@qpjoy/tunnel-cli 0.1.5 → 0.1.7

package/README.md

@@ -45,7 +45,9 @@ The command:
 - downloads the HDO manifest from `electron-server`
 - writes a local WireGuard config
 - stores local HDO state and refresh credentials
-- starts a system-level tunnel at boot
+- starts a system-level tunnel at boot. On Linux, if `wg-quick@.service` is not
+  installed by the OS, the CLI writes a compatible systemd unit that uses the
+  bundled WireGuard tools from the npm package.
 
 Useful follow-up commands:
 

package/README.setup.md

@@ -13,4 +13,7 @@ sudo qp-tunnel-cli server-on
 sudo qp-tunnel-cli status
 
 qp-tunnel-cli curl google.com
+
+# 删除mac的HDO进程
+qp-tunnel-cli hdo down --interface hdo-client
 ```

package/dist/hdo.js

@@ -58,6 +58,12 @@ Enroll options:
   --install-dir PATH     WireGuard engine install/cache directory
   --state-file PATH      HDO client state file
   --role ROLE            Metadata role. Default: internal
+  --direct-listener      Accept direct WireGuard peers from other HDO devices
+  --try-direct-peers     Try direct HDO device peers from observed NAT endpoints
+  --public-endpoint HOST:PORT
+                         Publish this device as a direct peer endpoint
+  --endpoint-host HOST   Direct peer endpoint host
+  --listen-port PORT     Local WireGuard listen port for direct peers
   --rotate-key           Generate a new WireGuard keypair
   --no-start             Write config without starting the system tunnel
 
@@ -66,6 +72,7 @@ Environment:
   HDO_USERNAME / QPJOY_HDO_USERNAME
   HDO_PASSWORD / QPJOY_HDO_PASSWORD
   HDO_TOKEN / QPJOY_HDO_TOKEN
+  HDO_PUBLIC_ENDPOINT / QPJOY_HDO_PUBLIC_ENDPOINT
 
 Examples:
   qp-tunnel-cli hdo enroll \\
@@ -78,6 +85,11 @@ Examples:
 
 Notes:
   Linux writes /etc/wireguard and enables wg-quick@<interface>.
+  If Linux does not provide wg-quick@.service, this CLI installs a compatible
+  systemd unit that uses the bundled WireGuard tools from npm.
+  Use --direct-listener --public-endpoint HOST:PORT on reachable Internal
+  machines. Use --try-direct-peers only when both devices are managed by this
+  CLI/plugin and you accept NAT hole-punching fallback risk.
   macOS installs a LaunchDaemon and may prompt for an administrator password.
   Windows installs a WireGuard tunnel service and may show a UAC prompt.
 
@@ -110,6 +122,7 @@ async function enrollCommand(args, refreshOnly) {
         `hdo-${process.platform}-${sanitizeId((0, node_os_1.hostname)())}`;
     const label = options.label || previous.label || `${process.platform} ${(0, node_os_1.hostname)()}`;
     const keys = resolveKeypair(options, previous, installDir);
+    const direct = resolveDirectEndpoint(options, previous);
     const registered = await apiJson(serverUrl, auth.accessToken, '/api/v1/hdo/devices/register', {
         method: 'POST',
         body: {
@@ -125,6 +138,12 @@ async function enrollCommand(args, refreshOnly) {
                 wireGuard: {
                     publicKey: keys.publicKey,
                     interfaceName,
+                    preferDirectPeers: direct.preferDirectPeers,
+                    acceptDirectPeers: direct.directListener,
+                    directListener: direct.directListener,
+                    endpointHost: direct.endpointHost,
+                    listenPort: direct.listenPort,
+                    endpoint: direct.endpoint,
                     updatedAt: new Date().toISOString(),
                 },
             },
@@ -137,9 +156,11 @@ async function enrollCommand(args, refreshOnly) {
     writeWireGuardConfig(configPath, (0, electron_core_wireguard_1.renderHdoClientWireGuardConfig)({
         privateKey: runtime.privateKey,
         address: runtime.address,
+        listenPort: direct.listenPort,
         domesticPublicKey: runtime.domesticPublicKey,
         domesticEndpoint: runtime.domesticEndpoint,
         allowedIps: runtime.allowedIps,
+        directPeers: runtime.directPeers,
         persistentKeepalive: 25,
     }));
     const now = new Date().toISOString();
@@ -158,6 +179,10 @@ async function enrollCommand(args, refreshOnly) {
         privateKey: keys.privateKey,
         publicKey: keys.publicKey,
         overlayIp: runtime.overlayIp,
+        directListener: direct.directListener,
+        preferDirectPeers: direct.preferDirectPeers,
+        endpointHost: direct.endpointHost,
+        listenPort: direct.listenPort,
         lastManifestGeneration: runtime.generation,
         enrolledAt: previous.enrolledAt || now,
         updatedAt: now,
