From e444936c04643c7a76c7c35d430ca3db5fabb194 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 13:01:39 +0000
Subject: [PATCH 02/21] Add environment variables to override admin panel
 interface settings

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 .../advanced/config/optional-config.md        | 22 ++++++++++++
 src/server/api/admin/interface/index.get.ts   |  3 +-
 src/server/api/admin/interface/index.post.ts  | 15 +++++++-
 src/server/utils/WireGuard.ts                 | 35 ++++++++++++-------
 src/server/utils/config.ts                    | 27 ++++++++++++++
 5 files changed, 87 insertions(+), 15 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index c58f5636..e2a20da8 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -20,3 +20,25 @@ You will however still see a IPv6 address in the Web UI, but it won't be used.
 This option can be removed in the future, as more devices support IPv6.
 
 ///
+
+## Configuration Overrides
+
+These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings and cannot be changed through the Web UI.
+
+| Env                          | Example | Description                                           |
+| ---------------------------- | ------- | ----------------------------------------------------- |
+| `OVERRIDE_INTERFACE_PORT`    | `51820` | Override the WireGuard interface listening port       |
+| `OVERRIDE_INTERFACE_DEVICE`  | `eth1`  | Override the network device/interface                 |
+| `OVERRIDE_INTERFACE_MTU`     | `1420`  | Override the MTU (Maximum Transmission Unit) setting  |
+
+/// warning | Override Behavior
+
+When these override environment variables are set:
+- The specified values will be used instead of database settings
+- Changes made through the Web UI to these fields will not take effect
+- The Web UI will still display the overridden values
+- Updates to these fields via the API will be ignored
+
+These overrides are useful for containerized environments where configuration should be controlled externally.
+
+///
diff --git a/src/server/api/admin/interface/index.get.ts b/src/server/api/admin/interface/index.get.ts
index 7161aecc..d0ddceff 100644
--- a/src/server/api/admin/interface/index.get.ts
+++ b/src/server/api/admin/interface/index.get.ts
@@ -1,8 +1,9 @@
 export default definePermissionEventHandler('admin', 'any', async () => {
   const wgInterface = await Database.interfaces.get();
+  const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
 
   return {
-    ...wgInterface,
+    ...wgInterfaceWithOverrides,
     privateKey: undefined,
   };
 });
diff --git a/src/server/api/admin/interface/index.post.ts b/src/server/api/admin/interface/index.post.ts
index d6beedbe..ba5bda29 100644
--- a/src/server/api/admin/interface/index.post.ts
+++ b/src/server/api/admin/interface/index.post.ts
@@ -8,7 +8,20 @@ export default definePermissionEventHandler(
       event,
       validateZod(InterfaceUpdateSchema, event)
     );
-    await Database.interfaces.update(data);
+
+    // Remove overridden fields from the update data
+    const updateData = { ...data };
+    if (WG_OVERRIDE_ENV.INTERFACE_PORT !== undefined) {
+      delete updateData.port;
+    }
+    if (WG_OVERRIDE_ENV.INTERFACE_DEVICE !== undefined) {
+      delete updateData.device;
+    }
+    if (WG_OVERRIDE_ENV.INTERFACE_MTU !== undefined) {
+      delete updateData.mtu;
+    }
+
+    await Database.interfaces.update(updateData);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/utils/WireGuard.ts b/src/server/utils/WireGuard.ts
index 2da26fce..61101249 100644
--- a/src/server/utils/WireGuard.ts
+++ b/src/server/utils/WireGuard.ts
@@ -14,8 +14,9 @@ class WireGuard {
    */
   async saveConfig() {
     const wgInterface = await Database.interfaces.get();
-    await this.#saveWireguardConfig(wgInterface);
-    await this.#syncWireguardConfig(wgInterface);
+    const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
+    await this.#saveWireguardConfig(wgInterfaceWithOverrides);
+    await this.#syncWireguardConfig(wgInterfaceWithOverrides);
   }
 
   /**
@@ -151,6 +152,7 @@ class WireGuard {
 
   async getClientConfiguration({ clientId }: { clientId: ID }) {
     const wgInterface = await Database.interfaces.get();
+    const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
     const userConfig = await Database.userConfigs.get();
 
     const client = await Database.clients.get(clientId);
@@ -159,9 +161,14 @@ class WireGuard {
       throw new Error('Client not found');
     }
 
-    return wg.generateClientConfig(wgInterface, userConfig, client, {
-      enableIpv6: !WG_ENV.DISABLE_IPV6,
-    });
+    return wg.generateClientConfig(
+      wgInterfaceWithOverrides,
+      userConfig,
+      client,
+      {
+        enableIpv6: !WG_ENV.DISABLE_IPV6,
+      }
+    );
   }
 
   async getClientQRCodeSVG({ clientId }: { clientId: ID }) {
@@ -217,25 +224,27 @@ class WireGuard {
       Database.interfaces.update(wgInterface);
     }
 
-    WG_DEBUG(`Starting Wireguard Interface ${wgInterface.name}...`);
-    await this.#saveWireguardConfig(wgInterface);
-    await wg.down(wgInterface.name).catch(() => {});
-    await wg.up(wgInterface.name).catch((err) => {
+    const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
+
+    WG_DEBUG(`Starting Wireguard Interface ${wgInterfaceWithOverrides.name}...`);
+    await this.#saveWireguardConfig(wgInterfaceWithOverrides);
+    await wg.down(wgInterfaceWithOverrides.name).catch(() => {});
+    await wg.up(wgInterfaceWithOverrides.name).catch((err) => {
       if (
         err &&
         err.message &&
-        err.message.includes(`Cannot find device "${wgInterface.name}"`)
+        err.message.includes(`Cannot find device "${wgInterfaceWithOverrides.name}"`)
       ) {
         throw new Error(
-          `WireGuard exited with the error: Cannot find device "${wgInterface.name}"\nThis usually means that your host's kernel does not support WireGuard!`,
+          `WireGuard exited with the error: Cannot find device "${wgInterfaceWithOverrides.name}"\nThis usually means that your host's kernel does not support WireGuard!`,
           { cause: err.message }
         );
       }
 
       throw err;
     });
-    await this.#syncWireguardConfig(wgInterface);
-    WG_DEBUG(`Wireguard Interface ${wgInterface.name} started successfully.`);
+    await this.#syncWireguardConfig(wgInterfaceWithOverrides);
+    WG_DEBUG(`Wireguard Interface ${wgInterfaceWithOverrides.name} started successfully.`);
 
     WG_DEBUG('Starting Cron Job...');
     await this.startCronJob();
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index 322b7ae6..e6d63079 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -54,6 +54,19 @@ export const WG_INITIAL_ENV = {
     : undefined,
 };
 
+export const WG_OVERRIDE_ENV = {
+  /** Override the WireGuard interface port */
+  INTERFACE_PORT: process.env.OVERRIDE_INTERFACE_PORT
+    ? Number.parseInt(process.env.OVERRIDE_INTERFACE_PORT, 10)
+    : undefined,
+  /** Override the network device/interface */
+  INTERFACE_DEVICE: process.env.OVERRIDE_INTERFACE_DEVICE,
+  /** Override the MTU setting */
+  INTERFACE_MTU: process.env.OVERRIDE_INTERFACE_MTU
+    ? Number.parseInt(process.env.OVERRIDE_INTERFACE_MTU, 10)
+    : undefined,
+};
+
 function assertEnv<T extends string>(env: T) {
   const val = process.env[env];
 
@@ -63,3 +76,17 @@ function assertEnv<T extends string>(env: T) {
 
   return val;
 }
+
+/**
+ * Apply environment variable overrides to an interface object
+ */
+export function applyInterfaceOverrides<
+  T extends { port: number; device: string; mtu: number },
+>(wgInterface: T): T {
+  return {
+    ...wgInterface,
+    port: WG_OVERRIDE_ENV.INTERFACE_PORT ?? wgInterface.port,
+    device: WG_OVERRIDE_ENV.INTERFACE_DEVICE ?? wgInterface.device,
+    mtu: WG_OVERRIDE_ENV.INTERFACE_MTU ?? wgInterface.mtu,
+  };
+}

From 5fd3ee9843ca84788a54ad3cc4cb0ccb26e973c8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 13:04:57 +0000
Subject: [PATCH 03/21] Format documentation with prettier

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 docs/content/advanced/config/optional-config.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index e2a20da8..791acbe3 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -25,15 +25,16 @@ This option can be removed in the future, as more devices support IPv6.
 
 These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings and cannot be changed through the Web UI.
 
-| Env                          | Example | Description                                           |
-| ---------------------------- | ------- | ----------------------------------------------------- |
-| `OVERRIDE_INTERFACE_PORT`    | `51820` | Override the WireGuard interface listening port       |
-| `OVERRIDE_INTERFACE_DEVICE`  | `eth1`  | Override the network device/interface                 |
-| `OVERRIDE_INTERFACE_MTU`     | `1420`  | Override the MTU (Maximum Transmission Unit) setting  |
+| Env                         | Example | Description                                          |
+| --------------------------- | ------- | ---------------------------------------------------- |
+| `OVERRIDE_INTERFACE_PORT`   | `51820` | Override the WireGuard interface listening port      |
+| `OVERRIDE_INTERFACE_DEVICE` | `eth1`  | Override the network device/interface                |
+| `OVERRIDE_INTERFACE_MTU`    | `1420`  | Override the MTU (Maximum Transmission Unit) setting |
 
 /// warning | Override Behavior
 
 When these override environment variables are set:
+
 - The specified values will be used instead of database settings
 - Changes made through the Web UI to these fields will not take effect
 - The Web UI will still display the overridden values

From 67185192fde84a979d2022508f4bd1eab03479e9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 13:25:22 +0000
Subject: [PATCH 04/21] Refactor environment variables with shorter names and
 add comprehensive override support

- Rename OVERRIDE_INTERFACE_* to WG_* (shorter, non-conflicting)
- Add interface overrides: WG_PORT, WG_DEVICE, WG_MTU, WG_IPV4_CIDR, WG_IPV6_CIDR, WG_ENABLED
- Add client config overrides: WG_HOST, WG_CLIENT_PORT, WG_DEFAULT_DNS, WG_DEFAULT_ALLOWED_IPS, WG_DEFAULT_MTU, WG_DEFAULT_PERSISTENT_KEEPALIVE
- Add general config overrides: WG_SESSION_TIMEOUT, WG_METRICS_PROMETHEUS, WG_METRICS_JSON
- Update all API endpoints to apply and filter overrides
- Update documentation with all new environment variables
- Exclude AmneziaWG parameters (j*, s*, i*, h*) as requested

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 .../advanced/config/optional-config.md        | 42 +++++++-
 src/server/api/admin/general.get.ts           |  3 +-
 src/server/api/admin/general.post.ts          | 15 ++-
 src/server/api/admin/interface/cidr.post.ts   | 11 ++-
 src/server/api/admin/interface/index.post.ts  | 15 ++-
 src/server/api/admin/userconfig.get.ts        |  3 +-
 src/server/api/admin/userconfig.post.ts       | 24 ++++-
 src/server/utils/WireGuard.ts                 |  3 +-
 src/server/utils/config.ts                    | 96 +++++++++++++++++--
 9 files changed, 189 insertions(+), 23 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index 791acbe3..acaa89f5 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -25,11 +25,35 @@ This option can be removed in the future, as more devices support IPv6.
 
 These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings and cannot be changed through the Web UI.
 
-| Env                         | Example | Description                                          |
-| --------------------------- | ------- | ---------------------------------------------------- |
-| `OVERRIDE_INTERFACE_PORT`   | `51820` | Override the WireGuard interface listening port      |
-| `OVERRIDE_INTERFACE_DEVICE` | `eth1`  | Override the network device/interface                |
-| `OVERRIDE_INTERFACE_MTU`    | `1420`  | Override the MTU (Maximum Transmission Unit) setting |
+### Interface Settings
+
+| Env            | Example           | Description                        |
+| -------------- | ----------------- | ---------------------------------- |
+| `WG_PORT`      | `51820`           | WireGuard interface listening port |
+| `WG_DEVICE`    | `eth0`            | Network device/interface           |
+| `WG_MTU`       | `1420`            | Maximum Transmission Unit          |
+| `WG_IPV4_CIDR` | `10.8.0.0/24`     | IPv4 CIDR range                    |
+| `WG_IPV6_CIDR` | `fdcc::/112`      | IPv6 CIDR range                    |
+| `WG_ENABLED`   | `true` or `false` | Whether the interface is enabled   |
+
+### Client Connection Settings
+
+| Env                               | Example           | Description                              |
+| --------------------------------- | ----------------- | ---------------------------------------- |
+| `WG_HOST`                         | `vpn.example.com` | Host clients will connect to             |
+| `WG_CLIENT_PORT`                  | `51820`           | Port clients will connect to             |
+| `WG_DEFAULT_DNS`                  | `1.1.1.1,8.8.8.8` | Default DNS servers for clients          |
+| `WG_DEFAULT_ALLOWED_IPS`          | `0.0.0.0/0,::/0`  | Default allowed IPs for clients          |
+| `WG_DEFAULT_MTU`                  | `1420`            | Default MTU for clients                  |
+| `WG_DEFAULT_PERSISTENT_KEEPALIVE` | `25`              | Default persistent keepalive for clients |
+
+### General Settings
+
+| Env                     | Example           | Description                |
+| ----------------------- | ----------------- | -------------------------- |
+| `WG_SESSION_TIMEOUT`    | `3600`            | Session timeout in seconds |
+| `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics  |
+| `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics        |
 
 /// warning | Override Behavior
 
@@ -43,3 +67,11 @@ When these override environment variables are set:
 These overrides are useful for containerized environments where configuration should be controlled externally.
 
 ///
+
+/// note | Note on Port Variables
+
+- `WG_PORT` - The port WireGuard listens on (interface port)
+- `WG_CLIENT_PORT` - The port clients connect to (endpoint port, usually same as `WG_PORT`)
+- `PORT` - The port the Web UI listens on (HTTP server port)
+
+///
diff --git a/src/server/api/admin/general.get.ts b/src/server/api/admin/general.get.ts
index 075eefce..c99f77f7 100644
--- a/src/server/api/admin/general.get.ts
+++ b/src/server/api/admin/general.get.ts
@@ -1,4 +1,5 @@
 export default definePermissionEventHandler('admin', 'any', async () => {
   const generalConfig = await Database.general.getConfig();
-  return generalConfig;
+  const generalConfigWithOverrides = applyGeneralOverrides(generalConfig);
+  return generalConfigWithOverrides;
 });
diff --git a/src/server/api/admin/general.post.ts b/src/server/api/admin/general.post.ts
index 414af6d7..f43f47fc 100644
--- a/src/server/api/admin/general.post.ts
+++ b/src/server/api/admin/general.post.ts
@@ -8,7 +8,20 @@ export default definePermissionEventHandler(
       event,
       validateZod(GeneralUpdateSchema, event)
     );
-    await Database.general.update(data);
+
+    // Remove overridden fields from the update data
+    const updateData = { ...data };
+    if (WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT !== undefined) {
+      delete updateData.sessionTimeout;
+    }
+    if (WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined) {
+      delete updateData.metricsPrometheus;
+    }
+    if (WG_GENERAL_OVERRIDE_ENV.METRICS_JSON !== undefined) {
+      delete updateData.metricsJson;
+    }
+
+    await Database.general.update(updateData);
     return { success: true };
   }
 );
diff --git a/src/server/api/admin/interface/cidr.post.ts b/src/server/api/admin/interface/cidr.post.ts
index 95e239cf..2c4f4096 100644
--- a/src/server/api/admin/interface/cidr.post.ts
+++ b/src/server/api/admin/interface/cidr.post.ts
@@ -9,7 +9,16 @@ export default definePermissionEventHandler(
       validateZod(InterfaceCidrUpdateSchema, event)
     );
 
-    await Database.interfaces.updateCidr(data);
+    // Remove overridden fields from the update data
+    const updateData = { ...data };
+    if (WG_OVERRIDE_ENV.IPV4_CIDR !== undefined) {
+      delete updateData.ipv4Cidr;
+    }
+    if (WG_OVERRIDE_ENV.IPV6_CIDR !== undefined) {
+      delete updateData.ipv6Cidr;
+    }
+
+    await Database.interfaces.updateCidr(updateData);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/api/admin/interface/index.post.ts b/src/server/api/admin/interface/index.post.ts
index ba5bda29..7a19eed5 100644
--- a/src/server/api/admin/interface/index.post.ts
+++ b/src/server/api/admin/interface/index.post.ts
@@ -11,15 +11,24 @@ export default definePermissionEventHandler(
 
