Merge remote-tracking branch 'upstream/master'

* Small code quality improvements

- Fix misleading JSDoc comment in cache.ts
- Mitigate timing-based username enumeration in Basic auth
- Extract duplicated TOTP configuration into private method
- Replace manual peer counter with clients.length in Prometheus metrics
- Simplify isValidPasswordHash return expression

* reset session.ts

this is currently worked on in the dev-oauth branch

* reset password.ts

no need to change

* specify unit for cache function

* remove type assertion

---------

Co-authored-by: Anghios <Anghios@users.noreply.github.com>
Co-authored-by: Bernd Storath <bernd@berndstorath.de>

.github/dependabot.yml

@@ -5,13 +5,3 @@ updates:
     schedule:
       interval: "weekly"
     rebase-strategy: "auto"
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    rebase-strategy: "auto"
-  - package-ecosystem: "npm"
-    directory: "/src/"
-    schedule:
-      interval: "weekly"
-    rebase-strategy: "auto"

.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4

.github/workflows/deploy-development.yml

@@ -18,10 +18,10 @@ jobs:
             os: ubuntu-latest
           - platform: linux/arm64
             os: ubuntu-24.04-arm
-          - platform: linux/arm/v7
-            os: ubuntu-24.04-arm
+          # - platform: linux/arm/v7
+          #   os: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Prepare
         run: |
@@ -30,7 +30,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ghcr.io/wg-easy/wg-easy
@@ -38,21 +38,21 @@ jobs:
             latest=false
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push by digest
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: ${{ matrix.arch.platform }}
@@ -69,7 +69,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: digests-${{ env.PLATFORM_PAIR }}
           path: ${{ runner.temp }}/digests/*
@@ -85,32 +85,32 @@ jobs:
     needs: docker-build
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Codeberg
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: codeberg.org
           username: ${{ secrets.CODEBERG_USER }}
           password: ${{ secrets.CODEBERG_PASS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ghcr.io/wg-easy/wg-easy
@@ -138,7 +138,7 @@ jobs:
       contents: write
     needs: docker-merge
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Setup Python
         uses: actions/setup-python@v6

.github/workflows/deploy-edge.yml

@@ -25,10 +25,10 @@ jobs:
             os: ubuntu-latest
           - platform: linux/arm64
             os: ubuntu-24.04-arm
-          - platform: linux/arm/v7
-            os: ubuntu-24.04-arm
+          # - platform: linux/arm/v7
+          #   os: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: master
 
@@ -39,7 +39,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ghcr.io/wg-easy/wg-easy
@@ -47,21 +47,21 @@ jobs:
             latest=false
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push by digest
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: ${{ matrix.arch.platform }}
@@ -78,7 +78,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: digests-${{ env.PLATFORM_PAIR }}
           path: ${{ runner.temp }}/digests/*
@@ -94,32 +94,32 @@ jobs:
     needs: docker-build
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Codeberg
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: codeberg.org
           username: ${{ secrets.CODEBERG_USER }}
           password: ${{ secrets.CODEBERG_PASS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ghcr.io/wg-easy/wg-easy
@@ -147,7 +147,7 @@ jobs:
       contents: write
     needs: docker-merge
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: master
 

.github/workflows/deploy-pr.yml

@@ -21,10 +21,10 @@ jobs:
             os: ubuntu-latest
           - platform: linux/arm64
             os: ubuntu-24.04-arm
-          - platform: linux/arm/v7
-            os: ubuntu-24.04-arm
+          # - platform: linux/arm/v7
+          #   os: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Prepare
         run: |
@@ -32,20 +32,20 @@ jobs:
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           push: false

.github/workflows/deploy.yml

@@ -26,10 +26,10 @@ jobs:
             os: ubuntu-latest
           - platform: linux/arm64
             os: ubuntu-24.04-arm
-          - platform: linux/arm/v7
-            os: ubuntu-24.04-arm
+          # - platform: linux/arm/v7
+          #   os: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Prepare
         run: |
@@ -38,7 +38,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ghcr.io/wg-easy/wg-easy
@@ -46,21 +46,21 @@ jobs:
             latest=false
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Build and push by digest
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: ${{ matrix.arch.platform }}
@@ -77,7 +77,7 @@ jobs:
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
 
       - name: Upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v7
         with:
           name: digests-${{ env.PLATFORM_PAIR }}
           path: ${{ runner.temp }}/digests/*
@@ -95,32 +95,32 @@ jobs:
     needs: docker-build
     steps:
       - name: Download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v8
         with:
           path: ${{ runner.temp }}/digests
           pattern: digests-*
           merge-multiple: true
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Codeberg
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: codeberg.org
           username: ${{ secrets.CODEBERG_USER }}
           password: ${{ secrets.CODEBERG_PASS }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ghcr.io/wg-easy/wg-easy
@@ -152,7 +152,7 @@ jobs:
       contents: write
     needs: docker-merge
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       - name: Setup Python
         uses: actions/setup-python@v6

.github/workflows/lint.yml

@@ -14,9 +14,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@v6
         name: Install pnpm
         with:
           run_install: false
@@ -24,7 +24,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v6
         with:
-          node-version: "lts/jod"
+          node-version: "lts/krypton"
           check-latest: true
           cache: "pnpm"
 
@@ -47,9 +47,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@v6
         name: Install pnpm
         with:
           run_install: false
@@ -57,7 +57,7 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v6
         with:
-          node-version: "lts/jod"
+          node-version: "lts/krypton"
           check-latest: true
           cache: "pnpm"
 

.vscode/extensions.json

@@ -3,7 +3,6 @@
     "aaron-bond.better-comments",
     "dbaeumer.vscode-eslint",
     "antfu.goto-alias",
-    "visualstudioexptteam.vscodeintellicode",
     "esbenp.prettier-vscode",
     "yoavbls.pretty-ts-errors",
     "bradlc.vscode-tailwindcss",

CHANGELOG.md

@@ -7,19 +7,67 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## Added
+### Added
+
+- AWG: support for H1-H4 ranges (https://github.com/wg-easy/wg-easy/pull/2480)
+- Client Firewall (https://github.com/wg-easy/wg-easy/pull/2418)
+- CLI: Show QR code (https://github.com/wg-easy/wg-easy/pull/2518)
+- Copy QR code to clipboard / save as png (https://github.com/wg-easy/wg-easy/pull/2521)
+
+### Fixed
+
+- Add trailing newline to Prometheus metrics output (https://github.com/wg-easy/wg-easy/pull/2573)
+- Correctly use DEBUG env var (https://github.com/wg-easy/wg-easy/pull/2619)
+
+### Changed
+
+- Hooks are now Textareas (https://github.com/wg-easy/wg-easy/pull/2522)
+- Update to Node Krypton (24) (https://github.com/wg-easy/wg-easy/pull/2536)
+- Mobile UI (https://github.com/wg-easy/wg-easy/pull/2569)
+- Prevent enabling client when expired (https://github.com/wg-easy/wg-easy/pull/2594)
+
+## [15.2.2] - 2026-02-06
+
+### Added
+
+- Added Userspace WireGuard support (https://github.com/wg-easy/wg-easy/pull/2419)
+
+### Fixed
+
+- LangSelector overlapping with Buttons (https://github.com/wg-easy/wg-easy/pull/2434)
+- AmnzeziaWG config parameters (https://github.com/wg-easy/wg-easy/pull/2440)
+- OpenMetrics help string format (https://github.com/wg-easy/wg-easy/pull/2453)
+- Reset 2fa when resetting admin password (https://github.com/wg-easy/wg-easy/pull/2461)
+
+### Docs
+
+- Replace Watchtower with maintained fork (https://github.com/wg-easy/wg-easy/pull/2456)
+
+## [15.2.1] - 2026-01-14
+
+### Fixed
+
+- Icon in Searchbar (https://github.com/wg-easy/wg-easy/commit/458f66818a400f181e2c6326ede077c8793d71f2)
+- Interface save not working (https://github.com/wg-easy/wg-easy/commit/48f3fbd715a889e2425702a8a46332f2752aef91)
+- Error Messages in Setup (https://github.com/wg-easy/wg-easy/commit/32a055093a76342c40858d8dcf563b0700a8bd48)
+
+## [15.2.0] - 2026-01-12
+
+### Added
 
 - AmneziaWG integration (https://github.com/wg-easy/wg-easy/pull/2102, https://github.com/wg-easy/wg-easy/pull/2226)
 - Search / filter box (https://github.com/wg-easy/wg-easy/pull/2170)
 - `INIT_ALLOWED_IPS` env var (https://github.com/wg-easy/wg-easy/pull/2164)
 - Show client endpoint (https://github.com/wg-easy/wg-easy/pull/2058)
+- Add option to view and copy config (https://github.com/wg-easy/wg-easy/pull/2289)
 
-## Fixed
+### Fixed
 
 - Fix download as conf.txt (https://github.com/wg-easy/wg-easy/pull/2269)
 - Clean filename for OTL download (https://github.com/wg-easy/wg-easy/pull/2253)
+- Text color in admin menu in light mode (https://github.com/wg-easy/wg-easy/pull/2307)
 
-## Changed
+### Changed
 
 - Allow lower MTU (https://github.com/wg-easy/wg-easy/pull/2228)
 - Use /32 and /128 for client Cidr (https://github.com/wg-easy/wg-easy/pull/2217)
@@ -27,11 +75,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Publish on Codeberg (https://github.com/wg-easy/wg-easy/pull/2160)
 - Allow empty DNS (https://github.com/wg-easy/wg-easy/pull/2052, https://github.com/wg-easy/wg-easy/pull/2057)
 - Don't include keys in API responses (https://github.com/wg-easy/wg-easy/pull/2015)
+- Try all QR ecc levels (https://github.com/wg-easy/wg-easy/pull/2288)
+- Update OneTimeLink expiry on reuse (https://github.com/wg-easy/wg-easy/pull/2370)
+- Removed ARMv7 support (https://github.com/wg-easy/wg-easy/pull/2369)
 
-## Docs
+### Docs
 
 - Add AdGuard Home (https://github.com/wg-easy/wg-easy/pull/2175)
-- Add Routed (No NAT) docs (https://github.com/wg-easy/wg-easy/pull/2181)
+- Add Routed (No NAT) docs (https://github.com/wg-easy/wg-easy/pull/2181, https://github.com/wg-easy/wg-easy/pull/2380)
+- Add AmneziaWG docs (https://github.com/wg-easy/wg-easy/pull/2108, https://github.com/wg-easy/wg-easy/pull/2292)
 
 ## [15.1.0] - 2025-07-01
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/node:jod-alpine AS build
+FROM docker.io/library/node:krypton-alpine AS build
 WORKDIR /app
 
 # update corepack
@@ -7,7 +7,7 @@ RUN npm install --global corepack@latest
 RUN corepack enable pnpm
 
 # Copy Web UI
-COPY src/package.json src/pnpm-lock.yaml ./
+COPY src/package.json src/pnpm-lock.yaml src/pnpm-workspace.yaml ./
 RUN pnpm install
 
 # Build UI
@@ -15,14 +15,22 @@ COPY src ./
 RUN pnpm build
 
 # Build amneziawg-tools
-RUN apk add linux-headers build-base git && \
+RUN apk add linux-headers build-base go git && \
     git clone https://github.com/amnezia-vpn/amneziawg-tools.git && \
-    cd amneziawg-tools/src && \
-    make
+    git clone https://github.com/amnezia-vpn/amneziawg-go && \
+    cd amneziawg-go && \
+    make && \
+    cd ../amneziawg-tools/src && \
+    make && \
+    sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' ./wg-quick/linux.bash
+
+FROM docker.io/library/node:krypton-alpine AS build-libsql
+WORKDIR /app
+RUN npm install --no-save --omit=dev libsql
 
 # Copy build result to a new image.
 # This saves a lot of disk space.
-FROM docker.io/library/node:jod-alpine
+FROM docker.io/library/node:krypton-alpine
 WORKDIR /app
 
 HEALTHCHECK --interval=1m --timeout=5s --retries=3 CMD /usr/bin/timeout 5s /bin/sh -c "/usr/bin/wg show | /bin/grep -q interface || exit 1"
@@ -32,12 +40,14 @@ COPY --from=build /app/.output /app
 # Copy migrations
 COPY --from=build /app/server/database/migrations /app/server/database/migrations
 # libsql (https://github.com/nitrojs/nitro/issues/3328)
-RUN cd /app/server && \
-    npm install --no-save libsql && \
-    npm cache clean --force
+COPY --from=build-libsql /app/node_modules /app/server/node_modules
+
 # cli
 COPY --from=build /app/cli/cli.sh /usr/local/bin/cli
 RUN chmod +x /usr/local/bin/cli
+# Copy amneziawg-go
+COPY --from=build /app/amneziawg-go/amneziawg-go /usr/bin/amneziawg-go
+RUN chmod +x /usr/bin/amneziawg-go
 # Copy amneziawg-tools
 COPY --from=build /app/amneziawg-tools/src/wg /usr/bin/awg
 COPY --from=build /app/amneziawg-tools/src/wg-quick/linux.bash /usr/bin/awg-quick
@@ -52,7 +62,9 @@ RUN apk add --no-cache \
     nftables \
     kmod \
     iptables-legacy \
-    wireguard-tools
+    wireguard-go \
+    wireguard-tools && \
+    sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' /usr/bin/wg-quick
 
 RUN mkdir -p /etc/amnezia
 RUN ln -s /etc/wireguard /etc/amnezia/amneziawg
@@ -62,7 +74,7 @@ RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables
 RUN update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-legacy 10 --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-legacy-restore --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-legacy-save
 
 # Set Environment
-ENV DEBUG=Server,WireGuard,Database,CMD
+ENV DEBUG=Server,WireGuard,Database,CMD,Firewall
 ENV PORT=51821
 ENV HOST=0.0.0.0
 ENV INSECURE=false

Dockerfile.dev

@@ -1,4 +1,4 @@
-FROM docker.io/library/node:jod-alpine
+FROM docker.io/library/node:krypton-alpine
 WORKDIR /app
 
 # update corepack
@@ -16,6 +16,7 @@ RUN apk add --no-cache \
     ip6tables \
     kmod \
     iptables-legacy \
+    wireguard-go \
     wireguard-tools
 
 # Use iptables-legacy
@@ -23,7 +24,7 @@ RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables
 RUN update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-legacy 10 --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/ip6tables-legacy-restore --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/ip6tables-legacy-save
 
 # Set Environment
-ENV DEBUG=Server,WireGuard,Database,CMD
+ENV DEBUG=Server,WireGuard,Database,CMD,Firewall
 ENV PORT=51821
 ENV HOST=0.0.0.0
 ENV INSECURE=true
@@ -31,7 +32,7 @@ ENV INIT_ENABLED=false
 ENV DISABLE_IPV6=false
 
 # Install Dependencies
-COPY src/package.json src/pnpm-lock.yaml ./
+COPY src/package.json src/pnpm-lock.yaml src/pnpm-workspace.yaml ./
 RUN pnpm install
 
 # Copy Project

README.md

@@ -1,16 +1,14 @@
 # WireGuard Easy
 
-[![Build & Publish latest Image](https://github.com/wg-easy/wg-easy/actions/workflows/deploy.yml/badge.svg?branch=production)](https://github.com/wg-easy/wg-easy/actions/workflows/deploy.yml)
+[![Build & Publish latest Image](https://github.com/wg-easy/wg-easy/actions/workflows/deploy.yml/badge.svg)](https://github.com/wg-easy/wg-easy/actions/workflows/deploy.yml)
 [![Lint](https://github.com/wg-easy/wg-easy/actions/workflows/lint.yml/badge.svg?branch=master)](https://github.com/wg-easy/wg-easy/actions/workflows/lint.yml)
 [![GitHub Stars](https://img.shields.io/github/stars/wg-easy/wg-easy)](https://github.com/wg-easy/wg-easy/stargazers)
 [![License](https://img.shields.io/github/license/wg-easy/wg-easy)](LICENSE)
 [![GitHub Release](https://img.shields.io/github/v/release/wg-easy/wg-easy)](https://github.com/wg-easy/wg-easy/releases/latest)
-[![Image Pulls](https://img.shields.io/badge/image_pulls-12M+-blue)](https://github.com/wg-easy/wg-easy/pkgs/container/wg-easy)
+[![Image Pulls](https://img.shields.io/badge/image_pulls-28M+-blue)](https://github.com/wg-easy/wg-easy/pkgs/container/wg-easy)
 
 You have found the easiest way to install & manage WireGuard on any Linux host!
 
-<!-- TOOD: update screenshot -->
-
 <p align="center">
   <img src="./assets/screenshot.png" width="802" alt="wg-easy Screenshot" />
 </p>
@@ -33,6 +31,7 @@ You have found the easiest way to install & manage WireGuard on any Linux host!
 - IPv6 support
 - CIDR support
 - 2FA support
+- Per-client firewall filtering (requires iptables)
 
 > [!NOTE]
 > To better manage documentation for this project, it has its own site here: [https://wg-easy.github.io/wg-easy/latest](https://wg-easy.github.io/wg-easy/latest)

assets/icons/wireguard-logo.icon/icon.json

@@ -0,0 +1,63 @@
+{
+  "fill" : {
+    "automatic-gradient" : "display-p3:0.48853,0.13220,0.12335,1.00000"
+  },
+  "groups" : [
+    {
+      "layers" : [
+        {
+          "fill" : {
+            "automatic-gradient" : "srgb:1.00000,1.00000,1.00000,1.00000"
+          },
+          "image-name" : "wireguard-logo.png",
+          "name" : "wireguard-logo",
+          "position" : {
+            "scale" : 0.5,
+            "translation-in-points" : [
+              255.828125,
+              -225.5
+            ]
+          }
+        },
+        {
+          "fill-specializations" : [
+            {
+              "value" : {
+                "automatic-gradient" : "srgb:1.00000,1.00000,1.00000,1.00000"
+              }
+            },
+            {
+              "appearance" : "dark",
+              "value" : {
+                "automatic-gradient" : "display-p3:0.48853,0.13220,0.12335,1.00000"
+              }
+            }
+          ],
+          "image-name" : "ticket.png",
+          "name" : "ticket",
+          "position" : {
+            "scale" : 1.2,
+            "translation-in-points" : [
+              -119.91562499999998,
+              165.65625
+            ]
+          }
+        }
+      ],
+      "shadow" : {
+        "kind" : "neutral",
+        "opacity" : 0.5
+      },
+      "translucency" : {
+        "enabled" : true,
+        "value" : 0.5
+      }
+    }
+  ],
+  "supported-platforms" : {
+    "circles" : [
+      "watchOS"
+    ],
+    "squares" : "shared"
+  }
+}

docs/content/advanced/config/amnezia.md

@@ -2,7 +2,9 @@
 title: AmneziaWG
 ---
 
-Experimental support for AmneziaWG can be enabled by setting the `EXPERIMENTAL_AWG` environment variable to `true`. This feature is still under development and may change in future releases.
+## Introduction
+
+**AmneziaWG** is a modified version of the WireGuard protocol with enhanced traffic obfuscation capabilities. AmneziaWG's primary goal is to counter deep packet inspection (DPI) systems and bypass VPN blocking.
 
