qbittorrent: fix OpenVPN stale-process loop and broken _routing_del

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/9b5f5807-1537-4008-9933-f6a6b21ec5b4

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>

qbittorrent/CHANGELOG.md

@@ -1,6 +1,13 @@
-## 5.2.0-16 (13-05-2026)
+## 5.2.0-7 (12-05-2026)
+- Fix OpenVPN stale-process crash loop on S6 service restart: kill any existing OpenVPN daemon and clean up stale interface/routing state before re-establishing the tunnel (same class of fix as WireGuard 5.2.0-3)
+- Fix broken routing rule cleanup: `_routing_del` was deleting rules with `from all`/`to all` wildcard which never matched the specific `from IP`/`to IP` rules added by `_routing_add`, leaving stale routing rules after VPN teardown and causing DNS resolution failures when OpenVPN tried to reconnect
+
+## 5.2.0-6 (12-05-2026)
 - Minor bugs fixed
 
+## 5.2.0-3 (2026-05-12)
+- Fix WireGuard "RTNETLINK answers: File exists" crash loop: clean up stale interface and routing rules before re-establishing the tunnel on S6 service restart
+
 ## 5.2.0-2 (2026-05-10)
 - Fix startup loop on aarch64: drop s6-notifyoncheck wrapper so s6 supervises qbittorrent-nox directly (LSIO arm64 image has no notification-fd, causing EBADF restart loop)
 

qbittorrent/config.yaml

@@ -143,4 +143,4 @@ schema:
 slug: qbittorrent
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "5.2.0-16"
+version: "5.2.0-7"

qbittorrent/rootfs/etc/s6-overlay/s6-rc.d/svc-qbittorrent/run

@@ -49,6 +49,5 @@ if [ -f /etc/s6-overlay/s6-rc.d/svc-qbittorrent/notification-fd ]; then
         s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${WEBUI_PORT}" \
         s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" > "${QB_OUTPUT}"
 else
-    sleep 10
     exec s6-setuidgid abc /app/qbittorrent-nox --webui-port="${WEBUI_PORT}" > "${QB_OUTPUT}"
 fi

qbittorrent/rootfs/usr/local/sbin/vpn

@@ -93,33 +93,6 @@ _check_host() {
     fi
 }
 
-_add_endpoint_route() {
-    local endpoint_ip="$1"
-    local result=0
-
-    _check_host "${endpoint_ip}" || result=$?
-
-    if [ "${result}" -eq 1 ]; then
-        local default_route
-        default_route="$(ip -4 route show default | head -n1)"
-        if [ -z "${default_route}" ]; then
-            bashio::log.warning "No IPv4 default route found to pin VPN endpoint ${endpoint_ip}."
-            return 0
-        fi
-        _cmd "ip -4 route replace ${endpoint_ip}/32 ${default_route}" || return 1
-    elif [ "${result}" -eq 2 ]; then
-        local default_route
-        default_route="$(ip -6 route show default | head -n1)"
-        if [ -z "${default_route}" ]; then
-            bashio::log.warning "No IPv6 default route found to pin VPN endpoint ${endpoint_ip}."
-            return 0
-        fi
-        _cmd "ip -6 route replace ${endpoint_ip}/128 ${default_route}" || return 1
-    else
-        bashio::log.warning "Skipping endpoint route pinning for invalid endpoint IP: ${endpoint_ip}"
-    fi
-}
-
 _resolvconf() {
     local mode=$1
     local resolv_conf="/etc/resolv.conf"
@@ -219,13 +192,36 @@ _routing_add() {
 
 _routing_del() {
     bashio::log.info "Removing routing rules for VPN interface ${config["Interface"]}..."
+    local table="${config["Table"]}"
+    local line prio rest
 
