npm - @qpjoy/tunnel-cli - Versions diffs - 0.1.6 → 0.1.8 - Mend

@qpjoy/tunnel-cli 0.1.6 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/hdo.js +125 -2
package/package.json +2 -2

package/dist/hdo.js CHANGED Viewed

@@ -58,6 +58,12 @@ Enroll options:
   --install-dir PATH     WireGuard engine install/cache directory
   --state-file PATH      HDO client state file
   --role ROLE            Metadata role. Default: internal
+  --direct-listener      Accept direct WireGuard peers from other HDO devices
+  --try-direct-peers     Try direct HDO device peers from observed NAT endpoints
+  --public-endpoint HOST:PORT
+                         Publish this device as a direct peer endpoint
+  --endpoint-host HOST   Direct peer endpoint host
+  --listen-port PORT     Local WireGuard listen port for direct peers
   --rotate-key           Generate a new WireGuard keypair
   --no-start             Write config without starting the system tunnel
@@ -66,6 +72,7 @@ Environment:
   HDO_USERNAME / QPJOY_HDO_USERNAME
   HDO_PASSWORD / QPJOY_HDO_PASSWORD
   HDO_TOKEN / QPJOY_HDO_TOKEN
+  HDO_PUBLIC_ENDPOINT / QPJOY_HDO_PUBLIC_ENDPOINT
 Examples:
   qp-tunnel-cli hdo enroll \\
@@ -80,6 +87,9 @@ Notes:
   Linux writes /etc/wireguard and enables wg-quick@<interface>.
   If Linux does not provide wg-quick@.service, this CLI installs a compatible
   systemd unit that uses the bundled WireGuard tools from npm.
+  Use --direct-listener --public-endpoint HOST:PORT on reachable Internal
+  machines. Use --try-direct-peers only when both devices are managed by this
+  CLI/plugin and you accept NAT hole-punching fallback risk.
   macOS installs a LaunchDaemon and may prompt for an administrator password.
   Windows installs a WireGuard tunnel service and may show a UAC prompt.
@@ -112,6 +122,7 @@ async function enrollCommand(args, refreshOnly) {
         `hdo-${process.platform}-${sanitizeId((0, node_os_1.hostname)())}`;
     const label = options.label || previous.label || `${process.platform} ${(0, node_os_1.hostname)()}`;
     const keys = resolveKeypair(options, previous, installDir);
+    const direct = resolveDirectEndpoint(options, previous);
     const registered = await apiJson(serverUrl, auth.accessToken, '/api/v1/hdo/devices/register', {
         method: 'POST',
         body: {
@@ -127,6 +138,12 @@ async function enrollCommand(args, refreshOnly) {
                 wireGuard: {
                     publicKey: keys.publicKey,
                     interfaceName,
+                    preferDirectPeers: direct.preferDirectPeers,
+                    acceptDirectPeers: direct.directListener,
+                    directListener: direct.directListener,
+                    endpointHost: direct.endpointHost,
+                    listenPort: direct.listenPort,
+                    endpoint: direct.endpoint,
                     updatedAt: new Date().toISOString(),
                 },
             },
@@ -135,13 +152,17 @@ async function enrollCommand(args, refreshOnly) {
     const manifest = await apiJson(serverUrl, auth.accessToken, `/api/v1/hdo/manifest/${encodeURIComponent(deviceId)}`, {
         method: 'GET',
     });
-    const runtime = hdoRuntimeFromManifest(manifest, registered, keys.privateKey);
+    const runtime = hdoRuntimeFromManifest(manifest, registered, keys.privateKey, {
+        allowEndpointlessDirectPeers: direct.directListener,
+    });
     writeWireGuardConfig(configPath, (0, electron_core_wireguard_1.renderHdoClientWireGuardConfig)({
         privateKey: runtime.privateKey,
         address: runtime.address,
+        listenPort: direct.listenPort,
         domesticPublicKey: runtime.domesticPublicKey,
         domesticEndpoint: runtime.domesticEndpoint,
         allowedIps: runtime.allowedIps,
+        directPeers: runtime.directPeers,
         persistentKeepalive: 25,
     }));
     const now = new Date().toISOString();
@@ -160,6 +181,10 @@ async function enrollCommand(args, refreshOnly) {
         privateKey: keys.privateKey,
         publicKey: keys.publicKey,
         overlayIp: runtime.overlayIp,
+        directListener: direct.directListener,
+        preferDirectPeers: direct.preferDirectPeers,
+        endpointHost: direct.endpointHost,
+        listenPort: direct.listenPort,
         lastManifestGeneration: runtime.generation,
         enrolledAt: previous.enrolledAt || now,
         updatedAt: now,
@@ -272,6 +297,8 @@ function parseEnrollOptions(args) {
         role: 'internal',
         start: true,
         rotateKey: false,
+        directListener: false,
+        preferDirectPeers: false,
     };
     for (let index = 0; index < args.length; index += 1) {
         const arg = args[index];
@@ -323,6 +350,23 @@ function parseEnrollOptions(args) {
             case '--role':
                 options.role = readValue();
                 break;
+            case '--direct-listener':
+                options.directListener = true;
+                break;
+            case '--try-direct-peers':
+            case '--prefer-direct-peers':
+                options.preferDirectPeers = true;
+                break;
+            case '--public-endpoint':
+                options.publicEndpoint = readValue();
+                break;
+            case '--endpoint-host':
+            case '--public-host':
+                options.endpointHost = readValue();
+                break;
+            case '--listen-port':
