From 4eecb39747affa93a5046c9da5817d8310230e84 Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Tue, 20 Aug 2024 11:16:58 -0500
Subject: [PATCH 1/8] split and add vpn configuration in UI

---
 pkg/rest/router.go                       |   3 +-
 pkg/rest/setup.go                        |  55 ++++-
 pkg/rest/types.go                        |  13 +-
 webapp/src/Routes/Setup/GeneralSetup.tsx | 195 +++++++++++++++++
 webapp/src/Routes/Setup/Setup.tsx        | 257 +++--------------------
 webapp/src/Routes/Setup/VPNSetup.tsx     | 214 +++++++++++++++++++
 6 files changed, 503 insertions(+), 234 deletions(-)
 create mode 100644 webapp/src/Routes/Setup/GeneralSetup.tsx
 create mode 100644 webapp/src/Routes/Setup/VPNSetup.tsx

diff --git a/pkg/rest/router.go b/pkg/rest/router.go
index f10e858..07bbc5c 100644
--- a/pkg/rest/router.go
+++ b/pkg/rest/router.go
@@ -53,7 +53,8 @@ func (c *Context) getRouter(assets fs.FS, indexHtml []byte) *http.ServeMux {
 	mux.Handle("/api/oidc", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.oidcProviderHandler)))))
 	mux.Handle("/api/oidc-renew-tokens", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.oidcRenewTokensHandler)))))
 	mux.Handle("/api/oidc/{id}", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.oidcProviderElementHandler)))))
-	mux.Handle("/api/setup", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.setupHandler)))))
+	mux.Handle("/api/setup/general", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.setupHandler)))))
+	mux.Handle("/api/setup/vpn", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.vpnSetupHandler)))))
 	mux.Handle("/api/scim-setup", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.scimSetupHandler)))))
 	mux.Handle("/api/saml-setup", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.samlSetupHandler)))))
 	mux.Handle("/api/saml-setup/{id}", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.samlSetupElementHandler)))))
diff --git a/pkg/rest/setup.go b/pkg/rest/setup.go
index 1be5cde..06fc9eb 100644
--- a/pkg/rest/setup.go
+++ b/pkg/rest/setup.go
@@ -100,21 +100,14 @@ func (c *Context) contextHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func (c *Context) setupHandler(w http.ResponseWriter, r *http.Request) {
-	vpnConfig, err := wireguard.GetVPNConfig(c.Storage.Client)
-	if err != nil {
-		c.returnError(w, fmt.Errorf("could not get vpn config: %s", err), http.StatusBadRequest)
-		return
-	}
 	switch r.Method {
 	case http.MethodGet:
-		setupRequest := SetupRequest{
+		setupRequest := GeneralSetupRequest{
 			Hostname:               c.Hostname,
 			EnableTLS:              c.EnableTLS,
 			RedirectToHttps:        c.RedirectToHttps,
 			DisableLocalAuth:       c.LocalAuthDisabled,
 			EnableOIDCTokenRenewal: c.EnableOIDCTokenRenewal,
-			Routes:                 strings.Join(vpnConfig.ClientRoutes, ", "),
-			VPNEndpoint:            vpnConfig.Endpoint,
 		}
 		out, err := json.Marshal(setupRequest)
 		if err != nil {
@@ -123,7 +116,7 @@ func (c *Context) setupHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		c.write(w, out)
 	case http.MethodPost:
-		var setupRequest SetupRequest
+		var setupRequest GeneralSetupRequest
 		decoder := json.NewDecoder(r.Body)
 		decoder.Decode(&setupRequest)
 		if c.Hostname != setupRequest.Hostname {
@@ -145,6 +138,50 @@ func (c *Context) setupHandler(w http.ResponseWriter, r *http.Request) {
 			c.EnableOIDCTokenRenewal = setupRequest.EnableOIDCTokenRenewal
 			c.OIDCRenewal.SetEnabled(c.EnableOIDCTokenRenewal)
 		}
+		err := SaveConfig(c)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not save config to disk: %s", err), http.StatusBadRequest)
+			return
+		}
+		out, err := json.Marshal(setupRequest)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not marshal SetupRequest: %s", err), http.StatusBadRequest)
+			return
+		}
+		c.write(w, out)
+	default:
+		c.returnError(w, fmt.Errorf("method not supported"), http.StatusBadRequest)
+	}
+}
+
+func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
+	vpnConfig, err := wireguard.GetVPNConfig(c.Storage.Client)
+	if err != nil {
+		c.returnError(w, fmt.Errorf("could not get vpn config: %s", err), http.StatusBadRequest)
+		return
+	}
+	switch r.Method {
+	case http.MethodGet:
+		setupRequest := VPNSetupRequest{
+			Routes:              strings.Join(vpnConfig.ClientRoutes, ", "),
+			VPNEndpoint:         vpnConfig.Endpoint,
+			AddressRange:        vpnConfig.AddressRange.String(),
+			ClientAddressPrefix: vpnConfig.ClientAddressPrefix,
+			Port:                vpnConfig.Port,
+			ExternalInterface:   vpnConfig.ExternalInterface,
+			Nameservers:         strings.Join(vpnConfig.Nameservers, ","),
+			DisableNAT:          vpnConfig.DisableNAT,
+		}
+		out, err := json.Marshal(setupRequest)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not marshal SetupRequest: %s", err), http.StatusBadRequest)
+			return
+		}
+		c.write(w, out)
+	case http.MethodPost:
+		var setupRequest VPNSetupRequest
+		decoder := json.NewDecoder(r.Body)
+		decoder.Decode(&setupRequest)
 		if strings.Join(vpnConfig.ClientRoutes, ", ") != setupRequest.Routes {
 			networks := strings.Split(setupRequest.Routes, ",")
 			validatedNetworks := []string{}
diff --git a/pkg/rest/types.go b/pkg/rest/types.go
index 67c3578..1131f79 100644
--- a/pkg/rest/types.go
+++ b/pkg/rest/types.go
@@ -93,7 +93,7 @@ type UserInfoResponse struct {
 	UserType string `json:"userType"`
 }
 
-type SetupRequest struct {
+type GeneralSetupRequest struct {
 	Hostname               string `json:"hostname"`
 	EnableTLS              bool   `json:"enableTLS"`
 	RedirectToHttps        bool   `json:"redirectToHttps"`
@@ -103,6 +103,17 @@ type SetupRequest struct {
 	VPNEndpoint            string `json:"vpnEndpoint"`
 }
 
+type VPNSetupRequest struct {
+	Routes              string `json:"routes"`
+	VPNEndpoint         string `json:"vpnEndpoint"`
+	AddressRange        string `json:"addressRange"`
+	ClientAddressPrefix string `json:"clientAddressPrefix"`
+	Port                int    `json:"port"`
+	ExternalInterface   string `json:"externalInterface"`
+	Nameservers         string `json:"nameservers"`
+	DisableNAT          bool   `json:"disableNAT"`
+}
+
 type NewConnectionResponse struct {
 	Name string `json:"name"`
 }
diff --git a/webapp/src/Routes/Setup/GeneralSetup.tsx b/webapp/src/Routes/Setup/GeneralSetup.tsx
new file mode 100644
index 0000000..a19963e
--- /dev/null
+++ b/webapp/src/Routes/Setup/GeneralSetup.tsx
@@ -0,0 +1,195 @@
+import { Text, Checkbox, Container, UnstyledButton, Tooltip, Center, rem, TextInput, Space, Button, Alert } from "@mantine/core";
+import classes from './Setup.module.css';
+import { useEffect, useState } from "react";
+import { IconInfoCircle } from "@tabler/icons-react";
+import { AppSettings } from "../../Constants/Constants";
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { useAuthContext } from "../../Auth/Auth";
+import { useForm } from '@mantine/form';
+import axios, { AxiosError } from "axios";
+
+type GeneralSetupRequest = {
+  hostname: string;
+  enableTLS: boolean;
+  redirectToHttps: boolean;
+  disableLocalAuth: boolean;
+  enableOIDCTokenRenewal: boolean;
+};
+export function GeneralSetup() {
+    const [saved, setSaved] = useState(false)
+    const [saveError, setSaveError] = useState("")
+    const {authInfo} = useAuthContext();
+    const queryClient = useQueryClient()
+    const { isPending, error, data, isSuccess } = useQuery({
+      queryKey: ['general-setup'],
+      queryFn: () =>
+        fetch(AppSettings.url + '/setup/general', {
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": "Bearer " + authInfo.token
+          },
+        }).then((res) => {
+          return res.json()
+          }
+          
+        ),
+    })
+    const form = useForm({
+      mode: 'uncontrolled',
+      initialValues: {
+        hostname: "",
+        enableTLS: false,
+        redirectToHttps: false,
+        disableLocalAuth: false,
+        enableOIDCTokenRenewal: false,
+      },
+    });
+    const alertIcon = <IconInfoCircle />;
+    const setupMutation = useMutation({
+      mutationFn: (setupRequest: GeneralSetupRequest) => {
+        return axios.post(AppSettings.url + '/setup', setupRequest, {
+          headers: {
+              "Authorization": "Bearer " + authInfo.token
+          },
+        })
+      },
+      onSuccess: () => {
+          queryClient.invalidateQueries({ queryKey: ['users'] })
+          setSaved(true)
+      },
+      onError: (error:AxiosError) => {
+          setSaveError("Error: "+ error.message)
+      }
+    })
+
+
+    useEffect(() => {
+      if (isSuccess) {
+        form.setValues({ ...data });
+      }
+    }, [isSuccess]); 
+  
+
+    const hostnameTooltip = (
+      <Tooltip
+        label="The server hostname. This hostname will be use to request Let's encrypt TLS certificates when TLS is enabled"
+        position="top-end"
+        withArrow
+        transitionProps={{ transition: 'pop-bottom-right' }}
+      >
+        <Text component="div" c="dimmed" style={{ cursor: 'help' }}>
+          <Center>
+            <IconInfoCircle style={{ width: rem(18), height: rem(18) }} stroke={1.5} />
+          </Center>
+        </Text>
+      </Tooltip>
+    );
+
+    if(isPending) return "Loading..."
+    if(error) return 'A backend error has occurred: ' + error.message
+
+    return (
+        <Container my={40} size="40rem">
+          {saved ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
+          {saveError !== "" ? saveError : null}
+          <form onSubmit={form.onSubmit((values: GeneralSetupRequest) => setupMutation.mutate(values))}>
+          <TextInput
+          rightSection={hostnameTooltip}
+          label="VPN Server Hostname"
+          placeholder="Hostname"
+          key={form.key('hostname')}
+          {...form.getInputProps('hostname')}
+          />
+          <Space h="md" />
+            <UnstyledButton className={classes.button} onClick={() => form.setFieldValue("enableTLS", !form.getValues().enableTLS )}>
+              <Checkbox
+                tabIndex={-1}
+                size="md"
+                mr="xl"
+                styles={{ input: { cursor: 'pointer' } }}
+                aria-hidden
+                key={form.key('enableTLS')}
+                {...form.getInputProps('enableTLS', { type: 'checkbox' })}
+              />
+              <div>
+                <Text fw={500} mb={7} lh={1}>
+                  Enable TLS (https)
+                </Text>
+                <Text fz="sm" c="dimmed">
+                Enable TLS (https) using Let's Encrypt (recommended)
+                </Text>
+              </div>
+            </UnstyledButton>
+            <Space h="md" />
+            <UnstyledButton className={classes.button} onClick={() => window.location.protocol === "https:" ? form.setFieldValue("redirectToHttps", !form.getValues().redirectToHttps) : null }>
+              <Checkbox
+                tabIndex={-1}
+                size="md"
+                mr="xl"
+                styles={{ input: { cursor: 'pointer' } }}
+                aria-hidden
+                disabled={ window.location.protocol === "https:" ? false : true }
+                key={form.key('redirectToHttps')}
+                {...form.getInputProps('redirectToHttps', { type: 'checkbox' })}
+              />
+              <div>
+                <Text fw={500} mb={7} lh={1}>
+                  Redirect http to https
+                </Text>
+                <Text fz="sm" c="dimmed">
+                  Redirect http requests to https.
+                  Not needed when terminating TLS on an external LoadBalancer.
+                  Can only be enabled once this page is requested through https.
+                </Text>
+              </div>
+            </UnstyledButton>
+            <Space h="md" />
+            <UnstyledButton className={classes.button} onClick={() => form.setFieldValue("disableLocalAuth", !form.getValues().disableLocalAuth )}>
+              <Checkbox
+                tabIndex={-1}
+                size="md"
+                mr="xl"
+                styles={{ input: { cursor: 'pointer' } }}
+                aria-hidden
+                key={form.key('disableLocalAuth')}
+                {...form.getInputProps('disableLocalAuth', { type: 'checkbox' })}
+              />
+              <div>
+                <Text fw={500} mb={7} lh={1}>
+                  Disable local auth
+                </Text>
+                <Text fz="sm" c="dimmed">
+                  Once an OIDC Connection is setup, you can disable local authentication. Make sure to have assigned a new admin role.
+                </Text>
+              </div>
+            </UnstyledButton>
+            <Space h="md" />
+            <UnstyledButton className={classes.button} onClick={() => form.setFieldValue("enableOIDCTokenRenewal", !form.getValues().enableOIDCTokenRenewal )}>
+              <Checkbox
+                tabIndex={-1}
+                size="md"
+                mr="xl"
+                styles={{ input: { cursor: 'pointer' } }}
+                aria-hidden
+                key={form.key('enableOIDCTokenRenewal')}
+                {...form.getInputProps('enableOIDCTokenRenewal', { type: 'checkbox' })}
+              />
+              <div>
+                <Text fw={500} mb={7} lh={1}>
+                  Deactivate a user's VPN connection on OIDC token renewal failure
+                </Text>
+                <Text fz="sm" c="dimmed">
+                  OIDC Tokens can be refreshed when expired.
+                  The OIDC tokens will be renewed, and on renewal failure, the VPN connection of that user will be disabled until the user logs in again.
+                </Text>
+                <Text fz="sm" c="dimmed" style={{marginTop: 5}}>Note: Only use this when SCIM provisioning is not possible in your setup. </Text>
+              </div>
+            </UnstyledButton>
+            <Button type="submit" mt="md">
+              Submit
+            </Button>
+            </form>
+        </Container>
+
+    )
+}
\ No newline at end of file
diff --git a/webapp/src/Routes/Setup/Setup.tsx b/webapp/src/Routes/Setup/Setup.tsx
index 2057366..5ff1f70 100644
--- a/webapp/src/Routes/Setup/Setup.tsx
+++ b/webapp/src/Routes/Setup/Setup.tsx
@@ -1,229 +1,40 @@
-import { Text, Checkbox, Container, Title, UnstyledButton, Tooltip, Center, rem, TextInput, Space, Button, Alert, Divider, InputWrapper } from "@mantine/core";
+import { Container, Tabs, Title, rem } from "@mantine/core";
 import classes from './Setup.module.css';
-import { useEffect, useState } from "react";
-import { IconInfoCircle } from "@tabler/icons-react";
-import { AppSettings } from "../../Constants/Constants";
-import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
-import { useAuthContext } from "../../Auth/Auth";
-import { useForm } from '@mantine/form';
-import axios, { AxiosError } from "axios";
+import { IconFile, IconNetwork, IconSettings } from "@tabler/icons-react";
+import { GeneralSetup } from "./GeneralSetup";
+import { VPNSetup } from "./VPNSetup";
 
