backup

Without a /32 route in the main table, CHECK_HOST (1.1.1.1) fell through
to the VPN default route where source-address selection was defeated by
the priority-100 'from ETH0_IP' policy rule, causing pings to bypass
wg0 and be dropped by the kill switch.

Also add secondary google.com ping to distinguish IP vs DNS failures.

Docker/VERSION

@@ -1 +1 @@
-v1.1.11
+v1.1.12

Docker/entrypoint.sh

@@ -198,6 +198,14 @@ start_vpn() {
         echo "[vpn] DNS set to: ${VPN_DNS}"
     fi
 
+    # Add explicit host route for the health-check target so it is picked up by
+    # the 'lookup main suppress_prefixlength 0' rule (same as DNS servers above).
+    # Without this, CHECK_HOST falls through to the VPN table default route whose
+    # source-address selection can be defeated by the priority-100 'from ETH0_IP'
+    # policy rule, causing pings to bypass wg0 and be dropped by the kill switch.
+    ip -4 route add "${CHECK_HOST}" dev "$INTERFACE" 2>/dev/null || true
+    echo "[vpn] Health-check route: ${CHECK_HOST} → ${INTERFACE}"
+
     echo "[vpn] WireGuard interface ${INTERFACE} is up."
     echo "[vpn] Main routes:"
     ip route show | sed 's/^/[vpn]   /'
@@ -249,9 +257,21 @@ health_loop() {
                 echo "[health] VPN recovered."
                 failures=0
             fi
+            # Secondary DNS check
+            if ping -c 1 -W 5 "google.com" > /dev/null 2>&1; then
+                : # DNS OK — silent
+            else
+                echo "[health] WARN google.com unreachable — possible DNS issue"
+            fi
         else
             failures=$((failures + 1))
             echo "[health] Check failed ($failures/$max_failures) — ping ${CHECK_HOST} failed"
+            # Secondary check: distinguish IP failure from DNS failure
+            if ping -c 1 -W 5 "google.com" > /dev/null 2>&1; then
+                echo "[health] INFO google.com reachable — DNS works, ${CHECK_HOST} may be filtered"
+            else
+                echo "[health] INFO google.com also unreachable — DNS or general routing failure"
+            fi
             # Dump WireGuard stats to show if handshake is stale and how much data flows
             echo "[health] wg stats:"
             wg show "$INTERFACE" 2>/dev/null | grep -E 'latest handshake|transfer|endpoint' | sed 's/^/[health]   /' || echo "[health]   wg0 not found"

Docker/podman-compose.prod.yml

@@ -15,6 +15,7 @@ services:
     cap_add:
       - NET_ADMIN
       - SYS_MODULE
+      - NET_RAW
     sysctls:
       - net.ipv4.ip_forward=1
       - net.ipv4.conf.all.src_valid_mark=1
@@ -22,7 +23,7 @@ services:
       - /server/server_aniworld/wg0.conf:/etc/wireguard/wg0.conf:ro
       - /lib/modules:/lib/modules:ro
     ports:
-      - "2000:8000"
+      - "8000:8000"
     environment:
       - HEALTH_CHECK_INTERVAL=10
       - HEALTH_CHECK_HOST=1.1.1.1
@@ -51,4 +52,5 @@ services:
     volumes:
       - /server/server_aniworld/data:/app/data
       - /server/server_aniworld/logs:/app/logs
+      - /media/serien/Serien:/data
     restart: unless-stopped

package.json

@@ -1,6 +1,6 @@
 {
   "name": "aniworld-web",
-  "version": "1.1.11",
+  "version": "1.1.12",
   "description": "Aniworld Anime Download Manager - Web Frontend",
   "type": "module",
   "scripts": {