Merge branch 'dev'

Author: anonvector

README.md

@@ -79,7 +79,7 @@ slipgate stats                  # Live dashboard (CPU, RAM, traffic, connections
 
 # Tunnel management
 slipgate tunnel add             # Add tunnel(s) — supports multi-select and "both" backend
-slipgate tunnel edit [tag]      # Edit tunnel settings (MTU, keys)
+slipgate tunnel edit [tag]      # Edit tunnel settings (tag, MTU, keys)
 slipgate tunnel remove [tag]    # Remove a tunnel
 slipgate tunnel start [tag]     # Start a tunnel
 slipgate tunnel stop [tag]      # Stop a tunnel
@@ -168,6 +168,9 @@ sudo slipgate tunnel add \
 sudo slipgate tunnel add --transport direct-ssh --tag myssh
 sudo slipgate tunnel add --transport direct-socks5 --tag mysocks
 
+# Rename a tunnel
+sudo slipgate tunnel edit --tag mydnstt --new-tag my-tunnel
+
 # Change MTU on a DNSTT tunnel
 sudo slipgate tunnel edit --tag mydnstt --mtu 1232
 

internal/actions/tunnel.go

@@ -83,6 +83,7 @@ func init() {
 		Category: "tunnel",
 		Inputs: []InputField{
 			{Key: "tag", Label: "Tunnel tag", Required: true},
+			{Key: "new-tag", Label: "New tag name"},
 			{Key: "domain", Label: "Domain"},
 			{Key: "mtu", Label: "MTU"},
 			{Key: "private-key", Label: "Private key (hex)"},

internal/config/config.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"encoding/json"
+	"fmt"
 	"os"
 	"path/filepath"
 	"sync"
@@ -123,6 +124,20 @@ func (c *Config) GetTunnel(tag string) *TunnelConfig {
 	return nil
 }
 
+// UniqueTag returns a tag that doesn't conflict with existing tunnels.
+// If base is available it is returned as-is, otherwise a numeric suffix is appended.
+func (c *Config) UniqueTag(base string) string {
+	if c.GetTunnel(base) == nil {
+		return base
+	}
+	for i := 2; ; i++ {
+		candidate := fmt.Sprintf("%s-%d", base, i)
+		if c.GetTunnel(candidate) == nil {
+			return candidate
+		}
+	}
+}
+
 // AddTunnel adds a tunnel to the config.
 func (c *Config) AddTunnel(t TunnelConfig) {
 	c.mu.Lock()

internal/config/validation.go

@@ -76,6 +76,11 @@ func (c *Config) ValidateNewTunnel(t *TunnelConfig) error {
 	return validateTransportBackend(t.Transport, t.Backend)
 }
 
+// ValidateTagName checks if a tag name is valid.
+func ValidateTagName(tag string) error {
+	return validateTag(tag)
+}
+
 func validateTag(tag string) error {
 	if tag == "" {
 		return fmt.Errorf("tag is required")

internal/dnsrouter/service.go

@@ -9,7 +9,7 @@ import (
 
 const serviceName = "slipgate-dnsrouter"
 
-// CreateRouterService creates the systemd service for the DNS router.
+// CreateRouterService creates and enables the systemd service for the DNS router.
 func CreateRouterService() error {
 	execPath, err := os.Executable()
 	if err != nil {
@@ -26,7 +26,10 @@ func CreateRouterService() error {
 		Restart:     "always",
 	}
 
-	return service.Create(unit)
+	if err := service.Create(unit); err != nil {
+		return err
+	}
+	return service.Start(serviceName)
 }
 
 // StartRouterService starts the DNS router service.

internal/handlers/quick_wizard.go

@@ -224,11 +224,11 @@ func handleQuickWizard(ctx *actions.Context) error {
 
 	for _, s := range allSettings {
 		for _, b := range s.backends {
-			tag := s.transport
+			tag := cfg.UniqueTag(s.transport)
 			tunnelDomain := s.domain
 
 			if s.backend == "both" {
-				tag = s.transport + "-" + b
+				tag = cfg.UniqueTag(s.transport + "-" + b)
 				if b == config.BackendSSH && s.transport != config.TransportNaive {
 					parentDomain := baseDomain(s.domain)
 					sshHint := "ts." + parentDomain

internal/handlers/system_install.go

@@ -131,10 +131,13 @@ func handleSystemInstall(ctx *actions.Context) error {
 		}
 	}
 
