OpenWrt's WireGuard proto handler doesn't support private_key_file —
it auto-generates a new key, causing mismatch with the heartbeat pubkey.
Read key from file and set as inline private_key instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- uci-defaults: WG keygen, vps_gateway interface+zone+forwarding
- heartbeat: sends wg_public_key, parses VPS config, calls vps-setup
- parahub-vps-setup: new script for auto-configuring VPS tunnel with
OTA bootstrap support and idempotent state tracking
- parahub-mullvad: setup disables vps_gateway, remove re-enables it
(fixes bug referencing non-existent vpn_tunnel interface)
- parahub-gw-check: works with both vps_gateway and mullvad_local
- sysupgrade.conf: preserves WG VPS keys across upgrades
- build.sh: bump PARAHUB_BUILD to 4
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
