fix: move active configs to /etc/wireguard

Author: parfenovvs

README.md

@@ -11,7 +11,8 @@ The client is in experimental mode, so it is important to know which parts of th
 - Configuration files in user's config directory:
   - Session info: `~/.config/mbvpn/config.yml`
   - Machine ID: `~/.config/mbvpn/machine-id`
-  - WireGuard configurations: `~/.config/mbvpn/servers/*.conf`
+  - WireGuard configuration storage: `~/.config/mbvpn/servers/*.conf`
+- Active WireGuard configurations are copied to `/etc/wireguard/*.conf` during connection
 - `logout` command removes the configuration files but keeps WireGuard interfaces in the system
 
 ## Installation

pkg/config/config_test.go

@@ -48,6 +48,13 @@ func (m *MockDirectoryProvider) GetServersFile() (string, error) {
 	return "", fmt.Errorf("not implemented")
 }
 
+func (m *MockDirectoryProvider) GetWireguardDir() (string, error) {
+	if m.ConfigDirError {
+		return "", fmt.Errorf("simulated error")
+	}
+	return "", fmt.Errorf("not implemented")
+}
+
 // Helper function to setup a test environment
 func setupTestConfig(t *testing.T) (*YamlConfigProvider, func()) {
 	// Create a temporary directory

pkg/config/directory.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 // DirectoryProvider defines the interface for getting application directories and file paths.
@@ -16,6 +17,9 @@ type DirectoryProvider interface {
 	// GetServersDir returns the servers directory (e.g., ~/.config/mbvpn/servers)
 	GetServersDir() (string, error)
 
+	// GetWireguardDir returns the system WireGuard directory (/etc/wireguard)
+	GetWireguardDir() (string, error)
+
 	// GetConfigFile returns the config file path (e.g., ~/.config/mbvpn/config.yml)
 	GetConfigFile() (string, error)
 
@@ -61,6 +65,16 @@ func (d *directoryProvider) GetServersDir() (string, error) {
 	return filepath.Join(configDir, "servers"), nil
 }
 
+// GetWireguardDir returns the system WireGuard directory
+func (d *directoryProvider) GetWireguardDir() (string, error) {
+	// For test environments (temp directories), use test structure
+	if strings.Contains(d.baseDir, os.TempDir()) {
+		return filepath.Join(d.baseDir, "wireguard"), nil
+	}
+	// For production, use standard WireGuard location
+	return "/etc/wireguard", nil
+}
+
 // GetConfigFile returns the config file path
 func (d *directoryProvider) GetConfigFile() (string, error) {
 	configDir, err := d.GetConfigDir()

pkg/config/directory_test.go

@@ -179,6 +179,21 @@ func TestTestDirectoryProvider_Integration(t *testing.T) {
 	}
 }
 
+func TestDefaultDirectoryProvider_GetWireguardDir(t *testing.T) {
+	tempDir := t.TempDir()
+	provider := NewDirectoryProvider(tempDir)
+
+	wireguardDir, err := provider.GetWireguardDir()
+	if err != nil {
+		t.Fatalf("GetWireguardDir should succeed: %v", err)
+	}
+
+	expectedDir := filepath.Join(tempDir, "wireguard")
+	if wireguardDir != expectedDir {
+		t.Errorf("Expected wireguard dir '%s', got '%s'", expectedDir, wireguardDir)
+	}
+}
+
 func TestDirectoryProvider_Interface(t *testing.T) {
 	// Verify the implementation satisfies the interface
 	var _ DirectoryProvider = &directoryProvider{}

pkg/console/console.go

@@ -99,13 +99,20 @@ func sanitizeWgConfigPath(cfgPath string, dirProvider config.DirectoryProvider)
 		return "", fmt.Errorf("config path is not a regular file")
 	}
 
