@serve.zone/dcrouter 13.20.0 → 13.21.0

package/ts/monitoring/classes.metricsmanager.ts

@@ -560,7 +560,9 @@ export class MetricsManager {
           requestsPerSecond: 0,
           requestsTotal: 0,
           backends: [] as Array<any>,
-          domainActivity: [] as Array<{ domain: string; bytesInPerSecond: number; bytesOutPerSecond: number; activeConnections: number; routeCount: number; requestCount: number }>,
+          domainActivity: [] as Array<{ domain: string; bytesInPerSecond: number; bytesOutPerSecond: number; activeConnections: number; routeCount: number; requestCount: number; requestsPerSecond?: number; requestsLastMinute?: number }>,
+          frontendProtocols: null,
+          backendProtocols: null,
         };
       }
 
@@ -592,6 +594,7 @@ export class MetricsManager {
       // Get HTTP request rates
       const requestsPerSecond = proxyMetrics.requests.perSecond();
       const requestsTotal = proxyMetrics.requests.total();
+      const domainRequestRates = proxyMetrics.requests.byDomain();
 
       // Get frontend/backend protocol distribution
       const frontendProtocols = proxyMetrics.connections.frontendProtocols() ?? null;
@@ -619,47 +622,48 @@ export class MetricsManager {
       const seenCacheKeys = new Set<string>();
 
       for (const [key, bm] of backendMetrics) {
+        backends.push({
+          id: `backend:${key}`,
+          backend: key,
+          domain: null,
+          protocol: bm.protocol,
+          activeConnections: bm.activeConnections,
+          totalConnections: bm.totalConnections,
+          connectErrors: bm.connectErrors,
+          handshakeErrors: bm.handshakeErrors,
+          requestErrors: bm.requestErrors,
+          avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
+          poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
+          h2Failures: bm.h2Failures,
+          h2Suppressed: false,
+          h3Suppressed: false,
+          h2CooldownRemainingSecs: null,
+          h3CooldownRemainingSecs: null,
+          h2ConsecutiveFailures: null,
+          h3ConsecutiveFailures: null,
+          h3Port: null,
+          cacheAgeSecs: null,
+        });
+
         const cacheEntries = cacheByBackend.get(key);
-        if (!cacheEntries || cacheEntries.length === 0) {
-          // No protocol cache entry — emit one row with backend metrics only
-          backends.push({
-            backend: key,
-            domain: null,
-            protocol: bm.protocol,
-            activeConnections: bm.activeConnections,
-            totalConnections: bm.totalConnections,
-            connectErrors: bm.connectErrors,
-            handshakeErrors: bm.handshakeErrors,
-            requestErrors: bm.requestErrors,
-            avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
-            poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
-            h2Failures: bm.h2Failures,
-            h2Suppressed: false,
-            h3Suppressed: false,
-            h2CooldownRemainingSecs: null,
-            h3CooldownRemainingSecs: null,
-            h2ConsecutiveFailures: null,
-            h3ConsecutiveFailures: null,
-            h3Port: null,
-            cacheAgeSecs: null,
-          });
-        } else {
-          // One row per domain, each enriched with the shared backend metrics
+        if (cacheEntries && cacheEntries.length > 0) {
+          // Protocol cache rows are domain-scoped metadata, not live backend connections.
           for (const cache of cacheEntries) {
             const compositeKey = `${cache.host}:${cache.port}:${cache.domain ?? ''}`;
             seenCacheKeys.add(compositeKey);
             backends.push({
+              id: `cache:${compositeKey}`,
               backend: key,
               domain: cache.domain ?? null,
               protocol: cache.protocol ?? bm.protocol,
-              activeConnections: bm.activeConnections,
-              totalConnections: bm.totalConnections,
-              connectErrors: bm.connectErrors,
-              handshakeErrors: bm.handshakeErrors,
-              requestErrors: bm.requestErrors,
-              avgConnectTimeMs: Math.round(bm.avgConnectTimeMs * 10) / 10,
-              poolHitRate: Math.round(bm.poolHitRate * 1000) / 1000,
-              h2Failures: bm.h2Failures,
+              activeConnections: 0,
+              totalConnections: 0,
+              connectErrors: 0,
+              handshakeErrors: 0,
+              requestErrors: 0,
+              avgConnectTimeMs: 0,
+              poolHitRate: 0,
+              h2Failures: 0,
               h2Suppressed: cache.h2Suppressed,
               h3Suppressed: cache.h3Suppressed,
               h2CooldownRemainingSecs: cache.h2CooldownRemainingSecs,
@@ -678,6 +682,7 @@ export class MetricsManager {
         const compositeKey = `${entry.host}:${entry.port}:${entry.domain ?? ''}`;
         if (!seenCacheKeys.has(compositeKey)) {
           backends.push({
+            id: `cache:${compositeKey}`,
             backend: `${entry.host}:${entry.port}`,
             domain: entry.domain,
             protocol: entry.protocol,
@@ -750,6 +755,9 @@ export class MetricsManager {
 
