refactor(qbittorrent): simplify vpn endpoint route to single-IP helpers

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/c4801bc4-9748-4959-986c-8459fd6d52cd

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>

qbittorrent/CHANGELOG.md

@@ -1,13 +1,12 @@
-## 5.2.0-7 (12-05-2026)
-- Fix OpenVPN stale-process crash loop on S6 service restart: kill any existing OpenVPN daemon and clean up stale interface/routing state before re-establishing the tunnel (same class of fix as WireGuard 5.2.0-3)
-- Fix broken routing rule cleanup: `_routing_del` was deleting rules with `from all`/`to all` wildcard which never matched the specific `from IP`/`to IP` rules added by `_routing_add`, leaving stale routing rules after VPN teardown and causing DNS resolution failures when OpenVPN tried to reconnect
+## 5.2.0-18 (13-05-2026)
+- Simplify VPN endpoint route pinning to minimal helpers (single endpoint, no tracking list).
 
-## 5.2.0-6 (12-05-2026)
+## 5.2.0-17 (13-05-2026)
+- Fix VPN endpoint routing by pinning OpenVPN/WireGuard server IPs to the pre-VPN main route, preventing recursive tunnel routing drops.
+
+## 5.2.0-16 (13-05-2026)
 - Minor bugs fixed
 
-## 5.2.0-3 (2026-05-12)
-- Fix WireGuard "RTNETLINK answers: File exists" crash loop: clean up stale interface and routing rules before re-establishing the tunnel on S6 service restart
-
 ## 5.2.0-2 (2026-05-10)
 - Fix startup loop on aarch64: drop s6-notifyoncheck wrapper so s6 supervises qbittorrent-nox directly (LSIO arm64 image has no notification-fd, causing EBADF restart loop)
 

qbittorrent/config.yaml

@@ -143,4 +143,4 @@ schema:
 slug: qbittorrent
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "5.2.0-7"
+version: "5.2.0-18"

qbittorrent/rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run

@@ -49,5 +49,6 @@ if [ -f /etc/s6-overlay/s6-rc.d/svc-qbittorrent/notification-fd ]; then
         s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${WEBUI_PORT}" \
         s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" > "${QB_OUTPUT}"
 else
+    sleep 10
     exec s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" > "${QB_OUTPUT}"
 fi

qbittorrent/rootfs/usr/local/sbin/vpn

@@ -149,6 +149,28 @@ _resolve_hostname() {
     echo "${ips[@]}"
 }
 
+_endpoint_route_add() {
+    local ip="$1"
+    local rt via dev
+    rt="$(ip route get "${ip}" 2>/dev/null | head -n1)"
+    via="$(awk '{for(i=1;i<=NF;i++) if($i=="via"){print $(i+1);exit}}' <<< "${rt}")"
+    dev="$(awk '{for(i=1;i<=NF;i++) if($i=="dev"){print $(i+1);exit}}' <<< "${rt}")"
+    [ -z "${dev}" ] && { bashio::log.error "No route to VPN endpoint ${ip}."; return 1; }
+    if [ -n "${via}" ]; then
+        ip route replace "${ip}" via "${via}" dev "${dev}" || return 1
+    else
+        ip route replace "${ip}" dev "${dev}" || return 1
+    fi
+    bashio::log.info "Pinned VPN endpoint ${ip} to pre-VPN route (dev ${dev})."
+}
+
+_endpoint_route_del() {
+    local ip
+    ip="$(cat "${config["EndpointIPFile"]}" 2>/dev/null)"
+    [ -n "${ip}" ] && ip route del "${ip}" 2>/dev/null || true
+    rm -f "${config["EndpointIPFile"]}" || true
+}
+
 _routing_add() {
     bashio::log.info "Adding routing rules for VPN interface ${config["Interface"]}..."
 