 AmneziaWG adds multi-level transport-layer obfuscation by:
 
@@ -12,6 +14,12 @@ AmneziaWG adds multi-level transport-layer obfuscation by:
 
 These measures make it harder for third parties to analyze or identify your traffic, enhancing both privacy and security.
 
+## Activating AmneziaWG
+
+You must install the [AmneziaWG kernel module](https://github.com/amnezia-vpn/amneziawg-linux-kernel-module) on the host system.
+
+Experimental support for AmneziaWG can be enabled by setting the `EXPERIMENTAL_AWG` environment variable to `true`. Starting from wg-easy version 16, this setting will be enabled by default. This feature is still under development and may change in future releases.
+
 When enabled, wg-easy will automatically detect whether the AmneziaWG kernel module is available. If it is not, the system will fall back to the standard WireGuard module.
 
 To override this automatic detection, set the `OVERRIDE_AUTO_AWG` environment variable. By default, this variable is unset.
@@ -21,17 +29,51 @@ Possible values:
 - `awg` — Force use of AmneziaWG
 - `wg` — Force use of standard WireGuard
 
-To be able to connect to wg-easy if AmneziaWG is enabled, you must have a AmneziaWG-compatible client.
+## AmneziaWG Parameters
+
+Parameter descriptions can be found in the [AmneziaWG documentation](https://docs.amnezia.org/documentation/amnezia-wg) and on the [kernel module page](https://github.com/amnezia-vpn/amneziawg-linux-kernel-module).
+
+All parameters except I1-I5 will be set at first startup. For information on how to set I1-I5 parameters, refer to the [AmneziaWG documentation](https://docs.amnezia.org/documentation/instructions/new-amneziawg-selfhosted/#how-to-extract-a-protocol-signature-for-amneziawg-15-manually).
+
+If a parameter is not set, it will not be added to the configuration. If all AmneziaWG-specific parameters are absent, AmneziaWG will be fully compatible with standard WireGuard.
+
+### Parameter Compatibility Table
+
+| Parameter | Can differ between server and client | Configurable on server | Configurable on client  |
+| --------- | ------------------------------------ | ---------------------- | ----------------------- |
+| Jc        | ✅ Yes                               | ✅                     | ✅                      |
+| Jmin      | ✅ Yes                               | ✅                     | ✅                      |
+| Jmax      | ✅ Yes                               | ✅                     | ✅                      |
+| S1-S4     | ❌ No, must match                    | ✅                     | ❌ (copied from server) |
+| H1-H4     | ❌ No, must match                    | ✅                     | ❌ (copied from server) |
+| I1-I5     | ✅ Yes                               | ✅                     | ✅                      |
+
+## Client Applications
+
+To be able to connect to wg-easy if AmneziaWG is enabled, you must have an AmneziaWG-compatible client. Where an AmneziaWG app is available for your platform, it is recommended to use it rather than Amnezia VPN.
 
 Android:
 
-- [AmneziaWG](https://play.google.com/store/apps/details?id=org.amnezia.awg) - Official Client
+- [AmneziaWG](https://play.google.com/store/apps/details?id=org.amnezia.awg) - AmneziaWG Official Client
 - [WG Tunnel](https://play.google.com/store/apps/details?id=com.zaneschepke.wireguardautotunnel) - Third Party Client
+- [Amnezia VPN](https://play.google.com/store/apps/details?id=org.amnezia.vpn) - Amnezia VPN Official Client
 
 iOS and macOS:
 
-- [AmneziaWG](https://apps.apple.com/us/app/amneziawg/id6478942365) - Official Client
+- [AmneziaWG](https://apps.apple.com/us/app/amneziawg/id6478942365) - AmneziaWG Official Client
+- [Amnezia VPN](https://apps.apple.com/us/app/amneziavpn/id1600529900) - Amnezia VPN Official Client
 
 Windows:
 
-- [AmneziaWG](https://github.com/amnezia-vpn/amneziawg-windows-client/releases) - Official Client
+- [AmneziaWG](https://github.com/amnezia-vpn/amneziawg-windows-client/releases) - AmneziaWG Official Client (Requires building from source code)
+- [Amnezia VPN](https://amnezia.org/downloads) - Amnezia VPN Official Client
+
+Linux:
+
+- [Amnezia VPN](https://amnezia.org/downloads) - Amnezia VPN Official Client
+- [amneziawg-tools](https://github.com/amnezia-vpn/amneziawg-tools) - AmneziaWG Tools
+
+OpenWRT:
+
+- [AmneziaWG OpenWRT](https://github.com/Slava-Shchipunov/awg-openwrt) - AmneziaWG OpenWRT Packages
+- [AmneziaWG OpenWRT](https://github.com/lolo6oT/awg-openwrt) - AmneziaWG OpenWRT Packages

docs/content/advanced/config/optional-config.md

@@ -4,12 +4,13 @@ title: Optional Configuration
 
 You can set these environment variables to configure the container. They are not required, but can be useful in some cases.
 
-| Env            | Default   | Example     | Description                        |
-| -------------- | --------- | ----------- | ---------------------------------- |
-| `PORT`         | `51821`   | `6789`      | TCP port for Web UI.               |
-| `HOST`         | `0.0.0.0` | `localhost` | IP address web UI binds to.        |
-| `INSECURE`     | `false`   | `true`      | If access over http is allowed     |
-| `DISABLE_IPV6` | `false`   | `true`      | If IPv6 support should be disabled |
+| Env                     | Default   | Example     | Description                             |
+| ----------------------- | --------- | ----------- | --------------------------------------- |
+| `PORT`                  | `51821`   | `6789`      | TCP port for Web UI.                    |
+| `HOST`                  | `0.0.0.0` | `localhost` | IP address web UI binds to.             |
+| `INSECURE`              | `false`   | `true`      | If access over http is allowed          |
+| `DISABLE_IPV6`          | `false`   | `true`      | If IPv6 support should be disabled      |
+| `DISABLE_VERSION_CHECK` | `false`   | `true`      | If wg-easy should check for new updates |
 
 /// note | IPv6 Caveats
 
@@ -20,74 +21,3 @@ You will however still see a IPv6 address in the Web UI, but it won't be used.
 This option can be removed in the future, as more devices support IPv6.
 
 ///
-
-## Configuration Overrides
-
-These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings at runtime.
-
-### Interface Settings
-
-| Env            | Example       | Description               |
-| -------------- | ------------- | ------------------------- |
-| `WG_PORT`      | `51820`       | WireGuard interface port  |
-| `WG_DEVICE`    | `eth0`        | Network device/interface  |
-| `WG_MTU`       | `1420`        | Maximum Transmission Unit |
-| `WG_IPV4_CIDR` | `10.8.0.0/24` | IPv4 CIDR range           |
-| `WG_IPV6_CIDR` | `fdcc::/112`  | IPv6 CIDR range           |
-
-### Client Connection Settings
-
-| Env                               | Example           | Description                     |
-| --------------------------------- | ----------------- | ------------------------------- |
-| `WG_HOST`                         | `vpn.example.com` | Host clients will connect to    |
-| `WG_CLIENT_PORT`                  | `51820`           | Port clients will connect to    |
-| `WG_DEFAULT_DNS`                  | `1.1.1.1,8.8.8.8` | Default DNS servers for clients |
-| `WG_DEFAULT_ALLOWED_IPS`          | `0.0.0.0/0,::/0`  | Default allowed IPs for clients |
-| `WG_DEFAULT_MTU`                  | `1420`            | Default MTU for clients         |
-| `WG_DEFAULT_PERSISTENT_KEEPALIVE` | `25`              | Default persistent keepalive    |
-
-### General Settings
-
-| Env                     | Example           | Description               |
-| ----------------------- | ----------------- | ------------------------- |
-| `WG_SESSION_TIMEOUT`    | `3600`            | Session timeout (seconds) |
-| `WG_METRICS_PASSWORD`   | `mypassword123`   | Metrics endpoint password |
-| `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics |
-| `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics       |
-
-### Hooks
-
-| Env            | Example                   | Description           |
-| -------------- | ------------------------- | --------------------- |
-| `WG_PRE_UP`    | `echo "Starting WG"`      | PreUp hook command    |
-| `WG_POST_UP`   | `iptables -A FORWARD ...` | PostUp hook command   |
-| `WG_PRE_DOWN`  | `echo "Stopping WG"`      | PreDown hook command  |
-| `WG_POST_DOWN` | `iptables -D FORWARD ...` | PostDown hook command |
-
-/// warning | Override Behavior
-
-When these override environment variables are set:
-
-- The specified values will be used at runtime instead of database settings
-- You can still update these fields through the Web UI and they will be saved to the database
-- However, the overridden values from environment variables will always take precedence at runtime
-- The Web UI will display the database values with warning indicators showing which fields are overridden
-- On first start, if no database values exist, some overridden values will be saved to the database
-
-Some overrides will not be applied to existing clients until they are manually edited.
-
-- `WG_DEFAULT_*` settings will only apply to new clients
-- `WG_IPV4_CIDR` and `WG_IPV6_CIDR` changes will require clients to be manually edited to take effect
-
-///
-
-/// note | Note on Port Variables
-
-- `WG_PORT` - The port WireGuard listens on (interface port)
-- `WG_CLIENT_PORT` - The port clients connect to (endpoint port, uses `WG_PORT` if not set)
-- `PORT` - The port the Web UI listens on (HTTP server port)
-
-In most cases you will only need to set `WG_PORT` to change the WireGuard port.
-Keep in mind that you have to adjust both sides of the port publish option in your docker setup.
-
-///

docs/content/advanced/config/unattended-setup.md

@@ -11,20 +11,18 @@ These will only be used during the first start of the container. After that, the
 | `INIT_ENABLED`     | `true`                       | Enables the below env vars                                | 0     |
 | `INIT_USERNAME`    | `admin`                      | Sets admin username                                       | 1     |
 | `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                       | 1     |
-| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                              | 2     |
-| `INIT_PORT`        | `51820`                      | Port clients will connect to and WireGuard will listen on | 2     |
-| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                                   | 3     |
-| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                            | 4     |
-| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                            | 4     |
-| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                                   | 5     |
+| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                              | 1     |
+| `INIT_PORT`        | `51820`                      | Port clients will connect to and wireguard will listen on | 1     |
+| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                                   | 2     |
+| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                            | 3     |
+| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                            | 3     |
+| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                                   | 4     |
 
 /// warning | Variables have to be used together
 
 If variables are in the same group, you have to set all of them. For example, if you set `INIT_IPV4_CIDR`, you also have to set `INIT_IPV6_CIDR`.
 
-To skip the setup process, you must configure groups `1` and `2`. You can alternatively use `WG_HOST` and `WG_PORT` to set group `2` without using the `INIT_` variables.
-
-Avoid setting both `INIT_` and `WG_` variables for the same setting to prevent confusion.
+If you want to skip the setup process, you have to configure group `1`
 ///
 
 /// note | Security

docs/content/advanced/migrate/from-14-to-15.md

@@ -7,7 +7,7 @@ This guide will help you migrate from `v14` to version `v15` of `wg-easy`.
 ## Changes
 
 - This is a complete rewrite of the `wg-easy` project, therefore the configuration files and the way you interact with the project have changed.
-- If you use armv6, you unfortunately won't be able to migrate to `v15`.
+- If you use armv6 or armv7, you unfortunately won't be able to migrate to `v15`.
 - If you are connecting to the Web UI via HTTP, you need to set the `INSECURE` environment variable to `true` in the new container.
 
 ## Migration
@@ -51,9 +51,7 @@ In the setup wizard, select that you already have a configuration file and uploa
 
 ### Environment Variables
 
-v15 does use some of the environment variables as v14. View [Configuration Overrides](../config/optional-config.md#configuration-overrides) to see which environment variables are supported in v15.
-
-If you want to be able to change settings through the Web UI, do not set the corresponding environment variables, as they will override the database settings. Instead, manually change the settings through the Web UI after the migration.
+v15 does not use the same environment variables as v14, most of them have been moved to the Admin Panel in the Web UI.
 
 ### Done
 

docs/content/examples/tutorials/auto-updates.md

@@ -20,7 +20,7 @@ File: `/etc/docker/containers/watchtower/docker-compose.yml`
 ```yaml
 services:
     watchtower:
-        image: containrrr/watchtower:latest
+        image: nickfedor/watchtower:latest
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock
         env_file:

docs/content/examples/tutorials/basic-installation.md

@@ -8,7 +8,7 @@ title: Basic Installation
 
 1. You need to have a host that you can manage
 2. You need to have a domain name or a public IP address
-3. You need a supported architecture (x86_64, arm64, armv7)
+3. You need a supported architecture (x86_64, arm64)
 4. You need curl installed on your host
 
 ## Install Docker

docs/content/examples/tutorials/routed.md

@@ -93,3 +93,19 @@ PostDown
 ```shell
 iptables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; ip6tables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT
 ```
+
+/// warning | Important: When using nftables use the following hooks instead.
+
+PostUp
+
+```shell
+nft add chain ip filter WG_EASY; nft add rule ip filter DOCKER-USER jump WG_EASY; nft add rule ip filter WG_EASY iifname {{device}} accept; nft add rule ip filter WG_EASY oifname {{device}} accept; nft add chain ip6 filter WG_EASY; nft add rule ip6 filter DOCKER-USER jump WG_EASY; nft add rule ip6 filter WG_EASY iifname {{device}} accept; nft add rule ip6 filter WG_EASY oifname {{device}} accept;
+```
+
+PostDown
+
+```shell
+nft delete rule ip filter DOCKER-USER handle $(nft -a list chain ip filter DOCKER-USER | awk '/jump WG_EASY/ {print $NF}'); nft flush chain ip filter WG_EASY; nft delete chain ip filter WG_EASY; nft delete rule ip6 filter DOCKER-USER handle $(nft -a list chain ip6 filter DOCKER-USER | awk '/jump WG_EASY/ {print $NF}'); nft flush chain ip6 filter WG_EASY; nft delete chain ip6 filter WG_EASY
+```
+
+///

docs/content/faq.md

@@ -6,6 +6,20 @@ hide:
 
 Here are some frequently asked questions or errors about `wg-easy`. If you have a question that is not answered here, please feel free to open a discussion on GitHub.
 
+## How do I restrict client access to specific networks or servers?
+
+Use the **Per-Client Firewall** feature to enforce server-side restrictions on what each client can access.
+
+**Requirements:** This feature requires `iptables` (and `ip6tables` for IPv6) to be installed on the host system.
+
+1. Enable "Per-Client Firewall" in **Admin Panel → Interface**
+2. Edit a client and configure "Firewall Allowed IPs"
+3. Specify which destinations the client should be allowed to access
+
+Unlike "Allowed IPs" which only controls client-side routing, firewall rules are enforced by the server and cannot be bypassed.
+
+See the [Admin Panel Guide](./guides/admin.md#per-client-firewall) and [Client Guide](./guides/clients.md#firewall-allowed-ips) for detailed configuration.
+
 ## Error: WireGuard exited with the error: Cannot find device "wg0"
 
 This error indicates that the WireGuard interface `wg0` does not exist. This can happen if the WireGuard kernel module is not loaded or if the interface was not created properly.
@@ -95,3 +109,31 @@ To resolve this issue, you can try the following steps:
     ```shell
      echo "ip6table_filter" | sudo tee -a /etc/modules
     ```
+
+## Clients lose connectivity after restarting the container when using multiple networks?
+
+When you attach multiple Docker networks (e.g., `wg` and a reverse proxy network like `traefik` or `nginx`) to the `wg-easy` container, Docker might assign the network interfaces randomly (e.g., swapping `eth0` and `eth1`). Since `wg-easy` expects the wireguard interface to act as `eth0` and configures `POSTROUTING` rules for it, connectivity will break if the interfaces are swapped upon container restart.
+
+To solve this, specify the `interface_name` and `gw_priority` explicitly in your `docker-compose.yml` file to guarantee that the `wg` network always binds to `eth0` and acts as the default gateway.
+
+**Example `docker-compose.yml`:**
+
+```yaml
+services:
+    wg-easy:
+        # ... other configuration ...
+        networks:
+            wg:
+                interface_name: eth0
+                gw_priority: 1
+                ipv4_address: 10.42.42.42
+            nginx:
+                interface_name: eth1
+                gw_priority: 0
+
+networks:
+    wg:
+        # ... wg network config ...
+    nginx:
+        external: true
+```

docs/content/getting-started.md

@@ -12,7 +12,7 @@ Before you can get started with deploying your own VPN, there are some requireme
 
 1. You need to have a host that you can manage
 2. You need to have a domain name or a public IP address
-3. You need a supported architecture (x86_64, arm64, armv7)
+3. You need a supported architecture (x86_64, arm64)
 
 ### Host Setup
 
@@ -45,15 +45,15 @@ All workflows are using the tagging convention listed below. It is subsequently
 | tag           | Type                            | Example                                                       | Description                                                                   |
 | ------------- | ------------------------------- | ------------------------------------------------------------- | ----------------------------------------------------------------------------- |
 | `15`          | latest minor for that major tag | `ghcr.io/wg-easy/wg-easy:15`                                  | latest features for specific major versions, no breaking changes, recommended |
-| `latest`      | latest tag                      | `ghcr.io/wg-easy/wg-easy:latest` or `ghcr.io/wg-easy/wg-easy` | points to latest release, can include breaking changes                        |
 | `15.0`        | latest patch for that minor tag | `ghcr.io/wg-easy/wg-easy:15.0`                                | latest patches for specific minor version                                     |
 | `15.0.0`      | specific tag                    | `ghcr.io/wg-easy/wg-easy:15.0.0`                              | specific release, no updates                                                  |
 | `edge`        | push to `master`                | `ghcr.io/wg-easy/wg-easy:edge`                                | mostly unstable, gets frequent package and code updates                       |
 | `development` | pull requests                   | `ghcr.io/wg-easy/wg-easy:development`                         | used for development, testing code from PRs                                   |
+| `latest`      | latest tag                      | `ghcr.io/wg-easy/wg-easy:latest` or `ghcr.io/wg-easy/wg-easy` | points to the v14 release, should be avoided                                  |
 
 <!-- ref: major version (check links too) -->
 
-When publishing a tag we follow the [Semantic Versioning][semver] specification. The `latest` tag is always pointing to the latest stable release. If you want to avoid breaking changes, use the major version tag (e.g. `15`).
+When publishing a tag we follow the [Semantic Versioning][semver] specification. Pin to the latest major version to avoid breaking changes (e.g. `15`), avoid using the `latest` tag.
 
 [github-ci]: https://github.com/wg-easy/wg-easy/actions
 [ghcr-image]: https://github.com/wg-easy/wg-easy/pkgs/container/wg-easy

docs/content/guides/admin.md

@@ -2,4 +2,42 @@
 title: Admin Panel
 ---
 
-TODO
+## Interface Settings
+
+### Per-Client Firewall
+
+Enable server-side firewall filtering to enforce network access restrictions per client.
+
+When enabled, each client can have custom "Firewall Allowed IPs" configured that restrict which destinations they can access through the VPN. These restrictions are enforced by the server using iptables/ip6tables and cannot be bypassed by the client.
+
+/// warning | Experimental Feature
+
+This feature is currently experimental. While functional, it should be thoroughly tested in your environment before relying on it for production security requirements. Always verify that firewall rules are working as expected using test traffic or by manually inspecting the rules.
+
+///
+
+**Requirements:**
+
+- `iptables` must be installed on the host system
+- `ip6tables` must be installed if IPv6 is enabled (default)
+- The feature cannot be enabled if these tools are not available
+
+/// note
+Most Linux distributions include iptables by default. If you're running in a minimal container environment, you may need to install the `iptables` package on the host system.
+///
+
+**Enable this feature if you want to:**
+
+- Restrict certain clients to only access specific servers or networks
+- Prevent clients from accessing the internet while allowing LAN access
+- Enforce port-based restrictions (e.g., only allow HTTP/HTTPS)
+- Separate routing configuration from security enforcement
+
+**How it works:**
+
+1. Enable "Per-Client Firewall" in Admin Panel → Interface
+2. Edit any client to see the new "Firewall Allowed IPs" field
+3. Specify allowed destinations (IPs, subnets, ports) for that client
+4. Server enforces these rules automatically
+
+See [Edit Client → Firewall Allowed IPs](./clients.md#firewall-allowed-ips) for detailed configuration syntax and examples.

docs/content/guides/cli.md

@@ -41,3 +41,31 @@ docker compose exec -it wg-easy cli db:admin:reset --password <new_password>
 ```
 
 This will reset the password for the admin user to the new password you provided. If you include special characters in the password, make sure to escape them properly.
+
+### Show Clients
+
+List all clients that are currently configured with details such as client ID, Name, Public Key, and enabled status.
+
+```shell
+cli clients:list
+```
+
+### Show Client QR Code
+
+Display the QR code for a specific client, which can be scanned by a compatible app to import the client's configuration.
+
+```shell
+cli clients:qr <client_id>
+```
+
+Replace `<client_id>` with the actual client ID you want to show the QR code for.
+
+/// warning | IPv6 Support
+
+IPv6 support is enabled by default, even if you disabled it using environment variables. To disable it pass the `--no-ipv6` flag when running the CLI.
+
+```shell
+cli clients:qr <client_id> --no-ipv6
+```
+
+///

docs/content/guides/clients.md

@@ -19,7 +19,58 @@ Which IPs will be routed through the VPN.
 
