push.rocks/smartvpn
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: push.rocks/smartvpn:v1.18.0
Branches Tags
push.rocks/smartvpn:main
push.rocks/smartvpn:v1.20.0 push.rocks/smartvpn:v1.19.4 push.rocks/smartvpn:v1.19.3 push.rocks/smartvpn:v1.19.2 push.rocks/smartvpn:v1.19.1 push.rocks/smartvpn:v1.19.0 push.rocks/smartvpn:v1.18.0 push.rocks/smartvpn:v1.17.1 push.rocks/smartvpn:v1.17.0 push.rocks/smartvpn:v1.16.5 push.rocks/smartvpn:v1.16.4 push.rocks/smartvpn:v1.16.3 push.rocks/smartvpn:v1.16.2 push.rocks/smartvpn:v1.16.1 push.rocks/smartvpn:v1.16.0 push.rocks/smartvpn:v1.15.0 push.rocks/smartvpn:v1.14.0 push.rocks/smartvpn:v1.13.0 push.rocks/smartvpn:v1.12.0 push.rocks/smartvpn:v1.11.0 push.rocks/smartvpn:v1.10.2 push.rocks/smartvpn:v1.10.1 push.rocks/smartvpn:v1.10.0 push.rocks/smartvpn:v1.9.0 push.rocks/smartvpn:v1.8.0 push.rocks/smartvpn:v1.7.0 push.rocks/smartvpn:v1.6.0 push.rocks/smartvpn:v1.5.0 push.rocks/smartvpn:v1.4.1 push.rocks/smartvpn:v1.4.0 push.rocks/smartvpn:v1.3.0 push.rocks/smartvpn:v1.2.0 push.rocks/smartvpn:v1.1.0 push.rocks/smartvpn:v1.0.3 push.rocks/smartvpn:v1.0.2 push.rocks/smartvpn:v1.0.1
...
compare: push.rocks/smartvpn:v1.19.4
Branches Tags
push.rocks/smartvpn:main
push.rocks/smartvpn:v1.20.0 push.rocks/smartvpn:v1.19.4 push.rocks/smartvpn:v1.19.3 push.rocks/smartvpn:v1.19.2 push.rocks/smartvpn:v1.19.1 push.rocks/smartvpn:v1.19.0 push.rocks/smartvpn:v1.18.0 push.rocks/smartvpn:v1.17.1 push.rocks/smartvpn:v1.17.0 push.rocks/smartvpn:v1.16.5 push.rocks/smartvpn:v1.16.4 push.rocks/smartvpn:v1.16.3 push.rocks/smartvpn:v1.16.2 push.rocks/smartvpn:v1.16.1 push.rocks/smartvpn:v1.16.0 push.rocks/smartvpn:v1.15.0 push.rocks/smartvpn:v1.14.0 push.rocks/smartvpn:v1.13.0 push.rocks/smartvpn:v1.12.0 push.rocks/smartvpn:v1.11.0 push.rocks/smartvpn:v1.10.2 push.rocks/smartvpn:v1.10.1 push.rocks/smartvpn:v1.10.0 push.rocks/smartvpn:v1.9.0 push.rocks/smartvpn:v1.8.0 push.rocks/smartvpn:v1.7.0 push.rocks/smartvpn:v1.6.0 push.rocks/smartvpn:v1.5.0 push.rocks/smartvpn:v1.4.1 push.rocks/smartvpn:v1.4.0 push.rocks/smartvpn:v1.3.0 push.rocks/smartvpn:v1.2.0 push.rocks/smartvpn:v1.1.0 push.rocks/smartvpn:v1.0.3 push.rocks/smartvpn:v1.0.2 push.rocks/smartvpn:v1.0.1

10 Commits
v1.18.0 ... v1.19.4

Author SHA1 Message Date
jkunz 10f9c2e609 v1.19.4 2026-05-12 23:08:13 +00:00
jkunz 3c515c7d7f fix(rust-wireguard): keep WireGuard peer registration and client state in sync 2026-05-12 23:08:11 +00:00
jkunz 773eb6426e v1.19.3 2026-05-12 22:22:51 +00:00
jkunz c520220df2 fix(release): update release config schema, bump dependencies, and refresh runtime documentation 2026-05-12 22:22:14 +00:00
jkunz f8bdb991c8 v1.19.2 2026-04-06 10:15:37 +00:00
jkunz d4bad38908 fix(server): clean up bridge and hybrid shutdown handling 2026-04-06 10:15:37 +00:00
jkunz a293986d6d v1.19.1 2026-04-01 03:58:10 +00:00
jkunz 96a3159c5d fix(rust): clean up unused Rust warnings in bridge, network, and server modules 2026-04-01 03:58:10 +00:00
jkunz 3f40506246 v1.19.0 2026-04-01 03:47:26 +00:00
jkunz 180282ba86 feat(forwarding): add hybrid forwarding mode with per-client bridge and VLAN settings 2026-04-01 03:47:26 +00:00
13 changed files with 2919 additions and 2931 deletions
Expand all files Collapse all files
.smartconfig.json
+14 -8
View File
@@ -26,11 +26,17 @@
]
},
"release": {
"registries": [
"https://verdaccio.lossless.digital",
"https://registry.npmjs.org"
],
"accessLevel": "public"
}
}
}
"targets": {
"npm": {
"registries": [
"https://verdaccio.lossless.digital",
"https://registry.npmjs.org"
],
"accessLevel": "public"
}
}
},
"schemaVersion": 2
},
"@ship.zone/szci": {}
}
changelog.md
+47 -1
View File
@@ -1,5 +1,51 @@
# Changelog
## Pending
## 2026-05-12 - 1.19.4
### Fixes
- keep WireGuard peer registration and client state in sync (rust-wireguard)
- index WireGuard public keys in the client registry for duplicate detection and direct lookup
- skip inactive clients when loading or adding WireGuard peers and fail fast when peer registration cannot be completed
- make IP reservation idempotent for the same client and avoid releasing WireGuard-assigned IPs on disconnect
- roll back client registry and peer state when WireGuard peer creation or key rotation fails
- update hybrid routing entries when registered client networking flags change
## 2026-05-12 - 1.19.3
### Fixes
- update release config schema, bump dependencies, and refresh runtime documentation (release)
- migrates .smartconfig.json release settings to the targets-based schema with schemaVersion 2
- bumps runtime and development dependencies including smartnftables and smartrust
- clarifies README details for custom Rust binaries, transport behavior, runtime events, and protocol frame types
## 2026-04-06 - 1.19.2 - fix(server)
clean up bridge and hybrid shutdown handling
- persist bridge teardown metadata so stop() can restore host IP configuration and remove the bridge in bridge and hybrid modes
- use separate shutdown channels for hybrid socket and bridge engines to stop both forwarding paths correctly
- avoid IP pool leaks when client registration fails and ignore unspecified IPv4 addresses when selecting WireGuard peer addresses
- make daemon bridge stop await nftables cleanup and process exit, and cap effective tunnel MTU to the link MTU
## 2026-04-01 - 1.19.1 - fix(rust)
clean up unused Rust warnings in bridge, network, and server modules
- remove the unused error import from the bridge module
- mark IpPool.prefix_len as intentionally unused to suppress dead code warnings
- rename the unused socket shutdown sender binding in the server to an underscore-prefixed variable
## 2026-04-01 - 1.19.0 - feat(forwarding)
add hybrid forwarding mode with per-client bridge and VLAN settings
- introduces a new hybrid forwarding mode that routes each client through either userspace NAT or bridge mode based on per-client configuration
- adds per-client bridge options including useHostIp, DHCP, static LAN IP, and VLAN assignment fields to the server and TypeScript interfaces
- adds Linux bridge VLAN helper functions and updates documentation to cover hybrid mode and VLAN-capable bridge clients
## 2026-03-31 - 1.18.0 - feat(server)
add bridge forwarding mode and per-client destination policy overrides
@@ -222,4 +268,4 @@ bump patch version (no code changes)
Initial commit creating the project repository and baseline files.
- Initial project scaffold and configuration
- Repository initialized with base files and metadata
- Repository initialized with base files and metadata
package.json
+8 -8
View File
@@ -1,6 +1,6 @@
{
"name": "@push.rocks/smartvpn",
"version": "1.18.0",
"version": "1.19.4",
"private": false,
"description": "A VPN solution with TypeScript control plane and Rust data plane daemon",
"type": "module",
@@ -29,16 +29,16 @@
],
"license": "MIT",
"dependencies": {
"@push.rocks/smartnftables": "1.1.0",
"@push.rocks/smartnftables": "1.2.0",
"@push.rocks/smartpath": "^6.0.0",
"@push.rocks/smartrust": "^1.3.2"
"@push.rocks/smartrust": "^1.4.0"
},
"devDependencies": {
"@git.zone/tsbuild": "^4.4.0",
"@git.zone/tsrun": "^2.0.2",
"@git.zone/tsrust": "^1.3.2",
"@git.zone/tstest": "^3.6.3",
"@types/node": "^25.5.0"
"@git.zone/tsbuild": "^4.4.1",
"@git.zone/tsrun": "^2.0.4",
"@git.zone/tsrust": "^1.3.4",
"@git.zone/tstest": "^3.6.6",
"@types/node": "^25.7.0"
},
"files": [
"ts/**/*",
pnpm-lock.yaml
Generated
+2134 -2808
View File
File diff suppressed because it is too large Load Diff
readme.md
+89 -45
View File
@@ -2,17 +2,19 @@
A high-performance VPN solution with a **TypeScript control plane** and a **Rust data plane daemon**. Enterprise-ready client authentication, triple transport support (WebSocket + QUIC + WireGuard), and a typed hub API for managing clients from code.