@@ -192,36 +214,13 @@ _routing_add() {
 
 _routing_del() {
     bashio::log.info "Removing routing rules for VPN interface ${config["Interface"]}..."
-    local table="${config["Table"]}"
-    local line prio rest
 
-    # Remove all IPv4 policy rules pointing to our custom routing table.
-    # We must parse `ip rule list` and delete each matching rule individually,
-    # because the rules were added with specific from/to selectors (e.g.
-    # "from 10.8.0.2" or "to 8.8.8.8") — not the "from all" wildcard that
-    # the old code tried to delete, which never matched anything.
-    while IFS= read -r line; do
-        [[ "${line}" =~ ^[[:space:]]*([0-9]+):[[:space:]]+(.*lookup[[:space:]]+${table}.*)$ ]] || continue
-        prio="${BASH_REMATCH[1]}"
-        rest="${BASH_REMATCH[2]}"
-        # shellcheck disable=SC2206 — word-split is intentional: ip needs individual tokens
-        local -a rule_args=( ${rest} )
-        ip -4 rule del prio "${prio}" "${rule_args[@]}" 2>/dev/null || true
-    done < <(ip -4 rule list 2>/dev/null)
-
-    # Same for IPv6
-    while IFS= read -r line; do
-        [[ "${line}" =~ ^[[:space:]]*([0-9]+):[[:space:]]+(.*lookup[[:space:]]+${table}.*)$ ]] || continue
-        prio="${BASH_REMATCH[1]}"
-        rest="${BASH_REMATCH[2]}"
-        # shellcheck disable=SC2206 — word-split is intentional: ip needs individual tokens
-        local -a rule_args=( ${rest} )
-        ip -6 rule del prio "${prio}" "${rule_args[@]}" 2>/dev/null || true
-    done < <(ip -6 rule list 2>/dev/null)
-
-    # Flush all routes in our custom table
-    ip -4 route flush table "${table}" 2>/dev/null || true
-    ip -6 route flush table "${table}" 2>/dev/null || true
+    while _cmd "ip -4 rule del priority 1 from all table ${config["Table"]} 2>/dev/null"; do :; done
+    while _cmd "ip -4 rule del priority 1 to all table ${config["Table"]} 2>/dev/null"; do :; done
+    while _cmd "ip -4 route del default dev ${config["Interface"]} table ${config["Table"]} 2>/dev/null"; do :; done
+    while _cmd "ip -6 rule del priority 1 from all table ${config["Table"]} 2>/dev/null"; do :; done
+    while _cmd "ip -6 rule del priority 1 to all table ${config["Table"]} 2>/dev/null"; do :; done
+    while _cmd "ip -6 route del default dev ${config["Interface"]} table ${config["Table"]} 2>/dev/null"; do :; done
 }
 
 # --- Firewall Specific Functions ---
@@ -302,16 +301,6 @@ _wireguard_up() {
         fi
     done
 
-    # Clean up any leftover state from a previous run (e.g., after an S6 service restart).
-    # Without this, `ip link add` and `ip rule add` fail with "RTNETLINK answers: File exists"
-    # when the svc-qbittorrent service is restarted while the WireGuard interface is still up.
-    if ip link show "${config["Interface"]}" > /dev/null 2>&1; then
-        bashio::log.info "WireGuard interface ${config["Interface"]} already exists. Cleaning up before re-establishing connection."
-        ip link set "${config["Interface"]}" down 2>/dev/null || true
-        ip link del "${config["Interface"]}" 2>/dev/null || true
-    fi
-    _routing_del 2>/dev/null || true
-
     _cmd "ip link add ${config["Interface"]} type wireguard" || return 1
 
     mapfile -d ',' -t local_ips < <(echo "${config["Address"]}" | tr -d ' ')
@@ -377,6 +366,8 @@ _wireguard_up() {
     fi
 
     _cmd "ip link set ${config["Interface"]} up" || return 1
+    _endpoint_route_add "${config["EndpointIP"]}" || return 1
+    echo "${config["EndpointIP"]}" > "${config["EndpointIPFile"]}"
 
     # Add routing rules for VPN interface and DNS servers
     _routing_add || return 1
@@ -391,6 +382,7 @@ _wireguard_up() {
 }
 
