@serve.zone/dcrouter 13.34.0 → 13.35.0

package/ts/config/classes.target-profile-manager.ts

@@ -5,7 +5,7 @@ import type { ITargetProfile, ITargetProfileTarget } from '../../ts_interfaces/d
 import type { IDcRouterRouteConfig } from '../../ts_interfaces/data/remoteingress.js';
 import type { IRoute } from '../../ts_interfaces/data/route-management.js';
 
-type TIpAllowEntry = string | { ip: string; domains?: string[] };
+type TVpnClientAllowEntry = string | { clientId: string; domains: string[] };
 
 /**
  * Manages TargetProfiles (target-side: what can be accessed).
@@ -206,37 +206,35 @@ export class TargetProfileManager {
   }
 
   // =========================================================================
-  // Core matching: route → client IPs
+  // Core matching: route → VPN client grants
   // =========================================================================
 
   /**
-   * For a vpnOnly route, find all enabled VPN clients whose assigned TargetProfile
-   * matches the route. Returns IP allow entries for injection into ipAllowList.
+   * Find all enabled VPN clients whose assigned TargetProfile matches the route.
+   * Returns SmartProxy VPN client allow entries for authenticated metadata checks.
    *
    * Entries are domain-scoped when a profile matches via specific domains that are
    * a subset of the route's wildcard. Plain IPs are returned for routeRef/target matches
    * or when profile domains exactly equal the route's domains. Profiles can also opt
-   * into source-IP matching against non-vpnOnly route security.
+   * into source-policy routes; SmartProxy evaluates the real source IP per connection.
    */
-  public getMatchingClientIps(
+  public getMatchingVpnClients(
     route: IDcRouterRouteConfig,
     routeId: string | undefined,
     clients: VpnClientDoc[],
     allRoutes: Map<string, IRoute> = new Map(),
-    clientSourceIps: Map<string, string> = new Map(),
-  ): Array<string | { ip: string; domains: string[] }> {
-    const entries: Array<string | { ip: string; domains: string[] }> = [];
+  ): TVpnClientAllowEntry[] {
+    const entries: TVpnClientAllowEntry[] = [];
     const routeDomains = this.getRouteDomains(route);
     const routeNameIndex = this.buildRouteNameIndex(allRoutes);
 
     for (const client of clients) {
-      if (!client.enabled || !client.assignedIp) continue;
+      if (!client.enabled || !client.clientId) continue;
       if (!client.targetProfileIds?.length) continue;
 
       // Collect scoped domains from all matching profiles for this client
       let fullAccess = false;
       const scopedDomains = new Set<string>();
-      const clientSourceIp = clientSourceIps.get(client.clientId);
 
       for (const profileId of client.targetProfileIds) {
         const profile = this.profiles.get(profileId);
@@ -258,10 +256,8 @@ export class TargetProfileManager {
         }
 
         if (
-          !route.vpnOnly
-          && profile.allowRoutesByClientSourceIp === true
-          && clientSourceIp
-          && this.routeAllowsSourceIp(route, clientSourceIp, routeDomains)
+          profile.allowRoutesByClientSourceIp === true
+          && this.routeHasSourcePolicy(route)
         ) {
           fullAccess = true;
           break;
@@ -269,9 +265,9 @@ export class TargetProfileManager {
       }
 
       if (fullAccess) {
-        entries.push(client.assignedIp);
+        entries.push(client.clientId);
       } else if (scopedDomains.size > 0) {
-        entries.push({ ip: client.assignedIp, domains: [...scopedDomains] });
+        entries.push({ clientId: client.clientId, domains: [...scopedDomains] });
       }
     }
 
@@ -285,7 +281,6 @@ export class TargetProfileManager {
   public getClientAccessSpec(
     targetProfileIds: string[],
     allRoutes: Map<string, IRoute>,
-    clientSourceIp?: string,
   ): { domains: string[]; targetIps: string[] } {
     const domains = new Set<string>();
     const targetIps = new Set<string>();
@@ -322,9 +317,7 @@ export class TargetProfileManager {
           routeNameIndex,
         );
         const sourceIpMatchesRoute = profile.allowRoutesByClientSourceIp === true
-          && clientSourceIp
-          && !dcRoute.vpnOnly
-          && this.routeAllowsSourceIp(dcRoute, clientSourceIp, routeDomains);
+          && this.routeHasSourcePolicy(dcRoute);
         if (profileMatchesRoute || sourceIpMatchesRoute) {
           for (const d of routeDomains) {
             domains.add(d);
@@ -450,197 +443,14 @@ export class TargetProfileManager {
     return false;
   }
 
