fix(vpn): configure SmartVPN client exports with explicit server endpoint and split-tunnel allowed IPs

changelog.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 2026-03-30 - 11.19.1 - fix(vpn)
+configure SmartVPN client exports with explicit server endpoint and split-tunnel allowed IPs
+
+- Pass the configured WireGuard server endpoint directly to SmartVPN instead of rewriting generated client configs in dcrouter.
+- Set client allowed IPs to the VPN subnet so generated WireGuard configs default to split-tunnel routing.
+- Update documentation to reflect SmartVPN startup, dashboard/API coverage, and the new split-tunnel behavior.
+- Bump @push.rocks/smartvpn from 1.14.0 to 1.16.1 to support the updated VPN configuration flow.
+
 ## 2026-03-30 - 11.19.0 - feat(vpn)
 document tag-based VPN access control, declarative clients, and destination policy options
 

package.json

@@ -59,7 +59,7 @@
     "@push.rocks/smartrx": "^3.0.10",
     "@push.rocks/smartstate": "^2.3.0",
     "@push.rocks/smartunique": "^3.0.9",
-    "@push.rocks/smartvpn": "1.14.0",
+    "@push.rocks/smartvpn": "1.16.1",
     "@push.rocks/taskbuffer": "^8.0.2",
     "@serve.zone/catalog": "^2.9.0",
     "@serve.zone/interfaces": "^5.3.0",

pnpm-lock.yaml

@@ -96,8 +96,8 @@ importers:
         specifier: ^3.0.9
         version: 3.0.9
       '@push.rocks/smartvpn':
-        specifier: 1.14.0
+        specifier: 1.16.1
-        version: 1.14.0
+        version: 1.16.1
       '@push.rocks/taskbuffer':
         specifier: ^8.0.2
         version: 8.0.2
@@ -1246,6 +1246,9 @@ packages:
   '@push.rocks/smartnftables@1.0.1':
     resolution: {integrity: sha512-o822GH4J8dlEBvNLbm+CwU4h6isMUEh03tf2ZnOSWXc5iewRDdKdOCDwI/e+WdnGYWyv7gvH0DHztCmne6rTCg==}
 
+  '@push.rocks/smartnftables@1.1.0':
+    resolution: {integrity: sha512-7JNzerlW20HEl2wKMBIHltwneCQRpXiD2lJkXZZc02ctnfjgFejXVDIeWomhPx6PZ0Z6zmqdF6rrFDtDHyqqfA==}
+
   '@push.rocks/smartnpm@2.0.6':
     resolution: {integrity: sha512-7anKDOjX6gXWs1IAc+YWz9ZZ8gDsTwaLh+CxRnGHjAawOmK788NrrgVCg2Fb3qojrPnoxecc46F8Ivp1BT7Izw==}
 
@@ -1330,8 +1333,8 @@ packages:
   '@push.rocks/smartversion@3.0.5':
     resolution: {integrity: sha512-8MZSo1yqyaKxKq0Q5N188l4un++9GFWVbhCAX5mXJwewZHn97ujffTeL+eOQYpWFTEpUhaq1QhL4NhqObBCt1Q==}
 
-  '@push.rocks/smartvpn@1.14.0':
+  '@push.rocks/smartvpn@1.16.1':
-    resolution: {integrity: sha512-zJmHiuLwY4OEN4jBVrJf1hAXpfO9f6Bulq/v1DrB16nR7VgE82KNqRLt0Wi/9PCsAUfmVJTvOf4yirnjBrEWQg==}
+    resolution: {integrity: sha512-LQzt3ajMKIs3anYki/3drt7XcCuekoKvApCltLEjsoGEEX5JkXGSZFB+UFvqEhG8NcEuHw574rU3tB2orHzKTQ==}
 
   '@push.rocks/smartwatch@6.4.0':
     resolution: {integrity: sha512-KDswRgE/siBmZRCsRA07MtW5oF4c9uQEBkwTGPIWneHzksbCDsvs/7agKFEL7WnNifLNwo8w1K1qoiVWkX1fvw==}
@@ -6331,6 +6334,11 @@ snapshots:
       '@push.rocks/smartlog': 3.2.1
       '@push.rocks/smartpromise': 4.2.3
 
+  '@push.rocks/smartnftables@1.1.0':
+    dependencies:
+      '@push.rocks/smartlog': 3.2.1
+      '@push.rocks/smartpromise': 4.2.3
+
   '@push.rocks/smartnpm@2.0.6':
     dependencies:
       '@push.rocks/consolecolor': 2.0.3
@@ -6562,8 +6570,9 @@ snapshots:
       '@types/semver': 7.7.1
       semver: 7.7.4
 
