From 0938f5ab7113854c391d62c7e2fe646a5c7d028b Mon Sep 17 00:00:00 2001
From: Daan
Date: Tue, 4 Jun 2024 22:49:17 +0200
Subject: [PATCH] Container deployed with working VPN server built-in. Missing is persistency among recreations, looking into that...

---
 docker/Dockerfile | 19 ++++++++++++++-----
 docker/compose.yaml | 18 ++++++++++++++++++
 docker/entrypoint.sh | 18 ++++++++++++++----
 3 files changed, 46 insertions(+), 9 deletions(-)
 create mode 100644 docker/compose.yaml

diff --git a/docker/Dockerfile b/docker/Dockerfile
index d6d4fc3..3c6a800 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -5,9 +5,11 @@ LABEL maintainer="dselen@nerthus.nl"
 # Copy the basic entrypoint.sh script.
 COPY entrypoint.sh /entrypoint.sh
 
-# Declaring environment variables
+# Declaring environment variables, change Peernet to an address you like, standard is a 24 bit subnet.
 ENV tz=Europe/Amsterdam
-ENV WGPEERNET=10.0.0.1
+ENV public_ip=0.0.0.0
+ENV wg_net=10.0.0.1
+ENV global_dns=1.1.1.1
 
 # Doing basic system maintenance. Change the timezone to the desired timezone.
 RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime \
@@ -18,7 +20,7 @@ RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime \
 # Removing the linux-image package to preserve space on the container.
 
 # Installing needed packages for installation.
-RUN apt-get install -y --no-install-recommends git wireguard wireguard-tools python3 python3-pip python3-venv iproute2 openresolv procps
+RUN apt-get install -y --no-install-recommends git wireguard wireguard-tools python3 python3-pip python3-venv iproute2 openresolv procps iptables curl
 
 ENV WGDASH=/opt/wireguardashboard
 RUN python3 -m venv ${WGDASH}/venv
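Review bot: The comment rewritten above `ENV tz` still tells the reader to change `Peernet`, but the variable that holds the address is renamed to `wg_net` two lines below, and the comment says nothing about the other two new knobs. Since entrypoint.sh (later in this patch) treats `public_ip=0.0.0.0` as "not set, auto-detect" and `global_dns=1.1.1.1` as "leave the default", those sentinels deserve to be stated where the defaults are declared, e.g. `# Build-time defaults, override at run time: wg_net is the wg0 address (a /24 is assumed), public_ip=0.0.0.0 means auto-detect, global_dns is the DNS pushed to peers.`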
@@ -33,9 +35,16 @@ RUN . ${WGDASH}/venv/bin/activate \
 # Set the volume to be used for persistency.
 VOLUME /etc/wireguard
 
-# Generate basic WireGuard interface. Change Peernet to CIDR you would like.
+# Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency.
 RUN wg genkey | tee /etc/wireguard/wg0_privatekey \
-    && echo "[Interface]\nSaveConfig = true\nAddress = ${WGPEERNET}/24\nPrivateKey = $(cat /etc/wireguard/wg0_privatekey)\nListenPort = 51820\nDNS = 8.8.8.8" > /etc/wireguard/wg0.conf \
+    && echo "[Interface]" > /etc/wireguard/wg0.conf \
+    && echo "SaveConfig = true" >> /etc/wireguard/wg0.conf \
+    && echo "Address = ${wg_net}/24" >> /etc/wireguard/wg0.conf \
+    && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /etc/wireguard/wg0.conf \
+    && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /etc/wireguard/wg0.conf \
+    && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /etc/wireguard/wg0.conf \
+    && echo "ListenPort = 51820" >> /etc/wireguard/wg0.conf \
+    && echo "DNS = ${global_dns}" >> /etc/wireguard/wg0.conf \
     && rm /etc/wireguard/wg0_privatekey
 
 # Exposing the default WireGuard Dashboard port for web access.
diff --git a/docker/compose.yaml b/docker/compose.yaml
new file mode 100644
index 0000000..3b6ca95
--- /dev/null
+++ b/docker/compose.yaml
@@ -0,0 +1,18 @@
+services:
+  wireguard-dashboard:
+    image: repo.nerthus.nl/app/wireguard-dashboard:latest
+    restart: unless-stopped
+    container_name: wire-dash
+    environment:
+      #- tz=Europe/Amsterdam # <--- is default
+      - public_ip=212.124.66.17
+    ports:
+      - 10086:10086/tcp
+      - 51820:51820/udp
+    volumes:
+      - wireguard_confs:/etc/wireguard
+    cap_add:
+      - NET_ADMIN
+
+volumes:
+  wireguard_confs:
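Review bot: The `PrivateKey = $(cat /etc/wireguard/wg0_privatekey)` line writes a key generated at build time into `/etc/wireguard/wg0.conf` inside the image, so every container started from this image, and anyone who can pull it or read its layers, shares the same WireGuard private key; the trailing `rm` of `wg0_privatekey` does not change that because the key is already in the conf and in the layer. The `$(ip -o -4 route show to default | awk '{print $NF}')` substitutions in `PostUp`/`PreDown` are expanded by the same build shell, so the interface name baked into the MASQUERADE rule is the builder's default interface, not the one the running container will have. Both are addressed by emitting the `PrivateKey` and `PostUp`/`PreDown` lines at container start instead (in entrypoint.sh, only when `wg0.conf` does not already exist on the mounted volume), which is also the persistence the commit message says is still missing. The `RUN` here would then only write the static `[Interface]`, `Address`, `ListenPort` and `DNS` lines.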
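Review bot: `- public_ip=212.124.66.17` commits a concrete public address into the sample compose file, so anyone who copies it unchanged will hand that endpoint to their peers, and nothing in the file tells the reader it must be replaced. Use a placeholder or keep the documented `0.0.0.0` auto-detect default, e.g. `- public_ip=0.0.0.0 # <--- replace with this host's public address, 0.0.0.0 = auto-detect`. The service also gets `NET_ADMIN` but no `sysctls: - net.ipv4.ip_forward=1`; unless forwarding is enabled somewhere not visible in this diff, the MASQUERADE rule written into wg0.conf will NAT nothing because the kernel will not forward peer traffic in the first place. Pinning `image:` to a tag other than `latest` would make the deployment reproducible, but that is a smaller point.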
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index ed61833..1009e56 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,10 +1,8 @@
 echo "Starting the WireGuard Dashboard."
 
-outgoing=$(ip -o -4 route show to default | awk '{print $NF}')
-echo $outgoing
-
+# Starting the WireGuard Dashboard Web-UI.
 . ${WGDASH}/venv/bin/activate
-cd /opt/wireguardashboard/app/src
+cd ${WGDASH}/app/src
 bash ./wgd.sh start
 
 if [ "$tz" != "Europe/Amsterdam" ]; then
@@ -12,6 +10,18 @@ if [ "$tz" != "Europe/Amsterdam" ]; then
     ln -sf /usr/share/zoneinfo/$tz /etc/localtime
 fi
 
+if [ "$global_dns" != "1.1.1.1" ]; then # Changing the DNS used for clients. Had to change it in 2 locations.
+    echo "Changing default dns..."
+    sed -i 's/^DNS = .*/DNS = ${global_dns}/' /etc/wireguard/wg0.conf
+    sed -i "s/^peer_global_dns = .*/peer_global_dns = $global_dns/" /opt/wireguardashboard/app/src/wg-dashboard.ini
+fi
+
+if [ "$public_ip" != "0.0.0.0" ]; then # Setting the public IP of the WireGuard Dashboard container host. If not defined, it will be tried using ifconfig.me.
+    sed -i "s/^remote_endpoint = .*/remote_endpoint = $public_ip/" /opt/wireguardashboard/app/src/wg-dashboard.ini
+else
+    sed -i "s/^remote_endpoint = .*/remote_endpoint = $(curl ifconfig.me)/" /opt/wireguardashboard/app/src/wg-dashboard.ini
+fi
+
 sleep 3s
 tail -f /opt/wireguardashboard/app/src/log/*.log
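Review bot: `cd ${WGDASH}/app/src` is unquoted and its result is not checked: if `WGDASH` is empty or the directory is missing, `cd` fails and `bash ./wgd.sh start` on the next line runs from whatever the working directory happened to be, resolving `./wgd.sh` there. Change it to `cd "${WGDASH:?WGDASH must be set}/app/src" || exit 1` and quote the source line the same way, `. "${WGDASH}/venv/bin/activate"`. The hunk begins at line 1 with `echo`, so the script has no shebang; unless it is always invoked as `bash /entrypoint.sh`, adding `#!/usr/bin/env bash` at the top belongs in the same change.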
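Review bot: `sed -i 's/^DNS = .*/DNS = ${global_dns}/' /etc/wireguard/wg0.conf` is single-quoted, so `${global_dns}` is never expanded and the literal text `DNS = ${global_dns}` is written into wg0.conf whenever a non-default DNS is configured; the `peer_global_dns` line right below it is double-quoted and works. In the `else` branch the body of `curl ifconfig.me`, fetched over plain HTTP with no `-f`, no timeout and no validation, is spliced straight into the sed replacement and thus into `wg-dashboard.ini`: an empty, HTML or otherwise unexpected response becomes the dashboard's `remote_endpoint`, and any `/` in it breaks the sed expression. Fetch the value into `public_ip` with `curl -fsS --max-time 10 https://ifconfig.me`, accept it only if it consists of address characters, and fail loudly otherwise, so that one `sed` then serves both cases, as sketched below.
```shell
if [ "$global_dns" != "1.1.1.1" ]; then # Changing the DNS used for clients. Had to change it in 2 locations.
    echo "Changing default dns..."
    sed -i "s/^DNS = .*/DNS = $global_dns/" /etc/wireguard/wg0.conf
    # … unchanged: peer_global_dns sed …
fi

if [ "$public_ip" = "0.0.0.0" ]; then
    # Auto-detect only when no public_ip was given; refuse anything that is not a plain address.
    public_ip=$(curl -fsS --max-time 10 https://ifconfig.me) || { echo "Could not determine public IP, set public_ip explicitly." >&2; exit 1; }
    case "$public_ip" in
        ""|*[!0-9a-fA-F:.]*) echo "Unexpected response from ifconfig.me: $public_ip" >&2; exit 1 ;;
    esac
fi
sed -i "s/^remote_endpoint = .*/remote_endpoint = $public_ip/" /opt/wireguardashboard/app/src/wg-dashboard.ini
```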