vpn-split 21.0.13 → 21.0.16

package/lib-prod/vpn-split.backend.js

@@ -1,742 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.VpnSplit = void 0;
-// TODO I am using TCP ugrade not UDP!
-const dgram = require("dgram"); // <-- For UDP sockets
-const http = require("http");
-const axios_1 = require("axios");
-const express = require("express");
-const httpProxy = require("http-proxy");
-const lib_prod_1 = require("ng2-logger/lib-prod");
-const lib_prod_2 = require("tnp-core/lib-prod");
-const lib_prod_3 = require("tnp-core/lib-prod");
-const lib_prod_4 = require("tnp-core/lib-prod");
-const lib_prod_5 = require("tnp-helpers/lib-prod");
-const hostile_backend_1 = require("./hostile.backend");
-const models_1 = require("./models");
-const child_process_1 = require("child_process");
-const HOST_FILE_PATH = (0, lib_prod_3.UtilsNetwork_getEtcHostsPath)();
-const log = lib_prod_1.Log.create('vpn-split', lib_prod_1.Level.INFO);
-//#endregion
-//#region consts
-const GENERATED = '#GENERATED_BY_CLI#';
-const EOL = process.platform === 'win32' ? '\r\n' : '\n';
-const SERVERS_PATH = '/$$$$servers$$$$';
-const HOST_FILE_PATHUSER = (0, lib_prod_3.crossPlatformPath)([
-    (0, lib_prod_3.UtilsOs_getRealHomeDir)(),
-    'hosts-file__vpn-split',
-]);
-const from = models_1.HostForServer.From;
-const DefaultEtcHosts = {
-    'localhost alias': from({
-        ipOrDomain: '127.0.0.1',
-        aliases: 'localhost',
-        isDefault: true,
-    }),
-    broadcasthost: from({
-        ipOrDomain: '255.255.255.255',
-        aliases: 'broadcasthost',
-        isDefault: true,
-    }),
-    'localhost alias ipv6': from({
-        ipOrDomain: '::1',
-        aliases: 'localhost',
-        isDefault: true,
-    }),
-};
-//#endregion
-class VpnSplit {
-    portsToPass;
-    hosts;
-    cwd;
-    //#region getters
-    get hostsArr() {
-        const hosts = this.hosts;
-        return lib_prod_3._.keys(hosts).map(hostName => {
-            const v = hosts[hostName];
-            v.name = hostName;
-            return v;
-        });
-    }
-    get hostsArrWithoutDefault() {
-        return this.hostsArr.filter(f => !f.isDefault);
-    }
-    get serveKeyName() {
-        return 'tmp-' + lib_prod_2.config.file.server_key;
-    }
-    get serveKeyPath() {
-        return lib_prod_3.path.join(this.cwd, this.serveKeyName);
-    }
-    get serveCertName() {
-        return 'tmp-' + lib_prod_2.config.file.server_cert;
-    }
-    get serveCertPath() {
-        return lib_prod_3.path.join(this.cwd, this.serveCertName);
-    }
-    get serveCertChainName() {
-        return 'tmp-' + lib_prod_2.config.file.server_chain_cert;
-    }
-    get serveCertChainPath() {
-        return lib_prod_3.path.join(this.cwd, this.serveCertChainName);
-    }
-    //#endregion
-    //#region fields
-    __hostile;
-    //#endregion
-    //#region singleton
-    static _instances = {};
-    constructor(portsToPass, hosts, cwd) {
-        this.portsToPass = portsToPass;
-        this.hosts = hosts;
-        this.cwd = cwd;
-        this.__hostile = new hostile_backend_1.Hostile();
-    }
-    static async Instance({ ports = [80, 443, 4443, 22, 2222, 8180, 8080, 4407, 7999, 9443], additionalDefaultHosts = {}, cwd = process.cwd(), allowNotSudo = false, } = {}) {
-        if (!(await (0, lib_prod_3.isElevated)()) && !allowNotSudo) {
-            lib_prod_5.Helpers.error(`[vpn-split] Please run this program as sudo (or admin on windows)`, false, true);
-        }
-        if (!VpnSplit._instances[cwd]) {
-            VpnSplit._instances[cwd] = new VpnSplit(ports, lib_prod_3._.merge(DefaultEtcHosts, additionalDefaultHosts), cwd);
-        }
-        return VpnSplit._instances[cwd];
-    }
-    //#endregion
-    //#region start server
-    async startServer(saveHostInUserFolder = false) {