 This will not prevent the user from modifying it locally and accessing IP ranges that they should not be able to access.
 
-Use firewall rules to prevent access to IP ranges that the user should not be able to access.
+Use the Firewall Allowed IPs feature to prevent access to IP ranges that the user should not be able to access.
+
+## Firewall Allowed IPs
+
+/// note | Attention
+
+This field only appears when **Per-Client Firewall** is enabled in the Admin Panel → Interface settings.
+
+///
+
+Server-side firewall rules that restrict which destinations the client can access, regardless of their local configuration.
+
+Unlike "Allowed IPs" which only controls routing on the client side, these rules are enforced by the server using iptables/ip6tables and cannot be bypassed by the client.
+
+**Supported Formats:**
+
+- `10.10.0.3`, `2001:db8::1` - Allow access to a single IP address
+- `10.10.0.0/24`, `2001:db8::/32` - Allow access to an entire subnet
+- `192.168.1.5:443` - Allow access to specific port (TCP+UDP)
+- `192.168.1.5:443/tcp` - Allow access to specific port (TCP only)
+- `192.168.1.5:443/udp` - Allow access to specific port (UDP only)
+- `10.10.0.0/24:443` - Allow access to an entire subnet on a specific port (TCP+UDP)
+- `10.10.0.0/24:443/tcp` - Allow access to an entire subnet on a specific port (TCP only)
+- `10.10.0.0/24:443/udp` - Allow access to an entire subnet on a specific port (UDP only)
+- `[2001:db8::1]:443` - IPv6 address with port (brackets required)
+- `[2001:db8::/32]:443/tcp` - IPv6 CIDR with port and protocol
+
+/// warning | Invalid Formats
+
+Protocol specifiers (`/tcp` or `/udp`) require a port number. The following formats are **not supported** and will result in an error:
+
+- `10.10.0.3/tcp` (use `10.10.0.3:443/tcp` instead)
+- `10.10.0.0/24/udp` (use `10.10.0.0/24:53/udp` instead)
+
+///
+
+**Behavior:**
+
+- **Empty**: Falls back to the client's "Allowed IPs" setting
+- **Specified**: Only listed destinations are accessible (allow-only, everything else is blocked)
+- **Disable for specific client**: To disable firewall filtering for a single client while keeping it enabled for others, add `0.0.0.0/0, ::/0` to allow all traffic
+
+/// note
+To allow clients to reach the VPN server itself (e.g. for DNS), include the server's VPN address in the firewall allowed IPs.
+///
+
+**Use Case Examples**:
+
+- Allow only specific servers: `10.10.0.5`
+- Allow only internal network: `10.10.0.0/24, 192.168.1.0/24`
+- Allow only web browsing: `0.0.0.0/0:80, 0.0.0.0/0:443, [::/0]:80, [::/0]:443`
+- Block internet, allow LAN: Leave "Allowed IPs" as `0.0.0.0/0, ::/0` but set Firewall IPs to `10.0.0.0/8, 192.168.0.0/16`
 
 ## Server Allowed IPs
 

docs/content/index.md

@@ -8,7 +8,7 @@ hide:
 
 /// info | This Documentation is Versioned
 
-**Make sure** to select the correct version of this documentation! It should match the version of the image you are using. The default version corresponds to the `:latest` image tag - [the most recent stable release][docs-tagging].
+**Make sure** to select the correct version of this documentation! It should match the version of the image you are using. The default version corresponds to [the most recent stable release][docs-tagging].
 ///
 
 This documentation provides you not only with the basic setup and configuration of `wg-easy` but also with advanced configuration, elaborate usage scenarios, detailed examples, hints and more.

package.json

@@ -7,10 +7,11 @@
     "build": "docker build -t wg-easy .",
     "docs:preview": "docker run --rm -it -p 8080:8080 -v ./docs:/docs squidfunk/mkdocs-material serve -a 0.0.0.0:8080",
     "scripts:version": "bash scripts/version.sh",
+    "scripts:i18n": "bash scripts/i18n.sh",
     "format:check:docs": "prettier --check docs"
   },
   "devDependencies": {
-    "prettier": "^3.6.2"
+    "prettier": "^3.8.3"
   },
-  "packageManager": "pnpm@10.21.0"
+  "packageManager": "pnpm@11.5.0"
 }

pnpm-lock.yaml

@@ -9,16 +9,16 @@ importers:
   .:
     devDependencies:
       prettier:
-        specifier: ^3.6.2
-        version: 3.6.2
+        specifier: ^3.8.3
+        version: 3.8.3
 
 packages:
 
-  prettier@3.6.2:
-    resolution: {integrity: sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==}
+  prettier@3.8.3:
+    resolution: {integrity: sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==}
     engines: {node: '>=14'}
     hasBin: true
 
 snapshots:
 
-  prettier@3.6.2: {}
+  prettier@3.8.3: {}

scripts/version.sh

@@ -30,6 +30,7 @@ echo "Updated package.json to version $new_version"
 
 echo "----"
 echo "If you changed the major version, remember to update the docker-compose.yml file and docs (search for: ref: major version)"
+echo "Make sure to stage any changes before proceeding (e.g. Changelog updates)."
 echo "----"
 
 echo "If you did everything press 'y' to commit the changes and create a new tag"

src/.gitignore

@@ -23,4 +23,6 @@ logs
 .env.*
 !.env.example
 
+coverage/
+
 wg-easy.db

src/.nuxtrc

@@ -0,0 +1 @@
+setups.@nuxt/test-utils="4.0.3"

src/app/app.css

@@ -0,0 +1,7 @@
+:root {
+  color-scheme: light;
+}
+
+.dark {
+  color-scheme: dark;
+}

src/app/components/Base/CodeBlock.vue

@@ -0,0 +1,29 @@
+<template>
+  <div class="overflow-x-auto rounded border-2 border-red-800 py-2">
+    <pre
+      class="mx-2 inline-block"
+      @click="selectCode"
+    ><code ref="codeBlock">{{ code }}</code></pre>
+  </div>
+</template>
+
+<script setup lang="ts">
+defineProps<{
+  code: string;
+}>();
+
+const codeBlock = useTemplateRef('codeBlock');
+
+function selectCode() {
+  // TODO: keyboard support?
+  if (codeBlock.value) {
+    const range = document.createRange();
+    range.selectNodeContents(codeBlock.value);
+    const sel = window.getSelection();
+    if (sel) {
+      sel.removeAllRanges();
+      sel.addRange(range);
+    }
+  }
+}
+</script>

src/app/components/Base/Dialog.vue

@@ -18,7 +18,7 @@
         >
           <slot name="description" />
         </DialogDescription>
-        <div class="mt-6 flex justify-end gap-2">
+        <div class="mt-6 flex flex-wrap justify-end gap-2">
           <slot name="actions" />
         </div>
       </DialogContent>

src/app/components/Base/TextArea.vue

@@ -0,0 +1,10 @@
+<template>
+  <textarea
+    v-model="data"
+    class="rounded-lg border-2 border-gray-100 text-gray-500 focus:border-red-800 focus:outline-0 focus:ring-0 dark:border-neutral-800 dark:bg-neutral-700 dark:text-neutral-200 dark:placeholder:text-neutral-400"
+  />
+</template>
+
+<script lang="ts" setup>
+const data = defineModel<string>();
+</script>

src/app/components/ClientCard/Charts.vue

@@ -16,7 +16,7 @@
 </template>
 
 <script setup lang="ts">
-import type { ApexOptions } from 'apexcharts';
+import type { ApexChart, ApexOptions } from 'apexcharts';
 
 defineProps<{
   client: LocalClient;

src/app/components/ClientCard/ClientCard.vue

@@ -1,7 +1,7 @@
 <template>
   <ClientCardCharts :client="client" />
   <div
-    class="relative z-10 flex flex-col justify-between gap-3 px-3 py-3 sm:flex-row md:py-5"
+    class="relative flex flex-col justify-between gap-3 px-3 py-3 sm:flex-row md:py-5"
   >
     <div class="flex w-full items-center gap-3 md:gap-4">
       <ClientCardAvatar :client="client" />
@@ -9,7 +9,7 @@
         <div class="flex flex-grow flex-col gap-1">
           <ClientCardName :client="client" />
           <div
-            class="flex flex-col pb-1 text-xs text-gray-500 md:inline-block md:pb-0 dark:text-neutral-400"
+            class="flex flex-col text-xs text-gray-500 dark:text-neutral-400"
           >
             <div>
               <ClientCardAddress :client="client" />

src/app/components/ClientCard/ExpireDate.vue

@@ -1,7 +1,5 @@
 <template>
-  <div
-    class="block pb-1 text-xs text-gray-500 md:inline-block md:pb-0 dark:text-neutral-400"
-  >
+  <div class="block text-xs text-gray-500 dark:text-neutral-400">
     <span class="inline-block">{{ expiredDateFormat(client.expiresAt) }}</span>
   </div>
 </template>

src/app/components/ClientCard/Name.vue

@@ -1,11 +1,9 @@
 <template>
   <div
-    class="text-sm text-gray-700 md:text-base dark:text-neutral-200"
+    class="break-all text-sm text-gray-700 md:text-base dark:text-neutral-200"
     :title="$t('client.createdOn') + $d(new Date(client.createdAt))"
   >
-    <span class="border-b-2 border-t-2 border-transparent">
-      {{ client.name }}
-    </span>
+    {{ client.name }}
   </div>
 </template>
 

src/app/components/ClientCard/OneTimeLinkBtn.vue

@@ -14,10 +14,11 @@ const props = defineProps<{ client: LocalClient }>();
 const clientsStore = useClientsStore();
 
 const _showOneTimeLink = useSubmit(
-  `/api/client/${props.client.id}/generateOneTimeLink`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/client/${props.client.id}/generateOneTimeLink`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async () => {
       await clientsStore.refresh();

src/app/components/ClientCard/Switch.vue

@@ -18,10 +18,11 @@ const enabled = ref(props.client.enabled);
 const clientsStore = useClientsStore();
 
 const _disableClient = useSubmit(
-  `/api/client/${props.client.id}/disable`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/client/${props.client.id}/disable`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async () => {
       await clientsStore.refresh();
@@ -31,10 +32,11 @@ const _disableClient = useSubmit(
 );
 
 const _enableClient = useSubmit(
-  `/api/client/${props.client.id}/enable`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/client/${props.client.id}/enable`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async () => {
       await clientsStore.refresh();

src/app/components/Clients/ConfigDialog.vue

@@ -0,0 +1,74 @@
+<template>
+  <BaseDialog :trigger-class="triggerClass">
+    <template #trigger>
+      <slot />
+    </template>
+    <template #title>
+      {{ $t('client.config') }}
+    </template>
+    <template #description>
+      <div v-if="status === 'success'">
+        <BaseCodeBlock :code="config ?? ''" />
+      </div>
+      <div v-else>
+        <span>{{ $t('general.loading') }}</span>
+      </div>
+    </template>
+    <template #actions>
+      <DialogClose as-child>
+        <BaseSecondaryButton>{{ $t('dialog.cancel') }}</BaseSecondaryButton>
+      </DialogClose>
+      <DialogClose as-child>
+        <BasePrimaryButton @click="copyCode">
+          {{ $t('copy.copy') }}
+        </BasePrimaryButton>
+      </DialogClose>
+    </template>
+  </BaseDialog>
+</template>
+
+<script setup lang="ts">
+const props = defineProps<{ triggerClass?: string; clientId: number }>();
+
+const toast = useToast();
+const { copied, copy, isSupported } = useClipboard({
+  // fallback does not work
+  legacy: false,
+});
+
+const { data: config, status } = useFetch(
+  `/api/client/${props.clientId}/configuration`,
+  {
+    responseType: 'text',
+    server: false,
+  }
+);
+
+async function copyCode() {
+  if (status.value !== 'success') {
+    return;
+  }
+
+  if (!isSupported.value) {
+    toast.showToast({
+      type: 'error',
+      message: $t('copy.notSupported'),
+    });
+    return;
+  }
+
+  await copy(config.value ?? '');
+
+  if (copied.value) {
+    toast.showToast({
+      type: 'success',
+      message: $t('copy.copied'),
+    });
+  } else {
+    toast.showToast({
+      type: 'error',
+      message: $t('copy.failed'),
+    });
+  }
+}
+</script>

src/app/components/Clients/CreateDialog.vue

@@ -43,10 +43,11 @@ function createClient() {
 }
 
 const _createClient = useSubmit(
-  '/api/client',
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch('/api/client', {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: () => clientsStore.refresh(),
     successMsg: t('client.created'),

src/app/components/Clients/Empty.vue

@@ -3,7 +3,7 @@
     {{ $t('client.empty') }}<br /><br />
     <ClientsCreateDialog>
       <BaseSecondaryButton as="span">
-        <IconsPlus class="w-4 md:mr-2" />
+        <IconsPlus class="mr-2 w-4" />
         <span class="text-sm">{{ $t('client.new') }}</span>
       </BaseSecondaryButton>
     </ClientsCreateDialog>

src/app/components/Clients/New.vue

@@ -1,8 +1,8 @@
 <template>
   <ClientsCreateDialog>
     <BaseSecondaryButton as="span">
-      <IconsPlus class="w-4 md:mr-2" />
-      <span class="text-sm max-md:hidden">{{ $t('client.newShort') }}</span>
+      <IconsPlus class="mr-2 w-4" />
+      <span class="text-sm">{{ $t('client.newShort') }}</span>
     </BaseSecondaryButton>
   </ClientsCreateDialog>
 </template>

src/app/components/Clients/QRCodeDialog.vue

@@ -5,11 +5,25 @@
     </template>
     <template #description>
       <div class="bg-white">
-        <img :src="qrCode" />
+        <img ref="img" :src="qrCode" />
       </div>
     </template>
     <template #actions>
-      <DialogClose>
+      <BaseSecondaryButton
+        class="flex items-center gap-2"
+        :title="$t('client.copyPng')"
+        @click="copyPng"
+      >
+        <IconsCopy class="size-5" /> PNG
+      </BaseSecondaryButton>
+      <BaseSecondaryButton
+        class="flex items-center gap-2"
+        :title="$t('client.downloadPng')"
+        @click="downloadPng"
+      >
+        <IconsDownload class="size-5" /> PNG
+      </BaseSecondaryButton>
+      <DialogClose as-child>
         <BaseSecondaryButton>{{ $t('dialog.cancel') }}</BaseSecondaryButton>
       </DialogClose>
     </template>
@@ -18,4 +32,87 @@
 
