@serve.zone/dcrouter 11.12.4 → 11.13.0

package/dist_ts/vpn/classes.vpn-manager.js

@@ -0,0 +1,297 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logger.js';
+const STORAGE_PREFIX_KEYS = '/vpn/server-keys';
+const STORAGE_PREFIX_CLIENTS = '/vpn/clients/';
+/**
+ * Manages the SmartVPN server lifecycle and VPN client CRUD.
+ * Persists server keys and client registrations via StorageManager.
+ */
+export class VpnManager {
+    storageManager;
+    config;
+    vpnServer;
+    clients = new Map();
+    serverKeys;
+    _forwardingMode;
+    constructor(storageManager, config) {
+        this.storageManager = storageManager;
+        this.config = config;
+        // Auto-detect forwarding mode: tun if root, socket otherwise
+        this._forwardingMode = config.forwardingMode
+            ?? (process.getuid?.() === 0 ? 'tun' : 'socket');
+    }
+    /** The effective forwarding mode (tun or socket). */
+    get forwardingMode() {
+        return this._forwardingMode;
+    }
+    /** The VPN subnet CIDR. */
+    getSubnet() {
+        return this.config.subnet || '10.8.0.0/24';
+    }
+    /** Whether the VPN server is running. */
+    get running() {
+        return this.vpnServer?.running ?? false;
+    }
+    /**
+     * Start the VPN server.
+     * Loads or generates server keys, loads persisted clients, starts VpnServer.
+     */
+    async start() {
+        // Load or generate server keys
+        this.serverKeys = await this.loadOrGenerateServerKeys();
+        // Load persisted clients
+        await this.loadPersistedClients();
+        // Build client entries for the daemon
+        const clientEntries = [];
+        for (const client of this.clients.values()) {
+            clientEntries.push({
+                clientId: client.clientId,
+                publicKey: client.noisePublicKey,
+                wgPublicKey: client.wgPublicKey,
+                enabled: client.enabled,
+                tags: client.tags,
+                description: client.description,
+                assignedIp: client.assignedIp,
+                expiresAt: client.expiresAt,
+            });
+        }
+        const subnet = this.getSubnet();
+        const wgListenPort = this.config.wgListenPort ?? 51820;
+        // Create and start VpnServer
+        this.vpnServer = new plugins.smartvpn.VpnServer({
+            transport: { transport: 'stdio' },
+        });
+        const serverConfig = {
+            listenAddr: '0.0.0.0:0', // WS listener not strictly needed but required field
+            privateKey: this.serverKeys.noisePrivateKey,
+            publicKey: this.serverKeys.noisePublicKey,
+            subnet,
+            dns: this.config.dns,
+            forwardingMode: this._forwardingMode,
+            transportMode: 'all',
+            wgPrivateKey: this.serverKeys.wgPrivateKey,
+            wgListenPort,
+            clients: clientEntries,
+            socketForwardProxyProtocol: this._forwardingMode === 'socket',
+        };
+        await this.vpnServer.start(serverConfig);
+        logger.log('info', `VPN server started: mode=${this._forwardingMode}, subnet=${subnet}, wg=:${wgListenPort}, clients=${this.clients.size}`);
+    }
+    /**
+     * Stop the VPN server.
+     */
+    async stop() {
+        if (this.vpnServer) {
+            try {
+                await this.vpnServer.stopServer();
+            }
+            catch {
+                // Ignore stop errors
+            }
+            this.vpnServer.stop();
+            this.vpnServer = undefined;
+        }
+        logger.log('info', 'VPN server stopped');
+    }
+    // ── Client CRUD ────────────────────────────────────────────────────────
+    /**
+     * Create a new VPN client. Returns the config bundle (secrets only shown once).
+     */
+    async createClient(opts) {
+        if (!this.vpnServer) {
+            throw new Error('VPN server not running');
+        }
+        const bundle = await this.vpnServer.createClient({
+            clientId: opts.clientId,
+            tags: opts.tags,
+            description: opts.description,
+        });
+        // Update WireGuard config endpoint if serverEndpoint is configured
+        if (this.config.serverEndpoint && bundle.wireguardConfig) {
+            const wgPort = this.config.wgListenPort ?? 51820;
+            bundle.wireguardConfig = bundle.wireguardConfig.replace(/Endpoint\s*=\s*.+/, `Endpoint = ${this.config.serverEndpoint}:${wgPort}`);
+        }
+        // Persist client entry (without private keys)
+        const persisted = {
+            clientId: bundle.entry.clientId,
+            enabled: bundle.entry.enabled ?? true,
+            tags: bundle.entry.tags,