     // Remove overridden fields from the update data
     const updateData = { ...data };
-    if (WG_OVERRIDE_ENV.INTERFACE_PORT !== undefined) {
+    if (WG_OVERRIDE_ENV.PORT !== undefined) {
       delete updateData.port;
     }
-    if (WG_OVERRIDE_ENV.INTERFACE_DEVICE !== undefined) {
+    if (WG_OVERRIDE_ENV.DEVICE !== undefined) {
       delete updateData.device;
     }
-    if (WG_OVERRIDE_ENV.INTERFACE_MTU !== undefined) {
+    if (WG_OVERRIDE_ENV.MTU !== undefined) {
       delete updateData.mtu;
     }
+    if (WG_OVERRIDE_ENV.IPV4_CIDR !== undefined) {
+      delete updateData.ipv4Cidr;
+    }
+    if (WG_OVERRIDE_ENV.IPV6_CIDR !== undefined) {
+      delete updateData.ipv6Cidr;
+    }
+    if (WG_OVERRIDE_ENV.ENABLED !== undefined) {
+      delete updateData.enabled;
+    }
 
     await Database.interfaces.update(updateData);
     await WireGuard.saveConfig();
diff --git a/src/server/api/admin/userconfig.get.ts b/src/server/api/admin/userconfig.get.ts
index b41a81bd..acac9086 100644
--- a/src/server/api/admin/userconfig.get.ts
+++ b/src/server/api/admin/userconfig.get.ts
@@ -1,4 +1,5 @@
 export default definePermissionEventHandler('admin', 'any', async () => {
   const userConfig = await Database.userConfigs.get();
-  return userConfig;
+  const userConfigWithOverrides = applyUserConfigOverrides(userConfig);
+  return userConfigWithOverrides;
 });
diff --git a/src/server/api/admin/userconfig.post.ts b/src/server/api/admin/userconfig.post.ts
index ff150b0c..68d63de4 100644
--- a/src/server/api/admin/userconfig.post.ts
+++ b/src/server/api/admin/userconfig.post.ts
@@ -8,7 +8,29 @@ export default definePermissionEventHandler(
       event,
       validateZod(UserConfigUpdateSchema, event)
     );
-    await Database.userConfigs.update(data);
+
+    // Remove overridden fields from the update data
+    const updateData = { ...data };
+    if (WG_CLIENT_OVERRIDE_ENV.HOST !== undefined) {
+      delete updateData.host;
+    }
+    if (WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT !== undefined) {
+      delete updateData.port;
+    }
+    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS !== undefined) {
+      delete updateData.defaultDns;
+    }
+    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS !== undefined) {
+      delete updateData.defaultAllowedIps;
+    }
+    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_MTU !== undefined) {
+      delete updateData.defaultMtu;
+    }
+    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE !== undefined) {
+      delete updateData.defaultPersistentKeepalive;
+    }
+
+    await Database.userConfigs.update(updateData);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/utils/WireGuard.ts b/src/server/utils/WireGuard.ts
index 61101249..27dbad50 100644
--- a/src/server/utils/WireGuard.ts
+++ b/src/server/utils/WireGuard.ts
@@ -154,6 +154,7 @@ class WireGuard {
     const wgInterface = await Database.interfaces.get();
     const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
     const userConfig = await Database.userConfigs.get();
+    const userConfigWithOverrides = applyUserConfigOverrides(userConfig);
 
     const client = await Database.clients.get(clientId);
 
@@ -163,7 +164,7 @@ class WireGuard {
 
     return wg.generateClientConfig(
       wgInterfaceWithOverrides,
-      userConfig,
+      userConfigWithOverrides,
       client,
       {
         enableIpv6: !WG_ENV.DISABLE_IPV6,
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index e6d63079..d72cf997 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -56,15 +56,59 @@ export const WG_INITIAL_ENV = {
 
 export const WG_OVERRIDE_ENV = {
   /** Override the WireGuard interface port */
-  INTERFACE_PORT: process.env.OVERRIDE_INTERFACE_PORT
-    ? Number.parseInt(process.env.OVERRIDE_INTERFACE_PORT, 10)
+  PORT: process.env.WG_PORT
+    ? Number.parseInt(process.env.WG_PORT, 10)
     : undefined,
   /** Override the network device/interface */
-  INTERFACE_DEVICE: process.env.OVERRIDE_INTERFACE_DEVICE,
+  DEVICE: process.env.WG_DEVICE,
   /** Override the MTU setting */
-  INTERFACE_MTU: process.env.OVERRIDE_INTERFACE_MTU
-    ? Number.parseInt(process.env.OVERRIDE_INTERFACE_MTU, 10)
+  MTU: process.env.WG_MTU
+    ? Number.parseInt(process.env.WG_MTU, 10)
     : undefined,
+  /** Override the IPv4 CIDR */
+  IPV4_CIDR: process.env.WG_IPV4_CIDR,
+  /** Override the IPv6 CIDR */
+  IPV6_CIDR: process.env.WG_IPV6_CIDR,
+  /** Override the enabled status */
+  ENABLED: process.env.WG_ENABLED === 'true' ? true :
+           process.env.WG_ENABLED === 'false' ? false :
+           undefined,
+};
+
+export const WG_CLIENT_OVERRIDE_ENV = {
+  /** Override the client connection host */
+  HOST: process.env.WG_HOST,
+  /** Override the client connection port (different from WG_PORT which is the interface port) */
+  CLIENT_PORT: process.env.WG_CLIENT_PORT
+    ? Number.parseInt(process.env.WG_CLIENT_PORT, 10)
+    : undefined,
+  /** Override default client DNS servers */
+  DEFAULT_DNS: process.env.WG_DEFAULT_DNS?.split(',').map((x) => x.trim()),
+  /** Override default client allowed IPs */
+  DEFAULT_ALLOWED_IPS: process.env.WG_DEFAULT_ALLOWED_IPS?.split(',').map((x) => x.trim()),
+  /** Override default client MTU */
+  DEFAULT_MTU: process.env.WG_DEFAULT_MTU
+    ? Number.parseInt(process.env.WG_DEFAULT_MTU, 10)
+    : undefined,
+  /** Override default client persistent keepalive */
+  DEFAULT_PERSISTENT_KEEPALIVE: process.env.WG_DEFAULT_PERSISTENT_KEEPALIVE
+    ? Number.parseInt(process.env.WG_DEFAULT_PERSISTENT_KEEPALIVE, 10)
+    : undefined,
+};
+
+export const WG_GENERAL_OVERRIDE_ENV = {
+  /** Override session timeout */
+  SESSION_TIMEOUT: process.env.WG_SESSION_TIMEOUT
+    ? Number.parseInt(process.env.WG_SESSION_TIMEOUT, 10)
+    : undefined,
+  /** Override metrics Prometheus enabled status */
+  METRICS_PROMETHEUS: process.env.WG_METRICS_PROMETHEUS === 'true' ? true :
+                       process.env.WG_METRICS_PROMETHEUS === 'false' ? false :
+                       undefined,
+  /** Override metrics JSON enabled status */
+  METRICS_JSON: process.env.WG_METRICS_JSON === 'true' ? true :
+                 process.env.WG_METRICS_JSON === 'false' ? false :
+                 undefined,
 };
 
 function assertEnv<T extends string>(env: T) {
@@ -81,12 +125,46 @@ function assertEnv<T extends string>(env: T) {
  * Apply environment variable overrides to an interface object
  */
 export function applyInterfaceOverrides<
-  T extends { port: number; device: string; mtu: number },
+  T extends { port: number; device: string; mtu: number; ipv4Cidr: string; ipv6Cidr: string; enabled: boolean },
 >(wgInterface: T): T {
   return {
     ...wgInterface,
-    port: WG_OVERRIDE_ENV.INTERFACE_PORT ?? wgInterface.port,
-    device: WG_OVERRIDE_ENV.INTERFACE_DEVICE ?? wgInterface.device,
-    mtu: WG_OVERRIDE_ENV.INTERFACE_MTU ?? wgInterface.mtu,
+    port: WG_OVERRIDE_ENV.PORT ?? wgInterface.port,
+    device: WG_OVERRIDE_ENV.DEVICE ?? wgInterface.device,
+    mtu: WG_OVERRIDE_ENV.MTU ?? wgInterface.mtu,
+    ipv4Cidr: WG_OVERRIDE_ENV.IPV4_CIDR ?? wgInterface.ipv4Cidr,
+    ipv6Cidr: WG_OVERRIDE_ENV.IPV6_CIDR ?? wgInterface.ipv6Cidr,
+    enabled: WG_OVERRIDE_ENV.ENABLED ?? wgInterface.enabled,
+  };
+}
+
+/**
+ * Apply environment variable overrides to a user config object
+ */
+export function applyUserConfigOverrides<
+  T extends { host: string; port: number; defaultDns: string[]; defaultAllowedIps: string[]; defaultMtu: number; defaultPersistentKeepalive: number },
+>(userConfig: T): T {
+  return {
+    ...userConfig,
+    host: WG_CLIENT_OVERRIDE_ENV.HOST ?? userConfig.host,
+    port: WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT ?? userConfig.port,
+    defaultDns: WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS ?? userConfig.defaultDns,
+    defaultAllowedIps: WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS ?? userConfig.defaultAllowedIps,
+    defaultMtu: WG_CLIENT_OVERRIDE_ENV.DEFAULT_MTU ?? userConfig.defaultMtu,
+    defaultPersistentKeepalive: WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE ?? userConfig.defaultPersistentKeepalive,
+  };
+}
+
+/**
+ * Apply environment variable overrides to a general config object
+ */
+export function applyGeneralOverrides<
+  T extends { sessionTimeout: number; metricsPrometheus: boolean; metricsJson: boolean },
+>(generalConfig: T): T {
+  return {
+    ...generalConfig,
+    sessionTimeout: WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT ?? generalConfig.sessionTimeout,
+    metricsPrometheus: WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS ?? generalConfig.metricsPrometheus,
+    metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON ?? generalConfig.metricsJson,
   };
 }

From 11ab71b5d2cfc996f259f781d24106957bbd30af Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 13:41:33 +0000
Subject: [PATCH 05/21] Allow admin panel updates to be saved while overrides
 remain effective; remove WG_ENABLED

- Remove WG_ENABLED environment variable (interface cannot be disabled)
- Allow all admin panel updates to be saved to database
- Environment variable overrides take precedence at runtime only
- Users can now update values in admin panel even when overridden
- Updated documentation to clarify override behavior

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 .../advanced/config/optional-config.md        | 51 +++++++++----------
 src/server/api/admin/general.post.ts          | 16 ++----
 src/server/api/admin/interface/cidr.post.ts   | 13 ++---
 src/server/api/admin/interface/index.post.ts  | 25 ++-------
 src/server/api/admin/userconfig.post.ts       | 25 ++-------
 src/server/utils/config.ts                    |  7 +--
 6 files changed, 38 insertions(+), 99 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index acaa89f5..805f3f16 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -23,46 +23,45 @@ This option can be removed in the future, as more devices support IPv6.
 
 ## Configuration Overrides
 
-These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings and cannot be changed through the Web UI.
+These environment variables allow you to override settings that would normally be configured through the Admin Panel. When set, these values take precedence over database settings at runtime.
 
 ### Interface Settings
 
-| Env            | Example           | Description                        |
-| -------------- | ----------------- | ---------------------------------- |
-| `WG_PORT`      | `51820`           | WireGuard interface listening port |
-| `WG_DEVICE`    | `eth0`            | Network device/interface           |
-| `WG_MTU`       | `1420`            | Maximum Transmission Unit          |
-| `WG_IPV4_CIDR` | `10.8.0.0/24`     | IPv4 CIDR range                    |
-| `WG_IPV6_CIDR` | `fdcc::/112`      | IPv6 CIDR range                    |
-| `WG_ENABLED`   | `true` or `false` | Whether the interface is enabled   |
+| Env            | Example       | Description               |
+| -------------- | ------------- | ------------------------- |
+| `WG_PORT`      | `51820`       | WireGuard interface port  |
+| `WG_DEVICE`    | `eth0`        | Network device/interface  |
+| `WG_MTU`       | `1420`        | Maximum Transmission Unit |
+| `WG_IPV4_CIDR` | `10.8.0.0/24` | IPv4 CIDR range           |
+| `WG_IPV6_CIDR` | `fdcc::/112`  | IPv6 CIDR range           |
 
 ### Client Connection Settings
 
-| Env                               | Example           | Description                              |
-| --------------------------------- | ----------------- | ---------------------------------------- |
-| `WG_HOST`                         | `vpn.example.com` | Host clients will connect to             |
-| `WG_CLIENT_PORT`                  | `51820`           | Port clients will connect to             |
-| `WG_DEFAULT_DNS`                  | `1.1.1.1,8.8.8.8` | Default DNS servers for clients          |
-| `WG_DEFAULT_ALLOWED_IPS`          | `0.0.0.0/0,::/0`  | Default allowed IPs for clients          |
-| `WG_DEFAULT_MTU`                  | `1420`            | Default MTU for clients                  |
-| `WG_DEFAULT_PERSISTENT_KEEPALIVE` | `25`              | Default persistent keepalive for clients |
+| Env                               | Example           | Description                     |
+| --------------------------------- | ----------------- | ------------------------------- |
+| `WG_HOST`                         | `vpn.example.com` | Host clients will connect to    |
+| `WG_CLIENT_PORT`                  | `51820`           | Port clients will connect to    |
+| `WG_DEFAULT_DNS`                  | `1.1.1.1,8.8.8.8` | Default DNS servers for clients |
+| `WG_DEFAULT_ALLOWED_IPS`          | `0.0.0.0/0,::/0`  | Default allowed IPs for clients |
+| `WG_DEFAULT_MTU`                  | `1420`            | Default MTU for clients         |
+| `WG_DEFAULT_PERSISTENT_KEEPALIVE` | `25`              | Default persistent keepalive    |
 
 ### General Settings
 
-| Env                     | Example           | Description                |
-| ----------------------- | ----------------- | -------------------------- |
-| `WG_SESSION_TIMEOUT`    | `3600`            | Session timeout in seconds |
-| `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics  |
-| `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics        |
+| Env                     | Example           | Description               |
+| ----------------------- | ----------------- | ------------------------- |
+| `WG_SESSION_TIMEOUT`    | `3600`            | Session timeout (seconds) |
+| `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics |
+| `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics       |
 
 /// warning | Override Behavior
 
 When these override environment variables are set:
 
-- The specified values will be used instead of database settings
-- Changes made through the Web UI to these fields will not take effect
-- The Web UI will still display the overridden values
-- Updates to these fields via the API will be ignored
+- The specified values will be used at runtime instead of database settings
+- You can still update these fields through the Web UI and they will be saved to the database
+- However, the overridden values from environment variables will always take precedence
+- The Web UI will display the overridden (effective) values
 
 These overrides are useful for containerized environments where configuration should be controlled externally.
 
diff --git a/src/server/api/admin/general.post.ts b/src/server/api/admin/general.post.ts
index f43f47fc..606c73fb 100644
--- a/src/server/api/admin/general.post.ts
+++ b/src/server/api/admin/general.post.ts
@@ -9,19 +9,9 @@ export default definePermissionEventHandler(
       validateZod(GeneralUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT !== undefined) {
-      delete updateData.sessionTimeout;
-    }
-    if (WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined) {
-      delete updateData.metricsPrometheus;
-    }
-    if (WG_GENERAL_OVERRIDE_ENV.METRICS_JSON !== undefined) {
-      delete updateData.metricsJson;
-    }
-
-    await Database.general.update(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.general.update(data);
     return { success: true };
   }
 );
diff --git a/src/server/api/admin/interface/cidr.post.ts b/src/server/api/admin/interface/cidr.post.ts
index 2c4f4096..00bd4048 100644
--- a/src/server/api/admin/interface/cidr.post.ts
+++ b/src/server/api/admin/interface/cidr.post.ts
@@ -9,16 +9,9 @@ export default definePermissionEventHandler(
       validateZod(InterfaceCidrUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_OVERRIDE_ENV.IPV4_CIDR !== undefined) {
-      delete updateData.ipv4Cidr;
-    }
-    if (WG_OVERRIDE_ENV.IPV6_CIDR !== undefined) {
-      delete updateData.ipv6Cidr;
-    }
-
-    await Database.interfaces.updateCidr(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.interfaces.updateCidr(data);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/api/admin/interface/index.post.ts b/src/server/api/admin/interface/index.post.ts
index 7a19eed5..a2658378 100644
--- a/src/server/api/admin/interface/index.post.ts
+++ b/src/server/api/admin/interface/index.post.ts
@@ -9,28 +9,9 @@ export default definePermissionEventHandler(
       validateZod(InterfaceUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_OVERRIDE_ENV.PORT !== undefined) {
-      delete updateData.port;
-    }
-    if (WG_OVERRIDE_ENV.DEVICE !== undefined) {
-      delete updateData.device;
-    }
-    if (WG_OVERRIDE_ENV.MTU !== undefined) {
-      delete updateData.mtu;
-    }
-    if (WG_OVERRIDE_ENV.IPV4_CIDR !== undefined) {
-      delete updateData.ipv4Cidr;
-    }
-    if (WG_OVERRIDE_ENV.IPV6_CIDR !== undefined) {
-      delete updateData.ipv6Cidr;
-    }
-    if (WG_OVERRIDE_ENV.ENABLED !== undefined) {
-      delete updateData.enabled;
-    }
-
-    await Database.interfaces.update(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.interfaces.update(data);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/api/admin/userconfig.post.ts b/src/server/api/admin/userconfig.post.ts
index 68d63de4..d023c460 100644
--- a/src/server/api/admin/userconfig.post.ts
+++ b/src/server/api/admin/userconfig.post.ts
@@ -9,28 +9,9 @@ export default definePermissionEventHandler(
       validateZod(UserConfigUpdateSchema, event)
     );
 