-        this.createCertificateIfNotExists();
-        const hostsForCert = this.hosts;
-        // const domainsForCert: string[] = Utils_uniqArray(
-        //   Object.keys(hostsForCert).reduce((prev, curr) => {
-        //     const host = hostsForCert[curr] as HostForServer;
-        //     host.aliases.forEach(alias => {
-        //       if (!host.isDefault) {
-        //         prev.push(alias);
-        //       }
-        //     });
-        //     return prev;
-        //   }, [] as string[]),
-        // );
-        // this.ensureMkcertCertificate(domainsForCert);
-        //#region modify /etc/host to direct traffic appropriately
-        saveHosts(hostsForCert, { saveHostInUserFolder });
-        //#endregion
-        // Start TCP/HTTPS passthrough
-        for (const portToPassthrough of this.portsToPass) {
-            await this.serverPassthrough(portToPassthrough);
-        }
-        // Start UDP passthrough
-        for (const portToPassthrough of this.portsToPass) {
-            await this.serverUdpPassthrough(portToPassthrough);
-        }
-        lib_prod_5.Helpers.info(`Activated (server).`);
-    }
-    //#endregion
-    //#region apply hosts
-    applyHosts(hosts) {
-        // console.log(hosts);
-        saveHosts(hosts);
-    }
-    applyHostsLocal(hosts) {
-        // console.log(hosts);
-        saveHostsLocal(hosts);
-    }
-    //#endregion
-    //#region start client
-    async startClient(vpnServerTargets, options) {
-        options = options || {};
-        const { saveHostInUserFolder } = options;
-        if (!Array.isArray(vpnServerTargets)) {
-            vpnServerTargets = [vpnServerTargets];
-        }
-        for (const vpnServerTarget of vpnServerTargets) {
-            await this.preventBadTargetForClient(vpnServerTarget);
-        }
-        this.createCertificateIfNotExists();
-        // Get remote host definitions from remote server
-        const hosts = [];
-        for (const vpnServerTarget of vpnServerTargets) {
-            const newHosts = await this.getRemoteHosts(vpnServerTarget);
-            for (const host of newHosts) {
-                // Mark the original VPN server domain
-                host.originHostname = vpnServerTarget.hostname;
-                hosts.push(host);
-            }
-        }
-        // Merge with original, redirecting all non-default entries to 127.0.0.1
-        const originalHosts = this.hostsArr;
-        const combinedHostsObj = lib_prod_3._.values([
-            ...originalHosts,
-            ...hosts.map(h => models_1.HostForServer.From({
-                aliases: h.alias,
-                ipOrDomain: h.ip,
-                originHostname: h.originHostname,
-            }, `external host ${h.alias} ${h.ip}`)),
-        ]
-            .map(c => {
-            let copy = c.clone();
-            if (!copy.isDefault) {
-                copy.ip = `127.0.0.1`;
-            }
-            return copy;
-        })
-            .reduce((prev, curr) => {
-            return lib_prod_3._.merge(prev, {
-                [curr.aliases.join(' ')]: curr,
-            });
-        }, {}));
-        const hostsForCert = options.useHost ? options.useHost : combinedHostsObj;
-        // const domainsForCert: string[] = Utils_uniqArray(
-        //   Object.keys(hostsForCert).reduce((prev, curr) => {
-        //     const host = hostsForCert[curr] as HostForServer;
-        //     host.aliases.forEach(alias => {
-        //       if (!host.isDefault) {
-        //         prev.push(alias);
-        //       }
-        //     });
-        //     return prev;
-        //   }, [] as string[]),
-        // );
-        // this.ensureMkcertCertificate(domainsForCert);
-        saveHosts(hostsForCert, {
-            saveHostInUserFolder,
-        });
