feat: add network secret for registration validation

src/args_config.rs

@@ -15,6 +15,7 @@ use vnt_ipc::port_mapping::PortMapping;
 pub struct FileConfig {
     pub server: Option<Vec<String>>,
     pub network_code: Option<String>,
+    pub network_secret: Option<String>,
     pub ip: Option<Ipv4Addr>,
     pub no_punch: Option<bool>,
     pub rtx: Option<bool>,
@@ -91,6 +92,9 @@ pub struct Args {
     pub network_code: Option<String>,
     #[clap(short = 'k', long, hide = true)]
     pub token: Option<String>,
+    /// Network join secret used for registration validation
+    #[clap(long)]
+    pub network_secret: Option<String>,
     /// 自定义虚拟IP
     #[clap(long)]
     pub ip: Option<Ipv4Addr>,
@@ -235,6 +239,7 @@ fn build_from_args_and_file(args: Args, file: FileConfig) -> anyhow::Result<(Con
     let config = Config {
         server_addr,
         network_code,
+        network_secret: args.network_secret.or_else(|| file.network_secret.clone()),
         ip: args.ip.or(file.ip),
         no_punch: args.no_punch || file.no_punch.unwrap_or(false),
         rtx: args.rtx || file.rtx.unwrap_or(false),
@@ -276,6 +281,7 @@ fn build_from_args_only(args: Args) -> anyhow::Result<(Config, CtrlConfig)> {
         network_code: args
             .network_code
             .ok_or_else(|| anyhow!("network_code is required"))?,
+        network_secret: args.network_secret,
         ip: args.ip,
         no_punch: args.no_punch,
         rtx: args.rtx,
@@ -335,6 +341,7 @@ fn build_from_file_only(file: FileConfig) -> anyhow::Result<(Config, CtrlConfig)
         network_code: file
             .network_code
             .ok_or_else(|| anyhow!("network_code is required"))?,
+        network_secret: file.network_secret.clone(),
         ip: file.ip,
         no_punch: file.no_punch.unwrap_or(false),
         rtx: file.rtx.unwrap_or(false),
@@ -450,6 +457,10 @@ server = ["quic://1.2.3.4:29872"]
 # --- 安全配置 ---
 
 # 加密密码 (可选)
+# Join secret for server-side admission control (optional)
+# network_secret = "replace_with_a_long_random_secret"
+
+# Data-plane packet encryption password (optional)
 # password = "123456"
 
 # 证书校验方式：

src/main_cli.rs

@@ -74,8 +74,11 @@ async fn main0() -> anyhow::Result<()> {
         log::info!("Sub network output:{x}");
     }
 
-    if let Some(password_sign) = config.key_sign() {
-        log::info!("password sign: {:?}", password_sign);
+    if config.network_secret.is_some() {
+        log::info!("network authentication: enabled");
+    }
+    if config.password.is_some() {
+        log::info!("payload encryption: enabled");
     }
 
     let group_manager = TaskGroupManager::new();

vnt-core/src/context/config.rs

@@ -1,4 +1,3 @@
-use crate::crypto::PacketCrypto;
 use crate::nat::NetInput;
 use crate::port_mapping::PortMapping;
 use crate::tls::verifier::CertValidationMode;
@@ -19,6 +18,7 @@ pub struct Config {
     pub server_addr: Vec<ProtocolAddress>,
     pub cert_mode: CertValidationMode,
     pub network_code: String,
+    pub network_secret: Option<String>,
     pub device_id: String,
     pub device_name: String,
     pub tun_name: Option<String>,
@@ -85,17 +85,17 @@ impl Config {
         Ok(())
     }
     pub fn key_sign(&self) -> Option<String> {
-        self.password.as_ref().map(|p| PacketCrypto::key_sign(p))
+        self.network_secret.clone()
     }
     pub(crate) fn to_connect_config(&self, index: usize) -> ConnectRegConfig {
         ConnectRegConfig {
             server_addr: self.server_addr[index].clone(),
             cert_mode: self.cert_mode.clone(),
             network_code: self.network_code.clone(),
+            key_sign: self.key_sign(),
             device_id: self.device_id.clone(),
             device_name: self.device_name.clone(),
             ip: self.ip,
-            key_sign: self.key_sign(),
             ip_variable: self.ip.is_none(),
         }
     }