-    // Remove overridden fields from the update data
-    const updateData = { ...data };
-    if (WG_CLIENT_OVERRIDE_ENV.HOST !== undefined) {
-      delete updateData.host;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT !== undefined) {
-      delete updateData.port;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS !== undefined) {
-      delete updateData.defaultDns;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS !== undefined) {
-      delete updateData.defaultAllowedIps;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_MTU !== undefined) {
-      delete updateData.defaultMtu;
-    }
-    if (WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE !== undefined) {
-      delete updateData.defaultPersistentKeepalive;
-    }
-
-    await Database.userConfigs.update(updateData);
+    // Allow all updates to be saved to database
+    // Overrides will be applied when reading/using the values
+    await Database.userConfigs.update(data);
     await WireGuard.saveConfig();
     return { success: true };
   }
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index d72cf997..5e93e51e 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -69,10 +69,6 @@ export const WG_OVERRIDE_ENV = {
   IPV4_CIDR: process.env.WG_IPV4_CIDR,
   /** Override the IPv6 CIDR */
   IPV6_CIDR: process.env.WG_IPV6_CIDR,
-  /** Override the enabled status */
-  ENABLED: process.env.WG_ENABLED === 'true' ? true :
-           process.env.WG_ENABLED === 'false' ? false :
-           undefined,
 };
 
 export const WG_CLIENT_OVERRIDE_ENV = {
@@ -125,7 +121,7 @@ function assertEnv<T extends string>(env: T) {
  * Apply environment variable overrides to an interface object
  */
 export function applyInterfaceOverrides<
-  T extends { port: number; device: string; mtu: number; ipv4Cidr: string; ipv6Cidr: string; enabled: boolean },
+  T extends { port: number; device: string; mtu: number; ipv4Cidr: string; ipv6Cidr: string },
 >(wgInterface: T): T {
   return {
     ...wgInterface,
@@ -134,7 +130,6 @@ export function applyInterfaceOverrides<
     mtu: WG_OVERRIDE_ENV.MTU ?? wgInterface.mtu,
     ipv4Cidr: WG_OVERRIDE_ENV.IPV4_CIDR ?? wgInterface.ipv4Cidr,
     ipv6Cidr: WG_OVERRIDE_ENV.IPV6_CIDR ?? wgInterface.ipv6Cidr,
-    enabled: WG_OVERRIDE_ENV.ENABLED ?? wgInterface.enabled,
   };
 }
 

From 268916782d47abe9a6a163adb6bb5c9aa131a4ad Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 13:52:54 +0000
Subject: [PATCH 06/21] Return database values in GET endpoints; add overrides
 info route; remove comments

- GET endpoints now return raw database values (not overridden values)
- Created /api/admin/overrides route that returns which fields are overridden by env vars
- Removed comments from POST endpoints
- Admin panel can now show database values and display indicators for overridden fields

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 src/server/api/admin/general.get.ts          |  3 +--
 src/server/api/admin/general.post.ts         |  3 ---
 src/server/api/admin/interface/cidr.post.ts  |  3 ---
 src/server/api/admin/interface/index.get.ts  |  3 +--
 src/server/api/admin/interface/index.post.ts |  3 ---
 src/server/api/admin/overrides.get.ts        | 24 ++++++++++++++++++++
 src/server/api/admin/userconfig.get.ts       |  3 +--
 src/server/api/admin/userconfig.post.ts      |  3 ---
 8 files changed, 27 insertions(+), 18 deletions(-)
 create mode 100644 src/server/api/admin/overrides.get.ts

diff --git a/src/server/api/admin/general.get.ts b/src/server/api/admin/general.get.ts
index c99f77f7..075eefce 100644
--- a/src/server/api/admin/general.get.ts
+++ b/src/server/api/admin/general.get.ts
@@ -1,5 +1,4 @@
 export default definePermissionEventHandler('admin', 'any', async () => {
   const generalConfig = await Database.general.getConfig();
-  const generalConfigWithOverrides = applyGeneralOverrides(generalConfig);
-  return generalConfigWithOverrides;
+  return generalConfig;
 });
diff --git a/src/server/api/admin/general.post.ts b/src/server/api/admin/general.post.ts
index 606c73fb..414af6d7 100644
--- a/src/server/api/admin/general.post.ts
+++ b/src/server/api/admin/general.post.ts
@@ -8,9 +8,6 @@ export default definePermissionEventHandler(
       event,
       validateZod(GeneralUpdateSchema, event)
     );
-
-    // Allow all updates to be saved to database
-    // Overrides will be applied when reading/using the values
     await Database.general.update(data);
     return { success: true };
   }
diff --git a/src/server/api/admin/interface/cidr.post.ts b/src/server/api/admin/interface/cidr.post.ts
index 00bd4048..a9abcdfc 100644
--- a/src/server/api/admin/interface/cidr.post.ts
+++ b/src/server/api/admin/interface/cidr.post.ts
@@ -8,9 +8,6 @@ export default definePermissionEventHandler(
       event,
       validateZod(InterfaceCidrUpdateSchema, event)
     );
-
-    // Allow all updates to be saved to database
-    // Overrides will be applied when reading/using the values
     await Database.interfaces.updateCidr(data);
     await WireGuard.saveConfig();
     return { success: true };
diff --git a/src/server/api/admin/interface/index.get.ts b/src/server/api/admin/interface/index.get.ts
index d0ddceff..7161aecc 100644
--- a/src/server/api/admin/interface/index.get.ts
+++ b/src/server/api/admin/interface/index.get.ts
@@ -1,9 +1,8 @@
 export default definePermissionEventHandler('admin', 'any', async () => {
   const wgInterface = await Database.interfaces.get();
-  const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
 
   return {
-    ...wgInterfaceWithOverrides,
+    ...wgInterface,
     privateKey: undefined,
   };
 });
diff --git a/src/server/api/admin/interface/index.post.ts b/src/server/api/admin/interface/index.post.ts
index a2658378..d6beedbe 100644
--- a/src/server/api/admin/interface/index.post.ts
+++ b/src/server/api/admin/interface/index.post.ts
@@ -8,9 +8,6 @@ export default definePermissionEventHandler(
       event,
       validateZod(InterfaceUpdateSchema, event)
     );
-
-    // Allow all updates to be saved to database
-    // Overrides will be applied when reading/using the values
     await Database.interfaces.update(data);
     await WireGuard.saveConfig();
     return { success: true };
diff --git a/src/server/api/admin/overrides.get.ts b/src/server/api/admin/overrides.get.ts
new file mode 100644
index 00000000..dda4bb8a
--- /dev/null
+++ b/src/server/api/admin/overrides.get.ts
@@ -0,0 +1,24 @@
+export default definePermissionEventHandler('admin', 'any', async () => {
+  return {
+    interface: {
+      port: WG_OVERRIDE_ENV.PORT !== undefined,
+      device: WG_OVERRIDE_ENV.DEVICE !== undefined,
+      mtu: WG_OVERRIDE_ENV.MTU !== undefined,
+      ipv4Cidr: WG_OVERRIDE_ENV.IPV4_CIDR !== undefined,
+      ipv6Cidr: WG_OVERRIDE_ENV.IPV6_CIDR !== undefined,
+    },
+    userConfig: {
+      host: WG_CLIENT_OVERRIDE_ENV.HOST !== undefined,
+      port: WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT !== undefined,
+      defaultDns: WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS !== undefined,
+      defaultAllowedIps: WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS !== undefined,
+      defaultMtu: WG_CLIENT_OVERRIDE_ENV.DEFAULT_MTU !== undefined,
+      defaultPersistentKeepalive: WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE !== undefined,
+    },
+    general: {
+      sessionTimeout: WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT !== undefined,
+      metricsPrometheus: WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined,
+      metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON !== undefined,
+    },
+  };
+});
diff --git a/src/server/api/admin/userconfig.get.ts b/src/server/api/admin/userconfig.get.ts
index acac9086..b41a81bd 100644
--- a/src/server/api/admin/userconfig.get.ts
+++ b/src/server/api/admin/userconfig.get.ts
@@ -1,5 +1,4 @@
 export default definePermissionEventHandler('admin', 'any', async () => {
   const userConfig = await Database.userConfigs.get();
-  const userConfigWithOverrides = applyUserConfigOverrides(userConfig);
-  return userConfigWithOverrides;
+  return userConfig;
 });
diff --git a/src/server/api/admin/userconfig.post.ts b/src/server/api/admin/userconfig.post.ts
index d023c460..ff150b0c 100644
--- a/src/server/api/admin/userconfig.post.ts
+++ b/src/server/api/admin/userconfig.post.ts
@@ -8,9 +8,6 @@ export default definePermissionEventHandler(
       event,
       validateZod(UserConfigUpdateSchema, event)
     );
-
-    // Allow all updates to be saved to database
-    // Overrides will be applied when reading/using the values
     await Database.userConfigs.update(data);
     await WireGuard.saveConfig();
     return { success: true };

From c1d5822f417c61f9d7bab3baa15c7dbb8bf5dd48 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 14:10:07 +0000
Subject: [PATCH 07/21] Add hooks overrides support with environment variables

- Added WG_PRE_UP, WG_POST_UP, WG_PRE_DOWN, WG_POST_DOWN environment variables
- Created applyHooksOverrides() helper function
- Updated WireGuard service to apply hooks overrides when generating config
- Updated /api/admin/overrides endpoint to include hooks override information
- Updated documentation with hooks environment variables

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 .../advanced/config/optional-config.md        |  9 +++++++
 src/server/api/admin/overrides.get.ts         |  6 +++++
 src/server/utils/WireGuard.ts                 |  3 ++-
 src/server/utils/config.ts                    | 26 +++++++++++++++++++
 4 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index 805f3f16..967e64a0 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -54,6 +54,15 @@ These environment variables allow you to override settings that would normally b
 | `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics |
 | `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics       |
 
+### Hooks
+
+| Env            | Example                   | Description           |
+| -------------- | ------------------------- | --------------------- |
+| `WG_PRE_UP`    | `echo "Starting WG"`      | PreUp hook command    |
+| `WG_POST_UP`   | `iptables -A FORWARD ...` | PostUp hook command   |
+| `WG_PRE_DOWN`  | `echo "Stopping WG"`      | PreDown hook command  |
+| `WG_POST_DOWN` | `iptables -D FORWARD ...` | PostDown hook command |
+
 /// warning | Override Behavior
 
 When these override environment variables are set:
diff --git a/src/server/api/admin/overrides.get.ts b/src/server/api/admin/overrides.get.ts
index dda4bb8a..ae3b2ef0 100644
--- a/src/server/api/admin/overrides.get.ts
+++ b/src/server/api/admin/overrides.get.ts
@@ -20,5 +20,11 @@ export default definePermissionEventHandler('admin', 'any', async () => {
       metricsPrometheus: WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined,
       metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON !== undefined,
     },
+    hooks: {
+      preUp: WG_HOOKS_OVERRIDE_ENV.PRE_UP !== undefined,
+      postUp: WG_HOOKS_OVERRIDE_ENV.POST_UP !== undefined,
+      preDown: WG_HOOKS_OVERRIDE_ENV.PRE_DOWN !== undefined,
+      postDown: WG_HOOKS_OVERRIDE_ENV.POST_DOWN !== undefined,
+    },
   };
 });
diff --git a/src/server/utils/WireGuard.ts b/src/server/utils/WireGuard.ts
index 27dbad50..8f4d875a 100644
--- a/src/server/utils/WireGuard.ts
+++ b/src/server/utils/WireGuard.ts
@@ -27,10 +27,11 @@ class WireGuard {
   async #saveWireguardConfig(wgInterface: InterfaceType) {
     const clients = await Database.clients.getAll();
     const hooks = await Database.hooks.get();
+    const hooksWithOverrides = applyHooksOverrides(hooks);
 
     const result = [];
     result.push(
-      wg.generateServerInterface(wgInterface, hooks, {
+      wg.generateServerInterface(wgInterface, hooksWithOverrides, {
         enableIpv6: !WG_ENV.DISABLE_IPV6,
       })
     );
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index 5e93e51e..0a8e29fd 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -107,6 +107,17 @@ export const WG_GENERAL_OVERRIDE_ENV = {
                  undefined,
 };
 
+export const WG_HOOKS_OVERRIDE_ENV = {
+  /** Override PreUp hook */
+  PRE_UP: process.env.WG_PRE_UP,
+  /** Override PostUp hook */
+  POST_UP: process.env.WG_POST_UP,
+  /** Override PreDown hook */
+  PRE_DOWN: process.env.WG_PRE_DOWN,
+  /** Override PostDown hook */
+  POST_DOWN: process.env.WG_POST_DOWN,
+};
+
 function assertEnv<T extends string>(env: T) {
   const val = process.env[env];
 
@@ -163,3 +174,18 @@ export function applyGeneralOverrides<
     metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON ?? generalConfig.metricsJson,
   };
 }
+
+/**
+ * Apply environment variable overrides to a hooks object
+ */
+export function applyHooksOverrides<
+  T extends { preUp: string; postUp: string; preDown: string; postDown: string },
+>(hooks: T): T {
+  return {
+    ...hooks,
+    preUp: WG_HOOKS_OVERRIDE_ENV.PRE_UP ?? hooks.preUp,
+    postUp: WG_HOOKS_OVERRIDE_ENV.POST_UP ?? hooks.postUp,
+    preDown: WG_HOOKS_OVERRIDE_ENV.PRE_DOWN ?? hooks.preDown,
+    postDown: WG_HOOKS_OVERRIDE_ENV.POST_DOWN ?? hooks.postDown,
+  };
+}

From fbf24410dbd1ab8b7c49d139d6696552dcb511de Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 14 Nov 2025 14:30:56 +0000
Subject: [PATCH 08/21] Add metrics password override and implement frontend UI
 indicators

Backend changes:
- Added WG_METRICS_PASSWORD environment variable override
- Updated applyGeneralOverrides() to include metrics password
- Updated /api/admin/overrides endpoint to include metrics password

Frontend changes:
- Added override indicators (warning icons with tooltips) to all form fields
- Updated TextField, NumberField, NullTextField, SwitchField, HostField, ArrayField components
- Added overridden prop support to all form components
- Fetched /api/admin/overrides in all admin pages (interface, general, config, hooks)
- Warning icon displays when field is overridden by environment variable
- ArrayField shows banner when overridden
- Updated documentation with WG_METRICS_PASSWORD

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 docs/content/advanced/config/optional-config.md |  1 +
 src/app/components/Form/ArrayField.vue          | 10 +++++++++-
 src/app/components/Form/HostField.vue           |  4 ++++
 src/app/components/Form/NullTextField.vue       |  4 ++++
 src/app/components/Form/NumberField.vue         | 10 +++++++++-
 src/app/components/Form/SwitchField.vue         | 10 +++++++++-
 src/app/components/Form/TextField.vue           |  4 ++++
 src/app/pages/admin/config.vue                  | 17 ++++++++++++++++-
 src/app/pages/admin/general.vue                 | 11 +++++++++++
 src/app/pages/admin/hooks.vue                   | 10 ++++++++++
 src/app/pages/admin/interface.vue               |  9 +++++++++
 src/server/api/admin/overrides.get.ts           |  1 +
 src/server/utils/config.ts                      |  5 ++++-
 13 files changed, 91 insertions(+), 5 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index 967e64a0..436703e1 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -51,6 +51,7 @@ These environment variables allow you to override settings that would normally b
 | Env                     | Example           | Description               |
 | ----------------------- | ----------------- | ------------------------- |
 | `WG_SESSION_TIMEOUT`    | `3600`            | Session timeout (seconds) |
+| `WG_METRICS_PASSWORD`   | `mypassword123`   | Metrics endpoint password |
 | `WG_METRICS_PROMETHEUS` | `true` or `false` | Enable Prometheus metrics |
 | `WG_METRICS_JSON`       | `true` or `false` | Enable JSON metrics       |
 
diff --git a/src/app/components/Form/ArrayField.vue b/src/app/components/Form/ArrayField.vue
index 497949ca..745e2414 100644
--- a/src/app/components/Form/ArrayField.vue
+++ b/src/app/components/Form/ArrayField.vue
@@ -1,5 +1,9 @@
 <template>
   <div class="flex flex-col gap-2">
+    <div v-if="overridden" class="flex items-center gap-2 p-2 bg-amber-50 dark:bg-amber-900/20 rounded-lg text-amber-700 dark:text-amber-400 text-sm">
+      <IconsWarning class="size-4" />
+      <span>This field is overridden by an environment variable</span>
+    </div>
     <div v-if="data?.length === 0">
       {{ emptyText || $t('form.noItems') }}
     </div>
@@ -35,7 +39,11 @@
 