-	// Write default config
-	cfg := config.Default()
-	if err := cfg.Save(); err != nil {
-		return actions.NewError(actions.SystemInstall, "failed to write config", err)
+	// Load existing config or create defaults for fresh install
+	cfg, err := config.Load()
+	if err != nil {
+		cfg = config.Default()
+		if err := cfg.Save(); err != nil {
+			return actions.NewError(actions.SystemInstall, "failed to write config", err)
+		}
 	}
 
 	out.Print("")
@@ -189,7 +192,7 @@ func handleSystemInstall(ctx *actions.Context) error {
 				implicitBackend = config.BackendSOCKS
 			}
 
-			tag := selectedTransport
+			tag := cfg.UniqueTag(selectedTransport)
 			tunnel := config.TunnelConfig{
 				Tag:       tag,
 				Transport: selectedTransport,
@@ -275,10 +278,10 @@ func handleSystemInstall(ctx *actions.Context) error {
 		}
 
 			for bIdx, b := range backends {
-			tag := selectedTransport
+			tag := cfg.UniqueTag(selectedTransport)
 			tunnelDomain := domain
 			if backend == "both" {
-				tag = selectedTransport + "-" + b
+				tag = cfg.UniqueTag(selectedTransport + "-" + b)
 				// SSH backend needs its own subdomain (separate dnstt/slipstream instance)
 				if b == config.BackendSSH && selectedTransport != config.TransportNaive {
 					parentDomain := baseDomain(domain)
@@ -625,6 +628,9 @@ func handleSystemInstall(ctx *actions.Context) error {
 	if len(allTunnels) > 0 && allTunnels[0].DNSTT != nil {
 		out.Print(fmt.Sprintf("    Public Key: %s", allTunnels[0].DNSTT.PublicKey))
 		out.Print(fmt.Sprintf("    MTU       : %d", allTunnels[0].DNSTT.MTU))
+	} else if len(allTunnels) > 0 && allTunnels[0].VayDNS != nil {
+		out.Print(fmt.Sprintf("    Public Key: %s", allTunnels[0].VayDNS.PublicKey))
+		out.Print(fmt.Sprintf("    MTU       : %d", allTunnels[0].VayDNS.MTU))
 	}
 
 	out.Print("")

internal/handlers/system_update.go

@@ -62,12 +62,21 @@ func handleSystemUpdate(ctx *actions.Context) error {
 
 		out.Info(fmt.Sprintf("  Updating %s...", name))
 
-		// Remove old binary and re-download
-		os.Remove(binPath)
+		// Backup old binary before replacing so we can restore on failure
+		backupPath := binPath + ".bak"
+		if err := os.Rename(binPath, backupPath); err != nil {
+			out.Warning(fmt.Sprintf("  Failed to backup %s: %v", name, err))
+			continue
+		}
 		if err := binary.EnsureInstalled(name); err != nil {
-			out.Warning(fmt.Sprintf("  Failed to update %s: %v", name, err))
+			// Restore from backup
+			if restoreErr := os.Rename(backupPath, binPath); restoreErr != nil {
+				out.Warning(fmt.Sprintf("  Failed to restore %s backup: %v", name, restoreErr))
+			}
+			out.Warning(fmt.Sprintf("  Failed to update %s: %v (kept old version)", name, err))
 			continue
 		}
+		os.Remove(backupPath)
 		out.Success(fmt.Sprintf("  %s updated", name))
 	}
 
@@ -140,18 +149,7 @@ func handleSystemUpdate(ctx *actions.Context) error {
 		}
 	}
 