🔐 **Noise IK** mutual authentication — per-client X25519 keypairs, server-side registry
🚀 **Triple transport**: WebSocket (Cloudflare-friendly), raw **QUIC** (datagrams), and **WireGuard** (standard protocol)
🛡️ **ACL engine** — deny-overrides-allow IP filtering, aligned with SmartProxy conventions
🔀 **PROXY protocol v2** — real client IPs behind reverse proxies (HAProxy, SmartProxy, Cloudflare Spectrum)
📊 **Per-transport metrics**: active clients and total connections broken down by websocket, QUIC, and WireGuard
🔄 **Hub API**: one `createClient()` call generates keys, assigns IP, returns both SmartVPN + WireGuard configs
📡 **Real-time telemetry**: RTT, jitter, loss ratio, link health — all via typed APIs
🌐 **Unified forwarding pipeline**: all transports share the same engine — TUN (kernel), userspace NAT (no root), L2 bridge, or testing mode
🏠 **Bridge mode**: VPN clients get IPs from your LAN subnet — seamlessly bridge remote clients onto a physical network
🎯 **Destination routing policy**: force-target, block, or allow traffic per destination with nftables integration
**Handshake-driven WireGuard state**: peers appear as "connected" only after a successful WireGuard handshake, and auto-disconnect on idle timeout
- 🔐 **Noise IK** mutual authentication — per-client X25519 keypairs, server-side registry
- 🚀 **Triple transport**: WebSocket (Cloudflare-friendly), raw **QUIC** (datagrams), and **WireGuard** (standard protocol)
- 🛡️ **ACL engine** — deny-overrides-allow IP filtering, aligned with SmartProxy conventions
- 🔀 **PROXY protocol v2** — real client IPs behind reverse proxies (HAProxy, SmartProxy, Cloudflare Spectrum)
- 📊 **Per-transport metrics**: active clients and total connections broken down by websocket, QUIC, and WireGuard
- 🔄 **Hub API**: one `createClient()` call generates keys, assigns IP, returns both SmartVPN + WireGuard configs
- 📡 **Real-time telemetry**: RTT, jitter, loss ratio, link health — all via typed APIs
- 🌐 **Unified forwarding pipeline**: all transports share the same engine — TUN (kernel), userspace NAT (no root), L2 bridge, hybrid, or testing mode
- 🏠 **Bridge mode**: VPN clients get IPs from your LAN subnet — seamlessly bridge remote clients onto a physical network
- 🔀 **Hybrid mode**: per-client routing — some clients bridge to the LAN, others use userspace NAT, all on the same server
- 🏷️ **VLAN support**: assign individual clients to 802.1Q VLANs on the bridge
- 🎯 **Destination routing policy**: force-target, block, or allow traffic per destination with nftables integration
-**Handshake-driven WireGuard state**: peers appear as "connected" only after a successful WireGuard handshake, and auto-disconnect on idle timeout
## Issue Reporting and Security
@@ -22,11 +24,9 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
```bash
pnpm install @push.rocks/smartvpn
# or
npm install @push.rocks/smartvpn
```
The package ships with pre-compiled Rust binaries for **linux/amd64** and **linux/arm64**. No Rust toolchain required at runtime.
The package ships with pre-compiled Rust binaries for **linux/amd64** and **linux/arm64**. No Rust toolchain is required at runtime. Set `SMARTVPN_RUST_BINARY` if you want the TypeScript bridge to use a custom daemon binary.
## Architecture 🏗️
@@ -35,7 +35,7 @@ The package ships with pre-compiled Rust binaries for **linux/amd64** and **linu
│ TypeScript Control Plane │ ◄─────────────────────► │ Rust Data Plane Daemon │
│ │ stdio or Unix sock │ │
│ VpnServer / VpnClient │ │ Noise IK handshake │
│ Typed IPC commands │ │ XChaCha20-Poly1305
│ Typed IPC commands │ │ Noise transport encryption
│ Config validation │ │ WS + QUIC + WireGuard │
│ Hub: client management │ │ TUN device, IP pool, NAT │
│ WireGuard .conf generation │ │ Rate limiting, ACLs, QoS │
@@ -43,7 +43,7 @@ The package ships with pre-compiled Rust binaries for **linux/amd64** and **linu
└──────────────────────────────┘ └───────────────────────────────┘
```
**Split-plane design** — TypeScript handles orchestration, config, and DX; Rust handles every hot-path byte with zero-copy async I/O (tokio, mimalloc).
**Split-plane design** — TypeScript handles orchestration, config, and DX; Rust handles the hot path with async I/O, framed packet codecs, and the Noise transport state after authentication.
### IPC Transport Modes
@@ -85,7 +85,7 @@ await server.start({
publicKey: '<server-noise-public-key-base64>',
subnet: '10.8.0.0/24',
transportMode: 'all', // WebSocket + QUIC + WireGuard simultaneously (default)
forwardingMode: 'tun', // 'tun' | 'socket' | 'bridge' | 'testing'
forwardingMode: 'tun', // 'tun' | 'socket' | 'bridge' | 'hybrid' | 'testing'
wgPrivateKey: '<server-wg-private-key-base64>', // required for WireGuard transport
enableNat: true,
dns: ['1.1.1.1', '8.8.8.8'],
@@ -140,7 +140,7 @@ Every client authenticates with a **Noise IK handshake** (`Noise_IK_25519_ChaCha
| **QUIC** | UDP (via quinn) | Low latency, datagram support for IP packets |
| **WireGuard** | UDP (via boringtun) | Standard WG clients (iOS, Android, wg-quick) |
The server runs **all three simultaneously** by default with `transportMode: 'all'`. All transports share the same unified forwarding pipeline (`ForwardingEngine`), IP pool, client registry, and stats — so WireGuard peers get the same userspace NAT, rate limiting, and monitoring as WS/QUIC clients. Clients auto-negotiate with `transport: 'auto'` (tries QUIC first, falls back to WS).
The server runs with `transportMode: 'all'` by default: WebSocket and QUIC are enabled, and WireGuard joins the same server when `wgPrivateKey` is configured. All server transports share the same forwarding pipeline (`ForwardingEngine`), IP pool, client registry, and statistics, so WireGuard peers can use the same userspace NAT, bridge/hybrid routing, and monitoring model as WS/QUIC clients. Native SmartVPN clients auto-negotiate with `transport: 'auto'` (tries QUIC first, falls back to WS).
### 📊 Per-Transport Metrics
@@ -267,13 +267,14 @@ await server.start({
### 📦 Packet Forwarding Modes
SmartVPN supports four forwarding modes, configurable per-server and per-client:
SmartVPN supports five forwarding modes, configurable per-server:
| Mode | Flag | Description | Root Required |
|------|------|-------------|---------------|
| **TUN** | `'tun'` | Kernel TUN device — real packet forwarding with system routing | ✅ Yes |
| **Userspace NAT** | `'socket'` | Userspace TCP/UDP proxy via `connect(2)` — no TUN, no root needed | ❌ No |
| **Bridge** | `'bridge'` | L2 bridge — VPN clients get IPs from a physical LAN subnet | ✅ Yes |
| **Hybrid** | `'hybrid'` | Per-client routing: some clients use socket NAT, others use bridge — both engines run simultaneously | ✅ Yes |
| **Testing** | `'testing'` | Monitoring only — packets are counted but not forwarded | ❌ No |
```typescript
@@ -294,6 +295,13 @@ await server.start({
bridgeIpRangeEnd: 250,
});
// Server with hybrid mode — per-client routing
await server.start({
// ...
forwardingMode: 'hybrid',
bridgePhysicalInterface: 'eth0', // for bridge clients
});
// Client with TUN device
const { assignedIp } = await client.connect({
// ...
@@ -305,6 +313,52 @@ The **userspace NAT** mode extracts destination IP/port from IP packets, opens a
The **bridge** mode assigns VPN clients IPs from a real LAN subnet instead of a virtual VPN subnet. Clients appear as if they're directly on the physical network — perfect for remote access to home labs, office networks, or IoT devices.
The **hybrid** mode runs both engines simultaneously with a **per-client routing table**. Each client's `useHostIp` flag determines whether its packets go through the bridge (L2, LAN IP) or socket NAT (userspace, VPN IP). This is ideal when most clients need internet NAT but some need direct LAN access.