-        // Start TCP/HTTPS passthrough
-        for (const portToPassthrough of this.portsToPass) {
-            await this.clientPassthrough(portToPassthrough, vpnServerTargets, combinedHostsObj);
-        }
-        // Start UDP passthrough
-        for (const portToPassthrough of this.portsToPass) {
-            await this.clientUdpPassthrough(portToPassthrough, vpnServerTargets, combinedHostsObj);
-        }
-        lib_prod_5.Helpers.info(`Client activated`);
-    }
-    //#endregion
-    //#region private methods / get remote hosts
-    async getRemoteHosts(vpnServerTarget) {
-        try {
-            const url = `http://${vpnServerTarget.hostname}${SERVERS_PATH}`;
-            const response = await (0, axios_1.default)({ url, method: 'GET' });
-            return response.data;
-        }
-        catch (err) {
-            lib_prod_5.Helpers.error(`Remote server: ${vpnServerTarget.hostname} may be inactive...`, true, true);
-            return [];
-        }
-    }
-    //#endregion
-    //#region private methods / create certificate
-    createCertificateIfNotExists() {
-        if (!lib_prod_5.Helpers.exists(this.serveKeyPath) ||
-            !lib_prod_5.Helpers.exists(this.serveCertPath)) {
-            lib_prod_5.Helpers.info(`[vpn-split] Generating new self-signed certificate for localhost...`);
-            const commandGen = (0, lib_prod_3.UtilsOs_isRunningInWindowsPowerShell)()
-                ? `powershell -Command "& 'C:\\Program Files\\Git\\usr\\bin\\openssl.exe' req -nodes -new -x509 -keyout ${this.serveKeyName} -out ${this.serveCertName}"`
-                : `openssl req -nodes -new -x509 -keyout ${this.serveKeyName} -out ${this.serveCertName}`;
-            lib_prod_5.Helpers.run(commandGen, { cwd: this.cwd, output: true }).sync();
-        }
-    }
-    //#endregion
-    //#region private methods / TCP & HTTPS passthrough
-    getTarget({ req, res, port, hostname, }) {
-        return `${req.protocol}://${hostname}:${port}`;
-    }
-    getProxyConfig({ req, res, port, hostname, isHttps, }) {
-        const serverPassthrough = !!hostname;
-        const target = this.getTarget({
-            req,
-            res,
-            port,
-            hostname: serverPassthrough ? hostname : req.hostname,
-        });
-        // console.log({
-        //   target,
-        //   port,
-        //   hostname,
-        //   reqHostname: req.hostname,
-        //   serverPassthrough,
-        // });
-        return isHttps
-            ? {
-                target,
-                ssl: {
-                    key: lib_prod_3.fse.readFileSync(this.serveKeyPath),
-                    cert: lib_prod_3.fse.readFileSync(this.serveCertPath),
-                },
-                // agent: new https.Agent({
-                //   secureOptions: crypto.constants.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION,
-                // }),
-                // changeOrigin: true,
-                secure: true,
-            }
-            : { target };
-    }
-    getNotFoundMsg(req, res, port, type) {
-        return `[vpn-split] You are requesting a URL that is not in proxy reach [${type}]
-Protocol: ${req.protocol}
-Hostname: ${req.hostname}
-OriginalUrl: ${req.originalUrl}
-Req.method: ${req.method}
-Port: ${port}
-SERVERS_PATH: ${SERVERS_PATH}`;
-    }
-    getMaybeChangeOriginTrueMsg(req, res, port, type) {
-        return `[vpn-split] Possibly need changeOrigin: true in your proxy config
-Protocol: ${req.protocol}
-Hostname: ${req.hostname}
-OriginalUrl: ${req.originalUrl}
-Req.method: ${req.method}
-Port: ${port}`;
-    }
-    filterHeaders(req, res) {
-        // If you have any headers to remove, do it here:
-        const headersToRemove = [
-        // 'Strict-Transport-Security',
-        // 'Content-Security-Policy',
-        // ...
