Pin resolved WireGuard endpoint route before VPN startup

2026-06-24 08:16:04 +02:00 · 2026-05-13 11:31:41 +02:00
3 changed files with 30 additions and 47 deletions
--- a/qbittorrent/CHANGELOG.md
+++ b/qbittorrent/CHANGELOG.md
@@ -1,9 +1,3 @@
-## 5.2.0-18 (13-05-2026)
- Simplify VPN endpoint route pinning to minimal helpers (single endpoint, no tracking list).
-
-## 5.2.0-17 (13-05-2026)
- Fix VPN endpoint routing by pinning OpenVPN/WireGuard server IPs to the pre-VPN main route, preventing recursive tunnel routing drops.
-
 ## 5.2.0-16 (13-05-2026)
 - Minor bugs fixed

--- a/qbittorrent/config.yaml
+++ b/qbittorrent/config.yaml
@@ -143,4 +143,4 @@ schema:
 slug: qbittorrent
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "5.2.0-18"
+version: "5.2.0-16"
--- a/qbittorrent/rootfs/usr/local/sbin/vpn
+++ b/qbittorrent/rootfs/usr/local/sbin/vpn
@@ -93,6 +93,33 @@ _check_host() {
    fi
 }

+_add_endpoint_route() {
+    local endpoint_ip="$1"
+    local result=0
+
+    _check_host "${endpoint_ip}" || result=$?
+
+    if [ "${result}" -eq 1 ]; then
+        local default_route
+        default_route="$(ip -4 route show default | head -n1)"
+        if [ -z "${default_route}" ]; then
+            bashio::log.warning "No IPv4 default route found to pin VPN endpoint ${endpoint_ip}."
+            return 0
+        fi
+        _cmd "ip -4 route replace ${endpoint_ip}/32 ${default_route}" || return 1
+    elif [ "${result}" -eq 2 ]; then
+        local default_route
+        default_route="$(ip -6 route show default | head -n1)"
+        if [ -z "${default_route}" ]; then
+            bashio::log.warning "No IPv6 default route found to pin VPN endpoint ${endpoint_ip}."
+            return 0
+        fi
+        _cmd "ip -6 route replace ${endpoint_ip}/128 ${default_route}" || return 1
+    else
+        bashio::log.warning "Skipping endpoint route pinning for invalid endpoint IP: ${endpoint_ip}"
+    fi
+}
+
 _resolvconf() {
    local mode=$1
    local resolv_conf="/etc/resolv.conf"
@@ -149,28 +176,6 @@ _resolve_hostname() {
    echo "${ips[@]}"
 }

-_endpoint_route_add() {
-    local ip="$1"
-    local rt via dev
-    rt="$(ip route get "${ip}" 2>/dev/null | head -n1)"
-    via="$(awk '{for(i=1;i<=NF;i++) if($i=="via"){print $(i+1);exit}}' <<< "${rt}")"
-    dev="$(awk '{for(i=1;i<=NF;i++) if($i=="dev"){print $(i+1);exit}}' <<< "${rt}")"
-    [ -z "${dev}" ] && { bashio::log.error "No route to VPN endpoint ${ip}."; return 1; }
-    if [ -n "${via}" ]; then
-        ip route replace "${ip}" via "${via}" dev "${dev}" || return 1
-    else
-        ip route replace "${ip}" dev "${dev}" || return 1
-    fi
-    bashio::log.info "Pinned VPN endpoint ${ip} to pre-VPN route (dev ${dev})."
-}
-
-_endpoint_route_del() {
-    local ip
-    ip="$(cat "${config["EndpointIPFile"]}" 2>/dev/null)"
-    [ -n "${ip}" ] && ip route del "${ip}" 2>/dev/null || true
-    rm -f "${config["EndpointIPFile"]}" || true
-}
-
 _routing_add() {
    bashio::log.info "Adding routing rules for VPN interface ${config["Interface"]}..."

