From 1db8f2c70bfb84c51bec47d8aa30320bbf43c970 Mon Sep 17 00:00:00 2001
From: Tobias Leuschner
Date: Sat, 9 May 2026 12:25:46 +0200
Subject: [PATCH] =?UTF-8?q?feat:=20Hotspot-Routing-Regeln=20auf=20lokale?= =?UTF-8?q?=20Subnetze=20umgestellt=20und=20Versionsnummer=20auf=201.0.29?= =?UTF-8?q?=20erh=C3=B6ht?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app.py | 70 ++++++++++++++++++++++++++++++++++++++++-------------
 version.txt | 2 +-
 2 files changed, 54 insertions(+), 18 deletions(-)
diff --git a/app.py b/app.py
index 5e5f188..82b7d7b 100644
--- a/app.py
+++ b/app.py
@@ -327,25 +327,61 @@ def wg_update_state(): error=None, has_config=has_conf) -_AP_SUBNET = '10.42.0.0/24' # NetworkManager Hotspot-Standard +import ipaddress as _ipaddress + +_wg_managed_subnets: list = [] # beim Connect gemerkte Subnetze für sauberes Cleanup -def _wg_add_hotspot_routes(): - """Hotspot-Subnet vom WireGuard-Tunnel ausschließen (höhere Priorität als wg-quick-Regeln).""" - subprocess.run(['ip', 'rule', 'add', 'from', _AP_SUBNET, - 'table', 'main', 'priority', '100'], capture_output=True) - subprocess.run(['ip', 'rule', 'add', 'to', _AP_SUBNET, - 'table', 'main', 'priority', '101'], capture_output=True) - log.info('Hotspot-Routing-Regeln gesetzt (Prio 100/101)') +def _local_subnets() -> list: + """Alle direkt verbundenen IPv4-Subnetze außer WireGuard-Interface und Loopback.""" + r = subprocess.run(['ip', '-4', 'route', 'show', 'table', 'main'], + capture_output=True, text=True) + seen, result = set(), [] + for line in r.stdout.splitlines(): + parts = line.split() + if not parts or parts[0] in ('default', 'unreachable', 'prohibit'): + continue + if 'dev' not in parts: + continue + dev = parts[parts.index('dev') + 1] + if dev == WG_IFACE: + continue + try: + net = str(_ipaddress.IPv4Network(parts[0], strict=False)) + if net not in seen and not _ipaddress.IPv4Network(net).is_loopback: + seen.add(net) + result.append(net) + except ValueError: + pass + return result -def _wg_remove_hotspot_routes(): - """Hotspot-Routing-Regeln wieder entfernen.""" - subprocess.run(['ip', 'rule', 'del', 'from', _AP_SUBNET, - 'table', 'main', 'priority', '100'], capture_output=True) - subprocess.run(['ip', 'rule', 'del', 'to', _AP_SUBNET, - 'table', 'main', 'priority', '101'], capture_output=True) - log.info('Hotspot-Routing-Regeln entfernt') +def _wg_add_local_routes(): + """Alle lokalen Subnetze (Hotspot, WLAN, LAN) vom VPN-Tunnel ausschließen.""" + global _wg_managed_subnets + _wg_managed_subnets = _local_subnets() + for i, subnet in enumerate(_wg_managed_subnets): + 
prio_from = 100 + i * 2 + prio_to = 101 + i * 2 + subprocess.run(['ip', 'rule', 'add', 'from', subnet, + 'table', 'main', 'priority', str(prio_from)], capture_output=True) + subprocess.run(['ip', 'rule', 'add', 'to', subnet, + 'table', 'main', 'priority', str(prio_to)], capture_output=True) + log.info(f'Lokale Routing-Regeln gesetzt: {_wg_managed_subnets}') + + +def _wg_remove_local_routes(): + """Routing-Regeln wieder entfernen.""" + global _wg_managed_subnets + for i, subnet in enumerate(_wg_managed_subnets): + prio_from = 100 + i * 2 + prio_to = 101 + i * 2 + subprocess.run(['ip', 'rule', 'del', 'from', subnet, + 'table', 'main', 'priority', str(prio_from)], capture_output=True) + subprocess.run(['ip', 'rule', 'del', 'to', subnet, + 'table', 'main', 'priority', str(prio_to)], capture_output=True) + log.info(f'Lokale Routing-Regeln entfernt: {_wg_managed_subnets}') + _wg_managed_subnets = [] def wg_connect(): @@ -357,7 +393,7 @@ def wg_connect(): capture_output=True, text=True, timeout=30) if r.returncode == 0: time.sleep(1) - _wg_add_hotspot_routes() + _wg_add_local_routes() wg_update_state() log.info('WireGuard verbunden') return True @@ -374,7 +410,7 @@ def wg_connect(): def wg_disconnect(): - _wg_remove_hotspot_routes() + _wg_remove_local_routes() r = subprocess.run(['wg-quick', 'down', WG_IFACE], capture_output=True, text=True, timeout=15) with wg_lock: diff --git a/version.txt b/version.txt index f8536a4..fa7e3ca 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -1.0.28 \ No newline at end of file +1.0.29 \ No newline at end of file
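Review bot: In app.py, `_local_subnets()` takes every prefix in the main table whose `dev` is not `WG_IFACE`, although its docstring promises only directly connected subnets; nothing filters on `via`, `proto` or `scope`, so a static route, a route learned from DHCP on an untrusted network, or another tunnel's prefix also receives `from`/`to` rules at priority 100+ and is excluded from the VPN. Restrict the query to kernel-created link routes, for example `['ip', '-4', 'route', 'show', 'table', 'main', 'proto', 'kernel', 'scope', 'link']`, and extend the existing `is_loopback` test with `is_private` if only RFC 1918 networks are expected. Cleanup is a second gap: `_wg_remove_local_routes()` deletes only what the in-memory `_wg_managed_subnets` remembers, so after a process restart, or if the tunnel was brought down outside `wg_disconnect()`, older bypass rules presumably stay installed; cleaning those up would need the list persisted or the rules enumerated from `ip rule show`. The `ip rule add` results are discarded as well, so `Lokale Routing-Regeln gesetzt` is logged even when no rule was installed; logging `returncode` and `stderr` on failure would make that visible.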