feat(vpn): add tag-aware WireGuard AllowedIPs for VPN-gated routes
This commit is contained in:
@@ -29,6 +29,10 @@ export interface IVpnManagerConfig {
|
||||
allowList?: string[];
|
||||
blockList?: string[];
|
||||
};
|
||||
/** Compute per-client AllowedIPs based on the client's server-defined tags.
|
||||
* Called at config generation time (create/export). Returns CIDRs for WireGuard AllowedIPs.
|
||||
* When not set, defaults to [subnet]. */
|
||||
getClientAllowedIPs?: (clientTags: string[]) => string[];
|
||||
}
|
||||
|
||||
interface IPersistedServerKeys {
|
||||
@@ -190,6 +194,15 @@ export class VpnManager {
|
||||
description: opts.description,
|
||||
});
|
||||
|
||||
// Override AllowedIPs with per-client values based on tag-matched routes
|
||||
if (this.config.getClientAllowedIPs && bundle.wireguardConfig) {
|
||||
const allowedIPs = this.config.getClientAllowedIPs(opts.serverDefinedClientTags || []);
|
||||
bundle.wireguardConfig = bundle.wireguardConfig.replace(
|
||||
/AllowedIPs\s*=\s*.+/,
|
||||
`AllowedIPs = ${allowedIPs.join(', ')}`,
|
||||
);
|
||||
}
|
||||
|
||||
// Persist client entry (including WG private key for export/QR)
|
||||
const persisted: IPersistedClient = {
|
||||
clientId: bundle.entry.clientId,
|
||||
@@ -199,7 +212,8 @@ export class VpnManager {
|
||||
assignedIp: bundle.entry.assignedIp,
|
||||
noisePublicKey: bundle.entry.publicKey,
|
||||
wgPublicKey: bundle.entry.wgPublicKey || '',
|
||||
wgPrivateKey: bundle.secrets?.wgPrivateKey,
|
||||
wgPrivateKey: bundle.secrets?.wgPrivateKey
|
||||
|| bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim(),
|
||||
createdAt: Date.now(),
|
||||
updatedAt: Date.now(),
|
||||
expiresAt: bundle.entry.expiresAt,
|
||||
@@ -273,7 +287,8 @@ export class VpnManager {
|
||||
if (client) {
|
||||
client.noisePublicKey = bundle.entry.publicKey;
|
||||
client.wgPublicKey = bundle.entry.wgPublicKey || '';
|
||||
client.wgPrivateKey = bundle.secrets?.wgPrivateKey;
|
||||
client.wgPrivateKey = bundle.secrets?.wgPrivateKey
|
||||
|| bundle.wireguardConfig?.match(/PrivateKey\s*=\s*(.+)/)?.[1]?.trim();
|
||||
client.updatedAt = Date.now();
|
||||
await this.persistClient(client);
|
||||
}
|
||||
@@ -282,21 +297,32 @@ export class VpnManager {
|
||||
}
|
||||
|
||||
/**
|
||||
* Export a client config. Injects the stored WG private key for complete configs.
|
||||
* Export a client config. Injects stored WG private key and per-client AllowedIPs.
|
||||
*/
|
||||
public async exportClientConfig(clientId: string, format: 'smartvpn' | 'wireguard'): Promise<string> {
|
||||
if (!this.vpnServer) throw new Error('VPN server not running');
|
||||
let config = await this.vpnServer.exportClientConfig(clientId, format);
|
||||
|
||||
// Inject stored WG private key so exports produce valid, scannable configs
|
||||
if (format === 'wireguard') {
|
||||
const persisted = this.clients.get(clientId);
|
||||
|
||||
// Inject stored WG private key so exports produce valid, scannable configs
|
||||
if (persisted?.wgPrivateKey) {
|
||||
config = config.replace(
|
||||
'[Interface]\n',
|
||||
`[Interface]\nPrivateKey = ${persisted.wgPrivateKey}\n`,
|
||||
);
|
||||
}
|
||||
|
||||
// Override AllowedIPs with per-client values based on tag-matched routes
|
||||
if (this.config.getClientAllowedIPs) {
|
||||
const clientTags = persisted?.serverDefinedClientTags || [];
|
||||
const allowedIPs = this.config.getClientAllowedIPs(clientTags);
|
||||
config = config.replace(
|
||||
/AllowedIPs\s*=\s*.+/,
|
||||
`AllowedIPs = ${allowedIPs.join(', ')}`,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
return config;
|
||||
|
||||
Reference in New Issue
Block a user