From 463db029e1e5a275a64d4ddcdaf43fbf2d48de74 Mon Sep 17 00:00:00 2001
From: Dmitrii Iurco
Date: Sat, 6 Jun 2026 07:42:49 -0400
Subject: [PATCH] Fix: expose listen_port in WG status API and add HTTPS DNAT to PostUp/PreDown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds listen_port to /api/wireguard/status response so e2e test conftest picks up the actual port (51821) instead of defaulting to 51820. Extends PostUp/PreDown in generate_config to also DNAT and forward port 443 (HTTPS) through to cell-caddy — mirrors the ensure_service_dnat fix so HTTPS works even after a WireGuard container restart without an API restart. Updates _is_dnat_rule to recognize 443 rules.
Co-Authored-By: Claude Sonnet 4.6
---
 api/wireguard_manager.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/api/wireguard_manager.py b/api/wireguard_manager.py
index c31e2c2..0807428 100644
--- a/api/wireguard_manager.py
+++ b/api/wireguard_manager.py
@@ -155,7 +155,9 @@ class WireGuardManager(BaseServiceManager):
 f'iptables -t nat -A PREROUTING -i %i -d {server_ip} -p udp --dport 53 -j DNAT --to-destination {dns_ip}:53; '
 f'iptables -t nat -A PREROUTING -i %i -d {server_ip} -p tcp --dport 53 -j DNAT --to-destination {dns_ip}:53; '
 f'iptables -t nat -A PREROUTING -i %i -d {server_ip} -p tcp --dport 80 -j DNAT --to-destination {caddy_ip}:80; '
+ f'iptables -t nat -A PREROUTING -i %i -d {server_ip} -p tcp --dport 443 -j DNAT --to-destination {caddy_ip}:443; '
 f'iptables -I FORWARD -i %i -o eth0 -p tcp --dport 80 -j ACCEPT; '
+ f'iptables -I FORWARD -i %i -o eth0 -p tcp --dport 443 -j ACCEPT; '
 f'iptables -I FORWARD -i %i -o eth0 -p udp --dport 53 -j ACCEPT; '
 f'iptables -I FORWARD -i %i -o eth0 -p tcp --dport 53 -j ACCEPT; '
 f'iptables -I FORWARD -i eth0 -o %i -s 172.20.0.0/16 -j ACCEPT; '
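Review bot: The new FORWARD accept, `iptables -I FORWARD -i %i -o eth0 -p tcp --dport 443 -j ACCEPT`, carries no destination match, so it forwards peer traffic to port 443 on any host reachable via eth0, not only the caddy container that the DNAT line above it targets; the PREROUTING rule rewrites only packets addressed to `{server_ip}`, so direct 443 traffic to other 172.20.0.0/16 addresses passes the FORWARD chain unchanged. Because nat PREROUTING runs before filter FORWARD, the DNATed packets already have `{caddy_ip}` as their destination, so the accept can be scoped without breaking the HTTPS path: `f'iptables -I FORWARD -i %i -o eth0 -d {caddy_ip} -p tcp --dport 443 -j ACCEPT; '`. The matching `-D` line in the PreDown hunk must carry the same `-d {caddy_ip}` or it will not find the rule to delete. The existing 80/53 accept lines follow the same unscoped pattern, so this is pre-existing style rather than something this commit introduces; whether peers are meant to reach anything other than the DNATed services is not visible here. The PostUp string and generate_config continue outside the hunk.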
@@ -165,7 +167,9 @@ class WireGuardManager(BaseServiceManager):
 f'iptables -t nat -D PREROUTING -i %i -d {server_ip} -p udp --dport 53 -j DNAT --to-destination {dns_ip}:53 2>/dev/null || true; '
 f'iptables -t nat -D PREROUTING -i %i -d {server_ip} -p tcp --dport 53 -j DNAT --to-destination {dns_ip}:53 2>/dev/null || true; '
 f'iptables -t nat -D PREROUTING -i %i -d {server_ip} -p tcp --dport 80 -j DNAT --to-destination {caddy_ip}:80 2>/dev/null || true; '
+ f'iptables -t nat -D PREROUTING -i %i -d {server_ip} -p tcp --dport 443 -j DNAT --to-destination {caddy_ip}:443 2>/dev/null || true; '
 f'iptables -D FORWARD -i %i -o eth0 -p tcp --dport 80 -j ACCEPT 2>/dev/null || true; '
+ f'iptables -D FORWARD -i %i -o eth0 -p tcp --dport 443 -j ACCEPT 2>/dev/null || true; '
 f'iptables -D FORWARD -i %i -o eth0 -p udp --dport 53 -j ACCEPT 2>/dev/null || true; '
 f'iptables -D FORWARD -i %i -o eth0 -p tcp --dport 53 -j ACCEPT 2>/dev/null || true; '
 f'iptables -D FORWARD -i eth0 -o %i -s 172.20.0.0/16 -j ACCEPT 2>/dev/null || true; '
@@ -194,11 +198,11 @@ class WireGuardManager(BaseServiceManager):
 t = token.strip()
 if not t.startswith('iptables'):
 return False
- # PREROUTING DNAT on ports 53 or 80 (scoped or unscoped — we replace both)
- if 'PREROUTING' in t and 'DNAT' in t and ('--dport 53' in t or '--dport 80' in t):
+ # PREROUTING DNAT on ports 53, 80, or 443 (scoped or unscoped — we replace both)
+ if 'PREROUTING' in t and 'DNAT' in t and ('--dport 53' in t or '--dport 80' in t or '--dport 443' in t):
 return True
- # FORWARD accept to eth0 for ports 53 or 80 (service traffic forwarding)
- if 'FORWARD' in t and '-o eth0' in t and ('--dport 53' in t or '--dport 80' in t):
+ # FORWARD accept to eth0 for ports 53, 80, or 443 (service traffic forwarding)
+ if 'FORWARD' in t and '-o eth0' in t and ('--dport 53' in t or '--dport 80' in t or '--dport 443' in t):
 return True
 # Docker-to-WG FORWARD: eth0 → wg0 for 172.20.0.0/16
 if 'FORWARD' in t and '-i eth0' in t and '172.20.0.0/16' in t:
@@ -1084,6 +1088,7 @@ class WireGuardManager(BaseServiceManager):
 'running': running,
 'status': 'online' if running else 'offline',
 'interface': 'wg0',
+ 'listen_port': self._get_configured_port(),
 'ip_info': {'address': SERVER_ADDRESS} if running else {},
 'peers_count': len(self.get_peers()),
 'timestamp': datetime.utcnow().isoformat(),
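Review bot: The port test in both rewritten `if` lines is a substring check, so `'--dport 443' in t` also matches a rule with `--dport 4430`, in the same way the existing `'--dport 53'` and `'--dport 80'` checks match `--dport 5353` or `--dport 8080`; since this classifier decides which existing rules get deleted and replaced (per the "we replace both" comment), an over-match could remove a rule that is not one of ours. Comparing the port as a whole token avoids this: split `t` on whitespace and accept only when the value following `--dport` is one of `{'53', '80', '443'}`, guarding the case where `--dport` is the last token. The same three literals now appear twice in the function; hoisting them into one module-level constant such as `_SERVICE_PORTS = frozenset({'53', '80', '443'})` keeps the PREROUTING and FORWARD branches from drifting apart the next time a port is added. `_is_dnat_rule`'s signature and the remaining branches are outside the hunk.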
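Review bot: `'listen_port': self._get_configured_port()` is evaluated unconditionally, whereas the neighbouring `ip_info` entry is gated on `running`; if `_get_configured_port` (not visible here) reads the generated config file, a status request while the interface is down or before the first generate_config may raise and turn the whole status response into an error instead of reporting `offline`. If that helper can fail, let the field degrade rather than the endpoint, either by catching the narrow error inside the helper and returning the default port the commit message mentions, or with `'listen_port': self._get_configured_port() if running else None` if an offline status does not need the port. The enclosing status method and the `running` assignment are outside the hunk.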