push.rocks/smartvpn
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: push.rocks:v1.4.1
Branches Tags
push.rocks:main
push.rocks:v1.9.0 push.rocks:v1.8.0 push.rocks:v1.7.0 push.rocks:v1.6.0 push.rocks:v1.5.0 push.rocks:v1.4.1 push.rocks:v1.4.0 push.rocks:v1.3.0 push.rocks:v1.2.0 push.rocks:v1.1.0 push.rocks:v1.0.3 push.rocks:v1.0.2 push.rocks:v1.0.1
...
compare: push.rocks:v1.7.0
Branches Tags
push.rocks:main
push.rocks:v1.9.0 push.rocks:v1.8.0 push.rocks:v1.7.0 push.rocks:v1.6.0 push.rocks:v1.5.0 push.rocks:v1.4.1 push.rocks:v1.4.0 push.rocks:v1.3.0 push.rocks:v1.2.0 push.rocks:v1.1.0 push.rocks:v1.0.3 push.rocks:v1.0.2 push.rocks:v1.0.1

6 Commits
v1.4.1 ... v1.7.0

Author SHA1 Message Date
Juergen Kunz
64dedd389e v1.7.0 2026-03-29 15:46:32 +00:00
Juergen Kunz
13d8cbe3fa feat(rust-tests): add end-to-end WireGuard UDP integration tests and align TypeScript build configuration 2026-03-29 15:46:32 +00:00
Juergen Kunz
f46ea70286 v1.6.0 2026-03-29 15:25:22 +00:00
Juergen Kunz
26ee3634c8 feat(readme): document WireGuard transport support, configuration, and usage examples 2026-03-29 15:25:22 +00:00
Juergen Kunz
049fa00563 v1.5.0 2026-03-29 15:24:41 +00:00
Juergen Kunz
e4e59d72f9 feat(wireguard): add WireGuard transport support with management APIs and config generation 2026-03-29 15:24:41 +00:00
19 changed files with 3518 additions and 413 deletions
Expand all files Collapse all files

0
npmextra.json → .smartconfig.json
View File

23
changelog.md
View File

@@ -1,5 +1,28 @@
# Changelog # Changelog
## 2026-03-29 - 1.7.0 - feat(rust-tests)
add end-to-end WireGuard UDP integration tests and align TypeScript build configuration
- Add userspace Rust end-to-end tests that validate WireGuard handshake, encryption, peer isolation, and preshared-key data exchange over real UDP sockets.
- Update the TypeScript build setup by removing the allowimplicitany build flag and explicitly including Node types in tsconfig.
- Refresh development toolchain versions to support the updated test and build workflow.
## 2026-03-29 - 1.6.0 - feat(readme)
document WireGuard transport support, configuration, and usage examples
- Expand the README from dual-transport to triple-transport support by adding WireGuard alongside WebSocket and QUIC
- Add client and server WireGuard examples, including live peer management and .conf generation with WgConfigGenerator
- Document new WireGuard-related API methods, config fields, transport modes, and security model details
## 2026-03-29 - 1.5.0 - feat(wireguard)
add WireGuard transport support with management APIs and config generation
- add Rust WireGuard module integration using boringtun and route management through client/server management handlers
- extend TypeScript client and server configuration schemas with WireGuard-specific options and validation
- add server-side WireGuard peer management commands including keypair generation, peer add/remove, and peer listing
- export a WireGuard config generator for producing client and server .conf files
- add WireGuard-focused test coverage for config validation and config generation
## 2026-03-21 - 1.4.1 - fix(readme) ## 2026-03-21 - 1.4.1 - fix(readme)
preserve markdown line breaks in feature list preserve markdown line breaks in feature list

12
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "@push.rocks/smartvpn", "name": "@push.rocks/smartvpn",
"version": "1.4.1", "version": "1.7.0",
"private": false, "private": false,
"description": "A VPN solution with TypeScript control plane and Rust data plane daemon", "description": "A VPN solution with TypeScript control plane and Rust data plane daemon",
"type": "module", "type": "module",
@@ -10,7 +10,7 @@
"main": "dist_ts/index.js", "main": "dist_ts/index.js",
"typings": "dist_ts/index.d.ts", "typings": "dist_ts/index.d.ts",
"scripts": { "scripts": {
"build": "(tsbuild tsfolders --allowimplicitany) && (tsrust)", "build": "(tsbuild tsfolders) && (tsrust)",
"test:before": "(tsrust)", "test:before": "(tsrust)",
"test": "tstest test/ --verbose", "test": "tstest test/ --verbose",
"buildDocs": "tsdoc" "buildDocs": "tsdoc"
@@ -33,10 +33,10 @@
"@push.rocks/smartrust": "^1.3.2" "@push.rocks/smartrust": "^1.3.2"
}, },
"devDependencies": { "devDependencies": {
"@git.zone/tsbuild": "^4.3.0", "@git.zone/tsbuild": "^4.4.0",
"@git.zone/tsrun": "^2.0.1", "@git.zone/tsrun": "^2.0.2",
"@git.zone/tsrust": "^1.3.0", "@git.zone/tsrust": "^1.3.2",
"@git.zone/tstest": "^3.5.0", "@git.zone/tstest": "^3.6.3",
"@types/node": "^25.5.0" "@types/node": "^25.5.0"
}, },
"files": [ "files": [