 <script setup lang="ts">
 defineProps<{ qrCode: string }>();
+
+const toast = useToast();
+const img = useTemplateRef('img');
+
+async function svgToPng() {
+  if (!img.value || !img.value.complete || img.value.naturalWidth === 0) {
+    throw new Error('image is not loaded');
+  }
+
+  const width = 1000;
+  const height = 1000;
+
+  const canvas = document.createElement('canvas');
+  canvas.width = width;
+  canvas.height = height;
+  const ctx = canvas.getContext('2d');
+  if (!ctx) {
+    throw new Error('was not able to create 2d context');
+  }
+  ctx.drawImage(img.value!, 0, 0, width, height);
+
+  return new Promise<Blob>((res, rej) => {
+    canvas.toBlob((blob) => {
+      if (!blob) {
+        return rej(new Error('was not able to create blob'));
+      }
+      return res(blob);
+    }, 'image/png');
+  });
+}
+
+async function downloadPng() {
+  try {
+    const blob = await svgToPng();
+
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = 'client-config.png';
+    document.body.appendChild(a);
+    a.click();
+    document.body.removeChild(a);
+    URL.revokeObjectURL(url);
+  } catch (e) {
+    console.error('failed to download png', e);
+    toast.showToast({
+      type: 'error',
+      message: $t('toast.unknown'),
+    });
+  }
+}
+
+async function copyPng() {
+  const blob = await svgToPng().catch((e) => {
+    console.error('failed to convert svg to png', e);
+    toast.showToast({
+      type: 'error',
+      message: $t('toast.unknown'),
+    });
+  });
+  if (!blob) {
+    return;
+  }
+
+  try {
+    await navigator.clipboard.write([
+      new ClipboardItem({
+        [blob.type]: blob,
+      }),
+    ]);
+
+    toast.showToast({
+      type: 'success',
+      message: $t('copy.copied'),
+    });
+  } catch (e) {
+    console.error('failed to copy png', e);
+    toast.showToast({
+      type: 'error',
+      message: $t('copy.failed'),
+    });
+  }
+}
 </script>

src/app/components/Clients/Search.vue

@@ -1,14 +1,14 @@
 <template>
-  <div class="relative w-60 md:mr-2">
+  <div class="relative">
     <div class="relative flex h-full items-center">
-      <MagnifyingGlassIcon
+      <IconsMagnifyingGlass
         class="absolute left-2.5 h-4 w-4 text-gray-400 dark:text-neutral-500"
       />
       <input
         v-model="searchQuery"
         type="text"
         :placeholder="$t('client.search')"
-        class="w-full rounded bg-white py-2 pr-8 text-sm text-gray-900 shadow-sm ring-1 ring-gray-300 transition-all placeholder:text-gray-400 focus:border-transparent focus:outline-none focus:ring-2 focus:ring-red-600 dark:bg-neutral-800 dark:text-white dark:ring-neutral-700 dark:placeholder:text-neutral-500 dark:focus:ring-red-700"
+        class="w-full rounded bg-white px-8 py-2 text-sm text-gray-900 shadow-sm ring-1 ring-gray-300 transition-all placeholder:text-gray-400 focus:border-transparent focus:outline-none focus:ring-2 focus:ring-red-600 dark:bg-neutral-800 dark:text-white dark:ring-neutral-700 dark:placeholder:text-neutral-500 dark:focus:ring-red-700"
         @input="updateSearch"
       />
       <button

src/app/components/Clients/Sort.vue

@@ -1,11 +1,8 @@
 <template>
   <BasePrimaryButton @click="toggleSort">
-    <IconsArrowDown
-      v-if="globalStore.sortClient === true"
-      class="w-4 md:mr-2"
-    />
-    <IconsArrowUp v-else class="w-4 md:mr-2" />
-    <span class="text-sm max-md:hidden"> {{ $t('client.sort') }}</span>
+    <IconsArrowDown v-if="globalStore.sortClient === true" class="mr-2 w-4" />
+    <IconsArrowUp v-else class="mr-2 w-4" />
+    <span class="text-sm">{{ $t('client.sort') }}</span>
   </BasePrimaryButton>
 </template>
 

src/app/components/Form/ArrayField.vue

@@ -1,12 +1,5 @@
 <template>
   <div class="flex flex-col gap-2">
-    <div
-      v-if="overridden"
-      class="flex w-fit items-center gap-2 rounded-lg bg-amber-50 p-2 text-sm text-amber-700 dark:bg-amber-900/20 dark:text-amber-400"
-    >
-      <IconsWarning class="size-4" />
-      <span>This field is overridden by an environment variable</span>
-    </div>
     <div v-if="data?.length === 0">
       {{ emptyText || $t('form.noItems') }}
     </div>
@@ -19,34 +12,22 @@
           class="rounded-lg border-2 border-gray-100 text-gray-500 focus:border-red-800 focus:outline-0 focus:ring-0 dark:border-neutral-800 dark:bg-neutral-700 dark:text-neutral-200 dark:placeholder:text-neutral-400"
           @input="update($event, i)"
         />
-        <BaseSecondaryButton
-          as="input"
-          type="button"
-          class="rounded-lg"
-          value="-"
-          @click="del(i)"
-        />
+        <BaseSecondaryButton type="button" class="rounded-lg" @click="del(i)">
+          {{ '-' }}
+        </BaseSecondaryButton>
       </div>
     </div>
     <div class="mt-2">
-      <BasePrimaryButton
-        as="input"
-        type="button"
-        class="rounded-lg"
-        :value="$t('form.add')"
-        @click="add"
-      />
+      <BasePrimaryButton type="button" class="rounded-lg" @click="add">
+        {{ $t('form.add') }}
+      </BasePrimaryButton>
     </div>
   </div>
 </template>
 
 <script lang="ts" setup>
 const data = defineModel<string[]>();
-defineProps<{
-  emptyText?: string[];
-  name: string;
-  overridden?: boolean;
-}>();
+defineProps<{ emptyText?: string[]; name: string }>();
 
 function update(e: Event, i: number) {
   const v = (e.target as HTMLInputElement).value;

src/app/components/Form/Heading.vue

@@ -1,10 +1,10 @@
 <template>
-  <h4 class="col-span-full flex items-center py-6 text-2xl">
+  <h3 class="col-span-full flex items-center py-6 text-2xl">
     <slot />
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-  </h4>
+  </h3>
 </template>
 
 <script lang="ts" setup>

src/app/components/Form/HostField.vue

@@ -6,12 +6,6 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip
-      v-if="overridden"
-      text="This field is overridden by an environment variable"
-    >
-      <IconsWarning class="size-4 text-amber-500" />
-    </BaseTooltip>
   </div>
   <div class="flex gap-1">
     <BaseInput
@@ -44,7 +38,6 @@ defineProps<{
   description?: string;
   placeholder?: string;
   url: '/api/admin/ip-info' | '/api/setup/4';
-  overridden?: boolean;
 }>();
 
 const data = defineModel<string | null>({

src/app/components/Form/Label.vue

@@ -1,7 +1,7 @@
 <template>
-  <RLabel :for="props.for" class="md:align-middle md:leading-10"
-    ><slot
-  /></RLabel>
+  <RLabel :for="props.for" class="md:leading-[2.75rem]">
+    <slot />
+  </RLabel>
 </template>
 
 <script lang="ts" setup>

src/app/components/Form/NullArrayField.vue

@@ -12,23 +12,15 @@
           class="rounded-lg border-2 border-gray-100 text-gray-500 focus:border-red-800 focus:outline-0 focus:ring-0 dark:border-neutral-800 dark:bg-neutral-700 dark:text-neutral-200 dark:placeholder:text-neutral-400"
           @input="update($event, i)"
         />
-        <BaseSecondaryButton
-          as="input"
-          type="button"
-          class="rounded-lg"
-          value="-"
-          @click="del(i)"
-        />
+        <BaseSecondaryButton type="button" class="rounded-lg" @click="del(i)">
+          {{ '-' }}
+        </BaseSecondaryButton>
       </div>
     </div>
     <div class="mt-2">
-      <BasePrimaryButton
-        as="input"
-        type="button"
-        class="rounded-lg"
-        :value="$t('form.add')"
-        @click="add"
-      />
+      <BasePrimaryButton type="button" class="rounded-lg" @click="add">
+        {{ $t('form.add') }}
+      </BasePrimaryButton>
     </div>
   </div>
 </template>

src/app/components/Form/NullTextField.vue

@@ -6,12 +6,6 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip
-      v-if="overridden"
-      text="This field is overridden by an environment variable"
-    >
-      <IconsWarning class="size-4 text-amber-500" />
-    </BaseTooltip>
   </div>
   <BaseInput
     :id="id"
@@ -30,7 +24,6 @@ defineProps<{
   description?: string;
   autocomplete?: string;
   placeholder?: string;
-  overridden?: boolean;
 }>();
 
 const data = defineModel<string | null>({

src/app/components/Form/NumberField.vue

@@ -6,23 +6,12 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip
-      v-if="overridden"
-      text="This field is overridden by an environment variable"
-    >
-      <IconsWarning class="size-4 text-amber-500" />
-    </BaseTooltip>
   </div>
   <BaseInput :id="id" v-model.number="data" :name="id" type="number" />
 </template>
 
 <script lang="ts" setup>
-defineProps<{
-  id: string;
-  label: string;
-  description?: string;
-  overridden?: boolean;
-}>();
+defineProps<{ id: string; label: string; description?: string }>();
 
 const data = defineModel<number>();
 </script>

src/app/components/Form/SwitchField.vue

@@ -6,22 +6,13 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip
-      v-if="overridden"
-      text="This field is overridden by an environment variable"
-    >
-      <IconsWarning class="size-4 text-amber-500" />
-    </BaseTooltip>
   </div>
-  <BaseSwitch :id="id" v-model="data" />
+  <div class="my-auto">
+    <BaseSwitch :id="id" v-model="data" />
+  </div>
 </template>
 
 <script lang="ts" setup>
-defineProps<{
-  id: string;
-  label: string;
-  description?: string;
-  overridden?: boolean;
-}>();
+defineProps<{ id: string; label: string; description?: string }>();
 const data = defineModel<boolean>();
 </script>

src/app/components/Form/TextArea.vue

@@ -0,0 +1,29 @@
+<template>
+  <div class="flex items-center">
+    <FormLabel :for="id">
+      {{ label }}
+    </FormLabel>
+    <BaseTooltip v-if="description" :text="description">
+      <IconsInfo class="size-4" />
+    </BaseTooltip>
+  </div>
+  <BaseTextArea
+    :id="id"
+    v-model.trim="data"
+    :name="id"
+    :autocomplete="autocomplete"
+    :disabled="disabled"
+  />
+</template>
+
+<script lang="ts" setup>
+defineProps<{
+  id: string;
+  label: string;
+  description?: string;
+  autocomplete?: string;
+  disabled?: boolean;
+}>();
+
+const data = defineModel<string>();
+</script>

src/app/components/Form/TextField.vue

@@ -6,12 +6,6 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip
-      v-if="overridden"
-      text="This field is overridden by an environment variable"
-    >
-      <IconsWarning class="size-4 text-amber-500" />
-    </BaseTooltip>
   </div>
   <BaseInput
     :id="id"
@@ -30,7 +24,6 @@ defineProps<{
   description?: string;
   autocomplete?: string;
   disabled?: boolean;
-  overridden?: boolean;
 }>();
 
 const data = defineModel<string>();

src/app/components/Header/ChartToggle.vue

@@ -1,12 +1,12 @@
 <template>
   <Toggle
     :pressed="globalStore.uiShowCharts"
-    class="group inline-flex h-8 w-8 cursor-pointer items-center justify-center whitespace-nowrap rounded-full bg-gray-200 transition hover:bg-gray-300 dark:bg-neutral-700 dark:hover:bg-neutral-600"
+    class="group flex h-8 w-8 items-center justify-center rounded-full bg-gray-200 transition hover:bg-gray-300 dark:bg-neutral-700 dark:hover:bg-neutral-600"
     :title="$t('layout.toggleCharts')"
     @update:pressed="globalStore.toggleCharts"
   >
     <IconsChart
-      class="h-5 w-5 fill-gray-400 transition group-data-[state=on]:fill-gray-600 dark:fill-neutral-600 dark:group-data-[state=on]:fill-neutral-400"
+      class="h-5 w-5 transition group-data-[state=on]:fill-gray-600 dark:text-neutral-400 dark:group-data-[state=on]:fill-gray-300"
     />
   </Toggle>
 </template>

src/app/components/Header/Logo.vue

@@ -1,5 +1,5 @@
 <template>
-  <NuxtLink to="/" class="mb-4">
+  <NuxtLink to="/" class="max-sm:mb-4">
     <h1 class="text-4xl font-medium dark:text-neutral-200">
       <img
         src="/logo.png"

src/app/components/Header/Update.vue

@@ -5,7 +5,7 @@
       authStore.userData &&
       hasPermissions(authStore.userData, 'admin', 'any')
     "
-    class="font-small mb-10 rounded-md bg-red-800 p-4 text-sm text-white shadow-lg dark:bg-red-100 dark:text-red-600"
+    class="font-small rounded-md bg-red-800 p-4 text-sm text-white shadow-lg dark:bg-red-100 dark:text-red-600"
     :title="`v${globalStore.information.currentRelease} → v${globalStore.information.latestRelease.version}`"
   >
     <div class="container mx-auto flex flex-auto flex-row items-center">

src/app/components/Icons/Copy.vue

@@ -0,0 +1,7 @@
+<template>
+  <ClipboardDocumentIcon />
+</template>
+
+<script lang="ts" setup>
+import ClipboardDocumentIcon from '@heroicons/vue/24/outline/esm/ClipboardDocumentIcon';
+</script>

src/app/components/Icons/MagnifyingGlass.vue

@@ -0,0 +1,7 @@
+<template>
+  <MagnifyingGlassIcon />
+</template>
+
+<script lang="ts" setup>
+import MagnifyingGlassIcon from '@heroicons/vue/24/outline/esm/MagnifyingGlassIcon';
+</script>

src/app/components/Panel/Panel.vue

@@ -1,7 +1,9 @@
 <template>
-  <div
-    class="container mx-auto max-w-3xl overflow-hidden rounded-lg bg-white px-3 text-gray-700 shadow-md md:px-0 dark:bg-neutral-700 dark:text-neutral-200"
-  >
-    <slot />
+  <div class="container mx-auto max-w-3xl">
+    <div
+      class="mx-3 overflow-hidden rounded-lg bg-white text-gray-700 shadow-md dark:bg-neutral-700 dark:text-neutral-200"
+    >
+      <slot />
+    </div>
   </div>
 </template>

src/app/components/Panel/head/Boat.vue

@@ -1,5 +1,5 @@
 <template>
-  <div class="flex flex-shrink-0 items-center space-x-2">
+  <div class="flex flex-shrink-0 flex-col items-center gap-2 sm:flex-row">
     <slot />
   </div>
 </template>

src/app/components/Panel/head/Head.vue

@@ -1,6 +1,6 @@
 <template>
   <div
-    class="flex flex-auto flex-grow flex-row items-center border-b-2 border-gray-100 p-3 px-5 dark:border-neutral-600"
+    class="flex flex-col items-center gap-2 border-b-2 border-gray-100 p-3 px-5 sm:flex-row dark:border-neutral-600"
   >
     <slot />
   </div>

src/app/components/Panel/head/Title.vue

@@ -1,11 +1,5 @@
 <template>
-  <h2 class="flex-1 text-2xl font-medium">
-    {{ text }}
+  <h2 class="flex-1 break-all text-2xl font-medium">
+    <slot />
   </h2>
 </template>
-
-<script setup lang="ts">
-const { text } = defineProps<{
-  text: string;
-}>();
-</script>

src/app/components/Ui/Footer.vue

@@ -7,7 +7,7 @@
         href="https://github.com/wg-easy/wg-easy"
         >WireGuard Easy</a
       >
-      ({{ globalStore.information?.currentRelease }}) © 2021-2025 by
+      ({{ globalStore.information?.currentRelease }}) © 2021-2026 by
       <a
         class="hover:underline"
         target="_blank"

src/app/components/Ui/UserMenu.vue

@@ -70,10 +70,11 @@ const authStore = useAuthStore();
 const toggleState = ref(false);
 
 const _submit = useSubmit(
-  '/api/session',
-  {
-    method: 'delete',
-  },
+  (data) =>
+    $fetch('/api/session', {
+      method: 'delete',
+      body: data,
+    }),
   {
     revert: async () => {
       await navigateTo('/login');

src/app/composables/useSubmit.ts

@@ -1,49 +1,24 @@
-import type {
-  NitroFetchRequest,
-  NitroFetchOptions,
-  TypedInternalResponse,
-  ExtractedRouteMethod,
-} from 'nitropack/types';
 import { FetchError } from 'ofetch';
 
-type RevertFn<
-  R extends NitroFetchRequest,
-  T = unknown,
-  O extends NitroFetchOptions<R> = NitroFetchOptions<R>,
-> = (
-  success: boolean,
-  data:
-    | TypedInternalResponse<
-        R,
-        T,
-        NitroFetchOptions<R> extends O ? 'get' : ExtractedRouteMethod<R, O>
-      >
-    | undefined
-) => Promise<void>;
+type RevertFn<T> = (success: boolean, data: T | undefined) => Promise<void>;
 
-type SubmitOpts<
-  R extends NitroFetchRequest,
-  T = unknown,
-  O extends NitroFetchOptions<R> = NitroFetchOptions<R>,
-> = {
-  revert: RevertFn<R, T, O>;
+type SubmitOpts<T> = {
+  revert: RevertFn<T>;
   successMsg?: string;
   noSuccessToast?: boolean;
 };
 
-export function useSubmit<
-  R extends NitroFetchRequest,
-  O extends NitroFetchOptions<R> & { body?: never },
-  T = unknown,
->(url: R, options: O, opts: SubmitOpts<R, T, O>) {
+type Body = Record<string, unknown> | null | undefined;
+
+export function useSubmit<T>(
+  fetcher: (data: Body) => Promise<T>,
+  opts: SubmitOpts<T>
+) {
   const toast = useToast();
 
-  return async (data: unknown) => {
+  return async (data: Body) => {
     try {
-      const res = await $fetch(url, {
-        ...options,
-        body: data,
-      });
+      const res = await fetcher(data);
 
       if (!opts.noSuccessToast) {
         toast.showToast({

src/app/layouts/default.vue

@@ -1,6 +1,8 @@
 <template>
   <div>
-    <header class="mx-auto mt-4 flex max-w-3xl flex-col justify-center">
+    <header
+      class="mx-auto my-4 flex max-w-3xl flex-col justify-center max-md:px-3"
+    >
       <div
         class="mb-5 w-full"
         :class="
@@ -17,7 +19,7 @@
           <UiUserMenu v-if="loggedIn" />
         </div>
       </div>
-      <HeaderUpdate class="mt-4" />
+      <HeaderUpdate class="my-4" />
     </header>
     <slot />
     <UiFooter />

src/app/middleware/auth.global.ts

@@ -4,25 +4,27 @@ export default defineNuxtRouteMiddleware(async (to) => {
     return;
   }
 
+  const event = useRequestEvent();
+
   const authStore = useAuthStore();
-  const userData = await authStore.getSession();
+  authStore.userData = await authStore.getSession(event);
 
   // skip login if already logged in
   if (to.path === '/login') {
-    if (userData?.username) {
+    if (authStore.userData?.username) {
       return navigateTo('/', { redirectCode: 302 });
     }
     return;
   }
 
   // Require auth for every page other than Login
-  if (!userData?.username) {
+  if (!authStore.userData?.username) {
     return navigateTo('/login', { redirectCode: 302 });
   }
 