-  private routeAllowsSourceIp(
-    route: IDcRouterRouteConfig,
-    sourceIp: string,
-    routeDomains: string[],
-  ): boolean {
+  private routeHasSourcePolicy(route: IDcRouterRouteConfig): boolean {
     const security = (route as any).security;
-    const ipAllowList = this.normalizeIpEntries(security?.ipAllowList);
-    const ipBlockList = this.normalizeIpEntries(security?.ipBlockList);
-
-    if (this.ipEntriesMatchSource(ipBlockList, sourceIp, routeDomains)) {
-      return false;
-    }
-
-    if (!ipAllowList.length) {
-      return true;
-    }
-
-    return this.ipEntriesMatchSource(ipAllowList, sourceIp, routeDomains);
-  }
-
-  private normalizeIpEntries(entries: unknown): TIpAllowEntry[] {
-    if (!entries) return [];
-    if (Array.isArray(entries)) return entries as TIpAllowEntry[];
-    return [entries as TIpAllowEntry];
-  }
-
-  private ipEntriesMatchSource(
-    entries: TIpAllowEntry[],
-    sourceIp: string,
-    routeDomains: string[],
-  ): boolean {
-    return entries.some((entry) => this.ipEntryMatchesSource(entry, sourceIp, routeDomains));
-  }
-
-  private ipEntryMatchesSource(
-    entry: TIpAllowEntry,
-    sourceIp: string,
-    routeDomains: string[],
-  ): boolean {
-    const ipPattern = typeof entry === 'string' ? entry : entry.ip;
-    if (typeof ipPattern !== 'string') return false;
-    if (!this.ipPatternMatchesSource(ipPattern, sourceIp)) {
-      return false;
-    }
-
-    if (typeof entry === 'string' || !entry.domains?.length) {
-      return true;
-    }
-
-    if (!routeDomains.length) {
-      return false;
-    }
-
-    return routeDomains.some((routeDomain) =>
-      entry.domains!.some((entryDomain) =>
-        this.domainMatchesPattern(routeDomain, entryDomain)
-        || this.domainMatchesPattern(entryDomain, routeDomain),
-      ),
-    );
-  }
-
-  private ipPatternMatchesSource(pattern: string, sourceIp: string): boolean {
-    const trimmedPattern = pattern.trim();
-    const trimmedSourceIp = sourceIp.trim();
-    if (!trimmedPattern || !trimmedSourceIp) return false;
-    if (trimmedPattern === '*') return true;
-    if (trimmedPattern === trimmedSourceIp) return true;
-
-    if (trimmedPattern.includes('/')) {
-      return this.ipMatchesCidr(trimmedSourceIp, trimmedPattern);
-    }
-
-    if (trimmedPattern.includes('-')) {
-      return this.ipMatchesRange(trimmedSourceIp, trimmedPattern);
-    }
-
-    if (trimmedPattern.includes('*')) {
-      return this.ipMatchesWildcard(trimmedSourceIp, trimmedPattern);
-    }
-
-    return false;
-  }
-
-  private ipMatchesCidr(sourceIp: string, cidr: string): boolean {
-    const [networkIp, prefixString] = cidr.split('/');
-    if (!networkIp || !prefixString) return false;
-    const source = this.ipToComparable(sourceIp);
-    const network = this.ipToComparable(networkIp);
-    const prefix = Number(prefixString);
-    if (!source || !network || source.version !== network.version) return false;
-
-    const bitCount = source.version === 4 ? 32 : 128;
-    if (!Number.isInteger(prefix) || prefix < 0 || prefix > bitCount) return false;
-    if (prefix === 0) return true;
-
-    const shift = BigInt(bitCount - prefix);
-    return (source.value >> shift) === (network.value >> shift);
-  }
-
-  private ipMatchesRange(sourceIp: string, range: string): boolean {
-    const [startIp, endIp] = range.split('-').map((part) => part.trim());
-    if (!startIp || !endIp) return false;
-    const source = this.ipToComparable(sourceIp);
-    const start = this.ipToComparable(startIp);
-    const end = this.ipToComparable(endIp);
-    if (!source || !start || !end) return false;