-type SetupRequest = {
-  hostname: string;
-  enableTLS: boolean;
-  redirectToHttps: boolean;
-  disableLocalAuth: boolean;
-  enableOIDCTokenRenewal: boolean;
-  routes: string;
-  vpnEndpoint: string;
-};
 export function Setup() {
-    const [saved, setSaved] = useState(false)
-    const [saveError, setSaveError] = useState("")
-    const {authInfo} = useAuthContext();
-    const queryClient = useQueryClient()
-    const { isPending, error, data, isSuccess } = useQuery({
-      queryKey: ['setup'],
-      queryFn: () =>
-        fetch(AppSettings.url + '/setup', {
-          headers: {
-            "Content-Type": "application/json",
-            "Authorization": "Bearer " + authInfo.token
-          },
-        }).then((res) => {
-          return res.json()
-          }
-          
-        ),
-    })
-    const form = useForm({
-      mode: 'uncontrolled',
-      initialValues: {
-        hostname: "",
-        enableTLS: false,
-        redirectToHttps: false,
-        disableLocalAuth: false,
-        enableOIDCTokenRenewal: false,
-        routes: "",
-        vpnEndpoint: "",
-      },
-    });
-    const alertIcon = <IconInfoCircle />;
-    const setupMutation = useMutation({
-      mutationFn: (setupRequest: SetupRequest) => {
-        return axios.post(AppSettings.url + '/setup', setupRequest, {
-          headers: {
-              "Authorization": "Bearer " + authInfo.token
-          },
-        })
-      },
-      onSuccess: () => {
-          queryClient.invalidateQueries({ queryKey: ['users'] })
-          setSaved(true)
-      },
-      onError: (error:AxiosError) => {
-          setSaveError("Error: "+ error.message)
-      }
-    })
+  const iconStyle = { width: rem(12), height: rem(12) };
+  return (
+      <Container my={40}>
 
+        <Title ta="center" className={classes.title} style={{marginBottom: 20}}>
+          VPN Setup
+        </Title>
+        <Tabs defaultValue="general">
+          <Tabs.List grow={true}>
+            <Tabs.Tab value="general" leftSection={<IconSettings style={iconStyle} />}>
+              General
+            </Tabs.Tab>
+            <Tabs.Tab value="vpn" leftSection={<IconNetwork style={iconStyle} />}>
+              VPN
+            </Tabs.Tab>
+            <Tabs.Tab value="templates" leftSection={<IconFile style={iconStyle} />}>
+              Templates
+            </Tabs.Tab>
+          </Tabs.List>
+          <Tabs.Panel value="general" style={{marginTop: 25}}>
+            <GeneralSetup />
+          </Tabs.Panel>
+          <Tabs.Panel value="vpn" style={{marginTop: 25}}>
+            <VPNSetup />
+          </Tabs.Panel>
+          <Tabs.Panel value="templates" style={{marginTop: 25}}>          
+            Templates will go here
+          </Tabs.Panel>
+        </Tabs>
+      </Container>
 
-    useEffect(() => {
-      if (isSuccess) {
-        form.setValues({ ...data });
-      }
-    }, [isSuccess]); 
-  
-
-    const hostnameTooltip = (
-      <Tooltip
-        label="The server hostname. This hostname will be use to request Let's encrypt TLS certificates when TLS is enabled"
-        position="top-end"
-        withArrow
-        transitionProps={{ transition: 'pop-bottom-right' }}
-      >
-        <Text component="div" c="dimmed" style={{ cursor: 'help' }}>
-          <Center>
-            <IconInfoCircle style={{ width: rem(18), height: rem(18) }} stroke={1.5} />
-          </Center>
-        </Text>
-      </Tooltip>
-    );
-
-    if(isPending) return "Loading..."
-    if(error) return 'A backend error has occurred: ' + error.message
-
-    return (
-        <Container my={40} size="40rem">
-          <Title ta="center" className={classes.title}>
-            VPN Server Setup
-          </Title>
-          <Space h="md" />
-          {saved ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
-          {saveError !== "" ? saveError : null}
-          <form onSubmit={form.onSubmit((values: SetupRequest) => setupMutation.mutate(values))}>
-          <TextInput
-          rightSection={hostnameTooltip}
-          label="VPN Server Hostname"
-          placeholder="Hostname"
-          key={form.key('hostname')}
-          {...form.getInputProps('hostname')}
-          />
-          <Space h="md" />
-            <UnstyledButton className={classes.button} onClick={() => form.setFieldValue("enableTLS", !form.getValues().enableTLS )}>
-              <Checkbox
-                tabIndex={-1}
-                size="md"
-                mr="xl"
-                styles={{ input: { cursor: 'pointer' } }}
-                aria-hidden
-                key={form.key('enableTLS')}
-                {...form.getInputProps('enableTLS', { type: 'checkbox' })}
-              />
-              <div>
-                <Text fw={500} mb={7} lh={1}>
-                  Enable TLS (https)
-                </Text>
-                <Text fz="sm" c="dimmed">
-                Enable TLS (https) using Let's Encrypt (recommended)
-                </Text>
-              </div>
-            </UnstyledButton>
-            <Space h="md" />
-            <UnstyledButton className={classes.button} onClick={() => window.location.protocol === "https:" ? form.setFieldValue("redirectToHttps", !form.getValues().redirectToHttps) : null }>
-              <Checkbox
-                tabIndex={-1}
-                size="md"
-                mr="xl"
-                styles={{ input: { cursor: 'pointer' } }}
-                aria-hidden
-                disabled={ window.location.protocol === "https:" ? false : true }
-                key={form.key('redirectToHttps')}
-                {...form.getInputProps('redirectToHttps', { type: 'checkbox' })}
-              />
-              <div>
-                <Text fw={500} mb={7} lh={1}>
-                  Redirect http to https
-                </Text>
-                <Text fz="sm" c="dimmed">
-                  Redirect http requests to https.
-                  Not needed when terminating TLS on an external LoadBalancer.
-                  Can only be enabled once this page is requested through https.
-                </Text>
-              </div>
-            </UnstyledButton>
-            <Space h="md" />
-            <UnstyledButton className={classes.button} onClick={() => form.setFieldValue("disableLocalAuth", !form.getValues().disableLocalAuth )}>
-              <Checkbox
-                tabIndex={-1}
-                size="md"
-                mr="xl"
-                styles={{ input: { cursor: 'pointer' } }}
-                aria-hidden
-                key={form.key('disableLocalAuth')}
-                {...form.getInputProps('disableLocalAuth', { type: 'checkbox' })}
-              />
-              <div>
-                <Text fw={500} mb={7} lh={1}>
-                  Disable local auth
-                </Text>
-                <Text fz="sm" c="dimmed">
-                  Once an OIDC Connection is setup, you can disable local authentication. Make sure to have assigned a new admin role.
-                </Text>
-              </div>
-            </UnstyledButton>
-            <Space h="md" />
-            <UnstyledButton className={classes.button} onClick={() => form.setFieldValue("enableOIDCTokenRenewal", !form.getValues().enableOIDCTokenRenewal )}>
-              <Checkbox
-                tabIndex={-1}
-                size="md"
-                mr="xl"
-                styles={{ input: { cursor: 'pointer' } }}
-                aria-hidden
-                key={form.key('enableOIDCTokenRenewal')}
-                {...form.getInputProps('enableOIDCTokenRenewal', { type: 'checkbox' })}
-              />
-              <div>
-                <Text fw={500} mb={7} lh={1}>
-                  Deactivate a user's VPN connection on OIDC token renewal failure
-                </Text>
-                <Text fz="sm" c="dimmed">
-                  OIDC Tokens can be refreshed when expired.
-                  The OIDC tokens will be renewed, and on renewal failure, the VPN connection of that user will be disabled until the user logs in again.
-                </Text>
-                <Text fz="sm" c="dimmed" style={{marginTop: 5}}>Note: Only use this when SCIM provisioning is not possible in your setup. </Text>
-              </div>
-            </UnstyledButton>
-            <Divider my="md" label="Wireguard® Configuration" labelPosition="center" />
-            <InputWrapper
-              id="input-vpn-endpoint"
-              label="VPN Endpoint to use"
-              description="Clients will connect to this hostname. Usually the same as the VPN Server Hostname above."
-            >
-            <TextInput
-              style={{ marginTop: 5 }}
-              placeholder="hostname"
-              key={form.key('vpnEndpoint')}
-              {...form.getInputProps('vpnEndpoint')}
-              />
-            </InputWrapper>
-            <InputWrapper
-              id="input-route-input"
-              label="VPN Client Routes for clients to use"
-              description="Network address should be comma separated. Enter '0.0.0.0/0, ::/0' to route all traffic."
-              
-            >
-            <TextInput
-              style={{ marginTop: 5 }}
-              placeholder="list of comma separated routes"
-              key={form.key('routes')}
-              {...form.getInputProps('routes')}
-              />
-            </InputWrapper>
-            <Button type="submit" mt="md">
-              Submit
-            </Button>
-            </form>
-        </Container>
-
-    )
+  )
 }
\ No newline at end of file
diff --git a/webapp/src/Routes/Setup/VPNSetup.tsx b/webapp/src/Routes/Setup/VPNSetup.tsx
new file mode 100644
index 0000000..da25f67
--- /dev/null
+++ b/webapp/src/Routes/Setup/VPNSetup.tsx
@@ -0,0 +1,214 @@
+
+import { Container, TextInput, Alert, InputWrapper, Button, Space, UnstyledButton, Checkbox, Text } from "@mantine/core";
+import { useEffect, useState } from "react";
+import classes from './Setup.module.css';
+import { IconInfoCircle } from "@tabler/icons-react";
+import { AppSettings } from "../../Constants/Constants";
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { useAuthContext } from "../../Auth/Auth";
+import { useForm } from '@mantine/form';
+import axios, { AxiosError } from "axios";
+
+type VPNSetupRequest = {
+    routes: string;
+    vpnEndpoint: string;
+    addressRange: string,
+    clientAddressPrefix: string,
+    port: number,
+    externalInterface: string,
+    nameservers: string,
+    disableNAT: boolean,
+};
+export function VPNSetup() {
+    const [saved, setSaved] = useState(false)
+    const [saveError, setSaveError] = useState("")
+    const {authInfo} = useAuthContext();
+    const queryClient = useQueryClient()
+    const { isPending, error, data, isSuccess } = useQuery({
+      queryKey: ['vpn-setup'],
+      queryFn: () =>
+        fetch(AppSettings.url + '/setup/vpn', {
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": "Bearer " + authInfo.token
+          },
+        }).then((res) => {
+          return res.json()
+          }
+          
+        ),
+    })
+    const form = useForm({
+      mode: 'uncontrolled',
+      initialValues: {
+        routes: "",
+        vpnEndpoint: "",
+        addressRange: "",
+        clientAddressPrefix: "",
+        port: 0,
+        externalInterface: "",
+        nameservers: "",
+        disableNAT: false,   
+      },
+    });
+    const setupMutation = useMutation({
+      mutationFn: (setupRequest: VPNSetupRequest) => {
+        return axios.post(AppSettings.url + '/setup', setupRequest, {
+          headers: {
+              "Authorization": "Bearer " + authInfo.token
+          },
+        })
+      },
+      onSuccess: () => {
+          queryClient.invalidateQueries({ queryKey: ['users'] })
+          setSaved(true)
+      },
+      onError: (error:AxiosError) => {
+          setSaveError("Error: "+ error.message)
+      }
+    })
+
+    const alertIcon = <IconInfoCircle />;
+
+    useEffect(() => {
+      if (isSuccess) {
+        form.setValues({ ...data });
+      }
+    }, [isSuccess]); 
+  
+
+    if(isPending) return "Loading..."
+    if(error) return 'A backend error has occurred: ' + error.message
+
+    return (
+        <Container my={40} size="40rem">
+            {saved ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
+            {saveError !== "" ? saveError : null}
+
+            <form onSubmit={form.onSubmit((values: VPNSetupRequest) => setupMutation.mutate(values))}>
+                <InputWrapper
+                id="input-vpn-endpoint"
+                label="VPN Endpoint to use"
+                description="Clients will connect to this hostname. Usually the same as the VPN Server Hostname above."
+                >
+                <TextInput
+                style={{ marginTop: 5 }}
+                placeholder="hostname"
+                key={form.key('vpnEndpoint')}
+                {...form.getInputProps('vpnEndpoint')}
+                />
+                </InputWrapper>
+
+                <InputWrapper
+                id="input-route-input"
+                label="VPN Client Routes for clients to use"
+                description="Network address should be comma separated. Enter '0.0.0.0/0, ::/0' to route all traffic."
+                style={{marginTop: 10}}
+                >
+                <TextInput
+                style={{ marginTop: 5 }}
+                placeholder="list of comma separated routes"
+                key={form.key('routes')}
+                {...form.getInputProps('routes')}
+                />
+                </InputWrapper>
+
+                <InputWrapper
+                id="input-addressrange-input"
+                label="Address range"
+                description="Should be an address range in the format address/prefix. This is the address range that the VPN will use. It needs to be large enough to contain all IP addresses for every client assigned."
+                style={{marginTop: 10}}
+
+                >
+                <TextInput
+                style={{ marginTop: 5 }}
+                placeholder="1.2.3.4/21"
+                key={form.key('addressRange')}
+                {...form.getInputProps('addressRange')}
+                />
+                </InputWrapper>
+
+                <InputWrapper
+                id="input-client-address-prefix-input"
+                label="Client Address Prefix"
+                description="Address prefix for the VPN Client to use. /32 means it'll not be able to communicate to other VPN clients."
+                style={{marginTop: 10}}
+                >
+                <TextInput
+                style={{ marginTop: 5 }}
+                placeholder="/32"
+                key={form.key('clientAddressPrefix')}
+                {...form.getInputProps('clientAddressPrefix')}
+                />
+                </InputWrapper>
+
+                <InputWrapper
+                id="input-port-input"
+                label="VPN Port"
+                description="VPN port to use. 51820 is the default WireGuard® port."
+                style={{marginTop: 10}}
+                >
+                <TextInput
+                style={{ marginTop: 5 }}
+                placeholder="51820"
+                key={form.key('port')}
+                {...form.getInputProps('port')}
+                />
+                </InputWrapper>
+
+                <InputWrapper
+                id="input-external-interface-input"
+                label="External Interface"
+                description="External Interface on the instance to route external VPN traffic over. Auto-detected by using the interface that has 0.0.0.0/0 route assigned."
+                style={{marginTop: 10}}
+                >
+                <TextInput
+                style={{ marginTop: 5 }}
+                placeholder="interface"
+                key={form.key('externalInterface')}
+                {...form.getInputProps('externalInterface')}
+                />
+                </InputWrapper>
+
+                <InputWrapper
+                id="input-nameservers-input"
+                label="Nameservers"
+                description="Nameserver IP address to use in the VPN Client. Comma separated if multiple."
+                style={{marginTop: 10}}
+                >
+                <TextInput
+                style={{ marginTop: 5 }}
+                placeholder="nameserver1, nameserver2"
+                key={form.key('nameservers')}
+                {...form.getInputProps('nameservers')}
+                />
+                </InputWrapper>
+                <Space h="md" />
+                <UnstyledButton className={classes.button} onClick={() => form.setFieldValue("disableNAT", !form.getValues().disableNAT )}>
+                    <Checkbox
+                    tabIndex={-1}
+                    size="md"
+                    mr="xl"
+                    styles={{ input: { cursor: 'pointer' } }}
+                    aria-hidden
+                    key={form.key('disableNAT')}
+                    {...form.getInputProps('disableNAT', { type: 'checkbox' })}
+                    />
+                    <div>
+                    <Text fw={500} mb={7} lh={1}>
+                        Disable NAT
+                    </Text>
+                    <Text fz="sm" c="dimmed">
+                        Packets will be routed to anywhere on the network, using Network Address Translation (NAT). If the VPN clients only need to access the VPN server and not other devices in the network, you can disable NAT.
+                    </Text>
+                    </div>
+                </UnstyledButton>
+
+
+                <Button type="submit" mt="md">
+                Submit
+                </Button>
+            </form>
+        </Container>
+    )
+}
\ No newline at end of file

