From 0a45144c4e7798e84eed49cd0b8ce0cb90b95074 Mon Sep 17 00:00:00 2001
From: Konstantinos Spartalis <scoon405@gmail.com>
Date: Tue, 28 Apr 2026 16:48:39 +0300
Subject: [PATCH] netbird: add option/auth banner (#5404)

---
 security/netbird/Makefile                     |  2 +-
 .../Netbird/Api/AuthenticationController.php  | 22 ++++----
 .../OPNsense/Netbird/forms/authentication.xml |  1 +
 .../OPNsense/Netbird/forms/settings.xml       |  8 +++
 .../OPNsense/Netbird/Authentication.xml       |  5 +-
 .../app/models/OPNsense/Netbird/Settings.php  |  1 +
 .../app/models/OPNsense/Netbird/Settings.xml  |  5 ++
 .../OPNsense/Netbird/authentication.volt      | 54 ++++++++++++-------
 8 files changed, 62 insertions(+), 36 deletions(-)

diff --git a/security/netbird/Makefile b/security/netbird/Makefile
index f7c2e956f..5d9e3ccd0 100644
--- a/security/netbird/Makefile
+++ b/security/netbird/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		netbird
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_DEPENDS=		netbird
 PLUGIN_COMMENT=		Peer-to-peer VPN that seamlessly connects your devices
 PLUGIN_MAINTAINER=	dev@netbird.io
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
index 4691c3668..1e75efa08 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/Api/AuthenticationController.php
@@ -48,23 +48,21 @@ class AuthenticationController extends ApiMutableModelControllerBase
     {
         $mdl = new Authentication();
 
-        $managementUrl = $mdl->managementUrl->__toString();
-        $setupKey = $mdl->setupKey->__toString();
+        $managementUrl = $mdl->managementUrl->getValue();
+        $setupKey = $mdl->setupKey->getValue();
 
-        $defaultKey = '00000000-0000-0000-0000-000000000000';
-        if (!empty($setupKey) && $setupKey !== $defaultKey) {
-            $visiblePart = substr($setupKey, 0, 4);
-            $maskedKey = $visiblePart . str_repeat('*', max(4, strlen($setupKey) - 4));
-        } else {
-            $maskedKey = $defaultKey;
-        }
-
-        return [
+        $result = [
             'authentication' => [
                 'managementUrl' => $managementUrl,
-                'setupKey' => $maskedKey
+                'setupKey' => '',
             ]
         ];
+
+        if (!empty($setupKey)) {
+            $result['authentication']['%setupKey'] = substr($setupKey, 0, 5) . str_repeat('*', max(0, strlen($setupKey) - 7));
+        }
+
+        return $result;
     }
 
     public function upAction()
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
index 75111fdaf..ad5139f22 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/authentication.xml
@@ -9,6 +9,7 @@
         <id>authentication.setupKey</id>
         <label>Setup Key</label>
         <type>text</type>
+        <hint>XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</hint>
         <help>Set the authentication setup key</help>
     </field>
 </form>
diff --git a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
index 7a2cb69c7..0094cffdb 100644
--- a/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/controllers/OPNsense/Netbird/forms/settings.xml
@@ -15,6 +15,14 @@
         <type>text</type>
         <help>Wireguard interface listening port</help>
     </field>
+    <field>
+        <id>settings.general.ipmapping</id>
+        <label>Force IP Mapping</label>
+        <type>text</type>
+        <hint>12.34.56.78</hint>
+        <help>Forces external IPs maps between local addresses and interfaces. You can specify a comma-separated list with a single IP or IP/IP or IP/Interface Name. Leave empty for automatic mapping.</help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <type>header</type>
         <label>Client Firewall</label>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
index b9ac20dd2..1886653c2 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Authentication.xml
@@ -5,10 +5,9 @@
     <items>
         <managementUrl type="UrlField">
             <Required>Y</Required>
-            <Default>https://api.netbird.io:443</Default>
+            <Default>https://api.netbird.io</Default>
         </managementUrl>
-        <setupKey type="TextField">
-            <!-- XXX fails migration for obvious reasons <Required>Y</Required> -->
+        <setupKey type="UpdateOnlyTextField">
             <Mask>/^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$/i</Mask>
             <ValidationMessage>Please specify a valid setup key.</ValidationMessage>
         </setupKey>
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
index 4d3a3b4c4..f0ea65e07 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.php
@@ -46,6 +46,7 @@ class Settings extends BaseModel
 