vnt-core/src/tunnel_core/p2p/inbound.rs

@@ -280,10 +280,8 @@ impl P2pInboundHandler {
             }
             MsgType::RelayProbeReply => {
                 let metric = ctx.max_ttl - ctx.ttl;
-                self.route_table.add_route(
-                    ctx.src_ip,
-                    Route::from_default_rt(route_key, metric),
-                );
+                self.route_table
+                    .add_route(ctx.src_ip, Route::from_default_rt(route_key, metric));
             }
             _ => {}
         }

vnt-core/src/tunnel_core/p2p/transport/task.rs

@@ -145,10 +145,7 @@ pub async fn ping_all(
         }
     }
 }
-pub async fn route_timeout_task(
-    route_table: RouteTable,
-    packet_loss_stats: PacketLossStats,
-) {
+pub async fn route_timeout_task(route_table: RouteTable, packet_loss_stats: PacketLossStats) {
     loop {
         tokio::time::sleep(Duration::from_secs(10)).await;
         let expired_time = std::time::Instant::now() - Duration::from_secs(10);

vnt-jni/java_example/AndroidVpnExample.java

@@ -38,7 +38,8 @@ private void startVpn() throws Exception {
         VntConfig config = new VntConfig.Builder()
                 .addServer("tcp://101.35.230.139:6660")
                 .setNetworkCode("your_network_code")
-                .setPassword("123456")
+                .setNetworkSecret("replace_with_a_long_random_secret")
+                .setPassword("optional_packet_password")
                 .setDeviceName("AndroidDevice")
                 .setCompress(true)
                 .setMtu(1380)

vnt-jni/java_example/com/vnt/VntConfig.java

@@ -14,6 +14,7 @@ public class VntConfig {
 
     private final List<String> servers;
     private final String networkCode;
+    private final String networkSecret;
     private final String password;
     private final String deviceId;
     private final String deviceName;
@@ -35,6 +36,7 @@ public class VntConfig {
     private VntConfig(Builder builder) {
         this.servers = builder.servers;
         this.networkCode = builder.networkCode;
+        this.networkSecret = builder.networkSecret;
         this.password = builder.password;
         this.deviceId = builder.deviceId;
         this.deviceName = builder.deviceName;
@@ -69,6 +71,7 @@ String toJson() {
         json.put("network_code", networkCode);
 
         // 可选项
+        if (networkSecret != null) json.put("network_secret", networkSecret);
         if (password != null) json.put("password", password);
         if (deviceId != null) json.put("device_id", deviceId);
         if (deviceName != null) json.put("device_name", deviceName);
@@ -120,6 +123,7 @@ String toJson() {
     public static class Builder {
         private List<String> servers = new ArrayList<>();
         private String networkCode;
+        private String networkSecret;
         private String password;
         private String deviceId;
         private String deviceName;
@@ -157,7 +161,15 @@ public Builder setNetworkCode(String networkCode) {
         }
 
         /**
-         * 设置密码（可选）
+         * Set the join secret used for network admission validation.
+         */
+        public Builder setNetworkSecret(String networkSecret) {
+            this.networkSecret = networkSecret;
+            return this;
+        }
+
+        /**
+         * Set the optional packet encryption password.
          */
         public Builder setPassword(String password) {
             this.password = password;

vnt-jni/src/lib.rs

@@ -812,6 +812,8 @@ fn parse_config_from_json(json_str: &str) -> anyhow::Result<Config> {
         server: Vec<String>,
         network_code: String,
         #[serde(default)]
+        network_secret: Option<String>,
+        #[serde(default)]
         device_id: Option<String>,
         #[serde(default)]
         device_name: Option<String>,
@@ -910,6 +912,7 @@ fn parse_config_from_json(json_str: &str) -> anyhow::Result<Config> {
     Ok(Config {
         server_addr: server_addrs,
         network_code: cfg.network_code,
+        network_secret: cfg.network_secret,
         ip: cfg.ip,
         no_punch: cfg.no_punch,
         rtx: cfg.rtx,