-  '@push.rocks/smartvpn@1.14.0':
+  '@push.rocks/smartvpn@1.16.1':
     dependencies:
+      '@push.rocks/smartnftables': 1.1.0
       '@push.rocks/smartpath': 6.0.0
       '@push.rocks/smartrust': 1.3.2
 

readme.md

@@ -372,8 +372,8 @@ graph TB
 
 DcRouter acts purely as an **orchestrator** — it doesn't implement protocols itself. Instead, it wires together best-in-class packages for each protocol:
 
-1. **On `start()`**: DcRouter initializes OpsServer (default port 3000, configurable via `opsServerPort`), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, and RemoteIngress based on which configs are provided.
+1. **On `start()`**: DcRouter initializes OpsServer (default port 3000, configurable via `opsServerPort`), then spins up SmartProxy, smartmta, SmartDNS, SmartRadius, RemoteIngress, and SmartVPN based on which configs are provided. Services start in dependency order via `ServiceManager`.
-2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
+2. **During operation**: Each service handles its own protocol independently. SmartProxy uses a Rust-powered engine for maximum throughput. smartmta uses a hybrid TypeScript + Rust architecture for reliable email delivery. RemoteIngress runs a Rust data plane for edge tunnel networking. SmartVPN runs a Rust data plane for WireGuard and custom transports. SmartAcme v9 handles all certificate operations with built-in concurrency control and rate limiting.
 3. **On `stop()`**: All services are gracefully shut down in parallel, including cleanup of HTTP agents and DNS clients.
 
 ### Rust-Powered Architecture
@@ -386,6 +386,7 @@ DcRouter itself is a pure TypeScript orchestrator, but several of its core sub-c
 | **smartmta** | `mailer-bin` | SMTP server + client, DKIM/SPF/DMARC, content scanning, IP reputation |
 | **SmartDNS** | `smartdns-bin` | DNS server (UDP + DNS-over-HTTPS), DNSSEC, DNS client resolution |
 | **RemoteIngress** | `remoteingress-bin` | Edge tunnel data plane, multiplexed streams, heartbeat management |
+| **SmartVPN** | `smartvpn_daemon` | WireGuard (boringtun), Noise IK handshake, QUIC/WS transports, userspace NAT (smoltcp) |
 | **SmartRadius** | — | Pure TypeScript (no Rust component) |
 
 ## Configuration Reference
@@ -1029,10 +1030,11 @@ DcRouter integrates [`@push.rocks/smartvpn`](https://code.foss.global/push.rocks
 
 1. **SmartVPN daemon** runs inside dcrouter with a Rust data plane (WireGuard via `boringtun`, custom protocol via Noise IK)
 2. Clients connect and get assigned an IP from the VPN subnet (e.g. `10.8.0.0/24`)
-3. Routes with `vpn: { required: true }` get `security.ipAllowList` automatically injected
+3. **Split tunnel** by default — generated WireGuard configs only route VPN subnet traffic through the tunnel (`AllowedIPs = 10.8.0.0/24`), so regular internet traffic stays direct
-4. When `allowedServerDefinedClientTags` is set, only matching client IPs are injected (not the whole subnet)
+4. Routes with `vpn: { required: true }` get `security.ipAllowList` automatically injected
-5. SmartProxy enforces the allowlist — only authorized VPN clients can access protected routes
+5. When `allowedServerDefinedClientTags` is set, only matching client IPs are injected (not the whole subnet)
-6. All VPN traffic is forced through SmartProxy via userspace NAT with PROXY protocol v2 — no root required
+6. SmartProxy enforces the allowlist — only authorized VPN clients can access protected routes
+7. All VPN traffic is forced through SmartProxy via userspace NAT with PROXY protocol v2 — no root required
 
 ### Destination Policy
 
@@ -1316,8 +1318,12 @@ The OpsServer provides a web-based management interface served on port 3000 by d
 | 📊 **Overview** | Real-time server stats, CPU/memory, connection counts, email throughput |
 | 🌐 **Network** | Active connections, top IPs, throughput rates, SmartProxy metrics |
 | 📧 **Email** | Queue monitoring (queued/sent/failed), bounce records, security incidents |
+| 🛣️ **Routes** | Merged route list (hardcoded + programmatic), create/edit/toggle/override routes |
+| 🔑 **API Tokens** | Token management with scopes, create/revoke/roll/toggle |
 | 🔐 **Certificates** | Domain-centric certificate overview, status, backoff info, reprovisioning, import/export |
 | 🌍 **RemoteIngress** | Edge node management, connection status, token generation, enable/disable |
+| 🔐 **VPN** | VPN client management, server status, create/toggle/export/rotate/delete clients |
+| 📡 **RADIUS** | NAS client management, VLAN mappings, session monitoring, accounting |
 | 📜 **Logs** | Real-time log viewer with level filtering and search |
 | ⚙️ **Configuration** | Read-only view of current system configuration |
 | 🛡️ **Security** | IP reputation, rate limit status, blocked connections |
@@ -1382,6 +1388,17 @@ All management is done via TypedRequest over HTTP POST to `/typedrequest`:
 'getRecentLogs'                        // Retrieve system logs with filtering
 'getLogStream'                         // Stream live logs
 
