Fix server WireGuard setup and separate WG port from hole punch

- Derive server node ID from identity pubkey when no server cert exists,
  so genesis servers get a tunnel IP without requiring --enroll-server
- Add dedicated wg_port (default 51820) separate from udp_port (51940)
  to prevent WireGuard and hole punch from fighting over the same socket
- Update /api/join to return wg_port in the WireGuard endpoint
- Publish wg= field in DNS _config TXT record
- Add --wg-port CLI flag, SP_WG_PORT env var, JSON config support

Author: Geramy

projects/LemonadeNexus/include/LemonadeNexus/Core/ServerConfig.hpp

@@ -11,7 +11,8 @@ namespace nexus::core {
 struct ServerConfig {
     // Network
     uint16_t    http_port{9100};
-    uint16_t    udp_port{51940};  // WireGuard + hole-punch (shared UDP port)
+    uint16_t    udp_port{51940};  // UDP hole-punch
+    uint16_t    wg_port{51820};   // WireGuard listen port
     uint16_t    gossip_port{9102};
     uint16_t    stun_port{3478};
     uint16_t    relay_port{9103};

projects/LemonadeNexus/include/LemonadeNexus/Network/DnsService.hpp

@@ -145,6 +145,7 @@ class DnsService : public core::IService<DnsService>,
     struct PortConfig {
         uint16_t http_port{9100};
         uint16_t udp_port{51940};
+        uint16_t wg_port{51820};
         uint16_t gossip_port{9102};
         uint16_t stun_port{3478};
         uint16_t relay_port{9103};

projects/LemonadeNexus/src/Api/TreeApiHandler.cpp

@@ -171,10 +171,10 @@ void TreeApiHandler::do_register_routes(httplib::Server& pub, httplib::Server& p
             }
         }
 
-        // Build the WireGuard endpoint: public_ip:udp_port
+        // Build the WireGuard endpoint: public_ip:wg_port
         std::string wg_endpoint;
         if (!ctx_.server_public_ip.empty()) {
-            wg_endpoint = ctx_.server_public_ip + ":" + std::to_string(ctx_.config.udp_port);
+            wg_endpoint = ctx_.server_public_ip + ":" + std::to_string(ctx_.config.wg_port);
         }
 
         nlohmann::json resp = {

projects/LemonadeNexus/src/Core/ServerConfig.cpp

@@ -20,6 +20,7 @@ void to_json(json& j, const ServerConfig& c) {
     j = json{
         {"http_port",           c.http_port},
         {"udp_port",            c.udp_port},
+        {"wg_port",             c.wg_port},
         {"gossip_port",         c.gossip_port},
         {"stun_port",           c.stun_port},
         {"relay_port",          c.relay_port},
@@ -68,6 +69,7 @@ void to_json(json& j, const ServerConfig& c) {
 void from_json(const json& j, ServerConfig& c) {
     if (j.contains("http_port"))           j.at("http_port").get_to(c.http_port);
     if (j.contains("udp_port"))            j.at("udp_port").get_to(c.udp_port);
+    if (j.contains("wg_port"))             j.at("wg_port").get_to(c.wg_port);
     if (j.contains("gossip_port"))         j.at("gossip_port").get_to(c.gossip_port);
     if (j.contains("stun_port"))           j.at("stun_port").get_to(c.stun_port);
     if (j.contains("relay_port"))          j.at("relay_port").get_to(c.relay_port);
@@ -122,7 +124,8 @@ void print_usage(const char* prog) {
     spdlog::info("Options:");
     spdlog::info("  --config <path>            JSON config file (default: lemonade-nexus.json)");
     spdlog::info("  --http-port <N>            HTTP port (default: 9100)");
-    spdlog::info("  --udp-port <N>             WireGuard + hole-punch UDP port (default: 51940)");
+    spdlog::info("  --udp-port <N>             UDP hole-punch port (default: 51940)");
+    spdlog::info("  --wg-port <N>              WireGuard listen port (default: 51820)");
     spdlog::info("  --gossip-port <N>          Gossip protocol UDP port (default: 9102)");
     spdlog::info("  --stun-port <N>            STUN UDP port (default: 3478)");
     spdlog::info("  --relay-port <N>           Relay UDP port (default: 9103)");
@@ -200,6 +203,8 @@ ServerConfig load_config(int argc, char* argv[]) {
             config.http_port = static_cast<uint16_t>(std::atoi(argv[++i]));
         } else if (std::strcmp(argv[i], "--udp-port") == 0 && i + 1 < argc) {
             config.udp_port = static_cast<uint16_t>(std::atoi(argv[++i]));
+        } else if (std::strcmp(argv[i], "--wg-port") == 0 && i + 1 < argc) {
+            config.wg_port = static_cast<uint16_t>(std::atoi(argv[++i]));
         } else if (std::strcmp(argv[i], "--gossip-port") == 0 && i + 1 < argc) {
             config.gossip_port = static_cast<uint16_t>(std::atoi(argv[++i]));
         } else if (std::strcmp(argv[i], "--stun-port") == 0 && i + 1 < argc) {
@@ -280,6 +285,7 @@ ServerConfig load_config(int argc, char* argv[]) {
     if (const char* v = std::getenv("SP_LOG_LEVEL"))   config.log_level   = v;
     if (const char* v = std::getenv("SP_HTTP_PORT"))    config.http_port   = static_cast<uint16_t>(std::atoi(v));
     if (const char* v = std::getenv("SP_UDP_PORT"))     config.udp_port    = static_cast<uint16_t>(std::atoi(v));
+    if (const char* v = std::getenv("SP_WG_PORT"))      config.wg_port     = static_cast<uint16_t>(std::atoi(v));
     if (const char* v = std::getenv("SP_GOSSIP_PORT"))  config.gossip_port = static_cast<uint16_t>(std::atoi(v));
     if (const char* v = std::getenv("SP_STUN_PORT"))    config.stun_port   = static_cast<uint16_t>(std::atoi(v));
     if (const char* v = std::getenv("SP_RELAY_PORT"))   config.relay_port  = static_cast<uint16_t>(std::atoi(v));
@@ -346,18 +352,19 @@ bool validate_config(const ServerConfig& config) {
     };
     check_port(config.http_port, "http_port");
     check_port(config.udp_port, "udp_port");
+    check_port(config.wg_port, "wg_port");
     check_port(config.gossip_port, "gossip_port");
     check_port(config.stun_port, "stun_port");
     check_port(config.relay_port, "relay_port");
     check_port(config.dns_port, "dns_port");
 