From 3d3b706137d6b76a58de4be78ac3d2c668690bef Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Tue, 20 Aug 2024 13:58:55 -0500
Subject: [PATCH 2/8] vpn configuration

---
 pkg/rest/setup.go                    | 82 ++++++++++++++++++++++------
 webapp/src/Routes/Setup/VPNSetup.tsx |  4 +-
 2 files changed, 69 insertions(+), 17 deletions(-)

diff --git a/pkg/rest/setup.go b/pkg/rest/setup.go
index 06fc9eb..04b1715 100644
--- a/pkg/rest/setup.go
+++ b/pkg/rest/setup.go
@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
+	"reflect"
 	"strings"
 
 	"github.com/google/uuid"
@@ -179,7 +181,12 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		c.write(w, out)
 	case http.MethodPost:
-		var setupRequest VPNSetupRequest
+		var (
+			writeVPNConfig       bool
+			rewriteClientConfigs bool
+			rewriteServerConfig  bool
+			setupRequest         VPNSetupRequest
+		)
 		decoder := json.NewDecoder(r.Body)
 		decoder.Decode(&setupRequest)
 		if strings.Join(vpnConfig.ClientRoutes, ", ") != setupRequest.Routes {
@@ -196,11 +203,66 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 				}
 			}
 			vpnConfig.ClientRoutes = validatedNetworks
+			writeVPNConfig = true
+			rewriteClientConfigs = true
+		}
+		if vpnConfig.Endpoint != setupRequest.VPNEndpoint {
+			vpnConfig.Endpoint = setupRequest.VPNEndpoint
+			writeVPNConfig = true
+			rewriteClientConfigs = true
+		}
+		addressRangeParsed, err := netip.ParsePrefix(setupRequest.AddressRange)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("AddressRange in wrong format: %s", err), http.StatusBadRequest)
+			return
+		}
+		if addressRangeParsed.String() != vpnConfig.AddressRange.String() {
+			vpnConfig.AddressRange = addressRangeParsed
+			writeVPNConfig = true
+			rewriteClientConfigs = true
+			rewriteServerConfig = true
+		}
+		if setupRequest.ClientAddressPrefix != vpnConfig.ClientAddressPrefix {
+			vpnConfig.ClientAddressPrefix = setupRequest.ClientAddressPrefix
+			writeVPNConfig = true
+			rewriteClientConfigs = true
+		}
+		if setupRequest.Port != vpnConfig.Port {
+			vpnConfig.Port = setupRequest.Port
+			writeVPNConfig = true
+			rewriteClientConfigs = true
+			rewriteServerConfig = true
+		}
+
+		nameservers := strings.Split(setupRequest.Nameservers, ",")
+		for k := range nameservers {
+			nameservers[k] = strings.TrimSpace(nameservers[k])
+		}
+		if !reflect.DeepEqual(nameservers, vpnConfig.Nameservers) {
+			vpnConfig.ExternalInterface = setupRequest.ExternalInterface
+			writeVPNConfig = true
+			rewriteClientConfigs = true
+		}
+		if setupRequest.ExternalInterface != vpnConfig.ExternalInterface { // don't rewrite client config
+			vpnConfig.ExternalInterface = setupRequest.ExternalInterface
+			writeVPNConfig = true
+			rewriteServerConfig = true
+		}
+		if setupRequest.DisableNAT != vpnConfig.DisableNAT { // don't rewrite client config
+			vpnConfig.DisableNAT = setupRequest.DisableNAT
+			writeVPNConfig = true
+			rewriteServerConfig = true
+		}
+
+		// write vpn config if config has changed
+		if writeVPNConfig {
 			err = wireguard.WriteVPNConfig(c.Storage.Client, vpnConfig)
 			if err != nil {
 				c.returnError(w, fmt.Errorf("could write vpn config: %s", err), http.StatusBadRequest)
 				return
 			}
+		}
+		if rewriteClientConfigs {
 			// rewrite client configs
 			err = wireguard.UpdateClientsConfig(c.Storage.Client)
 			if err != nil {
@@ -208,26 +270,14 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 		}
-		if vpnConfig.Endpoint != setupRequest.VPNEndpoint {
-			vpnConfig.Endpoint = setupRequest.VPNEndpoint
-			err = wireguard.WriteVPNConfig(c.Storage.Client, vpnConfig)
-			if err != nil {
-				c.SetupCompleted = false
-				c.returnError(w, fmt.Errorf("unable to write vpn-config: %s", err), http.StatusBadRequest)
-				return
-			}
-			// rewrite client configs
-			err = wireguard.UpdateClientsConfig(c.Storage.Client)
+		if rewriteServerConfig {
+			// rewrite server config
+			err = wireguard.WriteWireGuardServerConfig(c.Storage.Client)
 			if err != nil {
 				c.returnError(w, fmt.Errorf("could not update client vpn configs: %s", err), http.StatusBadRequest)
 				return
 			}
 		}
-		err := SaveConfig(c)
-		if err != nil {
-			c.returnError(w, fmt.Errorf("could not save config to disk: %s", err), http.StatusBadRequest)
-			return
-		}
 		out, err := json.Marshal(setupRequest)
 		if err != nil {
 			c.returnError(w, fmt.Errorf("could not marshal SetupRequest: %s", err), http.StatusBadRequest)
diff --git a/webapp/src/Routes/Setup/VPNSetup.tsx b/webapp/src/Routes/Setup/VPNSetup.tsx
index da25f67..12a0177 100644
--- a/webapp/src/Routes/Setup/VPNSetup.tsx
+++ b/webapp/src/Routes/Setup/VPNSetup.tsx
@@ -82,6 +82,7 @@ export function VPNSetup() {
 
     return (
         <Container my={40} size="40rem">
+            <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload Wireguard" button at the bottom after submitting the changes. This will disconnect active VPN clients.</Alert>
             {saved ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
             {saveError !== "" ? saveError : null}
 
@@ -89,7 +90,8 @@ export function VPNSetup() {
                 <InputWrapper
                 id="input-vpn-endpoint"
                 label="VPN Endpoint to use"
-                description="Clients will connect to this hostname. Usually the same as the VPN Server Hostname above."
+                description="VPN clients will have this hostname configured in their configuration file. Usually the same as the VPN Server Hostname in the general tab."
+                style={{marginTop: 10}}
                 >
                 <TextInput
                 style={{ marginTop: 5 }}

From 574638e7f5d16d51ffded16d068af627f88dbb14 Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Tue, 20 Aug 2024 16:35:53 -0500
Subject: [PATCH 3/8] vpn config, template config

---
 pkg/configmanager/handlers.go             |  20 ++++
 pkg/configmanager/router.go               |   1 +
 pkg/configmanager/start_darwin.go         |   5 +
 pkg/configmanager/start_linux.go          |   4 +
 pkg/rest/router.go                        |   1 +
 pkg/rest/setup.go                         |  98 +++++++++++++++++--
 pkg/rest/types.go                         |   9 +-
 pkg/wireguard/startup.go                  |  19 +++-
 pkg/wireguard/wireguardclientconfig.go    |  29 ++++--
 pkg/wireguard/wireguardserverconfig.go    |  27 +++++-
 webapp/src/Routes/Setup/GeneralSetup.tsx  |  19 +++-
 webapp/src/Routes/Setup/Setup.tsx         |   3 +-
 webapp/src/Routes/Setup/TemplateSetup.tsx | 111 ++++++++++++++++++++++
 webapp/src/Routes/Setup/VPNSetup.tsx      |  27 ++++--
 14 files changed, 337 insertions(+), 36 deletions(-)
 create mode 100644 webapp/src/Routes/Setup/TemplateSetup.tsx

diff --git a/pkg/configmanager/handlers.go b/pkg/configmanager/handlers.go
index fd36f51..351a024 100644
--- a/pkg/configmanager/handlers.go
+++ b/pkg/configmanager/handlers.go
@@ -117,6 +117,26 @@ func (c *ConfigManager) version(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func (c *ConfigManager) restartVpn(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodPost:
+		err := stopVPN(c.Storage)
+		if err != nil { // don't exit, as the VPN might be down already.
+			fmt.Println("========= Warning =========")
+			fmt.Printf("Warning: vpn stop error: %s\n", err)
+			fmt.Println("=========================")
+		}
+		err = startVPN(c.Storage)
+		if err != nil {
+			returnError(w, fmt.Errorf("vpn start error: %s", err), http.StatusBadRequest)
+			return
+		}
+		w.WriteHeader(http.StatusAccepted)
+	default:
+		returnError(w, fmt.Errorf("method not supported"), http.StatusBadRequest)
+	}
+}
+
 func returnError(w http.ResponseWriter, err error, statusCode int) {
 	fmt.Println("========= ERROR =========")
 	fmt.Printf("Error: %s\n", err)
diff --git a/pkg/configmanager/router.go b/pkg/configmanager/router.go
index 662bd3d..59a32d8 100644
--- a/pkg/configmanager/router.go
+++ b/pkg/configmanager/router.go
@@ -8,6 +8,7 @@ func (c *ConfigManager) getRouter() *http.ServeMux {
 	mux.Handle("/pubkey", http.HandlerFunc(c.getPubKey))
 	mux.Handle("/refresh-clients", http.HandlerFunc(c.refreshClients))
 	mux.Handle("/upgrade", http.HandlerFunc(c.upgrade))
+	mux.Handle("/restart-vpn", http.HandlerFunc(c.restartVpn))
 	mux.Handle("/version", http.HandlerFunc(c.version))
 
 	return mux
diff --git a/pkg/configmanager/start_darwin.go b/pkg/configmanager/start_darwin.go
index 963b023..47864ee 100644
--- a/pkg/configmanager/start_darwin.go
+++ b/pkg/configmanager/start_darwin.go
@@ -13,3 +13,8 @@ func startVPN(storage storage.Iface) error {
 	fmt.Printf("Warning: startVPN is not implemented in darwin\n")
 	return nil
 }
+
+func stopVPN(storage storage.Iface) error {
+	fmt.Printf("Warning: startVPN is not implemented in darwin\n")
+	return nil
+}
diff --git a/pkg/configmanager/start_linux.go b/pkg/configmanager/start_linux.go
index c1bbe27..5516755 100644
--- a/pkg/configmanager/start_linux.go
+++ b/pkg/configmanager/start_linux.go
@@ -17,3 +17,7 @@ func startVPN(storage storage.Iface) error {
 	}
 	return wireguard.StartVPN()
 }
+
+func stopVPN(storage storage.Iface) error {
+	return wireguard.StopVPN()
+}
diff --git a/pkg/rest/router.go b/pkg/rest/router.go
index 07bbc5c..2197538 100644
--- a/pkg/rest/router.go
+++ b/pkg/rest/router.go
@@ -55,6 +55,7 @@ func (c *Context) getRouter(assets fs.FS, indexHtml []byte) *http.ServeMux {
 	mux.Handle("/api/oidc/{id}", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.oidcProviderElementHandler)))))
 	mux.Handle("/api/setup/general", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.setupHandler)))))
 	mux.Handle("/api/setup/vpn", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.vpnSetupHandler)))))
+	mux.Handle("/api/setup/templates", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.templateSetupHandler)))))
 	mux.Handle("/api/scim-setup", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.scimSetupHandler)))))
 	mux.Handle("/api/saml-setup", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.samlSetupHandler)))))
 	mux.Handle("/api/saml-setup/{id}", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.samlSetupElementHandler)))))
diff --git a/pkg/rest/setup.go b/pkg/rest/setup.go
index 04b1715..3367e13 100644
--- a/pkg/rest/setup.go
+++ b/pkg/rest/setup.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/netip"
 	"reflect"
+	"strconv"
 	"strings"
 
