fix(wireguard): allocate client IPs in the existing peer subnet

defaultWireguardClients always allocated new tunnel addresses from the
hardcoded 10.0.0.0/24 base, so a legacy or migrated inbound whose peers
live in a different subnet (e.g. 172.16.0.0/24) got new clients in an
unrelated, unroutable range. Derive the allocation base from the existing
peers' /24 and fall back to 10.0.0.0/24 only when there are none.

internal/web/service/client_wireguard.go

@@ -33,6 +33,19 @@ func wireguardHostAddr(s string) netip.Addr {
 	return netip.Addr{}
 }
 
+func wireguardAllocationBase(used []string, fallback string) string {
+	for _, u := range used {
+		a := wireguardHostAddr(u)
+		if !a.IsValid() || !a.Is4() || a.IsUnspecified() {
+			continue
+		}
+		if p, err := a.Prefix(24); err == nil {
+			return p.String()
+		}
+	}
+	return fallback
+}
+
 // allocateWireguardAddress returns the first free /32 host address in base that
 // is not already present in used. The server holds the first host (.1), so
 // allocation starts at the second host (.2).
@@ -71,6 +84,7 @@ func defaultWireguardClients(existing, clients []model.Client, interfaceClients
 	for i := range existing {
 		used = append(used, existing[i].AllowedIPs...)
 	}
+	base := wireguardAllocationBase(used, defaultWireguardBase)
 	for i := range clients {
 		c := &clients[i]
 		if c.PrivateKey == "" && c.PublicKey == "" {
@@ -88,7 +102,7 @@ func defaultWireguardClients(existing, clients []model.Client, interfaceClients
 			c.PublicKey = pub
 		}
 		if len(c.AllowedIPs) == 0 {
-			addr, err := allocateWireguardAddress(used, defaultWireguardBase)
+			addr, err := allocateWireguardAddress(used, base)
 			if err != nil {
 				return err
 			}

internal/web/service/client_wireguard_test.go

@@ -98,6 +98,38 @@ func TestDefaultWireguardClientsPreservesProvided(t *testing.T) {
 	}
 }
 
+func TestWireguardAllocationBase(t *testing.T) {
+	tests := []struct {
+		name     string
+		used     []string
+		fallback string
+		want     string
+	}{
+		{name: "no peers uses fallback", used: nil, fallback: "10.0.0.0/24", want: "10.0.0.0/24"},
+		{name: "derives subnet from existing peer", used: []string{"172.16.0.2/32"}, fallback: "10.0.0.0/24", want: "172.16.0.0/24"},
+		{name: "skips catch-all and ipv6", used: []string{"0.0.0.0/0", "::/0", "fd00::2/128", "192.168.5.7/32"}, fallback: "10.0.0.0/24", want: "192.168.5.0/24"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := wireguardAllocationBase(tt.used, tt.fallback); got != tt.want {
+				t.Fatalf("got %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestDefaultWireguardClientsHonorsExistingSubnet(t *testing.T) {
+	existing := []model.Client{{Email: "old@wg", AllowedIPs: []string{"172.16.0.2/32"}}}
+	clients := []model.Client{{Email: "new@wg"}}
+	ifaces := []any{map[string]any{"email": "new@wg"}}
+	if err := defaultWireguardClients(existing, clients, ifaces); err != nil {
+		t.Fatalf("defaultWireguardClients: %v", err)
+	}
+	if got := clients[0].AllowedIPs[0]; got != "172.16.0.3/32" {
+		t.Fatalf("new client address = %q, want 172.16.0.3/32 in existing subnet", got)
+	}
+}
+
 func TestDefaultWireguardClientsAllocatesDistinctIPs(t *testing.T) {
 	clients := []model.Client{{Email: "x@wg"}, {Email: "y@wg"}}
 	ifaces := []any{map[string]any{"email": "x@wg"}, map[string]any{"email": "y@wg"}}