204 lines
7.1 KiB
TypeScript
204 lines
7.1 KiB
TypeScript
import * as plugins from './smartvpn.plugins.js';
|
|
import type {
|
|
IVpnClientConfig,
|
|
IVpnServerConfig,
|
|
} from './smartvpn.interfaces.js';
|
|
|
|
/**
|
|
* VPN configuration loader, saver, and validator.
|
|
*/
|
|
export class VpnConfig {
|
|
/**
|
|
* Validate a client config object. Throws on invalid config.
|
|
*/
|
|
public static validateClientConfig(config: IVpnClientConfig): void {
|
|
if (config.transport === 'wireguard') {
|
|
// WireGuard-specific validation
|
|
if (!config.wgPrivateKey) {
|
|
throw new Error('VpnConfig: wgPrivateKey is required for WireGuard transport');
|
|
}
|
|
VpnConfig.validateBase64Key(config.wgPrivateKey, 'wgPrivateKey');
|
|
if (!config.wgAddress) {
|
|
throw new Error('VpnConfig: wgAddress is required for WireGuard transport');
|
|
}
|
|
if (!config.serverPublicKey) {
|
|
throw new Error('VpnConfig: serverPublicKey is required for WireGuard transport');
|
|
}
|
|
VpnConfig.validateBase64Key(config.serverPublicKey, 'serverPublicKey');
|
|
if (!config.wgEndpoint) {
|
|
throw new Error('VpnConfig: wgEndpoint is required for WireGuard transport');
|
|
}
|
|
if (config.wgPresharedKey) {
|
|
VpnConfig.validateBase64Key(config.wgPresharedKey, 'wgPresharedKey');
|
|
}
|
|
if (config.wgAllowedIps) {
|
|
for (const cidr of config.wgAllowedIps) {
|
|
if (!VpnConfig.isValidCidr(cidr)) {
|
|
throw new Error(`VpnConfig: invalid allowedIp CIDR: ${cidr}`);
|
|
}
|
|
}
|
|
}
|
|
} else {
|
|
if (!config.serverUrl) {
|
|
throw new Error('VpnConfig: serverUrl is required');
|
|
}
|
|
// For QUIC-only transport, serverUrl is a host:port address; for WebSocket/auto it must be ws:// or wss://
|
|
if (config.transport !== 'quic') {
|
|
if (!config.serverUrl.startsWith('wss://') && !config.serverUrl.startsWith('ws://')) {
|
|
throw new Error('VpnConfig: serverUrl must start with wss:// or ws:// (for WebSocket transport)');
|
|
}
|
|
}
|
|
if (!config.serverPublicKey) {
|
|
throw new Error('VpnConfig: serverPublicKey is required');
|
|
}
|
|
}
|
|
if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) {
|
|
throw new Error('VpnConfig: mtu must be between 576 and 65535');
|
|
}
|
|
if (config.keepaliveIntervalSecs !== undefined && config.keepaliveIntervalSecs < 1) {
|
|
throw new Error('VpnConfig: keepaliveIntervalSecs must be >= 1');
|
|
}
|
|
if (config.dns) {
|
|
for (const dns of config.dns) {
|
|
if (!VpnConfig.isValidIp(dns)) {
|
|
throw new Error(`VpnConfig: invalid DNS address: ${dns}`);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Validate a server config object. Throws on invalid config.