-        ];
-        headersToRemove.forEach(headerName => {
-            delete req.headers[headerName];
-            res.setHeader(headerName, '');
-        });
-    }
-    isHttpsPort(port) {
-        // Decide your logic for “is HTTPS” here
-        return [443, 4443, 9443].includes(port);
-    }
-    //#region server passthrough (TCP/HTTPS)
-    async serverPassthrough(portToPassthrough) {
-        const isHttps = this.isHttpsPort(portToPassthrough);
-        process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
-        const app = express();
-        const proxy = httpProxy.createProxyServer({});
-        const localIp = await (0, lib_prod_3.UtilsNetwork_getLocalIpAddresses)();
-        const currentLocalIps = [
-            lib_prod_4.CoreModels_localhostDomain,
-            lib_prod_4.CoreModels_localhostIp127,
-            ...localIp.map(a => a.address),
-        ];
-        app.use((req, res, next) => {
-            this.filterHeaders(req, res);
-            if (currentLocalIps.includes(req.hostname)) {
-                if (req.method === 'GET' && req.originalUrl === SERVERS_PATH) {
-                    res.send(JSON.stringify(this.hostsArrWithoutDefault.map(h => ({
-                        ip: h.ip,
-                        alias: lib_prod_5.Helpers.arrays.from(h.aliases).join(' '),
-                    }))));
-                }
-                else {
-                    const msg = this.getNotFoundMsg(req, res, portToPassthrough, 'server');
-                    log.d(msg);
-                    res.send(msg);
-                }
-                next();
-            }
-            else {
-                proxy.web(req, res, this.getProxyConfig({ req, res, port: portToPassthrough, isHttps }), next);
-            }
-        });
-        const server = isHttps
-            ? lib_prod_3.https.createServer({
-                key: lib_prod_3.fse.readFileSync(this.serveKeyPath),
-                cert: lib_prod_3.fse.readFileSync(this.serveCertPath),
-            }, app)
-            : http.createServer(app);
-        await lib_prod_5.Helpers.killProcessByPort(portToPassthrough, { silent: true });
-        await new Promise((resolve, reject) => {
-            server.listen(portToPassthrough, () => {
-                console.log(`TCP/HTTPS server listening on port ${portToPassthrough} (secure=${isHttps})`);
-                resolve();
-            });
-        });
-    }
-    //#endregion
-    //#region client passthrough (TCP/HTTPS)
-    async clientPassthrough(portToPassthrough, vpnServerTargets, hostsArr) {
-        // Map from an alias => the “real” origin hostname (the server domain)
-        const aliasToOriginHostname = {};
-        for (const h of hostsArr) {
-            for (const alias of h.aliases) {
-                aliasToOriginHostname[alias] = h.originHostname;
-            }
-        }
-        // Remove defaults from the map so we don't cause collisions
-        delete aliasToOriginHostname['localhost'];
-        delete aliasToOriginHostname['broadcasthost'];
-        // Build a dictionary from originHostname => URL (for quick lookup)
-        const originToUrlMap = {};
-        for (const url of vpnServerTargets) {
-            originToUrlMap[url.hostname] = url;
-        }
-        const isHttps = this.isHttpsPort(portToPassthrough);
-        process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
-        const app = express();
-        const proxy = httpProxy.createProxyServer({});
-        app.use((req, res, next) => {
-            this.filterHeaders(req, res);
-            // Identify the real origin server based on alias
-            const originHostname = aliasToOriginHostname[req.hostname];
-            if (!originHostname) {
-                // Not one of our known aliases
-                const msg = this.getMaybeChangeOriginTrueMsg(req, res, portToPassthrough, 'client');
-                res.send(msg);
-                next();
-                return;
-            }
-            // Proxy onward to the real server domain at the same port
-            const targetUrlObj = originToUrlMap[originHostname];
-            if (!targetUrlObj) {
-                const notFoundMsg = this.getNotFoundMsg(req, res, portToPassthrough, 'client');
-                res.send(notFoundMsg);
