[fix] Ensure VpnClient.post_delete fires on VPN template removal openwisp#1221

Replaced QuerySet.delete() with per-instance deletion in all three
locations where VpnClient objects are bulk-deleted so that post_delete
signals fire for every instance, ensuring:
- VPN peer cache is invalidated on the affected VPN server
- Client certificates are revoked (OpenVPN, auto_cert=True)
- IP addresses are released (Wireguard)

Also fixed the serializers.py cleanup logic: vpn_list was built from
the old templates so .exclude(vpn__in=vpn_list) never matched the
client being removed. Now uses new_vpn_ids from config_templates (the
incoming new set) so PATCH with an empty templates list also works.

Added select_related("vpn", "cert", "ip") to all deletion querysets
to avoid N+1 queries triggered by the post_delete signal handler.
Wrapped deletion loops in transaction.atomic() to prevent partial
deletions on failure.

Fixes openwisp#1221

Author: mn-ram

openwisp_controller/config/api/serializers.py

@@ -200,9 +200,15 @@ def _update_config(self, device, config_data):
             old_templates = list(config.templates.values_list("id", flat=True))
             if config_templates != old_templates:
                 with transaction.atomic():
-                    vpn_list = config.templates.filter(type="vpn").values_list("vpn")
-                    if vpn_list:
-                        config.vpnclient_set.exclude(vpn__in=vpn_list).delete()
+                    new_vpn_ids = Template.objects.filter(
+                        pk__in=config_templates, type="vpn"
+                    ).values_list("vpn", flat=True)
+                    for vpnclient in (
+                        config.vpnclient_set.select_related("vpn", "cert", "ip")
+                        .exclude(vpn__in=new_vpn_ids)
+                        .iterator()
+                    ):
+                        vpnclient.delete()
                     config.templates.set(config_templates, clear=True)
             config.save()
         except ValidationError as error:

openwisp_controller/config/base/config.py

@@ -338,7 +338,11 @@ def manage_vpn_clients(cls, action, instance, pk_set, **kwargs):
             if instance.is_deactivating_or_deactivated():
                 # If the device is deactivated or in the process of deactivating, then
                 # delete all vpn clients and return.
-                instance.vpnclient_set.all().delete()
+                with transaction.atomic():
+                    for vpnclient in instance.vpnclient_set.select_related(
+                        "vpn", "cert", "ip"
+                    ).iterator():
+                        vpnclient.delete()
             return
 
         vpn_client_model = cls.vpn.through
@@ -370,9 +374,15 @@ def manage_vpn_clients(cls, action, instance, pk_set, **kwargs):
             # signal is triggered again—after all templates, including the required
             # ones, have been fully added. At that point, we can identify and
             # delete VpnClient objects not linked to the final template set.
-            instance.vpnclient_set.exclude(
-                template_id__in=instance.templates.values_list("id", flat=True)
-            ).delete()
+            with transaction.atomic():
+                for vpnclient in (
+                    instance.vpnclient_set.select_related("vpn", "cert", "ip")
+                    .exclude(
+                        template_id__in=instance.templates.values_list("id", flat=True)
+                    )
+                    .iterator()
+                ):
+                    vpnclient.delete()
 
         if action == "post_add":
             for template in templates.filter(type="vpn"):