+            description: bundle.entry.description,
+            assignedIp: bundle.entry.assignedIp,
+            noisePublicKey: bundle.entry.publicKey,
+            wgPublicKey: bundle.entry.wgPublicKey || '',
+            createdAt: Date.now(),
+            updatedAt: Date.now(),
+            expiresAt: bundle.entry.expiresAt,
+        };
+        this.clients.set(persisted.clientId, persisted);
+        await this.persistClient(persisted);
+        return bundle;
+    }
+    /**
+     * Remove a VPN client.
+     */
+    async removeClient(clientId) {
+        if (!this.vpnServer) {
+            throw new Error('VPN server not running');
+        }
+        await this.vpnServer.removeClient(clientId);
+        this.clients.delete(clientId);
+        await this.storageManager.delete(`${STORAGE_PREFIX_CLIENTS}${clientId}`);
+    }
+    /**
+     * List all registered clients (without secrets).
+     */
+    listClients() {
+        return [...this.clients.values()];
+    }
+    /**
+     * Enable a client.
+     */
+    async enableClient(clientId) {
+        if (!this.vpnServer)
+            throw new Error('VPN server not running');
+        await this.vpnServer.enableClient(clientId);
+        const client = this.clients.get(clientId);
+        if (client) {
+            client.enabled = true;
+            client.updatedAt = Date.now();
+            await this.persistClient(client);
+        }
+    }
+    /**
+     * Disable a client.
+     */
+    async disableClient(clientId) {
+        if (!this.vpnServer)
+            throw new Error('VPN server not running');
+        await this.vpnServer.disableClient(clientId);
+        const client = this.clients.get(clientId);
+        if (client) {
+            client.enabled = false;
+            client.updatedAt = Date.now();
+            await this.persistClient(client);
+        }
+    }
+    /**
+     * Rotate a client's keys. Returns the new config bundle.
+     */
+    async rotateClientKey(clientId) {
+        if (!this.vpnServer)
+            throw new Error('VPN server not running');
+        const bundle = await this.vpnServer.rotateClientKey(clientId);
+        // Update endpoint in WireGuard config
+        if (this.config.serverEndpoint && bundle.wireguardConfig) {
+            const wgPort = this.config.wgListenPort ?? 51820;
+            bundle.wireguardConfig = bundle.wireguardConfig.replace(/Endpoint\s*=\s*.+/, `Endpoint = ${this.config.serverEndpoint}:${wgPort}`);
+        }
+        // Update persisted entry with new public keys
+        const client = this.clients.get(clientId);
+        if (client) {
+            client.noisePublicKey = bundle.entry.publicKey;
+            client.wgPublicKey = bundle.entry.wgPublicKey || '';
+            client.updatedAt = Date.now();
+            await this.persistClient(client);
+        }
+        return bundle;
+    }
+    /**
+     * Export a client config (without secrets).
+     */
+    async exportClientConfig(clientId, format) {
+        if (!this.vpnServer)
+            throw new Error('VPN server not running');
+        let config = await this.vpnServer.exportClientConfig(clientId, format);
+        // Update endpoint in WireGuard config
+        if (format === 'wireguard' && this.config.serverEndpoint) {
+            const wgPort = this.config.wgListenPort ?? 51820;
+            config = config.replace(/Endpoint\s*=\s*.+/, `Endpoint = ${this.config.serverEndpoint}:${wgPort}`);
+        }
+        return config;
+    }
+    // ── Status and telemetry ───────────────────────────────────────────────
+    /**
+     * Get server status.
+     */
+    async getStatus() {
+        if (!this.vpnServer)
+            return null;
+        return this.vpnServer.getStatus();
+    }
+    /**
+     * Get server statistics.
+     */
+    async getStatistics() {
+        if (!this.vpnServer)
+            return null;
+        return this.vpnServer.getStatistics();
+    }
+    /**
+     * List currently connected clients.
+     */
+    async getConnectedClients() {
+        if (!this.vpnServer)
+            return [];
+        return this.vpnServer.listClients();
+    }
+    /**
+     * Get telemetry for a specific client.
+     */
+    async getClientTelemetry(clientId) {
+        if (!this.vpnServer)
+            return null;
+        return this.vpnServer.getClientTelemetry(clientId);
+    }
+    /**
+     * Get server public keys (for display/info).
+     */
+    getServerPublicKeys() {
+        if (!this.serverKeys)
+            return null;
+        return {
+            noisePublicKey: this.serverKeys.noisePublicKey,
+            wgPublicKey: this.serverKeys.wgPublicKey,
+        };
+    }
+    // ── Private helpers ────────────────────────────────────────────────────
