feat: VPS WireGuard gateway auto-configuration (ph4)

- uci-defaults: WG keygen, vps_gateway interface+zone+forwarding
- heartbeat: sends wg_public_key, parses VPS config, calls vps-setup
- parahub-vps-setup: new script for auto-configuring VPS tunnel with
  OTA bootstrap support and idempotent state tracking
- parahub-mullvad: setup disables vps_gateway, remove re-enables it
  (fixes bug referencing non-existent vpn_tunnel interface)
- parahub-gw-check: works with both vps_gateway and mullvad_local
- sysupgrade.conf: preserves WG VPS keys across upgrades
- build.sh: bump PARAHUB_BUILD to 4

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

files/etc/uci-defaults/99-parahub-mesh

@@ -81,6 +81,15 @@ echo -e "${ROOT_PASSWORD}\n${ROOT_PASSWORD}" | passwd root >/dev/null 2>&1
 # Ensure dropbear directory has strict permissions (required for key auth)
 chmod 700 /etc/dropbear
 
+# Generate WireGuard keypair for VPS gateway (Bumblebee only)
+if [ "$ROLE" != "bee" ]; then
+    if [ ! -f /etc/parahub/wg_vps_private.key ]; then
+        umask 077
+        wg genkey > /etc/parahub/wg_vps_private.key
+        wg pubkey < /etc/parahub/wg_vps_private.key > /etc/parahub/wg_vps_public.key
+    fi
+fi
+
 # ============================================================================
 # 4. NETWORK CONFIGURATION
 # ============================================================================
@@ -229,7 +238,15 @@ set network.wan=interface
 set network.wan.device='${WAN_DEV}'
 set network.wan.proto='dhcp'
 
-# --- Policy routing: guest traffic → Mullvad table 100 ---
+# --- VPS gateway WireGuard (disabled until heartbeat activates it) ---
+set network.vps_gateway=interface
+set network.vps_gateway.proto='wireguard'
+set network.vps_gateway.private_key_file='/etc/parahub/wg_vps_private.key'
+set network.vps_gateway.mtu='1420'
+set network.vps_gateway.ip4table='100'
+set network.vps_gateway.auto='0'
+
+# --- Policy routing: guest traffic → table 100 ---
 add network rule
 set network.@rule[-1].src='${GUEST_SUBNET}/24'
 set network.@rule[-1].lookup='100'
@@ -476,9 +493,20 @@ add firewall forwarding
 set firewall.@forwarding[-1].src='lan'
 set firewall.@forwarding[-1].dest='wan'
 
-# NOTE: guest → mullvad_local forwarding is added by parahub-mullvad setup.
-# Without Mullvad configured, guests have NO internet (kill switch by design).
-# parahub-gw-check monitors Mullvad and sets gw_mode accordingly.
+# --- Zone: vps_gateway (default VPN exit for guests, activated by heartbeat) ---
+add firewall zone
+set firewall.@zone[-1].name='vps_gateway'
+set firewall.@zone[-1].input='REJECT'
+set firewall.@zone[-1].output='ACCEPT'
+set firewall.@zone[-1].forward='REJECT'
+set firewall.@zone[-1].masq='1'
+set firewall.@zone[-1].mtu_fix='1'
+add_list firewall.@zone[-1].network='vps_gateway'
+
+# --- Forwarding: guest → vps_gateway (active once heartbeat enables interface) ---
+add firewall forwarding
+set firewall.@forwarding[-1].src='guest'
+set firewall.@forwarding[-1].dest='vps_gateway'
 
 # --- Rule: guest DHCP (allow guests to get IP) ---
 add firewall rule
@@ -773,6 +801,7 @@ fi
 chmod +x /usr/bin/parahub-heartbeat
 chmod +x /usr/bin/parahub-autoupdate
 chmod +x /usr/bin/parahub-gw-check
+chmod +x /usr/bin/parahub-vps-setup
 
 # Cron: heartbeat every 5 min, gateway health check every 2 min, OTA nightly
 echo "*/5 * * * * /usr/bin/parahub-heartbeat" >> /etc/crontabs/root
@@ -797,10 +826,10 @@ else
     logger -t parahub-mesh "Guest: ${PUBLIC_SSID} @ ${GUEST_IP}/24"
     logger -t parahub-mesh "Mesh ID: ${MESH_ID}"
     logger -t parahub-mesh "Yggdrasil: ${YGG_ADDR}"
-    logger -t parahub-mesh "Guest internet: via local Mullvad (parahub-mullvad setup required)"
-    logger -t parahub-mesh "Kill switch: guest blocked without Mullvad (by design)"
+    logger -t parahub-mesh "Guest internet: VPS gateway (auto-configured via heartbeat)"
+    logger -t parahub-mesh "Optional: parahub-mullvad setup for lower latency"
     logger -t parahub-mesh "Guest IPv6: Yggdrasil SLAAC (full speed, firewall restricted)"
-    logger -t parahub-mesh "bat0 gw_mode: client (promoted to server by gw-check when Mullvad active)"
+    logger -t parahub-mesh "bat0 gw_mode: client (promoted to server by gw-check when WireGuard active)"
 fi
 
 exit 0