### 🏠 Per-Client Bridge & VLAN Settings
When using `bridge` or `hybrid` mode, each client can be individually configured for LAN bridging, static IPs, DHCP, and 802.1Q VLAN assignment:
```typescript
// Client that bridges to the LAN with a static IP
await server.createClient({
clientId: 'office-printer',
useHostIp: true, // bridge to LAN instead of VPN subnet
staticIp: '192.168.1.210', // fixed LAN IP
});
// Client that gets a LAN IP via DHCP
await server.createClient({
clientId: 'roaming-laptop',
useHostIp: true,
useDhcp: true, // obtain IP from LAN DHCP server
});
// Client on a specific VLAN
await server.createClient({
clientId: 'iot-sensor',
useHostIp: true,
forceVlan: true,
vlanId: 100, // 802.1Q VLAN ID (1-4094)
});
// Regular NAT client (default, no bridge)
await server.createClient({
clientId: 'remote-worker',
// useHostIp defaults to false → uses socket NAT
});
```
| Field | Type | Description |
|-------|------|-------------|
| `useHostIp` | `boolean` | `true` = bridge to LAN (host IP), `false` = VPN subnet via NAT (default) |
| `useDhcp` | `boolean` | When `useHostIp` is true, obtain IP via DHCP relay instead of static/auto-assign |
| `staticIp` | `string` | Fixed LAN IP when `useHostIp` is true and `useDhcp` is false |
| `forceVlan` | `boolean` | Assign this client to a specific 802.1Q VLAN on the bridge |
| `vlanId` | `number` | VLAN ID (1-4094), required when `forceVlan` is true |
VLAN support uses Linux bridge VLAN filtering — each client's TAP port gets tagged with the specified VLAN ID, isolating traffic at Layer 2.
### 📊 Telemetry & QoS
- **Connection quality**: Smoothed RTT, jitter, min/max RTT, loss ratio, link health (`healthy` / `degraded` / `critical`)
@@ -425,37 +479,23 @@ const unit = VpnInstaller.generateServiceUnit({
You can also call `generateSystemdUnit()` or `generateLaunchdPlist()` directly for platform-specific options like custom descriptions.
### 📢 Events
### 📢 Runtime Events
Both `VpnServer` and `VpnClient` extend `EventEmitter` and emit typed events:
`VpnServer` and `VpnClient` extend `EventEmitter`. The high-level wrappers currently forward bridge lifecycle events:
```typescript
server.on('client-connected', (info: IVpnClientInfo) => {
console.log(`${info.registeredClientId} connected from ${info.remoteAddr} via ${info.transportType}`);
});
server.on('client-disconnected', ({ clientId, reason }) => {
console.log(`${clientId} disconnected: ${reason}`);
});
client.on('status', (status: IVpnStatus) => {
console.log(`State: ${status.state}, IP: ${status.assignedIp}`);
});
// Both server and client emit:
server.on('exit', ({ code, signal }) => { /* daemon process exited */ });
server.on('reconnected', () => { /* socket transport reconnected */ });
client.on('exit', ({ code, signal }) => { /* daemon process exited */ });
```
| Event | Emitted By | Payload |
|-------|-----------|---------|
| `status` | Both | `IVpnStatus` — connection state changes |
| `error` | Both | `{ message, code? }` |
| `client-connected` | Server | `IVpnClientInfo` — full client info including transport type |
| `client-disconnected` | Server | `{ clientId, reason? }` |
| `exit` | Both | `{ code, signal }` — daemon process exited |
| `reconnected` | Both | `void` — socket transport reconnected |
For connection state and telemetry, use `getStatus()`, `getStatistics()`, `listClients()`, and `getClientTelemetry()`.
## API Reference 📖
### Classes
@@ -473,9 +513,9 @@ server.on('reconnected', () => { /* socket transport reconnected */ });
| Interface | Purpose |
|-----------|---------|
| `IVpnServerConfig` | Server configuration (listen addr, keys, subnet, transport mode, forwarding mode incl. bridge, clients, proxy protocol, destination policy) |
| `IVpnServerConfig` | Server configuration (listen addr, keys, subnet, transport mode, forwarding mode incl. bridge/hybrid, clients, proxy protocol, destination policy) |
| `IVpnClientConfig` | Client configuration (server URL, keys, transport, forwarding mode, WG options, client-defined tags) |
| `IClientEntry` | Server-side client definition (ID, keys, security, priority, server/client tags, expiry) |
| `IClientEntry` | Server-side client definition (ID, keys, security, priority, server/client tags, expiry, bridge/VLAN settings) |
| `IClientSecurity` | Per-client ACLs, rate limits, and destination policy override (SmartProxy-aligned naming) |
| `IClientRateLimit` | Rate limiting config (bytesPerSec, burstBytes) |
| `IClientConfigBundle` | Full config bundle returned by `createClient()` — includes SmartVPN config, WireGuard .conf, and secrets |
@@ -485,7 +525,7 @@ server.on('reconnected', () => { /* socket transport reconnected */ });
| `IVpnMtuInfo` | TUN MTU, effective MTU, overhead bytes, oversized packet stats |
| `IVpnKeypair` | Base64-encoded public/private key pair |
| `IDestinationPolicy` | Destination routing policy (forceTarget / block / allow with allow/block lists) |
| `IVpnEventMap` | Typed event map for server and client EventEmitter |
| `IVpnEventMap` | Exported event payload shapes for lifecycle and daemon event integrations |
### Server IPC Commands
@@ -544,8 +584,8 @@ All transport modes share the same `forwardingMode` — WireGuard peers can use
// Explicit QUIC with certificate pinning
{ transport: 'quic', serverUrl: '1.2.3.4:4433', serverCertHash: '<sha256-base64>' }
// WireGuard
{ transport: 'wireguard', wgPrivateKey: '...', wgEndpoint: 'vpn.example.com:51820', ... }
// WireGuard clients use the standard .conf returned by createClient()
// or generated via WgConfigGenerator.
```
## Cryptography 🔑
@@ -554,7 +594,7 @@ All transport modes share the same `forwardingMode` — WireGuard peers can use
|-------|-----------|---------|
| **Handshake** | Noise IK (X25519 + ChaChaPoly + BLAKE2s) | Mutual authentication + key exchange |
| **Transport** | Noise transport state (ChaChaPoly) | All post-handshake data encryption |
| **Additional** | XChaCha20-Poly1305 | Extended nonce space for data-at-rest |
| **Utility** | XChaCha20-Poly1305 helper | Nonce-safe symmetric encryption helper in the Rust crypto module |
| **WireGuard** | X25519 + ChaCha20-Poly1305 (via boringtun) | Standard WireGuard crypto |
## Binary Protocol 📡
@@ -568,6 +608,9 @@ All frames use `[type:1B][length:4B][payload:NB]` with a 64KB max payload:
| IpPacket | `0x10` | Bidirectional | Encrypted tunnel data |
| Keepalive | `0x20` | Client → Server | App-level keepalive (not WS ping) |
| KeepaliveAck | `0x21` | Server → Client | Keepalive response with RTT payload |
| SessionResume | `0x30` | Client → Server | Session resume attempt |
| SessionResumeOk | `0x31` | Server → Client | Session resume accepted |
| SessionResumeErr | `0x32` | Server → Client | Session resume rejected |
| Disconnect | `0x3F` | Bidirectional | Graceful disconnect |
## Development 🛠️
@@ -618,6 +661,7 @@ smartvpn/
│ ├── transport_trait.rs # Transport abstraction (Sink/Stream)
│ ├── quic_transport.rs # QUIC transport
│ ├── wireguard.rs # WireGuard (boringtun)
│ ├── bridge.rs # Linux bridge/TAP integration
│ ├── codec.rs # Binary frame protocol
│ ├── keepalive.rs # Adaptive keepalives
│ ├── ratelimit.rs # Token bucket
@@ -635,7 +679,7 @@ smartvpn/
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license.md](./license.md) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
rust/src/bridge.rs
+45 -1
View File
@@ -13,7 +13,7 @@ use std::net::Ipv4Addr;
use std::sync::Arc;
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::sync::mpsc;
use tracing::{debug, error, info, warn};
use tracing::{debug, info, warn};
use crate::server::ServerState;
@@ -225,6 +225,50 @@ pub async fn enable_proxy_arp(iface: &str) -> Result<()> {
Ok(())
}
// ============================================================================
// VLAN support (802.1Q via Linux bridge VLAN filtering)
// ============================================================================
async fn run_bridge_cmd(args: &[&str]) -> Result<String> {
let output = tokio::process::Command::new("bridge")
.args(args)
.output()
.await?;
if !output.status.success() {
let stderr = String::from_utf8_lossy(&output.stderr);
anyhow::bail!("bridge {} failed: {}", args.join(" "), stderr.trim());
}
Ok(String::from_utf8_lossy(&output.stdout).to_string())
}
/// Enable VLAN filtering on a bridge.
pub async fn enable_vlan_filtering(bridge: &str) -> Result<()> {
run_ip_cmd(&["link", "set", bridge, "type", "bridge", "vlan_filtering", "1"]).await?;
info!("Enabled VLAN filtering on bridge {}", bridge);
Ok(())
}
/// Add a VLAN ID to a bridge port (TAP or physical interface).
