${OPENVPN_STATE_DIR}/server_ip" ]; then
+        local saved_ip
+        saved_ip=$(cat "${OPENVPN_STATE_DIR}/server_ip" 2>/dev/null || true)
+        if [ -n "${saved_ip}" ]; then
+            ip -4 route del blackhole "${saved_ip}/32" table "${config["Table"]}" 2>/dev/null || true
+        fi
+        rm -f "${OPENVPN_STATE_DIR}/server_ip"
+    fi
 }
 
-_openpvn_postup() {
+_openvpn_postup() {
+    # Prevent recursive routing: add a blackhole route for the VPN server IP in
+    # table 1000. qBittorrent is bound to tun0, so its traffic is policy-routed
+    # into table 1000 (rule: from <tun_ip> -> table 1000).  Without this, packets
+    # destined for the VPN server go through tun0, OpenVPN detects the loop and
+    # drops them.  The blackhole makes qBittorrent's traffic to the server IP fail
+    # immediately (EHOSTUNREACH) instead of looping.  OpenVPN itself is not bound
+    # to tun0, so its traffic uses the main table and reaches the server normally.
+    if [ -n "${trusted_ip:-}" ]; then
+        bashio::log.info "Adding blackhole route for VPN server ${trusted_ip} in table ${config["Table"]} to prevent recursive routing."
+        ip -4 route add blackhole "${trusted_ip}/32" table "${config["Table"]}" 2>/dev/null \
+            && echo "${trusted_ip}" > "${OPENVPN_STATE_DIR}/server_ip" \
+            || bashio::log.warning "Could not add blackhole route for VPN server ${trusted_ip}."
+    fi
+
     # Add routing rules for VPN interface and DNS servers
     _routing_add || return 1
     # Add firewall rules for VPN interface (only when UPnP port mapping is enabled)
@@ -548,7 +571,19 @@ _openpvn_postup() {
     _resolvconf "update" || return 1
 }
 
-_openpvn_postdown() {
+_openvpn_postdown() {
+    # Remove blackhole route for VPN server (added in postup to prevent recursive routing)
+    local server_ip=""
+    if [ -n "${trusted_ip:-}" ]; then
+        server_ip="${trusted_ip}"
+    elif [ -f "${OPENVPN_STATE_DIR}/server_ip" ]; then
+        server_ip=$(cat "${OPENVPN_STATE_DIR}/server_ip" 2>/dev/null || true)
+    fi
+    if [ -n "${server_ip}" ]; then
+        ip -4 route del blackhole "${server_ip}/32" table "${config["Table"]}" 2>/dev/null || true
+        rm -f "${OPENVPN_STATE_DIR}/server_ip"
+    fi
+
     # Update resolv.conf to remove VPN DNS servers
     _resolvconf "reset" || true
     # Remove routing rules for VPN interface and DNS servers
@@ -604,10 +639,10 @@ openvpn() {
         bashio::log.info "OpenVPN on interface ${config["Interface"]} is down."
         bashio::exit.ok 'OpenVPN stopped.'
     elif [ "${mode}" = "postup" ]; then
-        _openpvn_postup
+        _openvpn_postup
         bashio::exit.ok 'OpenVPN routes added.'
     elif [ "${mode}" = "postdown" ]; then
-        _openpvn_postdown
+        _openvpn_postdown
         bashio::exit.ok 'OpenVPN routes deleted.'
     else
         bashio::log.error "Invalid OpenVPN mode specified. Use 'up', 'down', 'postup', or 'postdown'."