   // Check for admin access
   if (to.path.startsWith('/admin')) {
-    if (!hasPermissions(userData, 'admin', 'any')) {
+    if (!hasPermissions(authStore.userData, 'admin', 'any')) {
       return abortNavigation('Not allowed to access Admin Panel');
     }
   }

src/app/pages/admin.vue

@@ -2,34 +2,47 @@
   <div>
     <div class="container mx-auto p-4">
       <div class="flex flex-col gap-4 lg:flex-row">
-        <div class="rounded-lg bg-white p-4 lg:w-64 dark:bg-neutral-700">
-          <NuxtLink to="/admin">
-            <h2 class="mb-4 text-xl font-bold dark:text-neutral-200">
-              {{ t('pages.admin.panel') }}
-            </h2>
-          </NuxtLink>
-          <div class="flex flex-col space-y-2">
-            <NuxtLink
-              v-for="(item, index) in menuItems"
-              :key="index"
-              :to="`/admin/${item.id}`"
-              active-class="bg-red-800 rounded"
-            >
-              <BaseSecondaryButton
-                as="span"
-                class="w-full cursor-pointer rounded p-2 font-medium transition-colors duration-200 hover:bg-red-800 dark:text-neutral-200"
+        <div
+          class="overflow-hidden rounded-lg bg-white text-gray-700 shadow-md lg:w-64 dark:bg-neutral-700 dark:text-neutral-200"
+        >
+          <PanelHead>
+            <PanelHeadTitle>
+              <NuxtLink to="/admin">
+                {{ t('pages.admin.panel') }}
+              </NuxtLink>
+            </PanelHeadTitle>
+          </PanelHead>
+          <PanelBody>
+            <nav class="flex flex-col gap-2">
+              <NuxtLink
+                v-for="(item, index) in menuItems"
+                :key="index"
+                :to="`/admin/${item.id}`"
+                class="group rounded"
+                active-class="bg-red-800 active"
               >
-                {{ item.name }}
-              </BaseSecondaryButton>
-            </NuxtLink>
-          </div>
+                <BaseSecondaryButton
+                  as="span"
+                  class="w-full font-medium group-[.active]:text-white"
+                >
+                  {{ item.name }}
+                </BaseSecondaryButton>
+              </NuxtLink>
+            </nav>
+          </PanelBody>
         </div>
 
         <div
-          class="flex-1 rounded-lg bg-white p-6 dark:bg-neutral-700 dark:text-neutral-200"
+          class="flex-1 overflow-hidden rounded-lg bg-white text-gray-700 shadow-md dark:bg-neutral-700 dark:text-neutral-200"
         >
-          <h1 class="mb-6 text-3xl font-bold">{{ activeMenuItem.name }}</h1>
-          <NuxtPage />
+          <PanelHead>
+            <PanelHeadTitle>
+              {{ activeMenuItem.name }}
+            </PanelHeadTitle>
+          </PanelHead>
+          <PanelBody>
+            <NuxtPage />
+          </PanelBody>
         </div>
       </div>
     </div>
@@ -37,9 +50,6 @@
 </template>
 
 <script setup lang="ts">
-const authStore = useAuthStore();
-authStore.update();
-
 const { t } = useI18n();
 
 const route = useRoute();

src/app/pages/admin/config.vue

@@ -9,14 +9,12 @@
           :label="$t('general.host')"
           :description="$t('admin.config.hostDesc')"
           url="/api/admin/ip-info"
-          :overridden="overrides?.host"
         />
         <FormNumberField
           id="port"
           v-model="data.port"
           :label="$t('general.port')"
           :description="$t('admin.config.portDesc')"
-          :overridden="overrides?.port"
         />
       </FormGroup>
       <FormGroup>
@@ -26,18 +24,13 @@
         <FormArrayField
           v-model="data.defaultAllowedIps"
           name="defaultAllowedIps"
-          :overridden="overrides?.defaultAllowedIps"
         />
       </FormGroup>
       <FormGroup>
         <FormHeading :description="$t('admin.config.dnsDesc')">
           {{ $t('general.dns') }}
         </FormHeading>
-        <FormArrayField
-          v-model="data.defaultDns"
-          name="defaultDns"
-          :overridden="overrides?.defaultDns"
-        />
+        <FormArrayField v-model="data.defaultDns" name="defaultDns" />
       </FormGroup>
       <FormGroup>
         <FormHeading>{{ $t('form.sectionAdvanced') }}</FormHeading>
@@ -46,14 +39,12 @@
           v-model="data.defaultMtu"
           :label="$t('general.mtu')"
           :description="$t('admin.config.mtuDesc')"
-          :overridden="overrides?.defaultMtu"
         />
         <FormNumberField
           id="defaultPersistentKeepalive"
           v-model="data.defaultPersistentKeepalive"
           :label="$t('general.persistentKeepalive')"
           :description="$t('admin.config.persistentKeepaliveDesc')"
-          :overridden="overrides?.defaultPersistentKeepalive"
         />
       </FormGroup>
       <FormGroup v-if="globalStore.information?.isAwg">
@@ -127,19 +118,14 @@ const { data: _data, refresh } = await useFetch(`/api/admin/userconfig`, {
   method: 'get',
 });
 
-const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
-  method: 'get',
-});
-
-const overrides = computed(() => overridesData.value?.userConfig);
-
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
-  `/api/admin/userconfig`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/admin/userconfig`, {
+      method: 'post',
+      body: data,
+    }),
   { revert }
 );
 

src/app/pages/admin/general.vue

@@ -7,7 +7,6 @@
           v-model="data.sessionTimeout"
           :label="$t('admin.general.sessionTimeout')"
           :description="$t('admin.general.sessionTimeoutDesc')"
-          :overridden="overrides?.sessionTimeout"
         />
       </FormGroup>
       <FormGroup>
@@ -17,21 +16,18 @@
           v-model="data.metricsPassword"
           :label="$t('admin.general.metricsPassword')"
           :description="$t('admin.general.metricsPasswordDesc')"
-          :overridden="overrides?.metricsPassword"
         />
         <FormSwitchField
           id="prometheus"
           v-model="data.metricsPrometheus"
           :label="$t('admin.general.prometheus')"
           :description="$t('admin.general.prometheusDesc')"
-          :overridden="overrides?.metricsPrometheus"
         />
         <FormSwitchField
           id="json"
           v-model="data.metricsJson"
           :label="$t('admin.general.json')"
           :description="$t('admin.general.jsonDesc')"
-          :overridden="overrides?.metricsJson"
         />
       </FormGroup>
       <FormGroup>
@@ -47,20 +43,14 @@
 const { data: _data, refresh } = await useFetch(`/api/admin/general`, {
   method: 'get',
 });
-
-const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
-  method: 'get',
-});
-
-const overrides = computed(() => overridesData.value?.general);
-
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
-  `/api/admin/general`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/admin/general`, {
+      method: 'post',
+      body: data,
+    }),
   { revert }
 );
 

src/app/pages/admin/hooks.vue

@@ -2,29 +2,25 @@
   <main v-if="data">
     <FormElement @submit.prevent="submit">
       <FormGroup>
-        <FormTextField
+        <FormTextArea
           id="PreUp"
           v-model="data.preUp"
           :label="$t('hooks.preUp')"
-          :overridden="overrides?.preUp"
         />
-        <FormTextField
+        <FormTextArea
           id="PostUp"
           v-model="data.postUp"
           :label="$t('hooks.postUp')"
-          :overridden="overrides?.postUp"
         />
-        <FormTextField
+        <FormTextArea
           id="PreDown"
           v-model="data.preDown"
           :label="$t('hooks.preDown')"
-          :overridden="overrides?.preDown"
         />
-        <FormTextField
+        <FormTextArea
           id="PostDown"
           v-model="data.postDown"
           :label="$t('hooks.postDown')"
-          :overridden="overrides?.postDown"
         />
       </FormGroup>
       <FormGroup>
@@ -41,19 +37,14 @@ const { data: _data, refresh } = await useFetch(`/api/admin/hooks`, {
   method: 'get',
 });
 
-const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
-  method: 'get',
-});
-
-const overrides = computed(() => overridesData.value?.hooks);
-
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
-  `/api/admin/hooks`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/admin/hooks`, {
+      method: 'post',
+      body: data,
+    }),
   { revert }
 );
 

src/app/pages/admin/interface.vue

@@ -7,21 +7,18 @@
           v-model="data.mtu"
           :label="$t('general.mtu')"
           :description="$t('admin.interface.mtuDesc')"
-          :overridden="overrides?.mtu"
         />
         <FormNumberField
           id="port"
           v-model="data.port"
           :label="$t('general.port')"
           :description="$t('admin.interface.portDesc')"
-          :overridden="overrides?.port"
         />
         <FormTextField
           id="device"
           v-model="data.device"
           :label="$t('admin.interface.device')"
           :description="$t('admin.interface.deviceDesc')"
-          :overridden="overrides?.device"
         />
       </FormGroup>
       <FormGroup v-if="globalStore.information?.isAwg">
@@ -72,6 +69,30 @@
           :label="$t('awg.s4Label')"
           :description="$t('awg.s4Description')"
         />
+        <FormNullTextField
+          id="h1"
+          v-model="data.h1"
+          :label="$t('awg.h1Label')"
+          :description="$t('awg.h1Description')"
+        />
+        <FormNullTextField
+          id="h2"
+          v-model="data.h2"
+          :label="$t('awg.h2Label')"
+          :description="$t('awg.h2Description')"
+        />
+        <FormNullTextField
+          id="h3"
+          v-model="data.h3"
+          :label="$t('awg.h3Label')"
+          :description="$t('awg.h3Description')"
+        />
+        <FormNullTextField
+          id="h4"
+          v-model="data.h4"
+          :label="$t('awg.h4Label')"
+          :description="$t('awg.h4Description')"
+        />
         <FormNullTextField
           id="i1"
           v-model="data.i1"
@@ -102,29 +123,14 @@
           :label="$t('awg.i5Label')"
           :description="$t('awg.i5Description')"
         />
-        <FormNullNumberField
-          id="h1"
-          v-model="data.h1"
-          :label="$t('awg.h1Label')"
-          :description="$t('awg.h1Description')"
-        />
-        <FormNullNumberField
-          id="h2"
-          v-model="data.h2"
-          :label="$t('awg.h2Label')"
-          :description="$t('awg.h2Description')"
-        />
-        <FormNullNumberField
-          id="h3"
-          v-model="data.h3"
-          :label="$t('awg.h3Label')"
-          :description="$t('awg.h3Description')"
-        />
-        <FormNullNumberField
-          id="h4"
-          v-model="data.h4"
-          :label="$t('awg.h4Label')"
-          :description="$t('awg.h4Description')"
+      </FormGroup>
+      <FormGroup>
+        <FormHeading>{{ $t('admin.interface.firewall') }}</FormHeading>
+        <FormSwitchField
+          id="firewallEnabled"
+          v-model="data.firewallEnabled"
+          :label="$t('admin.interface.firewallEnabled')"
+          :description="$t('admin.interface.firewallEnabledDesc')"
         />
       </FormGroup>
       <FormGroup>
@@ -167,20 +173,23 @@ const { data: _data, refresh } = await useFetch(`/api/admin/interface`, {
   method: 'get',
 });
 
-const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
-  method: 'get',
-});
-
-const overrides = computed(() => overridesData.value?.interface);
-
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
-  `/api/admin/interface`,
+  (data) =>
+    $fetch(`/api/admin/interface`, {
+      method: 'post',
+      body: data,
+    }),
   {
-    method: 'post',
-  },
-  { revert }
+    revert: async (success) => {
+      await revert();
+      if (success) {
+        // Refresh global store information after successful save
+        await globalStore.refreshInformation();
+      }
+    },
+  }
 );
 
 function submit() {
@@ -193,10 +202,11 @@ async function revert() {
 }
 
 const _changeCidr = useSubmit(
-  `/api/admin/interface/cidr`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/admin/interface/cidr`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert,
     successMsg: t('admin.interface.cidrSuccess'),
@@ -208,10 +218,11 @@ async function changeCidr(ipv4Cidr: string, ipv6Cidr: string) {
 }
 
 const _restartInterface = useSubmit(
-  `/api/admin/interface/restart`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/admin/interface/restart`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert,
     successMsg: t('admin.interface.restartSuccess'),

src/app/pages/clients/[id].vue

@@ -2,7 +2,9 @@
   <main v-if="data">
     <Panel>
       <PanelHead>
-        <PanelHeadTitle :text="data.name" />
+        <PanelHeadTitle>
+          {{ data.name }}
+        </PanelHeadTitle>
       </PanelHead>
       <PanelBody>
         <FormElement @submit.prevent="submit">
@@ -61,6 +63,12 @@
               name="serverAllowedIps"
             />
           </FormGroup>
+          <FormGroup v-if="globalStore.information?.firewallEnabled">
+            <FormHeading :description="$t('client.firewallIpsDesc')">
+              {{ $t('client.firewallIps') }}
+            </FormHeading>
+            <FormNullArrayField v-model="data.firewallIps" name="firewallIps" />
+          </FormGroup>
           <FormGroup>
             <FormHeading :description="$t('client.dnsDesc')">
               {{ $t('general.dns') }}
@@ -141,25 +149,25 @@
             <FormHeading :description="$t('client.hooksDescription')">
               {{ $t('client.hooks') }}
             </FormHeading>
-            <FormTextField
+            <FormTextArea
               id="PreUp"
               v-model="data.preUp"
               :description="$t('client.hooksLeaveEmpty')"
               :label="$t('hooks.preUp')"
             />
-            <FormTextField
+            <FormTextArea
               id="PostUp"
               v-model="data.postUp"
               :description="$t('client.hooksLeaveEmpty')"
               :label="$t('hooks.postUp')"
             />
-            <FormTextField
+            <FormTextArea
               id="PreDown"
               v-model="data.preDown"
               :description="$t('client.hooksLeaveEmpty')"
               :label="$t('hooks.preDown')"
             />
-            <FormTextField
+            <FormTextArea
               id="PostDown"
               v-model="data.postDown"
               :description="$t('client.hooksLeaveEmpty')"
@@ -179,13 +187,25 @@
               @delete="deleteClient"
             >
               <FormSecondaryActionField
-                label="Delete"
+                :label="$t('client.delete')"
                 class="w-full"
                 type="button"
                 tabindex="-1"
                 as="span"
               />
             </ClientsDeleteDialog>
+            <ClientsConfigDialog
+              trigger-class="col-span-2"
+              :client-id="data.id"
+            >
+              <FormSecondaryActionField
+                :label="$t('client.viewConfig')"
+                class="w-full"
+                type="button"
+                tabindex="-1"
+                as="span"
+              />
+            </ClientsConfigDialog>
           </FormGroup>
         </FormElement>
       </PanelBody>
@@ -194,9 +214,7 @@
 </template>
 
 <script lang="ts" setup>
-const authStore = useAuthStore();
 const globalStore = useGlobalStore();
-authStore.update();
 
 const route = useRoute();
 const id = route.params.id as string;
@@ -207,10 +225,11 @@ const { data: _data, refresh } = await useFetch(`/api/client/${id}`, {
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
-  `/api/client/${id}`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/client/${id}`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async (success) => {
       if (success) {
@@ -232,10 +251,11 @@ async function revert() {
 }
 
 const _deleteClient = useSubmit(
-  `/api/client/${id}`,
-  {
-    method: 'delete',
-  },
+  (data) =>
+    $fetch(`/api/client/${id}`, {
+      method: 'delete',
+      body: data,
+    }),
   {
     revert: async () => {
       await navigateTo('/');

src/app/pages/index.vue

@@ -2,11 +2,15 @@
   <main>
     <Panel>
       <PanelHead>
-        <PanelHeadTitle :text="$t('pages.clients')" />
+        <PanelHeadTitle>
+          {{ $t('pages.clients') }}
+        </PanelHeadTitle>
         <PanelHeadBoat>
           <ClientsSearch />
-          <ClientsSort />
-          <ClientsNew />
+          <div class="flex gap-2">
+            <ClientsSort />
+            <ClientsNew />
+          </div>
         </PanelHeadBoat>
       </PanelHead>
 
@@ -29,9 +33,6 @@
 </template>
 
 <script setup lang="ts">
-const authStore = useAuthStore();
-authStore.update();
-
 const globalStore = useGlobalStore();
 const clientsStore = useClientsStore();
 

src/app/pages/login.vue

@@ -67,9 +67,6 @@
 </template>
 
 <script setup lang="ts">
-const authStore = useAuthStore();
-authStore.update();
-
 const toast = useToast();
 const { t } = useI18n();
 
@@ -81,10 +78,11 @@ const totpRequired = ref(false);
 const totp = ref<string>('');
 
 const _submit = useSubmit(
-  '/api/session',
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch('/api/session', {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async (success, data) => {
       if (success) {

src/app/pages/me.vue

@@ -2,7 +2,9 @@
   <main>
     <Panel>
       <PanelHead>
-        <PanelHeadTitle :text="$t('pages.me')" />
+        <PanelHeadTitle>
+          {{ $t('pages.me') }}
+        </PanelHeadTitle>
       </PanelHead>
       <PanelBody class="dark:text-neutral-200">
         <FormElement @submit.prevent="submit">
@@ -120,16 +122,16 @@
 import { encodeQR } from 'qr';
 
 const authStore = useAuthStore();
-authStore.update();
 
 const name = ref(authStore.userData?.name);
 const email = ref(authStore.userData?.email);
 
 const _submit = useSubmit(
-  `/api/me`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/me`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: () => {
       return authStore.update();
@@ -146,10 +148,11 @@ const newPassword = ref('');
 const confirmPassword = ref('');
 
 const _updatePassword = useSubmit(
-  `/api/me/password`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/me/password`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async () => {
       currentPassword.value = '';
@@ -170,10 +173,11 @@ function updatePassword() {
 const twofa = ref<{ key: string; qrcode: string } | null>(null);
 
 const _setup2fa = useSubmit(
-  `/api/me/totp`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/me/totp`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async (success, data) => {
       if (success && data?.type === 'setup') {
@@ -198,10 +202,11 @@ async function setup2fa() {
 const code = ref<string>('');
 
 const _enable2fa = useSubmit(
-  `/api/me/totp`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/me/totp`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async (success, data) => {
       if (success && data?.type === 'created') {
@@ -223,10 +228,11 @@ async function enable2fa() {
 const disable2faPassword = ref('');
 
 const _disable2fa = useSubmit(
-  `/api/me/totp`,
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch(`/api/me/totp`, {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async (success, data) => {
       if (success && data?.type === 'deleted') {

src/app/pages/setup/2.vue

@@ -50,20 +50,15 @@ const password = ref<string>('');
 const confirmPassword = ref<string>('');
 
 const _submit = useSubmit(
-  '/api/setup/2',
+  (data) =>
+    $fetch('/api/setup/2', {
+      method: 'post',
+      body: data,
+    }),
   {
-    method: 'post',
-  },
-  {
-    revert: async (success, data) => {
+    revert: async (success) => {
       if (success) {
-        if (data?.setupDone) {
-          // Setup is complete, redirect to success page
-          await navigateTo('/setup/success');
-        } else {
-          // Continue to step 3
-          await navigateTo('/setup/3');
-        }
+        await navigateTo('/setup/3');
       }
     },
     noSuccessToast: true,

src/app/pages/setup/4.vue

@@ -43,10 +43,11 @@ const host = ref<null | string>(null);
 const port = ref<number>(51820);
 
 const _submit = useSubmit(
-  '/api/setup/4',
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch('/api/setup/4', {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async (success) => {
       if (success) {

src/app/pages/setup/migrate.vue

@@ -36,10 +36,11 @@ function onChangeFile(evt: Event) {
 }
 
 const _submit = useSubmit(
-  '/api/setup/migrate',
-  {
-    method: 'post',
-  },
+  (data) =>
+    $fetch('/api/setup/migrate', {
+      method: 'post',
+      body: data,
+    }),
   {
     revert: async (success) => {
       if (success) {

src/app/stores/auth.ts

@@ -1,18 +1,25 @@
-export const useAuthStore = defineStore('Auth', () => {
-  const { data: userData, refresh: update } = useFetch('/api/session', {
-    method: 'get',
-  });
+import type { H3Event } from 'h3';
+import type { SharedPublicUser } from '~~/shared/utils/permissions';
 