@@ -182,21 +207,26 @@ function statusCommand(input) {
     const interfaceName = sanitizeInterfaceName(input.interfaceName || state.interfaceName || defaultInterfaceName);
     const configPath = resolveConfigPath(input.configPath || state.configPath, interfaceName);
     const installDir = resolveInstallDir(input.installDir || state.installDir);
+    const runtime = (0, electron_core_wireguard_1.resolveWireGuardConnectionRuntime)({
+        installDir,
+        allowSystemFallback: true,
+    });
     process.stdout.write(`State file: ${stateFile}\n`);
     process.stdout.write(`Server URL: ${state.serverUrl || 'unset'}\n`);
     process.stdout.write(`Device: ${state.deviceId || 'unset'}\n`);
     process.stdout.write(`Overlay IP: ${state.overlayIp || 'unset'}\n`);
     process.stdout.write(`WireGuard config: ${configPath}\n\n`);
     if (process.platform === 'linux') {
-        inherit('systemctl', ['status', `wg-quick@${interfaceName}`, '--no-pager']);
-        process.stdout.write('\n');
-        inherit('wg', ['show', interfaceName]);
+        if (commandAvailable('systemctl')) {
+            inherit('systemctl', ['status', `wg-quick@${interfaceName}`, '--no-pager']);
+            process.stdout.write('\n');
+        }
+        else {
+            process.stdout.write('systemctl unavailable; showing WireGuard runtime status only.\n\n');
+        }
+        printWireGuardRuntimeStatus(runtime, configPath);
         return;
     }
-    const runtime = (0, electron_core_wireguard_1.resolveWireGuardConnectionRuntime)({
-        installDir,
-        allowSystemFallback: true,
-    });
     if (process.platform === 'darwin') {
         const daemon = (0, electron_core_wireguard_1.getDarwinWireGuardLaunchDaemonStatus)({ runtime, configPath });
         process.stdout.write(`LaunchDaemon: ${daemon.loaded ? 'loaded' : 'not loaded'}; running=${daemon.running}\n`);
@@ -225,7 +255,18 @@ async function downCommand(input) {
     const configPath = resolveConfigPath(input.configPath || state.configPath, interfaceName);
     const installDir = resolveInstallDir(input.installDir || state.installDir);
     if (process.platform === 'linux') {
-        inheritRequired('systemctl', ['disable', '--now', `wg-quick@${interfaceName}`]);
+        const runtime = (0, electron_core_wireguard_1.resolveWireGuardConnectionRuntime)({
+            installDir,
+            allowSystemFallback: true,
+        });
+        if (commandAvailable('systemctl') && systemdUnitExists('wg-quick@.service')) {
+            inheritRequired('systemctl', ['disable', '--now', `wg-quick@${interfaceName}`]);
+            return;
+        }
+        const result = await (0, electron_core_wireguard_1.setWireGuardTunnelState)({ runtime, configPath, action: 'down' });
+        if (!result.ok)
+            throw new Error(result.message);
+        process.stdout.write(`${result.message}\n`);
         return;
     }
     const runtime = (0, electron_core_wireguard_1.resolveWireGuardConnectionRuntime)({
@@ -254,6 +295,8 @@ function parseEnrollOptions(args) {
         role: 'internal',
         start: true,
         rotateKey: false,
+        directListener: false,
+        preferDirectPeers: false,
     };
     for (let index = 0; index < args.length; index += 1) {
         const arg = args[index];
@@ -305,6 +348,23 @@ function parseEnrollOptions(args) {
             case '--role':
                 options.role = readValue();
                 break;
+            case '--direct-listener':
+                options.directListener = true;
+                break;
+            case '--try-direct-peers':
+            case '--prefer-direct-peers':
+                options.preferDirectPeers = true;
+                break;
+            case '--public-endpoint':
+                options.publicEndpoint = readValue();
+                break;
+            case '--endpoint-host':
+            case '--public-host':
+                options.endpointHost = readValue();
+                break;
+            case '--listen-port':
+                options.listenPort = parsePort(readValue(), arg);
+                break;
             case '--rotate-key':
                 options.rotateKey = true;
                 break;
@@ -449,8 +509,67 @@ function resolveKeypair(options, previous, installDir) {
     }
     return (0, electron_core_wireguard_1.generateWireGuardKeyPairWithCli)(runtime.command);
 }
+function resolveDirectEndpoint(options, previous) {
+    const publicEndpoint = options.publicEndpoint ??