+    async loadOrGenerateServerKeys() {
+        const stored = await this.storageManager.getJSON(STORAGE_PREFIX_KEYS);
+        if (stored?.noisePrivateKey && stored?.wgPrivateKey) {
+            logger.log('info', 'Loaded VPN server keys from storage');
+            return stored;
+        }
+        // Generate new keys via the daemon
+        const tempServer = new plugins.smartvpn.VpnServer({
+            transport: { transport: 'stdio' },
+        });
+        await tempServer.start();
+        const noiseKeys = await tempServer.generateKeypair();
+        const wgKeys = await tempServer.generateWgKeypair();
+        tempServer.stop();
+        const keys = {
+            noisePrivateKey: noiseKeys.privateKey,
+            noisePublicKey: noiseKeys.publicKey,
+            wgPrivateKey: wgKeys.privateKey,
+            wgPublicKey: wgKeys.publicKey,
+        };
+        await this.storageManager.setJSON(STORAGE_PREFIX_KEYS, keys);
+        logger.log('info', 'Generated and persisted new VPN server keys');
+        return keys;
+    }
+    async loadPersistedClients() {
+        const keys = await this.storageManager.list(STORAGE_PREFIX_CLIENTS);
+        for (const key of keys) {
+            const client = await this.storageManager.getJSON(key);
+            if (client) {
+                this.clients.set(client.clientId, client);
+            }
+        }
+        if (this.clients.size > 0) {
+            logger.log('info', `Loaded ${this.clients.size} persisted VPN client(s)`);
+        }
+    }
+    async persistClient(client) {
+        await this.storageManager.setJSON(`${STORAGE_PREFIX_CLIENTS}${client.clientId}`, client);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xhc3Nlcy52cG4tbWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL3Zwbi9jbGFzc2VzLnZwbi1tYW5hZ2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sS0FBSyxPQUFPLE1BQU0sZUFBZSxDQUFDO0FBQ3pDLE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxjQUFjLENBQUM7QUFHdEMsTUFBTSxtQkFBbUIsR0FBRyxrQkFBa0IsQ0FBQztBQUMvQyxNQUFNLHNCQUFzQixHQUFHLGVBQWUsQ0FBQztBQW1DL0M7OztHQUdHO0FBQ0gsTUFBTSxPQUFPLFVBQVU7SUFDYixjQUFjLENBQWlCO0lBQy9CLE1BQU0sQ0FBb0I7SUFDMUIsU0FBUyxDQUE4QjtJQUN2QyxPQUFPLEdBQWtDLElBQUksR0FBRyxFQUFFLENBQUM7SUFDbkQsVUFBVSxDQUF3QjtJQUNsQyxlQUFlLENBQW1CO0lBRTFDLFlBQVksY0FBOEIsRUFBRSxNQUF5QjtRQUNuRSxJQUFJLENBQUMsY0FBYyxHQUFHLGNBQWMsQ0FBQztRQUNyQyxJQUFJLENBQUMsTUFBTSxHQUFHLE1BQU0sQ0FBQztRQUNyQiw2REFBNkQ7UUFDN0QsSUFBSSxDQUFDLGVBQWUsR0FBRyxNQUFNLENBQUMsY0FBYztlQUN2QyxDQUFDLE9BQU8sQ0FBQyxNQUFNLEVBQUUsRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxRQUFRLENBQUMsQ0FBQztJQUNyRCxDQUFDO0lBRUQscURBQXFEO0lBQ3JELElBQVcsY0FBYztRQUN2QixPQUFPLElBQUksQ0FBQyxlQUFlLENBQUM7SUFDOUIsQ0FBQztJQUVELDJCQUEyQjtJQUNwQixTQUFTO1FBQ2QsT0FBTyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sSUFBSSxhQUFhLENBQUM7SUFDN0MsQ0FBQztJQUVELHlDQUF5QztJQUN6QyxJQUFXLE9BQU87UUFDaEIsT0FBTyxJQUFJLENBQUMsU0FBUyxFQUFFLE9BQU8sSUFBSSxLQUFLLENBQUM7SUFDMUMsQ0FBQztJQUVEOzs7T0FHRztJQUNJLEtBQUssQ0FBQyxLQUFLO1FBQ2hCLCtCQUErQjtRQUMvQixJQUFJLENBQUMsVUFBVSxHQUFHLE1BQU0sSUFBSSxDQUFDLHdCQUF3QixFQUFFLENBQUM7UUFFeEQseUJBQXlCO1FBQ3pCLE1BQU0sSUFBSSxDQUFDLG9CQUFvQixFQUFFLENBQUM7UUFFbEMsc0NBQXNDO1FBQ3RDLE1BQU0sYUFBYSxHQUFvQyxFQUFFLENBQUM7UUFDMUQsS0FBSyxNQUFNLE1BQU0sSUFBSSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUM7WUFDM0MsYUFBYSxDQUFDLElBQUksQ0FBQztnQkFDakIsUUFBUSxFQUFFLE1BQU0sQ0FBQyxRQUFRO2dCQUN6QixTQUFTLEVBQUUsTUFBTSxDQUFDLGNBQWM7Z0JBQ2hDLFdBQVcsRUFBRSxNQUFNLENBQUMsV0FBVztnQkFDL0IsT0FBTyxFQUFFLE1BQU0sQ0FBQyxPQUFPO2dCQUN2QixJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUk7Z0JBQ2pCLFdBQVcsRUFBRSxNQUFNLENBQUMsV0FBVztnQkFDL0IsVUFBVSxFQUFFLE1BQU0sQ0FBQyxVQUFVO2dCQUM3QixTQUFTLEVBQUUsTUFBTSxDQUFDLFNBQVM7YUFDNUIsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUVELE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztRQUNoQyxNQUFNLFlBQVksR0FBRyxJQUFJLENBQUMsTUFBTSxDQUFDLFlBQVksSUFBSSxLQUFLLENBQUM7UUFFdkQsNkJBQTZCO1FBQzdCLElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxPQUFPLENBQUMsUUFBUSxDQUFDLFNBQVMsQ0FBQztZQUM5QyxTQUFTLEVBQUUsRUFBRSxTQUFTLEVBQUUsT0FBTyxFQUFFO1NBQ2xDLENBQUMsQ0FBQztRQUVILE1BQU0sWUFBWSxHQUFzQztZQUN0RCxVQUFVLEVBQUUsV0FBVyxFQUFFLHFEQUFxRDtZQUM5RSxVQUFVLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxlQUFlO1lBQzNDLFNBQVMsRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLGNBQWM7WUFDekMsTUFBTTtZQUNOLEdBQUcsRUFBRSxJQUFJLENBQUMsTUFBTSxDQUFDLEdBQUc7WUFDcEIsY0FBYyxFQUFFLElBQUksQ0FBQyxlQUFlO1lBQ3BDLGFBQWEsRUFBRSxLQUFLO1lBQ3BCLFlBQVksRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLFlBQVk7WUFDMUMsWUFBWTtZQUNaLE9BQU8sRUFBRSxhQUFhO1lBQ3RCLDBCQUEwQixFQUFFLElBQUksQ0FBQyxlQUFlLEtBQUssUUFBUTtTQUM5RCxDQUFDO1FBRUYsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLEtBQUssQ0FBQyxZQUFZLENBQUMsQ0FBQztRQUN6QyxNQUFNLENBQUMsR0FBRyxDQUFDLE1BQU0sRUFBRSw0QkFBNEIsSUFBSSxDQUFDLGVBQWUsWUFBWSxNQUFNLFNBQVMsWUFBWSxhQUFhLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQztJQUM5SSxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsSUFBSTtRQUNmLElBQUksSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ25CLElBQUksQ0FBQztnQkFDSCxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDcEMsQ0FBQztZQUFDLE1BQU0sQ0FBQztnQkFDUCxxQkFBcUI7WUFDdkIsQ0FBQztZQUNELElBQUksQ0FBQyxTQUFTLENBQUMsSUFBSSxFQUFFLENBQUM7WUFDdEIsSUFBSSxDQUFDLFNBQVMsR0FBRyxTQUFTLENBQUM7UUFDN0IsQ0FBQztRQUNELE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLG9CQUFvQixDQUFDLENBQUM7SUFDM0MsQ0FBQztJQUVELDBFQUEwRTtJQUUxRTs7T0FFRztJQUNJLEtBQUssQ0FBQyxZQUFZLENBQUMsSUFJekI7UUFDQyxJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ3BCLE1BQU0sSUFBSSxLQUFLLENBQUMsd0JBQXdCLENBQUMsQ0FBQztRQUM1QyxDQUFDO1FBRUQsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLFlBQVksQ0FBQztZQUMvQyxRQUFRLEVBQUUsSUFBSSxDQUFDLFFBQVE7WUFDdkIsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJO1lBQ2YsV0FBVyxFQUFFLElBQUksQ0FBQyxXQUFXO1NBQzlCLENBQUMsQ0FBQztRQUVILG1FQUFtRTtRQUNuRSxJQUFJLElBQUksQ0FBQyxNQUFNLENBQUMsY0FBYyxJQUFJLE1BQU0sQ0FBQyxlQUFlLEVBQUUsQ0FBQztZQUN6RCxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsTUFBTSxDQUFDLFlBQVksSUFBSSxLQUFLLENBQUM7WUFDakQsTUFBTSxDQUFDLGVBQWUsR0FBRyxNQUFNLENBQUMsZUFBZSxDQUFDLE9BQU8sQ0FDckQsbUJBQW1CLEVBQ25CLGNBQWMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxjQUFjLElBQUksTUFBTSxFQUFFLENBQ3JELENBQUM7UUFDSixDQUFDO1FBRUQsOENBQThDO1FBQzlDLE1BQU0sU0FBUyxHQUFxQjtZQUNsQyxRQUFRLEVBQUUsTUFBTSxDQUFDLEtBQUssQ0FBQyxRQUFRO1lBQy9CLE9BQU8sRUFBRSxNQUFNLENBQUMsS0FBSyxDQUFDLE9BQU8sSUFBSSxJQUFJO1lBQ3JDLElBQUksRUFBRSxNQUFNLENBQUMsS0FBSyxDQUFDLElBQUk7WUFDdkIsV0FBVyxFQUFFLE1BQU0sQ0FBQyxLQUFLLENBQUMsV0FBVztZQUNyQyxVQUFVLEVBQUUsTUFBTSxDQUFDLEtBQUssQ0FBQyxVQUFVO1lBQ25DLGNBQWMsRUFBRSxNQUFNLENBQUMsS0FBSyxDQUFDLFNBQVM7WUFDdEMsV0FBVyxFQUFFLE1BQU0sQ0FBQyxLQUFLLENBQUMsV0FBVyxJQUFJLEVBQUU7WUFDM0MsU0FBUyxFQUFFLElBQUksQ0FBQyxHQUFHLEVBQUU7WUFDckIsU0FBUyxFQUFFLElBQUksQ0FBQyxHQUFHLEVBQUU7WUFDckIsU0FBUyxFQUFFLE1BQU0sQ0FBQyxLQUFLLENBQUMsU0FBUztTQUNsQyxDQUFDO1FBQ0YsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsU0FBUyxDQUFDLFFBQVEsRUFBRSxTQUFTLENBQUMsQ0FBQztRQUNoRCxNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsU0FBUyxDQUFDLENBQUM7UUFFcEMsT0FBTyxNQUFNLENBQUM7SUFDaEIsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLFlBQVksQ0FBQyxRQUFnQjtRQUN4QyxJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ3BCLE1BQU0sSUFBSSxLQUFLLENBQUMsd0JBQXdCLENBQUMsQ0FBQztRQUM1QyxDQUFDO1FBQ0QsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLFlBQVksQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUM1QyxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUM5QixNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsTUFBTSxDQUFDLEdBQUcsc0JBQXNCLEdBQUcsUUFBUSxFQUFFLENBQUMsQ0FBQztJQUMzRSxDQUFDO0lBRUQ7O09BRUc7SUFDSSxXQUFXO1FBQ2hCLE9BQU8sQ0FBQyxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQztJQUNwQyxDQUFDO0lBRUQ7O09BRUc7SUFDSSxLQUFLLENBQUMsWUFBWSxDQUFDLFFBQWdCO1FBQ3hDLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUztZQUFFLE1BQU0sSUFBSSxLQUFLLENBQUMsd0JBQXdCLENBQUMsQ0FBQztRQUMvRCxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsWUFBWSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQzVDLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQzFDLElBQUksTUFBTSxFQUFFLENBQUM7WUFDWCxNQUFNLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQztZQUN0QixNQUFNLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUM5QixNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDbkMsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxhQUFhLENBQUMsUUFBZ0I7UUFDekMsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTO1lBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQyx3QkFBd0IsQ0FBQyxDQUFDO1FBQy9ELE1BQU0sSUFBSSxDQUFDLFNBQVMsQ0FBQyxhQUFhLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDN0MsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxHQUFHLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDMUMsSUFBSSxNQUFNLEVBQUUsQ0FBQztZQUNYLE1BQU0sQ0FBQyxPQUFPLEdBQUcsS0FBSyxDQUFDO1lBQ3ZCLE1BQU0sQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1lBQzlCLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUNuQyxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLGVBQWUsQ0FBQyxRQUFnQjtRQUMzQyxJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVM7WUFBRSxNQUFNLElBQUksS0FBSyxDQUFDLHdCQUF3QixDQUFDLENBQUM7UUFDL0QsTUFBTSxNQUFNLEdBQUcsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLGVBQWUsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUU5RCxzQ0FBc0M7UUFDdEMsSUFBSSxJQUFJLENBQUMsTUFBTSxDQUFDLGNBQWMsSUFBSSxNQUFNLENBQUMsZUFBZSxFQUFFLENBQUM7WUFDekQsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxZQUFZLElBQUksS0FBSyxDQUFDO1lBQ2pELE1BQU0sQ0FBQyxlQUFlLEdBQUcsTUFBTSxDQUFDLGVBQWUsQ0FBQyxPQUFPLENBQ3JELG1CQUFtQixFQUNuQixjQUFjLElBQUksQ0FBQyxNQUFNLENBQUMsY0FBYyxJQUFJLE1BQU0sRUFBRSxDQUNyRCxDQUFDO1FBQ0osQ0FBQztRQUVELDhDQUE4QztRQUM5QyxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsQ0FBQztRQUMxQyxJQUFJLE1BQU0sRUFBRSxDQUFDO1lBQ1gsTUFBTSxDQUFDLGNBQWMsR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLFNBQVMsQ0FBQztZQUMvQyxNQUFNLENBQUMsV0FBVyxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsV0FBVyxJQUFJLEVBQUUsQ0FBQztZQUNwRCxNQUFNLENBQUMsU0FBUyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUM5QixNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDbkMsQ0FBQztRQUVELE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxRQUFnQixFQUFFLE1BQWdDO1FBQ2hGLElBQUksQ0FBQyxJQUFJLENBQUMsU0FBUztZQUFFLE1BQU0sSUFBSSxLQUFLLENBQUMsd0JBQXdCLENBQUMsQ0FBQztRQUMvRCxJQUFJLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxTQUFTLENBQUMsa0JBQWtCLENBQUMsUUFBUSxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBRXZFLHNDQUFzQztRQUN0QyxJQUFJLE1BQU0sS0FBSyxXQUFXLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUN6RCxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsTUFBTSxDQUFDLFlBQVksSUFBSSxLQUFLLENBQUM7WUFDakQsTUFBTSxHQUFHLE1BQU0sQ0FBQyxPQUFPLENBQ3JCLG1CQUFtQixFQUNuQixjQUFjLElBQUksQ0FBQyxNQUFNLENBQUMsY0FBYyxJQUFJLE1BQU0sRUFBRSxDQUNyRCxDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sTUFBTSxDQUFDO0lBQ2hCLENBQUM7SUFFRCwwRUFBMEU7SUFFMUU7O09BRUc7SUFDSSxLQUFLLENBQUMsU0FBUztRQUNwQixJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVM7WUFBRSxPQUFPLElBQUksQ0FBQztRQUNqQyxPQUFPLElBQUksQ0FBQyxTQUFTLENBQUMsU0FBUyxFQUFFLENBQUM7SUFDcEMsQ0FBQztJQUVEOztPQUVHO0lBQ0ksS0FBSyxDQUFDLGFBQWE7UUFDeEIsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTO1lBQUUsT0FBTyxJQUFJLENBQUM7UUFDakMsT0FBTyxJQUFJLENBQUMsU0FBUyxDQUFDLGFBQWEsRUFBRSxDQUFDO0lBQ3hDLENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxtQkFBbUI7UUFDOUIsSUFBSSxDQUFDLElBQUksQ0FBQyxTQUFTO1lBQUUsT0FBTyxFQUFFLENBQUM7UUFDL0IsT0FBTyxJQUFJLENBQUMsU0FBUyxDQUFDLFdBQVcsRUFBRSxDQUFDO0lBQ3RDLENBQUM7SUFFRDs7T0FFRztJQUNJLEtBQUssQ0FBQyxrQkFBa0IsQ0FBQyxRQUFnQjtRQUM5QyxJQUFJLENBQUMsSUFBSSxDQUFDLFNBQVM7WUFBRSxPQUFPLElBQUksQ0FBQztRQUNqQyxPQUFPLElBQUksQ0FBQyxTQUFTLENBQUMsa0JBQWtCLENBQUMsUUFBUSxDQUFDLENBQUM7SUFDckQsQ0FBQztJQUVEOztPQUVHO0lBQ0ksbUJBQW1CO1FBQ3hCLElBQUksQ0FBQyxJQUFJLENBQUMsVUFBVTtZQUFFLE9BQU8sSUFBSSxDQUFDO1FBQ2xDLE9BQU87WUFDTCxjQUFjLEVBQUUsSUFBSSxDQUFDLFVBQVUsQ0FBQyxjQUFjO1lBQzlDLFdBQVcsRUFBRSxJQUFJLENBQUMsVUFBVSxDQUFDLFdBQVc7U0FDekMsQ0FBQztJQUNKLENBQUM7SUFFRCwwRUFBMEU7SUFFbEUsS0FBSyxDQUFDLHdCQUF3QjtRQUNwQyxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUF1QixtQkFBbUIsQ0FBQyxDQUFDO1FBQzVGLElBQUksTUFBTSxFQUFFLGVBQWUsSUFBSSxNQUFNLEVBQUUsWUFBWSxFQUFFLENBQUM7WUFDcEQsTUFBTSxDQUFDLEdBQUcsQ0FBQyxNQUFNLEVBQUUscUNBQXFDLENBQUMsQ0FBQztZQUMxRCxPQUFPLE1BQU0sQ0FBQztRQUNoQixDQUFDO1FBRUQsbUNBQW1DO1FBQ25DLE1BQU0sVUFBVSxHQUFHLElBQUksT0FBTyxDQUFDLFFBQVEsQ0FBQyxTQUFTLENBQUM7WUFDaEQsU0FBUyxFQUFFLEVBQUUsU0FBUyxFQUFFLE9BQU8sRUFBRTtTQUNsQyxDQUFDLENBQUM7UUFDSCxNQUFNLFVBQVUsQ0FBQyxLQUFLLEVBQUUsQ0FBQztRQUV6QixNQUFNLFNBQVMsR0FBRyxNQUFNLFVBQVUsQ0FBQyxlQUFlLEVBQUUsQ0FBQztRQUNyRCxNQUFNLE1BQU0sR0FBRyxNQUFNLFVBQVUsQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1FBQ3BELFVBQVUsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUVsQixNQUFNLElBQUksR0FBeUI7WUFDakMsZUFBZSxFQUFFLFNBQVMsQ0FBQyxVQUFVO1lBQ3JDLGNBQWMsRUFBRSxTQUFTLENBQUMsU0FBUztZQUNuQyxZQUFZLEVBQUUsTUFBTSxDQUFDLFVBQVU7WUFDL0IsV0FBVyxFQUFFLE1BQU0sQ0FBQyxTQUFTO1NBQzlCLENBQUM7UUFFRixNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUFDLG1CQUFtQixFQUFFLElBQUksQ0FBQyxDQUFDO1FBQzdELE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLDZDQUE2QyxDQUFDLENBQUM7UUFDbEUsT0FBTyxJQUFJLENBQUM7SUFDZCxDQUFDO0lBRU8sS0FBSyxDQUFDLG9CQUFvQjtRQUNoQyxNQUFNLElBQUksR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsSUFBSSxDQUFDLHNCQUFzQixDQUFDLENBQUM7UUFDcEUsS0FBSyxNQUFNLEdBQUcsSUFBSSxJQUFJLEVBQUUsQ0FBQztZQUN2QixNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUFtQixHQUFHLENBQUMsQ0FBQztZQUN4RSxJQUFJLE1BQU0sRUFBRSxDQUFDO2dCQUNYLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLEVBQUUsTUFBTSxDQUFDLENBQUM7WUFDNUMsQ0FBQztRQUNILENBQUM7UUFDRCxJQUFJLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzFCLE1BQU0sQ0FBQyxHQUFHLENBQUMsTUFBTSxFQUFFLFVBQVUsSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLDBCQUEwQixDQUFDLENBQUM7UUFDNUUsQ0FBQztJQUNILENBQUM7SUFFTyxLQUFLLENBQUMsYUFBYSxDQUFDLE1BQXdCO1FBQ2xELE1BQU0sSUFBSSxDQUFDLGNBQWMsQ0FBQyxPQUFPLENBQUMsR0FBRyxzQkFBc0IsR0FBRyxNQUFNLENBQUMsUUFBUSxFQUFFLEVBQUUsTUFBTSxDQUFDLENBQUM7SUFDM0YsQ0FBQztDQUNGIn0=