-  async function getSession() {
+export const useAuthStore = defineStore('Auth', () => {
+  const userData = useState<SharedPublicUser | null>('user-data', () => null);
+
+  async function getSession(event?: H3Event) {
+    const fetch = event?.$fetch || $fetch;
     try {
-      const { data } = await useFetch('/api/session', {
+      const data = await fetch('/api/session', {
         method: 'get',
       });
-      return data.value;
+      return data;
     } catch {
       return null;
     }
   }
 
+  async function update() {
+    const data = await getSession();
+    userData.value = data;
+  }
+
   return { userData, update, getSession };
 });

src/app/stores/clients.ts

@@ -66,10 +66,11 @@ export const useClientsStore = defineStore('Clients', () => {
       const clientPersist = clientsPersist.value[client.id]!;
 
       // Debug
-      // client.transferRx = this.clientsPersist[client.id].transferRxPrevious + Math.random() * 1000;
-      // client.transferTx = this.clientsPersist[client.id].transferTxPrevious + Math.random() * 1000;
-      // client.latestHandshakeAt = new Date();
-      // this.requiresPassword = true;
+      /* client.transferRx =
+        clientPersist.transferRxPrevious + Math.random() * 1000;
+      client.transferTx =
+        clientPersist.transferTxPrevious + Math.random() * 1000;
+      client.latestHandshakeAt = new Date().toISOString(); */
 
       clientPersist.transferRxCurrent =
         (client.transferRx ?? 0) - clientPersist.transferRxPrevious;

src/app/stores/global.ts

@@ -1,7 +1,10 @@
 export const useGlobalStore = defineStore('Global', () => {
-  const { data: information } = useFetch('/api/information', {
-    method: 'get',
-  });
+  const { data: information, refresh: refreshInformation } = useFetch(
+    '/api/information',
+    {
+      method: 'get',
+    }
+  );
 
   const sortClient = ref(true); // Sort clients by name, true = asc, false = desc
 
@@ -22,6 +25,7 @@ export const useGlobalStore = defineStore('Global', () => {
   return {
     sortClient,
     information,
+    refreshInformation,
     uiShowCharts,
     toggleCharts,
     uiChartType,

src/cli/admin/reset.ts

@@ -0,0 +1,71 @@
+import { defineCommand } from 'citty';
+import { consola } from 'consola';
+import { eq } from 'drizzle-orm';
+
+import { db, schema } from '../db';
+import { hashPassword } from '../../server/utils/password';
+
+export default defineCommand({
+  meta: {
+    name: 'db:admin:reset',
+    description: 'Reset the admin user password and TOTP settings',
+  },
+  args: {
+    password: {
+      type: 'string',
+      description: 'New password for the admin user',
+      required: false,
+    },
+  },
+  async run(ctx) {
+    let password = ctx.args.password || undefined;
+    if (!password) {
+      password = await consola.prompt('Please enter a new password:', {
+        type: 'text',
+      });
+    }
+    if (!password) {
+      consola.error('Password is required');
+      return;
+    }
+    if (password.length < 12) {
+      consola.error('Password must be at least 12 characters long');
+      return;
+    }
+    consola.info('Setting new password for admin user...');
+    const hash = await hashPassword(password);
+
+    const user = await db.transaction(async (tx) => {
+      const user = await tx
+        .select()
+        .from(schema.user)
+        .where(eq(schema.user.id, 1))
+        .get();
+
+      if (!user) {
+        consola.error('Admin user not found');
+        return;
+      }
+
+      await tx
+        .update(schema.user)
+        .set({
+          password: hash,
+          totpVerified: false,
+          totpKey: null,
+        })
+        .where(eq(schema.user.id, 1));
+
+      return user;
+    });
+
+    if (!user) {
+      consola.error('Failed to update admin user');
+      return;
+    }
+
+    consola.success(
+      `Successfully updated admin user ${user.id} (${user.username})`
+    );
+  },
+});

src/cli/clients/list.ts

@@ -0,0 +1,29 @@
+import { defineCommand } from 'citty';
+import { consola } from 'consola';
+
+import { db } from '../db';
+
+export default defineCommand({
+  meta: {
+    name: 'clients:list',
+    description: 'List all clients',
+  },
+  async run() {
+    consola.info('Listing all clients...');
+    const clients = await db.query.client.findMany({
+      columns: {
+        id: true,
+        name: true,
+        publicKey: true,
+        enabled: true,
+      },
+    });
+
+    if (clients.length === 0) {
+      consola.info('No clients found');
+      return;
+    }
+
+    console.table(clients);
+  },
+});

src/cli/clients/qr.ts

@@ -0,0 +1,71 @@
+import { defineCommand } from 'citty';
+import { consola } from 'consola';
+import { eq } from 'drizzle-orm';
+
+import { wg } from '../../server/utils/wgHelper';
+import { encodeQRCodeTerm } from '../../server/utils/qr';
+import { db, schema } from '../db';
+
+export default defineCommand({
+  meta: {
+    name: 'clients:qr',
+    description: 'Generate QR code for a client',
+  },
+  args: {
+    id: {
+      required: true,
+      type: 'positional',
+    },
+    ipv6: {
+      required: false,
+      type: 'boolean',
+      default: true,
+    },
+  },
+  async run(ctx) {
+    const clientId = Number(ctx.args.id);
+    const enableIpv6 = ctx.args.ipv6;
+
+    if (Number.isNaN(clientId)) {
+      consola.error('Invalid client ID');
+      return;
+    }
+
+    consola.info('Generating QR code for client...');
+
+    const wgInterface = await db.query.wgInterface.findFirst({
+      where: eq(schema.wgInterface.name, 'wg0'),
+    });
+    if (!wgInterface) {
+      consola.error('WireGuard interface not found');
+      return;
+    }
+
+    const userConfig = await db.query.userConfig.findFirst({
+      where: eq(schema.userConfig.id, 'wg0'),
+    });
+    if (!userConfig) {
+      consola.error('User config not found');
+      return;
+    }
+
+    const client = await db.query.client.findFirst({
+      where: eq(schema.client.id, clientId),
+    });
+    if (!client) {
+      consola.error(`Client with ID ${clientId} not found`);
+      return;
+    }
+
+    const clientConfig = wg.generateClientConfig(
+      wgInterface,
+      userConfig,
+      client,
+      {
+        enableIpv6,
+      }
+    );
+
+    consola.log(encodeQRCodeTerm(clientConfig));
+  },
+});

src/cli/db.ts

@@ -0,0 +1,10 @@
+import { createClient } from '@libsql/client';
+import { drizzle } from 'drizzle-orm/libsql';
+
+import * as schema from '../server/database/schema';
+
+//const client = createClient({ url: 'file:../data/wg-easy.db' });
+const client = createClient({ url: 'file:/etc/wireguard/wg-easy.db' });
+export const db = drizzle({ client, schema });
+
+export { schema };

src/cli/index.ts

@@ -1,82 +1,38 @@
 #!/usr/bin/env node
 
-// ! Auto Imports are not supported in this file
-
-import { drizzle } from 'drizzle-orm/libsql';
-import { createClient } from '@libsql/client';
+import type { Resolvable, SubCommandsDef } from 'citty';
 import { defineCommand, runMain } from 'citty';
-import { consola } from 'consola';
-import { eq } from 'drizzle-orm';
 
 import packageJson from '../package.json';
-import * as schema from '../server/database/schema';
-import { hashPassword } from '../server/utils/password';
 
-const client = createClient({ url: 'file:/etc/wireguard/wg-easy.db' });
-const db = drizzle({ client, schema });
+// Commands
+import dbAdminReset from './admin/reset';
+import clientsList from './clients/list';
+import clientsQr from './clients/qr';
+const subCommands = [dbAdminReset, clientsList, clientsQr] as const;
 
-const dbAdminReset = defineCommand({
-  meta: {
-    name: 'db:admin:reset',
-    description: 'Reset the admin user',
-  },
-  args: {
-    password: {
-      type: 'string',
-      description: 'New password for the admin user',
-      required: false,
-    },
-  },
-  async run(ctx) {
-    let password = ctx.args.password || undefined;
-    if (!password) {
-      password = await consola.prompt('Please enter a new password:', {
-        type: 'text',
-      });
+// from citty
+function resolveValue<T>(input: Resolvable<T>): T | Promise<T> {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  return typeof input === 'function' ? (input as any)() : input;
+}
+
+async function generateSubCommands(): Promise<SubCommandsDef> {
+  const subCommandsMap: Record<string, SubCommandsDef[string]> = {};
+
+  for (const cmd of subCommands) {
+    const cmdMeta = await resolveValue(cmd.meta || {});
+    if (!cmdMeta.name) {
+      console.warn('Skipping command without name:', cmd);
+      continue;
     }
-    if (!password) {
-      consola.error('Password is required');
-      return;
-    }
-    if (password.length < 12) {
-      consola.error('Password must be at least 12 characters long');
-      return;
-    }
-    console.info('Setting new password for admin user...');
-    const hash = await hashPassword(password);
+    subCommandsMap[cmdMeta.name] = cmd;
+  }
 
-    const user = await db.transaction(async (tx) => {
-      const user = await tx
-        .select()
-        .from(schema.user)
-        .where(eq(schema.user.id, 1))
-        .get();
+  return subCommandsMap;
+}
 
-      if (!user) {
-        consola.error('Admin user not found');
-        return;
-      }
-
-      await tx
-        .update(schema.user)
-        .set({
-          password: hash,
-        })
-        .where(eq(schema.user.id, 1));
-
-      return user;
-    });
-
-    if (!user) {
-      consola.error('Failed to update admin user');
-      return;
-    }
-
-    consola.success(
-      `Successfully updated admin user ${user.id} (${user.username})`
-    );
-  },
-});
+const subCommandsMap = await generateSubCommands();
 
 const main = defineCommand({
   meta: {
@@ -84,9 +40,7 @@ const main = defineCommand({
     version: packageJson.version,
     description: 'Command Line Interface',
   },
-  subCommands: {
-    'db:admin:reset': dbAdminReset,
-  },
+  subCommands: subCommandsMap,
 });
 
 runMain(main);

src/cli/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "lib": ["ESNext"],
+    "module": "esnext",
+    "target": "es2024",
+    "esModuleInterop": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "moduleResolution": "bundler"
+  },
+  "include": ["./**/*.ts"]
+}

src/i18n/i18n.config.ts

@@ -4,15 +4,24 @@ import uk from './locales/uk.json';
 import fr from './locales/fr.json';
 import de from './locales/de.json';
 import it from './locales/it.json';
+import ja from './locales/ja.json';
 import ru from './locales/ru.json';
 import zhhk from './locales/zh-HK.json';
 import zhcn from './locales/zh-CN.json';
+import zhtw from './locales/zh-TW.json';
 import ko from './locales/ko.json';
 import es from './locales/es.json';
 import ptbr from './locales/pt-BR.json';
 import tr from './locales/tr.json';
 import bn from './locales/bn.json';
 import id from './locales/id.json';
+import nl from './locales/nl.json';
+import nb from './locales/nb.json';
+import bg from './locales/bg.json';
+import hi from './locales/hi.json';
+import gl from './locales/gl.json';
+import cs from './locales/cs.json';
+import vi from './locales/vi.json';
 
 export default defineI18nConfig(() => ({
   legacy: false,
@@ -24,14 +33,23 @@ export default defineI18nConfig(() => ({
     fr,
     de,
     it,
+    ja,
     ru,
     'zh-HK': zhhk,
     'zh-CN': zhcn,
+    'zh-TW': zhtw,
     ko,
     es,
     'pt-BR': ptbr,
     tr,
     bn,
     id,
+    nl,
+    nb,
+    bg,
+    hi,
+    gl,
+    cs,
+    vi,
   },
 }));