-	// Ensure it's within the expected config directory
+	// Check if it's within the expected config directory OR system wireguard directory
 	expectedBase, err := dirProvider.GetServersDir()
 	if err != nil {
 		return "", fmt.Errorf("failed to get servers directory: %w", err)
 	}
-	if !strings.HasPrefix(absPath, expectedBase) {
-		return "", fmt.Errorf("config file must be within %s", expectedBase)
+
+	wireguardBase, wgErr := dirProvider.GetWireguardDir()
+	if wgErr != nil {
+		return "", fmt.Errorf("failed to get wireguard directory: %w", wgErr)
+	}
+
+	// Path must be in either user config directory or system wireguard directory
+	if !strings.HasPrefix(absPath, expectedBase) && !strings.HasPrefix(absPath, wireguardBase) {
+		return "", fmt.Errorf("config file must be within %s or %s", expectedBase, wireguardBase)
 	}
 
 	// Verify file extension (WireGuard configs must be .conf)

pkg/servers/servers_test.go

@@ -245,6 +245,13 @@ func (m *mockDirectoryProvider) GetServersFile() (string, error) {
 	return "", nil
 }
 
+func (m *mockDirectoryProvider) GetWireguardDir() (string, error) {
+	if m.shouldError {
+		return "", os.ErrPermission
+	}
+	return "", nil
+}
+
 func TestDefaultServerStorage_Get(t *testing.T) {
 	dirProvider, cleanup := setupTestDir(t)
 	defer cleanup()

pkg/vpn/vpn.go

@@ -268,8 +268,14 @@ func (vpn *DefaultVpn) Connect(cfg string) error {
 		return errors.NewVPNError("write config", err)
 	}
 
-	output.PrintMsg(fmt.Sprintf("Calling 'wg-quick up %s'", cfgPath), output.MsgOutput)
-	err = console.WgUp(cfgPath, vpn.dirProvider)
+	// Copy config to /etc/wireguard for wg-quick to use
+	systemCfgPath, err := vpn.copyConfigToSystem(cfgPath, cfgName)
+	if err != nil {
+		return errors.NewVPNError("copy config to system", err)
+	}
+
+	output.PrintMsg(fmt.Sprintf("Calling 'wg-quick up %s'", systemCfgPath), output.MsgOutput)
+	err = console.WgUp(systemCfgPath, vpn.dirProvider)
 	if err != nil {
 		return errors.NewVPNError("connect", err)
 	}
@@ -297,12 +303,13 @@ func (vpn *DefaultVpn) Disconnect(cfg string) error {
 
 	output.PrintMsg(fmt.Sprintf("Disconnecting from %s...", cfg), output.MsgOutput)
 
-	cfgDir, err := vpn.dirProvider.GetServersDir()
+	wireguardDir, err := vpn.dirProvider.GetWireguardDir()
 	if err != nil {
-		return errors.NewConfigError("get servers directory", err)
+		return errors.NewConfigError("get wireguard directory", err)
 	}
 
-	err = console.WgDown(filepath.Join(cfgDir, cfg+".conf"), vpn.dirProvider)
+	systemCfgPath := filepath.Join(wireguardDir, cfg+".conf")
+	err = console.WgDown(systemCfgPath, vpn.dirProvider)
 	if err != nil {
 		return errors.NewVPNError("disconnect", err)
 	}
@@ -417,3 +424,31 @@ func (vpn *DefaultVpn) saveWgConfig(serverName string, configContent string) (st
 	filePath := filepath.Join(configDir, serverName+".conf")
 	return filePath, os.WriteFile(filePath, []byte(configContent), 0o600)
 }
+
+// copyConfigToSystem copies a config file from user directory to /etc/wireguard
+// This requires sudo permissions and is called during connection operations.
+func (vpn *DefaultVpn) copyConfigToSystem(userConfigPath, serverName string) (string, error) {
+	wireguardDir, err := vpn.dirProvider.GetWireguardDir()
+	if err != nil {
+		return "", fmt.Errorf("failed to get wireguard directory: %w", err)
+	}
+
+	// Ensure /etc/wireguard exists with proper permissions
+	if err := os.MkdirAll(wireguardDir, 0o700); err != nil {
+		return "", fmt.Errorf("failed to create wireguard directory: %w", err)
+	}
+
+	// Read source config
+	configData, err := os.ReadFile(userConfigPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to read config: %w", err)
+	}
+
+	// Write to system location
+	systemPath := filepath.Join(wireguardDir, serverName+".conf")
+	if err := os.WriteFile(systemPath, configData, 0o600); err != nil {
+		return "", fmt.Errorf("failed to write system config: %w", err)
+	}
+
+	return systemPath, nil
+}