-                next();
-                return;
-            }
-            // Forward
-            proxy.web(req, res, this.getProxyConfig({
-                req,
-                res,
-                port: portToPassthrough,
-                isHttps,
-                hostname: targetUrlObj.hostname,
-            }), next);
-        });
-        const server = isHttps
-            ? lib_prod_3.https.createServer({
-                key: lib_prod_3.fse.readFileSync(this.serveKeyPath),
-                cert: lib_prod_3.fse.readFileSync(this.serveCertPath),
-            }, app)
-            : http.createServer(app);
-        await lib_prod_5.Helpers.killProcessByPort(portToPassthrough, { silent: true });
-        await new Promise((resolve, reject) => {
-            server.listen(portToPassthrough, () => {
-                log.i(`TCP/HTTPS client listening on port ${portToPassthrough} (secure=${isHttps})`);
-                resolve();
-            });
-        });
-    }
-    //#endregion
-    //#region UDP passthrough
-    /**
-     * Start a UDP socket for “server” mode on a given port.
-     * This example forwards inbound messages right back to the sender,
-     * or you can forward them to an external IP:port if desired.
-     */
-    async serverUdpPassthrough(port) {
-        return;
-        // Example of a simple “echo-style” server or forwarder
-        const socket = dgram.createSocket('udp4');
-        // (Optionally) kill existing processes on that port – though for UDP
-        // we might not have a direct “listener process.” Adjust as needed.
-        // await Helpers.killProcessByPort(port, { silent: true }).catch(() => {});
-        socket.on('message', (msg, rinfo) => {
-            // rinfo contains { address, port } of the sender
-            // In a typical “server” scenario, you might:
-            // 1. Inspect msg
-            // 2. Possibly forward to some real backend if needed
-            // 3. Or just echo it back
-            // For a real forward, do something like:
-            // const backendHost = 'some-other-host-or-ip';
-            // const backendPort = 9999;
-            // socket.send(msg, 0, msg.length, backendPort, backendHost);
-            // For a basic echo server:
-            socket.send(msg, 0, msg.length, rinfo.port, rinfo.address, err => {
-                if (err) {
-                    log.er(`UDP server send error: ${err}`);
-                }
-            });
-        });
-        socket.on('listening', () => {
-            const address = socket.address();
-            log.i(`UDP server listening at ${address.address}:${address.port}`);
-        });
-        socket.bind(port);
-    }
-    /**
-     * Start a UDP socket for “client” mode on a given port.
-     * This example also just does a trivial pass-through or echo,
-     * but you can adapt to forward to a remote server.
-     */
-    async clientUdpPassthrough(port, vpnServerTargets, hostsArr) {
-        return;
-        // console.log(`Client UDP passthrough, port ${port}` );
-        // In client mode, we typically intercept local UDP traffic on “port”
-        // and forward it to the remote server. Then we forward the remote
-        // server's response back to the local client.
-        const socket = dgram.createSocket('udp4');
-        // await Helpers.killProcessByPort(port, { silent: true }).catch(() => {});
-        // For simplicity, pick the first server from the array
-        // Or add your own logic to choose among multiple.
-        const primaryTarget = vpnServerTargets[0];
-        const targetHost = primaryTarget.hostname;
-        // Choose the same port or a custom port
-        const targetPort = port;
-        // A map to remember who originally sent us a packet,
-        // so we can route the response back properly.
-        // Key could be “targetHost:targetPort => { address, port }”
-        // or “clientAddress:clientPort” => { remoteAddress, remotePort }.
-        // Adapt to your scenario.
-        const clientMap = new Map();
-        socket.on('message', (msg, rinfo) => {
-            //
-            // If the message is from a local client, forward to server.
-            // If the message is from the server, forward back to the correct client.