src/i18n/locales/bg.json

@@ -0,0 +1,286 @@
+{
+  "pages": {
+    "me": "Профил",
+    "clients": "Клиенти",
+    "admin": {
+      "panel": "Админ Панел",
+      "general": "Общи",
+      "config": "Конфигурация",
+      "interface": "Интерфейс",
+      "hooks": "Hooks"
+    }
+  },
+  "user": {
+    "email": "Имейл"
+  },
+  "me": {
+    "currentPassword": "Текуща парола",
+    "enable2fa": "Активирай двуфакторна автентикация",
+    "enable2faDesc": "Сканирай QR кода с твоето приложение за автентикатор или въведи ключа ръчно.",
+    "2faKey": "TOTP ключ",
+    "2faCodeDesc": "Въведи кода от твоето приложение за автентикатор.",
+    "disable2fa": "Деактивирай двуфакторна автентикация",
+    "disable2faDesc": "Въведи паролата си, за да деактивираш двуфакторната автентикация."
+  },
+  "general": {
+    "name": "Име",
+    "username": "Потребителско име",
+    "password": "Парола",
+    "newPassword": "Нова парола",
+    "updatePassword": "Обнови парола",
+    "mtu": "MTU",
+    "allowedIps": "Разрешени IP-та",
+    "dns": "DNS",
+    "persistentKeepalive": "Постоянно поддържане на връзката",
+    "logout": "Изход",
+    "continue": "Продължи",
+    "host": "Хост",
+    "port": "Порт",
+    "yes": "Да",
+    "no": "Не",
+    "confirmPassword": "Потвърди парола",
+    "loading": "Зареждане...",
+    "2fa": "Двуфакторна автентикация",
+    "2faCode": "TOTP код"
+  },
+  "setup": {
+    "welcome": "Добре дошъл в първоначалната настройка на wg-easy",
+    "welcomeDesc": "Откри най-лесния начин да инсталираш и управляваш WireGuard на всеки Linux сървър",
+    "existingSetup": "Имаш ли вече съществуваща инсталация?",
+    "createAdminDesc": "Моля, първо въведи администраторско потребителско име и силна сигурна парола. Тези данни ще се използват за вход в административния панел.",
+    "setupConfigDesc": "Моля, въведи хост и порт. Тази информация ще се използва при генериране на клиентски конфигурации за WireGuard.",
+    "setupMigrationDesc": "Ако желаеш да мигрираш данните от предишна версия на wg-easy, качи резервното копие.",
+    "upload": "Качи",
+    "migration": "Възстанови от резервно копие:",
+    "createAccount": "Създай акаунт",
+    "successful": "Настройката е успешна",
+    "hostDesc": "Публично име/адрес, към който клиентите ще се свързват",
+    "portDesc": "Публичен UDP порт, на който клиентите ще се свързват и на който WireGuard слуша"
+  },
+  "update": {
+    "updateAvailable": "Налична е актуализация!",
+    "update": "Актуализирай"
+  },
+  "theme": {
+    "dark": "Тъмна тема",
+    "light": "Светла тема",
+    "system": "Системна тема"
+  },
+  "layout": {
+    "toggleCharts": "Покажи/скрий графики",
+    "donate": "Дарение"
+  },
+  "login": {
+    "signIn": "Вход",
+    "rememberMe": "Запомни ме",
+    "rememberMeDesc": "Остани влязъл след затваряне на браузъра",
+    "insecure": "Не можеш да влезеш през несигурна връзка. Използвай HTTPS.",
+    "2faRequired": "Изисква се двуфакторна автентикация",
+    "2faWrong": "Грешен код за двуфакторна автентикация"
+  },
+  "client": {
+    "empty": "Все още няма клиенти.",
+    "newShort": "Нов",
+    "sort": "Сортирай",
+    "create": "Създай клиент",
+    "created": "Клиентът е създаден",
+    "new": "Нов клиент",
+    "name": "Име",
+    "expireDate": "Дата на изтичане",
+    "expireDateDesc": "Дата, след която клиентът ще бъде деактивиран. Празно = постоянен",
+    "delete": "Изтрий",
+    "deleteClient": "Изтрий клиент",
+    "deleteDialog1": "Сигурен ли си, че искаш да изтриеш",
+    "deleteDialog2": "Това действие е необратимо.",
+    "enabled": "Активен",
+    "address": "Адрес",
+    "serverAllowedIps": "Разрешени IP-та от сървъра",
+    "otlDesc": "Генерирай кратък еднократен линк",
+    "permanent": "Постоянно",
+    "createdOn": "Създаден на ",
+    "lastSeen": "Последно видян на ",
+    "totalDownload": "Общо изтеглени: ",
+    "totalUpload": "Общо качени: ",
+    "newClient": "Нов клиент",
+    "disableClient": "Деактивирай клиент",
+    "enableClient": "Активирай клиент",
+    "noPrivKey": "Този клиент няма известен частен ключ. Не може да се създаде конфигурация.",
+    "showQR": "Покажи QR код",
+    "downloadConfig": "Изтегли конфигурация",
+    "allowedIpsDesc": "Кои IP-та ще се насочват през VPN (замества глобалната настройка)",
+    "serverAllowedIpsDesc": "Кои IP-та сървърът ще насочва към клиента",
+    "mtuDesc": "Задава максималния размер на пакета (MTU) за VPN тунела",
+    "persistentKeepaliveDesc": "Интервал (в секунди) за изпращане на keep-alive пакети. 0 = изключено",
+    "hooks": "Hooks",
+    "hooksDescription": "Hooks работят само с wg-quick",
+    "hooksLeaveEmpty": "Само за wg-quick. В противен случай остави празно",
+    "dnsDesc": "DNS сървър, който клиентите ще използват (замества глобалната настройка)",
+    "notConnected": "Клиентът не е свързан",
+    "endpoint": "Крайна точка",
+    "endpointDesc": "IP адресът на клиента, от който е установена WireGuard връзката",
+    "search": "Търси клиенти...",
+    "config": "Конфигурация",
+    "viewConfig": "Прегледай конфигурацията"
+  },
+  "dialog": {
+    "change": "Промени",
+    "cancel": "Отказ",
+    "create": "Създай"
+  },
+  "toast": {
+    "success": "Успех",
+    "saved": "Запазено",
+    "error": "Грешка"
+  },
+  "form": {
+    "actions": "Действия",
+    "save": "Запази",
+    "revert": "Отмени промените",
+    "sectionGeneral": "Общи",
+    "sectionAdvanced": "Разширени",
+    "noItems": "Няма елементи",
+    "nullNoItems": "Няма елементи. Използва се глобалната конфигурация",
+    "add": "Добави"
+  },
+  "admin": {
+    "general": {
+      "sessionTimeout": "Време на сесията",
+      "sessionTimeoutDesc": "Продължителност на сесията при „Запомни ме“ (в секунди)",
+      "metrics": "Метрики",
+      "metricsPassword": "Парола",
+      "metricsPasswordDesc": "Bearer парола за достъп до metrics ендпойнт (парола или argon2 хеш)",
+      "json": "JSON",
+      "jsonDesc": "Път за метрики в JSON формат",
+      "prometheus": "Prometheus",
+      "prometheusDesc": "Път за Prometheus метрики"
+    },
+    "config": {
+      "connection": "Връзка",
+      "hostDesc": "Публично име/адрес за клиентите (инвалидира конфигурациите)",
+      "portDesc": "Публичен UDP порт за клиентите (инвалидира конфигурациите; вероятно искаш да смениш и порта на интерфейса)",
+      "allowedIpsDesc": "Разрешени IP-та за клиентите (глобална настройка)",
+      "dnsDesc": "DNS сървър за клиентите (глобална настройка)",
+      "mtuDesc": "MTU, който ще ползват клиентите (само за нови клиенти)",
+      "persistentKeepaliveDesc": "Интервал в секунди за keep-alive към сървъра. 0 = изключено (само за нови клиенти)",
+      "suggest": "Предложи",
+      "suggestDesc": "Избери IP адрес или хост за полето Host"
+    },
+    "interface": {
+      "cidrSuccess": "CIDR променен",
+      "device": "Устройство",
+      "deviceDesc": "Мрежово устройство, през което да се препраща WireGuard трафикът",
+      "mtuDesc": "MTU, който ще ползва WireGuard",
+      "portDesc": "UDP порт, на който слуша WireGuard (вероятно искаш да смениш и порта в Config)",
+      "changeCidr": "Смени CIDR",
+      "restart": "Рестартирай интерфейс",
+      "restartDesc": "Рестартиране на WireGuard интерфейса",
+      "restartWarn": "Сигурен ли си, че искаш да рестартираш интерфейса? Всички клиенти ще бъдат изключени.",
+      "restartSuccess": "Интерфейсът е рестартиран"
+    },
+    "introText": "Добре дошъл в административния панел.\n\nТук можеш да управляваш общите настройки, конфигурацията, настройките на интерфейса и hooks.\n\nЗапочни, като избереш някоя от секциите в страничното меню."
+  },
+  "zod": {
+    "generic": {
+      "required": "{0} е задължително",
+      "validNumber": "{0} трябва да е валидно число",
+      "validString": "{0} трябва да е валиден текст",
+      "validBoolean": "{0} трябва да е валидна булева стойност",
+      "validArray": "{0} трябва да е валиден масив",
+      "stringMin": "{0} трябва да съдържа поне {1} символа",
+      "numberMin": "{0} трябва да е поне {1}"
+    },
+    "client": {
+      "id": "ID на клиента",
+      "name": "Име",
+      "expiresAt": "Изтича на",
+      "address4": "IPv4 адрес",
+      "address6": "IPv6 адрес",
+      "serverAllowedIps": "Разрешени IP-та от сървъра"
+    },
+    "user": {
+      "username": "Потребителско име",
+      "password": "Парола",
+      "remember": "Запомни",
+      "name": "Име",
+      "email": "Имейл",
+      "emailInvalid": "Имейлът трябва да е валиден",
+      "passwordMatch": "Паролите трябва да съвпадат",
+      "totpEnable": "Активиране на TOTP",
+      "totpEnableTrue": "TOTP Enable трябва да е true",
+      "totpCode": "TOTP код"
+    },
+    "userConfig": {
+      "host": "Хост"
+    },
+    "general": {
+      "sessionTimeout": "Време на сесията",
+      "metricsEnabled": "Метрики",
+      "metricsPassword": "Парола за метрики"
+    },
+    "interface": {
+      "cidr": "CIDR",
+      "device": "Устройство",
+      "cidrValid": "CIDR трябва да е валиден"
+    },
+    "otl": "Еднократен линк",
+    "stringMalformed": "Невалиден формат на низа",
+    "body": "Тялото трябва да е валиден обект",
+    "hook": "Hook",
+    "enabled": "Активиран",
+    "mtu": "MTU",
+    "port": "Порт",
+    "persistentKeepalive": "Постоянно поддържане на връзката",
+    "address": "IP адрес",
+    "dns": "DNS",
+    "allowedIps": "Разрешени IP-та",
+    "file": "Файл"
+  },
+  "hooks": {
+    "preUp": "PreUp",
+    "postUp": "PostUp",
+    "preDown": "PreDown",
+    "postDown": "PostDown"
+  },
+  "copy": {
+    "notSupported": "Копиране не се поддържа",
+    "copied": "Копирано!",
+    "failed": "Копирането неуспешно",
+    "copy": "Копирай"
+  },
+  "awg": {
+    "jCLabel": "Брой junk пакети (Jc)",
+    "jCDescription": "Брой junk пакети за изпращане (1–128, препоръчително: 4–12)",
+    "jMinLabel": "Минимален размер на junk пакети (Jmin)",
+    "jMinDescription": "Минимален размер на junk пакетите (0–1279*, препоръчително: 8, трябва да е < Jmax)",
+    "jMaxLabel": "Максимален размер на junk пакети (Jmax)",
+    "jMaxDescription": "Максимален размер на junk пакетите (1–1280*, препоръчително: 80, трябва да е > Jmin)",
+    "s1Label": "Размер на junk в init пакета (S1)",
+    "s1Description": "Размер на junk в init пакета (0–1132 [1280*−148=1132], препоръчително: 15–150, S1+56 ≠ S2)",
+    "s2Label": "Размер на junk в отговорния пакет (S2)",
+    "s2Description": "Размер на junk в response пакета (0–1188 [1280*−92=1188], препоръчително: 15–150)",
+    "s3Label": "Размер на junk в cookie reply пакета (S3)",
+    "s3Description": "Размер на junk в cookie reply пакета",
+    "s4Label": "Размер на junk в транспортния пакет (S4)",
+    "s4Description": "Размер на junk в транспортния пакет",
+    "h1Label": "Init magic header (H1)",
+    "h1Description": "Стойност на хедера в init пакета (5–2147483647, уникална спрямо H2–H4)",
+    "h2Label": "Response magic header (H2)",
+    "h2Description": "Стойност на хедера в response пакета (5–2147483647, уникална спрямо H1, H3, H4)",
+    "h3Label": "Cookie reply magic header (H3)",
+    "h3Description": "Стойност на хедера в cookie reply пакета (5–2147483647, уникална спрямо H1, H2, H4)",
+    "h4Label": "Transport magic header (H4)",
+    "h4Description": "Стойност на хедера в транспортния пакет (5–2147483647, уникална спрямо H1–H3)",
+    "i1Label": "Специален junk пакет 1 (I1)",
+    "i1Description": "Пакет за имитация на протокол в hex формат: <b 0x...>",
+    "i2Label": "Специален junk пакет 2 (I2)",
+    "i2Description": "Пакет за имитация на протокол в hex формат: <b 0x...>",
+    "i3Label": "Специален junk пакет 3 (I3)",
+    "i3Description": "Пакет за имитация на протокол в hex формат: <b 0x...>",
+    "i4Label": "Специален junk пакет 4 (I4)",
+    "i4Description": "Пакет за имитация на протокол в hex формат: <b 0x...>",
+    "i5Label": "Специален junk пакет 5 (I5)",
+    "i5Description": "Пакет за имитация на протокол в hex формат: <b 0x...>",
+    "mtuNote": "Стойностите зависят от MTU",
+    "obfuscationParameters": "Параметри за обфускация на AmneziaWG"
+  }
+}

src/i18n/locales/cs.json

@@ -0,0 +1,287 @@
+{
+  "pages": {
+    "me": "Účet",
+    "clients": "Klienti",
+    "admin": {
+      "panel": "Administrace",
+      "general": "Obecné",
+      "config": "Konfigurace",
+      "interface": "Rozhraní",
+      "hooks": "Nastavení reakcí"
+    }
+  },
+  "user": {
+    "email": "E-mail"
+  },
+  "me": {
+    "currentPassword": "Aktuální heslo",
+    "enable2fa": "Zapnout dvoufázové ověření (2FA)",
+    "enable2faDesc": "Naskenujte QR kód ve své autentizační aplikaci nebo zadejte klíč ručně.",
+    "2faKey": "TOTP klíč",
+    "2faCodeDesc": "Zadejte kód z vaší autentizační aplikace.",
+    "disable2fa": "Vypnout dvoufázové ověření",
+    "disable2faDesc": "Pro vypnutí dvoufázového ověření zadejte své heslo."
+  },
+  "general": {
+    "name": "Jméno",
+    "username": "Uživatelské jméno",
+    "password": "Heslo",
+    "newPassword": "Nové heslo",
+    "updatePassword": "Aktualizovat heslo",
+    "mtu": "MTU",
+    "allowedIps": "Povolené IP adresy",
+    "dns": "DNS",
+    "persistentKeepalive": "Persistent Keepalive",
+    "logout": "Odhlásit se",
+    "continue": "Pokračovat",
+    "host": "Hostitel",
+    "port": "Port",
+    "yes": "Ano",
+    "no": "Ne",
+    "confirmPassword": "Potvrdit heslo",
+    "loading": "Načítání...",
+    "2fa": "Dvoufázové ověření",
+    "2faCode": "TOTP kód"
+  },
+  "setup": {
+    "welcome": "Vítejte u první instalace wg-easy",
+    "welcomeDesc": "Našli jste nejjednodušší způsob, jak instalovat a spravovat WireGuard na jakémkoliv Linuxovém hostiteli",
+    "existingSetup": "Máte již existující nastavení?",
+    "createAdminDesc": "Nejprve zadejte uživatelské jméno administrátora a silné heslo. Tyto údaje budou použity pro přihlášení do administrace.",
+    "setupConfigDesc": "Zadejte údaje o hostiteli a portu. Tyto informace budou použity pro konfiguraci klientů při nastavování WireGuard na jejich zařízeních.",
+    "setupMigrationDesc": "Pokud chcete migrovat data z předchozí verze wg-easy do nové instalace, nahrajte soubor se zálohou.",
+    "upload": "Nahrát",
+    "migration": "Obnovit zálohu:",
+    "createAccount": "Vytvořit účet",
+    "successful": "Nastavení bylo úspěšné",
+    "hostDesc": "Veřejný název hostitele, ke kterému se budou klienti připojovat",
+    "portDesc": "Veřejný UDP port, ke kterému se budou klienti připojovat a na kterém bude WireGuard naslouchat"
+  },
+  "update": {
+    "updateAvailable": "Je k dispozici aktualizace!",
+    "update": "Aktualizovat"
+  },
+  "theme": {
+    "dark": "Tmavý režim",
+    "light": "Světlý režim",
+    "system": "Systémové nastavení"
+  },
+  "layout": {
+    "toggleCharts": "Zobrazit/skrýt grafy",
+    "donate": "Přispět"
+  },
+  "login": {
+    "signIn": "Přihlásit se",
+    "rememberMe": "Zapamatovat si mě",
+    "rememberMeDesc": "Zůstat přihlášen i po zavření prohlížeče",
+    "insecure": "Nemůžete se přihlásit přes nezabezpečené připojení. Použijte HTTPS.",
+    "2faRequired": "Je vyžadováno dvoufázové ověření",
+    "2faWrong": "Neplatný kód dvoufázového ověření"
+  },
+  "client": {
+    "empty": "Zatím zde nejsou žádní klienti.",
+    "newShort": "Nový",
+    "sort": "Seřadit",
+    "create": "Vytvořit klienta",
+    "created": "Klient vytvořen",
+    "new": "Nový klient",
+    "name": "Jméno",
+    "expireDate": "Datum vypršení",
+    "expireDateDesc": "Datum, kdy bude klient deaktivován. Ponechte prázdné pro trvalý přístup.",
+    "delete": "Smazat",
+    "deleteClient": "Smazat klienta",
+    "deleteDialog1": "Opravdu chcete smazat uživatele",
+    "deleteDialog2": "Tuto akci nelze vzít zpět.",
+    "enabled": "Aktivní",
+    "address": "Adresa",
+    "serverAllowedIps": "Povolené IP adresy serveru",
+    "otlDesc": "Generovat krátký jednorázový odkaz",
+    "permanent": "Trvalý",
+    "createdOn": "Vytvořeno dne ",
+    "lastSeen": "Naposledy viděn ",
+    "totalDownload": "Celkem staženo: ",
+    "totalUpload": "Celkem nahráno: ",
+    "newClient": "Nový klient",
+    "disableClient": "Deaktivovat klienta",
+    "enableClient": "Aktivovat klienta",
+    "noPrivKey": "Tento klient nemá známý soukromý klíč. Nelze vytvořit konfiguraci.",
+    "showQR": "Zobrazit QR kód",
+    "downloadConfig": "Stáhnout konfiguraci",
+    "allowedIpsDesc": "Které IP adresy budou směrovány přes VPN (přebíjí globální nastavení)",
+    "serverAllowedIpsDesc": "Které IP adresy bude server směrovat ke klientovi",
+    "mtuDesc": "Nastavuje maximální velikost přenášeného paketu (MTU) pro VPN tunel",
+    "persistentKeepaliveDesc": "Nastavuje interval (v sekundách) pro udržovací pakety. 0 pro vypnutí",
+    "hooks": "Hooky",
+    "hooksDescription": "Hooky fungují pouze s wg-quick",
+    "hooksLeaveEmpty": "Pouze pro wg-quick. Jinak ponechte prázdné",
+    "dnsDesc": "DNS server, který budou klienti používat (přebíjí globální nastavení)",
+    "notConnected": "Klient není připojen",
+    "endpoint": "Koncový bod",
+    "endpointDesc": "IP adresa klienta, ze které je navázáno spojení WireGuard",
+    "search": "Hledat klienty...",
+    "config": "Konfigurace",
+    "viewConfig": "Zobrazit konfiguraci"
+  },
+  "dialog": {
+    "change": "Změnit",
+    "cancel": "Zrušit",
+    "create": "Vytvořit"
+  },
+  "toast": {
+    "success": "Úspěch",
+    "saved": "Uloženo",
+    "error": "Chyba"
+  },
+  "form": {
+    "actions": "Akce",
+    "save": "Uložit",
+    "revert": "Vrátit změny",
+    "sectionGeneral": "Obecné",
+    "sectionAdvanced": "Pokročilé",
+    "noItems": "Žádné položky",
+    "nullNoItems": "Žádné položky. Používá se globální konfigurace",
+    "add": "Přidat"
+  },
+  "admin": {
+    "general": {
+      "sessionTimeout": "Vypršení relace",
+      "sessionTimeoutDesc": "Doba trvání relace pro 'Zapamatovat si mě' (sekundy)",
+      "metrics": "Metriky",
+      "metricsPassword": "Heslo",
+      "metricsPasswordDesc": "Bearer heslo pro koncový bod metrik (heslo nebo argon2 hash)",
+      "json": "JSON",
+      "jsonDesc": "Cesta pro metriky ve formátu JSON",
+      "prometheus": "Prometheus",
+      "prometheusDesc": "Cesta pro metriky Prometheus"
+    },
+    "config": {
+      "connection": "Připojení",
+      "hostDesc": "Veřejný název hostitele, ke kterému se klienti připojují (zneplatní stávající konfigurace)",
+      "portDesc": "Veřejný UDP port, ke kterému se klienti připojují (zneplatní stávající konfigurace, pravděpodobně budete chtít změnit i Port rozhraní)",
+      "allowedIpsDesc": "Povolené IP adresy, které budou klienti používat (globální nastavení)",
+      "dnsDesc": "DNS server, který budou klienti používat (globální nastavení)",
+      "mtuDesc": "MTU, které budou klienti používat (pouze pro nové klienty)",
+      "persistentKeepaliveDesc": "Interval v sekundách pro odesílání udržovacích paketů na server. 0 = vypnuto (pouze pro nové klienty)",
+      "suggest": "Navrhnout",
+      "suggestDesc": "Vyberte IP adresu nebo název hostitele pro pole Hostitel"
+    },
+    "interface": {
+      "cidrSuccess": "CIDR změněn",
+      "device": "Zařízení",
+      "deviceDesc": "Ethernetové zařízení, přes které má být provoz WireGuard přeposílán",
+      "mtuDesc": "MTU, které bude WireGuard používat",
+      "portDesc": "UDP port, na kterém bude WireGuard naslouchat (pravděpodobně budete chtít změnit i Konfigurační port)",
+      "changeCidr": "Změnit CIDR",
+      "restart": "Restartovat rozhraní",
+      "restartDesc": "Restartovat rozhraní WireGuard",
+      "restartWarn": "Opravdu chcete restartovat rozhraní? Dojde k odpojení všech klientů.",
+      "restartSuccess": "Rozhraní bylo restartováno"
+    },
+    "introText": "Vítejte v administraci.\n\nZde můžete spravovat obecná nastavení, konfiguraci, nastavení rozhraní a hooky.\n\nZačněte výběrem jedné ze sekcí v bočním panelu."
+  },
+  "zod": {
+    "generic": {
+      "required": "Pole {0} je povinné",
+      "validNumber": "{0} musí být platné číslo",
+      "validNumberRange": "{0} musí být platné číslo nebo rozsah čísel",
+      "validString": "{0} musí být platný řetězec",
+      "validBoolean": "{0} musí být platná logická hodnota",
+      "validArray": "{0} musí být platné pole",
+      "stringMin": "{0} musí mít alespoň {1} znak(ů)",
+      "numberMin": "{0} musí být alespoň {1}"
+    },
+    "client": {
+      "id": "ID klienta",
+      "name": "Jméno",
+      "expiresAt": "Vyprší dne",
+      "address4": "IPv4 adresa",
+      "address6": "IPv6 adresa",
+      "serverAllowedIps": "Povolené IP adresy serveru"
+    },
+    "user": {
+      "username": "Uživatelské jméno",
+      "password": "Heslo",
+      "remember": "Pamatovat si",
+      "name": "Jméno",
+      "email": "E-mail",
+      "emailInvalid": "E-mail musí být platná e-mailová adresa",
+      "passwordMatch": "Hesla se musí shodovat",
+      "totpEnable": "Zapnout TOTP",
+      "totpEnableTrue": "Zapnutí TOTP musí být potvrzeno",
+      "totpCode": "TOTP kód"
+    },
+    "userConfig": {
+      "host": "Hostitel"
+    },
+    "general": {
+      "sessionTimeout": "Vypršení relace",
+      "metricsEnabled": "Metriky",
+      "metricsPassword": "Heslo k metrikám"
+    },
+    "interface": {
+      "cidr": "CIDR",
+      "device": "Zařízení",
+      "cidrValid": "CIDR musí být platný"
+    },
+    "otl": "Jednorázový odkaz",
+    "stringMalformed": "Řetězec má nesprávný formát",
+    "body": "Tělo požadavku musí být platný objekt",
+    "hook": "Hook",
+    "enabled": "Aktivní",
+    "mtu": "MTU",
+    "port": "Port",
+    "persistentKeepalive": "Persistent Keepalive",
+    "address": "IP adresa",
+    "dns": "DNS",
+    "allowedIps": "Povolené IP adresy",
+    "file": "Soubor"
+  },
+  "hooks": {
+    "preUp": "PreUp",
+    "postUp": "PostUp",
+    "preDown": "PreDown",
+    "postDown": "PostDown"
+  },
+  "copy": {
+    "notSupported": "Kopírování není podporováno",
+    "copied": "Zkopírováno!",
+    "failed": "Kopírování selhalo",
+    "copy": "Kopírovat"
+  },
+  "awg": {
+    "jCLabel": "Počet junk paketů (Jc)",
+    "jCDescription": "Počet odesílaných junk paketů (1-128, doporučeno: 4-12)",
+    "jMinLabel": "Min. velikost junk paketu (Jmin)",
+    "jMinDescription": "Minimální velikost junk paketů (0-1279*, doporučeno: 8, musí být < Jmax)",
+    "jMaxLabel": "Max. velikost junk paketu (Jmax)",
+    "jMaxDescription": "Maximální velikost junk paketů (1-1280*, doporučeno: 80, musí být > Jmin)",
+    "s1Label": "Velikost junk dat u Init paketu (S1)",
+    "s1Description": "Velikost junk dat u Init paketu (0-1132, doporučeno: 15-150, S1+56 ≠ S2)",
+    "s2Label": "Velikost junk dat u Response paketu (S2)",
+    "s2Description": "Velikost junk dat u Response paketu (0-1188, doporučeno: 15-150)",
+    "s3Label": "Velikost junk dat u Cookie reply paketu (S3)",
+    "s3Description": "Velikost junk dat u paketu s odpovědí na cookie",
+    "s4Label": "Velikost junk dat u Transport paketu (S4)",
+    "s4Description": "Velikost junk dat u transportního paketu",
+    "h1Label": "Init magic header (H1)",
+    "h1Description": "Hodnota nebo rozsah hlavičky Init paketu (X nebo X-Y, kde X<Y. Min 5, max 2147483647. Nesmí se překrývat s ostatními hlavičkami)",
+    "h2Label": "Response magic header (H2)",
+    "h2Description": "Hodnota nebo rozsah hlavičky Response paketu (X nebo X-Y, kde X<Y. Min 5, max 2147483647. Nesmí se překrývat s ostatními hlavičkami)",
+    "h3Label": "Cookie reply magic header (H3)",
+    "h3Description": "Hodnota nebo rozsah hlavičky Cookie reply paketu (X nebo X-Y, kde X<Y. Min 5, max 2147483647. Nesmí se překrývat s ostatními hlavičkami)",
+    "h4Label": "Transport magic header (H4)",
+    "h4Description": "Hodnota nebo rozsah hlavičky Transport paketu (X nebo X-Y, kde X<Y. Min 5, max 2147483647. Nesmí se překrývat s ostatními hlavičkami)",
+    "i1Label": "Speciální junk paket 1 (I1)",
+    "i1Description": "Paket pro napodobení protokolu v hex formátu: <b 0x...>",
+    "i2Label": "Speciální junk paket 2 (I2)",
+    "i2Description": "Paket pro napodobení protokolu v hex formátu: <b 0x...>",
+    "i3Label": "Speciální junk paket 3 (I3)",
+    "i3Description": "Paket pro napodobení protokolu v hex formátu: <b 0x...>",
+    "i4Label": "Speciální junk paket 4 (I4)",
+    "i4Description": "Paket pro napodobení protokolu v hex formátu: <b 0x...>",
+    "i5Label": "Speciální junk paket 5 (I5)",
+    "i5Description": "Paket pro napodobení protokolu v hex formátu: <b 0x...>",
+    "mtuNote": "Hodnoty závisí na nastavení MTU",
+    "obfuscationParameters": "AmneziaWG parametry obfuskace"
+  }
+}