 	"github.com/google/uuid"
@@ -169,7 +170,7 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 			VPNEndpoint:         vpnConfig.Endpoint,
 			AddressRange:        vpnConfig.AddressRange.String(),
 			ClientAddressPrefix: vpnConfig.ClientAddressPrefix,
-			Port:                vpnConfig.Port,
+			Port:                strconv.Itoa(vpnConfig.Port),
 			ExternalInterface:   vpnConfig.ExternalInterface,
 			Nameservers:         strings.Join(vpnConfig.Nameservers, ","),
 			DisableNAT:          vpnConfig.DisableNAT,
@@ -196,10 +197,12 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 				if strings.TrimSpace(network) == "::/0" {
 					validatedNetworks = append(validatedNetworks, "::/0")
 				} else {
-					_, ipnet, err := net.ParseCIDR(network)
-					if err == nil {
-						validatedNetworks = append(validatedNetworks, ipnet.String())
+					_, ipnet, err := net.ParseCIDR(strings.TrimSpace(network))
+					if err != nil {
+						c.returnError(w, fmt.Errorf("client route %s in wrong format: %s", strings.TrimSpace(network), err), http.StatusBadRequest)
+						return
 					}
+					validatedNetworks = append(validatedNetworks, ipnet.String())
 				}
 			}
 			vpnConfig.ClientRoutes = validatedNetworks
@@ -227,8 +230,13 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 			writeVPNConfig = true
 			rewriteClientConfigs = true
 		}
-		if setupRequest.Port != vpnConfig.Port {
-			vpnConfig.Port = setupRequest.Port
+		port, err := strconv.Atoi(setupRequest.Port)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("port in wrong format: %s", err), http.StatusBadRequest)
+			return
+		}
+		if port != vpnConfig.Port {
+			vpnConfig.Port = port
 			writeVPNConfig = true
 			rewriteClientConfigs = true
 			rewriteServerConfig = true
@@ -239,7 +247,7 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 			nameservers[k] = strings.TrimSpace(nameservers[k])
 		}
 		if !reflect.DeepEqual(nameservers, vpnConfig.Nameservers) {
-			vpnConfig.ExternalInterface = setupRequest.ExternalInterface
+			vpnConfig.Nameservers = nameservers
 			writeVPNConfig = true
 			rewriteClientConfigs = true
 		}
@@ -274,7 +282,7 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 			// rewrite server config
 			err = wireguard.WriteWireGuardServerConfig(c.Storage.Client)
 			if err != nil {
-				c.returnError(w, fmt.Errorf("could not update client vpn configs: %s", err), http.StatusBadRequest)
+				c.returnError(w, fmt.Errorf("could not write wireguard server config: %s", err), http.StatusBadRequest)
 				return
 			}
 		}
@@ -289,6 +297,80 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func (c *Context) templateSetupHandler(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodGet:
+		clientTemplate, err := wireguard.GetClientTemplate(c.Storage.Client)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not retrieve client template: %s", err), http.StatusBadRequest)
+			return
+		}
+		serverTemplate, err := wireguard.GetServerTemplate(c.Storage.Client)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not retrieve server template: %s", err), http.StatusBadRequest)
+			return
+		}
+		setupRequest := TemplateSetupRequest{
+			ClientTemplate: string(clientTemplate),
+			ServerTemplate: string(serverTemplate),
+		}
+		out, err := json.Marshal(setupRequest)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not marshal SetupRequest: %s", err), http.StatusBadRequest)
+			return
+		}
+		c.write(w, out)
+	case http.MethodPost:
+		var templateSetupRequest TemplateSetupRequest
+		decoder := json.NewDecoder(r.Body)
+		decoder.Decode(&templateSetupRequest)
+		clientTemplate, err := wireguard.GetClientTemplate(c.Storage.Client)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not retrieve client template: %s", err), http.StatusBadRequest)
+			return
+		}
+		serverTemplate, err := wireguard.GetServerTemplate(c.Storage.Client)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not retrieve server template: %s", err), http.StatusBadRequest)
+			return
+		}
+		if string(clientTemplate) != templateSetupRequest.ClientTemplate {
+			err = wireguard.WriteClientTemplate(c.Storage.Client, []byte(templateSetupRequest.ClientTemplate))
+			if err != nil {
+				c.returnError(w, fmt.Errorf("WriteClientTemplate error: %s", err), http.StatusBadRequest)
+				return
+			}
+			// rewrite client configs
+			err = wireguard.UpdateClientsConfig(c.Storage.Client)
+			if err != nil {
+				c.returnError(w, fmt.Errorf("could not update client vpn configs: %s", err), http.StatusBadRequest)
+				return
+			}
+		}
+		if string(serverTemplate) != templateSetupRequest.ServerTemplate {
+			err = wireguard.WriteServerTemplate(c.Storage.Client, []byte(templateSetupRequest.ServerTemplate))
+			if err != nil {
+				c.returnError(w, fmt.Errorf("WriteServerTemplate error: %s", err), http.StatusBadRequest)
+				return
+			}
+			// rewrite server config
+			err = wireguard.WriteWireGuardServerConfig(c.Storage.Client)
+			if err != nil {
+				c.returnError(w, fmt.Errorf("could not write wireguard server config: %s", err), http.StatusBadRequest)
+				return
+			}
+		}
+		out, err := json.Marshal(templateSetupRequest)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("could not marshal SetupRequest: %s", err), http.StatusBadRequest)
+			return
+		}
+		c.write(w, out)
+	default:
+		c.returnError(w, fmt.Errorf("method not supported"), http.StatusBadRequest)
+	}
+}
+
 func (c *Context) scimSetupHandler(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case http.MethodGet:
diff --git a/pkg/rest/types.go b/pkg/rest/types.go
index 1131f79..d4287ac 100644
--- a/pkg/rest/types.go
+++ b/pkg/rest/types.go
@@ -99,8 +99,6 @@ type GeneralSetupRequest struct {
 	RedirectToHttps        bool   `json:"redirectToHttps"`
 	DisableLocalAuth       bool   `json:"disableLocalAuth"`
 	EnableOIDCTokenRenewal bool   `json:"enableOIDCTokenRenewal"`
-	Routes                 string `json:"routes"`
-	VPNEndpoint            string `json:"vpnEndpoint"`
 }
 
 type VPNSetupRequest struct {
@@ -108,12 +106,17 @@ type VPNSetupRequest struct {
 	VPNEndpoint         string `json:"vpnEndpoint"`
 	AddressRange        string `json:"addressRange"`
 	ClientAddressPrefix string `json:"clientAddressPrefix"`
-	Port                int    `json:"port"`
+	Port                string `json:"port"`
 	ExternalInterface   string `json:"externalInterface"`
 	Nameservers         string `json:"nameservers"`
 	DisableNAT          bool   `json:"disableNAT"`
 }
 
+type TemplateSetupRequest struct {
+	ClientTemplate string `json:"clientTemplate"`
+	ServerTemplate string `json:"serverTemplate"`
+}
+
 type NewConnectionResponse struct {
 	Name string `json:"name"`
 }
diff --git a/pkg/wireguard/startup.go b/pkg/wireguard/startup.go
index 40f1770..708b7dc 100644
--- a/pkg/wireguard/startup.go
+++ b/pkg/wireguard/startup.go
@@ -14,10 +14,27 @@ func StartVPN() error {
 
 	if err := cmd.Wait(); err != nil {
 		if exiterr, ok := err.(*exec.ExitError); ok {
-			return fmt.Errorf("exit Status: %d", exiterr.ExitCode())
+			return fmt.Errorf("start vpn exit Status: %d", exiterr.ExitCode())
 		} else {
 			return fmt.Errorf("error while waiting for the VPN to start: %v", err)
 		}
 	}
 	return nil
 }
+
+func StopVPN() error {
+	cmd := exec.Command("wg-quick", "down", "vpn")
+
+	if err := cmd.Start(); err != nil {
+		return fmt.Errorf("VPN stop error: %v", err)
+	}
+
+	if err := cmd.Wait(); err != nil {
+		if exiterr, ok := err.(*exec.ExitError); ok {
+			return fmt.Errorf("stop vpn exit Status: %d", exiterr.ExitCode())
+		} else {
+			return fmt.Errorf("error while waiting for the VPN to stop: %v", err)
+		}
+	}
+	return nil
+}
diff --git a/pkg/wireguard/wireguardclientconfig.go b/pkg/wireguard/wireguardclientconfig.go
index 4c7ee49..952b917 100644
--- a/pkg/wireguard/wireguardclientconfig.go
+++ b/pkg/wireguard/wireguardclientconfig.go
@@ -159,9 +159,7 @@ func getPeerConfig(storage storage.Iface, connectionID string) (PeerConfig, erro
 	return peerConfig, nil
 }
 
-func GenerateNewClientConfig(storage storage.Iface, connectionID, userID string) ([]byte, error) {
-	clientConfigMutex.Lock()
-	defer clientConfigMutex.Unlock()
+func GetClientTemplate(storage storage.Iface) ([]byte, error) {
 	filename := storage.ConfigPath("templates/client.tmpl")
 	err := storage.EnsurePath(storage.ConfigPath("templates"))
 	if err != nil {
@@ -173,6 +171,25 @@ func GenerateNewClientConfig(storage storage.Iface, connectionID, userID string)
 			return nil, fmt.Errorf("could not create initial client template: %s", err)
 		}
 	}
+	data, err := storage.ReadFile(filename)
+	if err != nil {
+		return nil, fmt.Errorf("could not read client template: %s", err)
+	}
+	return data, err
+}
+
+func WriteClientTemplate(storage storage.Iface, body []byte) error {
+	filename := storage.ConfigPath("templates/client.tmpl")
+	err := storage.WriteFile(filename, body)
+	if err != nil {
+		return fmt.Errorf("could not write client template: %s", err)
+	}
+	return nil
+}
+
+func GenerateNewClientConfig(storage storage.Iface, connectionID, userID string) ([]byte, error) {
+	clientConfigMutex.Lock()
+	defer clientConfigMutex.Unlock()
 
 	// parse template
 	privateKey, publicKey, err := GenerateKeys()
@@ -208,12 +225,12 @@ func GenerateNewClientConfig(storage storage.Iface, connectionID, userID string)
 		AllowedIPs:      peerConfig.ClientAllowedIPs,
 	}
 
-	templatefileContents, err := storage.ReadFile(filename)
+	templatefileContents, err := GetClientTemplate(storage)
 	if err != nil {
-		return nil, fmt.Errorf("could not read client template: %s", err)
+		return nil, fmt.Errorf("could not get client template: %s", err)
 	}
 
-	tmpl, err := template.New(path.Base(filename)).Funcs(template.FuncMap{"StringsJoin": strings.Join}).Parse(string(templatefileContents))
+	tmpl, err := template.New("client.tmpl").Funcs(template.FuncMap{"StringsJoin": strings.Join}).Parse(string(templatefileContents))
 	if err != nil {
 		return nil, fmt.Errorf("could not parse client template: %s", err)
 	}
diff --git a/pkg/wireguard/wireguardserverconfig.go b/pkg/wireguard/wireguardserverconfig.go
index d06df6f..be0155a 100644
--- a/pkg/wireguard/wireguardserverconfig.go
+++ b/pkg/wireguard/wireguardserverconfig.go
@@ -23,7 +23,7 @@ func WriteWireGuardServerConfig(storage storage.Iface) error {
 	return nil
 }
 
-func generateWireGuardServerConfig(storage storage.Iface) ([]byte, error) {
+func GetServerTemplate(storage storage.Iface) ([]byte, error) {
 	templatefile := storage.ConfigPath(path.Join(WIREGUARD_TEMPLATE_DIR, WIREGUARD_TEMPLATE_SERVER))
 	err := storage.EnsurePath(storage.ConfigPath(WIREGUARD_TEMPLATE_DIR))
 	if err != nil {
@@ -45,6 +45,25 @@ func generateWireGuardServerConfig(storage storage.Iface) ([]byte, error) {
 		}
 	}
 
+	templateContents, err := storage.ReadFile(templatefile)
+	if err != nil {
+		return nil, fmt.Errorf("cannot read template file (%s): %s", templatefile, err)
+	}
+	return templateContents, nil
+}
+
+func WriteServerTemplate(storage storage.Iface, body []byte) error {
+	templatefile := storage.ConfigPath(path.Join(WIREGUARD_TEMPLATE_DIR, WIREGUARD_TEMPLATE_SERVER))
+
+	err := storage.WriteFile(templatefile, body)
+	if err != nil {
+		return fmt.Errorf("could not write template (%s): %s", templatefile, err)
+	}
+
+	return nil
+}
+
+func generateWireGuardServerConfig(storage storage.Iface) ([]byte, error) {
 	vpnConfig, err := GetVPNConfig(storage)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get vpn config: %s", err)
@@ -61,11 +80,11 @@ func generateWireGuardServerConfig(storage storage.Iface) ([]byte, error) {
 		ExternalInterface: vpnConfig.ExternalInterface,
 	}
 
-	templateContents, err := storage.ReadFile(templatefile)
+	templateContents, err := GetServerTemplate(storage)
 	if err != nil {
-		return nil, fmt.Errorf("cannot read template file (%s): %s", templatefile, err)
+		return nil, fmt.Errorf("cannot get template file: %s", err)
 	}
-	tmpl, err := template.New(path.Base(templatefile)).Parse(string(templateContents))
+	tmpl, err := template.New(WIREGUARD_TEMPLATE_SERVER).Parse(string(templateContents))
 	if err != nil {
 		return nil, fmt.Errorf("could not parse client template: %s", err)
 	}
diff --git a/webapp/src/Routes/Setup/GeneralSetup.tsx b/webapp/src/Routes/Setup/GeneralSetup.tsx
index a19963e..ee17276 100644
--- a/webapp/src/Routes/Setup/GeneralSetup.tsx
+++ b/webapp/src/Routes/Setup/GeneralSetup.tsx
@@ -8,6 +8,10 @@ import { useAuthContext } from "../../Auth/Auth";
 import { useForm } from '@mantine/form';
 import axios, { AxiosError } from "axios";
 
+type GeneralSetupError = {
+    error: string;
+}
+
 type GeneralSetupRequest = {
   hostname: string;
   enableTLS: boolean;
@@ -47,7 +51,7 @@ export function GeneralSetup() {
     const alertIcon = <IconInfoCircle />;
     const setupMutation = useMutation({
       mutationFn: (setupRequest: GeneralSetupRequest) => {
-        return axios.post(AppSettings.url + '/setup', setupRequest, {
+        return axios.post(AppSettings.url + '/setup/general', setupRequest, {
           headers: {
               "Authorization": "Bearer " + authInfo.token
           },
@@ -56,9 +60,15 @@ export function GeneralSetup() {
       onSuccess: () => {
           queryClient.invalidateQueries({ queryKey: ['users'] })
           setSaved(true)
+          setSaveError("")
       },
       onError: (error:AxiosError) => {
-          setSaveError("Error: "+ error.message)
+        const errorMessage = error.response?.data as GeneralSetupError
+        if(errorMessage?.error === undefined) {
+            setSaveError("Error: "+ error.message)
+        } else {
+            setSaveError("Error: "+ errorMessage.error)
+        }
       }
     })
 