+// VPN
+'getVpnClients'                        // List all registered VPN clients
+'getVpnStatus'                         // VPN server status (running, subnet, port, keys)
+'createVpnClient'                      // Create client → returns WireGuard config (shown once)
+'deleteVpnClient'                      // Remove a VPN client
+'enableVpnClient'                      // Enable a disabled client
+'disableVpnClient'                     // Disable a client
+'rotateVpnClientKey'                   // Generate new keys (invalidates old ones)
+'exportVpnClientConfig'                // Export WireGuard (.conf) or SmartVPN (.json) config
+'getVpnClientTelemetry'                // Per-client bytes sent/received, keepalives
+
 // RADIUS
 'getRadiusSessions'                    // Active RADIUS sessions
 'getRadiusClients'                     // List NAS clients
@@ -1499,6 +1516,7 @@ const router = new DcRouter(options: IDcRouterOptions);
 | `radiusServer` | `RadiusServer` | RADIUS server instance |
 | `remoteIngressManager` | `RemoteIngressManager` | Edge registration CRUD manager |
 | `tunnelManager` | `TunnelManager` | Tunnel lifecycle and status manager |
+| `vpnManager` | `VpnManager` | VPN server lifecycle and client CRUD manager |
 | `storageManager` | `StorageManager` | Storage backend |
 | `opsServer` | `OpsServer` | OpsServer/dashboard instance |
 | `metricsManager` | `MetricsManager` | Metrics collector |
@@ -1639,7 +1657,7 @@ The Docker build supports multi-platform (`linux/amd64`, `linux/arm64`) via [tsd
 
 ## License and Legal Information
 
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
 
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.19.0',
+  version: '11.19.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

ts/vpn/classes.vpn-manager.ts

@@ -127,6 +127,10 @@ export class VpnManager {
       socketForwardProxyProtocol: true,
       destinationPolicy: this.config.destinationPolicy
         ?? { default: 'forceTarget' as const, target: '127.0.0.1' },
+      serverEndpoint: this.config.serverEndpoint
+        ? `${this.config.serverEndpoint}:${wgListenPort}`
+        : undefined,
+      clientAllowedIPs: [subnet],
     };
 
     await this.vpnServer.start(serverConfig);
@@ -184,15 +188,6 @@ export class VpnManager {
       description: opts.description,
     });
 
-    // Update WireGuard config endpoint if serverEndpoint is configured
-    if (this.config.serverEndpoint && bundle.wireguardConfig) {
-      const wgPort = this.config.wgListenPort ?? 51820;
-      bundle.wireguardConfig = bundle.wireguardConfig.replace(
-        /Endpoint\s*=\s*.+/,
-        `Endpoint = ${this.config.serverEndpoint}:${wgPort}`,
-      );
-    }
-
     // Persist client entry (without private keys)
     const persisted: IPersistedClient = {
       clientId: bundle.entry.clientId,
@@ -270,15 +265,6 @@ export class VpnManager {
     if (!this.vpnServer) throw new Error('VPN server not running');
     const bundle = await this.vpnServer.rotateClientKey(clientId);
 
-    // Update endpoint in WireGuard config
-    if (this.config.serverEndpoint && bundle.wireguardConfig) {
-      const wgPort = this.config.wgListenPort ?? 51820;
-      bundle.wireguardConfig = bundle.wireguardConfig.replace(
-        /Endpoint\s*=\s*.+/,
-        `Endpoint = ${this.config.serverEndpoint}:${wgPort}`,
-      );
-    }
-
     // Update persisted entry with new public keys
     const client = this.clients.get(clientId);
     if (client) {
@@ -296,18 +282,7 @@ export class VpnManager {
    */
   public async exportClientConfig(clientId: string, format: 'smartvpn' | 'wireguard'): Promise<string> {
     if (!this.vpnServer) throw new Error('VPN server not running');
-    let config = await this.vpnServer.exportClientConfig(clientId, format);
+    return this.vpnServer.exportClientConfig(clientId, format);
-
-    // Update endpoint in WireGuard config
-    if (format === 'wireguard' && this.config.serverEndpoint) {
-      const wgPort = this.config.wgListenPort ?? 51820;
-      config = config.replace(
-        /Endpoint\s*=\s*.+/,
-        `Endpoint = ${this.config.serverEndpoint}:${wgPort}`,
-      );
-    }
-
-    return config;
   }
 
   // ── Tag-based access control ───────────────────────────────────────────

ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.19.0',
+  version: '11.19.1',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }