Add WireGuard VPN with random /31 subnet isolation (v0.40.0)
Some checks failed
Go / build-and-release (push) Has been cancelled
- Add embedded WireGuard VPN server using wireguard-go + netstack
- Implement deterministic /31 subnet allocation from seed + sequence
- Use Badger's built-in Sequence for atomic counter allocation
- Add NIP-46 bunker server for remote signing over VPN
- Add revoked key tracking and access audit logging for users
- Add Bunker tab to web UI with WireGuard/bunker QR codes
- Support key regeneration with old keypair archiving

New environment variables:
- ORLY_WG_ENABLED: Enable WireGuard VPN server
- ORLY_WG_PORT: UDP port for WireGuard (default 51820)
- ORLY_WG_ENDPOINT: Public endpoint for WireGuard
- ORLY_WG_NETWORK: Base network for subnet pool (default 10.0.0.0/8)
- ORLY_BUNKER_ENABLED: Enable NIP-46 bunker
- ORLY_BUNKER_PORT: WebSocket port for bunker (default 3335)

Files added:
- pkg/wireguard/: WireGuard server, keygen, subnet pool, errors
- pkg/bunker/: NIP-46 bunker server and session handling
- pkg/database/wireguard.go: Peer storage with audit logging
- app/handle-wireguard.go: API endpoints for config/regenerate/audit
- app/wireguard-helpers.go: Key derivation helpers
- app/web/src/BunkerView.svelte: Bunker UI with QR codes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -33,9 +33,11 @@ import (
"next.orly.dev/pkg/protocol/graph"
"next.orly.dev/pkg/protocol/nip43"
"next.orly.dev/pkg/protocol/publish"
"next.orly.dev/pkg/bunker"
"next.orly.dev/pkg/ratelimit"
"next.orly.dev/pkg/spider"
dsync "next.orly.dev/pkg/sync"
"next.orly.dev/pkg/wireguard"
)
type Server struct {
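Review bot: the new `"next.orly.dev/pkg/bunker"` import is inserted after `"next.orly.dev/pkg/protocol/publish"`, which breaks the sorted order of this import group (`pkg/bunker` sorts before `pkg/protocol/graph`), whereas `"next.orly.dev/pkg/wireguard"` correctly lands at the end. Run gofmt/goimports before merging, and note that the build-and-release check for this push was cancelled, so nothing has yet verified that the file compiles with both new imports actually used.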
@@ -78,6 +80,11 @@ type Server struct {
eventAuthorizer *authorization.Service
eventRouter *routing.DefaultRouter
eventProcessor *processing.Service
// WireGuard VPN and NIP-46 Bunker
wireguardServer *wireguard.Server
bunkerServer *bunker.Server
subnetPool *wireguard.SubnetPool
}
// isIPBlacklisted checks if an IP address is blacklisted using the managed ACL system
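Review bot: the three new fields are pointers to subsystems that, per the commit message, only exist when ORLY_WG_ENABLED / ORLY_BUNKER_ENABLED are set, yet the block comment `// WireGuard VPN and NIP-46 Bunker` says nothing about them being nil when the feature is off. Extend the comment to state that nil contract explicitly, so every handler that dereferences `wireguardServer`, `bunkerServer` or `subnetPool` is written with a nil check, and consider whether `subnetPool` should be owned by `wireguard.Server` rather than held separately on `Server`, since two owners make shutdown ordering (closing the pool after the server that still allocates from it) easy to get wrong.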
@@ -335,6 +342,14 @@ func (s *Server) UserInterface() {
s.mux.HandleFunc("/cluster/events", s.clusterManager.HandleEventsRange)
log.Printf("Cluster replication API enabled at /cluster")
}
// WireGuard VPN and Bunker API endpoints
// These are always registered but will return errors if not enabled
s.mux.HandleFunc("/api/wireguard/config", s.handleWireGuardConfig)
s.mux.HandleFunc("/api/wireguard/regenerate", s.handleWireGuardRegenerate)
s.mux.HandleFunc("/api/wireguard/status", s.handleWireGuardStatus)
s.mux.HandleFunc("/api/wireguard/audit", s.handleWireGuardAudit)
s.mux.HandleFunc("/api/bunker/url", s.handleBunkerURL)
}
// handleFavicon serves orly-favicon.png as favicon.ico
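Review bot: the five new routes are registered with bare `s.mux.HandleFunc`, so nothing in this hunk shows an authentication wrapper, while `/api/wireguard/config` and `/api/wireguard/regenerate` hand out or rotate a peer's WireGuard key material and `/api/wireguard/audit` exposes access logs. Confirm that each handler verifies the caller's identity before reading or changing peer state, make `handleWireGuardRegenerate` reject any method other than POST (HandleFunc accepts every method, so a plain GET would otherwise be enough to trigger key rotation), and reconsider the comment `will return errors if not enabled`: answering a uniform 404 when the feature is off avoids advertising which optional subsystems this relay runs.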