pkg/vpn/vpn_test.go

@@ -62,6 +62,13 @@ func (m *mockDirectoryProvider) GetServersFile() (string, error) {
 	return "", nil
 }
 
+func (m *mockDirectoryProvider) GetWireguardDir() (string, error) {
+	if m.shouldError {
+		return "", os.ErrPermission
+	}
+	return "", nil
+}
+
 func TestGetCountryFlag(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -596,6 +603,76 @@ func TestWriteConfig_Integration(t *testing.T) {
 	}
 }
 
+func TestCopyConfigToSystem(t *testing.T) {
+	dirProvider, cleanup := setupTestDir(t)
+	defer cleanup()
+
+	vpn := &DefaultVpn{dirProvider: dirProvider}
+
+	// First create a config file in user directory
+	server := remote.Server{
+		Hostname:   "test.example.com",
+		IPv4AddrIn: "203.0.113.1",
+		PublicKey:  "server-public-key",
+	}
+
+	userConfigPath, err := vpn.writeConfig("test-server", server, "private-key", "10.0.0.1/32", "2001:db8::1/128")
+	if err != nil {
+		t.Fatalf("writeConfig should succeed: %v", err)
+	}
+
+	// Now copy to system directory
+	systemPath, err := vpn.copyConfigToSystem(userConfigPath, "test-server")
+	if err != nil {
+		t.Fatalf("copyConfigToSystem should succeed: %v", err)
+	}
+
+	// Verify system config file exists
+	if _, err := os.Stat(systemPath); os.IsNotExist(err) {
+		t.Error("System config file should be created")
+	}
+
+	// Verify file contents match
+	userContent, err := os.ReadFile(userConfigPath)
+	if err != nil {
+		t.Fatalf("Failed to read user config file: %v", err)
+	}
+
+	systemContent, err := os.ReadFile(systemPath)
+	if err != nil {
+		t.Fatalf("Failed to read system config file: %v", err)
+	}
+
+	if string(userContent) != string(systemContent) {
+		t.Error("User and system config files should have identical content")
+	}
+
+	// Verify file permissions
+	fileInfo, err := os.Stat(systemPath)
+	if err != nil {
+		t.Fatalf("Failed to stat system config file: %v", err)
+	}
+
+	if fileInfo.Mode().Perm() != 0o600 {
+		t.Errorf("System config file should have 0600 permissions, got %o", fileInfo.Mode().Perm())
+	}
+
+	// Verify directory permissions
+	wireguardDir, err := dirProvider.GetWireguardDir()
+	if err != nil {
+		t.Fatalf("GetWireguardDir should succeed: %v", err)
+	}
+
+	dirInfo, err := os.Stat(wireguardDir)
+	if err != nil {
+		t.Fatalf("Failed to stat wireguard directory: %v", err)
+	}
+
+	if dirInfo.Mode().Perm() != 0o700 {
+		t.Errorf("Wireguard directory should have 0700 permissions, got %o", dirInfo.Mode().Perm())
+	}
+}
+
 // Additional test functions to improve coverage
 func TestGetConnectedServers_EmptyInput(t *testing.T) {
 	// Test with empty string to cover error paths