865
pnpm-lock.yaml generated
View File

File diff suppressed because it is too large Load Diff

285
readme.md
View File

@@ -2,11 +2,12 @@
A high-performance VPN with a **TypeScript control plane** and a **Rust data plane daemon**. Manage VPN connections with clean, fully-typed APIs while all networking heavy lifting — encryption, tunneling, QoS, rate limiting — runs at native speed in Rust. A high-performance VPN with a **TypeScript control plane** and a **Rust data plane daemon**. Manage VPN connections with clean, fully-typed APIs while all networking heavy lifting — encryption, tunneling, QoS, rate limiting — runs at native speed in Rust.
🔒 **Noise NK** handshake + **XChaCha20-Poly1305** encryption 🔒 **Noise NK** handshake + **XChaCha20-Poly1305** encryption
🚀 **Dual transport**: WebSocket (Cloudflare-friendly) and raw **QUIC** (with datagram support) 🚀 **Triple transport**: WebSocket (Cloudflare-friendly), raw **QUIC** (datagrams), and **WireGuard** (standard protocol)
📊 **Adaptive QoS**: packet classification, priority queues, per-client rate limiting 📊 **Adaptive QoS**: packet classification, priority queues, per-client rate limiting
🔄 **Auto-transport**: tries QUIC first, falls back to WebSocket seamlessly 🔄 **Auto-transport**: tries QUIC first, falls back to WebSocket seamlessly
📡 **Real-time telemetry**: RTT, jitter, loss, link health — all exposed via typed APIs 📡 **Real-time telemetry**: RTT, jitter, loss, link health — all exposed via typed APIs
🛡️ **WireGuard mode**: full userspace WireGuard via `boringtun` — generate `.conf` files, manage peers live
## Issue Reporting and Security ## Issue Reporting and Security
@@ -27,9 +28,10 @@ TypeScript (control plane) Rust (data plane)
│ └─ VpnBridge │──stdio/──▶ │ ├─ management (JSON IPC) │ │ └─ VpnBridge │──stdio/──▶ │ ├─ management (JSON IPC) │
│ └─ RustBridge │ socket │ ├─ transport_trait (abstraction) │ │ └─ RustBridge │ socket │ ├─ transport_trait (abstraction) │
│ (smartrust) │ │ │ ├─ transport (WebSocket/TLS) │ │ (smartrust) │ │ │ ├─ transport (WebSocket/TLS) │
└──────────────────────────┘ │ │ └─ quic_transport (QUIC/UDP) │ │ │ │ │ └─ quic_transport (QUIC/UDP) │
│ ├─ crypto (Noise NK + XCha20) │ WgConfigGenerator │ ├─ wireguard (boringtun WG)
│ ├─ codec (binary framing) └─ .conf file output │ ├─ crypto (Noise NK + XCha20)
└──────────────────────────┘ │ ├─ codec (binary framing) │
│ ├─ keepalive (adaptive state FSM) │ │ ├─ keepalive (adaptive state FSM) │
│ ├─ telemetry (RTT/jitter/loss) │ │ ├─ telemetry (RTT/jitter/loss) │
│ ├─ qos (classify + priority Q) │ │ ├─ qos (classify + priority Q) │
@@ -45,8 +47,9 @@ TypeScript (control plane) Rust (data plane)
| Decision | Choice | Why | | Decision | Choice | Why |
|----------|--------|-----| |----------|--------|-----|
| Transport | WebSocket + QUIC (dual) | WS works through Cloudflare; QUIC gives lower latency + unreliable datagrams | | Transport | WebSocket + QUIC + WireGuard | WS works through Cloudflare; QUIC gives low latency + datagrams; WG for standard protocol interop |
| Auto-transport | QUIC first, WS fallback | Best performance when QUIC is available, graceful degradation when it's not | | Auto-transport | QUIC first, WS fallback | Best performance when QUIC is available, graceful degradation when it's not |
| WireGuard | Userspace via `boringtun` | No kernel module needed, runs on any platform, full peer management via IPC |
| Encryption | Noise NK + XChaCha20-Poly1305 | Strong forward secrecy, large nonce space (no counter sync needed) | | Encryption | Noise NK + XChaCha20-Poly1305 | Strong forward secrecy, large nonce space (no counter sync needed) |
| QUIC auth | Certificate hash pinning | WireGuard-style trust model — no CA needed, just pin the server cert hash | | QUIC auth | Certificate hash pinning | WireGuard-style trust model — no CA needed, just pin the server cert hash |
| Keepalive | Adaptive app-level pings | Cloudflare drops WS pings; interval adapts to link health (1060s) | | Keepalive | Adaptive app-level pings | Cloudflare drops WS pings; interval adapts to link health (1060s) |
@@ -132,6 +135,37 @@ await autoClient.connect({
}); });
``` ```
### VPN Client with WireGuard
```typescript
import { VpnClient } from '@push.rocks/smartvpn';
const wgClient = new VpnClient({
transport: { transport: 'stdio' },
});
await wgClient.start();
const { assignedIp } = await wgClient.connect({
serverPublicKey: 'BASE64_SERVER_WG_PUBLIC_KEY',
serverUrl: '', // not used for WireGuard
transport: 'wireguard',
wgPrivateKey: 'BASE64_CLIENT_PRIVATE_KEY',
wgAddress: '10.8.0.2',
wgAddressPrefix: 24,
wgEndpoint: 'vpn.example.com:51820',
wgAllowedIps: ['0.0.0.0/0'], // route all traffic
wgPersistentKeepalive: 25,
wgPresharedKey: 'OPTIONAL_PSK', // optional extra layer
dns: ['1.1.1.1'],
mtu: 1420,
});
console.log(`WireGuard connected! IP: ${assignedIp}`);
await wgClient.disconnect();
wgClient.stop();
```
### VPN Server ### VPN Server
```typescript ```typescript
@@ -154,7 +188,7 @@ await server.start({
dns: ['1.1.1.1'], dns: ['1.1.1.1'],
mtu: 1420, mtu: 1420,
enableNat: true, enableNat: true,
// Transport mode: 'websocket', 'quic', or 'both' (default) // Transport mode: 'websocket', 'quic', 'both', or 'wireguard'
transportMode: 'both', transportMode: 'both',
// Optional: separate QUIC listen address // Optional: separate QUIC listen address
quicListenAddr: '0.0.0.0:4433', quicListenAddr: '0.0.0.0:4433',
@@ -188,6 +222,125 @@ await server.stopServer();
server.stop(); server.stop();
``` ```
### WireGuard Server Mode
```typescript
import { VpnServer } from '@push.rocks/smartvpn';
const wgServer = new VpnServer({
transport: { transport: 'stdio' },
});
// Generate a WireGuard X25519 keypair
await wgServer.start();
const keypair = await wgServer.generateWgKeypair();
console.log(`Server public key: ${keypair.publicKey}`);
// Start in WireGuard mode
await wgServer.start({
listenAddr: '0.0.0.0:51820',
privateKey: keypair.privateKey,
publicKey: keypair.publicKey,
subnet: '10.8.0.0/24',
transportMode: 'wireguard',
wgListenPort: 51820,
wgPeers: [
{
publicKey: 'CLIENT_PUBLIC_KEY_BASE64',
allowedIps: ['10.8.0.2/32'],
persistentKeepalive: 25,
},
],
enableNat: true,
dns: ['1.1.1.1'],
mtu: 1420,
});
// Live peer management — add/remove peers without restart
await wgServer.addWgPeer({
publicKey: 'NEW_CLIENT_PUBLIC_KEY',
allowedIps: ['10.8.0.3/32'],
persistentKeepalive: 25,
});
// List peers with live stats
const peers = await wgServer.listWgPeers();
for (const peer of peers) {
console.log(`${peer.publicKey}: ↑${peer.bytesSent}${peer.bytesReceived}`);
}
// Remove a peer by public key
await wgServer.removeWgPeer('CLIENT_PUBLIC_KEY_BASE64');
await wgServer.stopServer();
wgServer.stop();
```
### Generating WireGuard .conf Files
The `WgConfigGenerator` creates standard WireGuard `.conf` files compatible with `wg-quick`, iOS/Android apps, and all standard WireGuard clients:
```typescript
import { WgConfigGenerator } from '@push.rocks/smartvpn';
// Client config (for wg-quick or mobile apps)
const clientConf = WgConfigGenerator.generateClientConfig({
privateKey: 'CLIENT_PRIVATE_KEY_BASE64',
address: '10.8.0.2/24',
dns: ['1.1.1.1', '8.8.8.8'],
mtu: 1420,
peer: {
publicKey: 'SERVER_PUBLIC_KEY_BASE64',
endpoint: 'vpn.example.com:51820',
allowedIps: ['0.0.0.0/0', '::/0'],
persistentKeepalive: 25,
presharedKey: 'OPTIONAL_PSK_BASE64',
},
});
// Server config (for wg-quick)
const serverConf = WgConfigGenerator.generateServerConfig({
privateKey: 'SERVER_PRIVATE_KEY_BASE64',
address: '10.8.0.1/24',
listenPort: 51820,
dns: ['1.1.1.1'],
mtu: 1420,
enableNat: true,
natInterface: 'eth0', // auto-detected if omitted
peers: [
{
publicKey: 'CLIENT_PUBLIC_KEY_BASE64',
allowedIps: ['10.8.0.2/32'],
persistentKeepalive: 25,
},
],
});
// Write to disk
import * as fs from 'fs';
fs.writeFileSync('/etc/wireguard/wg0.conf', serverConf);
```
<details>
<summary>Example output: client .conf</summary>
```ini
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_BASE64
Address = 10.8.0.2/24
DNS = 1.1.1.1, 8.8.8.8
MTU = 1420
[Peer]
PublicKey = SERVER_PUBLIC_KEY_BASE64
PresharedKey = OPTIONAL_PSK_BASE64
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```
</details>
### Production: Socket Transport ### Production: Socket Transport
In production, the daemon runs as a system service and you connect over a Unix socket: In production, the daemon runs as a system service and you connect over a Unix socket:
@@ -216,7 +369,7 @@ When using socket transport, `client.stop()` closes the socket but **does not ki
| Method | Returns | Description | | Method | Returns | Description |
|--------|---------|-------------| |--------|---------|-------------|
| `start()` | `Promise<boolean>` | Start the daemon bridge (spawn or connect) | | `start()` | `Promise<boolean>` | Start the daemon bridge (spawn or connect) |
| `connect(config?)` | `Promise<{ assignedIp }>` | Connect to VPN server | | `connect(config?)` | `Promise<{ assignedIp }>` | Connect to VPN server (WS, QUIC, or WireGuard) |
| `disconnect()` | `Promise<void>` | Disconnect from VPN | | `disconnect()` | `Promise<void>` | Disconnect from VPN |
| `getStatus()` | `Promise<IVpnStatus>` | Current connection state | | `getStatus()` | `Promise<IVpnStatus>` | Current connection state |
| `getStatistics()` | `Promise<IVpnStatistics>` | Traffic stats + connection quality | | `getStatistics()` | `Promise<IVpnStatistics>` | Traffic stats + connection quality |
@@ -239,6 +392,10 @@ When using socket transport, `client.stop()` closes the socket but **does not ki
| `setClientRateLimit(id, rate, burst)` | `Promise<void>` | Set per-client rate limit (bytes/sec) | | `setClientRateLimit(id, rate, burst)` | `Promise<void>` | Set per-client rate limit (bytes/sec) |
| `removeClientRateLimit(id)` | `Promise<void>` | Remove rate limit (unlimited) | | `removeClientRateLimit(id)` | `Promise<void>` | Remove rate limit (unlimited) |
| `getClientTelemetry(id)` | `Promise<IVpnClientTelemetry>` | Per-client telemetry + drop stats | | `getClientTelemetry(id)` | `Promise<IVpnClientTelemetry>` | Per-client telemetry + drop stats |
| `generateWgKeypair()` | `Promise<IVpnKeypair>` | Generate WireGuard X25519 keypair |
| `addWgPeer(peer)` | `Promise<void>` | Add a WireGuard peer at runtime |
| `removeWgPeer(publicKey)` | `Promise<void>` | Remove a WireGuard peer by key |
| `listWgPeers()` | `Promise<IWgPeerInfo[]>` | List WG peers with traffic stats |
| `stop()` | `void` | Kill/close the daemon bridge | | `stop()` | `void` | Kill/close the daemon bridge |
### `VpnConfig` ### `VpnConfig`
@@ -257,6 +414,19 @@ const config = await VpnConfig.loadFromFile<IVpnClientConfig>('/etc/smartvpn/cli
await VpnConfig.saveToFile('/etc/smartvpn/client.json', config); await VpnConfig.saveToFile('/etc/smartvpn/client.json', config);
``` ```
Validation covers both smartvpn-native configs and WireGuard configs — base64 key format, CIDR ranges, port ranges, and required fields are all checked.
### `WgConfigGenerator`
Static generator for standard WireGuard `.conf` files:
| Method | Returns | Description |
|--------|---------|-------------|
| `generateClientConfig(opts)` | `string` | Generate a `wg-quick` compatible client `.conf` |
| `generateServerConfig(opts)` | `string` | Generate a `wg-quick` compatible server `.conf` with NAT rules |
Output is compatible with `wg-quick`, WireGuard iOS/Android apps, and any standard WireGuard implementation.
### `VpnInstaller` ### `VpnInstaller`
Generate system service units for the daemon: Generate system service units for the daemon:
@@ -306,9 +476,9 @@ server.on('stopped', () => { /* server listener stopped */ });
## 🌐 Transport Modes ## 🌐 Transport Modes
smartvpn supports two transport protocols through a unified transport abstraction layer. Both use the same encryption, framing, and QoS pipeline — the transport is swappable without changing any application logic. smartvpn supports three transport protocols. The smartvpn-native transports (WebSocket + QUIC) share the same encryption, framing, and QoS pipeline. WireGuard mode uses the standard WireGuard protocol for broad interoperability.
### WebSocket (default) ### WebSocket (default for smartvpn-native)
- Works through Cloudflare, reverse proxies, and HTTP load balancers - Works through Cloudflare, reverse proxies, and HTTP load balancers
- Reliable delivery only (no datagram support) - Reliable delivery only (no datagram support)
@@ -322,7 +492,17 @@ smartvpn supports two transport protocols through a unified transport abstractio
- URL format: `host:port` - URL format: `host:port`
- ALPN protocol: `smartvpn` - ALPN protocol: `smartvpn`
### Auto-Transport (Recommended) ### WireGuard
- Standard WireGuard protocol via `boringtun` (userspace, no kernel module)
- Compatible with **all WireGuard clients** — iOS, Android, macOS, Windows, Linux, routers
- X25519 key exchange, ChaCha20-Poly1305 encryption
- Dynamic peer management at runtime (add/remove without restart)
- Optional preshared keys for post-quantum defense-in-depth
- Generate `.conf` files for standard clients via `WgConfigGenerator`
- Default port: `51820/UDP`
### Auto-Transport (Recommended for smartvpn-native)
The default `transport: 'auto'` mode gives you the best of both worlds: The default `transport: 'auto'` mode gives you the best of both worlds:
@@ -339,16 +519,26 @@ await client.connect({
}); });
``` ```
### Server Dual-Mode ### Server Dual-Mode / Multi-Mode
The server can listen on both transports simultaneously: The server can listen on multiple transports simultaneously:
```typescript ```typescript
// WebSocket + QUIC (dual mode)
await server.start({ await server.start({
listenAddr: '0.0.0.0:443', // WebSocket listener listenAddr: '0.0.0.0:443', // WebSocket listener
quicListenAddr: '0.0.0.0:4433', // QUIC listener (optional, defaults to listenAddr) quicListenAddr: '0.0.0.0:4433', // QUIC listener (optional, defaults to listenAddr)
transportMode: 'both', // 'websocket' | 'quic' | 'both' (default) transportMode: 'both', // 'websocket' | 'quic' | 'both' | 'wireguard'
quicIdleTimeoutSecs: 30, // QUIC connection idle timeout quicIdleTimeoutSecs: 30,
// ... other config
});
// WireGuard standalone
await server.start({
listenAddr: '0.0.0.0:51820',
transportMode: 'wireguard',
wgListenPort: 51820,
wgPeers: [{ publicKey: '...', allowedIps: ['10.8.0.2/32'] }],
// ... other config // ... other config
}); });
``` ```
@@ -428,6 +618,8 @@ For a standard 1500-byte Ethernet link, effective TUN MTU = **1421 bytes**. The
## 🔐 Security Model ## 🔐 Security Model
### smartvpn-native (WebSocket / QUIC)
The VPN uses a **Noise NK** handshake pattern: The VPN uses a **Noise NK** handshake pattern:
1. **NK** = client does **N**ot authenticate, but **K**nows the server's static public key 1. **NK** = client does **N**ot authenticate, but **K**nows the server's static public key
@@ -440,6 +632,14 @@ Post-handshake, all IP packets are encrypted with **XChaCha20-Poly1305**:
- 16-byte authentication tags - 16-byte authentication tags
- Wire format: `[nonce:24B][ciphertext:var][tag:16B]` - Wire format: `[nonce:24B][ciphertext:var][tag:16B]`
### WireGuard Mode
Uses the standard [Noise IKpsk2](https://www.wireguard.com/protocol/) handshake:
- **X25519** key exchange (Curve25519 Diffie-Hellman)
- **ChaCha20-Poly1305** AEAD encryption
- Optional **preshared keys** for post-quantum defense-in-depth
- Implemented via `boringtun` — Cloudflare's userspace WireGuard in Rust
### QUIC Certificate Pinning ### QUIC Certificate Pinning
When using QUIC transport, the server generates a self-signed TLS certificate (or uses a configured PEM). Instead of relying on a CA chain, clients pin the server's certificate by its **SHA-256 hash** (base64-encoded) — a WireGuard-inspired trust model: When using QUIC transport, the server generates a self-signed TLS certificate (or uses a configured PEM). Instead of relying on a CA chain, clients pin the server's certificate by its **SHA-256 hash** (base64-encoded) — a WireGuard-inspired trust model:
@@ -481,6 +681,8 @@ Inside the tunnel (both WebSocket and QUIC reliable channels), packets use a sim
When QUIC datagrams are available, IP packets can optionally be sent via the unreliable datagram channel for lower latency. Packets that exceed the max datagram size automatically fall back to the reliable stream. When QUIC datagrams are available, IP packets can optionally be sent via the unreliable datagram channel for lower latency. Packets that exceed the max datagram size automatically fall back to the reliable stream.
> **Note:** WireGuard mode uses the standard WireGuard wire protocol, not this binary framing.
## 🛠️ Rust Daemon CLI ## 🛠️ Rust Daemon CLI
```bash ```bash
@@ -507,7 +709,7 @@ pnpm build
# Build Rust only (debug) # Build Rust only (debug)
cd rust && cargo build cd rust && cargo build
# Run all tests (77 Rust + 59 TypeScript) # Run all tests (93 Rust + 77 TypeScript)
cd rust && cargo test cd rust && cargo test
pnpm test pnpm test
``` ```
@@ -533,12 +735,20 @@ type TVpnTransportOptions =
// Client config // Client config
interface IVpnClientConfig { interface IVpnClientConfig {
serverUrl: string; // WS: 'wss://host/path' | QUIC: 'host:port' serverUrl: string; // WS: 'wss://host/path' | QUIC: 'host:port'
serverPublicKey: string; // Base64-encoded Noise static key serverPublicKey: string; // Base64-encoded Noise static key (or WG public key)
transport?: 'auto' | 'websocket' | 'quic'; // Default: 'auto' transport?: 'auto' | 'websocket' | 'quic' | 'wireguard'; // Default: 'auto'
serverCertHash?: string; // SHA-256 cert hash (base64) for QUIC pinning serverCertHash?: string; // SHA-256 cert hash (base64) for QUIC pinning
dns?: string[]; dns?: string[];
mtu?: number; mtu?: number;
keepaliveIntervalSecs?: number; keepaliveIntervalSecs?: number;
// WireGuard-specific
wgPrivateKey?: string; // Client private key (base64, X25519)
wgAddress?: string; // Client TUN address (e.g. 10.8.0.2)
wgAddressPrefix?: number; // Address prefix length (default: 24)
wgPresharedKey?: string; // Optional preshared key (base64)
wgPersistentKeepalive?: number; // Persistent keepalive interval (seconds)
wgEndpoint?: string; // Server endpoint (host:port)
wgAllowedIps?: string[]; // Allowed IPs (CIDR strings)
} }
// Server config // Server config
@@ -553,11 +763,36 @@ interface IVpnServerConfig {
mtu?: number; mtu?: number;
keepaliveIntervalSecs?: number; keepaliveIntervalSecs?: number;
enableNat?: boolean; enableNat?: boolean;
transportMode?: 'websocket' | 'quic' | 'both'; // Default: 'both' transportMode?: 'websocket' | 'quic' | 'both' | 'wireguard';
quicListenAddr?: string; // Separate QUIC bind address quicListenAddr?: string;
quicIdleTimeoutSecs?: number; // QUIC idle timeout (default: 30) quicIdleTimeoutSecs?: number;
defaultRateLimitBytesPerSec?: number; defaultRateLimitBytesPerSec?: number;
defaultBurstBytes?: number; defaultBurstBytes?: number;
// WireGuard-specific
wgListenPort?: number; // UDP port (default: 51820)
wgPeers?: IWgPeerConfig[]; // Initial peers
}
// WireGuard peer config
interface IWgPeerConfig {
publicKey: string; // Peer's X25519 public key (base64)
presharedKey?: string; // Optional preshared key (base64)
allowedIps: string[]; // Allowed IP ranges (CIDR)
endpoint?: string; // Peer endpoint (host:port)
persistentKeepalive?: number; // Keepalive interval (seconds)
}
// WireGuard peer info (with live stats)
interface IWgPeerInfo {
publicKey: string;
allowedIps: string[];
endpoint?: string;
persistentKeepalive?: number;
bytesSent: number;
bytesReceived: number;
packetsSent: number;
packetsReceived: number;
lastHandshakeTime?: string;
} }
// Status // Status
@@ -652,7 +887,7 @@ interface IVpnKeypair {
## License and Legal Information ## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file. This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./license.md) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file. **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.

