fix: advertise WireGuard endpoint by domain, and reach linked cells over HTTPS
Unit Tests / test (push) Successful in 9m50s

Three related cell-link/peer-config fixes (the peer and cell endpoints were
showing the raw external IP, which confused public-vs-internal addressing):

1. Peer WireGuard configs now embed the cell's effective domain (DDNS/ACME
   modes) instead of the detected external IP, via the new
   WireGuardManager.get_advertised_endpoint(). A name that resolves to the
   public IP survives IP changes and lets the datacenter forward each cell's
   WG port to the right host. LAN mode still falls back to the IP; an admin
   wireguard_endpoint override still wins.

2. Cell invites advertise <effective-domain>:<this cell's WG port> (was the
   external IP + a default/possibly-wrong port), so a remote cell pairs to the
   right host and port over the public path.

3. Cross-cell peer-sync no longer targets http://<ip>:3000 (the API binds
   127.0.0.1 and is unreachable across cells). It targets the remote's Caddy on
   HTTPS/443 — which the WireGuard server already DNATs over the tunnel — and the
   initial pre-tunnel invite push goes to https://<endpoint-host>/... ; legacy
   http://<ip>:3000 link URLs migrate to https on load.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
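The endpoint-selection and URL-migration rules the commit message describes, written out as a small added example (not the project's code; the class and function names, the mode names `lan`/`ddns`/`acme`, and the sample values are assumptions):

```python
"""Added example, not the project's code: how a cell might pick the WireGuard
endpoint it advertises to peers and invites, how the pre-tunnel invite push
reaches the remote over HTTPS/443 rather than the WG port, and how a legacy
http://<ip>:3000 cross-cell link URL is migrated to HTTPS on load.
All names here (CellConfig, advertised_endpoint, ...) are assumptions."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class CellConfig:
    mode: str                                  # assumed mode names: 'lan', 'ddns', 'acme'
    external_ip: str                           # detected public IP
    wg_port: int                               # this cell's WireGuard listen port
    effective_domain: Optional[str] = None     # only set in ddns/acme modes
    wireguard_endpoint: Optional[str] = None   # admin override, 'host:port'


def advertised_endpoint(cfg: CellConfig) -> str:
    """Return the 'host:port' embedded in peer configs and invites.

    Precedence: admin override > effective domain (ddns/acme) > external IP (lan).
    A name that resolves to the public IP survives IP changes; the port is this
    cell's own WG port, not a default."""
    if cfg.wireguard_endpoint:
        return cfg.wireguard_endpoint
    if cfg.mode in ("ddns", "acme") and cfg.effective_domain:
        return f"{cfg.effective_domain}:{cfg.wg_port}"
    return f"{cfg.external_ip}:{cfg.wg_port}"


def pre_tunnel_push_url(endpoint: str, path: str) -> str:
    """Build the HTTPS URL for the initial invite push.

    Only the host part of the advertised endpoint is used: the push goes to the
    remote's reverse proxy on 443, not to the WireGuard UDP port."""
    host, _, _wg_port = endpoint.rpartition(":")
    return f"https://{host}{path}"


def migrate_link_url(url: str) -> str:
    """Rewrite a legacy http://<host>:3000/... link URL to https://<host>/...

    The API on :3000 binds 127.0.0.1 and is unreachable across cells, so stored
    links of that shape are moved to the HTTPS path. URLs that are already https
    or not on port 3000 are returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.port != 3000:
        return url
    host = parts.hostname or ""
    if ":" in host:              # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample cells; the addresses and domain are placeholders.
    ddns = CellConfig("ddns", "1.2.3.4", 51820, effective_domain="cell.example.test")
    lan = CellConfig("lan", "192.0.2.10", 51820)
    print(advertised_endpoint(ddns))                       # cell.example.test:51820
    print(advertised_endpoint(lan))                        # 192.0.2.10:51820
    print(pre_tunnel_push_url(advertised_endpoint(ddns), "/api/cells/link"))
    print(migrate_link_url("http://1.2.3.4:3000/api/peers"))  # https://1.2.3.4/api/peers
```

Note that `migrate_link_url` only touches the scheme and port; the original path and query survive, which is what a load-time migration of stored link records needs.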
2026-06-16 04:21:16 -04:00
parent fa746a3b30
commit 1bb8a5eb59
6 changed files with 181 additions and 37 deletions
@@ -90,11 +90,13 @@ class TestWireGuardEndpoints(unittest.TestCase):
'endpoint': '1.2.3.4:51820',
'port': 51820,
}
mock_wg.get_advertised_endpoint.return_value = '1.2.3.4:51820'
r = self.client.get('/api/wireguard/server-config')
self.assertEqual(r.status_code, 200)
data = json.loads(r.data)
self.assertIn('public_key', data)
self.assertIn('endpoint', data)
self.assertEqual(data.get('effective_endpoint'), '1.2.3.4:51820')
@patch('app.wireguard_manager')
def test_server_config_returns_500_on_exception(self, mock_wg):
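Review bot: the new mock value and the new assertion (`mock_wg.get_advertised_endpoint.return_value = '1.2.3.4:51820'` and `self.assertEqual(data.get('effective_endpoint'), '1.2.3.4:51820')`) use exactly the same string as the raw `'endpoint': '1.2.3.4:51820'` in the mocked server config above, so the test still passes if the route copies `endpoint` into `effective_endpoint` and never calls `get_advertised_endpoint()` at all. Give the mock a distinct, domain-shaped value (for example `'cell.example.test:51820'`), assert that `effective_endpoint` equals that value while `endpoint` keeps the IP form, and add `mock_wg.get_advertised_endpoint.assert_called_once()` so the test pins the behaviour this commit introduces.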