feat(vpn): support optional non-mandatory VPN route access and align route config with enabled semantics

2026-03-31 11:19:29 +00:00
parent 95daee1d8f
commit 29687670e8
10 changed files with 39 additions and 24 deletions
--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/dcrouter',
-  version: '11.22.0',
+  version: '11.23.0',
  description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }
--- a/ts/classes.dcrouter.ts
+++ b/ts/classes.dcrouter.ts
@@ -192,7 +192,7 @@ export interface IDcRouterOptions {

  /**
   * VPN server configuration.
-   * Enables VPN-based access control: routes with vpn.required are only
+   * Enables VPN-based access control: routes with vpn.enabled are only
   * accessible from VPN clients. Supports WireGuard + native (WS/QUIC) transports.
   */
  vpnConfig?: {
@@ -2110,7 +2110,7 @@ export class DcRouter {
        const domainsToResolve = new Set<string>();
        for (const route of routes) {
          const dcRoute = route as import('../ts_interfaces/data/remoteingress.js').IDcRouterRouteConfig;
-          if (!dcRoute.vpn?.required) continue;
+          if (!dcRoute.vpn?.enabled) continue;

          const routeTags = dcRoute.vpn.allowedServerDefinedClientTags;
          if (!routeTags?.length || clientTags.some(t => routeTags.includes(t))) {
--- a/ts/config/classes.route-config-manager.ts
+++ b/ts/config/classes.route-config-manager.ts
@@ -255,17 +255,20 @@ export class RouteConfigManager {
    const http3Config = this.getHttp3Config?.();
    const vpnAllowList = this.getVpnAllowList;

-    // Helper: inject VPN security into a route if vpn.required is set
+    // Helper: inject VPN security into a route if vpn.enabled is set
    const injectVpn = (route: plugins.smartproxy.IRouteConfig): plugins.smartproxy.IRouteConfig => {
      if (!vpnAllowList) return route;
      const dcRoute = route as IDcRouterRouteConfig;
-      if (!dcRoute.vpn?.required) return route;
+      if (!dcRoute.vpn?.enabled) return route;
      const allowList = vpnAllowList(dcRoute.vpn.allowedServerDefinedClientTags);
+      const mandatory = dcRoute.vpn.mandatory !== false; // defaults to true
      return {
        ...route,
        security: {
          ...route.security,
-          ipAllowList: [...(route.security?.ipAllowList || []), ...allowList],
+          ipAllowList: mandatory
+            ? allowList
+            : [...(route.security?.ipAllowList || []), ...allowList],
        },
      };
    };