+        process.env.HDO_PUBLIC_ENDPOINT ??
+        process.env.QPJOY_HDO_PUBLIC_ENDPOINT;
+    const parsedEndpoint = publicEndpoint ? parseEndpoint(publicEndpoint) : {};
+    const endpointHost = options.endpointHost ??
+        process.env.HDO_ENDPOINT_HOST ??
+        process.env.QPJOY_HDO_ENDPOINT_HOST ??
+        parsedEndpoint.host ??
+        previous.endpointHost;
+    const listenPort = options.listenPort ??
+        parseOptionalPort(process.env.HDO_LISTEN_PORT ?? process.env.QPJOY_HDO_LISTEN_PORT) ??
+        parsedEndpoint.port ??
+        previous.listenPort;
+    const directListener = Boolean(options.directListener ||
+        publicEndpoint ||
+        options.endpointHost ||
+        options.listenPort ||
+        previous.directListener);
+    const preferDirectPeers = Boolean(options.preferDirectPeers || previous.preferDirectPeers);
+    return {
+        directListener,
+        preferDirectPeers,
+        endpointHost,
+        listenPort,
+        endpoint: endpointHost && listenPort ? `${endpointHost}:${listenPort}` : undefined,
+    };
+}
+function directPeersFromManifest(wireGuard, ownOverlayIp) {
+    const ownIp = ownOverlayIp.split('/')[0] || ownOverlayIp;
+    const rows = Array.isArray(wireGuard.directPeers) ? wireGuard.directPeers : [];
+    return rows.flatMap((item) => {
+        const row = plainObject(item);
+        if (!row)
+            return [];
+        const publicKey = stringField(row.publicKey);
+        const overlayIp = stringField(row.overlayIp);
+        if (!publicKey || !overlayIp || overlayIp === ownIp)
+            return [];
+        const allowedIps = stringArray(row.allowedIps);
+        const peer = {
+            name: `HDO Direct ${stringField(row.label) ?? stringField(row.id) ?? overlayIp}`,
+            publicKey,
+            allowedIps: allowedIps.length ? allowedIps : [`${overlayIp}/32`],
+            endpoint: stringField(row.endpoint),
+            persistentKeepalive: 25,
+        };
+        return [peer];
+    });
+}
 async function startSystemTunnel(interfaceName, configPath, installDir) {
     if (process.platform === 'linux') {
+        const runtime = await ensureLinuxWireGuardRuntime(installDir);
+        if (!commandAvailable('systemctl')) {
+            const result = await (0, electron_core_wireguard_1.setWireGuardTunnelState)({ runtime, configPath, action: 'restart' });
+            if (!result.ok)
+                throw new Error(result.message);
+            return `${result.message} systemctl is unavailable, so this tunnel is not installed as a boot service.`;
+        }
+        ensureLinuxWgQuickSystemdUnit(runtime);
+        inheritRequired('systemctl', ['daemon-reload']);
         inheritRequired('systemctl', ['enable', `wg-quick@${interfaceName}`]);
         inheritRequired('systemctl', ['restart', `wg-quick@${interfaceName}`]);
         return `Enabled and restarted wg-quick@${interfaceName}.`;
@@ -526,6 +645,7 @@ function hdoRuntimeFromManifest(manifest, registered, privateKey) {
         domesticPublicKey,
         domesticEndpoint,
         allowedIps,
+        directPeers: directPeersFromManifest(wireGuard, overlayIp),
         generation: numberField(root.generation),
     };
 }
@@ -596,6 +716,138 @@ function inheritRequired(command, args) {
     const result = (0, node_child_process_1.spawnSync)(command, args, { stdio: 'inherit' });
     assertSpawnOk(command, args, result);
 }
+function printWireGuardRuntimeStatus(runtime, configPath) {
+    process.stdout.write(`Runtime: ${runtime.method}\n`);
+    if (runtime.warnings.length) {
+        process.stdout.write(`Runtime warnings: ${runtime.warnings.join('; ')}\n`);
+    }
+    try {
+        const tunnel = (0, electron_core_wireguard_1.getWireGuardTunnelStatus)({ runtime, configPath });
+        process.stdout.write(`WireGuard active: ${tunnel.active}\n`);
+        if (tunnel.realInterfaceName)
