diff --git a/flake.nix b/flake.nix
index 3dc6dcb..92e5360 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 134 current 2025-10-08 22:40:11 25.05.20251006.20c4598 6.12.50 *
+# generation: 135 current 2025-10-08 22:40:45 25.05.20251006.20c4598 6.12.50 *
 {
   description = "blakes nix config";
   inputs = {
diff --git a/modules/homelab/services/qbittorrent/default.nix b/modules/homelab/services/qbittorrent/default.nix
index 85d1462..dea83e4 100644
--- a/modules/homelab/services/qbittorrent/default.nix
+++ b/modules/homelab/services/qbittorrent/default.nix
@@ -2,9 +2,10 @@
 let
   cfg = config.modules.services.qbittorrent;
-  ids = 2003;
   default_port = 8080;
   data_dir = "/var/lib/qBittorrent";
+  ids = 2003;
+  vpn_inf = "enp89s0.69"; # vpn interfacve
 in
 {
   options.modules.services.qbittorrent = {
@@ -49,22 +50,31 @@ in
       profileDir = data_dir;
       webuiPort = cfg.port;
       # torrentingPort = cfg.port;
-    };
     # override umask to make permissions work out
     systemd.services.qbittorrent = {
       serviceConfig = {
         UMask = lib.mkForce "0007";
-#        User = "qbittorrent";
-#        Group = "qbittorrent";
       };
+      networking.firewall.extraCommands = ''
+        # qbittorrent kill switch for uid ${toString ids}
+        iptables -N QBIT
+        iptables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT
+        iptables -A QBIT -o ${vpn_inf} -j ACCEPT
+        iptables -A QBIT -j DROP
+      '';
+
+
+
+# ------------------------------------------------------------------------------
 #   # add systemd service to VPN network namespace
 #   vpnConfinement = {
 #     enable = true;
 #     vpnNamespace = "wgmex";
 #   };
+# ------------------------------------------------------------------------------
     };
   # # open firewall
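Review bot: The QBIT chain added in the `networking.firewall.extraCommands` block of the third hunk only covers IPv4, so any IPv6 traffic generated by uid 2003 bypasses the kill switch entirely; the NixOS firewall script provides the `ip46tables` helper, which applies the same rule to both families, and all four rules should use it (or be duplicated with `ip6tables`). The rules are also not idempotent: `extraCommands` runs on every firewall start and reload, where `iptables -N QBIT` fails once the chain exists and the `-A` calls append duplicates, so guard them with `ip46tables -N QBIT 2>/dev/null || ip46tables -F QBIT` and `-C … || -A …`, and tear the chain down in `networking.firewall.extraStopCommands`. The unconditional `-j DROP` further catches loopback and the process's own reply packets on the LAN interface, so the WebUI on cfg.port will presumably stop answering unless it is reached over `${vpn_inf}`; an `-o lo -j ACCEPT` rule, plus a deliberate decision about how WebUI clients reach the service, is needed. Judging by the surrounding `};` context lines (indentation is lost in this diff), the option also appears to sit inside the `systemd.services.qbittorrent = {` attribute set rather than at module level, where the module system would reject it as an unknown option — confirm against the file. The enclosing config block starts and ends outside the hunk.
```nix
      networking.firewall.extraCommands = ''
        # qbittorrent kill switch for uid ${toString ids} (IPv4 + IPv6, safe to re-run)
        ip46tables -N QBIT 2>/dev/null || ip46tables -F QBIT
        ip46tables -C OUTPUT -m owner --uid-owner ${toString ids} -j QBIT 2>/dev/null \
          || ip46tables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT
        ip46tables -A QBIT -o lo -j ACCEPT
        ip46tables -A QBIT -o ${vpn_inf} -j ACCEPT
        ip46tables -A QBIT -j DROP
      '';
      networking.firewall.extraStopCommands = ''
        ip46tables -D OUTPUT -m owner --uid-owner ${toString ids} -j QBIT 2>/dev/null || true
        ip46tables -F QBIT 2>/dev/null || true
        ip46tables -X QBIT 2>/dev/null || true
      '';
      # … unchanged: commented-out vpnConfinement block …
```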