130
rust/Cargo.lock generated
View File

@@ -137,12 +137,30 @@ version = "1.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
[[package]]
name = "autocfg"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
[[package]]
name = "base64"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
[[package]] [[package]]
name = "base64" name = "base64"
version = "0.22.1" version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
[[package]]
name = "bitflags"
version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
[[package]] [[package]]
name = "bitflags" name = "bitflags"
version = "2.11.0" version = "2.11.0"
@@ -180,6 +198,30 @@ dependencies = [
"piper", "piper",
] ]
[[package]]
name = "boringtun"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8dc4267b0c97985d9b089b19ff965b959e61870640d2f0842a97552e030fa43f"
dependencies = [
"aead",
"base64 0.13.1",
"blake2",
"chacha20poly1305",
"hex",
"hmac",
"ip_network",
"ip_network_table",
"libc",
"nix 0.25.1",
"parking_lot",
"rand_core 0.6.4",
"ring",
"tracing",
"untrusted",
"x25519-dalek",
]
[[package]] [[package]]
name = "bumpalo" name = "bumpalo"
version = "3.20.2" version = "3.20.2"
@@ -655,6 +697,21 @@ version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
[[package]]
name = "hex"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hmac"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
dependencies = [
"digest",
]
[[package]] [[package]]
name = "http" name = "http"
version = "1.4.0" version = "1.4.0"
@@ -680,6 +737,28 @@ dependencies = [
"generic-array", "generic-array",
] ]
[[package]]
name = "ip_network"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa2f047c0a98b2f299aa5d6d7088443570faae494e9ae1305e48be000c9e0eb1"
[[package]]
name = "ip_network_table"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4099b7cfc5c5e2fe8c5edf3f6f7adf7a714c9cc697534f63a5a5da30397cb2c0"
dependencies = [
"ip_network",
"ip_network_table-deps-treebitmap",
]
[[package]]
name = "ip_network_table-deps-treebitmap"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8e537132deb99c0eb4b752f0346b6a836200eaaa3516dd7e5514b63930a09e5d"
[[package]] [[package]]
name = "ipnet" name = "ipnet"
version = "2.11.0" version = "2.11.0"
@@ -824,13 +903,25 @@ dependencies = [
"windows-sys 0.61.2", "windows-sys 0.61.2",
] ]
[[package]]
name = "nix"
version = "0.25.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f346ff70e7dbfd675fe90590b92d59ef2de15a8779ae305ebcbfd3f0caf59be4"
dependencies = [
"autocfg",
"bitflags 1.3.2",
"cfg-if",
"libc",
]
[[package]] [[package]]
name = "nix" name = "nix"
version = "0.30.1" version = "0.30.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6" checksum = "74523f3a35e05aba87a1d978330aef40f67b0304ac79c1c00b294c9830543db6"
dependencies = [ dependencies = [
"bitflags", "bitflags 2.11.0",
"cfg-if", "cfg-if",
"cfg_aliases", "cfg_aliases",
"libc", "libc",
@@ -910,7 +1001,7 @@ version = "3.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be" checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
dependencies = [ dependencies = [
"base64", "base64 0.22.1",
"serde_core", "serde_core",
] ]
@@ -1128,7 +1219,7 @@ version = "0.5.18"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d" checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d"
dependencies = [ dependencies = [
"bitflags", "bitflags 2.11.0",
] ]
[[package]] [[package]]
@@ -1296,7 +1387,7 @@ version = "3.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d"
dependencies = [ dependencies = [
"bitflags", "bitflags 2.11.0",
"core-foundation", "core-foundation",
"core-foundation-sys", "core-foundation-sys",
"libc", "libc",
@@ -1433,7 +1524,8 @@ version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"async-trait", "async-trait",
"base64", "base64 0.22.1",
"boringtun",
"bytes", "bytes",
"chacha20poly1305", "chacha20poly1305",
"clap", "clap",
@@ -1733,7 +1825,7 @@ dependencies = [
"ipnet", "ipnet",
"libc", "libc",
"log", "log",
"nix", "nix 0.30.1",
"thiserror 2.0.18", "thiserror 2.0.18",
"tokio", "tokio",
"tokio-util", "tokio-util",
@@ -2197,6 +2289,18 @@ version = "0.51.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5" checksum = "d7249219f66ced02969388cf2bb044a09756a083d0fab1e566056b04d9fbcaa5"
[[package]]
name = "x25519-dalek"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c7e468321c81fb07fa7f4c636c3972b9100f0346e5b6a9f2bd0603a52f7ed277"
dependencies = [
"curve25519-dalek",
"rand_core 0.6.4",
"serde",
"zeroize",
]
[[package]] [[package]]
name = "yasna" name = "yasna"
version = "0.5.2" version = "0.5.2"
@@ -2231,6 +2335,20 @@ name = "zeroize"
version = "1.8.2" version = "1.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
dependencies = [
"zeroize_derive",
]
[[package]]
name = "zeroize_derive"
version = "1.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]] [[package]]
name = "zmij" name = "zmij"

1
rust/Cargo.toml
View File

@@ -34,6 +34,7 @@ rustls-pki-types = "1"
rustls-pemfile = "2" rustls-pemfile = "2"
webpki-roots = "1" webpki-roots = "1"
mimalloc = "0.1" mimalloc = "0.1"
boringtun = "0.7"
[profile.release] [profile.release]
opt-level = 3 opt-level = 3

1
rust/src/lib.rs
View File

@@ -17,3 +17,4 @@ pub mod telemetry;
pub mod ratelimit; pub mod ratelimit;
pub mod qos; pub mod qos;
pub mod mtu; pub mod mtu;
pub mod wireguard;