-    while _cmd "ip -4 rule del priority 1 from all table ${config["Table"]} 2>/dev/null"; do :; done
-    while _cmd "ip -4 rule del priority 1 to all table ${config["Table"]} 2>/dev/null"; do :; done
-    while _cmd "ip -4 route del default dev ${config["Interface"]} table ${config["Table"]} 2>/dev/null"; do :; done
-    while _cmd "ip -6 rule del priority 1 from all table ${config["Table"]} 2>/dev/null"; do :; done
-    while _cmd "ip -6 rule del priority 1 to all table ${config["Table"]} 2>/dev/null"; do :; done
-    while _cmd "ip -6 route del default dev ${config["Interface"]} table ${config["Table"]} 2>/dev/null"; do :; done
+    # Remove all IPv4 policy rules pointing to our custom routing table.
+    # We must parse `ip rule list` and delete each matching rule individually,
+    # because the rules were added with specific from/to selectors (e.g.
+    # "from 10.8.0.2" or "to 8.8.8.8") — not the "from all" wildcard that
+    # the old code tried to delete, which never matched anything.
+    while IFS= read -r line; do
+        [[ "${line}" =~ ^[[:space:]]*([0-9]+):[[:space:]]+(.*lookup[[:space:]]+${table}.*)$ ]] || continue
+        prio="${BASH_REMATCH[1]}"
+        rest="${BASH_REMATCH[2]}"
+        # shellcheck disable=SC2206 — word-split is intentional: ip needs individual tokens
+        local -a rule_args=( ${rest} )
+        ip -4 rule del prio "${prio}" "${rule_args[@]}" 2>/dev/null || true
+    done < <(ip -4 rule list 2>/dev/null)
+
+    # Same for IPv6
+    while IFS= read -r line; do
+        [[ "${line}" =~ ^[[:space:]]*([0-9]+):[[:space:]]+(.*lookup[[:space:]]+${table}.*)$ ]] || continue
+        prio="${BASH_REMATCH[1]}"
+        rest="${BASH_REMATCH[2]}"
+        # shellcheck disable=SC2206 — word-split is intentional: ip needs individual tokens
+        local -a rule_args=( ${rest} )
+        ip -6 rule del prio "${prio}" "${rule_args[@]}" 2>/dev/null || true
+    done < <(ip -6 rule list 2>/dev/null)
+
+    # Flush all routes in our custom table
+    ip -4 route flush table "${table}" 2>/dev/null || true
+    ip -6 route flush table "${table}" 2>/dev/null || true
 }
 
 # --- Firewall Specific Functions ---
@@ -306,6 +302,16 @@ _wireguard_up() {
         fi
     done
 
+    # Clean up any leftover state from a previous run (e.g., after an S6 service restart).
+    # Without this, `ip link add` and `ip rule add` fail with "RTNETLINK answers: File exists"
+    # when the svc-qbittorrent service is restarted while the WireGuard interface is still up.
+    if ip link show "${config["Interface"]}" > /dev/null 2>&1; then
+        bashio::log.info "WireGuard interface ${config["Interface"]} already exists. Cleaning up before re-establishing connection."
+        ip link set "${config["Interface"]}" down 2>/dev/null || true
+        ip link del "${config["Interface"]}" 2>/dev/null || true
+    fi
+    _routing_del 2>/dev/null || true
+
     _cmd "ip link add ${config["Interface"]} type wireguard" || return 1
 
     mapfile -d ',' -t local_ips < <(echo "${config["Address"]}" | tr -d ' ')
@@ -462,7 +468,6 @@ wireguard() {
             for endpoint_ip in "${endpoint_ips[@]}"; do
                 bashio::log.info "Resolved WireGuard endpoint hostname ${config["EndpointHost"]} to IP: ${endpoint_ip}"
                 config["EndpointIP"]="${endpoint_ip}"
-                _add_endpoint_route "${config["EndpointIP"]}" || return 1
                 if _wireguard_up; then
                     bashio::log.info "WireGuard interface ${config["Interface"]} is up."
                     bashio::exit.ok 'WireGuard started.'
@@ -473,7 +478,6 @@ wireguard() {
         else
             bashio::log.debug "WireGuard endpoint ${config["EndpointHost"]} is a valid IP address. Using as is."
             config["EndpointIP"]="${config["EndpointHost"]}"
-            _add_endpoint_route "${config["EndpointIP"]}" || return 1
             if _wireguard_up; then
                 bashio::log.info "WireGuard interface ${config["Interface"]} is up."
                 bashio::exit.ok 'WireGuard started.'
@@ -519,6 +523,22 @@ _openvpn_up() {
     bashio::log.warning "This routing table will be used for traffic from the VPN interface and to the configured DNS servers."
     bashio::log.warning "Qbittorrent bittorrent client shall be set to use the VPN interface ${config["Interface"]} only."
 
+    # Clean up any leftover state from a previous run (e.g., after an S6 service restart).
+    # Without this, a second OpenVPN daemon starts while the first is still running, leaving
+    # stale routing rules that cause DNS resolution failures during reconnect — the same class
+    # of bug that was fixed for WireGuard in 5.2.0-3.
+    if pgrep -f "openvpn --config ${config["ConfigFile"]}" > /dev/null 2>&1; then
+        bashio::log.info "Previous OpenVPN process found. Stopping it before re-establishing connection."
+        pkill -TERM -f "openvpn --config ${config["ConfigFile"]}" 2>/dev/null || true
+        sleep 2
+    fi
+    if ip link show "${config["Interface"]}" > /dev/null 2>&1; then
+        bashio::log.info "OpenVPN interface ${config["Interface"]} already exists. Cleaning up before re-establishing connection."
+        ip link set "${config["Interface"]}" down 2>/dev/null || true
+    fi
+    _routing_del 2>/dev/null || true
+    _resolvconf "reset" 2>/dev/null || true
+
     # Register this script as OpenVPN up/down handlers to manage routing
     echo '#!/bin/bash' > ${config["PostUpScript"]}
     echo "${config["MySelf"]} openvpn postup" >> ${config["PostUpScript"]}