@@ -90,8 +100,9 @@ export function GeneralSetup() {
 
     return (
         <Container my={40} size="40rem">
-          {saved ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
-          {saveError !== "" ? saveError : null}
+          {saved && saveError === "" ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
+          {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
+
           <form onSubmit={form.onSubmit((values: GeneralSetupRequest) => setupMutation.mutate(values))}>
           <TextInput
           rightSection={hostnameTooltip}
diff --git a/webapp/src/Routes/Setup/Setup.tsx b/webapp/src/Routes/Setup/Setup.tsx
index 5ff1f70..f97e5e3 100644
--- a/webapp/src/Routes/Setup/Setup.tsx
+++ b/webapp/src/Routes/Setup/Setup.tsx
@@ -3,6 +3,7 @@ import classes from './Setup.module.css';
 import { IconFile, IconNetwork, IconSettings } from "@tabler/icons-react";
 import { GeneralSetup } from "./GeneralSetup";
 import { VPNSetup } from "./VPNSetup";
+import { TemplateSetup } from "./TemplateSetup";
 
 export function Setup() {
   const iconStyle = { width: rem(12), height: rem(12) };
@@ -31,7 +32,7 @@ export function Setup() {
             <VPNSetup />
           </Tabs.Panel>
           <Tabs.Panel value="templates" style={{marginTop: 25}}>          
-            Templates will go here
+            <TemplateSetup />
           </Tabs.Panel>
         </Tabs>
       </Container>
diff --git a/webapp/src/Routes/Setup/TemplateSetup.tsx b/webapp/src/Routes/Setup/TemplateSetup.tsx
new file mode 100644
index 0000000..db0486d
--- /dev/null
+++ b/webapp/src/Routes/Setup/TemplateSetup.tsx
@@ -0,0 +1,111 @@
+import { Container, Button, Alert, Textarea, Space } from "@mantine/core";
+import { useEffect, useState } from "react";
+import { IconInfoCircle } from "@tabler/icons-react";
+import { AppSettings } from "../../Constants/Constants";
+import { useMutation, useQuery } from "@tanstack/react-query";
+import { useAuthContext } from "../../Auth/Auth";
+import { useForm } from '@mantine/form';
+import axios, { AxiosError } from "axios";
+
+type TemplateSetupError = {
+    error: string;
+}
+
+type TemplateSetupRequest = {
+   clientTemplate: string;
+   serverTemplate: string;
+};
+export function TemplateSetup() {
+    const [saved, setSaved] = useState(false)
+    const [saveError, setSaveError] = useState("")
+    const {authInfo} = useAuthContext();
+    const { isPending, error, data, isSuccess } = useQuery({
+      queryKey: ['templates-setup'],
+      queryFn: () =>
+        fetch(AppSettings.url + '/setup/templates', {
+          headers: {
+            "Content-Type": "application/json",
+            "Authorization": "Bearer " + authInfo.token
+          },
+        }).then((res) => {
+          return res.json()
+          }
+          
+        ),
+    })
+    const form = useForm({
+      mode: 'uncontrolled',
+      initialValues: {
+        clientTemplate: "",
+        serverTemplate: "",
+      },
+    });
+    const alertIcon = <IconInfoCircle />;
+    const setupMutation = useMutation({
+      mutationFn: (setupRequest: TemplateSetupRequest) => {
+        return axios.post(AppSettings.url + '/setup/templates', setupRequest, {
+          headers: {
+              "Authorization": "Bearer " + authInfo.token
+          },
+        })
+      },
+      onSuccess: () => {
+          setSaved(true)
+          setSaveError("")
+      },
+      onError: (error:AxiosError) => {
+        const errorMessage = error.response?.data as TemplateSetupError
+        if(errorMessage?.error === undefined) {
+            setSaveError("Error: "+ error.message)
+        } else {
+            setSaveError("Error: "+ errorMessage.error)
+        }
+      }
+    })
+
+
+    useEffect(() => {
+      if (isSuccess) {
+        form.setValues({ ...data });
+      }
+    }, [isSuccess]); 
+  
+
+    if(isPending) return "Loading..."
+    if(error) return 'A backend error has occurred: ' + error.message
+
+    return (
+        <Container my={40} size="80rem">
+          <Alert variant="light" color="blue" title="Note" icon={alertIcon}>The template files use the Golang template package (see also <a href="https://pkg.go.dev/text/template" target="_blank">https://pkg.go.dev/text/template</a>).</Alert>
+          <Space h="md" />
+          {saved && saveError === "" ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
+          {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
+
+          <form onSubmit={form.onSubmit((values: TemplateSetupRequest) => setupMutation.mutate(values))}>
+            <Textarea
+                label="VPN Client config template"
+                key={form.key('clientTemplate')}
+                {...form.getInputProps('clientTemplate')}
+                autosize
+                minRows={2}
+                maxRows={20}
+                resize="both"
+            />
+            <Space h="md" />
+            <Textarea
+                label="VPN Server config template"
+                key={form.key('serverTemplate')}
+                {...form.getInputProps('serverTemplate')}
+                autosize
+                minRows={2}
+                maxRows={20}
+                resize="both"
+            />
+            <Button type="submit" mt="md">
+              Save
+            </Button>
+            </form>
+        </Container>
+
+    )
+}
\ No newline at end of file
diff --git a/webapp/src/Routes/Setup/VPNSetup.tsx b/webapp/src/Routes/Setup/VPNSetup.tsx
index 12a0177..c05090a 100644
--- a/webapp/src/Routes/Setup/VPNSetup.tsx
+++ b/webapp/src/Routes/Setup/VPNSetup.tsx
@@ -4,17 +4,22 @@ import { useEffect, useState } from "react";
 import classes from './Setup.module.css';
 import { IconInfoCircle } from "@tabler/icons-react";
 import { AppSettings } from "../../Constants/Constants";
-import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { useMutation, useQuery } from "@tanstack/react-query";
 import { useAuthContext } from "../../Auth/Auth";
 import { useForm } from '@mantine/form';
 import axios, { AxiosError } from "axios";
 
+
+type VPNSetupError = {
+    error: string;
+}
+
 type VPNSetupRequest = {
     routes: string;
     vpnEndpoint: string;
     addressRange: string,
     clientAddressPrefix: string,
-    port: number,
+    port: string,
     externalInterface: string,
     nameservers: string,
     disableNAT: boolean,
@@ -23,7 +28,6 @@ export function VPNSetup() {
     const [saved, setSaved] = useState(false)
     const [saveError, setSaveError] = useState("")
     const {authInfo} = useAuthContext();
-    const queryClient = useQueryClient()
     const { isPending, error, data, isSuccess } = useQuery({
       queryKey: ['vpn-setup'],
       queryFn: () =>
@@ -45,7 +49,7 @@ export function VPNSetup() {
         vpnEndpoint: "",
         addressRange: "",
         clientAddressPrefix: "",
-        port: 0,
+        port: "",
         externalInterface: "",
         nameservers: "",
         disableNAT: false,   
@@ -53,18 +57,23 @@ export function VPNSetup() {
     });
     const setupMutation = useMutation({
       mutationFn: (setupRequest: VPNSetupRequest) => {
-        return axios.post(AppSettings.url + '/setup', setupRequest, {
+        return axios.post(AppSettings.url + '/setup/vpn', setupRequest, {
           headers: {
               "Authorization": "Bearer " + authInfo.token
           },
         })
       },
       onSuccess: () => {
-          queryClient.invalidateQueries({ queryKey: ['users'] })
           setSaved(true)
+          setSaveError("")
       },
       onError: (error:AxiosError) => {
-          setSaveError("Error: "+ error.message)
+        const errorMessage = error.response?.data as VPNSetupError
+        if(errorMessage?.error === undefined) {
+            setSaveError("Error: "+ error.message)
+        } else {
+            setSaveError("Error: "+ errorMessage.error)
+        }      
       }
     })
 
@@ -83,8 +92,8 @@ export function VPNSetup() {
     return (
         <Container my={40} size="40rem">
             <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload Wireguard" button at the bottom after submitting the changes. This will disconnect active VPN clients.</Alert>
-            {saved ? <Alert variant="light" color="green" title="Update!" icon={alertIcon}>Settings Saved!</Alert> : null}
-            {saveError !== "" ? saveError : null}
+            {saved && saveError === "" ? <Alert variant="light" color="green" title="Update!" icon={alertIcon} style={{marginTop: 10}}>Settings Saved!</Alert> : null}
+            {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
 
             <form onSubmit={form.onSubmit((values: VPNSetupRequest) => setupMutation.mutate(values))}>
                 <InputWrapper

From 5c06c14bd1b582cc393258b61df104050c2c16ea Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Tue, 20 Aug 2024 16:54:12 -0500
Subject: [PATCH 4/8] restart vpn

---
 pkg/rest/router.go                  |  1 +
 pkg/rest/setup.go                   | 40 ++++++++++++++++++++++
 webapp/src/Routes/Setup/Restart.tsx | 52 +++++++++++++++++++++++++++++
 webapp/src/Routes/Setup/Setup.tsx   |  9 ++++-
 4 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 webapp/src/Routes/Setup/Restart.tsx

diff --git a/pkg/rest/router.go b/pkg/rest/router.go
index 2197538..9c11787 100644
--- a/pkg/rest/router.go
+++ b/pkg/rest/router.go
@@ -56,6 +56,7 @@ func (c *Context) getRouter(assets fs.FS, indexHtml []byte) *http.ServeMux {
 	mux.Handle("/api/setup/general", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.setupHandler)))))
 	mux.Handle("/api/setup/vpn", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.vpnSetupHandler)))))
 	mux.Handle("/api/setup/templates", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.templateSetupHandler)))))
+	mux.Handle("/api/setup/restart-vpn", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.restartVPNHandler)))))
 	mux.Handle("/api/scim-setup", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.scimSetupHandler)))))
 	mux.Handle("/api/saml-setup", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.samlSetupHandler)))))
 	mux.Handle("/api/saml-setup/{id}", c.authMiddleware(c.injectUserMiddleware(c.isAdminMiddleware(http.HandlerFunc(c.samlSetupElementHandler)))))
diff --git a/pkg/rest/setup.go b/pkg/rest/setup.go
index 3367e13..a754123 100644
--- a/pkg/rest/setup.go
+++ b/pkg/rest/setup.go
@@ -4,12 +4,14 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net"
 	"net/http"
 	"net/netip"
 	"reflect"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/in4it/wireguard-server/pkg/auth/oidc"
@@ -371,6 +373,44 @@ func (c *Context) templateSetupHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func (c *Context) restartVPNHandler(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		c.returnError(w, fmt.Errorf("unsupported method"), http.StatusBadRequest)
+		return
+	}
+	client := http.Client{
+		Timeout: 10 * time.Second,
+	}
+	req, err := http.NewRequest(r.Method, "http://"+wireguard.CONFIGMANAGER_URI+"/restart-vpn", nil)
+	if err != nil {
+		c.returnError(w, fmt.Errorf("restart request error: %s", err), http.StatusBadRequest)
+		return
+	}
+	resp, err := client.Do(req)
+	if err != nil {
+		c.returnError(w, fmt.Errorf("restart error: %s", err), http.StatusBadRequest)
+		return
+	}
+	if resp.StatusCode != http.StatusAccepted {
+		bodyBytes, err := io.ReadAll(resp.Body)
+		if err != nil {
+			c.returnError(w, fmt.Errorf("restart error: got status code: %d. Response: %s", resp.StatusCode, bodyBytes), http.StatusBadRequest)
+			return
+		}
+		c.returnError(w, fmt.Errorf("restart error: got status code: %d. Couldn't get response", resp.StatusCode), http.StatusBadRequest)
+		return
+	}
+
+	defer resp.Body.Close()
+	bodyBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		c.returnError(w, fmt.Errorf("body read error: %s", err), http.StatusBadRequest)
+		return
+	}
+
+	c.write(w, bodyBytes)
+}
+
 func (c *Context) scimSetupHandler(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case http.MethodGet:
diff --git a/webapp/src/Routes/Setup/Restart.tsx b/webapp/src/Routes/Setup/Restart.tsx
new file mode 100644
index 0000000..01f69d9
--- /dev/null
+++ b/webapp/src/Routes/Setup/Restart.tsx
@@ -0,0 +1,52 @@
+import { Container, Button, Alert, Space } from "@mantine/core";
+import { useState } from "react";
+import { IconInfoCircle } from "@tabler/icons-react";
+import { AppSettings } from "../../Constants/Constants";
+import { useMutation } from "@tanstack/react-query";
+import { useAuthContext } from "../../Auth/Auth";
+import axios, { AxiosError } from "axios";
+
+type RestartError = {
+    error: string;
+}
+
+export function Restart() {
+    const [saved, setSaved] = useState(false)
+    const [saveError, setSaveError] = useState("")
+    const {authInfo} = useAuthContext();
+    const alertIcon = <IconInfoCircle />;
+    const setupMutation = useMutation({
+      mutationFn: () => {
+        return axios.post(AppSettings.url + '/setup/restart-vpn', {}, {
+          headers: {
+              "Authorization": "Bearer " + authInfo.token
+          },
+        })
+      },
+      onSuccess: () => {
+          setSaved(true)
+          setSaveError("")
+      },
+      onError: (error:AxiosError) => {
+        const errorMessage = error.response?.data as RestartError
+        if(errorMessage?.error === undefined) {
+            setSaveError("Error: "+ error.message)
+        } else {
+            setSaveError("Error: "+ errorMessage.error)
+        }
+      }
+    })
+  
+    return (
+        <Container my={40} size="80rem">
+          <Alert variant="light" color="blue" title="Note" icon={alertIcon}>This button will reload the WireGuard® Configuration. VPN Clients will be disconnected during the reload. If the configuration has changed, clients might have to download new configuration files (for example if the port or address range has changed). The VPN Server admin UI will not be restarted.</Alert>
+          <Space h="md" />
+          {saved && saveError === "" ? <Alert variant="light" color="green" title="Restarted!" icon={alertIcon}>VPN Restarted!</Alert> : null}
+          {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
+            <Button type="submit" mt="md" onClick={() =>  setupMutation.mutate()}>
+              Reload WireGuard® VPN
+            </Button>
+        </Container>
+
+    )
+}
\ No newline at end of file
diff --git a/webapp/src/Routes/Setup/Setup.tsx b/webapp/src/Routes/Setup/Setup.tsx
index f97e5e3..d21bd88 100644
--- a/webapp/src/Routes/Setup/Setup.tsx
+++ b/webapp/src/Routes/Setup/Setup.tsx
@@ -1,9 +1,10 @@
 import { Container, Tabs, Title, rem } from "@mantine/core";
 import classes from './Setup.module.css';
-import { IconFile, IconNetwork, IconSettings } from "@tabler/icons-react";
+import { IconFile, IconNetwork, IconRestore, IconRewindBackward10, IconSettings } from "@tabler/icons-react";
 import { GeneralSetup } from "./GeneralSetup";
 import { VPNSetup } from "./VPNSetup";
 import { TemplateSetup } from "./TemplateSetup";
+import { Restart } from "./Restart";
 
 export function Setup() {
   const iconStyle = { width: rem(12), height: rem(12) };
@@ -24,6 +25,9 @@ export function Setup() {
             <Tabs.Tab value="templates" leftSection={<IconFile style={iconStyle} />}>
               Templates
             </Tabs.Tab>
+            <Tabs.Tab value="restart" leftSection={<IconRestore style={iconStyle} />}>
+              Restart
+            </Tabs.Tab>
           </Tabs.List>
           <Tabs.Panel value="general" style={{marginTop: 25}}>
             <GeneralSetup />
@@ -34,6 +38,9 @@ export function Setup() {
           <Tabs.Panel value="templates" style={{marginTop: 25}}>          
             <TemplateSetup />
           </Tabs.Panel>
+          <Tabs.Panel value="restart" style={{marginTop: 25}}>          
+            <Restart />
+          </Tabs.Panel>
         </Tabs>
       </Container>
 

From 81e3ddafac8fe4f6669b9ba8225afa8bab7a9551 Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Wed, 21 Aug 2024 11:07:06 -0500
Subject: [PATCH 5/8] version bump

---
 latest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/latest b/latest
index 4f45e65..795460f 100644
--- a/latest
+++ b/latest
@@ -1 +1 @@
-v1.0.41
+v1.1.0

From 26732b169cd66c06c4f3e49b6b8550be3d2026f9 Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Wed, 21 Aug 2024 11:07:27 -0500
Subject: [PATCH 6/8] upgrade version fix, rewrite client config when ip range
 changes