249
rust/src/management.rs
View File

@@ -7,6 +7,7 @@ use tracing::{info, error, warn};
use crate::client::{ClientConfig, VpnClient}; use crate::client::{ClientConfig, VpnClient};
use crate::crypto; use crate::crypto;
use crate::server::{ServerConfig, VpnServer}; use crate::server::{ServerConfig, VpnServer};
use crate::wireguard::{self, WgClient, WgClientConfig, WgPeerConfig, WgServer, WgServerConfig};
// ============================================================================ // ============================================================================
// IPC protocol types // IPC protocol types
@@ -93,6 +94,8 @@ pub async fn management_loop_stdio(mode: &str) -> Result<()> {
let mut vpn_client = VpnClient::new(); let mut vpn_client = VpnClient::new();
let mut vpn_server = VpnServer::new(); let mut vpn_server = VpnServer::new();
let mut wg_client = WgClient::new();
let mut wg_server = WgServer::new();
send_event_stdout("ready", serde_json::json!({ "mode": mode })); send_event_stdout("ready", serde_json::json!({ "mode": mode }));
@@ -127,8 +130,8 @@ pub async fn management_loop_stdio(mode: &str) -> Result<()> {
}; };
let response = match mode { let response = match mode {
"client" => handle_client_request(&request, &mut vpn_client).await, "client" => handle_client_request(&request, &mut vpn_client, &mut wg_client).await,
"server" => handle_server_request(&request, &mut vpn_server).await, "server" => handle_server_request(&request, &mut vpn_server, &mut wg_server).await,
_ => ManagementResponse::err(request.id.clone(), format!("Unknown mode: {}", mode)), _ => ManagementResponse::err(request.id.clone(), format!("Unknown mode: {}", mode)),
}; };
send_response_stdout(&response); send_response_stdout(&response);
@@ -150,6 +153,8 @@ pub async fn management_loop_socket(socket_path: &str, mode: &str) -> Result<()>
// Shared state behind Mutex for socket mode (multiple connections) // Shared state behind Mutex for socket mode (multiple connections)
let vpn_client = std::sync::Arc::new(Mutex::new(VpnClient::new())); let vpn_client = std::sync::Arc::new(Mutex::new(VpnClient::new()));
let vpn_server = std::sync::Arc::new(Mutex::new(VpnServer::new())); let vpn_server = std::sync::Arc::new(Mutex::new(VpnServer::new()));
let wg_client = std::sync::Arc::new(Mutex::new(WgClient::new()));
let wg_server = std::sync::Arc::new(Mutex::new(WgServer::new()));
loop { loop {
match listener.accept().await { match listener.accept().await {
@@ -157,9 +162,11 @@ pub async fn management_loop_socket(socket_path: &str, mode: &str) -> Result<()>
let mode = mode.to_string(); let mode = mode.to_string();
let client = vpn_client.clone(); let client = vpn_client.clone();
let server = vpn_server.clone(); let server = vpn_server.clone();
let wg_c = wg_client.clone();
let wg_s = wg_server.clone();
tokio::spawn(async move { tokio::spawn(async move {
if let Err(e) = if let Err(e) =
handle_socket_connection(stream, &mode, client, server).await handle_socket_connection(stream, &mode, client, server, wg_c, wg_s).await
{ {
warn!("Socket connection error: {}", e); warn!("Socket connection error: {}", e);
} }
@@ -177,6 +184,8 @@ async fn handle_socket_connection(
mode: &str, mode: &str,
vpn_client: std::sync::Arc<Mutex<VpnClient>>, vpn_client: std::sync::Arc<Mutex<VpnClient>>,
vpn_server: std::sync::Arc<Mutex<VpnServer>>, vpn_server: std::sync::Arc<Mutex<VpnServer>>,
wg_client: std::sync::Arc<Mutex<WgClient>>,
wg_server: std::sync::Arc<Mutex<WgServer>>,
) -> Result<()> { ) -> Result<()> {
let (reader, mut writer) = stream.into_split(); let (reader, mut writer) = stream.into_split();
let buf_reader = BufReader::new(reader); let buf_reader = BufReader::new(reader);
@@ -227,11 +236,13 @@ async fn handle_socket_connection(
let response = match mode { let response = match mode {
"client" => { "client" => {
let mut client = vpn_client.lock().await; let mut client = vpn_client.lock().await;
handle_client_request(&request, &mut client).await let mut wg_c = wg_client.lock().await;
handle_client_request(&request, &mut client, &mut wg_c).await
} }
"server" => { "server" => {
let mut server = vpn_server.lock().await; let mut server = vpn_server.lock().await;
handle_server_request(&request, &mut server).await let mut wg_s = wg_server.lock().await;
handle_server_request(&request, &mut server, &mut wg_s).await
} }
_ => ManagementResponse::err(request.id.clone(), format!("Unknown mode: {}", mode)), _ => ManagementResponse::err(request.id.clone(), format!("Unknown mode: {}", mode)),
}; };
@@ -252,38 +263,79 @@ async fn handle_socket_connection(
async fn handle_client_request( async fn handle_client_request(
request: &ManagementRequest, request: &ManagementRequest,
vpn_client: &mut VpnClient, vpn_client: &mut VpnClient,
wg_client: &mut WgClient,
) -> ManagementResponse { ) -> ManagementResponse {
let id = request.id.clone(); let id = request.id.clone();
match request.method.as_str() { match request.method.as_str() {
"connect" => { "connect" => {
let config: ClientConfig = match serde_json::from_value( // Check if transport is "wireguard"
request.params.get("config").cloned().unwrap_or_default(), let transport = request.params
) { .get("config")
Ok(c) => c, .and_then(|c| c.get("transport"))
Err(e) => { .and_then(|t| t.as_str())
return ManagementResponse::err(id, format!("Invalid config: {}", e)); .unwrap_or("");
}
};
match vpn_client.connect(config).await { if transport == "wireguard" {
Ok(assigned_ip) => { let config: WgClientConfig = match serde_json::from_value(
ManagementResponse::ok(id, serde_json::json!({ "assignedIp": assigned_ip })) request.params.get("config").cloned().unwrap_or_default(),
) {
Ok(c) => c,
Err(e) => {
return ManagementResponse::err(id, format!("Invalid WG config: {}", e));
}
};
match wg_client.connect(config).await {
Ok(assigned_ip) => {
ManagementResponse::ok(id, serde_json::json!({ "assignedIp": assigned_ip }))
}
Err(e) => ManagementResponse::err(id, format!("WG connect failed: {}", e)),
}
} else {
let config: ClientConfig = match serde_json::from_value(
request.params.get("config").cloned().unwrap_or_default(),
) {
Ok(c) => c,
Err(e) => {
return ManagementResponse::err(id, format!("Invalid config: {}", e));
}
};
match vpn_client.connect(config).await {
Ok(assigned_ip) => {
ManagementResponse::ok(id, serde_json::json!({ "assignedIp": assigned_ip }))
}
Err(e) => ManagementResponse::err(id, format!("Connect failed: {}", e)),
}
}
}
"disconnect" => {
if wg_client.is_running() {
match wg_client.disconnect().await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("WG disconnect failed: {}", e)),
}
} else {
match vpn_client.disconnect().await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("Disconnect failed: {}", e)),
} }
Err(e) => ManagementResponse::err(id, format!("Connect failed: {}", e)),
} }
} }
"disconnect" => match vpn_client.disconnect().await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("Disconnect failed: {}", e)),
},
"getStatus" => { "getStatus" => {
let status = vpn_client.get_status().await; if wg_client.is_running() {
ManagementResponse::ok(id, status) ManagementResponse::ok(id, wg_client.get_status().await)
} else {
let status = vpn_client.get_status().await;
ManagementResponse::ok(id, status)
}
} }
"getStatistics" => { "getStatistics" => {
let stats = vpn_client.get_statistics().await; if wg_client.is_running() {
ManagementResponse::ok(id, stats) ManagementResponse::ok(id, wg_client.get_statistics().await)
} else {
let stats = vpn_client.get_statistics().await;
ManagementResponse::ok(id, stats)
}
} }
"getConnectionQuality" => { "getConnectionQuality" => {
match vpn_client.get_connection_quality() { match vpn_client.get_connection_quality() {
@@ -329,45 +381,92 @@ async fn handle_client_request(
async fn handle_server_request( async fn handle_server_request(
request: &ManagementRequest, request: &ManagementRequest,
vpn_server: &mut VpnServer, vpn_server: &mut VpnServer,
wg_server: &mut WgServer,
) -> ManagementResponse { ) -> ManagementResponse {
let id = request.id.clone(); let id = request.id.clone();
match request.method.as_str() { match request.method.as_str() {
"start" => { "start" => {
let config: ServerConfig = match serde_json::from_value( // Check if transportMode is "wireguard"
request.params.get("config").cloned().unwrap_or_default(), let transport_mode = request.params
) { .get("config")
Ok(c) => c, .and_then(|c| c.get("transportMode"))
Err(e) => { .and_then(|t| t.as_str())
return ManagementResponse::err(id, format!("Invalid config: {}", e)); .unwrap_or("");
}
};
match vpn_server.start(config).await { if transport_mode == "wireguard" {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})), let config: WgServerConfig = match serde_json::from_value(
Err(e) => ManagementResponse::err(id, format!("Start failed: {}", e)), request.params.get("config").cloned().unwrap_or_default(),
) {
Ok(c) => c,
Err(e) => {
return ManagementResponse::err(id, format!("Invalid WG config: {}", e));
}
};
match wg_server.start(config).await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("WG start failed: {}", e)),
}
} else {
let config: ServerConfig = match serde_json::from_value(
request.params.get("config").cloned().unwrap_or_default(),
) {
Ok(c) => c,
Err(e) => {
return ManagementResponse::err(id, format!("Invalid config: {}", e));
}
};
match vpn_server.start(config).await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("Start failed: {}", e)),
}
}
}
"stop" => {
if wg_server.is_running() {
match wg_server.stop().await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("WG stop failed: {}", e)),
}
} else {
match vpn_server.stop().await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("Stop failed: {}", e)),
}
} }
} }
"stop" => match vpn_server.stop().await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("Stop failed: {}", e)),
},
"getStatus" => { "getStatus" => {
let status = vpn_server.get_status(); if wg_server.is_running() {
ManagementResponse::ok(id, status) ManagementResponse::ok(id, wg_server.get_status())
} else {
let status = vpn_server.get_status();
ManagementResponse::ok(id, status)
}
} }
"getStatistics" => { "getStatistics" => {
let stats = vpn_server.get_statistics().await; if wg_server.is_running() {
match serde_json::to_value(&stats) { ManagementResponse::ok(id, wg_server.get_statistics().await)
Ok(v) => ManagementResponse::ok(id, v), } else {
Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)), let stats = vpn_server.get_statistics().await;
match serde_json::to_value(&stats) {
Ok(v) => ManagementResponse::ok(id, v),
Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)),
}
} }
} }
"listClients" => { "listClients" => {
let clients = vpn_server.list_clients().await; if wg_server.is_running() {
match serde_json::to_value(&clients) { let peers = wg_server.list_peers().await;
Ok(v) => ManagementResponse::ok(id, serde_json::json!({ "clients": v })), match serde_json::to_value(&peers) {
Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)), Ok(v) => ManagementResponse::ok(id, serde_json::json!({ "clients": v })),
Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)),
}
} else {
let clients = vpn_server.list_clients().await;
match serde_json::to_value(&clients) {
Ok(v) => ManagementResponse::ok(id, serde_json::json!({ "clients": v })),
Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)),
}
} }
} }
"disconnectClient" => { "disconnectClient" => {
@@ -436,6 +535,56 @@ async fn handle_server_request(
), ),
Err(e) => ManagementResponse::err(id, format!("Keypair generation failed: {}", e)), Err(e) => ManagementResponse::err(id, format!("Keypair generation failed: {}", e)),
}, },
"generateWgKeypair" => {
let (public_key, private_key) = wireguard::generate_wg_keypair();
ManagementResponse::ok(
id,
serde_json::json!({
"publicKey": public_key,
"privateKey": private_key,
}),
)
}
"addWgPeer" => {
if !wg_server.is_running() {
return ManagementResponse::err(id, "WireGuard server not running".to_string());
}
let config: WgPeerConfig = match serde_json::from_value(
request.params.get("peer").cloned().unwrap_or_default(),
) {
Ok(c) => c,
Err(e) => {
return ManagementResponse::err(id, format!("Invalid peer config: {}", e));
}
};
match wg_server.add_peer(config).await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("Add peer failed: {}", e)),
}
}
"removeWgPeer" => {
if !wg_server.is_running() {
return ManagementResponse::err(id, "WireGuard server not running".to_string());
}
let public_key = match request.params.get("publicKey").and_then(|v| v.as_str()) {
Some(k) => k.to_string(),
None => return ManagementResponse::err(id, "Missing publicKey".to_string()),
};
match wg_server.remove_peer(&public_key).await {
Ok(()) => ManagementResponse::ok(id, serde_json::json!({})),
Err(e) => ManagementResponse::err(id, format!("Remove peer failed: {}", e)),
}
}
"listWgPeers" => {
if !wg_server.is_running() {
return ManagementResponse::err(id, "WireGuard server not running".to_string());
}
let peers = wg_server.list_peers().await;
match serde_json::to_value(&peers) {
Ok(v) => ManagementResponse::ok(id, serde_json::json!({ "peers": v })),
Err(e) => ManagementResponse::err(id, format!("Serialize error: {}", e)),
}
}
_ => ManagementResponse::err(id, format!("Unknown server method: {}", request.method)), _ => ManagementResponse::err(id, format!("Unknown server method: {}", request.method)),
} }
} }

