Fix removeAllowedIP (#1913)

Current implementation of removeAllowedIP recreates the wg iface,
killing all open ports and connections. This is due to that "lines" is
the complete output of `get` from wg-usp and not the specific interface
which changes should be applied to.

iface/wg_configurer_usp.go

@@ -132,7 +132,13 @@ func (c *wgUSPConfigurer) removeAllowedIP(peerKey string, ip string) error {
 
 	lines := strings.Split(ipc, "\n")
 
-	output := ""
+	peer := wgtypes.PeerConfig{
+		PublicKey:         peerKeyParsed,
+		UpdateOnly:        true,
+		ReplaceAllowedIPs: true,
+		AllowedIPs:        []net.IPNet{},
+	}
+
 	foundPeer := false
 	removedAllowedIP := false
 	for _, line := range lines {
@@ -156,19 +162,23 @@ func (c *wgUSPConfigurer) removeAllowedIP(peerKey string, ip string) error {
 		}
 
 		// Append the line to the output string
-		if strings.HasPrefix(line, "private_key=") || strings.HasPrefix(line, "listen_port=") ||
+		if foundPeer && strings.HasPrefix(line, "allowed_ip=") {
-			strings.HasPrefix(line, "public_key=") || strings.HasPrefix(line, "preshared_key=") ||
+			allowedIP := strings.TrimPrefix(line, "allowed_ip=")
-			strings.HasPrefix(line, "endpoint=") || strings.HasPrefix(line, "persistent_keepalive_interval=") ||
+			_, ipNet, err := net.ParseCIDR(allowedIP)
-			strings.HasPrefix(line, "allowed_ip=") {
+			if err != nil {
-			output += line + "\n"
+				return err
+			}
+			peer.AllowedIPs = append(peer.AllowedIPs, *ipNet)
 		}
 	}
 
 	if !removedAllowedIP {
 		return fmt.Errorf("allowedIP not found")
-	} else {
-		return c.device.IpcSet(output)
 	}
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
 // startUAPI starts the UAPI listener for managing the WireGuard interface via external tool