package/dist_ts/vpn/index.d.ts

@@ -0,0 +1 @@
+export * from './classes.vpn-manager.js';

package/dist_ts/vpn/index.js

@@ -0,0 +1,2 @@
+export * from './classes.vpn-manager.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi90cy92cG4vaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYywwQkFBMEIsQ0FBQyJ9

package/dist_ts_interfaces/data/index.d.ts

@@ -2,3 +2,4 @@ export * from './auth.js';
 export * from './stats.js';
 export * from './remoteingress.js';
 export * from './route-management.js';
+export * from './vpn.js';

package/dist_ts_interfaces/data/index.js

@@ -2,4 +2,5 @@ export * from './auth.js';
 export * from './stats.js';
 export * from './remoteingress.js';
 export * from './route-management.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi90c19pbnRlcmZhY2VzL2RhdGEvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYyxXQUFXLENBQUM7QUFDMUIsY0FBYyxZQUFZLENBQUM7QUFDM0IsY0FBYyxvQkFBb0IsQ0FBQztBQUNuQyxjQUFjLHVCQUF1QixDQUFDIn0=
+export * from './vpn.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi90c19pbnRlcmZhY2VzL2RhdGEvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsY0FBYyxXQUFXLENBQUM7QUFDMUIsY0FBYyxZQUFZLENBQUM7QUFDM0IsY0FBYyxvQkFBb0IsQ0FBQztBQUNuQyxjQUFjLHVCQUF1QixDQUFDO0FBQ3RDLGNBQWMsVUFBVSxDQUFDIn0=

package/dist_ts_interfaces/data/remoteingress.d.ts

@@ -47,11 +47,20 @@ export interface IRouteRemoteIngress {
      *  When absent, the route applies to all edges. */
     edgeFilter?: string[];
 }
+/**
+ * Route-level VPN access configuration.
+ * When attached to a route, restricts access to VPN clients only.
+ */
+export interface IRouteVpn {
+    /** Whether this route requires VPN access */
+    required: boolean;
+}
 /**
  * Extended route config used within dcrouter.
- * Adds the optional `remoteIngress` property to SmartProxy's IRouteConfig.
+ * Adds optional `remoteIngress` and `vpn` properties to SmartProxy's IRouteConfig.
  * SmartProxy ignores unknown properties at runtime.
  */
 export type IDcRouterRouteConfig = IRouteConfig & {
     remoteIngress?: IRouteRemoteIngress;
+    vpn?: IRouteVpn;
 };