1329
rust/src/wireguard.rs Normal file
View File

File diff suppressed because it is too large Load Diff

320
rust/tests/wg_e2e.rs Normal file
View File

@@ -0,0 +1,320 @@
//! End-to-end WireGuard protocol tests over real UDP sockets.
//!
//! Entirely userspace — no root, no TUN devices.
//! Two boringtun `Tunn` instances exchange real WireGuard packets
//! over loopback UDP, validating handshake, encryption, and data flow.
use std::net::{Ipv4Addr, SocketAddr};
use std::time::Duration;
use boringtun::noise::{Tunn, TunnResult};
use boringtun::x25519::{PublicKey, StaticSecret};
use tokio::net::UdpSocket;
use tokio::time;
use base64::engine::general_purpose::STANDARD as BASE64;
use base64::Engine;
use smartvpn_daemon::wireguard::generate_wg_keypair;
// ============================================================================
// Helpers
// ============================================================================
fn parse_key_pair(pub_b64: &str, priv_b64: &str) -> (PublicKey, StaticSecret) {
let pub_bytes: [u8; 32] = BASE64.decode(pub_b64).unwrap().try_into().unwrap();
let priv_bytes: [u8; 32] = BASE64.decode(priv_b64).unwrap().try_into().unwrap();
(PublicKey::from(pub_bytes), StaticSecret::from(priv_bytes))
}
fn clone_secret(priv_b64: &str) -> StaticSecret {
let priv_bytes: [u8; 32] = BASE64.decode(priv_b64).unwrap().try_into().unwrap();
StaticSecret::from(priv_bytes)
}
fn make_ipv4_packet(src: Ipv4Addr, dst: Ipv4Addr, payload: &[u8]) -> Vec<u8> {
let total_len = 20 + payload.len();
let mut pkt = vec![0u8; total_len];
pkt[0] = 0x45;
pkt[2] = (total_len >> 8) as u8;
pkt[3] = total_len as u8;
pkt[9] = 0x11;
pkt[12..16].copy_from_slice(&src.octets());
pkt[16..20].copy_from_slice(&dst.octets());
pkt[20..].copy_from_slice(payload);
pkt
}
/// Send any WriteToNetwork result, then drain the tunn for more packets.
async fn send_and_drain(
tunn: &mut Tunn,
pkt: &[u8],
socket: &UdpSocket,
peer: SocketAddr,
) {
socket.send_to(pkt, peer).await.unwrap();
let mut drain_buf = vec![0u8; 2048];
loop {
match tunn.decapsulate(None, &[], &mut drain_buf) {
TunnResult::WriteToNetwork(p) => { socket.send_to(p, peer).await.unwrap(); }
_ => break,
}
}
}
/// Try to receive a UDP packet and decapsulate it. Returns decrypted IP data if any.
async fn try_recv_decap(
tunn: &mut Tunn,
socket: &UdpSocket,
timeout_ms: u64,
) -> Option<(Vec<u8>, Ipv4Addr, SocketAddr)> {
let mut recv_buf = vec![0u8; 65536];
let mut dst_buf = vec![0u8; 65536];
let (n, src_addr) = match time::timeout(
Duration::from_millis(timeout_ms),
socket.recv_from(&mut recv_buf),
).await {
Ok(Ok(r)) => r,
_ => return None,
};
let result = tunn.decapsulate(Some(src_addr.ip()), &recv_buf[..n], &mut dst_buf);
match result {
TunnResult::WriteToNetwork(pkt) => {
send_and_drain(tunn, pkt, socket, src_addr).await;
None
}
TunnResult::WriteToTunnelV4(pkt, addr) => Some((pkt.to_vec(), addr, src_addr)),
TunnResult::WriteToTunnelV6(_, _) => None,
TunnResult::Done => None,
TunnResult::Err(_) => None,
}
}
/// Drive the full WireGuard handshake between client and server over real UDP.
async fn do_handshake(
client_tunn: &mut Tunn,
server_tunn: &mut Tunn,
client_socket: &UdpSocket,
server_socket: &UdpSocket,
server_addr: SocketAddr,
) {
let mut buf = vec![0u8; 2048];
let mut recv_buf = vec![0u8; 65536];
let mut dst_buf = vec![0u8; 65536];
// Step 1: Client initiates handshake
match client_tunn.encapsulate(&[], &mut buf) {
TunnResult::WriteToNetwork(pkt) => {
client_socket.send_to(pkt, server_addr).await.unwrap();
}
_ => panic!("Expected handshake init"),
}
// Step 2: Server receives init → sends response
let (n, client_from) = server_socket.recv_from(&mut recv_buf).await.unwrap();
match server_tunn.decapsulate(Some(client_from.ip()), &recv_buf[..n], &mut dst_buf) {
TunnResult::WriteToNetwork(pkt) => {
send_and_drain(server_tunn, pkt, server_socket, client_from).await;
}
other => panic!("Expected WriteToNetwork from server, got variant {}", variant_name(&other)),
}
// Step 3: Client receives response
let (n, _) = client_socket.recv_from(&mut recv_buf).await.unwrap();
match client_tunn.decapsulate(Some(server_addr.ip()), &recv_buf[..n], &mut dst_buf) {
TunnResult::WriteToNetwork(pkt) => {
send_and_drain(client_tunn, pkt, client_socket, server_addr).await;
}
TunnResult::Done => {}
_ => {}
}
// Step 4: Process any remaining handshake packets
let _ = try_recv_decap(server_tunn, server_socket, 200).await;
let _ = try_recv_decap(client_tunn, client_socket, 100).await;
// Step 5: Timer ticks to settle
for _ in 0..3 {
match server_tunn.update_timers(&mut dst_buf) {
TunnResult::WriteToNetwork(pkt) => {
server_socket.send_to(pkt, client_from).await.unwrap();
}
_ => {}
}
match client_tunn.update_timers(&mut dst_buf) {
TunnResult::WriteToNetwork(pkt) => {
client_socket.send_to(pkt, server_addr).await.unwrap();
}
_ => {}
}
let _ = try_recv_decap(server_tunn, server_socket, 50).await;
let _ = try_recv_decap(client_tunn, client_socket, 50).await;
}
}
fn variant_name(r: &TunnResult) -> &'static str {
match r {
TunnResult::Done => "Done",
TunnResult::Err(_) => "Err",
TunnResult::WriteToNetwork(_) => "WriteToNetwork",
TunnResult::WriteToTunnelV4(_, _) => "WriteToTunnelV4",
TunnResult::WriteToTunnelV6(_, _) => "WriteToTunnelV6",
}
}
/// Encapsulate an IP packet and send it, then loop-receive on the other side until decrypted.
async fn send_and_expect_data(
sender_tunn: &mut Tunn,
receiver_tunn: &mut Tunn,
sender_socket: &UdpSocket,
receiver_socket: &UdpSocket,
dest_addr: SocketAddr,
ip_packet: &[u8],
) -> (Vec<u8>, Ipv4Addr) {
let mut enc_buf = vec![0u8; 65536];
match sender_tunn.encapsulate(ip_packet, &mut enc_buf) {
TunnResult::WriteToNetwork(pkt) => {
sender_socket.send_to(pkt, dest_addr).await.unwrap();
}
TunnResult::Err(e) => panic!("Encapsulate failed: {:?}", e),
other => panic!("Expected WriteToNetwork, got {}", variant_name(&other)),
}
// Receive — may need a few rounds for control packets
for _ in 0..10 {
if let Some((data, addr, _)) = try_recv_decap(receiver_tunn, receiver_socket, 1000).await {
return (data, addr);
}
}
panic!("Did not receive decrypted IP packet");
}
// ============================================================================
// Test 1: Single client ↔ server bidirectional data exchange
// ============================================================================
#[tokio::test]
async fn wg_e2e_single_client_bidirectional() {
let (server_pub_b64, server_priv_b64) = generate_wg_keypair();
let (client_pub_b64, client_priv_b64) = generate_wg_keypair();
let (server_public, server_secret) = parse_key_pair(&server_pub_b64, &server_priv_b64);
let (client_public, client_secret) = parse_key_pair(&client_pub_b64, &client_priv_b64);
let server_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let client_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let server_addr = server_socket.local_addr().unwrap();
let client_addr = client_socket.local_addr().unwrap();
let mut server_tunn = Tunn::new(server_secret, client_public, None, None, 0, None);
let mut client_tunn = Tunn::new(client_secret, server_public, None, None, 1, None);
do_handshake(&mut client_tunn, &mut server_tunn, &client_socket, &server_socket, server_addr).await;
// Client → Server
let pkt_c2s = make_ipv4_packet(Ipv4Addr::new(10, 0, 0, 2), Ipv4Addr::new(10, 0, 0, 1), b"Hello from client!");
let (decrypted, src_ip) = send_and_expect_data(
&mut client_tunn, &mut server_tunn,
&client_socket, &server_socket,
server_addr, &pkt_c2s,
).await;
assert_eq!(src_ip, Ipv4Addr::new(10, 0, 0, 2));
assert_eq!(&decrypted[..pkt_c2s.len()], &pkt_c2s[..]);
// Server → Client
let pkt_s2c = make_ipv4_packet(Ipv4Addr::new(10, 0, 0, 1), Ipv4Addr::new(10, 0, 0, 2), b"Hello from server!");
let (decrypted, src_ip) = send_and_expect_data(
&mut server_tunn, &mut client_tunn,
&server_socket, &client_socket,
client_addr, &pkt_s2c,
).await;
assert_eq!(src_ip, Ipv4Addr::new(10, 0, 0, 1));
assert_eq!(&decrypted[..pkt_s2c.len()], &pkt_s2c[..]);
}
// ============================================================================
// Test 2: Two clients ↔ one server (peer routing)
// ============================================================================
#[tokio::test]
async fn wg_e2e_two_clients_peer_routing() {
let (server_pub_b64, server_priv_b64) = generate_wg_keypair();
let (client1_pub_b64, client1_priv_b64) = generate_wg_keypair();
let (client2_pub_b64, client2_priv_b64) = generate_wg_keypair();
let (server_public, _) = parse_key_pair(&server_pub_b64, &server_priv_b64);
let (client1_public, client1_secret) = parse_key_pair(&client1_pub_b64, &client1_priv_b64);
let (client2_public, client2_secret) = parse_key_pair(&client2_pub_b64, &client2_priv_b64);
// Separate server socket per peer to avoid UDP mux complexity in test
let server_socket_1 = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let server_socket_2 = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let client1_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let client2_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let server_addr_1 = server_socket_1.local_addr().unwrap();
let server_addr_2 = server_socket_2.local_addr().unwrap();
let mut server_tunn_1 = Tunn::new(clone_secret(&server_priv_b64), client1_public, None, None, 0, None);
let mut server_tunn_2 = Tunn::new(clone_secret(&server_priv_b64), client2_public, None, None, 1, None);
let mut client1_tunn = Tunn::new(client1_secret, server_public.clone(), None, None, 2, None);
let mut client2_tunn = Tunn::new(client2_secret, server_public, None, None, 3, None);
do_handshake(&mut client1_tunn, &mut server_tunn_1, &client1_socket, &server_socket_1, server_addr_1).await;
do_handshake(&mut client2_tunn, &mut server_tunn_2, &client2_socket, &server_socket_2, server_addr_2).await;
// Client 1 → Server
let pkt1 = make_ipv4_packet(Ipv4Addr::new(10, 0, 0, 2), Ipv4Addr::new(10, 0, 0, 1), b"From client 1");
let (decrypted, src_ip) = send_and_expect_data(
&mut client1_tunn, &mut server_tunn_1,
&client1_socket, &server_socket_1,
server_addr_1, &pkt1,
).await;
assert_eq!(src_ip, Ipv4Addr::new(10, 0, 0, 2));
assert_eq!(&decrypted[..pkt1.len()], &pkt1[..]);
// Client 2 → Server
let pkt2 = make_ipv4_packet(Ipv4Addr::new(10, 0, 0, 3), Ipv4Addr::new(10, 0, 0, 1), b"From client 2");
let (decrypted, src_ip) = send_and_expect_data(
&mut client2_tunn, &mut server_tunn_2,
&client2_socket, &server_socket_2,
server_addr_2, &pkt2,
).await;
assert_eq!(src_ip, Ipv4Addr::new(10, 0, 0, 3));
assert_eq!(&decrypted[..pkt2.len()], &pkt2[..]);
}
// ============================================================================
// Test 3: Preshared key handshake + data exchange
// ============================================================================
#[tokio::test]
async fn wg_e2e_preshared_key() {
let (server_pub_b64, server_priv_b64) = generate_wg_keypair();
let (client_pub_b64, client_priv_b64) = generate_wg_keypair();
let (server_public, server_secret) = parse_key_pair(&server_pub_b64, &server_priv_b64);
let (client_public, client_secret) = parse_key_pair(&client_pub_b64, &client_priv_b64);
let psk: [u8; 32] = rand::random();
let server_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let client_socket = UdpSocket::bind("127.0.0.1:0").await.unwrap();
let server_addr = server_socket.local_addr().unwrap();
let mut server_tunn = Tunn::new(server_secret, client_public, Some(psk), None, 0, None);
let mut client_tunn = Tunn::new(client_secret, server_public, Some(psk), None, 1, None);
do_handshake(&mut client_tunn, &mut server_tunn, &client_socket, &server_socket, server_addr).await;
let pkt = make_ipv4_packet(Ipv4Addr::new(10, 0, 0, 2), Ipv4Addr::new(10, 0, 0, 1), b"PSK-protected data");
let (decrypted, src_ip) = send_and_expect_data(
&mut client_tunn, &mut server_tunn,
&client_socket, &server_socket,
server_addr, &pkt,
).await;
assert_eq!(src_ip, Ipv4Addr::new(10, 0, 0, 2));
assert_eq!(&decrypted[..pkt.len()], &pkt[..]);
}