-    if (source.version !== start.version || source.version !== end.version) return false;
-    return source.value >= start.value && source.value <= end.value;
-  }
-
-  private ipMatchesWildcard(sourceIp: string, pattern: string): boolean {
-    const sourceParts = sourceIp.split('.');
-    const patternParts = pattern.split('.');
-    if (sourceParts.length !== 4 || patternParts.length !== 4) return false;
-
-    return patternParts.every((patternPart, index) => {
-      if (patternPart === '*') return true;
-      return patternPart === sourceParts[index];
-    });
-  }
-
-  private ipToComparable(ip: string): { version: 4 | 6; value: bigint } | undefined {
-    const normalizedIp = this.normalizeIpLiteral(ip);
-    const ipVersion = plugins.net.isIP(normalizedIp);
-    if (ipVersion === 4) {
-      const parts = normalizedIp.split('.').map((part) => Number(part));
-      if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) {
-        return undefined;
-      }
-      return {
-        version: 4,
-        value: parts.reduce((value, part) => (value << 8n) + BigInt(part), 0n),
-      };
-    }
-
-    if (ipVersion === 6) {
-      const parts = this.expandIpv6(normalizedIp);
-      if (!parts) return undefined;
-      return {
-        version: 6,
-        value: parts.reduce((value, part) => (value << 16n) + BigInt(part), 0n),
-      };
-    }
-
-    return undefined;
-  }
-
-  private normalizeIpLiteral(ip: string): string {
-    const trimmed = ip.trim().replace(/^\[|\]$/g, '');
-    const zoneIndex = trimmed.indexOf('%');
-    const withoutZone = zoneIndex === -1 ? trimmed : trimmed.slice(0, zoneIndex);
-    const ipv4MappedPrefix = '::ffff:';
-    if (withoutZone.toLowerCase().startsWith(ipv4MappedPrefix)) {
-      const mappedIpv4 = withoutZone.slice(ipv4MappedPrefix.length);
-      if (plugins.net.isIP(mappedIpv4) === 4) return mappedIpv4;
-    }
-    return withoutZone;
-  }
-
-  private expandIpv6(ip: string): number[] | undefined {
-    let normalizedIp = ip.toLowerCase();
-    if (normalizedIp.includes('.')) {
-      const lastColonIndex = normalizedIp.lastIndexOf(':');
-      const ipv4Part = normalizedIp.slice(lastColonIndex + 1);
-      const ipv4Comparable = this.ipToComparable(ipv4Part);
-      if (!ipv4Comparable || ipv4Comparable.version !== 4) return undefined;
-      const high = Number((ipv4Comparable.value >> 16n) & 0xffffn).toString(16);
-      const low = Number(ipv4Comparable.value & 0xffffn).toString(16);
-      normalizedIp = `${normalizedIp.slice(0, lastColonIndex)}:${high}:${low}`;
-    }
-
-    const doubleColonParts = normalizedIp.split('::');
-    if (doubleColonParts.length > 2) return undefined;
-
-    const head = doubleColonParts[0] ? doubleColonParts[0].split(':') : [];
-    const tail = doubleColonParts[1] ? doubleColonParts[1].split(':') : [];
-    const missingCount = 8 - head.length - tail.length;
-    if (missingCount < 0 || (doubleColonParts.length === 1 && missingCount !== 0)) return undefined;
-
-    const parts = [
-      ...head,
-      ...Array(missingCount).fill('0'),
-      ...tail,
-    ];
-    if (parts.length !== 8) return undefined;
-
-    const numbers = parts.map((part) => Number.parseInt(part || '0', 16));
-    if (numbers.some((part) => !Number.isInteger(part) || part < 0 || part > 0xffff)) {
-      return undefined;
-    }
-    return numbers;
+    const blockEntries = Array.isArray(security?.ipBlockList)
+      ? security.ipBlockList
+      : security?.ipBlockList
+        ? [security.ipBlockList]
+        : [];
+    return !blockEntries.some((entry: unknown) => typeof entry === 'string' && entry.trim() === '*');
   }
 