       // Resolve wildcards using domains seen in request metrics
       const allKnownDomains = new Set<string>(domainRequestTotals.keys());
+      for (const domain of domainRequestRates.keys()) {
+        allKnownDomains.add(domain);
+      }
       for (const entry of protocolCache) {
         if (entry.domain) allKnownDomains.add(entry.domain);
       }
@@ -775,11 +783,20 @@ export class MetricsManager {
         }
       }
 
-      // For each route, compute the total request count across all its resolved domains
-      // so we can distribute throughput/connections proportionally
+      const hasLiveDomainRates = domainRequestRates.size > 0;
+      const getDomainWeight = (domain: string): number => {
+        const liveRate = domainRequestRates.get(domain);
+        return hasLiveDomainRates
+          ? (liveRate?.lastMinute ?? 0)
+          : (domainRequestTotals.get(domain) || 0);
+      };
+
+      // For each route, compute the total activity weight across all resolved domains
+      // so we can distribute route-level throughput/connections. Prefer live domain
+      // request rates from SmartProxy 27.8+, falling back to lifetime counters.
       const routeTotalRequests = new Map<string, number>();
       for (const [domain, routeKeys] of domainToRoutes) {
-        const reqs = domainRequestTotals.get(domain) || 0;
+        const reqs = getDomainWeight(domain);
         for (const routeKey of routeKeys) {
           routeTotalRequests.set(routeKey, (routeTotalRequests.get(routeKey) || 0) + reqs);
         }
@@ -792,10 +809,13 @@ export class MetricsManager {
         bytesOutPerSec: number;
         routeCount: number;
         requestCount: number;
+        requestsPerSecond: number;
+        requestsLastMinute: number;
       }>();
 
       for (const [domain, routeKeys] of domainToRoutes) {
-        const domainReqs = domainRequestTotals.get(domain) || 0;
+        const domainReqs = getDomainWeight(domain);
+        const requestRate = domainRequestRates.get(domain);
         let totalConns = 0;
         let totalIn = 0;
         let totalOut = 0;
@@ -816,7 +836,9 @@ export class MetricsManager {
           bytesInPerSec: totalIn,
           bytesOutPerSec: totalOut,
           routeCount: routeKeys.length,
-          requestCount: domainReqs,
+          requestCount: domainRequestTotals.get(domain) || 0,
+          requestsPerSecond: requestRate?.perSecond ?? 0,
+          requestsLastMinute: requestRate?.lastMinute ?? 0,
         });
       }
 
@@ -828,8 +850,17 @@ export class MetricsManager {
           activeConnections: data.activeConnections,
           routeCount: data.routeCount,
           requestCount: data.requestCount,
+          requestsPerSecond: data.requestsPerSecond,
+          requestsLastMinute: data.requestsLastMinute,
         }))
-        .sort((a, b) => (b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond));
+        .sort((a, b) => {
+          if (hasLiveDomainRates) {
+            return (b.requestsPerSecond - a.requestsPerSecond) ||
+              (b.requestsLastMinute - a.requestsLastMinute) ||
+              ((b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond));
+          }
+          return (b.bytesInPerSecond + b.bytesOutPerSecond) - (a.bytesInPerSecond + a.bytesOutPerSecond);
+        });
 