353
test/test.wireguard.node.ts Normal file
View File

@@ -0,0 +1,353 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import {
VpnConfig,
VpnServer,
WgConfigGenerator,
} from '../ts/index.js';
import type {
IVpnClientConfig,
IVpnServerConfig,
IVpnServerOptions,
IWgPeerConfig,
} from '../ts/index.js';
// ============================================================================
// WireGuard config validation — client
// ============================================================================
// A valid 32-byte key in base64 (44 chars)
const VALID_KEY = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';
const VALID_KEY_2 = 'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=';
tap.test('WG client config: valid wireguard config passes validation', async () => {
const config: IVpnClientConfig = {
serverUrl: '', // not needed for WG
serverPublicKey: VALID_KEY,
transport: 'wireguard',
wgPrivateKey: VALID_KEY_2,
wgAddress: '10.8.0.2',
wgEndpoint: 'vpn.example.com:51820',
wgAllowedIps: ['0.0.0.0/0'],
};
VpnConfig.validateClientConfig(config);
});
tap.test('WG client config: rejects missing wgPrivateKey', async () => {
const config: IVpnClientConfig = {
serverUrl: '',
serverPublicKey: VALID_KEY,
transport: 'wireguard',
wgAddress: '10.8.0.2',
wgEndpoint: 'vpn.example.com:51820',
};
let threw = false;
try {
VpnConfig.validateClientConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('wgPrivateKey');
}
expect(threw).toBeTrue();
});
tap.test('WG client config: rejects missing wgAddress', async () => {
const config: IVpnClientConfig = {
serverUrl: '',
serverPublicKey: VALID_KEY,
transport: 'wireguard',
wgPrivateKey: VALID_KEY_2,
wgEndpoint: 'vpn.example.com:51820',
};
let threw = false;
try {
VpnConfig.validateClientConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('wgAddress');
}
expect(threw).toBeTrue();
});
tap.test('WG client config: rejects missing wgEndpoint', async () => {
const config: IVpnClientConfig = {
serverUrl: '',
serverPublicKey: VALID_KEY,
transport: 'wireguard',
wgPrivateKey: VALID_KEY_2,
wgAddress: '10.8.0.2',
};
let threw = false;
try {
VpnConfig.validateClientConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('wgEndpoint');
}
expect(threw).toBeTrue();
});
tap.test('WG client config: rejects invalid key length', async () => {
const config: IVpnClientConfig = {
serverUrl: '',
serverPublicKey: VALID_KEY,
transport: 'wireguard',
wgPrivateKey: 'tooshort',
wgAddress: '10.8.0.2',
wgEndpoint: 'vpn.example.com:51820',
};
let threw = false;
try {
VpnConfig.validateClientConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('44 characters');
}
expect(threw).toBeTrue();
});
tap.test('WG client config: rejects invalid CIDR in allowedIps', async () => {
const config: IVpnClientConfig = {
serverUrl: '',
serverPublicKey: VALID_KEY,
transport: 'wireguard',
wgPrivateKey: VALID_KEY_2,
wgAddress: '10.8.0.2',
wgEndpoint: 'vpn.example.com:51820',
wgAllowedIps: ['not-a-cidr'],
};
let threw = false;
try {
VpnConfig.validateClientConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('CIDR');
}
expect(threw).toBeTrue();
});
// ============================================================================
// WireGuard config validation — server
// ============================================================================
tap.test('WG server config: valid config passes validation', async () => {
const config: IVpnServerConfig = {
listenAddr: '',
privateKey: VALID_KEY,
publicKey: VALID_KEY_2,
subnet: '10.8.0.0/24',
transportMode: 'wireguard',
wgPeers: [
{
publicKey: VALID_KEY_2,
allowedIps: ['10.8.0.2/32'],
},
],
};
VpnConfig.validateServerConfig(config);
});
tap.test('WG server config: rejects empty wgPeers', async () => {
const config: IVpnServerConfig = {
listenAddr: '',
privateKey: VALID_KEY,
publicKey: VALID_KEY_2,
subnet: '10.8.0.0/24',
transportMode: 'wireguard',
wgPeers: [],
};
let threw = false;
try {
VpnConfig.validateServerConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('wgPeers');
}
expect(threw).toBeTrue();
});
tap.test('WG server config: rejects peer without publicKey', async () => {
const config: IVpnServerConfig = {
listenAddr: '',
privateKey: VALID_KEY,
publicKey: VALID_KEY_2,
subnet: '10.8.0.0/24',
transportMode: 'wireguard',
wgPeers: [
{
publicKey: '',
allowedIps: ['10.8.0.2/32'],
},
],
};
let threw = false;
try {
VpnConfig.validateServerConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('publicKey');
}
expect(threw).toBeTrue();
});
tap.test('WG server config: rejects invalid wgListenPort', async () => {
const config: IVpnServerConfig = {
listenAddr: '',
privateKey: VALID_KEY,
publicKey: VALID_KEY_2,
subnet: '10.8.0.0/24',
transportMode: 'wireguard',
wgListenPort: 0,
wgPeers: [
{
publicKey: VALID_KEY_2,
allowedIps: ['10.8.0.2/32'],
},
],
};
let threw = false;
try {
VpnConfig.validateServerConfig(config);
} catch (e) {
threw = true;
expect((e as Error).message).toContain('wgListenPort');
}
expect(threw).toBeTrue();
});
// ============================================================================
// WireGuard keypair generation via daemon
// ============================================================================
let server: VpnServer;
tap.test('WG: spawn server daemon for keypair generation', async () => {
const options: IVpnServerOptions = {
transport: { transport: 'stdio' },
};
server = new VpnServer(options);
const started = await server['bridge'].start();
expect(started).toBeTrue();
expect(server.running).toBeTrue();
});
tap.test('WG: generateWgKeypair returns valid keypair', async () => {
const keypair = await server.generateWgKeypair();
expect(keypair.publicKey).toBeTypeofString();
expect(keypair.privateKey).toBeTypeofString();
// WireGuard keys: base64 of 32 bytes = 44 characters
expect(keypair.publicKey.length).toEqual(44);
expect(keypair.privateKey.length).toEqual(44);
// Verify they decode to 32 bytes
const pubBuf = Buffer.from(keypair.publicKey, 'base64');
const privBuf = Buffer.from(keypair.privateKey, 'base64');
expect(pubBuf.length).toEqual(32);
expect(privBuf.length).toEqual(32);
});
tap.test('WG: generateWgKeypair returns unique keys each time', async () => {
const kp1 = await server.generateWgKeypair();
const kp2 = await server.generateWgKeypair();
expect(kp1.publicKey).not.toEqual(kp2.publicKey);
expect(kp1.privateKey).not.toEqual(kp2.privateKey);
});
tap.test('WG: stop server daemon', async () => {
server.stop();
await new Promise((resolve) => setTimeout(resolve, 500));
expect(server.running).toBeFalse();
});
// ============================================================================
// WireGuard config file generation
// ============================================================================
tap.test('WgConfigGenerator: generate client config', async () => {
const conf = WgConfigGenerator.generateClientConfig({
privateKey: 'clientPrivateKeyBase64====================',
address: '10.8.0.2/24',
dns: ['1.1.1.1', '8.8.8.8'],
mtu: 1420,
peer: {
publicKey: 'serverPublicKeyBase64====================',
endpoint: 'vpn.example.com:51820',
allowedIps: ['0.0.0.0/0', '::/0'],
persistentKeepalive: 25,
},
});
expect(conf).toContain('[Interface]');
expect(conf).toContain('PrivateKey = clientPrivateKeyBase64====================');
expect(conf).toContain('Address = 10.8.0.2/24');
expect(conf).toContain('DNS = 1.1.1.1, 8.8.8.8');
expect(conf).toContain('MTU = 1420');
expect(conf).toContain('[Peer]');
expect(conf).toContain('PublicKey = serverPublicKeyBase64====================');
expect(conf).toContain('Endpoint = vpn.example.com:51820');
expect(conf).toContain('AllowedIPs = 0.0.0.0/0, ::/0');
expect(conf).toContain('PersistentKeepalive = 25');
});
tap.test('WgConfigGenerator: generate client config without optional fields', async () => {
const conf = WgConfigGenerator.generateClientConfig({
privateKey: 'key1',
address: '10.0.0.2/32',
peer: {
publicKey: 'key2',
endpoint: 'server:51820',
allowedIps: ['10.0.0.0/24'],
},
});
expect(conf).toContain('[Interface]');
expect(conf).not.toContain('DNS');
expect(conf).not.toContain('MTU');
expect(conf).not.toContain('PresharedKey');
expect(conf).not.toContain('PersistentKeepalive');
});
tap.test('WgConfigGenerator: generate server config with NAT', async () => {
const conf = WgConfigGenerator.generateServerConfig({
privateKey: 'serverPrivKey',
address: '10.8.0.1/24',
listenPort: 51820,
dns: ['1.1.1.1'],
enableNat: true,
natInterface: 'ens3',
peers: [
{
publicKey: 'peer1PubKey',
allowedIps: ['10.8.0.2/32'],
presharedKey: 'psk1',
persistentKeepalive: 25,
},
{
publicKey: 'peer2PubKey',
allowedIps: ['10.8.0.3/32'],
},
],
});
expect(conf).toContain('[Interface]');
expect(conf).toContain('ListenPort = 51820');
expect(conf).toContain('PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE');
expect(conf).toContain('PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE');
// Two [Peer] sections
const peerCount = (conf.match(/\[Peer\]/g) || []).length;
expect(peerCount).toEqual(2);
expect(conf).toContain('PresharedKey = psk1');
});
tap.test('WgConfigGenerator: generate server config without NAT', async () => {
const conf = WgConfigGenerator.generateServerConfig({
privateKey: 'serverPrivKey',
address: '10.8.0.1/24',
listenPort: 51820,
peers: [
{
publicKey: 'peerKey',
allowedIps: ['10.8.0.2/32'],
},
],
});
expect(conf).not.toContain('PostUp');
expect(conf).not.toContain('PostDown');
});
export default tap.start();