-            //
-            // Check if it’s from local or remote by address. This is simplistic:
-            const isFromLocal = !lib_prod_3._.includes(hostsArr.map(h => h.ipOrDomain), rinfo.address);
-            if (isFromLocal) {
-                // Received from local => forward to “server” (the VPN server)
-                // Keep track of who we got this from (the local client)
-                const key = `local-${rinfo.address}:${rinfo.port}`;
-                clientMap.set(key, rinfo);
-                // Forward to remote
-                socket.send(msg, 0, msg.length, targetPort, targetHost, err => {
-                    if (err) {
-                        log.er(`UDP client forward error: ${err}`);
-                    }
-                });
-            }
-            else {
-                // Probably from remote => forward back to whichever local client sent it
-                // In a more advanced scenario, parse the payload or maintain a bigger table
-                // with NAT-like sessions.
-                //
-                // For now, we guess it’s from the “VPN server”
-                // We'll just route it back to the single local client that we stored
-                // or do multiple if we had a better NAT map.
-                // If you have multi-target or multi-client logic, adapt here.
-                // For example, search clientMap by something in the msg or a NAT key.
-                clientMap.forEach((localRinfo, key) => {
-                    socket.send(msg, 0, msg.length, localRinfo.port, localRinfo.address, err => {
-                        if (err) {
-                            log.er(`UDP client re-send error: ${err}`);
-                        }
-                    });
-                });
-            }
-        });
-        socket.on('listening', () => {
-            const address = socket.address();
-            log.i(`UDP client listening at ${address.address}:${address.port}, forwarding to ${targetHost}:${targetPort}`);
-        });
-        socket.bind(port);
-    }
-    //#endregion
-    //#region private methods / get port from request
-    getPortFromRequest(req) {
-        const host = req.headers.host;
-        const protocol = req.protocol;
-        if (host) {
-            const hostParts = host.split(':');
-            if (hostParts.length === 2) {
-                return Number(hostParts[1]);
-            }
-            else {
-                return protocol === 'https' ? 443 : 80;
-            }
-        }
-        return 80;
-    }
-    //#endregion
-    // Put this method in your VpnSplit class (or outside as a static helper)
-    ensureMkcertCertificate(domains) {
-        //#region @backendFunc
-        // console.log('Domains for cert:', domains);
-        // Helpers.error(``,false,true);
-        if (!(0, lib_prod_3.UtilsOs_commandExistsSync)('mkcert')) {
-            lib_prod_5.Helpers.error('[vpn-split] mkcert is not installed.', false, true);
-        }
-        const certPath = this.serveCertPath; // e.g. .../tmp-server_cert
-        const keyPath = this.serveKeyPath; // e.g. .../tmp-server_key
-        const allNames = [
-            'localhost',
-            '127.0.0.1',
-            // '::1',
-            // optional: common local networks so the cert also works for raw IP access
-            // '10.0.0.0/8',
-            // '172.16.0.0/12',
-            // '192.168.0.0/16',
-            ...domains, // <-- your 120+ domains here
-        ];
-        // Helper: run mkcert and capture output
-        const runMkcert = (args) => {
-            try {
-                return (0, child_process_1.execSync)(`mkcert ${args}`, { stdio: 'pipe' }).toString().trim();
-            }
-            catch (err) {
-                const stderr = err.stderr?.toString() || '';
-                if (stderr.includes('command not found')) {
