@qpjoy/tunnel-cli 0.1.6 → 0.1.7

package/dist/hdo.js

@@ -58,6 +58,12 @@ Enroll options:
   --install-dir PATH     WireGuard engine install/cache directory
   --state-file PATH      HDO client state file
   --role ROLE            Metadata role. Default: internal
+  --direct-listener      Accept direct WireGuard peers from other HDO devices
+  --try-direct-peers     Try direct HDO device peers from observed NAT endpoints
+  --public-endpoint HOST:PORT
+                         Publish this device as a direct peer endpoint
+  --endpoint-host HOST   Direct peer endpoint host
+  --listen-port PORT     Local WireGuard listen port for direct peers
   --rotate-key           Generate a new WireGuard keypair
   --no-start             Write config without starting the system tunnel
 
@@ -66,6 +72,7 @@ Environment:
   HDO_USERNAME / QPJOY_HDO_USERNAME
   HDO_PASSWORD / QPJOY_HDO_PASSWORD
   HDO_TOKEN / QPJOY_HDO_TOKEN
+  HDO_PUBLIC_ENDPOINT / QPJOY_HDO_PUBLIC_ENDPOINT
 
 Examples:
   qp-tunnel-cli hdo enroll \\
@@ -80,6 +87,9 @@ Notes:
   Linux writes /etc/wireguard and enables wg-quick@<interface>.
   If Linux does not provide wg-quick@.service, this CLI installs a compatible
   systemd unit that uses the bundled WireGuard tools from npm.
+  Use --direct-listener --public-endpoint HOST:PORT on reachable Internal
+  machines. Use --try-direct-peers only when both devices are managed by this
+  CLI/plugin and you accept NAT hole-punching fallback risk.
   macOS installs a LaunchDaemon and may prompt for an administrator password.
   Windows installs a WireGuard tunnel service and may show a UAC prompt.
 