 <script lang="ts" setup>
 const data = defineModel<string[]>();
-defineProps<{ emptyText?: string[]; name: string }>();
+defineProps<{
+  emptyText?: string[];
+  name: string;
+  overridden?: boolean;
+}>();
 
 function update(e: Event, i: number) {
   const v = (e.target as HTMLInputElement).value;
diff --git a/src/app/components/Form/HostField.vue b/src/app/components/Form/HostField.vue
index 9d15817b..9dd0ddc8 100644
--- a/src/app/components/Form/HostField.vue
+++ b/src/app/components/Form/HostField.vue
@@ -6,6 +6,9 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
+    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
+      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    </BaseTooltip>
   </div>
   <div class="flex gap-1">
     <BaseInput
@@ -38,6 +41,7 @@ defineProps<{
   description?: string;
   placeholder?: string;
   url: '/api/admin/ip-info' | '/api/setup/4';
+  overridden?: boolean;
 }>();
 
 const data = defineModel<string | null>({
diff --git a/src/app/components/Form/NullTextField.vue b/src/app/components/Form/NullTextField.vue
index 352e1201..dae45aef 100644
--- a/src/app/components/Form/NullTextField.vue
+++ b/src/app/components/Form/NullTextField.vue
@@ -6,6 +6,9 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
+    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
+      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    </BaseTooltip>
   </div>
   <BaseInput
     :id="id"
@@ -24,6 +27,7 @@ defineProps<{
   description?: string;
   autocomplete?: string;
   placeholder?: string;
+  overridden?: boolean;
 }>();
 
 const data = defineModel<string | null>({
diff --git a/src/app/components/Form/NumberField.vue b/src/app/components/Form/NumberField.vue
index 07ad5872..1693f5d9 100644
--- a/src/app/components/Form/NumberField.vue
+++ b/src/app/components/Form/NumberField.vue
@@ -6,12 +6,20 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
+    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
+      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    </BaseTooltip>
   </div>
   <BaseInput :id="id" v-model.number="data" :name="id" type="number" />
 </template>
 
 <script lang="ts" setup>
-defineProps<{ id: string; label: string; description?: string }>();
+defineProps<{
+  id: string;
+  label: string;
+  description?: string;
+  overridden?: boolean;
+}>();
 
 const data = defineModel<number>();
 </script>
diff --git a/src/app/components/Form/SwitchField.vue b/src/app/components/Form/SwitchField.vue
index 43eaf3f8..e5b3bbf3 100644
--- a/src/app/components/Form/SwitchField.vue
+++ b/src/app/components/Form/SwitchField.vue
@@ -6,11 +6,19 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
+    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
+      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    </BaseTooltip>
   </div>
   <BaseSwitch :id="id" v-model="data" />
 </template>
 
 <script lang="ts" setup>
-defineProps<{ id: string; label: string; description?: string }>();
+defineProps<{
+  id: string;
+  label: string;
+  description?: string;
+  overridden?: boolean;
+}>();
 const data = defineModel<boolean>();
 </script>
diff --git a/src/app/components/Form/TextField.vue b/src/app/components/Form/TextField.vue
index e62de448..3c442f62 100644
--- a/src/app/components/Form/TextField.vue
+++ b/src/app/components/Form/TextField.vue
@@ -6,6 +6,9 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
+    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
+      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    </BaseTooltip>
   </div>
   <BaseInput
     :id="id"
@@ -24,6 +27,7 @@ defineProps<{
   description?: string;
   autocomplete?: string;
   disabled?: boolean;
+  overridden?: boolean;
 }>();
 
 const data = defineModel<string>();
diff --git a/src/app/pages/admin/config.vue b/src/app/pages/admin/config.vue
index 40146ae2..84e7e0e6 100644
--- a/src/app/pages/admin/config.vue
+++ b/src/app/pages/admin/config.vue
@@ -9,12 +9,14 @@
           :label="$t('general.host')"
           :description="$t('admin.config.hostDesc')"
           url="/api/admin/ip-info"
+          :overridden="overrides.host"
         />
         <FormNumberField
           id="port"
           v-model="data.port"
           :label="$t('general.port')"
           :description="$t('admin.config.portDesc')"
+          :overridden="overrides.port"
         />
       </FormGroup>
       <FormGroup>
@@ -24,13 +26,18 @@
         <FormArrayField
           v-model="data.defaultAllowedIps"
           name="defaultAllowedIps"
+          :overridden="overrides.defaultAllowedIps"
         />
       </FormGroup>
       <FormGroup>
         <FormHeading :description="$t('admin.config.dnsDesc')">
           {{ $t('general.dns') }}
         </FormHeading>
-        <FormArrayField v-model="data.defaultDns" name="defaultDns" />
+        <FormArrayField
+          v-model="data.defaultDns"
+          name="defaultDns"
+          :overridden="overrides.defaultDns"
+        />
       </FormGroup>
       <FormGroup>
         <FormHeading>{{ $t('form.sectionAdvanced') }}</FormHeading>
@@ -39,12 +46,14 @@
           v-model="data.defaultMtu"
           :label="$t('general.mtu')"
           :description="$t('admin.config.mtuDesc')"
+          :overridden="overrides.defaultMtu"
         />
         <FormNumberField
           id="defaultPersistentKeepalive"
           v-model="data.defaultPersistentKeepalive"
           :label="$t('general.persistentKeepalive')"
           :description="$t('admin.config.persistentKeepaliveDesc')"
+          :overridden="overrides.defaultPersistentKeepalive"
         />
       </FormGroup>
       <FormGroup v-if="globalStore.information?.isAwg">
@@ -118,6 +127,12 @@ const { data: _data, refresh } = await useFetch(`/api/admin/userconfig`, {
   method: 'get',
 });
 
+const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
+  method: 'get',
+});
+
+const overrides = computed(() => overridesData.value?.userConfig || {});
+
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
diff --git a/src/app/pages/admin/general.vue b/src/app/pages/admin/general.vue
index 9515e456..49a57cd0 100644
--- a/src/app/pages/admin/general.vue
+++ b/src/app/pages/admin/general.vue
@@ -7,6 +7,7 @@
           v-model="data.sessionTimeout"
           :label="$t('admin.general.sessionTimeout')"
           :description="$t('admin.general.sessionTimeoutDesc')"
+          :overridden="overrides.sessionTimeout"
         />
       </FormGroup>
       <FormGroup>
@@ -16,18 +17,21 @@
           v-model="data.metricsPassword"
           :label="$t('admin.general.metricsPassword')"
           :description="$t('admin.general.metricsPasswordDesc')"
+          :overridden="overrides.metricsPassword"
         />
         <FormSwitchField
           id="prometheus"
           v-model="data.metricsPrometheus"
           :label="$t('admin.general.prometheus')"
           :description="$t('admin.general.prometheusDesc')"
+          :overridden="overrides.metricsPrometheus"
         />
         <FormSwitchField
           id="json"
           v-model="data.metricsJson"
           :label="$t('admin.general.json')"
           :description="$t('admin.general.jsonDesc')"
+          :overridden="overrides.metricsJson"
         />
       </FormGroup>
       <FormGroup>
@@ -43,6 +47,13 @@
 const { data: _data, refresh } = await useFetch(`/api/admin/general`, {
   method: 'get',
 });
+
+const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
+  method: 'get',
+});
+
+const overrides = computed(() => overridesData.value?.general || {});
+
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
diff --git a/src/app/pages/admin/hooks.vue b/src/app/pages/admin/hooks.vue
index b8dda4b6..19d81bf4 100644
--- a/src/app/pages/admin/hooks.vue
+++ b/src/app/pages/admin/hooks.vue
@@ -6,21 +6,25 @@
           id="PreUp"
           v-model="data.preUp"
           :label="$t('hooks.preUp')"
+          :overridden="overrides.preUp"
         />
         <FormTextField
           id="PostUp"
           v-model="data.postUp"
           :label="$t('hooks.postUp')"
+          :overridden="overrides.postUp"
         />
         <FormTextField
           id="PreDown"
           v-model="data.preDown"
           :label="$t('hooks.preDown')"
+          :overridden="overrides.preDown"
         />
         <FormTextField
           id="PostDown"
           v-model="data.postDown"
           :label="$t('hooks.postDown')"
+          :overridden="overrides.postDown"
         />
       </FormGroup>
       <FormGroup>
@@ -37,6 +41,12 @@ const { data: _data, refresh } = await useFetch(`/api/admin/hooks`, {
   method: 'get',
 });
 
+const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
+  method: 'get',
+});
+
+const overrides = computed(() => overridesData.value?.hooks || {});
+
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
diff --git a/src/app/pages/admin/interface.vue b/src/app/pages/admin/interface.vue
index fd4d7eeb..6d5c56e4 100644
--- a/src/app/pages/admin/interface.vue
+++ b/src/app/pages/admin/interface.vue
@@ -7,18 +7,21 @@
           v-model="data.mtu"
           :label="$t('general.mtu')"
           :description="$t('admin.interface.mtuDesc')"
+          :overridden="overrides.mtu"
         />
         <FormNumberField
           id="port"
           v-model="data.port"
           :label="$t('general.port')"
           :description="$t('admin.interface.portDesc')"
+          :overridden="overrides.port"
         />
         <FormTextField
           id="device"
           v-model="data.device"
           :label="$t('admin.interface.device')"
           :description="$t('admin.interface.deviceDesc')"
+          :overridden="overrides.device"
         />
       </FormGroup>
       <FormGroup v-if="globalStore.information?.isAwg">
@@ -164,6 +167,12 @@ const { data: _data, refresh } = await useFetch(`/api/admin/interface`, {
   method: 'get',
 });
 
+const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
+  method: 'get',
+});
+
+const overrides = computed(() => overridesData.value?.interface || {});
+
 const data = toRef(_data.value);
 
 const _submit = useSubmit(
diff --git a/src/server/api/admin/overrides.get.ts b/src/server/api/admin/overrides.get.ts
index ae3b2ef0..45e3bbce 100644
--- a/src/server/api/admin/overrides.get.ts
+++ b/src/server/api/admin/overrides.get.ts
@@ -17,6 +17,7 @@ export default definePermissionEventHandler('admin', 'any', async () => {
     },
     general: {
       sessionTimeout: WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT !== undefined,
+      metricsPassword: WG_GENERAL_OVERRIDE_ENV.METRICS_PASSWORD !== undefined,
       metricsPrometheus: WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined,
       metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON !== undefined,
     },
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index 0a8e29fd..0eb3bd1b 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -97,6 +97,8 @@ export const WG_GENERAL_OVERRIDE_ENV = {
   SESSION_TIMEOUT: process.env.WG_SESSION_TIMEOUT
     ? Number.parseInt(process.env.WG_SESSION_TIMEOUT, 10)
     : undefined,
+  /** Override metrics password */
+  METRICS_PASSWORD: process.env.WG_METRICS_PASSWORD,
   /** Override metrics Prometheus enabled status */
   METRICS_PROMETHEUS: process.env.WG_METRICS_PROMETHEUS === 'true' ? true :
                        process.env.WG_METRICS_PROMETHEUS === 'false' ? false :
@@ -165,11 +167,12 @@ export function applyUserConfigOverrides<
  * Apply environment variable overrides to a general config object
  */
 export function applyGeneralOverrides<
-  T extends { sessionTimeout: number; metricsPrometheus: boolean; metricsJson: boolean },
+  T extends { sessionTimeout: number; metricsPassword: string | null; metricsPrometheus: boolean; metricsJson: boolean },
 >(generalConfig: T): T {
   return {
     ...generalConfig,
     sessionTimeout: WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT ?? generalConfig.sessionTimeout,
+    metricsPassword: WG_GENERAL_OVERRIDE_ENV.METRICS_PASSWORD ?? generalConfig.metricsPassword,
     metricsPrometheus: WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS ?? generalConfig.metricsPrometheus,
     metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON ?? generalConfig.metricsJson,
   };

From 993c130f65b837b2ccc43d01e34d97854d5f376c Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Fri, 14 Nov 2025 15:41:48 +0100
Subject: [PATCH 09/21] format code

---
 src/app/components/Form/ArrayField.vue    |  5 +-
 src/app/components/Form/HostField.vue     |  7 +-
 src/app/components/Form/NullTextField.vue |  7 +-
 src/app/components/Form/NumberField.vue   |  7 +-
 src/app/components/Form/SwitchField.vue   |  7 +-
 src/app/components/Form/TextField.vue     |  7 +-
 src/server/api/admin/overrides.get.ts     |  9 ++-
 src/server/utils/WireGuard.ts             | 12 +++-
 src/server/utils/config.ts                | 78 +++++++++++++++++------
 9 files changed, 102 insertions(+), 37 deletions(-)

diff --git a/src/app/components/Form/ArrayField.vue b/src/app/components/Form/ArrayField.vue
index 745e2414..d7de0195 100644
--- a/src/app/components/Form/ArrayField.vue
+++ b/src/app/components/Form/ArrayField.vue
@@ -1,6 +1,9 @@
 <template>
   <div class="flex flex-col gap-2">
-    <div v-if="overridden" class="flex items-center gap-2 p-2 bg-amber-50 dark:bg-amber-900/20 rounded-lg text-amber-700 dark:text-amber-400 text-sm">
+    <div
+      v-if="overridden"
+      class="flex items-center gap-2 rounded-lg bg-amber-50 p-2 text-sm text-amber-700 dark:bg-amber-900/20 dark:text-amber-400"
+    >
       <IconsWarning class="size-4" />
       <span>This field is overridden by an environment variable</span>
     </div>
diff --git a/src/app/components/Form/HostField.vue b/src/app/components/Form/HostField.vue
index 9dd0ddc8..2e2d1ea6 100644
--- a/src/app/components/Form/HostField.vue
+++ b/src/app/components/Form/HostField.vue
@@ -6,8 +6,11 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
-      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    <BaseTooltip
+      v-if="overridden"
+      text="This field is overridden by an environment variable"
+    >
+      <IconsWarning class="ml-1 size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <div class="flex gap-1">
diff --git a/src/app/components/Form/NullTextField.vue b/src/app/components/Form/NullTextField.vue
index dae45aef..a9c01f26 100644
--- a/src/app/components/Form/NullTextField.vue
+++ b/src/app/components/Form/NullTextField.vue
@@ -6,8 +6,11 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
-      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    <BaseTooltip
+      v-if="overridden"
+      text="This field is overridden by an environment variable"
+    >
+      <IconsWarning class="ml-1 size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseInput
diff --git a/src/app/components/Form/NumberField.vue b/src/app/components/Form/NumberField.vue
index 1693f5d9..d826ef1d 100644
--- a/src/app/components/Form/NumberField.vue
+++ b/src/app/components/Form/NumberField.vue
@@ -6,8 +6,11 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
-      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    <BaseTooltip
+      v-if="overridden"
+      text="This field is overridden by an environment variable"
+    >
+      <IconsWarning class="ml-1 size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseInput :id="id" v-model.number="data" :name="id" type="number" />
diff --git a/src/app/components/Form/SwitchField.vue b/src/app/components/Form/SwitchField.vue
index e5b3bbf3..1824cbd8 100644
--- a/src/app/components/Form/SwitchField.vue
+++ b/src/app/components/Form/SwitchField.vue
@@ -6,8 +6,11 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
-      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    <BaseTooltip
+      v-if="overridden"
+      text="This field is overridden by an environment variable"
+    >
+      <IconsWarning class="ml-1 size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseSwitch :id="id" v-model="data" />
diff --git a/src/app/components/Form/TextField.vue b/src/app/components/Form/TextField.vue
index 3c442f62..8a226805 100644
--- a/src/app/components/Form/TextField.vue
+++ b/src/app/components/Form/TextField.vue
@@ -6,8 +6,11 @@
     <BaseTooltip v-if="description" :text="description">
       <IconsInfo class="size-4" />
     </BaseTooltip>
-    <BaseTooltip v-if="overridden" text="This field is overridden by an environment variable">
-      <IconsWarning class="size-4 ml-1 text-amber-500" />
+    <BaseTooltip
+      v-if="overridden"
+      text="This field is overridden by an environment variable"
+    >
+      <IconsWarning class="ml-1 size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseInput
diff --git a/src/server/api/admin/overrides.get.ts b/src/server/api/admin/overrides.get.ts
index 45e3bbce..ad9a6d53 100644
--- a/src/server/api/admin/overrides.get.ts
+++ b/src/server/api/admin/overrides.get.ts
@@ -11,14 +11,17 @@ export default definePermissionEventHandler('admin', 'any', async () => {
       host: WG_CLIENT_OVERRIDE_ENV.HOST !== undefined,
       port: WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT !== undefined,
       defaultDns: WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS !== undefined,
-      defaultAllowedIps: WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS !== undefined,
+      defaultAllowedIps:
+        WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS !== undefined,
       defaultMtu: WG_CLIENT_OVERRIDE_ENV.DEFAULT_MTU !== undefined,
-      defaultPersistentKeepalive: WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE !== undefined,
+      defaultPersistentKeepalive:
+        WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE !== undefined,
     },
     general: {
       sessionTimeout: WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT !== undefined,
       metricsPassword: WG_GENERAL_OVERRIDE_ENV.METRICS_PASSWORD !== undefined,
-      metricsPrometheus: WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined,
+      metricsPrometheus:
+        WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS !== undefined,
       metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON !== undefined,
     },
     hooks: {
diff --git a/src/server/utils/WireGuard.ts b/src/server/utils/WireGuard.ts
index 8f4d875a..8a562660 100644
--- a/src/server/utils/WireGuard.ts
+++ b/src/server/utils/WireGuard.ts
@@ -228,14 +228,18 @@ class WireGuard {
 
     const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
 
-    WG_DEBUG(`Starting Wireguard Interface ${wgInterfaceWithOverrides.name}...`);
+    WG_DEBUG(
+      `Starting Wireguard Interface ${wgInterfaceWithOverrides.name}...`
+    );
     await this.#saveWireguardConfig(wgInterfaceWithOverrides);
     await wg.down(wgInterfaceWithOverrides.name).catch(() => {});
     await wg.up(wgInterfaceWithOverrides.name).catch((err) => {
       if (
         err &&
         err.message &&
-        err.message.includes(`Cannot find device "${wgInterfaceWithOverrides.name}"`)
+        err.message.includes(
+          `Cannot find device "${wgInterfaceWithOverrides.name}"`
+        )
       ) {
         throw new Error(
           `WireGuard exited with the error: Cannot find device "${wgInterfaceWithOverrides.name}"\nThis usually means that your host's kernel does not support WireGuard!`,
@@ -246,7 +250,9 @@ class WireGuard {
       throw err;
     });
     await this.#syncWireguardConfig(wgInterfaceWithOverrides);
-    WG_DEBUG(`Wireguard Interface ${wgInterfaceWithOverrides.name} started successfully.`);
+    WG_DEBUG(
+      `Wireguard Interface ${wgInterfaceWithOverrides.name} started successfully.`
+    );
 
