push.rocks/smartvpn
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth,client-registry): add Noise IK client authentication with managed client registry and per-client ACL controls

Browse Source
This commit is contained in:
Jürgen Kunz
2026-03-29 17:04:27 +00:00
parent 187a69028b
commit 01a0d8b9f4
20 changed files with 1930 additions and 897 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
ts/smartvpn.classes.vpnconfig.ts
View File

@@ -51,6 +51,15 @@ export class VpnConfig {
if (!config.serverPublicKey) {
throw new Error('VpnConfig: serverPublicKey is required');
}
// Noise IK requires client keypair
if (!config.clientPrivateKey) {
throw new Error('VpnConfig: clientPrivateKey is required for Noise IK authentication');
}
VpnConfig.validateBase64Key(config.clientPrivateKey, 'clientPrivateKey');
if (!config.clientPublicKey) {
throw new Error('VpnConfig: clientPublicKey is required for Noise IK authentication');
}
VpnConfig.validateBase64Key(config.clientPublicKey, 'clientPublicKey');
}
if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) {
throw new Error('VpnConfig: mtu must be between 576 and 65535');
@@ -116,6 +125,18 @@ export class VpnConfig {
if (!VpnConfig.isValidSubnet(config.subnet)) {
throw new Error(`VpnConfig: invalid subnet: ${config.subnet}`);
}
// Validate client entries if provided
if (config.clients) {
for (const client of config.clients) {
if (!client.clientId) {
throw new Error('VpnConfig: client entry must have a clientId');
}
if (!client.publicKey) {
throw new Error(`VpnConfig: client '${client.clientId}' must have a publicKey`);
}
VpnConfig.validateBase64Key(client.publicKey, `client '${client.clientId}' publicKey`);
}
}
}
if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) {
throw new Error('VpnConfig: mtu must be between 576 and 65535');