       return {
         connectionsByIP,

package/ts/opsserver/handlers/security.handler.ts

@@ -50,19 +50,21 @@ export class SecurityHandler {
             localAddress: conn.destination.ip,
             startTime: conn.startTime,
             protocol: conn.type === 'http' ? 'https' : conn.type as any,
-            state: conn.status as any,
+            state: conn.status === 'active' ? 'connected' : conn.status as any,
             bytesReceived: (conn as any)._throughputIn || 0,
             bytesSent: (conn as any)._throughputOut || 0,
+            connectionCount: conn.bytesTransferred || 1,
           }));
+          const totalConnections = connectionInfos.reduce((sum, conn) => sum + (conn.connectionCount || 1), 0);
           
           const summary = {
-            total: connectionInfos.length,
+            total: totalConnections,
             byProtocol: connectionInfos.reduce((acc, conn) => {
-              acc[conn.protocol] = (acc[conn.protocol] || 0) + 1;
+              acc[conn.protocol] = (acc[conn.protocol] || 0) + (conn.connectionCount || 1);
               return acc;
             }, {} as { [protocol: string]: number }),
             byState: connectionInfos.reduce((acc, conn) => {
-              acc[conn.state] = (acc[conn.state] || 0) + 1;
+              acc[conn.state] = (acc[conn.state] || 0) + (conn.connectionCount || 1);
               return acc;
             }, {} as { [state: string]: number }),
           };
@@ -104,6 +106,8 @@ export class SecurityHandler {
               requestsPerSecond: networkStats.requestsPerSecond || 0,
               requestsTotal: networkStats.requestsTotal || 0,
               backends: networkStats.backends || [],
+              frontendProtocols: networkStats.frontendProtocols || null,
+              backendProtocols: networkStats.backendProtocols || null,
             };
           }
 
@@ -120,6 +124,8 @@ export class SecurityHandler {
             requestsPerSecond: 0,
             requestsTotal: 0,
             backends: [],
+            frontendProtocols: null,
+            backendProtocols: null,
           };
         }
       )
@@ -335,4 +341,4 @@ export class SecurityHandler {
       limits: [],
     };
   }
-}
+}

package/ts/opsserver/handlers/stats.handler.ts

@@ -302,6 +302,7 @@ export class StatsHandler {
                     startTime: 0,
                     bytesIn: tp?.in || 0,
                     bytesOut: tp?.out || 0,
+                    connectionCount: count,
                   });
                 }
 

package/ts/readme.md

@@ -1,8 +1,6 @@
 # @serve.zone/dcrouter
 
-The core DcRouter package — a unified datacenter gateway orchestrator. 🚀
-
-This is the main entry point for DcRouter. It provides the `DcRouter` class that wires together SmartProxy, smartmta, SmartDNS, SmartRadius, RemoteIngress, and the OpsServer dashboard into a single cohesive service.
+The `ts/` directory is the main dcrouter runtime package. It exposes the `DcRouter` orchestrator, `IDcRouterOptions`, `runCli()`, and the server-side exports that matter when you want to boot the full router stack from code.
 
 ## Issue Reporting and Security
 
@@ -14,7 +12,19 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 pnpm add @serve.zone/dcrouter
 ```
 
-## Usage
+## Core Exports
+
+| Export | Purpose |
+| --- | --- |
+| `DcRouter` | Main orchestrator for proxying, DNS, email, VPN, RADIUS, remote ingress, DB, and OpsServer |
+| `IDcRouterOptions` | Top-level configuration shape |
+| `runCli()` | Bootstrap helper; uses OCI env-driven config when `DCROUTER_MODE=OCI_CONTAINER` |
+| `UnifiedEmailServer` and smartmta types | Re-exported email server primitives |
+| `RadiusServer` and related types | RADIUS server runtime exports |
+| `RemoteIngressManager` and `TunnelManager` | Remote ingress orchestration exports |
+| `IHttp3Config` | HTTP/3 configuration for qualifying HTTPS routes |
+
+## Quick Start
 