+                options.listenPort = parsePort(readValue(), arg);
+                break;
             case '--rotate-key':
                 options.rotateKey = true;
                 break;
@@ -467,6 +511,59 @@ function resolveKeypair(options, previous, installDir) {
     }
     return (0, electron_core_wireguard_1.generateWireGuardKeyPairWithCli)(runtime.command);
 }
+function resolveDirectEndpoint(options, previous) {
+    const publicEndpoint = options.publicEndpoint ??
+        process.env.HDO_PUBLIC_ENDPOINT ??
+        process.env.QPJOY_HDO_PUBLIC_ENDPOINT;
+    const parsedEndpoint = publicEndpoint ? parseEndpoint(publicEndpoint) : {};
+    const endpointHost = options.endpointHost ??
+        process.env.HDO_ENDPOINT_HOST ??
+        process.env.QPJOY_HDO_ENDPOINT_HOST ??
+        parsedEndpoint.host ??
+        previous.endpointHost;
+    const listenPort = options.listenPort ??
+        parseOptionalPort(process.env.HDO_LISTEN_PORT ?? process.env.QPJOY_HDO_LISTEN_PORT) ??
+        parsedEndpoint.port ??
+        previous.listenPort;
+    const directListener = Boolean(options.directListener ||
+        publicEndpoint ||
+        options.endpointHost ||
+        options.listenPort ||
+        previous.directListener);
+    const preferDirectPeers = Boolean(options.preferDirectPeers || previous.preferDirectPeers);
+    return {
+        directListener,
+        preferDirectPeers,
+        endpointHost,
+        listenPort,
+        endpoint: endpointHost && listenPort ? `${endpointHost}:${listenPort}` : undefined,
+    };
+}
+function directPeersFromManifest(wireGuard, ownOverlayIp, options = {}) {
+    const ownIp = ownOverlayIp.split('/')[0] || ownOverlayIp;
+    const rows = Array.isArray(wireGuard.directPeers) ? wireGuard.directPeers : [];
+    return rows.flatMap((item) => {
+        const row = plainObject(item);
+        if (!row)
+            return [];
+        const publicKey = stringField(row.publicKey);
+        const overlayIp = stringField(row.overlayIp);
+        if (!publicKey || !overlayIp || overlayIp === ownIp)
+            return [];
+        const allowedIps = stringArray(row.allowedIps);
+        const endpoint = stringField(row.endpoint);
+        if (!endpoint && options.allowEndpointlessDirectPeers !== true)
+            return [];
+        const peer = {
+            name: `HDO Direct ${stringField(row.label) ?? stringField(row.id) ?? overlayIp}`,
+            publicKey,
+            allowedIps: allowedIps.length ? allowedIps : [`${overlayIp}/32`],
+            endpoint,
+            persistentKeepalive: 25,
+        };
+        return [peer];
+    });
+}
 async function startSystemTunnel(interfaceName, configPath, installDir) {
     if (process.platform === 'linux') {
         const runtime = await ensureLinuxWireGuardRuntime(installDir);
@@ -519,7 +616,7 @@ function writeWireGuardConfig(path, content) {
     (0, node_fs_1.writeFileSync)(path, content, { mode: 0o600 });
     chmodSyncSafe(path, 0o600);
 }
-function hdoRuntimeFromManifest(manifest, registered, privateKey) {
+function hdoRuntimeFromManifest(manifest, registered, privateKey, options = {}) {
     const root = requireRecord(manifest, 'manifest');
     const license = requireRecord(root.license, 'manifest.license');
     if (license.active !== true) {
@@ -553,6 +650,7 @@ function hdoRuntimeFromManifest(manifest, registered, privateKey) {
         domesticPublicKey,
         domesticEndpoint,
         allowedIps,
+        directPeers: directPeersFromManifest(wireGuard, overlayIp, options),
         generation: numberField(root.generation),
     };
 }
@@ -809,6 +907,28 @@ function sanitizeId(value) {
         .replace(/^-+|-+$/g, '')
         .slice(0, 80) || 'device';
 }
+function parseEndpoint(value) {
+    const trimmed = value.trim();
+    const index = trimmed.lastIndexOf(':');
+    if (index <= 0 || index === trimmed.length - 1) {
+        throw new Error(`Invalid --public-endpoint, expected HOST:PORT: ${value}`);
+    }
+    const host = trimmed.slice(0, index).replace(/^\[|\]$/g, '');
+    const port = parsePort(trimmed.slice(index + 1), '--public-endpoint');
+    return { host, port };
+}
+function parsePort(value, label) {
+    const port = Number(value);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) {
+        throw new Error(`Invalid ${label}: ${value}`);
+    }
+    return port;
+}
+function parseOptionalPort(value) {
+    if (!value)
+        return undefined;
+    return parsePort(value, 'listen port');
+}
 function tokenExpired(value) {
     if (!value)
         return false;
@@ -849,6 +969,9 @@ function requireRecord(value, label) {
         throw new Error(`${label} is not an object.`);
     return value;
 }
+function plainObject(value) {
+    return isRecord(value) ? value : null;
+}
 function isRecord(value) {
     return typeof value === 'object' && value !== null && !Array.isArray(value);
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@qpjoy/tunnel-cli",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "Global QPJoy Tunnel CLI for mihomo-client and cross-platform HDO mesh enrollment.",
   "private": false,
   "type": "commonjs",
@@ -22,7 +22,7 @@
     "access": "public"
   },
   "dependencies": {
-    "@qpjoy/electron-core-wireguard": "^0.1.18"
+    "@qpjoy/electron-core-wireguard": "^0.1.21"
   },
   "devDependencies": {
     "@types/node": "^22.10.7"