@@ -112,6 +122,7 @@ async function enrollCommand(args, refreshOnly) {
         `hdo-${process.platform}-${sanitizeId((0, node_os_1.hostname)())}`;
     const label = options.label || previous.label || `${process.platform} ${(0, node_os_1.hostname)()}`;
     const keys = resolveKeypair(options, previous, installDir);
+    const direct = resolveDirectEndpoint(options, previous);
     const registered = await apiJson(serverUrl, auth.accessToken, '/api/v1/hdo/devices/register', {
         method: 'POST',
         body: {
@@ -127,6 +138,12 @@ async function enrollCommand(args, refreshOnly) {
                 wireGuard: {
                     publicKey: keys.publicKey,
                     interfaceName,
+                    preferDirectPeers: direct.preferDirectPeers,
+                    acceptDirectPeers: direct.directListener,
+                    directListener: direct.directListener,
+                    endpointHost: direct.endpointHost,
+                    listenPort: direct.listenPort,
+                    endpoint: direct.endpoint,
                     updatedAt: new Date().toISOString(),
                 },
             },
@@ -139,9 +156,11 @@ async function enrollCommand(args, refreshOnly) {
     writeWireGuardConfig(configPath, (0, electron_core_wireguard_1.renderHdoClientWireGuardConfig)({
         privateKey: runtime.privateKey,
         address: runtime.address,
+        listenPort: direct.listenPort,
         domesticPublicKey: runtime.domesticPublicKey,
         domesticEndpoint: runtime.domesticEndpoint,
         allowedIps: runtime.allowedIps,
+        directPeers: runtime.directPeers,
         persistentKeepalive: 25,
     }));
     const now = new Date().toISOString();
@@ -160,6 +179,10 @@ async function enrollCommand(args, refreshOnly) {
         privateKey: keys.privateKey,
         publicKey: keys.publicKey,
         overlayIp: runtime.overlayIp,
+        directListener: direct.directListener,
+        preferDirectPeers: direct.preferDirectPeers,
+        endpointHost: direct.endpointHost,
+        listenPort: direct.listenPort,
         lastManifestGeneration: runtime.generation,
         enrolledAt: previous.enrolledAt || now,
         updatedAt: now,
@@ -272,6 +295,8 @@ function parseEnrollOptions(args) {
         role: 'internal',
         start: true,
         rotateKey: false,
+        directListener: false,
+        preferDirectPeers: false,
     };
     for (let index = 0; index < args.length; index += 1) {
         const arg = args[index];
@@ -323,6 +348,23 @@ function parseEnrollOptions(args) {
             case '--role':
                 options.role = readValue();
                 break;
+            case '--direct-listener':
+                options.directListener = true;
+                break;
+            case '--try-direct-peers':
+            case '--prefer-direct-peers':
+                options.preferDirectPeers = true;
+                break;
+            case '--public-endpoint':
+                options.publicEndpoint = readValue();
+                break;
+            case '--endpoint-host':
+            case '--public-host':
+                options.endpointHost = readValue();
+                break;
+            case '--listen-port':
+                options.listenPort = parsePort(readValue(), arg);
+                break;
             case '--rotate-key':
                 options.rotateKey = true;
                 break;
@@ -467,6 +509,56 @@ function resolveKeypair(options, previous, installDir) {
     }
     return (0, electron_core_wireguard_1.generateWireGuardKeyPairWithCli)(runtime.command);
 }
+function resolveDirectEndpoint(options, previous) {
+    const publicEndpoint = options.publicEndpoint ??
+        process.env.HDO_PUBLIC_ENDPOINT ??
+        process.env.QPJOY_HDO_PUBLIC_ENDPOINT;
+    const parsedEndpoint = publicEndpoint ? parseEndpoint(publicEndpoint) : {};
+    const endpointHost = options.endpointHost ??
+        process.env.HDO_ENDPOINT_HOST ??
+        process.env.QPJOY_HDO_ENDPOINT_HOST ??
+        parsedEndpoint.host ??
+        previous.endpointHost;
+    const listenPort = options.listenPort ??
+        parseOptionalPort(process.env.HDO_LISTEN_PORT ?? process.env.QPJOY_HDO_LISTEN_PORT) ??
+        parsedEndpoint.port ??
+        previous.listenPort;
+    const directListener = Boolean(options.directListener ||
+        publicEndpoint ||
+        options.endpointHost ||
+        options.listenPort ||
+        previous.directListener);
+    const preferDirectPeers = Boolean(options.preferDirectPeers || previous.preferDirectPeers);
+    return {
+        directListener,
+        preferDirectPeers,
+        endpointHost,
+        listenPort,
+        endpoint: endpointHost && listenPort ? `${endpointHost}:${listenPort}` : undefined,
+    };
+}
+function directPeersFromManifest(wireGuard, ownOverlayIp) {
+    const ownIp = ownOverlayIp.split('/')[0] || ownOverlayIp;
+    const rows = Array.isArray(wireGuard.directPeers) ? wireGuard.directPeers : [];
+    return rows.flatMap((item) => {
+        const row = plainObject(item);
+        if (!row)
+            return [];
+        const publicKey = stringField(row.publicKey);
+        const overlayIp = stringField(row.overlayIp);
+        if (!publicKey || !overlayIp || overlayIp === ownIp)
+            return [];
+        const allowedIps = stringArray(row.allowedIps);
+        const peer = {
+            name: `HDO Direct ${stringField(row.label) ?? stringField(row.id) ?? overlayIp}`,
+            publicKey,
+            allowedIps: allowedIps.length ? allowedIps : [`${overlayIp}/32`],
+            endpoint: stringField(row.endpoint),
+            persistentKeepalive: 25,
+        };
+        return [peer];
+    });
+}
 async function startSystemTunnel(interfaceName, configPath, installDir) {
     if (process.platform === 'linux') {
         const runtime = await ensureLinuxWireGuardRuntime(installDir);
@@ -553,6 +645,7 @@ function hdoRuntimeFromManifest(manifest, registered, privateKey) {
         domesticPublicKey,
         domesticEndpoint,
         allowedIps,
+        directPeers: directPeersFromManifest(wireGuard, overlayIp),
         generation: numberField(root.generation),
     };
 }
@@ -809,6 +902,28 @@ function sanitizeId(value) {
         .replace(/^-+|-+$/g, '')
         .slice(0, 80) || 'device';
 }
+function parseEndpoint(value) {
+    const trimmed = value.trim();
+    const index = trimmed.lastIndexOf(':');
+    if (index <= 0 || index === trimmed.length - 1) {
+        throw new Error(`Invalid --public-endpoint, expected HOST:PORT: ${value}`);
+    }
+    const host = trimmed.slice(0, index).replace(/^\[|\]$/g, '');
+    const port = parsePort(trimmed.slice(index + 1), '--public-endpoint');
+    return { host, port };
+}
+function parsePort(value, label) {
+    const port = Number(value);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error(`Invalid ${label}: ${value}`);
+    }
+    return port;
+}
+function parseOptionalPort(value) {
+    if (!value)
+        return undefined;
+    return parsePort(value, 'listen port');
+}
 function tokenExpired(value) {
     if (!value)
         return false;
@@ -849,6 +964,9 @@ function requireRecord(value, label) {
         throw new Error(`${label} is not an object.`);
     return value;
 }
+function plainObject(value) {
+    return isRecord(value) ? value : null;
+}
 function isRecord(value) {
     return typeof value === 'object' && value !== null && !Array.isArray(value);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qpjoy/tunnel-cli",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Global QPJoy Tunnel CLI for mihomo-client and cross-platform HDO mesh enrollment.",
   "private": false,
   "type": "commonjs",
@@ -22,7 +22,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@qpjoy/electron-core-wireguard": "^0.1.18"
+    "@qpjoy/electron-core-wireguard": "^0.1.19"
   },
   "devDependencies": {
     "@types/node": "^22.10.7"