 ```typescript
 import { DcRouter } from '@serve.zone/dcrouter';
@@ -23,120 +33,53 @@ const router = new DcRouter({
   smartProxyConfig: {
     routes: [
       {
-        name: 'web-app',
-        match: { domains: ['example.com'], ports: [443] },
+        name: 'local-app',
+        match: {
+          domains: ['localhost'],
+          ports: [18080],
+        },
         action: {
           type: 'forward',
-          targets: [{ host: '192.168.1.10', port: 8080 }],
-          tls: { mode: 'terminate', certificate: 'auto' }
-        }
-      }
+          targets: [{ host: '127.0.0.1', port: 3001 }],
+        },
+      },
     ],
-    acme: { email: 'admin@example.com', enabled: true, useProduction: true }
-  }
+  },
+  opsServerPort: 3000,
 });
 
 await router.start();
-// OpsServer dashboard at http://localhost:3000 (configurable via opsServerPort)
-
-// Graceful shutdown
-await router.stop();
-```
-
-## Module Structure
-
-```
-ts/
-├── index.ts                        # Main exports (DcRouter, re-exported smartmta types)
-├── classes.dcrouter.ts             # DcRouter orchestrator class + IDcRouterOptions
-├── classes.cert-provision-scheduler.ts  # Per-domain cert backoff scheduler
-├── classes.storage-cert-manager.ts # SmartAcme cert manager backed by StorageManager
-├── logger.ts                       # Structured logging utility
-├── paths.ts                        # Centralized data directory paths
-├── plugins.ts                      # All dependency imports
-├── cache/                          # Cache database (smartdata + LocalTsmDb)
-│   ├── classes.cachedb.ts          # CacheDb singleton
-│   ├── classes.cachecleaner.ts     # TTL-based cleanup
-│   └── documents/                  # Cached document models
-├── config/                         # Configuration utilities
-├── errors/                         # Error classes and retry logic
-├── http3/                          # HTTP/3 (QUIC) route augmentation
-│   ├── index.ts                    # Barrel export
-│   └── http3-route-augmentation.ts # Pure utility: augmentRoutesWithHttp3(), IHttp3Config
-├── monitoring/                     # MetricsManager (SmartMetrics integration)
-├── opsserver/                      # OpsServer dashboard + API handlers
-│   ├── classes.opsserver.ts        # HTTP server + TypedRouter setup
-│   └── handlers/                   # TypedRequest handlers by domain
-│       ├── admin.handler.ts        # Auth (login/logout/verify)
-│       ├── stats.handler.ts        # Statistics + health
-│       ├── config.handler.ts       # Configuration (read-only)
-│       ├── logs.handler.ts         # Log retrieval
-│       ├── email.handler.ts        # Email operations
-│       ├── certificate.handler.ts  # Certificate management
-│       ├── radius.handler.ts       # RADIUS management
-│       ├── remoteingress.handler.ts # Remote ingress edge + token management
-│       ├── route-management.handler.ts # Programmatic route CRUD
-│       ├── api-token.handler.ts    # API token management
-│       └── security.handler.ts     # Security metrics + connections
-├── radius/                         # RADIUS server integration
-├── remoteingress/                  # Remote ingress hub integration
-│   ├── classes.remoteingress-manager.ts  # Edge CRUD + port derivation
-│   └── classes.tunnel-manager.ts   # Rust hub lifecycle + status tracking
-├── security/                       # Security utilities
-├── sms/                            # SMS integration
-└── storage/                        # StorageManager (filesystem/custom/memory)
-```
-
-## Exports
-
-```typescript
-// Main class
-export { DcRouter, IDcRouterOptions } from './classes.dcrouter.js';
-
-// Re-exported from smartmta
-export { UnifiedEmailServer } from '@push.rocks/smartmta';
-export type { IUnifiedEmailServerOptions, IEmailRoute, IEmailDomainConfig } from '@push.rocks/smartmta';
-
-// RADIUS
-export { RadiusServer, IRadiusServerConfig } from './radius/index.js';
-
-// Remote Ingress
-export { RemoteIngressManager, TunnelManager } from './remoteingress/index.js';
-
-// HTTP/3
-export type { IHttp3Config } from './http3/index.js';
 ```
 
-## Key Classes