     WG_DEBUG('Starting Cron Job...');
     await this.startCronJob();
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index 0eb3bd1b..a961148c 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -62,9 +62,7 @@ export const WG_OVERRIDE_ENV = {
   /** Override the network device/interface */
   DEVICE: process.env.WG_DEVICE,
   /** Override the MTU setting */
-  MTU: process.env.WG_MTU
-    ? Number.parseInt(process.env.WG_MTU, 10)
-    : undefined,
+  MTU: process.env.WG_MTU ? Number.parseInt(process.env.WG_MTU, 10) : undefined,
   /** Override the IPv4 CIDR */
   IPV4_CIDR: process.env.WG_IPV4_CIDR,
   /** Override the IPv6 CIDR */
@@ -81,7 +79,9 @@ export const WG_CLIENT_OVERRIDE_ENV = {
   /** Override default client DNS servers */
   DEFAULT_DNS: process.env.WG_DEFAULT_DNS?.split(',').map((x) => x.trim()),
   /** Override default client allowed IPs */
-  DEFAULT_ALLOWED_IPS: process.env.WG_DEFAULT_ALLOWED_IPS?.split(',').map((x) => x.trim()),
+  DEFAULT_ALLOWED_IPS: process.env.WG_DEFAULT_ALLOWED_IPS?.split(',').map((x) =>
+    x.trim()
+  ),
   /** Override default client MTU */
   DEFAULT_MTU: process.env.WG_DEFAULT_MTU
     ? Number.parseInt(process.env.WG_DEFAULT_MTU, 10)
@@ -100,13 +100,19 @@ export const WG_GENERAL_OVERRIDE_ENV = {
   /** Override metrics password */
   METRICS_PASSWORD: process.env.WG_METRICS_PASSWORD,
   /** Override metrics Prometheus enabled status */
-  METRICS_PROMETHEUS: process.env.WG_METRICS_PROMETHEUS === 'true' ? true :
-                       process.env.WG_METRICS_PROMETHEUS === 'false' ? false :
-                       undefined,
+  METRICS_PROMETHEUS:
+    process.env.WG_METRICS_PROMETHEUS === 'true'
+      ? true
+      : process.env.WG_METRICS_PROMETHEUS === 'false'
+        ? false
+        : undefined,
   /** Override metrics JSON enabled status */
-  METRICS_JSON: process.env.WG_METRICS_JSON === 'true' ? true :
-                 process.env.WG_METRICS_JSON === 'false' ? false :
-                 undefined,
+  METRICS_JSON:
+    process.env.WG_METRICS_JSON === 'true'
+      ? true
+      : process.env.WG_METRICS_JSON === 'false'
+        ? false
+        : undefined,
 };
 
 export const WG_HOOKS_OVERRIDE_ENV = {
@@ -134,7 +140,13 @@ function assertEnv<T extends string>(env: T) {
  * Apply environment variable overrides to an interface object
  */
 export function applyInterfaceOverrides<
-  T extends { port: number; device: string; mtu: number; ipv4Cidr: string; ipv6Cidr: string },
+  T extends {
+    port: number;
+    device: string;
+    mtu: number;
+    ipv4Cidr: string;
+    ipv6Cidr: string;
+  },
 >(wgInterface: T): T {
   return {
     ...wgInterface,
@@ -150,16 +162,27 @@ export function applyInterfaceOverrides<
  * Apply environment variable overrides to a user config object
  */
 export function applyUserConfigOverrides<
-  T extends { host: string; port: number; defaultDns: string[]; defaultAllowedIps: string[]; defaultMtu: number; defaultPersistentKeepalive: number },
+  T extends {
+    host: string;
+    port: number;
+    defaultDns: string[];
+    defaultAllowedIps: string[];
+    defaultMtu: number;
+    defaultPersistentKeepalive: number;
+  },
 >(userConfig: T): T {
   return {
     ...userConfig,
     host: WG_CLIENT_OVERRIDE_ENV.HOST ?? userConfig.host,
     port: WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT ?? userConfig.port,
     defaultDns: WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS ?? userConfig.defaultDns,
-    defaultAllowedIps: WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS ?? userConfig.defaultAllowedIps,
+    defaultAllowedIps:
+      WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS ??
+      userConfig.defaultAllowedIps,
     defaultMtu: WG_CLIENT_OVERRIDE_ENV.DEFAULT_MTU ?? userConfig.defaultMtu,
-    defaultPersistentKeepalive: WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE ?? userConfig.defaultPersistentKeepalive,
+    defaultPersistentKeepalive:
+      WG_CLIENT_OVERRIDE_ENV.DEFAULT_PERSISTENT_KEEPALIVE ??
+      userConfig.defaultPersistentKeepalive,
   };
 }
 
@@ -167,14 +190,24 @@ export function applyUserConfigOverrides<
  * Apply environment variable overrides to a general config object
  */
 export function applyGeneralOverrides<
-  T extends { sessionTimeout: number; metricsPassword: string | null; metricsPrometheus: boolean; metricsJson: boolean },
+  T extends {
+    sessionTimeout: number;
+    metricsPassword: string | null;
+    metricsPrometheus: boolean;
+    metricsJson: boolean;
+  },
 >(generalConfig: T): T {
   return {
     ...generalConfig,
-    sessionTimeout: WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT ?? generalConfig.sessionTimeout,
-    metricsPassword: WG_GENERAL_OVERRIDE_ENV.METRICS_PASSWORD ?? generalConfig.metricsPassword,
-    metricsPrometheus: WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS ?? generalConfig.metricsPrometheus,
-    metricsJson: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON ?? generalConfig.metricsJson,
+    sessionTimeout:
+      WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT ?? generalConfig.sessionTimeout,
+    metricsPassword:
+      WG_GENERAL_OVERRIDE_ENV.METRICS_PASSWORD ?? generalConfig.metricsPassword,
+    metricsPrometheus:
+      WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS ??
+      generalConfig.metricsPrometheus,
+    metricsJson:
+      WG_GENERAL_OVERRIDE_ENV.METRICS_JSON ?? generalConfig.metricsJson,
   };
 }
 
@@ -182,7 +215,12 @@ export function applyGeneralOverrides<
  * Apply environment variable overrides to a hooks object
  */
 export function applyHooksOverrides<
-  T extends { preUp: string; postUp: string; preDown: string; postDown: string },
+  T extends {
+    preUp: string;
+    postUp: string;
+    preDown: string;
+    postDown: string;
+  },
 >(hooks: T): T {
   return {
     ...hooks,

From e42f7313ab7236485ed7721605071bde03811604 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 17 Nov 2025 09:37:06 +0100
Subject: [PATCH 10/21] fixes

---
 src/app/pages/admin/config.vue    | 14 +++++-----
 src/app/pages/admin/general.vue   | 10 +++----
 src/app/pages/admin/hooks.vue     | 10 +++----
 src/app/pages/admin/interface.vue |  8 +++---
 src/server/utils/WireGuard.ts     | 44 ++++++++++++++++---------------
 src/server/utils/config.ts        | 29 ++++++++++++--------
 src/server/utils/handler.ts       |  4 ++-
 src/server/utils/session.ts       | 10 +++++--
 8 files changed, 73 insertions(+), 56 deletions(-)

diff --git a/src/app/pages/admin/config.vue b/src/app/pages/admin/config.vue
index 84e7e0e6..a290bed6 100644
--- a/src/app/pages/admin/config.vue
+++ b/src/app/pages/admin/config.vue
@@ -9,14 +9,14 @@
           :label="$t('general.host')"
           :description="$t('admin.config.hostDesc')"
           url="/api/admin/ip-info"
-          :overridden="overrides.host"
+          :overridden="overrides?.host"
         />
         <FormNumberField
           id="port"
           v-model="data.port"
           :label="$t('general.port')"
           :description="$t('admin.config.portDesc')"
-          :overridden="overrides.port"
+          :overridden="overrides?.port"
         />
       </FormGroup>
       <FormGroup>
@@ -26,7 +26,7 @@
         <FormArrayField
           v-model="data.defaultAllowedIps"
           name="defaultAllowedIps"
-          :overridden="overrides.defaultAllowedIps"
+          :overridden="overrides?.defaultAllowedIps"
         />
       </FormGroup>
       <FormGroup>
@@ -36,7 +36,7 @@
         <FormArrayField
           v-model="data.defaultDns"
           name="defaultDns"
-          :overridden="overrides.defaultDns"
+          :overridden="overrides?.defaultDns"
         />
       </FormGroup>
       <FormGroup>
@@ -46,14 +46,14 @@
           v-model="data.defaultMtu"
           :label="$t('general.mtu')"
           :description="$t('admin.config.mtuDesc')"
-          :overridden="overrides.defaultMtu"
+          :overridden="overrides?.defaultMtu"
         />
         <FormNumberField
           id="defaultPersistentKeepalive"
           v-model="data.defaultPersistentKeepalive"
           :label="$t('general.persistentKeepalive')"
           :description="$t('admin.config.persistentKeepaliveDesc')"
-          :overridden="overrides.defaultPersistentKeepalive"
+          :overridden="overrides?.defaultPersistentKeepalive"
         />
       </FormGroup>
       <FormGroup v-if="globalStore.information?.isAwg">
@@ -131,7 +131,7 @@ const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
   method: 'get',
 });
 
-const overrides = computed(() => overridesData.value?.userConfig || {});
+const overrides = computed(() => overridesData.value?.userConfig);
 
 const data = toRef(_data.value);
 
diff --git a/src/app/pages/admin/general.vue b/src/app/pages/admin/general.vue
index 49a57cd0..8036e84a 100644
--- a/src/app/pages/admin/general.vue
+++ b/src/app/pages/admin/general.vue
@@ -7,7 +7,7 @@
           v-model="data.sessionTimeout"
           :label="$t('admin.general.sessionTimeout')"
           :description="$t('admin.general.sessionTimeoutDesc')"
-          :overridden="overrides.sessionTimeout"
+          :overridden="overrides?.sessionTimeout"
         />
       </FormGroup>
       <FormGroup>
@@ -17,21 +17,21 @@
           v-model="data.metricsPassword"
           :label="$t('admin.general.metricsPassword')"
           :description="$t('admin.general.metricsPasswordDesc')"
-          :overridden="overrides.metricsPassword"
+          :overridden="overrides?.metricsPassword"
         />
         <FormSwitchField
           id="prometheus"
           v-model="data.metricsPrometheus"
           :label="$t('admin.general.prometheus')"
           :description="$t('admin.general.prometheusDesc')"
-          :overridden="overrides.metricsPrometheus"
+          :overridden="overrides?.metricsPrometheus"
         />
         <FormSwitchField
           id="json"
           v-model="data.metricsJson"
           :label="$t('admin.general.json')"
           :description="$t('admin.general.jsonDesc')"
-          :overridden="overrides.metricsJson"
+          :overridden="overrides?.metricsJson"
         />
       </FormGroup>
       <FormGroup>
@@ -52,7 +52,7 @@ const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
   method: 'get',
 });
 
-const overrides = computed(() => overridesData.value?.general || {});
+const overrides = computed(() => overridesData.value?.general);
 
 const data = toRef(_data.value);
 
diff --git a/src/app/pages/admin/hooks.vue b/src/app/pages/admin/hooks.vue
index 19d81bf4..e016f848 100644
--- a/src/app/pages/admin/hooks.vue
+++ b/src/app/pages/admin/hooks.vue
@@ -6,25 +6,25 @@
           id="PreUp"
           v-model="data.preUp"
           :label="$t('hooks.preUp')"
-          :overridden="overrides.preUp"
+          :overridden="overrides?.preUp"
         />
         <FormTextField
           id="PostUp"
           v-model="data.postUp"
           :label="$t('hooks.postUp')"
-          :overridden="overrides.postUp"
+          :overridden="overrides?.postUp"
         />
         <FormTextField
           id="PreDown"
           v-model="data.preDown"
           :label="$t('hooks.preDown')"
-          :overridden="overrides.preDown"
+          :overridden="overrides?.preDown"
         />
         <FormTextField
           id="PostDown"
           v-model="data.postDown"
           :label="$t('hooks.postDown')"
-          :overridden="overrides.postDown"
+          :overridden="overrides?.postDown"
         />
       </FormGroup>
       <FormGroup>
@@ -45,7 +45,7 @@ const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
   method: 'get',
 });
 
-const overrides = computed(() => overridesData.value?.hooks || {});
+const overrides = computed(() => overridesData.value?.hooks);
 
 const data = toRef(_data.value);
 
diff --git a/src/app/pages/admin/interface.vue b/src/app/pages/admin/interface.vue
index 6d5c56e4..e746d2e9 100644
--- a/src/app/pages/admin/interface.vue
+++ b/src/app/pages/admin/interface.vue
@@ -7,21 +7,21 @@
           v-model="data.mtu"
           :label="$t('general.mtu')"
           :description="$t('admin.interface.mtuDesc')"
-          :overridden="overrides.mtu"
+          :overridden="overrides?.mtu"
         />
         <FormNumberField
           id="port"
           v-model="data.port"
           :label="$t('general.port')"
           :description="$t('admin.interface.portDesc')"
-          :overridden="overrides.port"
+          :overridden="overrides?.port"
         />
         <FormTextField
           id="device"
           v-model="data.device"
           :label="$t('admin.interface.device')"
           :description="$t('admin.interface.deviceDesc')"
-          :overridden="overrides.device"
+          :overridden="overrides?.device"
         />
       </FormGroup>
       <FormGroup v-if="globalStore.information?.isAwg">
@@ -171,7 +171,7 @@ const { data: overridesData } = await useFetch(`/api/admin/overrides`, {
   method: 'get',
 });
 
-const overrides = computed(() => overridesData.value?.interface || {});
+const overrides = computed(() => overridesData.value?.interface);
 
 const data = toRef(_data.value);
 
diff --git a/src/server/utils/WireGuard.ts b/src/server/utils/WireGuard.ts
index 8a562660..9b9f6c42 100644
--- a/src/server/utils/WireGuard.ts
+++ b/src/server/utils/WireGuard.ts
@@ -13,10 +13,12 @@ class WireGuard {
    * Save and sync config
    */
   async saveConfig() {
-    const wgInterface = await Database.interfaces.get();
-    const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
-    await this.#saveWireguardConfig(wgInterfaceWithOverrides);
-    await this.#syncWireguardConfig(wgInterfaceWithOverrides);
+    const wgInterface = applyInterfaceOverrides(
+      await Database.interfaces.get()
+    );
+
+    await this.#saveWireguardConfig(wgInterface);
+    await this.#syncWireguardConfig(wgInterface);
   }
 
   /**
@@ -26,12 +28,11 @@ class WireGuard {
    */
   async #saveWireguardConfig(wgInterface: InterfaceType) {
     const clients = await Database.clients.getAll();
-    const hooks = await Database.hooks.get();
-    const hooksWithOverrides = applyHooksOverrides(hooks);
+    const hooks = applyHooksOverrides(await Database.hooks.get());
 
     const result = [];
     result.push(
-      wg.generateServerInterface(wgInterface, hooksWithOverrides, {
+      wg.generateServerInterface(wgInterface, hooks, {
         enableIpv6: !WG_ENV.DISABLE_IPV6,
       })
     );
@@ -152,10 +153,12 @@ class WireGuard {
   }
 
   async getClientConfiguration({ clientId }: { clientId: ID }) {
-    const wgInterface = await Database.interfaces.get();
-    const wgInterfaceWithOverrides = applyInterfaceOverrides(wgInterface);
-    const userConfig = await Database.userConfigs.get();
-    const userConfigWithOverrides = applyUserConfigOverrides(userConfig);
+    const wgInterface = applyInterfaceOverrides(
+      await Database.interfaces.get()
+    );
+    const userConfig = applyUserConfigOverrides(
+      await Database.userConfigs.get()
+    );
 
     const client = await Database.clients.get(clientId);
 