-                    lib_prod_5.Helpers.error('[vpn-split] mkcert is not installed. Install it first: https://github.com/FiloSottile/mkcert', false, true);
-                }
-                throw err;
-            }
-        };
-        // 1. Check if the root CA is already installed
-        let caInstalled = false;
-        try {
-            const output = runMkcert('-CAROOT');
-            // If -CAROOT succeeds and the root files exist → CA is installed
-            const rootDir = (0, lib_prod_3.crossPlatformPath)(output.trim());
-            if (rootDir &&
-                lib_prod_3.fse.pathExistsSync((0, lib_prod_3.crossPlatformPath)([rootDir, 'rootCA.pem']))) {
-                lib_prod_5.Helpers.info('[vpn-split] mkcert local CA is already installed');
-                caInstalled = true;
-            }
-            else {
-                lib_prod_5.Helpers.info('[vpn-split] mkcert local CA is NOT installed');
-            }
-        }
-        catch {
-            lib_prod_5.Helpers.info('[vpn-split] mkcert error checking local CA installation');
-        }
-        // 2. Install the local CA if needed (requires sudo once)
-        if (!caInstalled) {
-            lib_prod_5.Helpers.info('[vpn-split] Installing mkcert local CA (requires sudo once)...');
-            try {
-                (0, child_process_1.execSync)('mkcert -install', { stdio: 'inherit' });
-                lib_prod_5.Helpers.info('[vpn-split] Local CA installed and trusted system-wide');
-            }
-            catch (err) {
-                lib_prod_5.Helpers.error('[vpn-split] Failed to run "mkcert -install". Run it manually with sudo.', false, true);
-            }
-        }
-        const isWindows = process.platform === 'win32';
-        // const maxArgLength = isWindows ? 2000 : 8000; // Conservative limits
-        let tempCertFiles = [];
-        let tempKeyFiles = [];
-        if (allNames.length <= 20 || !isWindows) {
-            // Small list or non-Windows: one shot
-            const namesArg = allNames.map(d => `"${d}"`).join(' ');
-            const mkcertCmd = `-key-file "${keyPath}" -cert-file "${certPath}" ${namesArg}`;
-            lib_prod_3.fse.ensureDirSync(lib_prod_3.path.dirname(certPath));
-            runMkcert(mkcertCmd);
-        }
-        else {
-            // Big list on Windows: Batch into chunks of ~20 domains
-            const chunkSize = 20;
-            lib_prod_3.fse.ensureDirSync(lib_prod_3.path.dirname(certPath));
-            for (let i = 0; i < allNames.length; i += chunkSize) {
-                const chunk = allNames.slice(i, i + chunkSize);
-                const tempCert = `${certPath}.${i}.pem`;
-                const tempKey = `${keyPath}.${i}.pem`;
-                const namesArg = chunk.map(d => `"${d}"`).join(' ');
-                const mkcertCmd = `-key-file "${tempKey}" -cert-file "${tempCert}" ${namesArg}`;
-                lib_prod_5.Helpers.info(`[vpn-split] Generating batch ${Math.floor(i / chunkSize) + 1}/${Math.ceil(allNames.length / chunkSize)}...`);
-                runMkcert(mkcertCmd);
-                tempCertFiles.push(tempCert);
-                tempKeyFiles.push(tempKey);
-            }
-            // 3. Merge all temp certs into one (cert chain + leaves) and pick first key
-            lib_prod_5.Helpers.info('[vpn-split] Merging batches into final cert...');
-            const firstKey = tempKeyFiles[0];
-            lib_prod_3.fse.copySync(firstKey, keyPath); // Use the first key (all are identical)
-            // Concat all certs (mkcert output is already PEM-formatted)
-            const mergedCertContent = tempCertFiles
-                .map(f => lib_prod_3.fse.readFileSync(f, 'utf8'))
-                .join('\n'); // PEM certs stack nicely
-            lib_prod_3.fse.writeFileSync(certPath, mergedCertContent);
-            // Clean up temps
-            tempCertFiles.forEach(f => lib_prod_3.fse.removeSync(f));