-	// Restart infrastructure services first (DNS router needs port 53 before tunnels)
-	for _, svc := range []string{"slipgate-dnsrouter", "slipgate-socks5"} {
-		if service.Exists(svc) {
-			if err := service.Restart(svc); err != nil {
-				out.Warning(fmt.Sprintf("Failed to restart %s: %v", svc, err))
-			} else {
-				out.Success(fmt.Sprintf("  %s restarted", svc))
-			}
-		}
-	}
-
-	// Then regenerate and restart tunnel services
+	// Regenerate and restart tunnel services first
 	for i := range cfg.Tunnels {
 		t := &cfg.Tunnels[i]
 		if t.IsDirectTransport() {
@@ -174,6 +172,18 @@ func handleSystemUpdate(ctx *actions.Context) error {
 		}
 	}
 
+	// Restart infrastructure services last so tunnels are ready when
+	// the DNS router and SOCKS5 proxy come back up
+	for _, svc := range []string{"slipgate-socks5", "slipgate-dnsrouter"} {
+		if service.Exists(svc) {
+			if err := service.Restart(svc); err != nil {
+				out.Warning(fmt.Sprintf("Failed to restart %s: %v", svc, err))
+			} else {
+				out.Success(fmt.Sprintf("  %s restarted", svc))
+			}
+		}
+	}
+
 	out.Print("")
 	out.Success("Update complete!")
 	return nil

internal/handlers/tunnel_add.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/anonvector/slipgate/internal/actions"
 	"github.com/anonvector/slipgate/internal/certs"
@@ -70,6 +71,8 @@ func handleTunnelAdd(ctx *actions.Context) error {
 		backends = []string{config.BackendSOCKS, config.BackendSSH}
 	}
 
+	var failed, succeeded []string
+	var sharedKeyDir string
 	for _, b := range backends {
 		tunnelTag := tag
 		tunnelDomain := domain
@@ -93,15 +96,31 @@ func handleTunnelAdd(ctx *actions.Context) error {
 			}
 		}
 
-		if err := addSingleTunnel(ctx, cfg, transport_, b, tunnelTag, tunnelDomain); err != nil {
+		if err := addSingleTunnel(ctx, cfg, transport_, b, tunnelTag, tunnelDomain, sharedKeyDir); err != nil {
 			out.Warning(fmt.Sprintf("Failed to add %s: %v", tunnelTag, err))
+			failed = append(failed, tunnelTag)
+		} else {
+			succeeded = append(succeeded, tunnelTag)
+			if sharedKeyDir == "" {
+				sharedKeyDir = config.TunnelDir(tunnelTag)
+			}
 		}
 	}
 
+	// Final summary
+	out.Print("")
+	if len(failed) == 0 {
+		out.Success(fmt.Sprintf("All %d tunnel(s) added successfully", len(succeeded)))
+	} else if len(succeeded) == 0 {
+		return actions.NewError(actions.TunnelAdd, fmt.Sprintf("all %d tunnel(s) failed to add", len(failed)), nil)
+	} else {
+		out.Warning(fmt.Sprintf("%d succeeded, %d failed", len(succeeded), len(failed)))
+	}
+
 	return nil
 }
 
-func addSingleTunnel(ctx *actions.Context, cfg *config.Config, transport_, backend, tag, domain string) error {
+func addSingleTunnel(ctx *actions.Context, cfg *config.Config, transport_, backend, tag, domain, sharedKeyDir string) error {
 	out := ctx.Output
 