---
 pkg/configmanager/upgrade.go                |   3 +
 pkg/configmanager/upgrade_test.go           |  63 ++++++++++++
 pkg/rest/setup.go                           |  13 ---
 pkg/wireguard/ip.go                         |  13 ++-
 pkg/wireguard/ip_test.go                    |  14 +++
 pkg/wireguard/wireguardclientconfig.go      |  22 ++--
 pkg/wireguard/wireguardclientconfig_test.go | 106 ++++++++++++++++++++
 webapp/src/Routes/Setup/GeneralSetup.tsx    |   2 +
 webapp/src/Routes/Setup/Setup.tsx           |   2 +-
 webapp/src/Routes/Setup/TemplateSetup.tsx   |   5 +-
 webapp/src/Routes/Setup/VPNSetup.tsx        |   7 +-
 11 files changed, 226 insertions(+), 24 deletions(-)

diff --git a/pkg/configmanager/upgrade.go b/pkg/configmanager/upgrade.go
index 19254c1..7cdfc0e 100644
--- a/pkg/configmanager/upgrade.go
+++ b/pkg/configmanager/upgrade.go
@@ -42,6 +42,9 @@ func newVersionAvailable() (bool, string, error) {
 			if i1 > i2 {
 				return true, latestVersion, nil
 			}
+			if i1 < i2 {
+				return false, latestVersion, nil
+			}
 		}
 	}
 	return false, latestVersion, nil
diff --git a/pkg/configmanager/upgrade_test.go b/pkg/configmanager/upgrade_test.go
index 3724bb4..bcc5f18 100644
--- a/pkg/configmanager/upgrade_test.go
+++ b/pkg/configmanager/upgrade_test.go
@@ -145,3 +145,66 @@ func TestNewVersionAvailableBogus2(t *testing.T) {
 		t.Fatalf("expected new version not to be available: %s", version)
 	}
 }
+func TestNewVersionAvailableHigherVersionMajor(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if req.URL.RequestURI() == "/latest" {
+			currentVersionSplit := strings.Split(getVersion(), ".")
+			if len(currentVersionSplit) != 3 {
+				t.Fatalf("unsupported current version: %s", getVersion())
+			}
+			i, err := strconv.Atoi(currentVersionSplit[1])
+			if err != nil {
+				t.Fatalf("unsupported current version: %s", getVersion())
+			}
+			i++
+			newVersion := strings.Join([]string{currentVersionSplit[0], strconv.Itoa(i), "0"}, ".")
+			w.Write([]byte(newVersion))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+
+	defer server.Close()
+
+	BINARIES_URL = server.URL
+
+	available, version, err := newVersionAvailable()
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
+	if !available {
+		t.Fatalf("expected new version expected to be available: %s", version)
+	}
+}
+
+func TestNewVersionNotAvailableHigherVersionMajor(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		if req.URL.RequestURI() == "/latest" {
+			currentVersionSplit := strings.Split(getVersion(), ".")
+			if len(currentVersionSplit) != 3 {
+				t.Fatalf("unsupported current version: %s", getVersion())
+			}
+			i, err := strconv.Atoi(currentVersionSplit[1])
+			if err != nil {
+				t.Fatalf("unsupported current version: %s", getVersion())
+			}
+			i--
+			newVersion := strings.Join([]string{currentVersionSplit[0], strconv.Itoa(i), "99"}, ".")
+			w.Write([]byte(newVersion))
+			return
+		}
+		w.WriteHeader(http.StatusNotFound)
+	}))
+
+	defer server.Close()
+
+	BINARIES_URL = server.URL
+
+	available, version, err := newVersionAvailable()
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
+	if available {
+		t.Fatalf("expected new version expected not to be available: %s (current version: %s)", version, getVersion())
+	}
+}
diff --git a/pkg/rest/setup.go b/pkg/rest/setup.go
index a754123..844b3d8 100644
--- a/pkg/rest/setup.go
+++ b/pkg/rest/setup.go
@@ -187,7 +187,6 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 		var (
 			writeVPNConfig       bool
 			rewriteClientConfigs bool
-			rewriteServerConfig  bool
 			setupRequest         VPNSetupRequest
 		)
 		decoder := json.NewDecoder(r.Body)
@@ -225,7 +224,6 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 			vpnConfig.AddressRange = addressRangeParsed
 			writeVPNConfig = true
 			rewriteClientConfigs = true
-			rewriteServerConfig = true
 		}
 		if setupRequest.ClientAddressPrefix != vpnConfig.ClientAddressPrefix {
 			vpnConfig.ClientAddressPrefix = setupRequest.ClientAddressPrefix
@@ -241,7 +239,6 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 			vpnConfig.Port = port
 			writeVPNConfig = true
 			rewriteClientConfigs = true
-			rewriteServerConfig = true
 		}
 
 		nameservers := strings.Split(setupRequest.Nameservers, ",")
@@ -256,12 +253,10 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 		if setupRequest.ExternalInterface != vpnConfig.ExternalInterface { // don't rewrite client config
 			vpnConfig.ExternalInterface = setupRequest.ExternalInterface
 			writeVPNConfig = true
-			rewriteServerConfig = true
 		}
 		if setupRequest.DisableNAT != vpnConfig.DisableNAT { // don't rewrite client config
 			vpnConfig.DisableNAT = setupRequest.DisableNAT
 			writeVPNConfig = true
-			rewriteServerConfig = true
 		}
 
 		// write vpn config if config has changed
@@ -280,14 +275,6 @@ func (c *Context) vpnSetupHandler(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 		}
-		if rewriteServerConfig {
-			// rewrite server config
-			err = wireguard.WriteWireGuardServerConfig(c.Storage.Client)
-			if err != nil {
-				c.returnError(w, fmt.Errorf("could not write wireguard server config: %s", err), http.StatusBadRequest)
-				return
-			}
-		}
 		out, err := json.Marshal(setupRequest)
 		if err != nil {
 			c.returnError(w, fmt.Errorf("could not marshal SetupRequest: %s", err), http.StatusBadRequest)
diff --git a/pkg/wireguard/ip.go b/pkg/wireguard/ip.go
index 18f6839..585561b 100644
--- a/pkg/wireguard/ip.go
+++ b/pkg/wireguard/ip.go
@@ -4,13 +4,15 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"net/netip"
 	"path"
 
 	"github.com/in4it/wireguard-server/pkg/storage"
 )
 
-func getNextFreeIP(storage storage.Iface, startIP net.IP) (net.IP, error) {
+func getNextFreeIP(storage storage.Iface, addressRange netip.Prefix) (net.IP, error) {
 	ipList := []string{}
+	startIP := net.IP(addressRange.Addr().AsSlice())
 
 	clients, err := storage.ReadDir(storage.ConfigPath(VPN_CLIENTS_DIR))
 	if err != nil {
@@ -38,6 +40,15 @@ func getNextFreeIP(storage storage.Iface, startIP net.IP) (net.IP, error) {
 		return nil, fmt.Errorf("getNextFreeIPFromList error: %s", err)
 	}
 
+	newIPAddress, err := netip.ParseAddr(newIP.String())
+	if err != nil {
+		return nil, fmt.Errorf("couldn't parse newIP: %s", newIP.String())
+	}
+
+	if !addressRange.Contains(newIPAddress) {
+		return nil, fmt.Errorf("newly allocated IP (%s) is not within address range (%s). Address Range might be too small", newIPAddress.String(), addressRange.String())
+	}
+
 	return newIP, nil
 }
 func getNextFreeIPFromList(startIP net.IP, ipList []string) (net.IP, error) {
diff --git a/pkg/wireguard/ip_test.go b/pkg/wireguard/ip_test.go
index 029a35c..e0ee122 100644
--- a/pkg/wireguard/ip_test.go
+++ b/pkg/wireguard/ip_test.go
@@ -18,3 +18,17 @@ func TestGetNextFreeIPFromLisWithList(t *testing.T) {
 		t.Fatalf("Wrong IP: %s", nextIP)
 	}
 }
+
+func TestGetNextFreeIPFromLisWithList2(t *testing.T) {
+	startIP, _, err := net.ParseCIDR("10.189.184.1/21")
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
+	nextIP, err := getNextFreeIPFromList(startIP, []string{"10.190.190.2", "10.189.184.2", "10.190.190.3"})
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
+	if nextIP.String() != "10.189.184.3" {
+		t.Fatalf("Wrong IP: %s", nextIP)
+	}
+}
diff --git a/pkg/wireguard/wireguardclientconfig.go b/pkg/wireguard/wireguardclientconfig.go
index 952b917..bbf5c5b 100644
--- a/pkg/wireguard/wireguardclientconfig.go
+++ b/pkg/wireguard/wireguardclientconfig.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"path"
 	"slices"
 	"strconv"
@@ -49,12 +50,7 @@ func NewEmptyClientConfig(storage storage.Iface, userID string) (PeerConfig, err
 	}
 
 	// get next IP address, write in client file
-	addressRangeSplit := strings.Split(vpnConfig.AddressRange.String(), "/")
-	firstIP := net.ParseIP(addressRangeSplit[0])
-	if firstIP == nil {
-		return PeerConfig{}, fmt.Errorf("couldn't determine address range from vpn setup")
-	}
-	nextFreeIP, err := getNextFreeIP(storage, firstIP)
+	nextFreeIP, err := getNextFreeIP(storage, vpnConfig.AddressRange)
 	if err != nil {
 		return PeerConfig{}, fmt.Errorf("getNextFreeIP error: %s", err)
 	}
@@ -130,6 +126,20 @@ func UpdateClientsConfig(storage storage.Iface) error {
 			peerConfig.DNS = strings.Join(vpnConfig.Nameservers, ", ")
 		}
 
+		addressParsed, err := netip.ParsePrefix(peerConfig.Address)
+		if err != nil {
+			return fmt.Errorf("couldn't parse existing address of vpn config %s", clientFilename)
+		}
+		if !vpnConfig.AddressRange.Contains(addressParsed.Addr()) { // client IP address is not in address range (address range might have changed)
+			nextFreeIP, err := getNextFreeIP(storage, vpnConfig.AddressRange)
+			if err != nil {
+				return fmt.Errorf("getNextFreeIP error: %s", err)
+			}
+			peerConfig.Address = nextFreeIP.String() + vpnConfig.ClientAddressPrefix
+			peerConfig.ServerAllowedIPs = []string{nextFreeIP.String() + "/32"}
+			rewriteFile = true
+		}
+
 		if rewriteFile {
 			peerConfigOut, err := json.Marshal(peerConfig)
 			if err != nil {
diff --git a/pkg/wireguard/wireguardclientconfig_test.go b/pkg/wireguard/wireguardclientconfig_test.go
index 3e2c159..2371e9f 100644
--- a/pkg/wireguard/wireguardclientconfig_test.go
+++ b/pkg/wireguard/wireguardclientconfig_test.go
@@ -581,3 +581,109 @@ func TestUpdateClientConfig(t *testing.T) {
 	}
 
 }
+
+func TestUpdateClientConfigNewAddressRange(t *testing.T) {
+	var (
+		l   net.Listener
+		err error
+	)
+	for {
+		l, err = net.Listen("tcp", CONFIGMANAGER_URI)
+		if err != nil {
+			if !strings.HasSuffix(err.Error(), "address already in use") {
+				t.Fatal(err)
+			}
+			time.Sleep(1 * time.Second)
+		} else {
+			break
+		}
+	}
+
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case http.MethodPost:
+			if r.RequestURI == "/refresh-clients" {
+				w.WriteHeader(http.StatusAccepted)
+				w.Write([]byte("OK"))
+				return
+			}
+			w.WriteHeader(http.StatusBadRequest)
+		default:
+			w.WriteHeader(http.StatusBadRequest)
+		}
+	}))
+
+	ts.Listener.Close()
+	ts.Listener = l
+	ts.Start()
+	defer ts.Close()
+	defer l.Close()
+
+	storage := &testingmocks.MockMemoryStorage{}
+
+	// first create a new vpn config
+	vpnconfig, err := CreateNewVPNConfig(storage)
+	if err != nil {
+		t.Fatalf("CreateNewVPNConfig error: %s", err)
+	}
+	prefix, err := netip.ParsePrefix(DEFAULT_VPN_PREFIX)
+	if err != nil {
+		t.Errorf("ParsePrefix error: %s", err)
+	}
+	if vpnconfig.AddressRange.String() != prefix.String() {
+		t.Fatalf("wrong AddressRange: %s vs %s", vpnconfig.AddressRange.String(), prefix.String())
+	}
+	// generate the peerconfig
+	peerConfig, err := NewEmptyClientConfig(storage, "2-2-2-2")
+	if err != nil {
+		t.Fatalf("NewEmptyClientConfig error: %s", err)
+	}
+
+	if peerConfig.ClientAllowedIPs[0] != "0.0.0.0/0" {
+		t.Fatalf("wrong client allowed ips")
+	}
+
+	newClientRoutes := []string{"1.2.3.4/32"}
+	vpnconfig.ClientRoutes = newClientRoutes
+	vpnconfig.AddressRange, err = netip.ParsePrefix("10.190.190.1/21")
+	if err != nil {
+		t.Fatalf("can't parse new ip range")
+	}
+	err = WriteVPNConfig(storage, vpnconfig)
+	if err != nil {
+		t.Fatalf("WriteVPNConfig error: %s", err)
+	}
+	err = UpdateClientsConfig(storage)
+	if err != nil {
+		t.Fatalf("UpdateClientsConfig error: %s", err)
+	}
+
+	peerConfigCurrent, err := getPeerConfig(storage, "2-2-2-2-1")
+	if err != nil {
+		t.Fatalf("getPeerConfig error: %s", err)
+	}
+
+	if peerConfigCurrent.ServerAllowedIPs[0] != "10.190.190.2/32" {
+		t.Fatalf("expected different server allowed IP. Got: %s", strings.Join(peerConfigCurrent.ServerAllowedIPs, ", "))
+	}
+	if peerConfigCurrent.Address != "10.190.190.2/32" {
+		t.Fatalf("expected different client config address. Got: %s", peerConfigCurrent.Address)
+	}
+
+	peerConfig, err = NewEmptyClientConfig(storage, "2-2-2-2")
+	if err != nil {
+		t.Fatalf("NewEmptyClientConfig error: %s", err)
+	}
+
+	if peerConfig.ClientAllowedIPs[0] != "1.2.3.4/32" {
+		t.Fatalf("wrong client allowed ips")
+	}
+
+	if peerConfig.ServerAllowedIPs[0] != "10.190.190.3/32" {
+		t.Fatalf("expected different server allowed IP. Got: %s", strings.Join(peerConfig.ServerAllowedIPs, ", "))
+	}
+	if peerConfig.Address != "10.190.190.3/32" {
+		t.Fatalf("expected different client config address. Got: %s", peerConfig.Address)
+	}
+
+}
diff --git a/webapp/src/Routes/Setup/GeneralSetup.tsx b/webapp/src/Routes/Setup/GeneralSetup.tsx
index ee17276..95e84e0 100644
--- a/webapp/src/Routes/Setup/GeneralSetup.tsx
+++ b/webapp/src/Routes/Setup/GeneralSetup.tsx
@@ -59,8 +59,10 @@ export function GeneralSetup() {
       },
       onSuccess: () => {
           queryClient.invalidateQueries({ queryKey: ['users'] })
+          queryClient.invalidateQueries({ queryKey: ['general-setup'] })
           setSaved(true)
           setSaveError("")
+          window.scrollTo(0, 0)
       },
       onError: (error:AxiosError) => {
         const errorMessage = error.response?.data as GeneralSetupError
diff --git a/webapp/src/Routes/Setup/Setup.tsx b/webapp/src/Routes/Setup/Setup.tsx
index d21bd88..54c236a 100644
--- a/webapp/src/Routes/Setup/Setup.tsx
+++ b/webapp/src/Routes/Setup/Setup.tsx
@@ -1,6 +1,6 @@
 import { Container, Tabs, Title, rem } from "@mantine/core";
 import classes from './Setup.module.css';
-import { IconFile, IconNetwork, IconRestore, IconRewindBackward10, IconSettings } from "@tabler/icons-react";
+import { IconFile, IconNetwork, IconRestore, IconSettings } from "@tabler/icons-react";
 import { GeneralSetup } from "./GeneralSetup";
 import { VPNSetup } from "./VPNSetup";
 import { TemplateSetup } from "./TemplateSetup";
diff --git a/webapp/src/Routes/Setup/TemplateSetup.tsx b/webapp/src/Routes/Setup/TemplateSetup.tsx
index db0486d..243ef01 100644
--- a/webapp/src/Routes/Setup/TemplateSetup.tsx
+++ b/webapp/src/Routes/Setup/TemplateSetup.tsx
@@ -2,7 +2,7 @@ import { Container, Button, Alert, Textarea, Space } from "@mantine/core";
 import { useEffect, useState } from "react";
 import { IconInfoCircle } from "@tabler/icons-react";
 import { AppSettings } from "../../Constants/Constants";
-import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { useAuthContext } from "../../Auth/Auth";
 import { useForm } from '@mantine/form';
 import axios, { AxiosError } from "axios";
@@ -19,6 +19,7 @@ export function TemplateSetup() {
     const [saved, setSaved] = useState(false)
     const [saveError, setSaveError] = useState("")
     const {authInfo} = useAuthContext();
+    const queryClient = useQueryClient()
     const { isPending, error, data, isSuccess } = useQuery({
       queryKey: ['templates-setup'],
       queryFn: () =>
@@ -52,6 +53,8 @@ export function TemplateSetup() {
       onSuccess: () => {
           setSaved(true)
           setSaveError("")
+          queryClient.invalidateQueries({ queryKey: ['templates-setup'] })
+          window.scrollTo(0, 0)
       },
       onError: (error:AxiosError) => {
         const errorMessage = error.response?.data as TemplateSetupError
diff --git a/webapp/src/Routes/Setup/VPNSetup.tsx b/webapp/src/Routes/Setup/VPNSetup.tsx
index c05090a..14b78d4 100644
--- a/webapp/src/Routes/Setup/VPNSetup.tsx
+++ b/webapp/src/Routes/Setup/VPNSetup.tsx
@@ -4,7 +4,7 @@ import { useEffect, useState } from "react";
 import classes from './Setup.module.css';
 import { IconInfoCircle } from "@tabler/icons-react";
 import { AppSettings } from "../../Constants/Constants";
-import { useMutation, useQuery } from "@tanstack/react-query";
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { useAuthContext } from "../../Auth/Auth";
 import { useForm } from '@mantine/form';
 import axios, { AxiosError } from "axios";
@@ -28,6 +28,7 @@ export function VPNSetup() {
     const [saved, setSaved] = useState(false)
     const [saveError, setSaveError] = useState("")
     const {authInfo} = useAuthContext();
+    const queryClient = useQueryClient()
     const { isPending, error, data, isSuccess } = useQuery({
       queryKey: ['vpn-setup'],
       queryFn: () =>
@@ -66,6 +67,8 @@ export function VPNSetup() {
       onSuccess: () => {
           setSaved(true)
           setSaveError("")
+          queryClient.invalidateQueries({ queryKey: ['vpn-setup'] })
+          window.scrollTo(0, 0)
       },
       onError: (error:AxiosError) => {
         const errorMessage = error.response?.data as VPNSetupError
@@ -91,7 +94,7 @@ export function VPNSetup() {
 