-            tempKeyFiles.slice(1).forEach(f => lib_prod_3.fse.removeSync(f)); // Keep first key as backup if needed
-            lib_prod_5.Helpers.info('[vpn-split] Merged cert ready!');
-        }
-        // Verify
-        if (!lib_prod_3.fse.existsSync(certPath) || !lib_prod_3.fse.existsSync(keyPath)) {
-            lib_prod_5.Helpers.error('[vpn-split] Files missing after generation!', false, true);
-        }
-        else {
-            lib_prod_5.Helpers.info(`[vpn-split] Trusted cert ready: ${allNames.length} hostnames covered`);
-        }
-        //#endregion
-    }
-    //#region private methods / prevent bad target for client
-    async preventBadTargetForClient(vpnServerTarget) {
-        if (!vpnServerTarget) {
-            const currentLocalIp = await (0, lib_prod_3.UtilsNetwork_getFirstIpV4LocalActiveIpAddress)();
-            lib_prod_5.Helpers.error(`[vpn-server] Please provide a correct target server.\n` +
-                `Example:\n` +
-                `vpn-server ${currentLocalIp}\n\n` +
-                `Your local IP is: ${currentLocalIp}`, false, true);
-        }
-    }
-}
-exports.VpnSplit = VpnSplit;
-//#region helper / gen msg
-const genMsg = `
-################################################
-## This file is generated #####################
-################################################
-`.trim() + EOL;
-//#endregion
-//#region helpers / save hosts
-function saveHosts(hosts, options) {
-    const { saveHostInUserFolder } = options || {};
-    if (lib_prod_3._.isArray(hosts)) {
-        hosts = hosts.reduce((prev, curr) => {
-            return lib_prod_3._.merge(prev, {
-                [curr.name]: curr,
-            });
-        }, {});
-    }
-    const toSave = parseHost(hosts, !!saveHostInUserFolder);
-    if (saveHostInUserFolder) {
-        lib_prod_5.Helpers.writeFile(HOST_FILE_PATHUSER, toSave);
-    }
-    else {
-        lib_prod_5.Helpers.writeFile(HOST_FILE_PATH, toSave);
-    }
-}
-function saveHostsLocal(hosts, options) {
-    const { saveHostInUserFolder } = options || {};
-    if (lib_prod_3._.isArray(hosts)) {
-        hosts = hosts.reduce((prev, curr) => {
-            return lib_prod_3._.merge(prev, {
-                [curr.name]: curr,
-            });
-        }, {});
-    }
-    const toSave = parseHost(hosts, !!saveHostInUserFolder, true);
-    if (saveHostInUserFolder) {
-        lib_prod_5.Helpers.writeFile(HOST_FILE_PATHUSER, toSave);
-    }
-    else {
-        lib_prod_5.Helpers.writeFile(HOST_FILE_PATH, toSave);
-    }
-}
-//#endregion
-//#region helpers / parse hosts
-function parseHost(hosts, saveHostInUserFolder, useLocal = false) {
-    // hosts = _.merge(hosts, DefaultEtcHosts);
-    hosts = {
-        ...DefaultEtcHosts,
-        ...hosts,
-    };
-    lib_prod_3._.keys(hosts).forEach(hostName => {
-        const v = hosts[hostName];
-        v.name = hostName;
-    });
-    return (genMsg +
-        EOL +
-        lib_prod_3._.keys(hosts)
-            .map(hostName => {
-            const v = hosts[hostName];
-            if (v.skipUpdateOfServerEtcHosts) {
-                console.warn(`[vpn-split] Skip saving host: ${v.name} (${v.ipOrDomain})`);
-                return `# SKIPPING HOST ${v.ipOrDomain} ${v.aliases.join(' ')} ${GENERATED}`; // Skip saving this host
-            }
-            const aliasesStr = v.aliases.join(' ');
-            if (saveHostInUserFolder) {
-                // For a user-specific hosts file:
-                return useLocal
-                    ? `127.0.0.1 ${aliasesStr}`
-                    : `${v.disabled ? '#' : ''}${v.ipOrDomain} ${aliasesStr}`;
-            }
-            return useLocal
-                ? `127.0.0.1 ${aliasesStr}`
-                : `${v.disabled ? '#' : ''}${v.ipOrDomain} ${aliasesStr} # ${v.name} ${GENERATED}`;
-        })
-            .join(EOL) +
-        EOL +
-        EOL +
-        genMsg);
-}
-//#endregion
-//# sourceMappingURL=vpn-split.backend.js.map