@@ -366,8 +371,6 @@ _wireguard_up() {
    fi

    _cmd "ip link set ${config["Interface"]} up" || return 1
-    _endpoint_route_add "${config["EndpointIP"]}" || return 1
-    echo "${config["EndpointIP"]}" > "${config["EndpointIPFile"]}"

    # Add routing rules for VPN interface and DNS servers
    _routing_add || return 1
@@ -382,7 +385,6 @@ _wireguard_up() {
 }

 _wireguard_down() {
-    _endpoint_route_del || true
    # Update resolv.conf to remove VPN DNS servers
    _resolvconf "reset" || true
    # Remove routing rules for VPN interface and DNS servers
@@ -424,7 +426,6 @@ wireguard() {
    config["Interface"]="${interface}"
    config["ConfigFile"]="${config_file}"
    config["Table"]="${config["Table"]:-1000}"
-    config["EndpointIPFile"]="${WIREGUARD_STATE_DIR}/endpoint-ip"
    config["ListenPort"]="${config["ListenPort"]:-51820}"
    config["EndpointHost"]="${config["Endpoint"]%:*}"
    config["EndpointPort"]="${config["Endpoint"]##*:}"
@@ -461,6 +462,7 @@ wireguard() {
            for endpoint_ip in "${endpoint_ips[@]}"; do
                bashio::log.info "Resolved WireGuard endpoint hostname ${config["EndpointHost"]} to IP: ${endpoint_ip}"
                config["EndpointIP"]="${endpoint_ip}"
+                _add_endpoint_route "${config["EndpointIP"]}" || return 1
                if _wireguard_up; then
                    bashio::log.info "WireGuard interface ${config["Interface"]} is up."
                    bashio::exit.ok 'WireGuard started.'
@@ -471,6 +473,7 @@ wireguard() {
        else
            bashio::log.debug "WireGuard endpoint ${config["EndpointHost"]} is a valid IP address. Using as is."
            config["EndpointIP"]="${config["EndpointHost"]}"
+            _add_endpoint_route "${config["EndpointIP"]}" || return 1
            if _wireguard_up; then
                bashio::log.info "WireGuard interface ${config["Interface"]} is up."
                bashio::exit.ok 'WireGuard started.'
@@ -511,8 +514,6 @@ _openvpn_check() {
 }

 _openvpn_up() {
-    local endpoint_ip result=0
-
    bashio::log.warning "This script force OpenvPN to ignore any routes and DNS settings pushed by the server."
    bashio::log.warning "Default route will be inserted into custom routing table: ${config["Table"]}"
    bashio::log.warning "This routing table will be used for traffic from the VPN interface and to the configured DNS servers."
@@ -526,15 +527,6 @@ _openvpn_up() {
    echo "${config["MySelf"]} openvpn postdown" >> ${config["PostDownScript"]}
    chmod 755 ${config["PostDownScript"]}

-    endpoint_ip="$(awk '/^[[:space:]]*remote[[:space:]]/ {print $2; exit}' "${config["ConfigFile"]}")"
-    if [ -n "${endpoint_ip}" ]; then
-        _check_host "${endpoint_ip}" || result=$?
-        [ "${result}" -eq 3 ] && endpoint_ip="$(_resolve_hostname "${endpoint_ip}" | awk '{print $1}')"
-        if [ -n "${endpoint_ip}" ]; then
-            _endpoint_route_add "${endpoint_ip}" && echo "${endpoint_ip}" > "${config["EndpointIPFile"]}"
-        fi
-    fi
-
    # Define logging
    declare -A verbosity=(
        ["fatal"]=1
@@ -570,7 +562,6 @@ _openvpn_up() {
 _openvpn_down() {
    # Terminate OpenVPN process
    pkill -f "openvpn --config ${config["ConfigFile"]}" || true
-    _endpoint_route_del || true
    # Safety-net cleanup in case the --down callback was never invoked
    _routing_del || true
 }
@@ -595,7 +586,6 @@ _openpvn_postdown() {
    if bashio::config.true 'vpn_upnp_enabled'; then
        _firewall_del || true
    fi
-    _endpoint_route_del || true
 }

 openvpn() {
@@ -625,7 +615,6 @@ openvpn() {
    config["Interface"]="${interface}"
    config["ConfigFile"]="${config_file}"
    config["Table"]="${config["Table"]:-1000}"
-    config["EndpointIPFile"]="${OPENVPN_STATE_DIR}/endpoint-ip"
    config["PostUpScript"]="${OPENVPN_STATE_DIR}/up.sh"
    config["PostDownScript"]="${OPENVPN_STATE_DIR}/down.sh"