 _wireguard_down() {
+    _endpoint_route_del || true
     # Update resolv.conf to remove VPN DNS servers
     _resolvconf "reset" || true
     # Remove routing rules for VPN interface and DNS servers
@@ -432,6 +424,7 @@ wireguard() {
     config["Interface"]="${interface}"
     config["ConfigFile"]="${config_file}"
     config["Table"]="${config["Table"]:-1000}"
+    config["EndpointIPFile"]="${WIREGUARD_STATE_DIR}/endpoint-ip"
     config["ListenPort"]="${config["ListenPort"]:-51820}"
     config["EndpointHost"]="${config["Endpoint"]%:*}"
     config["EndpointPort"]="${config["Endpoint"]##*:}"
@@ -518,27 +511,13 @@ _openvpn_check() {
 }
 
 _openvpn_up() {
+    local endpoint_ip result=0
+
     bashio::log.warning "This script force OpenvPN to ignore any routes and DNS settings pushed by the server."
     bashio::log.warning "Default route will be inserted into custom routing table: ${config["Table"]}"
     bashio::log.warning "This routing table will be used for traffic from the VPN interface and to the configured DNS servers."
     bashio::log.warning "Qbittorrent bittorrent client shall be set to use the VPN interface ${config["Interface"]} only."
 
-    # Clean up any leftover state from a previous run (e.g., after an S6 service restart).
-    # Without this, a second OpenVPN daemon starts while the first is still running, leaving
-    # stale routing rules that cause DNS resolution failures during reconnect — the same class
-    # of bug that was fixed for WireGuard in 5.2.0-3.
-    if pgrep -f "openvpn --config ${config["ConfigFile"]}" > /dev/null 2>&1; then
-        bashio::log.info "Previous OpenVPN process found. Stopping it before re-establishing connection."
-        pkill -TERM -f "openvpn --config ${config["ConfigFile"]}" 2>/dev/null || true
-        sleep 2
-    fi
-    if ip link show "${config["Interface"]}" > /dev/null 2>&1; then
-        bashio::log.info "OpenVPN interface ${config["Interface"]} already exists. Cleaning up before re-establishing connection."
-        ip link set "${config["Interface"]}" down 2>/dev/null || true
-    fi
-    _routing_del 2>/dev/null || true
-    _resolvconf "reset" 2>/dev/null || true
-
     # Register this script as OpenVPN up/down handlers to manage routing
     echo '#!/bin/bash' > ${config["PostUpScript"]}
     echo "${config["MySelf"]} openvpn postup" >> ${config["PostUpScript"]}
@@ -547,6 +526,15 @@ _openvpn_up() {
     echo "${config["MySelf"]} openvpn postdown" >> ${config["PostDownScript"]}
     chmod 755 ${config["PostDownScript"]}
 
+    endpoint_ip="$(awk '/^[[:space:]]*remote[[:space:]]/ {print $2; exit}' "${config["ConfigFile"]}")"
+    if [ -n "${endpoint_ip}" ]; then
+        _check_host "${endpoint_ip}" || result=$?
+        [ "${result}" -eq 3 ] && endpoint_ip="$(_resolve_hostname "${endpoint_ip}" | awk '{print $1}')"
+        if [ -n "${endpoint_ip}" ]; then
+            _endpoint_route_add "${endpoint_ip}" && echo "${endpoint_ip}" > "${config["EndpointIPFile"]}"
+        fi
+    fi
+
     # Define logging
     declare -A verbosity=(
         ["fatal"]=1
@@ -582,6 +570,7 @@ _openvpn_up() {
 _openvpn_down() {
     # Terminate OpenVPN process
     pkill -f "openvpn --config ${config["ConfigFile"]}" || true
+    _endpoint_route_del || true
     # Safety-net cleanup in case the --down callback was never invoked
     _routing_del || true
 }
@@ -606,6 +595,7 @@ _openpvn_postdown() {
     if bashio::config.true 'vpn_upnp_enabled'; then
         _firewall_del || true
     fi
+    _endpoint_route_del || true
 }
 
 openvpn() {
@@ -635,6 +625,7 @@ openvpn() {
     config["Interface"]="${interface}"
     config["ConfigFile"]="${config_file}"
     config["Table"]="${config["Table"]:-1000}"
+    config["EndpointIPFile"]="${OPENVPN_STATE_DIR}/endpoint-ip"
     config["PostUpScript"]="${OPENVPN_STATE_DIR}/up.sh"
     config["PostDownScript"]="${OPENVPN_STATE_DIR}/down.sh"