   private getRouteDomains(route: IDcRouterRouteConfig): string[] {

package/ts/vpn/classes.vpn-manager.ts

@@ -152,6 +152,8 @@ export class VpnManager {
       wgListenPort,
       clients: clientEntries,
       socketForwardProxyProtocol: !isBridge,
+      socketForwardProxyProtocolSource: 'remoteIp',
+      socketForwardProxyProtocolVpnMetadata: true,
       destinationPolicy: this.getServerDestinationPolicy(forwardingMode, defaultDestinationPolicy),
       serverEndpoint,
       clientAllowedIPs: [subnet],

package/ts_web/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '13.34.0',
+  version: '13.35.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/elements/network/ops-view-targetprofiles.ts

@@ -97,7 +97,7 @@ export class OpsViewTargetProfiles extends DeesElement {
             'Route Refs': profile.routeRefs?.length
               ? html`${profile.routeRefs.map(r => html`<span class="tagBadge">${this.formatRouteRef(r)}</span>`)}`
               : '-',
-            'Client Source IP Routes': profile.allowRoutesByClientSourceIp ? 'Yes' : 'No',
+            'Source-Policy Route Grants': profile.allowRoutesByClientSourceIp ? 'Yes' : 'No',
             Created: new Date(profile.createdAt).toLocaleDateString(),
           })}
           .dataActions=${[
@@ -224,7 +224,7 @@ export class OpsViewTargetProfiles extends DeesElement {
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'e.g. *.example.com'} .allowFreeform=${true}></dees-input-list>
           <dees-input-list .key=${'targets'} .label=${'Targets'} .description=${'Format: ip:port, e.g. 10.0.0.1:443'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true}></dees-input-list>
           <dees-input-list .key=${'routeRefs'} .label=${'Route Refs'} .placeholder=${'Type to search routes...'} .candidates=${routeCandidates} .allowFreeform=${true}></dees-input-list>
-          <dees-input-checkbox .key=${'allowRoutesByClientSourceIp'} .label=${'Allow routes by VPN client source IP'} .description=${'Also grant access to non-VPN-only routes that would allow the client\'s real connecting IP'} .value=${false}></dees-input-checkbox>
+          <dees-input-checkbox .key=${'allowRoutesByClientSourceIp'} .label=${'Allow source-policy route grants'} .description=${'Grant these VPN clients to source-policy routes; SmartProxy still checks their real connecting IP per connection'} .value=${false}></dees-input-checkbox>
         </dees-form>
       `,
       menuOptions: [
@@ -287,7 +287,7 @@ export class OpsViewTargetProfiles extends DeesElement {
           <dees-input-list .key=${'domains'} .label=${'Domains'} .placeholder=${'e.g. *.example.com'} .allowFreeform=${true} .value=${currentDomains}></dees-input-list>
           <dees-input-list .key=${'targets'} .label=${'Targets'} .description=${'Format: ip:port, e.g. 10.0.0.1:443'} .placeholder=${'e.g. 10.0.0.1:443'} .allowFreeform=${true} .value=${currentTargets}></dees-input-list>
           <dees-input-list .key=${'routeRefs'} .label=${'Route Refs'} .placeholder=${'Type to search routes...'} .candidates=${routeCandidates} .allowFreeform=${true} .value=${currentRouteRefs}></dees-input-list>
-          <dees-input-checkbox .key=${'allowRoutesByClientSourceIp'} .label=${'Allow routes by VPN client source IP'} .description=${'Also grant access to non-VPN-only routes that would allow the client\'s real connecting IP'} .value=${profile.allowRoutesByClientSourceIp === true}></dees-input-checkbox>
+          <dees-input-checkbox .key=${'allowRoutesByClientSourceIp'} .label=${'Allow source-policy route grants'} .description=${'Grant these VPN clients to source-policy routes; SmartProxy still checks their real connecting IP per connection'} .value=${profile.allowRoutesByClientSourceIp === true}></dees-input-checkbox>
         </dees-form>
       `,
       menuOptions: [