vnt-web/src/service_http.rs

@@ -165,6 +165,7 @@ pub struct StartConfig {
     pub server: Vec<String>,
     pub cert_mode: Option<String>,
     pub network_code: String,
+    pub network_secret: Option<String>,
     pub device_id: Option<String>,
     pub device_name: Option<String>,
     pub tun_name: Option<String>,
@@ -938,6 +939,7 @@ fn convert_config(cfg: StartConfig) -> anyhow::Result<CoreConfig> {
     Ok(CoreConfig {
         server_addr: server_addrs,
         network_code: cfg.network_code,
+        network_secret: cfg.network_secret,
         ip: cfg.ip,
         no_punch: cfg.no_punch,
         rtx: cfg.rtx,

vnt-web/static/index.html

@@ -1044,8 +1044,11 @@ <h4 class="text-md font-bold text-red-400 mb-4 flex items-center">
                                 <div class="space-y-4">
                                     <div class="grid grid-cols-1 md:grid-cols-2 gap-4">
                                         <div>
-                                            <label class="block text-sm font-medium text-slate-300 mb-2">组网加密密码(连接公共服务器时建议填写，同一组网密码需要相同)</label>
-                                            <input v-model="formData.password" type="password" placeholder="留空则不加密"
+                                            <label class="block text-sm font-medium text-slate-300 mb-2">入网验证密钥</label>
+                                            <input v-model="formData.network_secret" type="password" placeholder="建议使用长随机密钥"
+                                                   class="w-full bg-slate-800 border border-slate-600 rounded-lg px-3 py-2 text-white placeholder-slate-500 focus:ring-2 focus:ring-blue-500 focus:border-transparent mb-4">
+                                            <label class="block text-sm font-medium text-slate-300 mb-2">数据包加密口令</label>
+                                            <input v-model="formData.password" type="password" placeholder="留空则不加密数据"
                                                    class="w-full bg-slate-800 border border-slate-600 rounded-lg px-3 py-2 text-white placeholder-slate-500 focus:ring-2 focus:ring-blue-500 focus:border-transparent">
                                         </div>
                                         <div>
@@ -1743,6 +1746,7 @@ <h2 class="text-xl font-bold text-white">路由表</h2>
                 device_name: "",
                 device_id: "",
                 tun_name: "",
+                network_secret: "",
                 password: "",
                 cert_mode: "skip",
                 fingerprint: "",
@@ -1772,6 +1776,7 @@ <h2 class="text-xl font-bold text-white">路由表</h2>
                     device_name: "",
                     device_id: "",
                     tun_name: "",
+                    network_secret: "",
                     password: "",
                     cert_mode: "skip",
                     fingerprint: "",
@@ -1844,6 +1849,9 @@ <h2 class="text-xl font-bold text-white">路由表</h2>
                     } else if (trimmed.includes('tun_name')) {
                         const match = trimmed.match(/tun_name\s*=\s*"([^"]*)"/);
                         if (match) data.tun_name = match[1];
+                    } else if (trimmed.includes('network_secret')) {
+                        const match = trimmed.match(/network_secret\s*=\s*"([^"]*)"/);
+                        if (match) data.network_secret = match[1];
                     } else if (trimmed.includes('password =')) {
                         const match = trimmed.match(/password\s*=\s*"([^"]*)"/);
                         if (match) data.password = match[1];
@@ -1982,8 +1990,12 @@ <h2 class="text-xl font-bold text-white">路由表</h2>
                 }
 
                 toml += '\n# --- 安全配置 ---\n';
+                if (formData.value.network_secret) {
+                    toml += '\n# Network join secret used for server-side admission control\n';
+                    toml += `network_secret = "${formData.value.network_secret}"\n`;
+                }
                 if (formData.value.password) {
-                    toml += '\n# 组网加密密码 (可选)\n';
+                    toml += '\n# Data-plane packet encryption password\n';
                     toml += `password = "${formData.value.password}"\n`;
                 }
                 if (formData.value.cert_mode && formData.value.cert_mode !== 'skip') {
@@ -2109,6 +2121,7 @@ <h2 class="text-xl font-bold text-white">路由表</h2>
                         device_name: "",
                         device_id: "",
                         tun_name: "",
+                        network_secret: "",
                         password: "",
                         cert_mode: "skip",
                         fingerprint: "",
@@ -2185,6 +2198,10 @@ <h2 class="text-xl font-bold text-white">路由表</h2>
 # --- 安全配置 ---
 
 # 加密密码 (可选)
+# Network join secret used for server-side admission control
+# network_secret = "replace_with_a_long_random_secret"
+
+# Data-plane packet encryption password
 # password = "123456"
 
 # 证书校验方式：