|
|
*/
|
|
public static validateServerConfig(config: IVpnServerConfig): void {
|
|
if (config.transportMode === 'wireguard') {
|
|
// WireGuard server validation
|
|
if (!config.privateKey) {
|
|
throw new Error('VpnConfig: privateKey is required');
|
|
}
|
|
VpnConfig.validateBase64Key(config.privateKey, 'privateKey');
|
|
if (!config.wgPeers || config.wgPeers.length === 0) {
|
|
throw new Error('VpnConfig: at least one wgPeers entry is required for WireGuard mode');
|
|
}
|
|
for (const peer of config.wgPeers) {
|
|
if (!peer.publicKey) {
|
|
throw new Error('VpnConfig: peer publicKey is required');
|
|
}
|
|
VpnConfig.validateBase64Key(peer.publicKey, 'peer.publicKey');
|
|
if (!peer.allowedIps || peer.allowedIps.length === 0) {
|
|
throw new Error('VpnConfig: peer allowedIps is required');
|
|
}
|
|
for (const cidr of peer.allowedIps) {
|
|
if (!VpnConfig.isValidCidr(cidr)) {
|
|
throw new Error(`VpnConfig: invalid peer allowedIp CIDR: ${cidr}`);
|
|
}
|
|
}
|
|
if (peer.presharedKey) {
|
|
VpnConfig.validateBase64Key(peer.presharedKey, 'peer.presharedKey');
|
|
}
|
|
}
|
|
if (config.wgListenPort !== undefined && (config.wgListenPort < 1 || config.wgListenPort > 65535)) {
|
|
throw new Error('VpnConfig: wgListenPort must be between 1 and 65535');
|
|
}
|
|
} else {
|
|
if (!config.listenAddr) {
|
|
throw new Error('VpnConfig: listenAddr is required');
|
|
}
|
|
if (!config.privateKey) {
|
|
throw new Error('VpnConfig: privateKey is required');
|
|
}
|
|
if (!config.publicKey) {
|
|
throw new Error('VpnConfig: publicKey is required');
|
|
}
|
|
if (!config.subnet) {
|
|
throw new Error('VpnConfig: subnet is required');
|
|
}
|
|
if (!VpnConfig.isValidSubnet(config.subnet)) {
|
|
throw new Error(`VpnConfig: invalid subnet: ${config.subnet}`);
|
|
}
|
|
}
|
|
if (config.mtu !== undefined && (config.mtu < 576 || config.mtu > 65535)) {
|
|
throw new Error('VpnConfig: mtu must be between 576 and 65535');
|
|
}
|
|
if (config.keepaliveIntervalSecs !== undefined && config.keepaliveIntervalSecs < 1) {
|
|
throw new Error('VpnConfig: keepaliveIntervalSecs must be >= 1');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Load a config from a JSON file.
|
|
*/
|
|
public static async loadFromFile<T>(filePath: string): Promise<T> {
|
|
const content = await plugins.fs.promises.readFile(filePath, 'utf-8');
|
|
return JSON.parse(content) as T;
|
|
}
|
|
|
|
/**
|
|
* Save a config to a JSON file.
|
|
*/
|
|
public static async saveToFile<T>(filePath: string, config: T): Promise<void> {
|
|
const content = JSON.stringify(config, null, 2);
|
|
await plugins.fs.promises.writeFile(filePath, content, 'utf-8');
|
|
}
|
|
|
|
/**
|
|
* Basic IP address validation.
|
|
*/
|
|
private static isValidIp(ip: string): boolean {
|
|
const parts = ip.split('.');
|
|
if (parts.length !== 4) return false;
|
|
return parts.every((part) => {
|
|
const num = parseInt(part, 10);
|
|
return !isNaN(num) && num >= 0 && num <= 255 && String(num) === part;
|
|
});
|
|
}
|
|
|
|
/**
|
|
* Basic subnet validation (CIDR notation).
|
|
*/
|
|
private static isValidSubnet(subnet: string): boolean {
|
|
const [ip, prefix] = subnet.split('/');
|
|
if (!ip || !prefix) return false;
|
|
if (!VpnConfig.isValidIp(ip)) return false;
|
|
const prefixNum = parseInt(prefix, 10);
|
|
return !isNaN(prefixNum) && prefixNum >= 0 && prefixNum <= 32;
|
|
}
|
|
|
|
/**
|
|
* Validate a CIDR string (IPv4 or IPv6).
|
|
*/
|
|
private static isValidCidr(cidr: string): boolean {
|
|
const parts = cidr.split('/');
|
|
if (parts.length !== 2) return false;
|
|
const prefixNum = parseInt(parts[1], 10);
|
|
if (isNaN(prefixNum) || prefixNum < 0) return false;
|
|
// IPv4
|
|
if (VpnConfig.isValidIp(parts[0])) {
|
|
return prefixNum <= 32;
|
|
}
|
|
// IPv6 (basic check)
|
|
if (parts[0].includes(':')) {
|
|
return prefixNum <= 128;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Validate a base64-encoded 32-byte key (WireGuard X25519 format).
|
|
*/
|
|
private static validateBase64Key(key: string, fieldName: string): void {
|
|
if (key.length !== 44) {
|
|
throw new Error(`VpnConfig: ${fieldName} must be 44 characters (base64 of 32 bytes), got ${key.length}`);
|
|
}
|
|
try {
|
|
const buf = Buffer.from(key, 'base64');
|
|
if (buf.length !== 32) {
|
|
throw new Error(`VpnConfig: ${fieldName} must decode to 32 bytes, got ${buf.length}`);
|
|
}
|
|
} catch (e) {
|
|
if (e instanceof Error && e.message.startsWith('VpnConfig:')) throw e;
|
|
throw new Error(`VpnConfig: ${fieldName} is not valid base64`);
|
|
}
|
|
}
|
|
}
|