     return (
         <Container my={40} size="40rem">
-            <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload Wireguard" button at the bottom after submitting the changes. This will disconnect active VPN clients.</Alert>
+            <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload Wireguard" button at the bottom after submitting the changes. This will disconnect active VPN clients, and if the Address Range or Port is changed, all clients will need to download a new VPN Config.</Alert>
             {saved && saveError === "" ? <Alert variant="light" color="green" title="Update!" icon={alertIcon} style={{marginTop: 10}}>Settings Saved!</Alert> : null}
             {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
 

From a54e3c44cd0d5e8d8e7e50ab98a0ab245f3db8ce Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Wed, 21 Aug 2024 16:08:44 -0500
Subject: [PATCH 7/8] ensure next IP work with ranges, ensureclients are loaded
 after restart

---
 pkg/configmanager/handlers.go               |   5 +
 pkg/rest/setup.go                           |   6 --
 pkg/wireguard/ip.go                         |  49 +++++----
 pkg/wireguard/ip_test.go                    |  72 ++++++++++++-
 pkg/wireguard/wireguardclientconfig.go      |  11 +-
 pkg/wireguard/wireguardclientconfig_test.go | 106 +++++++++++++++++++-
 webapp/src/Routes/Setup/Restart.tsx         |   5 +-
 webapp/src/Routes/Setup/TemplateSetup.tsx   |   2 +-
 webapp/src/Routes/Setup/VPNSetup.tsx        |   6 +-
 webapp/src/Routes/Users/Users.tsx           |   2 +-
 10 files changed, 223 insertions(+), 41 deletions(-)

diff --git a/pkg/configmanager/handlers.go b/pkg/configmanager/handlers.go
index 351a024..2b8edba 100644
--- a/pkg/configmanager/handlers.go
+++ b/pkg/configmanager/handlers.go
@@ -131,6 +131,11 @@ func (c *ConfigManager) restartVpn(w http.ResponseWriter, r *http.Request) {
 			returnError(w, fmt.Errorf("vpn start error: %s", err), http.StatusBadRequest)
 			return
 		}
+		err = refreshAllClientsAndServer(c.Storage)
+		if err != nil {
+			returnError(w, fmt.Errorf("could not refresh all clients: %s", err), http.StatusBadRequest)
+			return
+		}
 		w.WriteHeader(http.StatusAccepted)
 	default:
 		returnError(w, fmt.Errorf("method not supported"), http.StatusBadRequest)
diff --git a/pkg/rest/setup.go b/pkg/rest/setup.go
index 844b3d8..236c1c9 100644
--- a/pkg/rest/setup.go
+++ b/pkg/rest/setup.go
@@ -342,12 +342,6 @@ func (c *Context) templateSetupHandler(w http.ResponseWriter, r *http.Request) {
 				c.returnError(w, fmt.Errorf("WriteServerTemplate error: %s", err), http.StatusBadRequest)
 				return
 			}
-			// rewrite server config
-			err = wireguard.WriteWireGuardServerConfig(c.Storage.Client)
-			if err != nil {
-				c.returnError(w, fmt.Errorf("could not write wireguard server config: %s", err), http.StatusBadRequest)
-				return
-			}
 		}
 		out, err := json.Marshal(templateSetupRequest)
 		if err != nil {
diff --git a/pkg/wireguard/ip.go b/pkg/wireguard/ip.go
index 585561b..3def8ad 100644
--- a/pkg/wireguard/ip.go
+++ b/pkg/wireguard/ip.go
@@ -6,13 +6,17 @@ import (
 	"net"
 	"net/netip"
 	"path"
+	"strings"
 
 	"github.com/in4it/wireguard-server/pkg/storage"
 )
 
-func getNextFreeIP(storage storage.Iface, addressRange netip.Prefix) (net.IP, error) {
+func getNextFreeIP(storage storage.Iface, addressRange netip.Prefix, addressPrefix string) (net.IP, error) {
 	ipList := []string{}
-	startIP := net.IP(addressRange.Addr().AsSlice())
+	startIP, addressRangeParsed, err := net.ParseCIDR(addressRange.String())
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse address range: %s: %s", addressRange, err)
+	}
 
 	clients, err := storage.ReadDir(storage.ConfigPath(VPN_CLIENTS_DIR))
 	if err != nil {
@@ -28,43 +32,48 @@ func getNextFreeIP(storage storage.Iface, addressRange netip.Prefix) (net.IP, er
 		if err != nil {
 			return nil, fmt.Errorf("cannot unmarshal %s: %s", clientFilename, err)
 		}
-		peerConfigAddress, _, err := net.ParseCIDR(peerConfig.Address)
-		if err != nil {
-			return nil, fmt.Errorf("could not parse peer config address %s: %s", peerConfig.Address, err)
-		}
-		ipList = append(ipList, peerConfigAddress.String())
+		ipList = append(ipList, peerConfig.Address)
 	}
 
-	newIP, err := getNextFreeIPFromList(startIP, ipList)
+	newIP, err := getNextFreeIPFromList(startIP, addressRangeParsed, ipList, addressPrefix)
 	if err != nil {
 		return nil, fmt.Errorf("getNextFreeIPFromList error: %s", err)
 	}
 
-	newIPAddress, err := netip.ParseAddr(newIP.String())
-	if err != nil {
-		return nil, fmt.Errorf("couldn't parse newIP: %s", newIP.String())
-	}
-
-	if !addressRange.Contains(newIPAddress) {
-		return nil, fmt.Errorf("newly allocated IP (%s) is not within address range (%s). Address Range might be too small", newIPAddress.String(), addressRange.String())
-	}
-
 	return newIP, nil
 }
-func getNextFreeIPFromList(startIP net.IP, ipList []string) (net.IP, error) {
+func getNextFreeIPFromList(startIP net.IP, addressRange *net.IPNet, ipList []string, addressPrefix string) (net.IP, error) {
 	nextIPAddress := startIP
 	for i := 0; i < 100000; i++ {
 		nextIPAddress = nextIP(nextIPAddress, 1)
 		ipExists := false
 		for _, ip := range ipList {
-			if nextIPAddress.String() == ip {
+			ipRange := ip
+			if !strings.Contains(ip, "/") {
+				ipRange += addressPrefix
+			}
+			_, ipRangeParsed, err := net.ParseCIDR(ipRange)
+			if err != nil {
+				return nil, fmt.Errorf("cannot parse IP address: %s (ip range %s)", ip, ipRange)
+			}
+			if ipRangeParsed.Contains(nextIPAddress) {
 				ipExists = true
 			}
 		}
 		if !ipExists {
-			return nextIPAddress, nil
+			if !addressRange.Contains(nextIPAddress) {
+				return nil, fmt.Errorf("next IP (%s) is not within address range (%s). Address Range might be too small", nextIPAddress.String(), addressRange.String())
+			}
+			_, ipRangeParsed, err := net.ParseCIDR(nextIPAddress.String() + addressPrefix)
+			if err != nil {
+				return nil, fmt.Errorf("cannot parse new IP address range: %s: %s", nextIPAddress.String()+addressPrefix, err)
+			}
+			if !ipRangeParsed.Contains(startIP) { // don't pick a range where the start ip is in the range
+				return nextIPAddress, nil
+			}
 		}
 	}
+
 	return nil, fmt.Errorf("couldn't determine next ip address")
 }
 
diff --git a/pkg/wireguard/ip_test.go b/pkg/wireguard/ip_test.go
index e0ee122..414fa8c 100644
--- a/pkg/wireguard/ip_test.go
+++ b/pkg/wireguard/ip_test.go
@@ -2,15 +2,16 @@ package wireguard
 
 import (
 	"net"
+	"strings"
 	"testing"
 )
 
 func TestGetNextFreeIPFromLisWithList(t *testing.T) {
-	startIP, _, err := net.ParseCIDR("10.189.184.1/21")
+	startIP, addressRange, err := net.ParseCIDR("10.189.184.1/21")
 	if err != nil {
 		t.Fatalf("error: %s", err)
 	}
-	nextIP, err := getNextFreeIPFromList(startIP, []string{"10.189.184.2"})
+	nextIP, err := getNextFreeIPFromList(startIP, addressRange, []string{"10.189.184.2"}, "/32")
 	if err != nil {
 		t.Fatalf("error: %s", err)
 	}
@@ -20,11 +21,11 @@ func TestGetNextFreeIPFromLisWithList(t *testing.T) {
 }
 
 func TestGetNextFreeIPFromLisWithList2(t *testing.T) {
-	startIP, _, err := net.ParseCIDR("10.189.184.1/21")
+	startIP, addressRange, err := net.ParseCIDR("10.189.184.1/21")
 	if err != nil {
 		t.Fatalf("error: %s", err)
 	}
-	nextIP, err := getNextFreeIPFromList(startIP, []string{"10.190.190.2", "10.189.184.2", "10.190.190.3"})
+	nextIP, err := getNextFreeIPFromList(startIP, addressRange, []string{"10.190.190.2", "10.189.184.2", "10.190.190.3"}, "/32")
 	if err != nil {
 		t.Fatalf("error: %s", err)
 	}
@@ -32,3 +33,66 @@ func TestGetNextFreeIPFromLisWithList2(t *testing.T) {
 		t.Fatalf("Wrong IP: %s", nextIP)
 	}
 }
+
+func TestGetNextFreeIPWithRange(t *testing.T) {
+	startIP, addressRange, err := net.ParseCIDR("10.189.184.1/21")
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
+	networkPrefix := []string{
+		"/32",
+		"/32",
+		"/32",
+		"/32",
+		"/32",
+		"/32",
+		"/30",
+		"/30",
+		"/32",
+	}
+	testCases := [][]string{
+		{},
+		{"10.189.184.2"},
+		{"10.189.184.2/32"},
+		{"10.189.184.2", "10.189.184.3", "10.189.184.4/30"},
+		{"10.189.184.2", "10.189.184.3", "10.189.184.4/30", "10.189.184.8/32"},
+		{"10.189.184.1/30", "10.189.184.4/30", "10.189.184.8/30"},
+		{},
+		{"10.189.184.4/30", "10.189.184.8/30"},
+		{"10.189.189.2/32", "10.189.189.3/32", "10.189.189.4/32"},
+	}
+	expected := []string{
+		"10.189.184.2",
+		"10.189.184.3",
+		"10.189.184.3",
+		"10.189.184.8",
+		"10.189.184.9",
+		"10.189.184.12",
+		"10.189.184.4",
+		"10.189.184.12",
+		"10.189.184.2",
+	}
+
+	for k := range testCases {
+		nextIP, err := getNextFreeIPFromList(startIP, addressRange, testCases[k], networkPrefix[k])
+		if err != nil {
+			t.Fatalf("error: %s", err)
+		}
+		if nextIP.String() != expected[k] {
+			t.Fatalf("Wrong IP: %s", nextIP)
+		}
+	}
+
+}
+
+func TestIPNotInRange(t *testing.T) {
+	startIP, addressRange, err := net.ParseCIDR("10.189.184.1/21")
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
+	_, err = getNextFreeIPFromList(startIP, addressRange, []string{"10.189.188.0/22"}, "/22")
+	if !strings.Contains(err.Error(), "not within address range") {
+		t.Fatalf("Expected error, got: %s", err)
+	}
+
+}
diff --git a/pkg/wireguard/wireguardclientconfig.go b/pkg/wireguard/wireguardclientconfig.go
index bbf5c5b..9d03f0d 100644
--- a/pkg/wireguard/wireguardclientconfig.go
+++ b/pkg/wireguard/wireguardclientconfig.go
@@ -50,7 +50,7 @@ func NewEmptyClientConfig(storage storage.Iface, userID string) (PeerConfig, err
 	}
 