-
-### `DcRouter`
-
-The central orchestrator. Accepts `IDcRouterOptions` and manages the lifecycle of all sub-services:
+## What `DcRouter` Manages
 
-| Config Section | Service Started | Package |
-|----------------|----------------|---------|
-| `smartProxyConfig` | SmartProxy (HTTP/HTTPS/TCP/SNI) | `@push.rocks/smartproxy` |
-| `emailConfig` | UnifiedEmailServer (SMTP) | `@push.rocks/smartmta` |
-| `dnsNsDomains` + `dnsScopes` | DnsServer (UDP + DoH) | `@push.rocks/smartdns` |
-| `radiusConfig` | RadiusServer (auth + accounting) | `@push.rocks/smartradius` |
-| `remoteIngressConfig` | RemoteIngressManager + TunnelManager | `@serve.zone/remoteingress` |
-| `tls` + `dnsChallenge` | SmartAcme (ACME cert provisioning) | `@push.rocks/smartacme` |
-| `http3` | HTTP/3 route augmentation (enabled by default) | built-in |
-| `cacheConfig` | CacheDb (embedded MongoDB) | `@push.rocks/smartdata` |
-| *(always)* | OpsServer (dashboard + API) | `@api.global/typedserver` |
-| *(always)* | MetricsManager | `@push.rocks/smartmetrics` |
+- SmartProxy for HTTP/HTTPS/TCP routes
+- `UnifiedEmailServer` for SMTP ingress and delivery when `emailConfig` is present
+- DB-backed managers for routes, API tokens, target profiles, domains, records, ACME config, and email domains when the DB is enabled
+- embedded authoritative DNS and DoH route generation from `dnsNsDomains` and `dnsScopes`
+- VPN, RADIUS, and remote ingress services when their config blocks are enabled
+- OpsServer and the dashboard, which start on every boot
 
-### `RemoteIngressManager`
+## Important Runtime Behavior
 
-Manages CRUD for remote ingress edge registrations. Persists edges via StorageManager. Provides port derivation from routes tagged with `remoteIngress.enabled`.
+- The DB is enabled by default and uses an embedded local database when no external MongoDB URL is provided.
+- System routes from config, email, and DNS are persisted with stable ownership and are toggle-only.
+- API-created routes are the only routes intended for full CRUD from the dashboard or client SDK.
+- Qualifying HTTPS forward routes on port `443` get HTTP/3 augmentation by default.
+- `runCli()` is the supported code-level bootstrap entrypoint; the package does not expose a separate npm `bin` command.
 
-### `TunnelManager`
+## Use Another Module When...
 
-Manages the Rust-based RemoteIngressHub lifecycle. Syncs allowed edges, tracks connection status, and exposes edge statuses (connected, publicIp, activeTunnels, lastHeartbeat).
+| Need | Module |
+| --- | --- |
+| A higher-level client SDK for a running router | `@serve.zone/dcrouter-apiclient` or `@serve.zone/dcrouter/apiclient` |
+| Raw TypedRequest request/data contracts | `@serve.zone/dcrouter-interfaces` or `@serve.zone/dcrouter/interfaces` |
+| The standalone migration runner | `@serve.zone/dcrouter-migrations` |
+| The browser dashboard module boundary | `@serve.zone/dcrouter-web` |
 
 ## License and Legal Information
 
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](../license) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](../license) file.
 
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 
@@ -148,7 +91,7 @@ Use of these trademarks must comply with Task Venture Capital GmbH's Trademark G
 
 ### Company Information
 
-Task Venture Capital GmbH
+Task Venture Capital GmbH  
 Registered at District Court Bremen HRB 35230 HB, Germany
 
 For any legal inquiries or further information, please contact us via email at hello@task.vc.

package/ts/vpn/classes.vpn-manager.ts

@@ -112,14 +112,11 @@ export class VpnManager {
     const subnet = this.getSubnet();
     const wgListenPort = this.config.wgListenPort ?? 51820;
 
-    // Auto-detect hybrid mode: if any persisted client uses host IP and mode is
-    // 'socket' (or unset), upgrade to 'hybrid' so the daemon can handle both
-    let configuredMode = this.forwardingModeOverride ?? this.config.forwardingMode ?? 'socket';
-    if (anyClientUsesHostIp && configuredMode === 'socket') {
-      configuredMode = 'hybrid';
+    const desiredForwardingMode = this.getDesiredForwardingMode(anyClientUsesHostIp);