+            process.stdout.write(`Interface: ${tunnel.realInterfaceName}\n`);
+        if (tunnel.peers.length)
+            process.stdout.write(`Peers: ${tunnel.peers.length}\n`);
+        if (tunnel.error)
+            process.stdout.write(`Status detail: ${tunnel.error}\n`);
+    }
+    catch (err) {
+        process.stdout.write(`WireGuard status detail: ${errorMessage(err)}\n`);
+    }
+}
+async function ensureLinuxWireGuardRuntime(installDir) {
+    let runtime = (0, electron_core_wireguard_1.resolveWireGuardConnectionRuntime)({
+        installDir,
+        allowSystemFallback: true,
+    });
+    if (runtime.available)
+        return runtime;
+    const installed = installLinuxWireGuardTools();
+    runtime = (0, electron_core_wireguard_1.resolveWireGuardConnectionRuntime)({
+        installDir,
+        allowSystemFallback: true,
+    });
+    if (runtime.available)
+        return runtime;
+    throw new Error(installed
+        ? runtime.error ?? 'WireGuard runtime unavailable after installing wireguard-tools.'
+        : `${runtime.error ?? 'WireGuard runtime unavailable'}. Install wireguard-tools or use an npm package with the matching @qpjoy/electron-core-wireguard-engine package.`);
+}
+function installLinuxWireGuardTools() {
+    const installers = [
+        { probe: 'apt-get', label: 'apt-get', commands: [['apt-get', 'update'], ['apt-get', 'install', '-y', 'wireguard-tools']] },
+        { probe: 'dnf', label: 'dnf', commands: [['dnf', 'install', '-y', 'wireguard-tools']] },
+        { probe: 'yum', label: 'yum', commands: [['yum', 'install', '-y', 'epel-release'], ['yum', 'install', '-y', 'wireguard-tools']] },
+        { probe: 'apk', label: 'apk', commands: [['apk', 'add', '--no-cache', 'wireguard-tools']] },
+        { probe: 'zypper', label: 'zypper', commands: [['zypper', '--non-interactive', 'install', 'wireguard-tools']] },
+        { probe: 'pacman', label: 'pacman', commands: [['pacman', '-Sy', '--noconfirm', 'wireguard-tools']] },
+    ];
+    for (const installer of installers) {
+        if (!commandAvailable(installer.probe))
+            continue;
+        process.stdout.write(`WireGuard tools are missing; installing wireguard-tools with ${installer.label}.\n`);
+        for (const command of installer.commands) {
+            const [name, ...args] = command;
+            const result = (0, node_child_process_1.spawnSync)(name, args, { stdio: 'inherit' });
+            if (result.status !== 0) {
+                process.stdout.write(`wireguard-tools install step failed: ${command.join(' ')}\n`);
+                return false;
+            }
+        }
+        return true;
+    }
+    return false;
+}
+function ensureLinuxWgQuickSystemdUnit(runtime) {
+    if (systemdUnitUsable())
+        return;
+    const wgQuick = runtime.wgQuick?.command;
+    if (!wgQuick) {
+        throw new Error(runtime.error ?? 'wg-quick unavailable; cannot install systemd boot service.');
+    }
+    const unitPath = '/etc/systemd/system/wg-quick@.service';
+    if ((0, node_fs_1.existsSync)(unitPath)) {
+        throw new Error(`${unitPath} exists but wg/wg-quick is not available in PATH. Install wireguard-tools or fix the existing unit.`);
+    }
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(unitPath), { recursive: true });
+    (0, node_fs_1.writeFileSync)(unitPath, renderLinuxWgQuickSystemdUnit(runtime, wgQuick), { mode: 0o644 });
+    chmodSyncSafe(unitPath, 0o644);
+    process.stdout.write(`Installed ${unitPath} using bundled WireGuard tools.\n`);
+}
+function renderLinuxWgQuickSystemdUnit(runtime, wgQuick) {
+    const pathDirs = uniqueStrings([
+        runtime.wg.command ? (0, node_path_1.dirname)(runtime.wg.command) : '',
+        runtime.wgQuick?.command ? (0, node_path_1.dirname)(runtime.wgQuick.command) : '',
+        runtime.wireGuardGo?.command ? (0, node_path_1.dirname)(runtime.wireGuardGo.command) : '',
