feat: add allowed_subnets for VPN relay/site-to-site configuration #3

Closed
fherbert wants to merge 3 commits into bartei:dev from fherbert:dev

Conversation

@fherbert (Contributor) commented Jun 5, 2026

This adds support for adding devices in site-to-site mode, i.e. as VPN relays.
Features:

  • Extends the device SQLModel to include an allowed_subnets list
  • Adds an optional routed subnets (allowed_subnets) field to the device configuration (under both the user and admin views)
  • If a device has allowed_subnets configured:
    • the list of subnets will be appended to the server-side peer allowed-IP config
    • any traffic coming from these subnets will be forwarded to the user's chain
    • routes will be added to the routing table for each subnet

Happy to discuss this PR and can start conversation from here :-)
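The three outputs the PR description lists (server-side peer AllowedIPs, a forward-chain jump into the user's chain, and a kernel route per subnet), as an added example that is not code from the PR or the project. The Device class, the interface name wg0, the nft table `inet vpn` with its `forward` chain, and the per-user chain name are assumptions made for illustration; the subnets are parsed with `ipaddress` so only real CIDR prefixes are ever interpolated into nft or `ip` commands.

```python
# Added example (not code from the PR or the project): how a device's
# allowed_subnets feeds the peer AllowedIPs, the nftables forward jump into
# the user's chain, and the kernel routes. Device fields, interface, table
# and chain names are assumptions for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    vpn_ip: str              # the peer's own tunnel address, e.g. "10.8.0.12"
    public_key: str
    user_chain: str          # per-user nft chain to jump to (assumed naming)
    allowed_subnets: list = field(default_factory=list)  # routed subnets behind this relay


def _nets(dev: Device):
    # Parse with ipaddress so only real CIDR prefixes reach nft / ip;
    # strict=True also rejects entries with host bits set (e.g. 192.168.10.5/24).
    return [ipaddress.ip_network(s, strict=True) for s in dev.allowed_subnets]


def peer_allowed_ips(dev: Device) -> list:
    """Server-side AllowedIPs: the peer's own host route plus each routed subnet."""
    host = ipaddress.ip_network(dev.vpn_ip)   # bare address -> /32 (or /128)
    return [str(host)] + [str(n) for n in _nets(dev)]


def wg_peer_section(dev: Device) -> str:
    """[Peer] block for the server's WireGuard config; cryptokey routing keys off AllowedIPs."""
    return "\n".join([
        "[Peer]",
        f"PublicKey = {dev.public_key}",
        f"AllowedIPs = {', '.join(peer_allowed_ips(dev))}",
    ])


def nft_forward_rules(dev: Device, wg_if: str = "wg0", table: str = "inet vpn") -> list:
    """One forward-chain rule per routed subnet: packets arriving on the tunnel
    from that subnet go through the same chain as the user's own device."""
    rules = []
    for n in _nets(dev):
        fam = "ip" if n.version == 4 else "ip6"   # nft: `ip saddr` for v4, `ip6 saddr` for v6
        rules.append(f'add rule {table} forward iifname "{wg_if}" {fam} saddr {n} jump {dev.user_chain}')
    return rules


def ip_route_cmds(dev: Device, wg_if: str = "wg0") -> list:
    """Kernel routes so the server sends traffic for each routed subnet into the
    tunnel; WireGuard then selects the peer whose AllowedIPs covers the destination."""
    return [f"ip -{n.version} route replace {n} dev {wg_if}" for n in _nets(dev)]


# Constructed sample relay (all values made up for the example):
RELAY = Device(
    name="office-router",
    vpn_ip="10.8.0.12",
    public_key="<relay-public-key>",
    user_chain="user_alice",
    allowed_subnets=["192.168.10.0/24", "10.20.0.0/16"],
)

if __name__ == "__main__":
    print(wg_peer_section(RELAY))
    print("\n".join(nft_forward_rules(RELAY)))
    print("\n".join(ip_route_cmds(RELAY)))
```

Note that every string that lands in an nft rule or an `ip` argument comes out of an `ipaddress` object, never straight from the form field; that is the property the later integration comment's validation step is about.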

@bartei (Owner) commented Jun 7, 2026

This looks great! I was planning on adding something similar already, I'll take a look and test it on my instances as soon as I find some time.

Thank you for the kind contribution, the clean PR and the comprehensive test suite included with it.

bartei added a commit that referenced this pull request Jun 26, 2026
Integrates fherbert's relay-subnet feature (routed subnets -> peer allowed-ips,
ip routes, and forward-chain jumps) with hardening before merge:
- rebase migration onto current head (was branching, causing two alembic heads)
- validate/normalize subnets via parse_subnet_list (rejects non-CIDR, blocks nft injection)
- restrict relay subnets to the admin device page only (removed from user page)
- drop the contributor's semantic-release version bump and CHANGELOG
bartei added a commit that referenced this pull request Jun 26, 2026
feat: allowed_subnets for site-to-site/relay (integrates #3, hardened)
@bartei (Owner) commented Jun 26, 2026

Thanks for this, @fherbert — really useful capability, and the implementation was clean and well-tested. 🙌

We've merged your work into main via #4 (merge commit 9a5c09f), which preserves your original commits. A few changes were applied on top during integration:

  • Migration rebased onto the current head — your migration branched off b7e2f4a1c903, which would have created two Alembic heads after some unrelated migrations landed and broken alembic upgrade head on startup.
  • CIDR validation added (parse_subnet_list): routed subnets are validated + normalized before they reach nft/ip route, which rejects malformed input (prevents one bad entry from failing the whole firewall rebuild, and closes a command-injection vector).
  • Scoped to admins: the routed-subnets field was moved off the end-user device page — declaring relays is an admin capability.
  • Route reconciliation: building on your add_routes/remove_routes, we added sync_routes so device delete/edit and startup reconcile prune orphaned routes (and preserve subnets still used by other devices), with unit tests for the new paths. Your add_routes/remove_routes tests carried over.
  • Dropped the semantic-release version bump + CHANGELOG that rode along on the branch (our release pipeline owns versioning).

Closing this PR since the feature is now in main via #4. Thanks again for the contribution!
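The two hardening steps described in the comment above, CIDR validation before anything reaches nft or `ip route`, and route reconciliation that prunes orphans while preserving subnets still declared by another device, as an added example written here from the standard library; it is not the project's own parse_subnet_list or sync_routes. Assumed for illustration: the tunnel network, the convention that routes this tool owns carry `proto static` (the kernel's own link route for the tunnel is `proto kernel` and must never be pruned), and the constructed `ip route show` text. The overlap check against the tunnel network is an extra guard not mentioned in the PR.

```python
# Added example, not the project's parse_subnet_list / sync_routes: CIDR
# validation + normalization, and reconciliation of managed kernel routes.
# Tunnel network, the `proto static` marker and the `ip route show` sample
# are assumptions / constructed input.
import ipaddress
from typing import Iterable, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
MANAGED_PROTO = "static"   # assumed: routes this tool adds carry `proto static`;
                           # the kernel's link route for the tunnel is `proto kernel`


def _order(n):
    return (n.version, n)  # sort key that never compares a v4 network with a v6 one


def parse_subnet_list(raw: Union[str, Iterable[str]], forbidden: Iterable = ()) -> list:
    """Validate and normalize routed subnets before they reach nft or ip route.

    Accepts a comma/whitespace separated string or an iterable of entries.
    Every entry must be a CIDR prefix with no host bits set; anything else,
    including nft or shell metacharacters (they can never parse as an address),
    raises ValueError, so one bad entry fails the form instead of the whole
    firewall rebuild. `forbidden` is an extra check (assumed, not from the PR):
    it rejects prefixes overlapping e.g. the tunnel network, which a relay could
    otherwise use to capture other peers' traffic via AllowedIPs.
    """
    if isinstance(raw, str):
        raw = raw.replace(",", " ").split()
    nets = []
    for entry in raw:
        entry = entry.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid routed subnet {entry!r}: {exc}") from None
        for bad in forbidden:
            if net.version == bad.version and net.overlaps(bad):
                raise ValueError(f"routed subnet {net} overlaps {bad}")
        if net not in nets:            # de-duplicate; str(net) is the canonical text
            nets.append(net)
    return sorted(nets, key=_order)


def parse_wg_routes(ip_route_output: str, wg_if: str) -> set:
    """Prefixes currently routed via wg_if that this tool manages, read from
    `ip route show` / `ip -6 route show` text. Attributes are read as key/value
    pairs, enough for the sample lines; bare flags such as 'linkdown' would
    shift the pairs (a heuristic, not a full iproute2 parser)."""
    routes = set()
    for line in ip_route_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "default":
            continue
        attrs = dict(zip(parts[1::2], parts[2::2]))
        if attrs.get("dev") == wg_if and attrs.get("proto") == MANAGED_PROTO:
            routes.add(ipaddress.ip_network(parts[0], strict=False))
    return routes


def sync_routes(devices: dict, current: set, wg_if: str = "wg0") -> tuple:
    """Reconcile managed kernel routes with what the remaining devices declare.
    desired = union of every device's subnets, so a subnet still used by another
    device survives the deletion of one device that also declared it.
    Returns (commands adding missing routes, commands pruning orphans)."""
    desired = set()
    for subnets in devices.values():
        desired.update(subnets)
    add = [f"ip -{n.version} route replace {n} dev {wg_if} proto {MANAGED_PROTO}"
           for n in sorted(desired - current, key=_order)]
    remove = [f"ip -{n.version} route del {n} dev {wg_if}"
              for n in sorted(current - desired, key=_order)]
    return add, remove


# Constructed `ip route show` output for the tunnel interface (sample, not real):
SAMPLE_IP_ROUTE = """\
10.8.0.0/24 dev wg0 proto kernel scope link src 10.8.0.1
10.20.0.0/16 dev wg0 proto static scope link
172.16.99.0/24 dev wg0 proto static scope link
"""

TUNNEL = ipaddress.ip_network("10.8.0.0/24")   # assumed tunnel network


def demo():
    devices = {
        "relay-a": parse_subnet_list("192.168.10.0/24, 10.20.0.0/16", forbidden=[TUNNEL]),
        "relay-b": parse_subnet_list("10.20.0.0/16 2001:db8:0:0::/64", forbidden=[TUNNEL]),
    }
    current = parse_wg_routes(SAMPLE_IP_ROUTE, "wg0")
    first = sync_routes(devices, current)      # startup reconcile: add missing, prune 172.16.99.0/24
    current = set().union(*devices.values())   # pretend the commands ran
    del devices["relay-a"]                     # device delete: 10.20.0.0/16 is still relay-b's
    after_delete = sync_routes(devices, current)
    return first, after_delete


if __name__ == "__main__":
    for cmds in demo():
        print(cmds)
```

Two design points worth keeping when adapting this: only prune routes you can prove are yours (here the `proto` marker; a reconcile that diffs against every route on the interface will delete the kernel's link route), and validate at the form boundary, since by the time a string is inside an nft batch or an `ip` argv there is no safe way to quote it.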

@bartei bartei closed this Jun 26, 2026