/// `pvid` = set as port VLAN ID (untagged ingress), `untagged` = strip tag on egress.
pub async fn add_vlan_to_port(port: &str, vlan_id: u16, pvid: bool, untagged: bool) -> Result<()> {
let mut args = vec!["vlan", "add", "dev", port, "vid"];
let vid_str = vlan_id.to_string();
args.push(&vid_str);
if pvid { args.push("pvid"); }
if untagged { args.push("untagged"); }
run_bridge_cmd(&args).await?;
info!("Added VLAN {} to port {} (pvid={}, untagged={})", vlan_id, port, pvid, untagged);
Ok(())
}
/// Remove a VLAN ID from a bridge port.
pub async fn remove_vlan_from_port(port: &str, vlan_id: u16) -> Result<()> {
let vid_str = vlan_id.to_string();
run_bridge_cmd(&["vlan", "del", "dev", port, "vid", &vid_str]).await?;
info!("Removed VLAN {} from port {}", vlan_id, port);
Ok(())
}
/// Create a TAP device (L2) using the tun crate.
pub fn create_tap(name: &str, mtu: u16) -> Result<tun::AsyncDevice> {
let mut config = tun::Configuration::default();
rust/src/client_registry.rs
+89 -1
View File
@@ -60,6 +60,19 @@ pub struct ClientEntry {
pub expires_at: Option<String>,
/// Assigned VPN IP address.
pub assigned_ip: Option<String>,
// Per-client bridge/host-IP settings
/// If true, client gets a host network IP via bridge mode.
pub use_host_ip: Option<bool>,
/// If true and use_host_ip is true, obtain IP via DHCP relay.
pub use_dhcp: Option<bool>,
/// Static LAN IP when use_host_ip is true and use_dhcp is false.
pub static_ip: Option<String>,
/// If true, assign this client to a specific 802.1Q VLAN.
pub force_vlan: Option<bool>,
/// 802.1Q VLAN ID (1-4094).
pub vlan_id: Option<u16>,
}
impl ClientEntry {
@@ -85,6 +98,8 @@ pub struct ClientRegistry {
entries: HashMap<String, ClientEntry>,
/// Secondary index: publicKey (base64) → clientId (fast lookup during handshake)
key_index: HashMap<String, String>,
/// WireGuard public key → clientId (fast lookup during WG handshakes)
wg_key_index: HashMap<String, String>,
/// Tertiary index: assignedIp → clientId (fast lookup during NAT destination policy)
ip_index: HashMap<String, String>,
}
@@ -94,6 +109,7 @@ impl ClientRegistry {
Self {
entries: HashMap::new(),
key_index: HashMap::new(),
wg_key_index: HashMap::new(),
ip_index: HashMap::new(),
}
}
@@ -119,6 +135,12 @@ impl ClientRegistry {
if self.key_index.contains_key(&entry.public_key) {
anyhow::bail!("Public key already registered to another client");
}
if let Some(ref wg_key) = entry.wg_public_key {
if self.wg_key_index.contains_key(wg_key) {
anyhow::bail!("WireGuard public key already registered to another client");
}
self.wg_key_index.insert(wg_key.clone(), entry.client_id.clone());
}
self.key_index.insert(entry.public_key.clone(), entry.client_id.clone());
if let Some(ref ip) = entry.assigned_ip {
self.ip_index.insert(ip.clone(), entry.client_id.clone());
@@ -132,6 +154,9 @@ impl ClientRegistry {
let entry = self.entries.remove(client_id)
.ok_or_else(|| anyhow::anyhow!("Client '{}' not found", client_id))?;
self.key_index.remove(&entry.public_key);
if let Some(ref wg_key) = entry.wg_public_key {
self.wg_key_index.remove(wg_key);
}
if let Some(ref ip) = entry.assigned_ip {
self.ip_index.remove(ip);
}
@@ -149,6 +174,12 @@ impl ClientRegistry {
self.entries.get(client_id)
}
/// Get a client by WireGuard public key.
pub fn get_by_wg_key(&self, public_key: &str) -> Option<&ClientEntry> {
let client_id = self.wg_key_index.get(public_key)?;
self.entries.get(client_id)
}
/// Get a client by assigned IP (used for per-client destination policy in NAT engine).
pub fn get_by_assigned_ip(&self, ip: &str) -> Option<&ClientEntry> {
let client_id = self.ip_index.get(ip)?;
@@ -171,6 +202,7 @@ impl ClientRegistry {
let entry = self.entries.get_mut(client_id)
.ok_or_else(|| anyhow::anyhow!("Client '{}' not found", client_id))?;
let old_key = entry.public_key.clone();
let old_wg_key = entry.wg_public_key.clone();
let old_ip = entry.assigned_ip.clone();
updater(entry);
// If public key changed, update the key index
@@ -178,6 +210,15 @@ impl ClientRegistry {
self.key_index.remove(&old_key);
self.key_index.insert(entry.public_key.clone(), client_id.to_string());
}
// If WireGuard public key changed, update the WG key index.
if entry.wg_public_key != old_wg_key {
if let Some(ref old) = old_wg_key {
self.wg_key_index.remove(old);
}
if let Some(ref new_key) = entry.wg_public_key {
self.wg_key_index.insert(new_key.clone(), client_id.to_string());
}
}
// If assigned IP changed, update the IP index
if entry.assigned_ip != old_ip {
if let Some(ref old) = old_ip {
@@ -197,13 +238,32 @@ impl ClientRegistry {
/// Rotate a client's keys. Returns the updated entry.
pub fn rotate_key(&mut self, client_id: &str, new_public_key: String, new_wg_public_key: Option<String>) -> Result<()> {
if let Some(existing_client_id) = self.key_index.get(&new_public_key) {
if existing_client_id != client_id {
anyhow::bail!("Public key already registered to another client");
}
}
if let Some(ref new_wg_key) = new_wg_public_key {
if let Some(existing_client_id) = self.wg_key_index.get(new_wg_key) {
if existing_client_id != client_id {
anyhow::bail!("WireGuard public key already registered to another client");
}
}
}
let entry = self.entries.get_mut(client_id)
.ok_or_else(|| anyhow::anyhow!("Client '{}' not found", client_id))?;
// Update key index
self.key_index.remove(&entry.public_key);
if let Some(ref old_wg_key) = entry.wg_public_key {
self.wg_key_index.remove(old_wg_key);
}
entry.public_key = new_public_key.clone();
entry.wg_public_key = new_wg_public_key;
self.key_index.insert(new_public_key, client_id.to_string());
if let Some(ref wg_key) = entry.wg_public_key {
self.wg_key_index.insert(wg_key.clone(), client_id.to_string());
}
Ok(())
}
@@ -236,6 +296,11 @@ mod tests {
description: None,
expires_at: None,
assigned_ip: None,
use_host_ip: None,
use_dhcp: None,
static_ip: None,
force_vlan: None,
vlan_id: None,
}
}
@@ -349,13 +414,36 @@ mod tests {
let mut reg = ClientRegistry::new();
reg.add(make_entry("alice", "old_key")).unwrap();
reg.rotate_key("alice", "new_key".to_string(), None).unwrap();
reg.rotate_key("alice", "new_key".to_string(), Some("new_wg_key".to_string())).unwrap();
assert!(reg.get_by_key("old_key").is_none());
assert!(reg.get_by_key("new_key").is_some());
assert!(reg.get_by_wg_key("new_wg_key").is_some());
assert_eq!(reg.get_by_id("alice").unwrap().public_key, "new_key");
}
#[test]
fn lookup_by_wireguard_key() {
let mut reg = ClientRegistry::new();
let mut entry = make_entry("alice", "key_alice");
entry.wg_public_key = Some("wg_key_alice".to_string());
reg.add(entry).unwrap();
assert_eq!(reg.get_by_wg_key("wg_key_alice").unwrap().client_id, "alice");
}
#[test]
fn reject_duplicate_wireguard_key() {
let mut reg = ClientRegistry::new();
let mut alice = make_entry("alice", "key_alice");
alice.wg_public_key = Some("same_wg_key".to_string());
let mut bob = make_entry("bob", "key_bob");
bob.wg_public_key = Some("same_wg_key".to_string());
reg.add(alice).unwrap();
assert!(reg.add(bob).is_err());
}
#[test]
fn from_entries() {
let entries = vec![
rust/src/network.rs
+15 -1
View File
@@ -8,6 +8,7 @@ pub struct IpPool {
/// Network address (e.g., 10.8.0.0)
network: Ipv4Addr,
/// Prefix length (e.g., 24)
#[allow(dead_code)]
prefix_len: u8,
/// Allocated IPs: IP -> client_id
allocated: HashMap<Ipv4Addr, String>,
@@ -123,7 +124,10 @@ impl IpPool {
/// Reserve a specific IP for a client (e.g., WireGuard static IP from allowed_ips).
pub fn reserve(&mut self, ip: Ipv4Addr, client_id: &str) -> Result<()> {
if self.allocated.contains_key(&ip) {
if let Some(existing_client_id) = self.allocated.get(&ip) {
if existing_client_id == client_id {
return Ok(());
}
anyhow::bail!("IP {} is already allocated", ip);
}
self.allocated.insert(ip, client_id.to_string());
@@ -232,6 +236,16 @@ mod tests {
assert!(pool.allocate("client2").is_err());
}
#[test]
fn ip_pool_reserve_is_idempotent_for_same_client() {
let mut pool = IpPool::new("10.9.0.0/24").unwrap();
let ip = pool.allocate("alice").unwrap();
pool.reserve(ip, "alice").unwrap();
assert_eq!(pool.allocated_count(), 1);
assert!(pool.reserve(ip, "bob").is_err());
}
#[test]
fn ip_pool_invalid_subnet() {
assert!(IpPool::new("invalid").is_err());
rust/src/server.rs
+338 -29
View File
@@ -161,10 +161,26 @@ pub enum ForwardingEngine {
Socket(mpsc::Sender<Vec<u8>>),
/// L2 Bridge — packets sent to BridgeEngine via channel, bridged to host LAN.