         $config["WgPort"] = (int)$this->general->wireguardPort->__toString();
         $config["ServerSSHAllowed"] = $this->ssh->enable->__toString() == 1;
+        $config["IpMapping"] = $this->general->ipmapping->__toString();
         $config["EnableSSHRoot"] = $this->ssh->enableRoot->__toString() == 1;
         $config["EnableSSHSFTP"] = $this->ssh->enableSFTP->__toString() == 1;
         $config["EnableSSHLocalPortForwarding"] = $this->ssh->enableLocalPortForwarding->__toString() == 1;
diff --git a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
index b606c6f75..a271bd6d4 100644
--- a/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
+++ b/security/netbird/src/opnsense/mvc/app/models/OPNsense/Netbird/Settings.xml
@@ -15,6 +15,11 @@
                 <maximum>65535</maximum>
                 <ValidationMessage>Please specify a valid port.</ValidationMessage>
             </wireguardPort>
+            <ipmapping type="TextField">
+                <MaskPerItem>Y</MaskPerItem>
+                <Mask>/^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}(?:\/(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}|[a-zA-Z][a-zA-Z0-9_.-]*))?$/u</Mask>
+                <ValidationMessage>Invalid syntax. E.g. 12.34.56.78 or 12.34.56.78/10.0.0.1 or 12.34.56.200,12.34.56.78/10.0.0.1,12.34.56.80/eth1</ValidationMessage>
+            </ipmapping>
         </general>
         <firewall>
             <allowConfig type="BooleanField">
diff --git a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
index 7d2652c4d..96ec7ea57 100644
--- a/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
+++ b/security/netbird/src/opnsense/mvc/app/views/OPNsense/Netbird/authentication.volt
@@ -1,4 +1,5 @@
 {#
+ # Copyright (C) 2026 Konstantinos Spartalis <cspartalis@potatonetworks.com>
  # Copyright (C) 2025 Ralph Moser, PJ Monitoring GmbH
  # Copyright (C) 2025 squared GmbH
  # Copyright (C) 2025 Christopher Linn, BackendMedia IT-Services GmbH
@@ -29,20 +30,39 @@
 
 <script>
     function updateNetBirdStatusUI() {
-        ajaxGet('/api/netbird/status/status', {}, (data) => {
-            const $connectBtn = $("#connectBtn");
-            const $disconnectBtn = $("#disconnectBtn");
+        ajaxGet('/api/netbird/settings/get', {}, (settings) => {
+            const isEnabled = settings.settings?.general?.enable === '1';
 
-            $("#netbird-actions").removeClass("hidden");
+            const updateUI = (isConnected) => {
+                const $connectBtn = $("#connectBtn");
+                const $disconnectBtn = $("#disconnectBtn");
 
-            const isConnected = data.management?.connected === true;
-            const message = isConnected ? "NetBird is connected" : "NetBird is not connected";
-            const type = isConnected ? "info" : "warning";
+                $("#netbird-actions").removeClass("hidden");
 
-            $connectBtn.toggleClass("hidden", isConnected);
-            $disconnectBtn.toggleClass("hidden", !isConnected);
+                let message;
+                let type;
+                if (!isEnabled) {
+                    message = "Enable NetBird first";
+                    type = "warning";
+                } else {
+                    message = isConnected ? "NetBird is connected" : "NetBird is not connected";
+                    type = isConnected ? "info" : "warning";
+                }
 
-            $("#status").removeClass().addClass("alert alert-" + type).text(message).show();
+                $connectBtn.toggleClass("hidden", isConnected);
+                $disconnectBtn.toggleClass("hidden", !isConnected);
+
+                $("#status").removeClass().addClass("alert alert-" + type).text(message).show();
+            };
+
+            if (!isEnabled) {
+                updateUI(false);
+            } else {
+                ajaxGet('/api/netbird/status/status', {}, (data) => {
+                    const isConnected = data.management?.connected === true;
+                    updateUI(isConnected);
+                });
+            }
         });
     }
 
@@ -57,17 +77,11 @@
         $("#connectBtn").SimpleActionButton({
             onPreAction: () => {
                 const dfObj = new $.Deferred();
-                const setupKey = $("#authentication\\.setupKey").val();
-
-                if (setupKey.includes("*")) {
+                saveFormToEndpoint("/api/netbird/authentication/set", 'frmAuthentication', () => {
                     dfObj.resolve();
-                } else {
-                    saveFormToEndpoint("/api/netbird/authentication/set", 'frmAuthentication', () => {
-                        dfObj.resolve();
-                    }, true, () => {
-                        dfObj.reject();
-                    });
-                }
+                }, true, () => {
+                    dfObj.reject();
+                });
                 return dfObj;
             },
             onAction: () => {