src/i18n/locales/de.json

@@ -11,12 +11,12 @@
     }
   },
   "user": {
-    "email": "Email"
+    "email": "E-Mail"
   },
   "me": {
     "currentPassword": "Aktuelles Passwort",
-    "enable2fa": "Zwei-Faktor-Authentifizierunng aktivieren",
-    "enable2faDesc": "Scannen Sie den QR-Code mit ihrer Authentifizierungs-App oder geben Sie den Schlüssel manuell ein.",
+    "enable2fa": "Zwei-Faktor-Authentifizierung aktivieren",
+    "enable2faDesc": "Scannen Sie den QR-Code mit Ihrer Authentifizierungs-App oder geben Sie den Schlüssel manuell ein.",
     "2faKey": "TOTP-Schlüssel",
     "2faCodeDesc": "Geben Sie den Code aus Ihrer Authentifizierungs-App ein.",
     "disable2fa": "Zwei-Faktor-Authentifizierung deaktivieren",
@@ -45,26 +45,26 @@
   },
   "setup": {
     "welcome": "Willkommen zur Ersteinrichtung von wg-easy",
-    "welcomeDesc": "Das ist der einfachste Weg, um Wireguard auf jedem Linux-Server zu installieren und zu betreiben.",
+    "welcomeDesc": "Sie haben den einfachsten Weg gefunden, WireGuard auf jedem Linux-Server zu installieren und zu verwalten.",
     "existingSetup": "Haben Sie eine bestehende Einrichtung?",
-    "createAdminDesc": "Bitte geben Sie zuerst einen Admin-Benutzernamen sowie ein starkes, sicheres Passwort ein. Diese Anmeldedaten benötigen Sie, um sich im Admin-Panel anzumelden.",
+    "createAdminDesc": "Bitte geben Sie zuerst einen Admin-Benutzernamen sowie ein starkes, sicheres Passwort ein. Diese Anmeldedaten benötigen Sie, um sich in der Admin-Konsole anzumelden.",
     "setupConfigDesc": "Bitte geben Sie die Host- und Portinformationen ein. Diese werden für die Client-Konfiguration verwendet, wenn Sie WireGuard auf Ihren Geräten einrichten.",
     "setupMigrationDesc": "Bitte halten Sie die Sicherungsdatei bereit, wenn Sie Ihre Daten von Ihrer vorherigen wg-easy Version auf ihre neue Einrichtung migrieren möchten.",
     "upload": "Hochladen",
-    "migration": "Sicherung wiederherstellen:",
+    "migration": "Backup wiederherstellen:",
     "createAccount": "Konto erstellen",
     "successful": "Einrichtung erfolgreich",
     "hostDesc": "Öffentlicher Hostname mit dem sich die Clients verbinden",
-    "portDesc": "Öffentlicher UDP-Port an dem sich die Clients verbinden und auf dem Wireguard läuft"
+    "portDesc": "Öffentlicher UDP-Port an dem sich die Clients verbinden und auf dem WireGuard läuft"
   },
   "update": {
-    "updateAvailable": "Es ist ein neue Aktualisierung verfügbar!",
+    "updateAvailable": "Ein neues Update ist verfügbar!",
     "update": "Aktualisieren"
   },
   "theme": {
     "dark": "Dunkles Thema",
     "light": "Helles Thema",
-    "system": "System-Thema"
+    "system": "System Thema"
   },
   "layout": {
     "toggleCharts": "Statistiken ein-/ausblenden",
@@ -84,16 +84,17 @@
     "sort": "Sortieren",
     "create": "Client erstellen",
     "created": "Client wurde erstellt",
-    "new": "Neuer client",
+    "new": "Neuer Client",
     "name": "Name",
     "expireDate": "Ablaufdatum",
-    "expireDateDesc": "Datum, an dem der Client deaktiviert wird. Leer lassen, damit dies nie passiert.",
+    "expireDateDesc": "Datum, an dem der Client deaktiviert wird. Leer lassen für dauerhaft aktiv.",
+    "delete": "Löschen",
     "deleteClient": "Client löschen",
-    "deleteDialog1": "Sind Sie sicher, dass Sie diesen Client löschen wollen",
+    "deleteDialog1": "Sind Sie sicher, dass Sie diesen Client löschen möchten",
     "deleteDialog2": "Diese Aktion kann nicht rückgängig gemacht werden.",
     "enabled": "Aktiviert",
     "address": "Adresse",
-    "serverAllowedIps": "serverseitig erlaubte IP-Adressen",
+    "serverAllowedIps": "Serverseitig erlaubte IP-Adressen",
     "otlDesc": "Einen kurzen Einmal-Link erzeugen",
     "permanent": "Dauerhaft",
     "createdOn": "Angelegt am ",
@@ -112,8 +113,18 @@
     "persistentKeepaliveDesc": "Legt das Intervall (in Sekunden) für Keepalive-Pakete fest. 0 deaktiviert es",
     "hooks": "Hooks",
     "hooksDescription": "Hooks funktionieren nur mit wg-quick",
-    "hooksLeaveEmpty": "Nur für wg-quick. Sonst leer lassen",
-    "dnsDesc": "DNS-Server, den die Clients benutzen (überschreibt die globale Konfiguration)"
+    "hooksLeaveEmpty": "Nur für wg-quick. Andernfalls leer lassen",
+    "dnsDesc": "DNS-Server, den die Clients benutzen (überschreibt die globale Konfiguration)",
+    "notConnected": "Client nicht verbunden",
+    "endpoint": "Endpunkt",
+    "endpointDesc": "IP-Adresse des Clients, von dem aus die WireGuard-Verbindung hergestellt wird",
+    "search": "Suche Clients...",
+    "config": "Konfiguration",
+    "viewConfig": "Konfiguration anzeigen",
+    "firewallIps": "Firewall erlaubte IPs",
+    "firewallIpsDesc": "Ziel-IPs/CIDRs, auf die dieser Client zugreifen darf (serverseitig erzwingen). Lassen Sie das Feld leer, um die Liste der zugelassenen IPs zu verwenden. Unterstützt optionale Port- und Protokollfilterung. Die Syntax finden Sie in der Dokumentation.",
+    "downloadPng": "Herunterladen PNG",
+    "copyPng": "Kopieren PNG"
   },
   "dialog": {
     "change": "Ändern",
@@ -123,7 +134,8 @@
   "toast": {
     "success": "Erfolg",
     "saved": "Gespeichert",
-    "error": "Fehler"
+    "error": "Fehler",
+    "unknown": "Unbekannter Fehler. Weitere Informationen finden Sie in der Konsole."
   },
   "form": {
     "actions": "Aktionen",
@@ -150,25 +162,28 @@
     "config": {
       "connection": "Verbindung",
       "hostDesc": "Öffentlicher Hostname mit dem sich die Clients verbinden (überschreibt die Konfiguration)",
-      "portDesc": "Öffentlicher UDP-Port an dem sich die Clients verbinden (überschreibt die Konfiguration, vermutlich wollen Sie ebenfalls den Port der Weboberfläche ändern)",
+      "portDesc": "Öffentlicher UDP-Port an dem sich die Clients verbinden (überschreibt die Konfiguration, vermutlich wollen Sie auch den Interface-Port ändern)",
       "allowedIpsDesc": "Erlaubte IP-Adressen, die die Clients nutzen werden (Globale Konfiguration)",
       "dnsDesc": "DNS-Server, den die Clients nutzen werden (Globale Konfiguration)",
       "mtuDesc": "MTU, den die Clients benutzen werden (nur für neue Clients)",
-      "persistentKeepaliveDesc": "Intervall in Sekunden, in dem Keepalive-Packete an den Server gesendet werden. 0 = deaktiviert (nur für neue Clients)",
+      "persistentKeepaliveDesc": "Intervall in Sekunden, in dem Keepalive-Pakete an den Server gesendet werden. 0 = deaktiviert (nur für neue Clients)",
       "suggest": "Vorschlagen",
       "suggestDesc": "Wählen Sie eine IP-Adresse oder einen Hostnamen für das Host-Feld aus"
     },
     "interface": {
       "cidrSuccess": "CIDR wurde geändert",
       "device": "Gerät",
-      "deviceDesc": "Ethernet-Gerät, durch das der Wireguard-Datenverkehr geleitet werden soll",
+      "deviceDesc": "Ethernet-Gerät, durch das der WireGuard-Datenverkehr geleitet werden soll",
       "mtuDesc": "MTU, den WireGuard benutzen wird",
-      "portDesc": "UDP Port, auf dem WireGuard lauschen wird (Sie wollen wahrscheinlich auch den Config-Port ändern)",
+      "portDesc": "UDP-Port, auf dem WireGuard lauschen wird (Sie wollen wahrscheinlich auch den Interface-Port ändern)",
       "changeCidr": "CIDR ändern",
       "restart": "Interface neu starten",
       "restartDesc": "Das WireGuard-Interface neu starten",
-      "restartWarn": "Sind Sie sicher, dass Sie das Interface neu starten wollen? Dies wird die Verbindungen aller Clients trennen.",
-      "restartSuccess": "Interface neu gestartet"
+      "restartWarn": "Sind Sie sicher, dass Sie das Interface neu starten möchten? Dies wird die Verbindungen aller Clients trennen.",
+      "restartSuccess": "Interface neu gestartet",
+      "firewall": "Datenverkehr Filterung",
+      "firewallEnabled": "Firewall pro Client aktivieren",
+      "firewallEnabledDesc": "Beschränken Sie den Client-Datenverkehr mithilfe von iptables auf bestimmte Ziel-IP-Adressen. Bei Aktivierung kann für jeden Client eine Liste der zulässigen Ziele konfiguriert werden."
     },
     "introText": "Willkommen in der Admin-Konsole.\n\nHier können Sie die allgemeinen Einstellungen, die Konfiguration, die Schnittstelleneinstellungen und die Hooks verwalten.\n\nBeginnen Sie, indem Sie einen der Bereiche in der Seitenleiste auswählen."
   },
@@ -176,6 +191,7 @@
     "generic": {
       "required": "{0} ist erforderlich",
       "validNumber": "{0} muss eine Zahl sein",
+      "validNumberRange": "{0} muss eine gültige Zahl oder ein gültiger Zahlenbereich sein",
       "validString": "{0} muss eine Zeichenkette sein",
       "validBoolean": "{0} muss ein Wahrheitswert sein",
       "validArray": "{0} muss eine Liste sein",
@@ -188,15 +204,17 @@
       "expiresAt": "Läuft ab am",
       "address4": "IPv4-Adresse",
       "address6": "IPv6-Adresse",
-      "serverAllowedIps": "serverseitig erlaubte IP-Adressen"
+      "serverAllowedIps": "Serverseitig erlaubte IP-Adressen",
+      "firewallIps": "Von der Firewall zugelassene IP-Adressen",
+      "firewallIpsInvalid": "Ungültiger IP-Eintrag in der Firewall. Informationen zur unterstützten Syntax finden Sie in der Dokumentation."
     },
     "user": {
       "username": "Benutzername",
       "password": "Passwort",
       "remember": "Merken",
       "name": "Name",
-      "email": "Email",
-      "emailInvalid": "Die Email-Adresse muss valide sein",
+      "email": "E-Mail",
+      "emailInvalid": "Die E-Mail-Adresse muss gültig sein",
       "passwordMatch": "Die Passwörter müssen übereinstimmen",
       "totpEnable": "TOTP aktivieren",
       "totpEnableTrue": "\"TOTP aktivieren\" muss ausgewählt sein",
@@ -212,8 +230,8 @@
     },
     "interface": {
       "cidr": "CIDR",
-      "device": "Geräte",
-      "cidrValid": "CIDR muss valide sein"
+      "device": "Gerät",
+      "cidrValid": "CIDR muss gültig sein"
     },
     "otl": "Einmal-Link",
     "stringMalformed": "Zeichenkette ist fehlerhaft",
@@ -233,5 +251,47 @@
     "postUp": "PostUp",
     "preDown": "PreDown",
     "postDown": "PostDown"
+  },
+  "copy": {
+    "notSupported": "Kopieren ist nicht unterstützt",
+    "copied": "Kopiert!",
+    "failed": "Kopieren fehlgeschlagen",
+    "copy": "Kopieren"
+  },
+  "awg": {
+    "jCLabel": "Anzahl der Junk-Pakete (Jc)",
+    "jCDescription": "Anzahl der zu sendenden Junk-Pakete (1-128, empfohlen: 4-12)",
+    "jMinLabel": "Minimale Junk-Paketgröße (Jmin)",
+    "jMinDescription": "Mindestgröße von Junk-Paketen (0-1279*, empfohlen: 8, muss < Jmax sein)",
+    "jMaxLabel": "Maximale Junk-Paketgröße (Jmax)",
+    "jMaxDescription": "Maximalgröße von Junk-Paketen (1-1280*, empfohlen: 80, muss > Jmin sein)",
+    "s1Label": "Junk-Paketgröße des Init-Pakets (S1)",
+    "s1Description": "Junk-Paketgröße des Init-Pakets (0-1132[1280* - 148 = 1132], empfohlen: 15-150, S1+56 ≠ S2)",
+    "s2Label": "Junk-Paketgröße des Antwort-Pakets (S2)",
+    "s2Description": "Junk-Paketgröße des Antwort-Pakets (0-1188[1280* - 92 = 1188], empfohlen: 15-150)",
+    "s3Label": "Junk-Paketgröße des Cookie-Antwort-Pakets (S3)",
+    "s3Description": "Junk-Paketgröße des Cookie-Antwort-Pakets",
+    "s4Label": "Junk-Paketgröße des Transport-Pakets (S4)",
+    "s4Description": "Junk-Paketgröße des Transport-Pakets",
+    "h1Label": "Init-Magic-Header (H1)",
+    "h1Description": "Wert des Init-Paket-Headers (5-2147483647, muss eindeutig zu H2-H4 sein)",
+    "h2Label": "Antwort-Magic-Header (H2)",
+    "h2Description": "Wert des Antwort-Paket-Headers (5-2147483647, muss eindeutig zu H1, H3, H4 sein)",
+    "h3Label": "Cookie-Antwort-Magic-Header (H3)",
+    "h3Description": "Wert des Cookie-Antwort-Paket-Headers (5-2147483647, muss eindeutig zu H1, H2, H4 sein)",
+    "h4Label": "Transport-Magic-Header (H4)",
+    "h4Description": "Wert des Transport-Paket-Headers (5-2147483647, muss eindeutig zu H1-H3 sein)",
+    "i1Label": "Spezial-Junk-Paket 1 (I1)",
+    "i1Description": "Protokoll-Nachahmungspaket im Hex-Format: <b 0x...>",
+    "i2Label": "Spezial-Junk-Paket 2 (I2)",
+    "i2Description": "Protokoll-Nachahmungspaket im Hex-Format: <b 0x...>",
+    "i3Label": "Spezial-Junk-Paket 3 (I3)",
+    "i3Description": "Protokoll-Nachahmungspaket im Hex-Format: <b 0x...>",
+    "i4Label": "Spezial-Junk-Paket 4 (I4)",
+    "i4Description": "Protokoll-Nachahmungspaket im Hex-Format: <b 0x...>",
+    "i5Label": "Spezial-Junk-Paket 5 (I5)",
+    "i5Description": "Protokoll-Nachahmungspaket im Hex-Format: <b 0x...>",
+    "mtuNote": "Werte hängen von der MTU ab",
+    "obfuscationParameters": "AmneziaWG Verschleierungsparameter"
   }
 }