Bridge(mpsc::Sender<Vec<u8>>),
/// Hybrid — both socket NAT and bridge engines running simultaneously.
/// Per-client routing: look up src_ip in routing_table to decide socket vs bridge.
Hybrid {
socket_tx: mpsc::Sender<Vec<u8>>,
bridge_tx: mpsc::Sender<Vec<u8>>,
/// Fast lookup: VPN IP → true if client uses bridge (host IP), false for socket.
routing_table: Arc<RwLock<HashMap<Ipv4Addr, bool>>>,
},
/// Testing/monitoring — packets are counted but not forwarded.
Testing,
}
/// Info needed to tear down bridge infrastructure on stop().
pub struct BridgeCleanupInfo {
pub physical_iface: String,
pub bridge_name: String,
pub host_ip: Ipv4Addr,
pub host_prefix: u8,
}
/// Shared server state.
pub struct ServerState {
pub config: ServerConfig,
@@ -181,6 +197,10 @@ pub struct ServerState {
pub tun_routes: RwLock<HashMap<Ipv4Addr, mpsc::Sender<Vec<u8>>>>,
/// Shutdown signal for the forwarding background task (TUN reader or NAT engine).
pub tun_shutdown: mpsc::Sender<()>,
/// Shutdown signal for the bridge engine (bridge/hybrid modes only).
pub bridge_shutdown: Option<mpsc::Sender<()>>,
/// Bridge teardown info (bridge/hybrid modes only).
pub bridge_cleanup: Option<BridgeCleanupInfo>,
}
/// The VPN server.
@@ -246,9 +266,22 @@ impl VpnServer {
tap_device: tun::AsyncDevice,
shutdown_rx: mpsc::Receiver<()>,
},
Hybrid {
socket_tx: mpsc::Sender<Vec<u8>>,
socket_rx: mpsc::Receiver<Vec<u8>>,
socket_shutdown_rx: mpsc::Receiver<()>,
bridge_tx: mpsc::Sender<Vec<u8>>,
bridge_rx: mpsc::Receiver<Vec<u8>>,
bridge_shutdown_rx: mpsc::Receiver<()>,
tap_device: tun::AsyncDevice,
routing_table: Arc<RwLock<HashMap<Ipv4Addr, bool>>>,
},
Testing,
}
let mut bridge_cleanup_info: Option<BridgeCleanupInfo> = None;
let mut bridge_shut_tx: Option<mpsc::Sender<()>> = None;
let (setup, fwd_shutdown_tx) = match mode {
"tun" => {
let tun_config = TunConfig {
@@ -292,10 +325,65 @@ impl VpnServer {
info!("Bridge {} created: TAP={}, physical={}, IP={}/{}", bridge_name, tap_name, phys_iface, host_ip, host_prefix);
bridge_cleanup_info = Some(BridgeCleanupInfo {
physical_iface: phys_iface,
bridge_name: bridge_name.to_string(),
host_ip,
host_prefix,
});
let (packet_tx, packet_rx) = mpsc::channel::<Vec<u8>>(4096);
let (tx, rx) = mpsc::channel::<()>(1);
(ForwardingSetup::Bridge { packet_tx, packet_rx, tap_device, shutdown_rx: rx }, tx)
}
"hybrid" => {
info!("Starting hybrid forwarding (socket + bridge, per-client routing)");
// Socket engine setup
let (s_tx, s_rx) = mpsc::channel::<Vec<u8>>(4096);
let (s_shut_tx, s_shut_rx) = mpsc::channel::<()>(1);
// Bridge engine setup
let phys_iface = match &config.bridge_physical_interface {
Some(i) => i.clone(),
None => crate::bridge::detect_default_interface().await?,
};
let (host_ip, host_prefix) = crate::bridge::get_interface_ip(&phys_iface).await?;
let bridge_name = "svpn_br0";
let tap_name = "svpn_tap0";
let tap_device = crate::bridge::create_tap(tap_name, link_mtu)?;
crate::bridge::create_bridge(bridge_name).await?;
crate::bridge::set_interface_up(bridge_name).await?;
crate::bridge::bridge_add_interface(bridge_name, tap_name).await?;
crate::bridge::set_interface_up(tap_name).await?;
crate::bridge::bridge_add_interface(bridge_name, &phys_iface).await?;
crate::bridge::migrate_host_ip_to_bridge(&phys_iface, bridge_name, host_ip, host_prefix).await?;
crate::bridge::enable_proxy_arp(bridge_name).await?;
let (b_tx, b_rx) = mpsc::channel::<Vec<u8>>(4096);
let (b_shut_tx, b_shut_rx) = mpsc::channel::<()>(1);
// Build routing table from registered clients
let routing_table = Arc::new(RwLock::new(HashMap::<Ipv4Addr, bool>::new()));
info!("Hybrid mode: socket + bridge (TAP={}, physical={}, IP={}/{})", tap_name, phys_iface, host_ip, host_prefix);
bridge_cleanup_info = Some(BridgeCleanupInfo {
physical_iface: phys_iface,
bridge_name: bridge_name.to_string(),
host_ip,
host_prefix,
});
bridge_shut_tx = Some(b_shut_tx);
// Socket engine uses fwd_shutdown_tx (stored in state.tun_shutdown)
(ForwardingSetup::Hybrid {
socket_tx: s_tx, socket_rx: s_rx, socket_shutdown_rx: s_shut_rx,
bridge_tx: b_tx, bridge_rx: b_rx, bridge_shutdown_rx: b_shut_rx,
tap_device, routing_table,
}, s_shut_tx)
}
_ => {
info!("Forwarding disabled (testing/monitoring mode)");
let (tx, _rx) = mpsc::channel::<()>(1);
@@ -305,7 +393,7 @@ impl VpnServer {
// Compute effective MTU from overhead
let overhead = TunnelOverhead::default_overhead();
let mtu_config = MtuConfig::new(overhead.effective_tun_mtu(1500).max(link_mtu));
let mtu_config = MtuConfig::new(overhead.effective_tun_mtu(1500).min(link_mtu));
// Build client registry from config
let registry = ClientRegistry::from_entries(
@@ -325,6 +413,8 @@ impl VpnServer {
forwarding_engine: Mutex::new(ForwardingEngine::Testing),
tun_routes: RwLock::new(HashMap::new()),
tun_shutdown: fwd_shutdown_tx,
bridge_shutdown: bridge_shut_tx,
bridge_cleanup: bridge_cleanup_info,
});
// Spawn the forwarding background task and set the engine
@@ -363,6 +453,51 @@ impl VpnServer {
}
});
}
ForwardingSetup::Hybrid {
socket_tx, socket_rx, socket_shutdown_rx,
bridge_tx, bridge_rx, bridge_shutdown_rx,
tap_device, routing_table,
} => {
// Populate routing table from registered clients
{
let registry = state.client_registry.read().await;
let mut rt = routing_table.write().await;
for entry in registry.list() {
if let Some(ref ip_str) = entry.assigned_ip {
if let Ok(ip) = ip_str.parse::<Ipv4Addr>() {
rt.insert(ip, entry.use_host_ip.unwrap_or(false));
}
}
}
}
// Start socket (NAT) engine
let proxy_protocol = config.socket_forward_proxy_protocol.unwrap_or(false);
let nat_engine = crate::userspace_nat::NatEngine::new(
gateway_ip,
link_mtu as usize,
state.clone(),
proxy_protocol,
config.destination_policy.clone(),
);
tokio::spawn(async move {
if let Err(e) = nat_engine.run(socket_rx, socket_shutdown_rx).await {
error!("NAT engine error (hybrid): {}", e);
}
});
// Start bridge engine
let bridge_engine = crate::bridge::BridgeEngine::new(state.clone());
tokio::spawn(async move {
if let Err(e) = bridge_engine.run(tap_device, bridge_rx, bridge_shutdown_rx).await {
error!("Bridge engine error (hybrid): {}", e);
}
});
*state.forwarding_engine.lock().await = ForwardingEngine::Hybrid {
socket_tx, bridge_tx, routing_table,
};
}
ForwardingSetup::Testing => {}
}
@@ -449,6 +584,9 @@ impl VpnServer {
if self.wg_command_tx.is_some() {
let registry = state.client_registry.read().await;
for entry in registry.list() {
if !entry.is_enabled() || entry.is_expired() {
continue;
}
if let (Some(ref wg_key), Some(ref ip_str)) = (&entry.wg_public_key, &entry.assigned_ip) {
let peer_config = crate::wireguard::WgPeerConfig {
public_key: wg_key.clone(),
@@ -483,6 +621,43 @@ impl VpnServer {
let _ = state.tun_shutdown.send(()).await;
*state.forwarding_engine.lock().await = ForwardingEngine::Testing;
}
"bridge" => {
let _ = state.tun_shutdown.send(()).await;
*state.forwarding_engine.lock().await = ForwardingEngine::Testing;
// Restore host networking: move IP back and remove bridge
if let Some(ref cleanup) = state.bridge_cleanup {
if let Err(e) = crate::bridge::restore_host_ip(
&cleanup.physical_iface, &cleanup.bridge_name,
cleanup.host_ip, cleanup.host_prefix,
).await {
warn!("Failed to restore host IP: {}", e);
}