 	// get next IP address, write in client file
-	nextFreeIP, err := getNextFreeIP(storage, vpnConfig.AddressRange)
+	nextFreeIP, err := getNextFreeIP(storage, vpnConfig.AddressRange, vpnConfig.ClientAddressPrefix)
 	if err != nil {
 		return PeerConfig{}, fmt.Errorf("getNextFreeIP error: %s", err)
 	}
@@ -75,7 +75,7 @@ func NewEmptyClientConfig(storage storage.Iface, userID string) (PeerConfig, err
 		DNS:              strings.Join(vpnConfig.Nameservers, ", "),
 		Name:             fmt.Sprintf("connection-%d", newConfigNumber),
 		Address:          nextFreeIP.String() + vpnConfig.ClientAddressPrefix,
-		ServerAllowedIPs: []string{nextFreeIP.String() + "/32"},
+		ServerAllowedIPs: []string{nextFreeIP.String() + vpnConfig.ClientAddressPrefix},
 		ClientAllowedIPs: clientAllowedIPs,
 	}
 
@@ -131,7 +131,7 @@ func UpdateClientsConfig(storage storage.Iface) error {
 			return fmt.Errorf("couldn't parse existing address of vpn config %s", clientFilename)
 		}
 		if !vpnConfig.AddressRange.Contains(addressParsed.Addr()) { // client IP address is not in address range (address range might have changed)
-			nextFreeIP, err := getNextFreeIP(storage, vpnConfig.AddressRange)
+			nextFreeIP, err := getNextFreeIP(storage, vpnConfig.AddressRange, vpnConfig.ClientAddressPrefix)
 			if err != nil {
 				return fmt.Errorf("getNextFreeIP error: %s", err)
 			}
@@ -140,6 +140,11 @@ func UpdateClientsConfig(storage storage.Iface) error {
 			rewriteFile = true
 		}
 
+		if !strings.HasSuffix(peerConfig.Address, vpnConfig.ClientAddressPrefix) {
+			rewriteFile = true
+			peerConfig.Address = addressParsed.Addr().String() + vpnConfig.ClientAddressPrefix
+		}
+
 		if rewriteFile {
 			peerConfigOut, err := json.Marshal(peerConfig)
 			if err != nil {
diff --git a/pkg/wireguard/wireguardclientconfig_test.go b/pkg/wireguard/wireguardclientconfig_test.go
index 2371e9f..5c1d346 100644
--- a/pkg/wireguard/wireguardclientconfig_test.go
+++ b/pkg/wireguard/wireguardclientconfig_test.go
@@ -16,9 +16,12 @@ import (
 )
 
 func TestGetNextFreeIPFromList(t *testing.T) {
-	ip := net.ParseIP("10.0.0.1")
+	startIP, addressRange, err := net.ParseCIDR("10.0.0.1/21")
+	if err != nil {
+		t.Fatalf("error: %s", err)
+	}
 	ipList := []string{"10.0.0.2", "10.0.0.3"}
-	nextIP, err := getNextFreeIPFromList(ip, ipList)
+	nextIP, err := getNextFreeIPFromList(startIP, addressRange, ipList, "/32")
 	if err != nil {
 		t.Errorf("next IP error: %s", err)
 	}
@@ -646,6 +649,7 @@ func TestUpdateClientConfigNewAddressRange(t *testing.T) {
 	newClientRoutes := []string{"1.2.3.4/32"}
 	vpnconfig.ClientRoutes = newClientRoutes
 	vpnconfig.AddressRange, err = netip.ParsePrefix("10.190.190.1/21")
+	vpnconfig.Nameservers = []string{"3.4.5.6", "8.8.8.8"}
 	if err != nil {
 		t.Fatalf("can't parse new ip range")
 	}
@@ -669,6 +673,9 @@ func TestUpdateClientConfigNewAddressRange(t *testing.T) {
 	if peerConfigCurrent.Address != "10.190.190.2/32" {
 		t.Fatalf("expected different client config address. Got: %s", peerConfigCurrent.Address)
 	}
+	if peerConfigCurrent.DNS != strings.Join(vpnconfig.Nameservers, ", ") {
+		t.Fatalf("Unexpected DNS Servers: %s (expected %s)", peerConfig.DNS, strings.Join(vpnconfig.Nameservers, ", "))
+	}
 
 	peerConfig, err = NewEmptyClientConfig(storage, "2-2-2-2")
 	if err != nil {
@@ -685,5 +692,100 @@ func TestUpdateClientConfigNewAddressRange(t *testing.T) {
 	if peerConfig.Address != "10.190.190.3/32" {
 		t.Fatalf("expected different client config address. Got: %s", peerConfig.Address)
 	}
+	if peerConfig.DNS != strings.Join(vpnconfig.Nameservers, ", ") {
+		t.Fatalf("Unexpected DNS Servers: %s (expected %s)", peerConfig.DNS, strings.Join(vpnconfig.Nameservers, ", "))
+	}
+}
+
+func TestUpdateClientConfigNewClientAddressPrefix(t *testing.T) {
+	var (
+		l   net.Listener
+		err error
+	)
+	for {
+		l, err = net.Listen("tcp", CONFIGMANAGER_URI)
+		if err != nil {
+			if !strings.HasSuffix(err.Error(), "address already in use") {
+				t.Fatal(err)
+			}
+			time.Sleep(1 * time.Second)
+		} else {
+			break
+		}
+	}
+
+	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.Method {
+		case http.MethodPost:
+			if r.RequestURI == "/refresh-clients" {
+				w.WriteHeader(http.StatusAccepted)
+				w.Write([]byte("OK"))
+				return
+			}
+			w.WriteHeader(http.StatusBadRequest)
+		default:
+			w.WriteHeader(http.StatusBadRequest)
+		}
+	}))
+
+	ts.Listener.Close()
+	ts.Listener = l
+	ts.Start()
+	defer ts.Close()
+	defer l.Close()
+
+	storage := &testingmocks.MockMemoryStorage{}
+
+	// first create a new vpn config
+	vpnconfig, err := CreateNewVPNConfig(storage)
+	if err != nil {
+		t.Fatalf("CreateNewVPNConfig error: %s", err)
+	}
+	prefix, err := netip.ParsePrefix(DEFAULT_VPN_PREFIX)
+	if err != nil {
+		t.Errorf("ParsePrefix error: %s", err)
+	}
+	if vpnconfig.AddressRange.String() != prefix.String() {
+		t.Fatalf("wrong AddressRange: %s vs %s", vpnconfig.AddressRange.String(), prefix.String())
+	}
+	if vpnconfig.ClientAddressPrefix != "/32" {
+		t.Fatalf("unexpected default for address prefix: %s", vpnconfig.ClientAddressPrefix)
+	}
+	// generate the peerconfig
+	peerConfig, err := NewEmptyClientConfig(storage, "2-2-2-2")
+	if err != nil {
+		t.Fatalf("NewEmptyClientConfig error: %s", err)
+	}
+
+	if peerConfig.ClientAllowedIPs[0] != "0.0.0.0/0" {
+		t.Fatalf("wrong client allowed ips")
+	}
+
+	vpnconfig.ClientAddressPrefix = "/30"
+
+	err = WriteVPNConfig(storage, vpnconfig)
+	if err != nil {
+		t.Fatalf("WriteVPNConfig error: %s", err)
+	}
+	err = UpdateClientsConfig(storage)
+	if err != nil {
+		t.Fatalf("UpdateClientsConfig error: %s", err)
+	}
+
+	peerConfigCurrent, err := getPeerConfig(storage, "2-2-2-2-1")
+	if err != nil {
+		t.Fatalf("getPeerConfig error: %s", err)
+	}
+
+	if peerConfigCurrent.Address != "10.189.184.2/30" {
+		t.Fatalf("expected different client address. Got: %s", peerConfigCurrent.Address)
+	}
+	peerConfig, err = NewEmptyClientConfig(storage, "2-2-2-2")
+	if err != nil {
+		t.Fatalf("NewEmptyClientConfig error: %s", err)
+	}
+	if peerConfig.Address != "10.189.184.4/30" {
+		t.Fatalf("expected different client config address. Got: %s", peerConfig.Address)
+	}
 
 }
diff --git a/webapp/src/Routes/Setup/Restart.tsx b/webapp/src/Routes/Setup/Restart.tsx
index 01f69d9..8337bf3 100644
--- a/webapp/src/Routes/Setup/Restart.tsx
+++ b/webapp/src/Routes/Setup/Restart.tsx
@@ -12,6 +12,7 @@ type RestartError = {
 
 export function Restart() {
     const [saved, setSaved] = useState(false)
+    const [pending, setPending] = useState(false)
     const [saveError, setSaveError] = useState("")
     const {authInfo} = useAuthContext();
     const alertIcon = <IconInfoCircle />;
@@ -26,8 +27,10 @@ export function Restart() {
       onSuccess: () => {
           setSaved(true)
           setSaveError("")
+          setTimeout(function() { setPending(false); }, 1000);
       },
       onError: (error:AxiosError) => {
+        setTimeout(function() { setPending(false); }, 1000);
         const errorMessage = error.response?.data as RestartError
         if(errorMessage?.error === undefined) {
             setSaveError("Error: "+ error.message)
@@ -43,7 +46,7 @@ export function Restart() {
           <Space h="md" />
           {saved && saveError === "" ? <Alert variant="light" color="green" title="Restarted!" icon={alertIcon}>VPN Restarted!</Alert> : null}
           {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
-            <Button type="submit" mt="md" onClick={() =>  setupMutation.mutate()}>
+            <Button type="submit" mt="md" onClick={() => { setPending(true); setupMutation.mutate() } } disabled={pending}>
               Reload WireGuard® VPN
             </Button>
         </Container>
diff --git a/webapp/src/Routes/Setup/TemplateSetup.tsx b/webapp/src/Routes/Setup/TemplateSetup.tsx
index 243ef01..e96035a 100644
--- a/webapp/src/Routes/Setup/TemplateSetup.tsx
+++ b/webapp/src/Routes/Setup/TemplateSetup.tsx
@@ -96,7 +96,7 @@ export function TemplateSetup() {
             />
             <Space h="md" />
             <Textarea
-                label="VPN Server config template"
+                label="VPN Server config template (WireGuard® Configuration Reload in restart tab required to apply)"
                 key={form.key('serverTemplate')}
                 {...form.getInputProps('serverTemplate')}
                 autosize
diff --git a/webapp/src/Routes/Setup/VPNSetup.tsx b/webapp/src/Routes/Setup/VPNSetup.tsx
index 14b78d4..78b817c 100644
--- a/webapp/src/Routes/Setup/VPNSetup.tsx
+++ b/webapp/src/Routes/Setup/VPNSetup.tsx
@@ -94,7 +94,7 @@ export function VPNSetup() {
 
     return (
         <Container my={40} size="40rem">
-            <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload Wireguard" button at the bottom after submitting the changes. This will disconnect active VPN clients, and if the Address Range or Port is changed, all clients will need to download a new VPN Config.</Alert>
+            <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload Wireguard" button in the Restart tab after submitting the changes. This will disconnect active VPN clients, and if the Address Range or Port is changed, all clients will need to download a new VPN Config.</Alert>
             {saved && saveError === "" ? <Alert variant="light" color="green" title="Update!" icon={alertIcon} style={{marginTop: 10}}>Settings Saved!</Alert> : null}
             {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
 
@@ -144,8 +144,8 @@ export function VPNSetup() {
 
                 <InputWrapper
                 id="input-client-address-prefix-input"
-                label="Client Address Prefix"
-                description="Address prefix for the VPN Client to use. /32 means it'll not be able to communicate to other VPN clients."
+                label="Client Address Network Prefix"
+                description="Network prefix for the VPN Client to use. /32 means only one IP address for a client."
                 style={{marginTop: 10}}
                 >
                 <TextInput
diff --git a/webapp/src/Routes/Users/Users.tsx b/webapp/src/Routes/Users/Users.tsx
index 91f6f12..676d457 100644
--- a/webapp/src/Routes/Users/Users.tsx
+++ b/webapp/src/Routes/Users/Users.tsx
@@ -14,7 +14,7 @@ export function Users() {
     const { isPending, error, data } = useQuery({
         queryKey: ['setup'],
         queryFn: () =>
-          fetch(AppSettings.url + '/setup', {
+          fetch(AppSettings.url + '/setup/general', {
             headers: {
               "Content-Type": "application/json",
               "Authorization": "Bearer " + authInfo.token

From ea0aded65d44014a530e84101a6b17743918d18f Mon Sep 17 00:00:00 2001
From: Edward Viaene <ward@in4it.io>
Date: Wed, 21 Aug 2024 16:46:29 -0500
Subject: [PATCH 8/8] changelog and wording changes

---
 docs/release-notes.md                | 7 ++++++-
 webapp/src/Routes/Setup/VPNSetup.tsx | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/docs/release-notes.md b/docs/release-notes.md
index cded076..2b79097 100644
--- a/docs/release-notes.md
+++ b/docs/release-notes.md
@@ -1,5 +1,10 @@
 # Release Notes
 
+## Version v1.1.0
+* UI: change VPN configuration within the admin UI
+* UI: ability to reload WireGuard® configuration 
+* UI: modify client/server WireGuard® configuration files using templates
+
 ## Version v1.0.41
 * UI: axios version bump
 * UI: disable https forwarding when request is served over http
@@ -47,4 +52,4 @@ Once upgraded to this release, new upgrades can be done through the UI.
 
 * Local Users Support
 * OIDC Support
-* Wireguard® for VPN Connections
+* WireGuard® for VPN Connections
diff --git a/webapp/src/Routes/Setup/VPNSetup.tsx b/webapp/src/Routes/Setup/VPNSetup.tsx
index 78b817c..952c2c2 100644
--- a/webapp/src/Routes/Setup/VPNSetup.tsx
+++ b/webapp/src/Routes/Setup/VPNSetup.tsx
@@ -94,7 +94,7 @@ export function VPNSetup() {
 
     return (
         <Container my={40} size="40rem">
-            <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload Wireguard" button in the Restart tab after submitting the changes. This will disconnect active VPN clients, and if the Address Range or Port is changed, all clients will need to download a new VPN Config.</Alert>
+            <Alert variant="light" color="blue" title="Note!" icon={alertIcon}>Changes to Address Range, Port, External Interface, or NAT will need a wireguard reload. You can click the "Reload WireGuard" button in the Restart tab after submitting the changes. This will disconnect active VPN clients, and if the Address Range or Port is changed, all clients will need to download a new VPN Config.</Alert>
             {saved && saveError === "" ? <Alert variant="light" color="green" title="Update!" icon={alertIcon} style={{marginTop: 10}}>Settings Saved!</Alert> : null}
             {saveError !== "" ? <Alert variant="light" color="red" title="Error!" icon={alertIcon} style={{marginTop: 10}}>{saveError}</Alert> : null}
 
@@ -213,7 +213,7 @@ export function VPNSetup() {
                         Disable NAT
                     </Text>
                     <Text fz="sm" c="dimmed">
-                        Packets will be routed to anywhere on the network, using Network Address Translation (NAT). If the VPN clients only need to access the VPN server and not other devices in the network, you can disable NAT.
+                        Packets will be routed to anywhere on the network, using Network Address Translation (NAT). If the VPN clients only need to access the VPN server and no other devices in the network, you can disable NAT.
                     </Text>
                     </div>
                 </UnstyledButton>