+    if (anyClientUsesHostIp && desiredForwardingMode === 'hybrid') {
       logger.log('info', 'VPN: Auto-upgrading forwarding mode to hybrid (client with useHostIp detected)');
     }
-    const forwardingMode = configuredMode === 'hybrid' ? 'hybrid' : configuredMode;
+    const forwardingMode = desiredForwardingMode;
     const isBridge = forwardingMode === 'bridge';
     this.resolvedForwardingMode = forwardingMode;
     this.forwardingModeOverride = undefined;
@@ -218,7 +215,7 @@ export class VpnManager {
       throw new Error('VPN server not running');
     }
 
-    await this.ensureForwardingModeForHostIpClient(opts.useHostIp === true);
+    await this.ensureForwardingModeForNextClient(opts.useHostIp === true);
 
     const doc = new VpnClientDoc();
     doc.clientId = opts.clientId;
@@ -298,6 +295,7 @@ export class VpnManager {
     if (doc) {
       await doc.delete();
     }
+    await this.reconcileForwardingMode();
     this.config.onClientChanged?.();
   }
 
@@ -368,8 +366,10 @@ export class VpnManager {
     await this.persistClient(client);
 
     if (this.vpnServer) {
-      await this.ensureForwardingModeForHostIpClient(client.useHostIp === true);
-      await this.vpnServer.updateClient(clientId, this.buildClientRuntimeUpdate(client));
+      const restarted = await this.reconcileForwardingMode();
+      if (!restarted) {
+        await this.vpnServer.updateClient(clientId, this.buildClientRuntimeUpdate(client));
+      }
     }
 
     this.config.onClientChanged?.();
@@ -563,6 +563,28 @@ export class VpnManager {
       ?? 'socket';
   }
 
+  private hasHostIpClients(extraHostIpClient = false): boolean {
+    if (extraHostIpClient) {
+      return true;
+    }
+
+    for (const client of this.clients.values()) {
+      if (client.useHostIp) {
+        return true;
+      }
+    }
+
+    return false;
+  }
+
+  private getDesiredForwardingMode(hasHostIpClients = this.hasHostIpClients()): 'socket' | 'bridge' | 'hybrid' {
+    const configuredMode = this.forwardingModeOverride ?? this.config.forwardingMode ?? 'socket';
+    if (configuredMode !== 'socket') {
+      return configuredMode;
+    }
+    return hasHostIpClients ? 'hybrid' : 'socket';
+  }
+
   private getDefaultDestinationPolicy(
     forwardingMode: 'socket' | 'bridge' | 'hybrid',
     useHostIp = false,
@@ -633,16 +655,45 @@ export class VpnManager {
     };
   }
 
-  private async ensureForwardingModeForHostIpClient(useHostIp: boolean): Promise<void> {
-    if (!useHostIp || !this.vpnServer) return;
-    if (this.getResolvedForwardingMode() !== 'socket') return;
-
-    logger.log('info', 'VPN: Restarting server in hybrid mode to support a host-IP client');
-    this.forwardingModeOverride = 'hybrid';
+  private async restartWithForwardingMode(
+    forwardingMode: 'socket' | 'bridge' | 'hybrid',
+    reason: string,
+  ): Promise<void> {
+    logger.log('info', `VPN: Restarting server in ${forwardingMode} mode ${reason}`);
+    this.forwardingModeOverride = forwardingMode;
     await this.stop();
     await this.start();
   }
 
+  private async ensureForwardingModeForNextClient(useHostIp: boolean): Promise<void> {
+    if (!this.vpnServer) return;
+
+    const desiredForwardingMode = this.getDesiredForwardingMode(this.hasHostIpClients(useHostIp));
+    if (desiredForwardingMode === this.getResolvedForwardingMode()) {
+      return;
+    }
+
+    await this.restartWithForwardingMode(desiredForwardingMode, 'to support a host-IP client');
+  }
+
+  private async reconcileForwardingMode(): Promise<boolean> {
+    if (!this.vpnServer) {
+      return false;
+    }
+
+    const desiredForwardingMode = this.getDesiredForwardingMode();
+    const currentForwardingMode = this.getResolvedForwardingMode();
+    if (desiredForwardingMode === currentForwardingMode) {
+      return false;
+    }
+
+    const reason = desiredForwardingMode === 'socket'
+      ? 'because no host-IP clients remain'
+      : 'to support host-IP clients';
+    await this.restartWithForwardingMode(desiredForwardingMode, reason);
+    return true;
+  }
+
   private async persistClient(client: VpnClientDoc): Promise<void> {
     await client.save();
   }