if let Err(e) = crate::bridge::remove_bridge(&cleanup.bridge_name).await {
warn!("Failed to remove bridge: {}", e);
}
}
}
"hybrid" => {
// Shut down socket (NAT) engine
let _ = state.tun_shutdown.send(()).await;
// Shut down bridge engine
if let Some(ref bridge_shut) = state.bridge_shutdown {
let _ = bridge_shut.send(()).await;
}
*state.forwarding_engine.lock().await = ForwardingEngine::Testing;
// Restore host networking: move IP back and remove bridge
if let Some(ref cleanup) = state.bridge_cleanup {
if let Err(e) = crate::bridge::restore_host_ip(
&cleanup.physical_iface, &cleanup.bridge_name,
cleanup.host_ip, cleanup.host_prefix,
).await {
warn!("Failed to restore host IP: {}", e);
}
if let Err(e) = crate::bridge::remove_bridge(&cleanup.bridge_name).await {
warn!("Failed to remove bridge: {}", e);
}
}
}
_ => {}
}
@@ -553,8 +728,10 @@ impl VpnServer {
if let Some(ref state) = self.state {
let mut clients = state.clients.write().await;
if let Some(client) = clients.remove(client_id) {
let ip: Ipv4Addr = client.assigned_ip.parse()?;
state.ip_pool.lock().await.release(&ip);
if client.transport_type != "wireguard" {
let ip: Ipv4Addr = client.assigned_ip.parse()?;
state.ip_pool.lock().await.release(&ip);
}
state.rate_limiters.lock().await.remove(client_id);
info!("Client {} disconnected", client_id);
}
@@ -695,10 +872,18 @@ impl VpnServer {
description: partial.get("description").and_then(|v| v.as_str()).map(String::from),
expires_at: partial.get("expiresAt").and_then(|v| v.as_str()).map(String::from),
assigned_ip: Some(assigned_ip.to_string()),
use_host_ip: partial.get("useHostIp").and_then(|v| v.as_bool()),
use_dhcp: partial.get("useDhcp").and_then(|v| v.as_bool()),
static_ip: partial.get("staticIp").and_then(|v| v.as_str()).map(String::from),
force_vlan: partial.get("forceVlan").and_then(|v| v.as_bool()),
vlan_id: partial.get("vlanId").and_then(|v| v.as_u64()).map(|v| v as u16),
};
// Add to registry
state.client_registry.write().await.add(entry.clone())?;
// Add to registry — release IP on failure to avoid pool leak
if let Err(e) = state.client_registry.write().await.add(entry.clone()) {
state.ip_pool.lock().await.release(&assigned_ip);
return Err(e);
}
// Register WG peer with the running WG listener (if active)
if self.wg_command_tx.is_some() {
@@ -710,7 +895,9 @@ impl VpnServer {
persistent_keepalive: Some(25),
};
if let Err(e) = self.add_wg_peer(wg_peer_config).await {
warn!("Failed to register WG peer for client {}: {}", client_id, e);
let _ = state.client_registry.write().await.remove(&client_id);
state.ip_pool.lock().await.release(&assigned_ip);
return Err(anyhow::anyhow!("Failed to register WG peer for client {}: {}", client_id, e));
}
}
@@ -768,15 +955,28 @@ impl VpnServer {
pub async fn remove_registered_client(&self, client_id: &str) -> Result<()> {
let state = self.state.as_ref()
.ok_or_else(|| anyhow::anyhow!("Server not running"))?;
let entry = state.client_registry.write().await.remove(client_id)?;
let entry = {
let registry = state.client_registry.read().await;
registry.get_by_id(client_id)
.cloned()
.ok_or_else(|| anyhow::anyhow!("Client '{}' not found", client_id))?
};
// Remove WG peer from running listener
if self.wg_command_tx.is_some() {
if let Some(ref wg_key) = entry.wg_public_key {
if let Err(e) = self.remove_wg_peer(wg_key).await {
debug!("Failed to remove WG peer for client {}: {}", client_id, e);
if entry.is_enabled() && !entry.is_expired() {
return Err(anyhow::anyhow!("Failed to remove WG peer for client {}: {}", client_id, e));
}
debug!("Failed to remove inactive WG peer for client {}: {}", client_id, e);
}
}
}
state.client_registry.write().await.remove(client_id)?;
// Release the IP if assigned
if let Some(ref ip_str) = entry.assigned_ip {
if let Ok(ip) = ip_str.parse::<Ipv4Addr>() {
@@ -833,7 +1033,37 @@ impl VpnServer {
if let Some(expires) = update.get("expiresAt").and_then(|v| v.as_str()) {
entry.expires_at = Some(expires.to_string());
}
if let Some(use_host_ip) = update.get("useHostIp").and_then(|v| v.as_bool()) {
entry.use_host_ip = Some(use_host_ip);
}
if let Some(use_dhcp) = update.get("useDhcp").and_then(|v| v.as_bool()) {
entry.use_dhcp = Some(use_dhcp);
}
if let Some(static_ip) = update.get("staticIp").and_then(|v| v.as_str()) {
entry.static_ip = Some(static_ip.to_string());
}
if let Some(force_vlan) = update.get("forceVlan").and_then(|v| v.as_bool()) {
entry.force_vlan = Some(force_vlan);
}
if let Some(vlan_id) = update.get("vlanId").and_then(|v| v.as_u64()) {
entry.vlan_id = Some(vlan_id as u16);
}
})?;
let updated_entry = {
let registry = state.client_registry.read().await;
registry.get_by_id(client_id).cloned()
};
if let Some(entry) = updated_entry {
if let Some(ref ip_str) = entry.assigned_ip {
if let Ok(ip) = ip_str.parse::<Ipv4Addr>() {
if let ForwardingEngine::Hybrid { routing_table, .. } = &*state.forwarding_engine.lock().await {
routing_table.write().await.insert(ip, entry.use_host_ip.unwrap_or(false));
}
}
}
}
Ok(())
}
@@ -843,13 +1073,56 @@ impl VpnServer {
.ok_or_else(|| anyhow::anyhow!("Server not running"))?;
state.client_registry.write().await.update(client_id, |entry| {
entry.enabled = Some(true);
})
})?;
let entry = {
let registry = state.client_registry.read().await;
registry.get_by_id(client_id)
.cloned()
.ok_or_else(|| anyhow::anyhow!("Client '{}' not found", client_id))?
};
if self.wg_command_tx.is_some() {
if let (Some(ref wg_key), Some(ref ip_str)) = (&entry.wg_public_key, &entry.assigned_ip) {
let peer_config = crate::wireguard::WgPeerConfig {
public_key: wg_key.clone(),
preshared_key: None,
allowed_ips: vec![format!("{}/32", ip_str)],
endpoint: None,
persistent_keepalive: Some(25),
};
if let Err(e) = self.add_wg_peer(peer_config).await {
let _ = state.client_registry.write().await.update(client_id, |entry| {
entry.enabled = Some(false);
});
return Err(anyhow::anyhow!("Failed to register WG peer for enabled client {}: {}", client_id, e));
}
}
}
Ok(())
}
/// Disable a registered client (also disconnects if connected).
pub async fn disable_client(&self, client_id: &str) -> Result<()> {
let state = self.state.as_ref()
.ok_or_else(|| anyhow::anyhow!("Server not running"))?;
let entry = {
let registry = state.client_registry.read().await;
registry.get_by_id(client_id).cloned()
};
if self.wg_command_tx.is_some() {
if let Some(ref entry) = entry {
if let Some(ref wg_key) = entry.wg_public_key {
if let Err(e) = self.remove_wg_peer(wg_key).await {
debug!("Failed to remove WG peer for disabled client {}: {}", client_id, e);
}
}
}
}
state.client_registry.write().await.update(client_id, |entry| {
entry.enabled = Some(false);
})?;
@@ -863,17 +1136,33 @@ impl VpnServer {
let state = self.state.as_ref()
.ok_or_else(|| anyhow::anyhow!("Server not running"))?;
// Capture old WG key before rotation (needed to remove from WG listener)
let old_wg_pub = {
// Capture old keys before rotation so listener and registry can be rolled back together.
let old_entry = {
let registry = state.client_registry.read().await;
let entry = registry.get_by_id(client_id)
.ok_or_else(|| anyhow::anyhow!("Client '{}' not found", client_id))?;
entry.wg_public_key.clone()
registry.get_by_id(client_id)
.cloned()
.ok_or_else(|| anyhow::anyhow!("Client '{}' not found", client_id))?