 	tunnel := config.TunnelConfig{
@@ -147,6 +166,19 @@ func addSingleTunnel(ctx *actions.Context, cfg *config.Config, transport_, backe
 		case privKeyHex != "":
 			out.Info("Importing private key and deriving public key...")
 			pubKey, err = keys.ImportDNSTTKeys(privKeyHex, privKeyPath, pubKeyPath)
+		case sharedKeyDir != "":
+			out.Info("Reusing shared keypair...")
+			if err := copyFile(filepath.Join(sharedKeyDir, "server.key"), privKeyPath); err != nil {
+				return actions.NewError(actions.TunnelAdd, "failed to copy shared private key", err)
+			}
+			if err := copyFile(filepath.Join(sharedKeyDir, "server.pub"), pubKeyPath); err != nil {
+				return actions.NewError(actions.TunnelAdd, "failed to copy shared public key", err)
+			}
+			pubBytes, err := os.ReadFile(pubKeyPath)
+			if err != nil {
+				return actions.NewError(actions.TunnelAdd, "failed to read shared public key", err)
+			}
+			pubKey = strings.TrimSpace(string(pubBytes))
 		default:
 			out.Info("Generating Curve25519 keypair...")
 			pubKey, err = keys.GenerateDNSTTKeys(privKeyPath, pubKeyPath)
@@ -191,6 +223,19 @@ func addSingleTunnel(ctx *actions.Context, cfg *config.Config, transport_, backe
 		case privKeyHex != "":
 			out.Info("Importing private key and deriving public key...")
 			pubKey, err = keys.ImportDNSTTKeys(privKeyHex, privKeyPath, pubKeyPath)
+		case sharedKeyDir != "":
+			out.Info("Reusing shared keypair...")
+			if err := copyFile(filepath.Join(sharedKeyDir, "server.key"), privKeyPath); err != nil {
+				return actions.NewError(actions.TunnelAdd, "failed to copy shared private key", err)
+			}
+			if err := copyFile(filepath.Join(sharedKeyDir, "server.pub"), pubKeyPath); err != nil {
+				return actions.NewError(actions.TunnelAdd, "failed to copy shared public key", err)
+			}
+			pubBytes, err := os.ReadFile(pubKeyPath)
+			if err != nil {
+				return actions.NewError(actions.TunnelAdd, "failed to read shared public key", err)
+			}
+			pubKey = strings.TrimSpace(string(pubBytes))
 		default:
 			out.Info("Generating Curve25519 keypair...")
 			pubKey, err = keys.GenerateDNSTTKeys(privKeyPath, pubKeyPath)

internal/handlers/tunnel_edit.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"fmt"
+	"os"
 	"path/filepath"
 
 	"github.com/anonvector/slipgate/internal/actions"
@@ -32,6 +33,59 @@ func handleTunnelEdit(ctx *actions.Context) error {
 	out.Print(fmt.Sprintf("  Editing tunnel %q (%s/%s)", tag, tunnel.Transport, tunnel.Backend))
 	out.Print(fmt.Sprintf("  Press Enter to keep current value\n"))
 
+	// Tag rename
+	newTag := ctx.GetArg("new-tag")
+	if newTag == "" {
+		var err error
+		newTag, err = prompt.String("Tag", tag)
+		if err != nil {
+			return err
+		}
+	}
+	if newTag != tag {
+		if err := config.ValidateTagName(newTag); err != nil {
+			return actions.NewError(actions.TunnelEdit, "invalid tag name", err)
+		}
+		if cfg.GetTunnel(newTag) != nil {
+			return actions.NewError(actions.TunnelEdit, fmt.Sprintf("tag %q already exists", newTag), nil)
+		}
+
+		// Rename tunnel directory
+		oldDir := config.TunnelDir(tag)
+		newDir := config.TunnelDir(newTag)
+		if _, err := os.Stat(oldDir); err == nil {
+			if err := os.Rename(oldDir, newDir); err != nil {
+				return actions.NewError(actions.TunnelEdit, "failed to rename tunnel directory", err)
+			}
+		}
+
+		// Update key file paths
+		if tunnel.DNSTT != nil {
+			tunnel.DNSTT.PrivateKey = filepath.Join(newDir, "server.key")
+		}
+		if tunnel.VayDNS != nil {
+			tunnel.VayDNS.PrivateKey = filepath.Join(newDir, "server.key")
+		}
+
+		// Stop old systemd service
+		oldSvcName := service.TunnelServiceName(tag)
+		_ = service.Stop(oldSvcName)
+		_ = service.Remove(oldSvcName)
+
+		// Update route references
+		if cfg.Route.Active == tag {
+			cfg.Route.Active = newTag
+		}
+		if cfg.Route.Default == tag {
+			cfg.Route.Default = newTag
+		}
+
+		tunnel.Tag = newTag
+		tag = newTag
+		changed = true
+		out.Success(fmt.Sprintf("Tag renamed to %q", newTag))
+	}
+
 	// Domain (non-direct transports)
 	if !tunnel.IsDirectTransport() {
 		newDomain := ctx.GetArg("domain")