package/dist_ts_interfaces/data/vpn.d.ts

@@ -0,0 +1,43 @@
+/**
+ * A registered VPN client (secrets excluded from API responses).
+ */
+export interface IVpnClient {
+    clientId: string;
+    enabled: boolean;
+    tags?: string[];
+    description?: string;
+    assignedIp?: string;
+    createdAt: number;
+    updatedAt: number;
+    expiresAt?: string;
+}
+/**
+ * VPN server status.
+ */
+export interface IVpnServerStatus {
+    running: boolean;
+    forwardingMode: 'tun' | 'socket';
+    subnet: string;
+    wgListenPort: number;
+    serverPublicKeys: {
+        noisePublicKey: string;
+        wgPublicKey: string;
+    } | null;
+    registeredClients: number;
+    connectedClients: number;
+}
+/**
+ * VPN client telemetry data.
+ */
+export interface IVpnClientTelemetry {
+    clientId: string;
+    assignedIp: string;
+    bytesSent: number;
+    bytesReceived: number;
+    packetsDropped: number;
+    bytesDropped: number;
+    lastKeepaliveAt?: string;
+    keepalivesReceived: number;
+    rateLimitBytesPerSec?: number;
+    burstBytes?: number;
+}

package/dist_ts_interfaces/data/vpn.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidnBuLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vdHNfaW50ZXJmYWNlcy9kYXRhL3Zwbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiIn0=

package/dist_ts_interfaces/requests/index.d.ts

@@ -9,3 +9,4 @@ export * from './certificate.js';
 export * from './remoteingress.js';
 export * from './route-management.js';
 export * from './api-tokens.js';
+export * from './vpn.js';

package/dist_ts_interfaces/requests/index.js

@@ -9,4 +9,5 @@ export * from './certificate.js';
 export * from './remoteingress.js';
 export * from './route-management.js';
 export * from './api-tokens.js';
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi90c19pbnRlcmZhY2VzL3JlcXVlc3RzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWMsWUFBWSxDQUFDO0FBQzNCLGNBQWMsYUFBYSxDQUFDO0FBQzVCLGNBQWMsV0FBVyxDQUFDO0FBQzFCLGNBQWMsWUFBWSxDQUFDO0FBQzNCLGNBQWMscUJBQXFCLENBQUM7QUFDcEMsY0FBYyxhQUFhLENBQUM7QUFDNUIsY0FBYyxnQkFBZ0IsQ0FBQztBQUMvQixjQUFjLGtCQUFrQixDQUFDO0FBQ2pDLGNBQWMsb0JBQW9CLENBQUM7QUFDbkMsY0FBYyx1QkFBdUIsQ0FBQztBQUN0QyxjQUFjLGlCQUFpQixDQUFDIn0=
+export * from './vpn.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi90c19pbnRlcmZhY2VzL3JlcXVlc3RzL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLGNBQWMsWUFBWSxDQUFDO0FBQzNCLGNBQWMsYUFBYSxDQUFDO0FBQzVCLGNBQWMsV0FBVyxDQUFDO0FBQzFCLGNBQWMsWUFBWSxDQUFDO0FBQzNCLGNBQWMscUJBQXFCLENBQUM7QUFDcEMsY0FBYyxhQUFhLENBQUM7QUFDNUIsY0FBYyxnQkFBZ0IsQ0FBQztBQUMvQixjQUFjLGtCQUFrQixDQUFDO0FBQ2pDLGNBQWMsb0JBQW9CLENBQUM7QUFDbkMsY0FBYyx1QkFBdUIsQ0FBQztBQUN0QyxjQUFjLGlCQUFpQixDQUFDO0FBQ2hDLGNBQWMsVUFBVSxDQUFDIn0=