2
ts/00_commitinfo_data.ts
View File

@@ -3,6 +3,6 @@
*/ */
export const commitinfo = { export const commitinfo = {
name: '@push.rocks/smartvpn', name: '@push.rocks/smartvpn',
version: '1.4.1', version: '1.7.0',
description: 'A VPN solution with TypeScript control plane and Rust data plane daemon' description: 'A VPN solution with TypeScript control plane and Rust data plane daemon'
} }

1
ts/index.ts
View File

@@ -4,3 +4,4 @@ export { VpnClient } from './smartvpn.classes.vpnclient.js';
export { VpnServer } from './smartvpn.classes.vpnserver.js'; export { VpnServer } from './smartvpn.classes.vpnserver.js';
export { VpnConfig } from './smartvpn.classes.vpnconfig.js'; export { VpnConfig } from './smartvpn.classes.vpnconfig.js';
export { VpnInstaller } from './smartvpn.classes.vpninstaller.js'; export { VpnInstaller } from './smartvpn.classes.vpninstaller.js';
export { WgConfigGenerator } from './smartvpn.classes.wgconfig.js';

144
ts/smartvpn.classes.vpnconfig.ts
View File

@@ -12,17 +12,45 @@ export class VpnConfig {
* Validate a client config object. Throws on invalid config. * Validate a client config object. Throws on invalid config.
*/ */
public static validateClientConfig(config: IVpnClientConfig): void { public static validateClientConfig(config: IVpnClientConfig): void {
if (!config.serverUrl) { if (config.transport === 'wireguard') {
throw new Error('VpnConfig: serverUrl is required'); // WireGuard-specific validation
} if (!config.wgPrivateKey) {
// For QUIC-only transport, serverUrl is a host:port address; for WebSocket/auto it must be ws:// or wss:// throw new Error('VpnConfig: wgPrivateKey is required for WireGuard transport');
if (config.transport !== 'quic') { }
if (!config.serverUrl.startsWith('wss://') && !config.serverUrl.startsWith('ws://')) { VpnConfig.validateBase64Key(config.wgPrivateKey, 'wgPrivateKey');
throw new Error('VpnConfig: serverUrl must start with wss:// or ws:// (for WebSocket transport)'); if (!config.wgAddress) {
throw new Error('VpnConfig: wgAddress is required for WireGuard transport');
}
if (!config.serverPublicKey) {
throw new Error('VpnConfig: serverPublicKey is required for WireGuard transport');
}
VpnConfig.validateBase64Key(config.serverPublicKey, 'serverPublicKey');
if (!config.wgEndpoint) {
throw new Error('VpnConfig: wgEndpoint is required for WireGuard transport');
}
if (config.wgPresharedKey) {
VpnConfig.validateBase64Key(config.wgPresharedKey, 'wgPresharedKey');
}
if (config.wgAllowedIps) {
for (const cidr of config.wgAllowedIps) {
if (!VpnConfig.isValidCidr(cidr)) {
throw new Error(`VpnConfig: invalid allowedIp CIDR: ${cidr}`);
}
}
}
} else {
if (!config.serverUrl) {
throw new Error('VpnConfig: serverUrl is required');
}
// For QUIC-only transport, serverUrl is a host:port address; for WebSocket/auto it must be ws:// or wss://
if (config.transport !== 'quic') {
if (!config.serverUrl.startsWith('wss://') && !config.serverUrl.startsWith('ws://')) {
throw new Error('VpnConfig: serverUrl must start with wss:// or ws:// (for WebSocket transport)');
}
}
if (!config.serverPublicKey) {
throw new Error('VpnConfig: serverPublicKey is required');
} }
}
if (!config.serverPublicKey) {
throw new Error('VpnConfig: serverPublicKey is required');
} }
if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) { if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) {
throw new Error('VpnConfig: mtu must be between 576 and 65535'); throw new Error('VpnConfig: mtu must be between 576 and 65535');
@@ -43,20 +71,51 @@ export class VpnConfig {
* Validate a server config object. Throws on invalid config. * Validate a server config object. Throws on invalid config.
*/ */
public static validateServerConfig(config: IVpnServerConfig): void { public static validateServerConfig(config: IVpnServerConfig): void {
if (!config.listenAddr) { if (config.transportMode === 'wireguard') {
throw new Error('VpnConfig: listenAddr is required'); // WireGuard server validation
} if (!config.privateKey) {
if (!config.privateKey) { throw new Error('VpnConfig: privateKey is required');
throw new Error('VpnConfig: privateKey is required'); }
} VpnConfig.validateBase64Key(config.privateKey, 'privateKey');
if (!config.publicKey) { if (!config.wgPeers || config.wgPeers.length === 0) {
throw new Error('VpnConfig: publicKey is required'); throw new Error('VpnConfig: at least one wgPeers entry is required for WireGuard mode');
} }
if (!config.subnet) { for (const peer of config.wgPeers) {
throw new Error('VpnConfig: subnet is required'); if (!peer.publicKey) {
} throw new Error('VpnConfig: peer publicKey is required');
if (!VpnConfig.isValidSubnet(config.subnet)) { }
throw new Error(`VpnConfig: invalid subnet: ${config.subnet}`); VpnConfig.validateBase64Key(peer.publicKey, 'peer.publicKey');
if (!peer.allowedIps || peer.allowedIps.length === 0) {
throw new Error('VpnConfig: peer allowedIps is required');
}
for (const cidr of peer.allowedIps) {
if (!VpnConfig.isValidCidr(cidr)) {
throw new Error(`VpnConfig: invalid peer allowedIp CIDR: ${cidr}`);
}
}
if (peer.presharedKey) {
VpnConfig.validateBase64Key(peer.presharedKey, 'peer.presharedKey');
}
}
if (config.wgListenPort !== undefined && (config.wgListenPort < 1 || config.wgListenPort > 65535)) {
throw new Error('VpnConfig: wgListenPort must be between 1 and 65535');
}
} else {
if (!config.listenAddr) {
throw new Error('VpnConfig: listenAddr is required');
}
if (!config.privateKey) {
throw new Error('VpnConfig: privateKey is required');
}
if (!config.publicKey) {
throw new Error('VpnConfig: publicKey is required');
}
if (!config.subnet) {
throw new Error('VpnConfig: subnet is required');
}
if (!VpnConfig.isValidSubnet(config.subnet)) {
throw new Error(`VpnConfig: invalid subnet: ${config.subnet}`);
}
} }
if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) { if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) {
throw new Error('VpnConfig: mtu must be between 576 and 65535'); throw new Error('VpnConfig: mtu must be between 576 and 65535');
@@ -104,4 +163,41 @@ export class VpnConfig {
const prefixNum = parseInt(prefix, 10); const prefixNum = parseInt(prefix, 10);
return !isNaN(prefixNum) && prefixNum >= 0 && prefixNum <= 32; return !isNaN(prefixNum) && prefixNum >= 0 && prefixNum <= 32;
} }
/**
* Validate a CIDR string (IPv4 or IPv6).
*/
private static isValidCidr(cidr: string): boolean {
const parts = cidr.split('/');
if (parts.length !== 2) return false;
const prefixNum = parseInt(parts[1], 10);
if (isNaN(prefixNum) || prefixNum < 0) return false;
// IPv4
if (VpnConfig.isValidIp(parts[0])) {
return prefixNum <= 32;
}
// IPv6 (basic check)
if (parts[0].includes(':')) {
return prefixNum <= 128;
}
return false;
}
/**
* Validate a base64-encoded 32-byte key (WireGuard X25519 format).
*/
private static validateBase64Key(key: string, fieldName: string): void {
if (key.length !== 44) {
throw new Error(`VpnConfig: ${fieldName} must be 44 characters (base64 of 32 bytes), got ${key.length}`);
}
try {
const buf = Buffer.from(key, 'base64');
if (buf.length !== 32) {
throw new Error(`VpnConfig: ${fieldName} must decode to 32 bytes, got ${buf.length}`);
}
} catch (e) {
if (e instanceof Error && e.message.startsWith('VpnConfig:')) throw e;
throw new Error(`VpnConfig: ${fieldName} is not valid base64`);
}
}
} }