     // Check ports are unique
     std::set<uint16_t> ports = {
-        config.http_port, config.udp_port, config.gossip_port,
+        config.http_port, config.udp_port, config.wg_port, config.gossip_port,
         config.stun_port, config.relay_port, config.dns_port
     };
-    if (ports.size() < 6) {
-        spdlog::error("Config: port conflict — all 6 ports must be unique");
+    if (ports.size() < 7) {
+        spdlog::error("Config: port conflict — all 7 ports must be unique");
         valid = false;
     }
 
@@ -394,8 +401,8 @@ bool validate_config(const ServerConfig& config) {
         spdlog::warn("Config: rp_id is empty — WebAuthn passkeys will not validate");
     }
 
-    spdlog::info("Config: HTTP:{} UDP/WG:{} Gossip:{} STUN:{} Relay:{} DNS:{} data={}",
-                  config.http_port, config.udp_port, config.gossip_port,
+    spdlog::info("Config: HTTP:{} UDP:{} WG:{} Gossip:{} STUN:{} Relay:{} DNS:{} data={}",
+                  config.http_port, config.udp_port, config.wg_port, config.gossip_port,
                   config.stun_port, config.relay_port, config.dns_port,
                   config.data_root);
 

projects/LemonadeNexus/src/Core/ServerIdentity.cpp

@@ -45,13 +45,28 @@ std::string resolve_jwt_secret(
 }
 
 std::string resolve_server_node_id(storage::FileStorageService& storage) {
+    // Prefer server certificate (from --enroll-server)
     auto cert_env = storage.read_file("identity", "server_cert.json");
     if (cert_env) {
         try {
             auto cert_j = nlohmann::json::parse(cert_env->data);
-            return cert_j.value("server_id", "");
+            auto id = cert_j.value("server_id", "");
+            if (!id.empty()) return id;
         } catch (...) {}
     }
+
+    // Fall back to identity pubkey — every server has one after first boot.
+    // Derive a stable node ID so IPAM allocations persist across restarts.
+    auto pk_env = storage.read_file("identity", "keypair.pub");
+    if (pk_env && !pk_env->data.empty()) {
+        // Use first 16 hex chars of the pubkey as a stable server node ID
+        auto pubkey = pk_env->data;
+        if (pubkey.size() > 16) pubkey = pubkey.substr(0, 16);
+        auto node_id = "server-" + pubkey;
+        spdlog::info("Derived server node ID from identity pubkey: {}", node_id);
+        return node_id;
+    }
+
     return {};
 }
 

projects/LemonadeNexus/src/Network/DnsService.cpp

@@ -440,6 +440,7 @@ void DnsService::publish_port_config(const std::string& server_id, const std::st
     std::string txt = "v=sp1"
                       " http=" + std::to_string(port_config_.http_port) +
                       " udp=" + std::to_string(port_config_.udp_port) +
+                      " wg=" + std::to_string(port_config_.wg_port) +
                       " gossip=" + std::to_string(port_config_.gossip_port) +
                       " stun=" + std::to_string(port_config_.stun_port) +
                       " relay=" + std::to_string(port_config_.relay_port) +

projects/LemonadeNexus/src/main.cpp

@@ -351,6 +351,7 @@ int main(int argc, char* argv[]) {
         nexus::network::DnsService::PortConfig dns_ports;
         dns_ports.http_port   = http_port;
         dns_ports.udp_port    = udp_port;
+        dns_ports.wg_port     = config.wg_port;
         dns_ports.gossip_port = gossip_port;
         dns_ports.stun_port   = stun_port;
         dns_ports.relay_port  = relay_port;
@@ -487,11 +488,11 @@ int main(int argc, char* argv[]) {
         nexus::wireguard::WgInterfaceConfig wg_iface;
         wg_iface.private_key = wg_server_privkey_b64;
         wg_iface.address     = tunnel_bind_ip + "/10";  // 10.64.0.0/10 mesh subnet
-        wg_iface.listen_port = config.udp_port;
+        wg_iface.listen_port = config.wg_port;
 
         if (wireguard_service.setup_interface(wg_iface, {})) {
             spdlog::info("WireGuard: wg0 up on :{} with tunnel IP {}/10",
-                          config.udp_port, tunnel_bind_ip);
+                          config.wg_port, tunnel_bind_ip);
         } else {
             spdlog::warn("WireGuard: failed to set up wg0 — clients will not be able to connect. "
                           "Ensure wireguard-tools and kernel module are installed.");