@@ -163,14 +166,9 @@ class WireGuard {
       throw new Error('Client not found');
     }
 
-    return wg.generateClientConfig(
-      wgInterfaceWithOverrides,
-      userConfigWithOverrides,
-      client,
-      {
-        enableIpv6: !WG_ENV.DISABLE_IPV6,
-      }
-    );
+    return wg.generateClientConfig(wgInterface, userConfig, client, {
+      enableIpv6: !WG_ENV.DISABLE_IPV6,
+    });
   }
 
   async getClientQRCodeSVG({ clientId }: { clientId: ID }) {
@@ -271,12 +269,16 @@ class WireGuard {
 
   // Shutdown wireguard
   async Shutdown() {
-    const wgInterface = await Database.interfaces.get();
+    const wgInterface = applyInterfaceOverrides(
+      await Database.interfaces.get()
+    );
     await wg.down(wgInterface.name).catch(() => {});
   }
 
   async Restart() {
-    const wgInterface = await Database.interfaces.get();
+    const wgInterface = applyInterfaceOverrides(
+      await Database.interfaces.get()
+    );
     await wg.restart(wgInterface.name);
   }
 
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index a961148c..3f5081ae 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -189,25 +189,32 @@ export function applyUserConfigOverrides<
 /**
  * Apply environment variable overrides to a general config object
  */
-export function applyGeneralOverrides<
+export function applySessionOverrides<
   T extends {
     sessionTimeout: number;
-    metricsPassword: string | null;
-    metricsPrometheus: boolean;
-    metricsJson: boolean;
   },
 >(generalConfig: T): T {
   return {
     ...generalConfig,
     sessionTimeout:
       WG_GENERAL_OVERRIDE_ENV.SESSION_TIMEOUT ?? generalConfig.sessionTimeout,
-    metricsPassword:
-      WG_GENERAL_OVERRIDE_ENV.METRICS_PASSWORD ?? generalConfig.metricsPassword,
-    metricsPrometheus:
-      WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS ??
-      generalConfig.metricsPrometheus,
-    metricsJson:
-      WG_GENERAL_OVERRIDE_ENV.METRICS_JSON ?? generalConfig.metricsJson,
+  };
+}
+
+export function applyMetricsOverrides<
+  T extends {
+    password: string | null;
+    prometheus: boolean;
+    json: boolean;
+  },
+>(metricsConfig: T): T {
+  return {
+    ...metricsConfig,
+    password:
+      WG_GENERAL_OVERRIDE_ENV.METRICS_PASSWORD ?? metricsConfig.password,
+    prometheus:
+      WG_GENERAL_OVERRIDE_ENV.METRICS_PROMETHEUS ?? metricsConfig.prometheus,
+    json: WG_GENERAL_OVERRIDE_ENV.METRICS_JSON ?? metricsConfig.json,
   };
 }
 
diff --git a/src/server/utils/handler.ts b/src/server/utils/handler.ts
index 5f0baa08..ca26b69a 100644
--- a/src/server/utils/handler.ts
+++ b/src/server/utils/handler.ts
@@ -138,7 +138,9 @@ export const defineMetricsHandler = <
   handler: MetricsHandler<TReq, TRes>
 ) => {
   return defineEventHandler(async (event) => {
-    const metricsConfig = await Database.general.getMetricsConfig();
+    const metricsConfig = applyMetricsOverrides(
+      await Database.general.getMetricsConfig()
+    );
 
     if (metricsConfig.password) {
       const auth = getHeader(event, 'Authorization');
diff --git a/src/server/utils/session.ts b/src/server/utils/session.ts
index 1a144cea..c690d038 100644
--- a/src/server/utils/session.ts
+++ b/src/server/utils/session.ts
@@ -8,7 +8,10 @@ export type WGSession = Partial<{
 const name = 'wg-easy';
 
 export async function useWGSession(event: H3Event, rememberMe = false) {
-  const sessionConfig = await Database.general.getSessionConfig();
+  const sessionConfig = applySessionOverrides(
+    await Database.general.getSessionConfig()
+  );
+
   return useSession<WGSession>(event, {
     password: sessionConfig.sessionPassword,
     name,
@@ -22,7 +25,10 @@ export async function useWGSession(event: H3Event, rememberMe = false) {
 }
 
 export async function getWGSession(event: H3Event) {
-  const sessionConfig = await Database.general.getSessionConfig();
+  const sessionConfig = applySessionOverrides(
+    await Database.general.getSessionConfig()
+  );
+
   return getSession<WGSession>(event, {
     password: sessionConfig.sessionPassword,
     name,

From 015f3c5ba28f687cdfdcf78bef534ea8fcdd72cc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 17 Nov 2025 08:44:54 +0000
Subject: [PATCH 11/21] Fix documentation discrepancy about UI behavior

- Corrected override behavior description in optional-config.md
- Web UI displays database values with warning indicators, not overridden values
- Clarified that overrides take precedence at runtime, not in the UI display

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 docs/content/advanced/config/optional-config.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index 436703e1..0bba7b3e 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -70,8 +70,8 @@ When these override environment variables are set:
 
 - The specified values will be used at runtime instead of database settings
 - You can still update these fields through the Web UI and they will be saved to the database
-- However, the overridden values from environment variables will always take precedence
-- The Web UI will display the overridden (effective) values
+- However, the overridden values from environment variables will always take precedence at runtime
+- The Web UI will display the database values with warning indicators showing which fields are overridden
 
 These overrides are useful for containerized environments where configuration should be controlled externally.
 

From d12045e10cdc5c39e01c3d9e595e6d2dd03c4912 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 17 Nov 2025 10:15:22 +0100
Subject: [PATCH 12/21] fix ui, fix client

---
 .../advanced/config/optional-config.md        |  5 ++++-
 src/app/components/Form/ArrayField.vue        |  2 +-
 src/app/components/Form/HostField.vue         |  2 +-
 src/app/components/Form/NullTextField.vue     |  2 +-
 src/app/components/Form/NumberField.vue       |  2 +-
 src/app/components/Form/SwitchField.vue       |  2 +-
 src/app/components/Form/TextField.vue         |  2 +-
 .../database/repositories/client/service.ts   | 21 ++++++++++++-------
 8 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index 0bba7b3e..ab9969f0 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -73,7 +73,10 @@ When these override environment variables are set:
 - However, the overridden values from environment variables will always take precedence at runtime
 - The Web UI will display the database values with warning indicators showing which fields are overridden
 
-These overrides are useful for containerized environments where configuration should be controlled externally.
+Some overrides will not be applied to existing clients until they are manually edited.
+
+- `WG_DEFAULT_*` settings will only apply to new clients
+- `WG_IPV4_CIDR` and `WG_IPV6_CIDR` changes will require clients to be manually edited to take effect
 
 ///
 
diff --git a/src/app/components/Form/ArrayField.vue b/src/app/components/Form/ArrayField.vue
index d7de0195..80bd86e2 100644
--- a/src/app/components/Form/ArrayField.vue
+++ b/src/app/components/Form/ArrayField.vue
@@ -2,7 +2,7 @@
   <div class="flex flex-col gap-2">
     <div
       v-if="overridden"
-      class="flex items-center gap-2 rounded-lg bg-amber-50 p-2 text-sm text-amber-700 dark:bg-amber-900/20 dark:text-amber-400"
+      class="flex w-fit items-center gap-2 rounded-lg bg-amber-50 p-2 text-sm text-amber-700 dark:bg-amber-900/20 dark:text-amber-400"
     >
       <IconsWarning class="size-4" />
       <span>This field is overridden by an environment variable</span>
diff --git a/src/app/components/Form/HostField.vue b/src/app/components/Form/HostField.vue
index 2e2d1ea6..eec76a36 100644
--- a/src/app/components/Form/HostField.vue
+++ b/src/app/components/Form/HostField.vue
@@ -10,7 +10,7 @@
       v-if="overridden"
       text="This field is overridden by an environment variable"
     >
-      <IconsWarning class="ml-1 size-4 text-amber-500" />
+      <IconsWarning class="size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <div class="flex gap-1">
diff --git a/src/app/components/Form/NullTextField.vue b/src/app/components/Form/NullTextField.vue
index a9c01f26..d3387ef6 100644
--- a/src/app/components/Form/NullTextField.vue
+++ b/src/app/components/Form/NullTextField.vue
@@ -10,7 +10,7 @@
       v-if="overridden"
       text="This field is overridden by an environment variable"
     >
-      <IconsWarning class="ml-1 size-4 text-amber-500" />
+      <IconsWarning class="size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseInput
diff --git a/src/app/components/Form/NumberField.vue b/src/app/components/Form/NumberField.vue
index d826ef1d..af1b8275 100644
--- a/src/app/components/Form/NumberField.vue
+++ b/src/app/components/Form/NumberField.vue
@@ -10,7 +10,7 @@
       v-if="overridden"
       text="This field is overridden by an environment variable"
     >
-      <IconsWarning class="ml-1 size-4 text-amber-500" />
+      <IconsWarning class="size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseInput :id="id" v-model.number="data" :name="id" type="number" />
diff --git a/src/app/components/Form/SwitchField.vue b/src/app/components/Form/SwitchField.vue
index 1824cbd8..43cc8d26 100644
--- a/src/app/components/Form/SwitchField.vue
+++ b/src/app/components/Form/SwitchField.vue
@@ -10,7 +10,7 @@
       v-if="overridden"
       text="This field is overridden by an environment variable"
     >
-      <IconsWarning class="ml-1 size-4 text-amber-500" />
+      <IconsWarning class="size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseSwitch :id="id" v-model="data" />
diff --git a/src/app/components/Form/TextField.vue b/src/app/components/Form/TextField.vue
index 8a226805..4f99dba4 100644
--- a/src/app/components/Form/TextField.vue
+++ b/src/app/components/Form/TextField.vue
@@ -10,7 +10,7 @@
       v-if="overridden"
       text="This field is overridden by an environment variable"
     >
-      <IconsWarning class="ml-1 size-4 text-amber-500" />
+      <IconsWarning class="size-4 text-amber-500" />
     </BaseTooltip>
   </div>
   <BaseInput
diff --git a/src/server/database/repositories/client/service.ts b/src/server/database/repositories/client/service.ts
index 97953cda..cff161b8 100644
--- a/src/server/database/repositories/client/service.ts
+++ b/src/server/database/repositories/client/service.ts
@@ -175,26 +175,30 @@ export class ClientService {
 
     return this.#db.transaction(async (tx) => {
       const clients = await tx.query.client.findMany().execute();
-      const clientInterface = await tx.query.wgInterface
+      const _clientInterface = await tx.query.wgInterface
         .findFirst({
           where: eq(wgInterface.name, 'wg0'),
         })
         .execute();
 
-      if (!clientInterface) {
+      if (!_clientInterface) {
         throw new Error('WireGuard interface not found');
       }
 
-      const clientConfig = await tx.query.userConfig
+      const clientInterface = applyInterfaceOverrides(_clientInterface);
+
+      const _clientConfig = await tx.query.userConfig
         .findFirst({
           where: eq(userConfig.id, clientInterface.name),
         })
         .execute();
 
-      if (!clientConfig) {
+      if (!_clientConfig) {
         throw new Error('WireGuard interface configuration not found');
       }
 
+      const clientConfig = applyUserConfigOverrides(_clientConfig);
+
       const ipv4Cidr = parseCidr(clientInterface.ipv4Cidr);
       const ipv4Address = nextIP(4, ipv4Cidr, clients);
       const ipv6Cidr = parseCidr(clientInterface.ipv6Cidr);
@@ -241,16 +245,18 @@ export class ClientService {
 
   update(id: ID, data: UpdateClientType) {
     return this.#db.transaction(async (tx) => {
-      const clientInterface = await tx.query.wgInterface
+      const _clientInterface = await tx.query.wgInterface
         .findFirst({
           where: eq(wgInterface.name, 'wg0'),
         })
         .execute();
 
-      if (!clientInterface) {
+      if (!_clientInterface) {
         throw new Error('WireGuard interface not found');
       }
 
+      const clientInterface = applyInterfaceOverrides(_clientInterface);
+
       if (!containsCidr(clientInterface.ipv4Cidr, data.ipv4Address)) {
         throw new Error('IPv4 address is not within the CIDR range');
       }
@@ -272,7 +278,8 @@ export class ClientService {
     privateKey,
     publicKey,
   }: ClientCreateFromExistingType) {
-    const clientConfig = await Database.userConfigs.get();
+    const _clientConfig = await Database.userConfigs.get();
+    const clientConfig = applyUserConfigOverrides(_clientConfig);
 
     return this.#db
       .insert(client)

From 432e7a81975dbd5b918ae4665a10896cdafdf2f2 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 17 Nov 2025 10:18:58 +0100
Subject: [PATCH 13/21] update migration guide

---
 docs/content/advanced/migrate/from-14-to-15.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/content/advanced/migrate/from-14-to-15.md b/docs/content/advanced/migrate/from-14-to-15.md
index c0e2bd16..6485eb40 100644
--- a/docs/content/advanced/migrate/from-14-to-15.md
+++ b/docs/content/advanced/migrate/from-14-to-15.md
@@ -51,7 +51,9 @@ In the setup wizard, select that you already have a configuration file and uploa
 
 ### Environment Variables
 
-v15 does not use the same environment variables as v14, most of them have been moved to the Admin Panel in the Web UI.
+v15 does use some of the environment variables as v14. View [Configuration Overrides](../config/optional-config.md#configuration-overrides) to see which environment variables are supported in v15.
+
+If you want to be able to change settings through the Web UI, do not set the corresponding environment variables, as they will override the database settings. Instead, manually change the settings through the Web UI after the migration.
 
 ### Done
 

From 7fbc1cef68ea9919479b66b924150a2f2005cfc6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 17 Nov 2025 09:34:01 +0000
Subject: [PATCH 14/21] Allow override vars to skip initial setup; split
 username/password from host/port in groups

- Modified initialSetup to use WG_* override vars as fallback for INIT_* vars
- Split group 1: USERNAME and PASSWORD remain in group 1
- Moved HOST and PORT to group 2 (can use WG_HOST and WG_CLIENT_PORT)
- DNS moved to group 3 (can use WG_DEFAULT_DNS)
- CIDR moved to group 4 (can use WG_IPV4_CIDR and WG_IPV6_CIDR)
- Allowed IPs moved to group 5 (can use WG_DEFAULT_ALLOWED_IPS)
- Updated documentation to explain override fallback behavior
- Setup can now be skipped with INIT_USERNAME, INIT_PASSWORD, and override vars

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 .../advanced/config/unattended-setup.md       | 31 +++++++++------
 src/server/database/sqlite.ts                 | 38 +++++++++++++------
 2 files changed, 46 insertions(+), 23 deletions(-)

diff --git a/docs/content/advanced/config/unattended-setup.md b/docs/content/advanced/config/unattended-setup.md
index b0444d93..46a86363 100644
--- a/docs/content/advanced/config/unattended-setup.md
+++ b/docs/content/advanced/config/unattended-setup.md
@@ -6,23 +6,30 @@ If you want to run the setup without any user interaction, e.g. with a tool like
 
 These will only be used during the first start of the container. After that, the setup will be disabled.
 
-| Env                | Example                      | Description                                               | Group |
-| ------------------ | ---------------------------- | --------------------------------------------------------- | ----- |
-| `INIT_ENABLED`     | `true`                       | Enables the below env vars                                | 0     |
-| `INIT_USERNAME`    | `admin`                      | Sets admin username                                       | 1     |
-| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                       | 1     |
-| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                              | 1     |
-| `INIT_PORT`        | `51820`                      | Port clients will connect to and wireguard will listen on | 1     |
-| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                                   | 2     |
-| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                            | 3     |
-| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                            | 3     |
-| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                                   | 4     |
+| Env                | Example                      | Description                  | Group |
+| ------------------ | ---------------------------- | ---------------------------- | ----- |
+| `INIT_ENABLED`     | `true`                       | Enables the below env vars   | 0     |
+| `INIT_USERNAME`    | `admin`                      | Sets admin username          | 1     |
+| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password          | 1     |
+| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to | 2     |
+| `INIT_PORT`        | `51820`                      | Port clients will connect to | 2     |
+| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting      | 3     |
+| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr               | 4     |
+| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr               | 4     |
+| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs      | 5     |
 
 /// warning | Variables have to be used together
 
 If variables are in the same group, you have to set all of them. For example, if you set `INIT_IPV4_CIDR`, you also have to set `INIT_IPV6_CIDR`.
 