31
ts/smartvpn.classes.vpnserver.ts
View File

@@ -8,6 +8,8 @@ import type {
IVpnClientInfo, IVpnClientInfo,
IVpnKeypair, IVpnKeypair,
IVpnClientTelemetry, IVpnClientTelemetry,
IWgPeerConfig,
IWgPeerInfo,
TVpnServerCommands, TVpnServerCommands,
} from './smartvpn.interfaces.js'; } from './smartvpn.interfaces.js';
@@ -121,6 +123,35 @@ export class VpnServer extends plugins.events.EventEmitter {
return this.bridge.sendCommand('getClientTelemetry', { clientId }); return this.bridge.sendCommand('getClientTelemetry', { clientId });
} }
/**
* Generate a WireGuard-compatible X25519 keypair.
*/
public async generateWgKeypair(): Promise<IVpnKeypair> {
return this.bridge.sendCommand('generateWgKeypair', {} as Record<string, never>);
}
/**
* Add a WireGuard peer (server must be running in wireguard mode).
*/
public async addWgPeer(peer: IWgPeerConfig): Promise<void> {
await this.bridge.sendCommand('addWgPeer', { peer });
}
/**
* Remove a WireGuard peer by public key.
*/
public async removeWgPeer(publicKey: string): Promise<void> {
await this.bridge.sendCommand('removeWgPeer', { publicKey });
}
/**
* List WireGuard peers with stats.
*/
public async listWgPeers(): Promise<IWgPeerInfo[]> {
const result = await this.bridge.sendCommand('listWgPeers', {} as Record<string, never>);
return result.peers;
}
/** /**
* Stop the daemon bridge. * Stop the daemon bridge.
*/ */

123
ts/smartvpn.classes.wgconfig.ts Normal file
View File

@@ -0,0 +1,123 @@
import type { IWgPeerConfig } from './smartvpn.interfaces.js';
// ============================================================================
// WireGuard .conf file generator
// ============================================================================
export interface IWgClientConfOptions {
/** Client private key (base64) */
privateKey: string;
/** Client TUN address with prefix (e.g. 10.8.0.2/24) */
address: string;
/** DNS servers */
dns?: string[];
/** TUN MTU */
mtu?: number;
/** Server peer config */
peer: {
publicKey: string;
presharedKey?: string;
endpoint: string;
allowedIps: string[];
persistentKeepalive?: number;
};
}
export interface IWgServerConfOptions {
/** Server private key (base64) */
privateKey: string;
/** Server TUN address with prefix (e.g. 10.8.0.1/24) */
address: string;
/** UDP listen port */
listenPort: number;
/** DNS servers */
dns?: string[];
/** TUN MTU */
mtu?: number;
/** Enable NAT — adds PostUp/PostDown iptables rules */
enableNat?: boolean;
/** Network interface for NAT (e.g. eth0). Auto-detected if omitted. */
natInterface?: string;
/** Configured peers */
peers: IWgPeerConfig[];
}
/**
* Generates standard WireGuard .conf files compatible with wg-quick,
* WireGuard iOS/Android apps, and other standard WireGuard clients.
*/
export class WgConfigGenerator {
/**
* Generate a client .conf file content.
*/
public static generateClientConfig(opts: IWgClientConfOptions): string {
const lines: string[] = [];
lines.push('[Interface]');
lines.push(`PrivateKey = ${opts.privateKey}`);
lines.push(`Address = ${opts.address}`);
if (opts.dns && opts.dns.length > 0) {
lines.push(`DNS = ${opts.dns.join(', ')}`);
}
if (opts.mtu) {
lines.push(`MTU = ${opts.mtu}`);
}
lines.push('');
lines.push('[Peer]');
lines.push(`PublicKey = ${opts.peer.publicKey}`);
if (opts.peer.presharedKey) {
lines.push(`PresharedKey = ${opts.peer.presharedKey}`);
}
lines.push(`Endpoint = ${opts.peer.endpoint}`);
lines.push(`AllowedIPs = ${opts.peer.allowedIps.join(', ')}`);
if (opts.peer.persistentKeepalive) {
lines.push(`PersistentKeepalive = ${opts.peer.persistentKeepalive}`);
}
lines.push('');
return lines.join('\n');
}
/**
* Generate a server .conf file content.
*/
public static generateServerConfig(opts: IWgServerConfOptions): string {
const lines: string[] = [];
lines.push('[Interface]');
lines.push(`PrivateKey = ${opts.privateKey}`);
lines.push(`Address = ${opts.address}`);
lines.push(`ListenPort = ${opts.listenPort}`);
if (opts.dns && opts.dns.length > 0) {
lines.push(`DNS = ${opts.dns.join(', ')}`);
}
if (opts.mtu) {
lines.push(`MTU = ${opts.mtu}`);
}
if (opts.enableNat) {
const iface = opts.natInterface || 'eth0';
lines.push(`PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ${iface} -j MASQUERADE`);
lines.push(`PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ${iface} -j MASQUERADE`);
}
for (const peer of opts.peers) {
lines.push('');
lines.push('[Peer]');
lines.push(`PublicKey = ${peer.publicKey}`);
if (peer.presharedKey) {
lines.push(`PresharedKey = ${peer.presharedKey}`);
}
lines.push(`AllowedIPs = ${peer.allowedIps.join(', ')}`);
if (peer.endpoint) {
lines.push(`Endpoint = ${peer.endpoint}`);
}
if (peer.persistentKeepalive) {
lines.push(`PersistentKeepalive = ${peer.persistentKeepalive}`);
}
}
lines.push('');
return lines.join('\n');
}
}

59
ts/smartvpn.interfaces.ts
View File

@@ -32,10 +32,24 @@ export interface IVpnClientConfig {
mtu?: number; mtu?: number;
/** Keepalive interval in seconds (default: 30) */ /** Keepalive interval in seconds (default: 30) */
keepaliveIntervalSecs?: number; keepaliveIntervalSecs?: number;
/** Transport protocol: 'auto' (default, tries QUIC then WS), 'websocket', or 'quic' */ /** Transport protocol: 'auto' (default, tries QUIC then WS), 'websocket', 'quic', or 'wireguard' */
transport?: 'auto' | 'websocket' | 'quic'; transport?: 'auto' | 'websocket' | 'quic' | 'wireguard';
/** For QUIC: SHA-256 hash of server certificate (base64) for cert pinning */ /** For QUIC: SHA-256 hash of server certificate (base64) for cert pinning */
serverCertHash?: string; serverCertHash?: string;
/** WireGuard: client private key (base64, X25519) */
wgPrivateKey?: string;
/** WireGuard: client TUN address (e.g. 10.8.0.2) */
wgAddress?: string;
/** WireGuard: client TUN address prefix length (default: 24) */
wgAddressPrefix?: number;
/** WireGuard: preshared key (base64, optional) */
wgPresharedKey?: string;
/** WireGuard: persistent keepalive interval in seconds */
wgPersistentKeepalive?: number;
/** WireGuard: server endpoint (host:port, e.g. vpn.example.com:51820) */
wgEndpoint?: string;
/** WireGuard: allowed IPs (CIDR strings, e.g. ['0.0.0.0/0']) */
wgAllowedIps?: string[];
} }
export interface IVpnClientOptions { export interface IVpnClientOptions {
@@ -72,12 +86,16 @@ export interface IVpnServerConfig {
defaultRateLimitBytesPerSec?: number; defaultRateLimitBytesPerSec?: number;
/** Default burst size for new clients (bytes). Omit for unlimited. */ /** Default burst size for new clients (bytes). Omit for unlimited. */
defaultBurstBytes?: number; defaultBurstBytes?: number;
/** Transport mode: 'both' (default, WS+QUIC), 'websocket', or 'quic' */ /** Transport mode: 'both' (default, WS+QUIC), 'websocket', 'quic', or 'wireguard' */
transportMode?: 'websocket' | 'quic' | 'both'; transportMode?: 'websocket' | 'quic' | 'both' | 'wireguard';
/** QUIC listen address (host:port). Defaults to listenAddr. */ /** QUIC listen address (host:port). Defaults to listenAddr. */
quicListenAddr?: string; quicListenAddr?: string;
/** QUIC idle timeout in seconds (default: 30) */ /** QUIC idle timeout in seconds (default: 30) */
quicIdleTimeoutSecs?: number; quicIdleTimeoutSecs?: number;
/** WireGuard: UDP listen port (default: 51820) */
wgListenPort?: number;
/** WireGuard: configured peers */
wgPeers?: IWgPeerConfig[];
} }
export interface IVpnServerOptions { export interface IVpnServerOptions {
@@ -187,6 +205,35 @@ export interface IVpnClientTelemetry {
burstBytes?: number; burstBytes?: number;
} }
// ============================================================================
// WireGuard-specific types
// ============================================================================
export interface IWgPeerConfig {
/** Peer's public key (base64, X25519) */
publicKey: string;
/** Optional preshared key (base64) */
presharedKey?: string;
/** Allowed IP ranges (CIDR strings) */
allowedIps: string[];
/** Peer endpoint (host:port) — optional for server peers, required for client */
endpoint?: string;
/** Persistent keepalive interval in seconds */
persistentKeepalive?: number;
}
export interface IWgPeerInfo {
publicKey: string;
allowedIps: string[];
endpoint?: string;
persistentKeepalive?: number;
bytesSent: number;
bytesReceived: number;
packetsSent: number;
packetsReceived: number;
lastHandshakeTime?: string;
}
// ============================================================================ // ============================================================================
// IPC Command maps (used by smartrust RustBridge<TCommands>) // IPC Command maps (used by smartrust RustBridge<TCommands>)
// ============================================================================ // ============================================================================
@@ -211,6 +258,10 @@ export type TVpnServerCommands = {
setClientRateLimit: { params: { clientId: string; rateBytesPerSec: number; burstBytes: number }; result: void }; setClientRateLimit: { params: { clientId: string; rateBytesPerSec: number; burstBytes: number }; result: void };
removeClientRateLimit: { params: { clientId: string }; result: void }; removeClientRateLimit: { params: { clientId: string }; result: void };
getClientTelemetry: { params: { clientId: string }; result: IVpnClientTelemetry }; getClientTelemetry: { params: { clientId: string }; result: IVpnClientTelemetry };
generateWgKeypair: { params: Record<string, never>; result: IVpnKeypair };
addWgPeer: { params: { peer: IWgPeerConfig }; result: void };
removeWgPeer: { params: { publicKey: string }; result: void };
listWgPeers: { params: Record<string, never>; result: { peers: IWgPeerInfo[] } };
}; };
// ============================================================================ // ============================================================================

3
tsconfig.json
View File

@@ -6,7 +6,8 @@
"module": "NodeNext", "module": "NodeNext",
"moduleResolution": "NodeNext", "moduleResolution": "NodeNext",
"esModuleInterop": true, "esModuleInterop": true,
"verbatimModuleSyntax": true "verbatimModuleSyntax": true,
"types": ["node"]
}, },
"exclude": [ "exclude": [
"dist_ts/**/*.d.ts" "dist_ts/**/*.d.ts"