feat: add network secret for registration validation

.dockerignore

@@ -0,0 +1,6 @@
+.git
+.github
+target
+data
+logs
+*.log

Dockerfile

@@ -0,0 +1,34 @@
+ARG RUST_VERSION=1.93.1
+
+FROM rust:${RUST_VERSION}-bookworm AS builder
+WORKDIR /build
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends protobuf-compiler pkg-config \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY .cargo ./.cargo
+COPY Cargo.toml Cargo.lock ./
+COPY src ./src
+COPY vnt-core ./vnt-core
+COPY vnt-ipc ./vnt-ipc
+COPY vnt-jni ./vnt-jni
+COPY vnt-web ./vnt-web
+
+RUN cargo build --release --locked --bin vnt2_web --features vnt-web
+
+FROM debian:bookworm-slim AS runtime
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app/data
+
+COPY --from=builder /build/target/release/vnt2_web /usr/local/bin/vnt2_web
+
+VOLUME ["/app/data"]
+
+EXPOSE 19099/tcp
+
+CMD ["vnt2_web", "--addr", "0.0.0.0:19099"]

data/config.example.toml

@@ -0,0 +1,52 @@
+# Display name shown in the client web UI.
+config_name = "default"
+
+# One or more control servers. Supported schemes: quic:// tcp:// wss:// dynamic://
+server = ["quic://YOUR_SERVER_IP:29872"]
+
+# Must match a network_code known by the server.
+network_code = "default"
+
+# Must match the server-side secret configured for that network_code.
+network_secret = "replace_with_the_server_side_network_secret"
+
+# Packet/data encryption inside the virtual network.
+# Leave commented out to disable payload encryption.
+# password = "optional_packet_password"
+
+# Quick-start setting for self-signed server certificates.
+# Use "finger:<hex>" or "standard" in production.
+cert_mode = "skip"
+
+# Optional fixed overlay IP inside the selected network CIDR.
+# ip = "172.16.57.10"
+
+# Optional device identity.
+device_name = "docker-client"
+# device_id = "docker-client-01"
+# tun_name = "vnt-tun"
+
+# Transport tuning.
+# rtx = true
+# fec = false
+# compress = false
+# no_punch = false
+
+# For a registration-only smoke test on a host without /dev/net/tun, uncomment:
+# no_tun = true
+
+# Optional fixed UDP port for P2P traffic.
+# If you set this in Docker, publish the same UDP port in docker-compose.yml.
+# tunnel_port = 30001
+
+# Optional subnet/gateway features.
+# input = ["192.168.10.0/24,172.16.57.10"]
+# output = ["0.0.0.0/0"]
+# no_nat = false
+# mtu = 1380
+# port_mapping = ["tcp://0.0.0.0:8080-172.16.57.20-172.16.57.20:80"]
+# allow_mapping = false
+
+# Optional STUN overrides.
+# udp_stun = ["stun.chat.bilibili.com:3478"]
+# tcp_stun = ["stun.nextcloud.com:443"]

docker-compose.yml

@@ -0,0 +1,26 @@
+services:
+  vnt-client:
+    build:
+      context: .
+      args:
+        RUST_VERSION: 1.93.1
+    image: vnt2-client:local
+    container_name: vnt2-client
+    restart: unless-stopped
+    command: ["vnt2_web", "--addr", "0.0.0.0:19099", "--conf", "/app/data/config.toml"]
+    # Share the host network namespace so the TUN device and routes live on the host.
+    # This is required if remote VNT peers should reach services running on the host
+    # instead of only services inside the container namespace.
+    network_mode: host
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    volumes:
+      # The app writes config.toml, vnt_config/, vnt_current_config.txt and logs
+      # relative to its working directory. Persist all of them in ./data.
+      - ./data:/app/data
+    # With host networking, do not publish ports here.
+    # 19099 is now bound directly on the host by vnt2_web itself.
+    # If you enable TUN mode in /app/data/config.toml, the VNT interface also lives on the host.