From 79069d2b646ccd4744fa2c87dcd0e7747de59c08 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Sun, 28 Jun 2026 14:41:24 +0200 Subject: [PATCH] fix(wireguard): allocate client IPs in the existing peer subnet defaultWireguardClients always allocated new tunnel addresses from the hardcoded 10.0.0.0/24 base, so a legacy or migrated inbound whose peers live in a different subnet (e.g. 172.16.0.0/24) got new clients in an unrelated, unroutable range. Derive the allocation base from the existing peers' /24 and fall back to 10.0.0.0/24 only when there are none. --- internal/web/service/client_wireguard.go | 16 +++++++++- internal/web/service/client_wireguard_test.go | 32 +++++++++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) diff --git a/internal/web/service/client_wireguard.go b/internal/web/service/client_wireguard.go index c02d4afe8..261a8e363 100644 --- a/internal/web/service/client_wireguard.go +++ b/internal/web/service/client_wireguard.go @@ -33,6 +33,19 @@ func wireguardHostAddr(s string) netip.Addr { return netip.Addr{} } +func wireguardAllocationBase(used []string, fallback string) string { + for _, u := range used { + a := wireguardHostAddr(u) + if !a.IsValid() || !a.Is4() || a.IsUnspecified() { + continue + } + if p, err := a.Prefix(24); err == nil { + return p.String() + } + } + return fallback +} + // allocateWireguardAddress returns the first free /32 host address in base that // is not already present in used. The server holds the first host (.1), so // allocation starts at the second host (.2). @@ -71,6 +84,7 @@ func defaultWireguardClients(existing, clients []model.Client, interfaceClients for i := range existing { used = append(used, existing[i].AllowedIPs...) } + base := wireguardAllocationBase(used, defaultWireguardBase) for i := range clients { c := &clients[i] if c.PrivateKey == "" && c.PublicKey == "" { @@ -88,7 +102,7 @@ func defaultWireguardClients(existing, clients []model.Client, interfaceClients c.PublicKey = pub } if len(c.AllowedIPs) == 0 { - addr, err := allocateWireguardAddress(used, defaultWireguardBase) + addr, err := allocateWireguardAddress(used, base) if err != nil { return err } diff --git a/internal/web/service/client_wireguard_test.go b/internal/web/service/client_wireguard_test.go index 9a59bf331..eb35d975c 100644 --- a/internal/web/service/client_wireguard_test.go +++ b/internal/web/service/client_wireguard_test.go @@ -98,6 +98,38 @@ func TestDefaultWireguardClientsPreservesProvided(t *testing.T) { } } +func TestWireguardAllocationBase(t *testing.T) { + tests := []struct { + name string + used []string + fallback string + want string + }{ + {name: "no peers uses fallback", used: nil, fallback: "10.0.0.0/24", want: "10.0.0.0/24"}, + {name: "derives subnet from existing peer", used: []string{"172.16.0.2/32"}, fallback: "10.0.0.0/24", want: "172.16.0.0/24"}, + {name: "skips catch-all and ipv6", used: []string{"0.0.0.0/0", "::/0", "fd00::2/128", "192.168.5.7/32"}, fallback: "10.0.0.0/24", want: "192.168.5.0/24"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := wireguardAllocationBase(tt.used, tt.fallback); got != tt.want { + t.Fatalf("got %q, want %q", got, tt.want) + } + }) + } +} + +func TestDefaultWireguardClientsHonorsExistingSubnet(t *testing.T) { + existing := []model.Client{{Email: "old@wg", AllowedIPs: []string{"172.16.0.2/32"}}} + clients := []model.Client{{Email: "new@wg"}} + ifaces := []any{map[string]any{"email": "new@wg"}} + if err := defaultWireguardClients(existing, clients, ifaces); err != nil { + t.Fatalf("defaultWireguardClients: %v", err) + } + if got := clients[0].AllowedIPs[0]; got != "172.16.0.3/32" { + t.Fatalf("new client address = %q, want 172.16.0.3/32 in existing subnet", got) + } +} + func TestDefaultWireguardClientsAllocatesDistinctIPs(t *testing.T) { clients := []model.Client{{Email: "x@wg"}, {Email: "y@wg"}} ifaces := []any{map[string]any{"email": "x@wg"}, map[string]any{"email": "y@wg"}}