+        '/usr/local/sbin',
+        '/usr/local/bin',
+        '/usr/sbin',
+        '/usr/bin',
+        '/sbin',
+        '/bin',
+    ].filter(Boolean));
+    return `[Unit]
+Description=WireGuard via wg-quick(8) for %I
+Documentation=man:wg-quick(8) man:wg(8)
+Wants=network-online.target
+After=network-online.target nss-lookup.target
+ConditionPathExists=/etc/wireguard/%i.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=${systemdQuote(`PATH=${pathDirs.join(':')}`)}
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
+ExecStart=${systemdQuote(wgQuick)} up %i
+ExecStop=${systemdQuote(wgQuick)} down %i
+
+[Install]
+WantedBy=multi-user.target
+`;
+}
+function systemdUnitUsable() {
+    return systemdUnitExists('wg-quick@.service') && commandAvailable('wg') && commandAvailable('wg-quick');
+}
+function systemdUnitExists(unitName) {
+    const paths = [
+        `/etc/systemd/system/${unitName}`,
+        `/run/systemd/system/${unitName}`,
+        `/lib/systemd/system/${unitName}`,
+        `/usr/lib/systemd/system/${unitName}`,
+    ];
+    if (paths.some((path) => (0, node_fs_1.existsSync)(path)))
+        return true;
+    if (!commandAvailable('systemctl'))
+        return false;
+    const result = (0, node_child_process_1.spawnSync)('systemctl', ['cat', unitName], { stdio: 'ignore' });
+    return result.status === 0;
+}
+function commandAvailable(command) {
+    const result = (0, node_child_process_1.spawnSync)('sh', ['-c', 'command -v "$1" >/dev/null 2>&1', 'sh', command], {
+        stdio: 'ignore',
+    });
+    return result.status === 0;
+}
 function uninstallDarwinLaunchDaemonByInterface(interfaceName) {
     const component = sanitizeLaunchDaemonComponent(interfaceName);
     const label = `com.qpjoy.hdo.wireguard.${component}`;
@@ -650,6 +902,28 @@ function sanitizeId(value) {
         .replace(/^-+|-+$/g, '')
         .slice(0, 80) || 'device';
 }
+function parseEndpoint(value) {
+    const trimmed = value.trim();
+    const index = trimmed.lastIndexOf(':');
+    if (index <= 0 || index === trimmed.length - 1) {
+        throw new Error(`Invalid --public-endpoint, expected HOST:PORT: ${value}`);
+    }
+    const host = trimmed.slice(0, index).replace(/^\[|\]$/g, '');
+    const port = parsePort(trimmed.slice(index + 1), '--public-endpoint');
+    return { host, port };
+}
+function parsePort(value, label) {
+    const port = Number(value);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error(`Invalid ${label}: ${value}`);
+    }
+    return port;
+}
+function parseOptionalPort(value) {
+    if (!value)
+        return undefined;
+    return parsePort(value, 'listen port');
+}
 function tokenExpired(value) {
     if (!value)
         return false;
@@ -676,6 +950,9 @@ function sanitizeLaunchDaemonComponent(value) {
 function shellQuote(value) {
     return `'${String(value).replace(/'/g, `'\\''`)}'`;
 }
+function systemdQuote(value) {
+    return `"${String(value).replace(/%/g, '%%').replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+}
 function appleScriptString(value) {
     return `"${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
 }
@@ -687,6 +964,9 @@ function requireRecord(value, label) {
         throw new Error(`${label} is not an object.`);
     return value;
 }
+function plainObject(value) {
+    return isRecord(value) ? value : null;
+}
 function isRecord(value) {
     return typeof value === 'object' && value !== null && !Array.isArray(value);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qpjoy/tunnel-cli",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "Global QPJoy Tunnel CLI for mihomo-client and cross-platform HDO mesh enrollment.",
   "private": false,
   "type": "commonjs",
@@ -22,7 +22,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@qpjoy/electron-core-wireguard": "^0.1.18"
+    "@qpjoy/electron-core-wireguard": "^0.1.19"
   },
   "devDependencies": {
     "@types/node": "^22.10.7"