-If you want to skip the setup process, you have to configure group `1`
+To skip the setup process, you must configure group `1` (username and password). Groups 2-5 can optionally use the corresponding `WG_*` override environment variables instead (see [Configuration Overrides](/advanced/config/optional-config#configuration-overrides)):
+
+- **Group 2 (Host & Port):** Can use `WG_HOST` and `WG_CLIENT_PORT` instead of `INIT_HOST` and `INIT_PORT`
+- **Group 3 (DNS):** Can use `WG_DEFAULT_DNS` instead of `INIT_DNS`
+- **Group 4 (CIDR):** Can use `WG_IPV4_CIDR` and `WG_IPV6_CIDR` instead of `INIT_IPV4_CIDR` and `INIT_IPV6_CIDR`
+- **Group 5 (Allowed IPs):** Can use `WG_DEFAULT_ALLOWED_IPS` instead of `INIT_ALLOWED_IPS`
+
+This allows you to skip the initial setup while using override variables for runtime configuration.
 ///
 
 /// note | Security
diff --git a/src/server/database/sqlite.ts b/src/server/database/sqlite.ts
index bae94133..47d8a73f 100644
--- a/src/server/database/sqlite.ts
+++ b/src/server/database/sqlite.ts
@@ -79,41 +79,57 @@ async function initialSetup(db: DBServiceType) {
     return;
   }
 
-  if (WG_INITIAL_ENV.IPV4_CIDR && WG_INITIAL_ENV.IPV6_CIDR) {
+  // Use INIT vars or fall back to override vars for CIDR
+  const ipv4Cidr = WG_INITIAL_ENV.IPV4_CIDR ?? WG_OVERRIDE_ENV.IPV4_CIDR;
+  const ipv6Cidr = WG_INITIAL_ENV.IPV6_CIDR ?? WG_OVERRIDE_ENV.IPV6_CIDR;
+  
+  if (ipv4Cidr && ipv6Cidr) {
     DB_DEBUG('Setting initial CIDR...');
     await db.interfaces.updateCidr({
-      ipv4Cidr: WG_INITIAL_ENV.IPV4_CIDR,
-      ipv6Cidr: WG_INITIAL_ENV.IPV6_CIDR,
+      ipv4Cidr,
+      ipv6Cidr,
     });
   }
 
-  if (WG_INITIAL_ENV.DNS) {
+  // Use INIT vars or fall back to override vars for DNS
+  const dns = WG_INITIAL_ENV.DNS ?? WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS;
+  
+  if (dns) {
     DB_DEBUG('Setting initial DNS...');
     await db.userConfigs.update({
-      defaultDns: WG_INITIAL_ENV.DNS,
+      defaultDns: dns,
     });
   }
 
-  if (WG_INITIAL_ENV.ALLOWED_IPS) {
+  // Use INIT vars or fall back to override vars for Allowed IPs
+  const allowedIps = WG_INITIAL_ENV.ALLOWED_IPS ?? WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS;
+  
+  if (allowedIps) {
     DB_DEBUG('Setting initial Allowed IPs...');
     await db.userConfigs.update({
-      defaultAllowedIps: WG_INITIAL_ENV.ALLOWED_IPS,
+      defaultAllowedIps: allowedIps,
     });
   }
 
+  // Use INIT vars or fall back to override vars for HOST and PORT
+  const host = WG_INITIAL_ENV.HOST ?? WG_CLIENT_OVERRIDE_ENV.HOST;
+  const port = WG_INITIAL_ENV.PORT ?? WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
+
+  // Setup completion requires USERNAME and PASSWORD (no overrides for these)
+  // HOST and PORT can come from either INIT vars or override vars
   if (
     WG_INITIAL_ENV.USERNAME &&
     WG_INITIAL_ENV.PASSWORD &&
-    WG_INITIAL_ENV.HOST &&
-    WG_INITIAL_ENV.PORT
+    host &&
+    port
   ) {
     DB_DEBUG('Creating initial user...');
     await db.users.create(WG_INITIAL_ENV.USERNAME, WG_INITIAL_ENV.PASSWORD);
 
     DB_DEBUG('Setting initial host and port...');
     await db.userConfigs.updateHostPort(
-      WG_INITIAL_ENV.HOST,
-      WG_INITIAL_ENV.PORT
+      host,
+      port
     );
 
     await db.general.setSetupStep(0);

From e5cdb2b57aed81bf8063e13f81ba7ca6d14e6223 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 17 Nov 2025 10:42:21 +0100
Subject: [PATCH 15/21] update docs

---
 docs/content/advanced/config/optional-config.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index ab9969f0..36cb6d54 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -72,6 +72,7 @@ When these override environment variables are set:
 - You can still update these fields through the Web UI and they will be saved to the database
 - However, the overridden values from environment variables will always take precedence at runtime
 - The Web UI will display the database values with warning indicators showing which fields are overridden
+- On first start, if no database values exist, some overridden values will be saved to the database
 
 Some overrides will not be applied to existing clients until they are manually edited.
 

From 516a3fa72cf74f32bffcea1f535c7125b2891dd9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 17 Nov 2025 09:49:53 +0000
Subject: [PATCH 16/21] Skip setup step 4 (host/port) when override vars are
 set

- Modified setup/2.post.ts to check for WG_HOST and WG_CLIENT_PORT overrides
- If both overrides are set, auto-populate host/port and mark setup as complete
- Updated setup/2.vue to check setup status after user creation and redirect appropriately
- Modified setup middleware to allow access to success page during setup
- Setup now completes after step 2 when host/port are provided via environment variables

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 src/app/pages/setup/2.vue      | 10 +++++++++-
 src/server/api/setup/2.post.ts | 15 ++++++++++++++-
 src/server/middleware/setup.ts |  7 ++++++-
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/src/app/pages/setup/2.vue b/src/app/pages/setup/2.vue
index 7c32e89c..d10f1d99 100644
--- a/src/app/pages/setup/2.vue
+++ b/src/app/pages/setup/2.vue
@@ -57,7 +57,15 @@ const _submit = useSubmit(
   {
     revert: async (success) => {
       if (success) {
-        await navigateTo('/setup/3');
+        // Check if setup is complete (host/port were auto-set from overrides)
+        const setupStatus = await $fetch('/api/general/setup');
+        if (setupStatus.done) {
+          // Setup is complete, redirect to success page
+          await navigateTo('/setup/success');
+        } else {
+          // Continue to step 3
+          await navigateTo('/setup/3');
+        }
       }
     },
     noSuccessToast: true,
diff --git a/src/server/api/setup/2.post.ts b/src/server/api/setup/2.post.ts
index 29c0c769..bfc195be 100644
--- a/src/server/api/setup/2.post.ts
+++ b/src/server/api/setup/2.post.ts
@@ -8,6 +8,19 @@ export default defineSetupEventHandler(2, async ({ event }) => {
 
   await Database.users.create(username, password);
 
-  await Database.general.setSetupStep(3);
+  // If host and port are overridden by environment variables, skip step 4
+  const host = WG_CLIENT_OVERRIDE_ENV.HOST;
+  const port = WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
+
+  if (host && port) {
+    // Set the host and port from override variables
+    await Database.userConfigs.updateHostPort(host, port);
+    // Skip to done
+    await Database.general.setSetupStep(0);
+  } else {
+    // Proceed to step 3 (which leads to step 4)
+    await Database.general.setSetupStep(3);
+  }
+
   return { success: true };
 });
diff --git a/src/server/middleware/setup.ts b/src/server/middleware/setup.ts
index c0db75b1..4cadf412 100644
--- a/src/server/middleware/setup.ts
+++ b/src/server/middleware/setup.ts
@@ -9,12 +9,17 @@ export default defineEventHandler(async (event) => {
 
   const { step, done } = await Database.general.getSetupStep();
   if (!done) {
-    const parsedSetup = url.pathname.match(/\/setup\/(\d)/);
+    const parsedSetup = url.pathname.match(/\/setup\/(\d|migrate|success)/);
     if (!parsedSetup) {
       return sendRedirect(event, `/setup/1`, 302);
     }
     const [_, currentSetup] = parsedSetup;
 
+    // Allow access to success page during setup
+    if (currentSetup === 'success') {
+      return;
+    }
+
     if (step.toString() === currentSetup) {
       return;
     }

From b29703af8614b32f874163b3d05aa457492a737d Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 17 Nov 2025 11:23:51 +0100
Subject: [PATCH 17/21] fix override and init option

---
 .../advanced/config/optional-config.md        |  5 +-
 .../advanced/config/unattended-setup.md       | 21 +++-----
 src/app/pages/setup/2.vue                     |  6 +--
 src/server/api/setup/2.post.ts                | 14 ++---
 src/server/database/sqlite.ts                 | 54 ++++++++-----------
 src/server/utils/config.ts                    | 16 +++---
 6 files changed, 50 insertions(+), 66 deletions(-)

diff --git a/docs/content/advanced/config/optional-config.md b/docs/content/advanced/config/optional-config.md
index 36cb6d54..8ffdc32f 100644
--- a/docs/content/advanced/config/optional-config.md
+++ b/docs/content/advanced/config/optional-config.md
@@ -84,7 +84,10 @@ Some overrides will not be applied to existing clients until they are manually e
 /// note | Note on Port Variables
 
 - `WG_PORT` - The port WireGuard listens on (interface port)
-- `WG_CLIENT_PORT` - The port clients connect to (endpoint port, usually same as `WG_PORT`)
+- `WG_CLIENT_PORT` - The port clients connect to (endpoint port, uses `WG_PORT` if not set)
 - `PORT` - The port the Web UI listens on (HTTP server port)
 
+In most cases you will only need to set `WG_PORT` to change the WireGuard port.
+Keep in mind that you have to adjust both sides of the port publish option in your docker setup.
+
 ///
diff --git a/docs/content/advanced/config/unattended-setup.md b/docs/content/advanced/config/unattended-setup.md
index 46a86363..fe05fc76 100644
--- a/docs/content/advanced/config/unattended-setup.md
+++ b/docs/content/advanced/config/unattended-setup.md
@@ -11,25 +11,20 @@ These will only be used during the first start of the container. After that, the
 | `INIT_ENABLED`     | `true`                       | Enables the below env vars   | 0     |
 | `INIT_USERNAME`    | `admin`                      | Sets admin username          | 1     |
 | `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password          | 1     |
-| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to | 2     |
-| `INIT_PORT`        | `51820`                      | Port clients will connect to | 2     |
-| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting      | 3     |
-| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr               | 4     |
-| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr               | 4     |
-| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs      | 5     |
+| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to | 1\*   |
+| `INIT_PORT`        | `51820`                      | Port clients will connect to | 1\*   |
+| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting      | 2     |
+| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr               | 3     |
+| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr               | 3     |
+| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs      | 4     |
 
 /// warning | Variables have to be used together
 
 If variables are in the same group, you have to set all of them. For example, if you set `INIT_IPV4_CIDR`, you also have to set `INIT_IPV6_CIDR`.
 
-To skip the setup process, you must configure group `1` (username and password). Groups 2-5 can optionally use the corresponding `WG_*` override environment variables instead (see [Configuration Overrides](/advanced/config/optional-config#configuration-overrides)):
+To skip the setup process, you must configure group `1`. You can alternatively use `WG_HOST` and `WG_PORT` to set the host and port without using the `INIT_` variables.
 
-- **Group 2 (Host & Port):** Can use `WG_HOST` and `WG_CLIENT_PORT` instead of `INIT_HOST` and `INIT_PORT`
-- **Group 3 (DNS):** Can use `WG_DEFAULT_DNS` instead of `INIT_DNS`
-- **Group 4 (CIDR):** Can use `WG_IPV4_CIDR` and `WG_IPV6_CIDR` instead of `INIT_IPV4_CIDR` and `INIT_IPV6_CIDR`
-- **Group 5 (Allowed IPs):** Can use `WG_DEFAULT_ALLOWED_IPS` instead of `INIT_ALLOWED_IPS`
-
-This allows you to skip the initial setup while using override variables for runtime configuration.
+Avoid setting both `INIT_` and `WG_` variables for the same setting to prevent confusion.
 ///
 
 /// note | Security
diff --git a/src/app/pages/setup/2.vue b/src/app/pages/setup/2.vue
index d10f1d99..5e5ca0db 100644
--- a/src/app/pages/setup/2.vue
+++ b/src/app/pages/setup/2.vue
@@ -55,11 +55,9 @@ const _submit = useSubmit(
     method: 'post',
   },
   {
-    revert: async (success) => {
+    revert: async (success, data) => {
       if (success) {
-        // Check if setup is complete (host/port were auto-set from overrides)
-        const setupStatus = await $fetch('/api/general/setup');
-        if (setupStatus.done) {
+        if (data?.setupDone) {
           // Setup is complete, redirect to success page
           await navigateTo('/setup/success');
         } else {
diff --git a/src/server/api/setup/2.post.ts b/src/server/api/setup/2.post.ts
index bfc195be..129f0a06 100644
--- a/src/server/api/setup/2.post.ts
+++ b/src/server/api/setup/2.post.ts
@@ -8,13 +8,13 @@ export default defineSetupEventHandler(2, async ({ event }) => {
 
   await Database.users.create(username, password);
 
-  // If host and port are overridden by environment variables, skip step 4
-  const host = WG_CLIENT_OVERRIDE_ENV.HOST;
-  const port = WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
+  // If host and port are already set by environment variables, skip step 4
+  const host = WG_INITIAL_ENV.HOST ?? WG_CLIENT_OVERRIDE_ENV.HOST;
+  const port = WG_INITIAL_ENV.PORT ?? WG_INTERFACE_OVERRIDE_ENV.PORT;
 
-  if (host && port) {
-    // Set the host and port from override variables
-    await Database.userConfigs.updateHostPort(host, port);
+  const setupDone = host && port;
+
+  if (setupDone) {
     // Skip to done
     await Database.general.setSetupStep(0);
   } else {
@@ -22,5 +22,5 @@ export default defineSetupEventHandler(2, async ({ event }) => {
     await Database.general.setSetupStep(3);
   }
 
-  return { success: true };
+  return { success: true, setupDone: setupDone };
 });
diff --git a/src/server/database/sqlite.ts b/src/server/database/sqlite.ts
index 47d8a73f..980d7eda 100644
--- a/src/server/database/sqlite.ts
+++ b/src/server/database/sqlite.ts
@@ -79,60 +79,48 @@ async function initialSetup(db: DBServiceType) {
     return;
   }
 
-  // Use INIT vars or fall back to override vars for CIDR
-  const ipv4Cidr = WG_INITIAL_ENV.IPV4_CIDR ?? WG_OVERRIDE_ENV.IPV4_CIDR;
-  const ipv6Cidr = WG_INITIAL_ENV.IPV6_CIDR ?? WG_OVERRIDE_ENV.IPV6_CIDR;
-  
-  if (ipv4Cidr && ipv6Cidr) {
+  if (WG_INITIAL_ENV.IPV4_CIDR && WG_INITIAL_ENV.IPV6_CIDR) {
     DB_DEBUG('Setting initial CIDR...');
     await db.interfaces.updateCidr({
-      ipv4Cidr,
-      ipv6Cidr,
+      ipv4Cidr: WG_INITIAL_ENV.IPV4_CIDR,
+      ipv6Cidr: WG_INITIAL_ENV.IPV6_CIDR,
     });
   }
 
-  // Use INIT vars or fall back to override vars for DNS
-  const dns = WG_INITIAL_ENV.DNS ?? WG_CLIENT_OVERRIDE_ENV.DEFAULT_DNS;
-  
-  if (dns) {
+  if (WG_INITIAL_ENV.DNS) {
     DB_DEBUG('Setting initial DNS...');
     await db.userConfigs.update({
-      defaultDns: dns,
+      defaultDns: WG_INITIAL_ENV.DNS,
     });
   }
 
-  // Use INIT vars or fall back to override vars for Allowed IPs
-  const allowedIps = WG_INITIAL_ENV.ALLOWED_IPS ?? WG_CLIENT_OVERRIDE_ENV.DEFAULT_ALLOWED_IPS;
-  
-  if (allowedIps) {
+  if (WG_INITIAL_ENV.ALLOWED_IPS) {
     DB_DEBUG('Setting initial Allowed IPs...');
     await db.userConfigs.update({
-      defaultAllowedIps: allowedIps,
+      defaultAllowedIps: WG_INITIAL_ENV.ALLOWED_IPS,
     });
   }
 
+  if (WG_INITIAL_ENV.USERNAME && WG_INITIAL_ENV.PASSWORD) {
+    DB_DEBUG('Creating initial user...');
+    await db.users.create(WG_INITIAL_ENV.USERNAME, WG_INITIAL_ENV.PASSWORD);
+
+    await db.general.setSetupStep(3);
+  }
+
   // Use INIT vars or fall back to override vars for HOST and PORT
   const host = WG_INITIAL_ENV.HOST ?? WG_CLIENT_OVERRIDE_ENV.HOST;
-  const port = WG_INITIAL_ENV.PORT ?? WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
+  const port = WG_INITIAL_ENV.PORT ?? WG_INTERFACE_OVERRIDE_ENV.PORT;
 