package/dist_ts_interfaces/requests/vpn.d.ts

@@ -0,0 +1,135 @@
+import * as plugins from '../plugins.js';
+import * as authInterfaces from '../data/auth.js';
+import type { IVpnClient, IVpnServerStatus, IVpnClientTelemetry } from '../data/vpn.js';
+/**
+ * Get all registered VPN clients.
+ */
+export interface IReq_GetVpnClients extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_GetVpnClients> {
+    method: 'getVpnClients';
+    request: {
+        identity: authInterfaces.IIdentity;
+    };
+    response: {
+        clients: IVpnClient[];
+    };
+}
+/**
+ * Get VPN server status.
+ */
+export interface IReq_GetVpnStatus extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_GetVpnStatus> {
+    method: 'getVpnStatus';
+    request: {
+        identity: authInterfaces.IIdentity;
+    };
+    response: {
+        status: IVpnServerStatus;
+    };
+}
+/**
+ * Create a new VPN client. Returns the config bundle (secrets only shown once).
+ */
+export interface IReq_CreateVpnClient extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_CreateVpnClient> {
+    method: 'createVpnClient';
+    request: {
+        identity: authInterfaces.IIdentity;
+        clientId: string;
+        tags?: string[];
+        description?: string;
+    };
+    response: {
+        success: boolean;
+        client?: IVpnClient;
+        /** WireGuard .conf file content (only returned at creation) */
+        wireguardConfig?: string;
+        message?: string;
+    };
+}
+/**
+ * Delete a VPN client.
+ */
+export interface IReq_DeleteVpnClient extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_DeleteVpnClient> {
+    method: 'deleteVpnClient';
+    request: {
+        identity: authInterfaces.IIdentity;
+        clientId: string;
+    };
+    response: {
+        success: boolean;
+        message?: string;
+    };
+}
+/**
+ * Enable a VPN client.
+ */
+export interface IReq_EnableVpnClient extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_EnableVpnClient> {
+    method: 'enableVpnClient';
+    request: {
+        identity: authInterfaces.IIdentity;
+        clientId: string;
+    };
+    response: {
+        success: boolean;
+        message?: string;
+    };
+}
+/**
+ * Disable a VPN client.
+ */
+export interface IReq_DisableVpnClient extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_DisableVpnClient> {
+    method: 'disableVpnClient';
+    request: {
+        identity: authInterfaces.IIdentity;
+        clientId: string;
+    };
+    response: {
+        success: boolean;
+        message?: string;
+    };
+}
+/**
+ * Rotate a VPN client's keys. Returns the new config bundle.
+ */
+export interface IReq_RotateVpnClientKey extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_RotateVpnClientKey> {
+    method: 'rotateVpnClientKey';
+    request: {
+        identity: authInterfaces.IIdentity;
+        clientId: string;
+    };
+    response: {
+        success: boolean;
+        /** WireGuard .conf file content with new keys */
+        wireguardConfig?: string;
+        message?: string;
+    };
+}
+/**
+ * Export a VPN client config.
+ */
+export interface IReq_ExportVpnClientConfig extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_ExportVpnClientConfig> {
+    method: 'exportVpnClientConfig';
+    request: {
+        identity: authInterfaces.IIdentity;
+        clientId: string;
+        format: 'smartvpn' | 'wireguard';
+    };
+    response: {
+        success: boolean;
+        config?: string;
+        message?: string;
+    };
+}
+/**
+ * Get telemetry for a specific VPN client.
+ */
+export interface IReq_GetVpnClientTelemetry extends plugins.typedrequestInterfaces.implementsTR<plugins.typedrequestInterfaces.ITypedRequest, IReq_GetVpnClientTelemetry> {
+    method: 'getVpnClientTelemetry';
+    request: {
+        identity: authInterfaces.IIdentity;
+        clientId: string;
+    };
+    response: {
+        success: boolean;
+        telemetry?: IVpnClientTelemetry;
+        message?: string;
+    };
+}

package/dist_ts_interfaces/requests/vpn.js

@@ -0,0 +1,3 @@
+import * as plugins from '../plugins.js';
+import * as authInterfaces from '../data/auth.js';
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidnBuLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vdHNfaW50ZXJmYWNlcy9yZXF1ZXN0cy92cG4udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxLQUFLLE9BQU8sTUFBTSxlQUFlLENBQUM7QUFDekMsT0FBTyxLQUFLLGNBQWMsTUFBTSxpQkFBaUIsQ0FBQyJ9

package/dist_ts_web/00_commitinfo_data.js

@@ -3,7 +3,7 @@
  */
 export const commitinfo = {
     name: '@serve.zone/dcrouter',
-    version: '11.12.4',
+    version: '11.13.0',
     description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiMDBfY29tbWl0aW5mb19kYXRhLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vdHNfd2ViLzAwX2NvbW1pdGluZm9fZGF0YS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7R0FFRztBQUNILE1BQU0sQ0FBQyxNQUFNLFVBQVUsR0FBRztJQUN4QixJQUFJLEVBQUUsc0JBQXNCO0lBQzVCLE9BQU8sRUFBRSxTQUFTO0lBQ2xCLFdBQVcsRUFBRSwwRUFBMEU7Q0FDeEYsQ0FBQSJ9

package/dist_ts_web/appstate.d.ts

@@ -182,6 +182,28 @@ export declare const toggleRemoteIngressAction: plugins.deesElement.domtools.plu
     id: string;
     enabled: boolean;
 }>;
+export interface IVpnState {
+    clients: interfaces.data.IVpnClient[];
+    status: interfaces.data.IVpnServerStatus | null;
+    isLoading: boolean;
+    error: string | null;
+    lastUpdated: number;
+    /** WireGuard config shown after create/rotate (only shown once) */
+    newClientConfig: string | null;
+}
+export declare const vpnStatePart: plugins.deesElement.domtools.plugins.smartstate.StatePart<string, IVpnState>;
+export declare const fetchVpnAction: plugins.deesElement.domtools.plugins.smartstate.StateAction<IVpnState, unknown>;
+export declare const createVpnClientAction: plugins.deesElement.domtools.plugins.smartstate.StateAction<IVpnState, {
+    clientId: string;
+    tags?: string[];
+    description?: string;
+}>;
+export declare const deleteVpnClientAction: plugins.deesElement.domtools.plugins.smartstate.StateAction<IVpnState, string>;
+export declare const toggleVpnClientAction: plugins.deesElement.domtools.plugins.smartstate.StateAction<IVpnState, {
+    clientId: string;
+    enabled: boolean;
+}>;
+export declare const clearNewClientConfigAction: plugins.deesElement.domtools.plugins.smartstate.StateAction<IVpnState, unknown>;
 export declare const fetchMergedRoutesAction: plugins.deesElement.domtools.plugins.smartstate.StateAction<IRouteManagementState, unknown>;
 export declare const createRouteAction: plugins.deesElement.domtools.plugins.smartstate.StateAction<IRouteManagementState, {
     route: any;