};
let old_noise_pub = old_entry.public_key.clone();
let old_wg_pub = old_entry.wg_public_key.clone();
let assigned_ip = old_entry.assigned_ip.clone().unwrap_or_else(|| "0.0.0.0".to_string());
let should_have_wg_peer = self.wg_command_tx.is_some()
&& old_entry.is_enabled()
&& !old_entry.is_expired()
&& old_wg_pub.is_some()
&& assigned_ip != "0.0.0.0";
let (noise_pub, noise_priv) = crypto::generate_keypair()?;
let (wg_pub, wg_priv) = crate::wireguard::generate_wg_keypair();
if should_have_wg_peer {
if let Some(ref old_key) = old_wg_pub {
if let Err(e) = self.remove_wg_peer(old_key).await {
return Err(anyhow::anyhow!("Failed to remove old WG peer during rotation for {}: {}", client_id, e));
}
}
}
state.client_registry.write().await.rotate_key(
client_id,
noise_pub.clone(),
@@ -883,31 +1172,40 @@ impl VpnServer {
// Disconnect existing connection (old key is no longer valid)
let _ = self.disconnect_client(client_id).await;
// Get updated entry for the config bundle
let entry_json = self.get_registered_client(client_id).await?;
let assigned_ip = entry_json.get("assignedIp")
.and_then(|v| v.as_str())
.unwrap_or("0.0.0.0");
// Update WG listener: remove old peer, add new peer
if self.wg_command_tx.is_some() {
if let Some(ref old_key) = old_wg_pub {
if let Err(e) = self.remove_wg_peer(old_key).await {
debug!("Failed to remove old WG peer during rotation: {}", e);
}
}
// Update WG listener with the new key. Roll back the registry if this fails.
if should_have_wg_peer {
let wg_peer_config = crate::wireguard::WgPeerConfig {
public_key: wg_pub.clone(),
preshared_key: None,
allowed_ips: vec![format!("{}/32", assigned_ip)],
allowed_ips: vec![format!("{}/32", assigned_ip.as_str())],
endpoint: None,
persistent_keepalive: Some(25),
};
if let Err(e) = self.add_wg_peer(wg_peer_config).await {
warn!("Failed to register new WG peer during rotation: {}", e);
let _ = state.client_registry.write().await.rotate_key(
client_id,
old_noise_pub,
old_wg_pub.clone(),
);
if let Some(ref old_key) = old_wg_pub {
let rollback_peer_config = crate::wireguard::WgPeerConfig {
public_key: old_key.clone(),
preshared_key: None,
allowed_ips: vec![format!("{}/32", assigned_ip.as_str())],
endpoint: None,
persistent_keepalive: Some(25),
};
if let Err(rollback_err) = self.add_wg_peer(rollback_peer_config).await {
warn!("Failed to restore old WG peer after rotation failure for {}: {}", client_id, rollback_err);
}
}
return Err(anyhow::anyhow!("Failed to register new WG peer during rotation for {}: {}", client_id, e));
}
}
// Get updated entry for the config bundle
let entry_json = self.get_registered_client(client_id).await?;
let smartvpn_server_url = format!("wss://{}",
state.config.server_endpoint.as_deref()
.unwrap_or(&state.config.listen_addr)
@@ -1495,6 +1793,17 @@ async fn handle_client_connection(
ForwardingEngine::Bridge(sender) => {
let _ = sender.try_send(buf[..len].to_vec());
}
ForwardingEngine::Hybrid { socket_tx, bridge_tx, routing_table } => {
if len >= 20 {
let src_ip = Ipv4Addr::new(buf[12], buf[13], buf[14], buf[15]);
let use_bridge = routing_table.read().await.get(&src_ip).copied().unwrap_or(false);
if use_bridge {
let _ = bridge_tx.try_send(buf[..len].to_vec());
} else {
let _ = socket_tx.try_send(buf[..len].to_vec());
}
}
}
ForwardingEngine::Testing => {}
}
}
rust/src/wireguard.rs
+102 -25
View File
@@ -215,6 +215,8 @@ pub enum WgCommand {
struct PeerState {
tunn: Tunn,
public_key_b64: String,
/// Registered SmartVPN client ID when this peer belongs to a registry entry.
client_id: Option<String>,
allowed_ips: Vec<AllowedIp>,
endpoint: Option<SocketAddr>,
#[allow(dead_code)]
@@ -237,6 +239,28 @@ impl PeerState {
}
}
fn synthetic_wg_client_id(pubkey: &str) -> String {
format!("wg-{}", &pubkey[..8.min(pubkey.len())])
}
fn peer_client_id(peer: &PeerState) -> String {
peer.client_id
.clone()
.unwrap_or_else(|| synthetic_wg_client_id(&peer.public_key_b64))
}
async fn registered_peer_info(
state: &Arc<ServerState>,
pubkey: &str,
) -> Option<(String, bool, bool)> {
let registry = state.client_registry.read().await;
registry.get_by_wg_key(pubkey).map(|entry| (
entry.client_id.clone(),
entry.use_host_ip.unwrap_or(false),
entry.is_enabled() && !entry.is_expired(),
))
}
fn add_peer_to_loop(
peers: &mut Vec<PeerState>,
@@ -281,6 +305,7 @@ fn add_peer_to_loop(
peers.push(PeerState {
tunn,
public_key_b64: config.public_key.clone(),
client_id: None,
allowed_ips,
endpoint,
persistent_keepalive: config.persistent_keepalive,
@@ -319,10 +344,12 @@ fn extract_peer_vpn_ip(allowed_ips: &[AllowedIp]) -> Option<Ipv4Addr> {
}
}
}
// Fallback: use the first IPv4 address from any prefix length
// Fallback: use the first non-unspecified IPv4 address from any prefix length
for aip in allowed_ips {
if let IpAddr::V4(v4) = aip.addr {
return Some(v4);
if !v4.is_unspecified() {
return Some(v4);
}
}
}
None
@@ -342,7 +369,7 @@ fn wg_timestamp_now() -> String {
/// Returns the VPN IP.
async fn register_wg_peer(
state: &Arc<ServerState>,
peer: &PeerState,
peer: &mut PeerState,
wg_return_tx: &mpsc::Sender<(String, Vec<u8>)>,
) -> Result<Option<Ipv4Addr>> {
let vpn_ip = match extract_peer_vpn_ip(&peer.allowed_ips) {
@@ -354,12 +381,24 @@ async fn register_wg_peer(
}
};
let client_id = format!("wg-{}", &peer.public_key_b64[..8.min(peer.public_key_b64.len())]);
let (client_id, use_host_ip) = match registered_peer_info(state, &peer.public_key_b64).await {
Some((client_id, use_host_ip, true)) => (client_id, use_host_ip),
Some((client_id, _, false)) => {
warn!("WG peer {} maps to disabled or expired client {}, skipping registration", peer.public_key_b64, client_id);
return Ok(None);
}
None => (synthetic_wg_client_id(&peer.public_key_b64), false),
};
peer.client_id = Some(client_id.clone());
// Reserve IP in the pool
if let Err(e) = state.ip_pool.lock().await.reserve(vpn_ip, &client_id) {
warn!("Failed to reserve IP {} for WG peer {}: {}", vpn_ip, client_id, e);
return Ok(None);
return Err(e);
}
if let ForwardingEngine::Hybrid { routing_table, .. } = &*state.forwarding_engine.lock().await {
routing_table.write().await.insert(vpn_ip, use_host_ip);
}
// Create per-peer return channel and register in tun_routes
@@ -391,7 +430,7 @@ async fn connect_wg_peer(
peer: &PeerState,
vpn_ip: Ipv4Addr,
) {
let client_id = format!("wg-{}", &peer.public_key_b64[..8.min(peer.public_key_b64.len())]);
let client_id = peer_client_id(peer);
let client_info = ClientInfo {
client_id: client_id.clone(),
assigned_ip: vpn_ip.to_string(),
@@ -424,24 +463,27 @@ async fn connect_wg_peer(
/// Remove a WG peer from state.clients (disconnect without unregistering).
async fn disconnect_wg_peer(
state: &Arc<ServerState>,
pubkey: &str,
peer: &PeerState,
) {
let client_id = format!("wg-{}", &pubkey[..8.min(pubkey.len())]);
let client_id = peer_client_id(peer);
if state.clients.write().await.remove(&client_id).is_some() {
info!("WG peer {} disconnected (removed from active clients)", pubkey);
info!("WG peer {} disconnected (removed from active clients)", peer.public_key_b64);
}
}
/// Unregister a WG peer from ServerState.