-  // Setup completion requires USERNAME and PASSWORD (no overrides for these)
   // HOST and PORT can come from either INIT vars or override vars
-  if (
-    WG_INITIAL_ENV.USERNAME &&
-    WG_INITIAL_ENV.PASSWORD &&
-    host &&
-    port
-  ) {
-    DB_DEBUG('Creating initial user...');
-    await db.users.create(WG_INITIAL_ENV.USERNAME, WG_INITIAL_ENV.PASSWORD);
-
+  if (host && port) {
     DB_DEBUG('Setting initial host and port...');
-    await db.userConfigs.updateHostPort(
-      host,
-      port
-    );
+    await db.userConfigs.updateHostPort(host, port);
 
-    await db.general.setSetupStep(0);
+    // Setup completion requires USERNAME and PASSWORD (no overrides for these)
+    if (WG_INITIAL_ENV.USERNAME && WG_INITIAL_ENV.PASSWORD) {
+      await db.general.setSetupStep(0);
+    }
   }
 }
 
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index 3f5081ae..0a8ddfb4 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -54,7 +54,7 @@ export const WG_INITIAL_ENV = {
     : undefined,
 };
 
-export const WG_OVERRIDE_ENV = {
+export const WG_INTERFACE_OVERRIDE_ENV = {
   /** Override the WireGuard interface port */
   PORT: process.env.WG_PORT
     ? Number.parseInt(process.env.WG_PORT, 10)
@@ -72,10 +72,10 @@ export const WG_OVERRIDE_ENV = {
 export const WG_CLIENT_OVERRIDE_ENV = {
   /** Override the client connection host */
   HOST: process.env.WG_HOST,
-  /** Override the client connection port (different from WG_PORT which is the interface port) */
+  /** Override the client connection port (falls back to Interface Port) */
   CLIENT_PORT: process.env.WG_CLIENT_PORT
     ? Number.parseInt(process.env.WG_CLIENT_PORT, 10)
-    : undefined,
+    : WG_INTERFACE_OVERRIDE_ENV.PORT,
   /** Override default client DNS servers */
   DEFAULT_DNS: process.env.WG_DEFAULT_DNS?.split(',').map((x) => x.trim()),
   /** Override default client allowed IPs */
@@ -150,11 +150,11 @@ export function applyInterfaceOverrides<
 >(wgInterface: T): T {
   return {
     ...wgInterface,
-    port: WG_OVERRIDE_ENV.PORT ?? wgInterface.port,
-    device: WG_OVERRIDE_ENV.DEVICE ?? wgInterface.device,
-    mtu: WG_OVERRIDE_ENV.MTU ?? wgInterface.mtu,
-    ipv4Cidr: WG_OVERRIDE_ENV.IPV4_CIDR ?? wgInterface.ipv4Cidr,
-    ipv6Cidr: WG_OVERRIDE_ENV.IPV6_CIDR ?? wgInterface.ipv6Cidr,
+    port: WG_INTERFACE_OVERRIDE_ENV.PORT ?? wgInterface.port,
+    device: WG_INTERFACE_OVERRIDE_ENV.DEVICE ?? wgInterface.device,
+    mtu: WG_INTERFACE_OVERRIDE_ENV.MTU ?? wgInterface.mtu,
+    ipv4Cidr: WG_INTERFACE_OVERRIDE_ENV.IPV4_CIDR ?? wgInterface.ipv4Cidr,
+    ipv6Cidr: WG_INTERFACE_OVERRIDE_ENV.IPV6_CIDR ?? wgInterface.ipv6Cidr,
   };
 }
 

From 3a52e1321b45884c52a178f98f4a462ed9abc480 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 17 Nov 2025 11:26:28 +0100
Subject: [PATCH 18/21] fix description

---
 .../advanced/config/unattended-setup.md       | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/docs/content/advanced/config/unattended-setup.md b/docs/content/advanced/config/unattended-setup.md
index fe05fc76..af76940d 100644
--- a/docs/content/advanced/config/unattended-setup.md
+++ b/docs/content/advanced/config/unattended-setup.md
@@ -6,17 +6,17 @@ If you want to run the setup without any user interaction, e.g. with a tool like
 
 These will only be used during the first start of the container. After that, the setup will be disabled.
 
-| Env                | Example                      | Description                  | Group |
-| ------------------ | ---------------------------- | ---------------------------- | ----- |
-| `INIT_ENABLED`     | `true`                       | Enables the below env vars   | 0     |
-| `INIT_USERNAME`    | `admin`                      | Sets admin username          | 1     |
-| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password          | 1     |
-| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to | 1\*   |
-| `INIT_PORT`        | `51820`                      | Port clients will connect to | 1\*   |
-| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting      | 2     |
-| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr               | 3     |
-| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr               | 3     |
-| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs      | 4     |
+| Env                | Example                      | Description                                               | Group |
+| ------------------ | ---------------------------- | --------------------------------------------------------- | ----- |
+| `INIT_ENABLED`     | `true`                       | Enables the below env vars                                | 0     |
+| `INIT_USERNAME`    | `admin`                      | Sets admin username                                       | 1     |
+| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                       | 1     |
+| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                              | 1\*   |
+| `INIT_PORT`        | `51820`                      | Port clients will connect to and WireGuard will listen on | 1\*   |
+| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                                   | 2     |
+| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                            | 3     |
+| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                            | 3     |
+| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                                   | 4     |
 
 /// warning | Variables have to be used together
 

From e192855280a5f95173661c16cf7cfa8c046a9145 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:31:11 +0000
Subject: [PATCH 19/21] Fix discrepancies: use WG_CLIENT_PORT instead of
 WG_PORT for setup fallback

- Fixed setup/2.post.ts to use WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT instead of WG_INTERFACE_OVERRIDE_ENV.PORT
- Fixed sqlite.ts initialSetup to use WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT for consistency
- Corrected unattended-setup.md documentation:
  - Changed INIT_HOST and INIT_PORT from group "1*" to group "2"
  - Clarified INIT_PORT description as "Port clients will connect to (endpoint port)"
  - Updated group numbers: DNS is group 3, CIDR is group 4, Allowed IPs is group 5
  - Fixed warning text: setup requires groups 1 and 2, and use WG_CLIENT_PORT (not WG_PORT)
- Ensures consistency between code behavior and documentation

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 .../advanced/config/unattended-setup.md       | 24 +++++++++----------
 src/server/api/setup/2.post.ts                |  2 +-
 src/server/database/sqlite.ts                 |  2 +-
 3 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/docs/content/advanced/config/unattended-setup.md b/docs/content/advanced/config/unattended-setup.md
index af76940d..bf974678 100644
--- a/docs/content/advanced/config/unattended-setup.md
+++ b/docs/content/advanced/config/unattended-setup.md
@@ -6,23 +6,23 @@ If you want to run the setup without any user interaction, e.g. with a tool like
 
 These will only be used during the first start of the container. After that, the setup will be disabled.
 
-| Env                | Example                      | Description                                               | Group |
-| ------------------ | ---------------------------- | --------------------------------------------------------- | ----- |
-| `INIT_ENABLED`     | `true`                       | Enables the below env vars                                | 0     |
-| `INIT_USERNAME`    | `admin`                      | Sets admin username                                       | 1     |
-| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                       | 1     |
-| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                              | 1\*   |
-| `INIT_PORT`        | `51820`                      | Port clients will connect to and WireGuard will listen on | 1\*   |
-| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                                   | 2     |
-| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                            | 3     |
-| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                            | 3     |
-| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                                   | 4     |
+| Env                | Example                      | Description                                        | Group |
+| ------------------ | ---------------------------- | -------------------------------------------------- | ----- |
+| `INIT_ENABLED`     | `true`                       | Enables the below env vars                         | 0     |
+| `INIT_USERNAME`    | `admin`                      | Sets admin username                                | 1     |
+| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                | 1     |
+| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                       | 2     |
+| `INIT_PORT`        | `51820`                      | Port clients will connect to (endpoint port)       | 2     |
+| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                            | 3     |
+| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                     | 4     |
+| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                     | 4     |
+| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                            | 5     |
 
 /// warning | Variables have to be used together
 
 If variables are in the same group, you have to set all of them. For example, if you set `INIT_IPV4_CIDR`, you also have to set `INIT_IPV6_CIDR`.
 
-To skip the setup process, you must configure group `1`. You can alternatively use `WG_HOST` and `WG_PORT` to set the host and port without using the `INIT_` variables.
+To skip the setup process, you must configure groups `1` and `2`. You can alternatively use `WG_HOST` and `WG_CLIENT_PORT` to set the host and port without using the `INIT_` variables.
 
 Avoid setting both `INIT_` and `WG_` variables for the same setting to prevent confusion.
 ///
diff --git a/src/server/api/setup/2.post.ts b/src/server/api/setup/2.post.ts
index 129f0a06..fba91cc5 100644
--- a/src/server/api/setup/2.post.ts
+++ b/src/server/api/setup/2.post.ts
@@ -10,7 +10,7 @@ export default defineSetupEventHandler(2, async ({ event }) => {
 
   // If host and port are already set by environment variables, skip step 4
   const host = WG_INITIAL_ENV.HOST ?? WG_CLIENT_OVERRIDE_ENV.HOST;
-  const port = WG_INITIAL_ENV.PORT ?? WG_INTERFACE_OVERRIDE_ENV.PORT;
+  const port = WG_INITIAL_ENV.PORT ?? WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
 
   const setupDone = host && port;
 
diff --git a/src/server/database/sqlite.ts b/src/server/database/sqlite.ts
index 980d7eda..2207ef31 100644
--- a/src/server/database/sqlite.ts
+++ b/src/server/database/sqlite.ts
@@ -110,7 +110,7 @@ async function initialSetup(db: DBServiceType) {
 
   // Use INIT vars or fall back to override vars for HOST and PORT
   const host = WG_INITIAL_ENV.HOST ?? WG_CLIENT_OVERRIDE_ENV.HOST;
-  const port = WG_INITIAL_ENV.PORT ?? WG_INTERFACE_OVERRIDE_ENV.PORT;
+  const port = WG_INITIAL_ENV.PORT ?? WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
 
   // HOST and PORT can come from either INIT vars or override vars
   if (host && port) {

From 8b5e6c4c7a870f434a92836af1c80de9774a0e31 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 17 Nov 2025 10:39:51 +0000
Subject: [PATCH 20/21] Use WG_PORT instead of WG_CLIENT_PORT for INIT_PORT
 fallback to match original behavior

- Changed setup/2.post.ts to use WG_INTERFACE_OVERRIDE_ENV.PORT instead of WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT
- Changed sqlite.ts initialSetup to use WG_INTERFACE_OVERRIDE_ENV.PORT for consistency
- Updated unattended-setup.md documentation:
  - Changed INIT_PORT description to clarify it sets both interface port and endpoint port
  - Updated warning text to reference WG_PORT (not WG_CLIENT_PORT) as the override fallback
- This matches the original INIT_PORT behavior where updateHostPort() sets both ports to the same value

Co-authored-by: kaaax0815 <32197462+kaaax0815@users.noreply.github.com>
---
 docs/content/advanced/config/unattended-setup.md | 4 ++--
 src/server/api/setup/2.post.ts                   | 2 +-
 src/server/database/sqlite.ts                    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/content/advanced/config/unattended-setup.md b/docs/content/advanced/config/unattended-setup.md
index bf974678..8f2ccf7d 100644
--- a/docs/content/advanced/config/unattended-setup.md
+++ b/docs/content/advanced/config/unattended-setup.md
@@ -12,7 +12,7 @@ These will only be used during the first start of the container. After that, the
 | `INIT_USERNAME`    | `admin`                      | Sets admin username                                | 1     |
 | `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                | 1     |
 | `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                       | 2     |
-| `INIT_PORT`        | `51820`                      | Port clients will connect to (endpoint port)       | 2     |
+| `INIT_PORT`        | `51820`                      | Port (sets both interface port and endpoint port)  | 2     |
 | `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                            | 3     |
 | `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                     | 4     |
 | `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                     | 4     |
@@ -22,7 +22,7 @@ These will only be used during the first start of the container. After that, the
 
 If variables are in the same group, you have to set all of them. For example, if you set `INIT_IPV4_CIDR`, you also have to set `INIT_IPV6_CIDR`.
 
-To skip the setup process, you must configure groups `1` and `2`. You can alternatively use `WG_HOST` and `WG_CLIENT_PORT` to set the host and port without using the `INIT_` variables.
+To skip the setup process, you must configure groups `1` and `2`. You can alternatively use `WG_HOST` and `WG_PORT` to set the host and port without using the `INIT_` variables.
 
 Avoid setting both `INIT_` and `WG_` variables for the same setting to prevent confusion.
 ///
diff --git a/src/server/api/setup/2.post.ts b/src/server/api/setup/2.post.ts
index fba91cc5..129f0a06 100644
--- a/src/server/api/setup/2.post.ts
+++ b/src/server/api/setup/2.post.ts
@@ -10,7 +10,7 @@ export default defineSetupEventHandler(2, async ({ event }) => {
 
   // If host and port are already set by environment variables, skip step 4
   const host = WG_INITIAL_ENV.HOST ?? WG_CLIENT_OVERRIDE_ENV.HOST;
-  const port = WG_INITIAL_ENV.PORT ?? WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
+  const port = WG_INITIAL_ENV.PORT ?? WG_INTERFACE_OVERRIDE_ENV.PORT;
 
   const setupDone = host && port;
 
diff --git a/src/server/database/sqlite.ts b/src/server/database/sqlite.ts
index 2207ef31..980d7eda 100644
--- a/src/server/database/sqlite.ts
+++ b/src/server/database/sqlite.ts
@@ -110,7 +110,7 @@ async function initialSetup(db: DBServiceType) {
 
   // Use INIT vars or fall back to override vars for HOST and PORT
   const host = WG_INITIAL_ENV.HOST ?? WG_CLIENT_OVERRIDE_ENV.HOST;
-  const port = WG_INITIAL_ENV.PORT ?? WG_CLIENT_OVERRIDE_ENV.CLIENT_PORT;
+  const port = WG_INITIAL_ENV.PORT ?? WG_INTERFACE_OVERRIDE_ENV.PORT;
 
   // HOST and PORT can come from either INIT vars or override vars
   if (host && port) {

From da61cb680f8cd767d6283511ab7b1f0e53b089d8 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Mon, 17 Nov 2025 11:44:21 +0100
Subject: [PATCH 21/21] fix docs

---
 .../advanced/config/unattended-setup.md       | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/docs/content/advanced/config/unattended-setup.md b/docs/content/advanced/config/unattended-setup.md
index 8f2ccf7d..b70a2dc0 100644
--- a/docs/content/advanced/config/unattended-setup.md
+++ b/docs/content/advanced/config/unattended-setup.md
@@ -6,23 +6,23 @@ If you want to run the setup without any user interaction, e.g. with a tool like
 
 These will only be used during the first start of the container. After that, the setup will be disabled.
 
-| Env                | Example                      | Description                                        | Group |
-| ------------------ | ---------------------------- | -------------------------------------------------- | ----- |
-| `INIT_ENABLED`     | `true`                       | Enables the below env vars                         | 0     |
-| `INIT_USERNAME`    | `admin`                      | Sets admin username                                | 1     |
-| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                | 1     |
-| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                       | 2     |
-| `INIT_PORT`        | `51820`                      | Port (sets both interface port and endpoint port)  | 2     |
-| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                            | 3     |
-| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                     | 4     |
-| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                     | 4     |
-| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                            | 5     |
+| Env                | Example                      | Description                                               | Group |
+| ------------------ | ---------------------------- | --------------------------------------------------------- | ----- |
+| `INIT_ENABLED`     | `true`                       | Enables the below env vars                                | 0     |
+| `INIT_USERNAME`    | `admin`                      | Sets admin username                                       | 1     |
+| `INIT_PASSWORD`    | `Se!ureP%ssw`                | Sets admin password                                       | 1     |
+| `INIT_HOST`        | `vpn.example.com`            | Host clients will connect to                              | 2     |
+| `INIT_PORT`        | `51820`                      | Port clients will connect to and WireGuard will listen on | 2     |
+| `INIT_DNS`         | `1.1.1.1,8.8.8.8`            | Sets global dns setting                                   | 3     |
+| `INIT_IPV4_CIDR`   | `10.8.0.0/24`                | Sets IPv4 cidr                                            | 4     |
+| `INIT_IPV6_CIDR`   | `2001:0DB8::/32`             | Sets IPv6 cidr                                            | 4     |
+| `INIT_ALLOWED_IPS` | `10.8.0.0/24,2001:0DB8::/32` | Sets global Allowed IPs                                   | 5     |
 
 /// warning | Variables have to be used together
 
 If variables are in the same group, you have to set all of them. For example, if you set `INIT_IPV4_CIDR`, you also have to set `INIT_IPV6_CIDR`.
 
-To skip the setup process, you must configure groups `1` and `2`. You can alternatively use `WG_HOST` and `WG_PORT` to set the host and port without using the `INIT_` variables.
+To skip the setup process, you must configure groups `1` and `2`. You can alternatively use `WG_HOST` and `WG_PORT` to set group `2` without using the `INIT_` variables.
 
 Avoid setting both `INIT_` and `WG_` variables for the same setting to prevent confusion.
 ///