async fn unregister_wg_peer(
state: &Arc<ServerState>,
pubkey: &str,
peer: &PeerState,
vpn_ip: Option<Ipv4Addr>,
) {
let client_id = format!("wg-{}", &pubkey[..8.min(pubkey.len())]);
let client_id = peer_client_id(peer);
if let Some(ip) = vpn_ip {
state.tun_routes.write().await.remove(&ip);
if let ForwardingEngine::Hybrid { routing_table, .. } = &*state.forwarding_engine.lock().await {
routing_table.write().await.remove(&ip);
}
state.ip_pool.lock().await.release(&ip);
}
state.clients.write().await.remove(&client_id);
@@ -499,6 +541,7 @@ pub async fn run_wg_listener(
peers.push(PeerState {
tunn,
public_key_b64: peer_config.public_key.clone(),
client_id: None,
allowed_ips,
endpoint,
persistent_keepalive: peer_config.persistent_keepalive,
@@ -521,9 +564,13 @@ pub async fn run_wg_listener(
// Register initial peers in ServerState (IP reservation + tun_routes only, NOT state.clients)
let mut peer_vpn_ips: HashMap<String, Ipv4Addr> = HashMap::new();
for peer in peers.iter_mut() {
if let Ok(Some(ip)) = register_wg_peer(&state, peer, &wg_return_tx).await {
peer_vpn_ips.insert(peer.public_key_b64.clone(), ip);
peer.vpn_ip = Some(ip);
match register_wg_peer(&state, peer, &wg_return_tx).await {
Ok(Some(ip)) => {
peer_vpn_ips.insert(peer.public_key_b64.clone(), ip);
peer.vpn_ip = Some(ip);
}
Ok(None) => {}
Err(e) => warn!("Failed to register initial WG peer {}: {}", peer.public_key_b64, e),
}
}
@@ -579,6 +626,17 @@ pub async fn run_wg_listener(
ForwardingEngine::Bridge(sender) => {
let _ = sender.try_send(packet.to_vec());
}
ForwardingEngine::Hybrid { socket_tx, bridge_tx, routing_table } => {
if packet.len() >= 20 {
let src_ip = Ipv4Addr::new(packet[12], packet[13], packet[14], packet[15]);
let use_bridge = routing_table.read().await.get(&src_ip).copied().unwrap_or(false);
if use_bridge {
let _ = bridge_tx.try_send(packet.to_vec());
} else {
let _ = socket_tx.try_send(packet.to_vec());
}
}
}
ForwardingEngine::Testing => {}
}
peer.stats.bytes_received += pkt_len;
@@ -614,6 +672,17 @@ pub async fn run_wg_listener(
ForwardingEngine::Bridge(sender) => {
let _ = sender.try_send(packet.to_vec());
}
ForwardingEngine::Hybrid { socket_tx, bridge_tx, routing_table } => {
if packet.len() >= 20 {
let src_ip = Ipv4Addr::new(packet[12], packet[13], packet[14], packet[15]);
let use_bridge = routing_table.read().await.get(&src_ip).copied().unwrap_or(false);
if use_bridge {
let _ = bridge_tx.try_send(packet.to_vec());
} else {
let _ = socket_tx.try_send(packet.to_vec());
}
}
}
ForwardingEngine::Testing => {}
}
peer.stats.bytes_received += pkt_len;
@@ -681,7 +750,7 @@ pub async fn run_wg_listener(
warn!("WG peer {} connection expired", peer.public_key_b64);
if peer.is_connected {
peer.is_connected = false;
disconnect_wg_peer(&state, &peer.public_key_b64).await;
disconnect_wg_peer(&state, peer).await;
}
}
TunnResult::Err(e) => {
@@ -709,7 +778,7 @@ pub async fn run_wg_listener(
}
// Only update ClientInfo if peer is connected (in state.clients)
let client_id = format!("wg-{}", &peer.public_key_b64[..8.min(peer.public_key_b64.len())]);
let client_id = peer_client_id(peer);
if let Some(info) = clients.get_mut(&client_id) {
info.bytes_sent = peer.stats.bytes_sent;
info.bytes_received = peer.stats.bytes_received;
@@ -727,7 +796,7 @@ pub async fn run_wg_listener(
if now.duration_since(last) > std::time::Duration::from_secs(180) {
info!("WG peer {} idle timeout (180s), disconnecting", peer.public_key_b64);
peer.is_connected = false;
disconnect_wg_peer(&state, &peer.public_key_b64).await;
disconnect_wg_peer(&state, peer).await;
}
}
}
@@ -738,7 +807,12 @@ pub async fn run_wg_listener(
cmd = command_rx.recv() => {
match cmd {
Some(WgCommand::AddPeer(peer_config, resp_tx)) => {
let result = add_peer_to_loop(
if let Some((client_id, _, false)) = registered_peer_info(&state, &peer_config.public_key).await {
let _ = resp_tx.send(Err(anyhow!("WG peer maps to disabled or expired client: {}", client_id)));
continue;
}
let mut result = add_peer_to_loop(
&mut peers,
&peer_config,
&peer_index,
@@ -753,20 +827,23 @@ pub async fn run_wg_listener(
peer_vpn_ips.insert(peer_config.public_key.clone(), ip);
peer.vpn_ip = Some(ip);
}
Ok(None) => {}
Ok(None) => {
peers.retain(|p| p.public_key_b64 != peer_config.public_key);
result = Err(anyhow!("WG peer was not registered"));
}
Err(e) => {
warn!("Failed to register WG peer: {}", e);
peers.retain(|p| p.public_key_b64 != peer_config.public_key);
result = Err(e);
}
}
}
let _ = resp_tx.send(result);
}
Some(WgCommand::RemovePeer(pubkey, resp_tx)) => {
let prev_len = peers.len();
peers.retain(|p| p.public_key_b64 != pubkey);
if peers.len() < prev_len {
if let Some(index) = peers.iter().position(|p| p.public_key_b64 == pubkey) {
let peer = peers.remove(index);
let vpn_ip = peer_vpn_ips.remove(&pubkey);
unregister_wg_peer(&state, &pubkey, vpn_ip).await;
unregister_wg_peer(&state, &peer, vpn_ip).await;
let _ = resp_tx.send(Ok(()));
} else {
let _ = resp_tx.send(Err(anyhow!("Peer not found: {}", pubkey)));
@@ -790,7 +867,7 @@ pub async fn run_wg_listener(
// Cleanup: unregister all peers from ServerState
for peer in &peers {
let vpn_ip = peer_vpn_ips.get(&peer.public_key_b64).copied();
unregister_wg_peer(&state, &peer.public_key_b64, vpn_ip).await;
unregister_wg_peer(&state, peer, vpn_ip).await;
}
info!("WireGuard listener stopped");
ts/00_commitinfo_data.ts
+1 -1
View File
@@ -3,6 +3,6 @@
*/
export const commitinfo = {
name: '@push.rocks/smartvpn',
version: '1.18.0',
version: '1.19.4',
description: 'A VPN solution with TypeScript control plane and Rust data plane daemon'
}
ts/smartvpn.classes.vpnserver.ts
+20 -2
View File
@@ -333,17 +333,35 @@ export class VpnServer extends plugins.events.EventEmitter {
/**
* Stop the daemon bridge.
*/
public stop(): void {
public async stop(): Promise<void> {
// Clean up nftables rules
if (this.nftHealthInterval) {
clearInterval(this.nftHealthInterval);
this.nftHealthInterval = undefined;
}
if (this.nft) {
this.nft.cleanup().catch(() => {}); // best-effort cleanup
try {
await this.nft.cleanup();
} catch (e) {
console.warn(`[smartvpn] nftables cleanup failed: ${e}`);
}
this.nft = undefined;
}
// Wait for bridge process to exit (with timeout)
const exitPromise = new Promise<void>((resolve) => {
if (!this.bridge.running) {
resolve();
return;
}
const timeout = setTimeout(() => resolve(), 5000);
this.bridge.once('exit', () => {
clearTimeout(timeout);
resolve();
});
});
this.bridge.stop();
await exitPromise;
}
/**
ts/smartvpn.interfaces.ts
+17 -1
View File
@@ -92,8 +92,9 @@ export interface IVpnServerConfig {
/** Enable NAT/masquerade for client traffic */
enableNat?: boolean;
/** Forwarding mode: 'tun' (kernel TUN, requires root), 'socket' (userspace NAT),
* 'bridge' (L2 bridge to host LAN), 'hybrid' (per-client socket+bridge),
* or 'testing' (monitoring only). Default: 'testing'. */
forwardingMode?: 'tun' | 'socket' | 'bridge' | 'testing';
forwardingMode?: 'tun' | 'socket' | 'bridge' | 'hybrid' | 'testing';
/** Default rate limit for new clients (bytes/sec). Omit for unlimited. */
defaultRateLimitBytesPerSec?: number;
/** Default burst size for new clients (bytes). Omit for unlimited. */
@@ -361,6 +362,21 @@ export interface IClientEntry {
expiresAt?: string;
/** Assigned VPN IP address (set by server) */
assignedIp?: string;
// Per-client bridge/host-IP settings
/** If true, client gets a host network IP via bridge mode (L2 to LAN).
* If false (default), client gets a VPN subnet IP via socket/NAT mode. */
useHostIp?: boolean;
/** If true and useHostIp is true, obtain IP via DHCP relay.
* If false or omitted, use staticIp or auto-assign from bridge IP range. */
useDhcp?: boolean;
/** Static LAN IP when useHostIp is true and useDhcp is false. */
staticIp?: string;
/** If true, assign this client to a specific 802.1Q VLAN on the bridge. */
forceVlan?: boolean;
/** 802.1Q VLAN ID (1-4094). Required when forceVlan is true. */
vlanId?: number;
}
/**