mirror of
https://github.com/donaldzou/WGDashboard.git
synced 2024-11-22 07:10:09 +01:00
modified all and patched security vulnerability issue #333
This commit is contained in:
parent
4b8b3acd39
commit
2e9ac00a42
@ -23,19 +23,11 @@ ENV WGDASH=/opt/wireguarddashboard
|
||||
|
||||
# Doing package management operations, such as upgrading
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
curl \
|
||||
git \
|
||||
iproute2 \
|
||||
iptables \
|
||||
iputils-ping \
|
||||
openresolv \
|
||||
procps \
|
||||
python3 \
|
||||
python3-pip \
|
||||
python3-venv \
|
||||
traceroute \
|
||||
wireguard \
|
||||
wireguard-tools \
|
||||
curl git iproute2 \
|
||||
iptables iputils-ping \
|
||||
openresolv procps traceroute \
|
||||
python3 python3-pip python3-venv \
|
||||
wireguard wireguard-tools \
|
||||
sudo && \
|
||||
apt-get remove -y linux-image-* && \
|
||||
apt-get autoremove -y && \
|
||||
@ -55,18 +47,16 @@ VOLUME ${WGDASH}
|
||||
# Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency.
|
||||
# Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006.
|
||||
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
||||
RUN wg genkey | tee /etc/wireguard/wg0_privatekey \
|
||||
&& echo "[Interface]" > /setup/conf/wg0.conf \
|
||||
RUN echo "[Interface]" > /setup/conf/wg0.conf \
|
||||
&& echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \
|
||||
&& echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /setup/conf/wg0.conf \
|
||||
&& echo "PrivateKey =" >> /setup/conf/wg0.conf \
|
||||
&& echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
|
||||
&& echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
|
||||
&& echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
|
||||
&& echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
|
||||
&& echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \
|
||||
&& echo "SaveConfig = true" >> /setup/conf/wg0.conf \
|
||||
&& echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf \
|
||||
&& rm /etc/wireguard/wg0_privatekey
|
||||
&& echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf
|
||||
|
||||
# Defining a way for Docker to check the health of the container. In this case: checking the login URL.
|
||||
HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \
|
||||
|
@ -76,7 +76,7 @@ So go to the assign TCP port in this case HTTP, like the default 10086 one in th
|
||||
| tz | Europe/Amsterdam or any confirming timezone notation. | `Europe/Amsterdam` | `America/New_York` | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. |
|
||||
| global_dns | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9). | `1.1.1.1` | `8.8.8.8` or any IP-Address that resolves DNS-names, and of course is reachable | Set the default DNS given to clients once they connect to the WireGuard tunnel, and for new peers, set to Cloudflare DNS for reliability.
|
||||
| enable | Anything, preferably an existing WireGuard interface name. | `none` | `wg0,wg2,wg13` | Enables or disables the starting of the WireGuard interface on container 'boot-up'.
|
||||
| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package).
|
||||
| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=none` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package).
|
||||
| public_ip | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | `23.50.131.156` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. This happends because it is inside a Docker/Kubernetes container. In or outside of NAT is not relevant as long as the given IP-address is reachable from the internet or the target network.
|
||||
|
||||
## Be careful with:
|
||||
|
@ -1,6 +1,6 @@
|
||||
services:
|
||||
wireguard-dashboard:
|
||||
image: dselen/wgdashboard:latest
|
||||
image: dselen/wgdashboard:dev
|
||||
restart: unless-stopped
|
||||
container_name: wgdashboard
|
||||
environment:
|
||||
|
@ -26,8 +26,14 @@ ensure_installation() {
|
||||
if [ ! -f "/etc/wireguard/wg0.conf" ]; then
|
||||
echo "Standard wg0 Configuration file not found, grabbing template."
|
||||
cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf"
|
||||
|
||||
echo "Setting a secure private key."
|
||||
local privateKey=$(wg genkey)
|
||||
sed -i "s|^PrivateKey =$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
|
||||
sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
|
||||
echo "Done setting template."
|
||||
else
|
||||
echo "Standard wg0 Configuration file found, using that."
|
||||
echo "Existing wg0 configuration file found, using that."
|
||||
fi
|
||||
}
|
||||
|
||||
@ -58,6 +64,11 @@ clean_up() {
|
||||
else
|
||||
echo "No pycaches found, continuing."
|
||||
fi
|
||||
|
||||
local logdir="${WGDASH}/src/log"
|
||||
echo "Cleaning log directory."
|
||||
rm ${logdir}/access_*.log ${logdir}/error_*.log
|
||||
echo "Removed unneeded logs!"
|
||||
}
|
||||
|
||||
#update_checker() {
|
||||
@ -135,17 +146,22 @@ start_core() {
|
||||
|
||||
# Isolating the matches.
|
||||
for interface in "${do_isolate[@]}"; do
|
||||
if [ -f "/etc/wireguard/${interface}.conf" ]; then
|
||||
echo "Isolating interface:" $interface
|
||||
upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
|
||||
downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
|
||||
|
||||
if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
|
||||
sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
|
||||
sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
|
||||
fi
|
||||
if [ "$interface" = "none" ]; then
|
||||
echo "Found: $interface, stopping isolation checking."
|
||||
break
|
||||
else
|
||||
echo "Configuration for $interface does not seem to exist, continuing."
|
||||
if [ -f "/etc/wireguard/${interface}.conf" ]; then
|
||||
echo "Isolating interface:" $interface
|
||||
upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
|
||||
downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
|
||||
|
||||
if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
|
||||
sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
|
||||
sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
|
||||
fi
|
||||
else
|
||||
echo "Configuration for $interface does not seem to exist, continuing."
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
@ -164,18 +180,23 @@ start_core() {
|
||||
IFS=',' read -r -a enable_array <<< "${enable}"
|
||||
|
||||
for interface in "${enable_array[@]}"; do
|
||||
echo "Enabling interface:" $interface
|
||||
|
||||
local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf)
|
||||
if [ $fileperms -eq 644 ]; then
|
||||
echo "Configuration is world accessible, adjusting."
|
||||
chmod 600 "/etc/wireguard/${interface}.conf"
|
||||
fi
|
||||
|
||||
if [ -f "/etc/wireguard/${interface}.conf" ]; then
|
||||
wg-quick up $interface
|
||||
if [ "$interface" = "none" ]; then
|
||||
echo "Found: $interface, stopping enabling checking."
|
||||
break
|
||||
else
|
||||
echo "No corresponding configuration file found for $interface doing nothing."
|
||||
echo "Enabling interface:" $interface
|
||||
|
||||
local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf)
|
||||
if [ $fileperms -eq 644 ]; then
|
||||
echo "Configuration is world accessible, adjusting."
|
||||
chmod 600 "/etc/wireguard/${interface}.conf"
|
||||
fi
|
||||
|
||||
if [ -f "/etc/wireguard/${interface}.conf" ]; then
|
||||
wg-quick up $interface
|
||||
else
|
||||
echo "No corresponding configuration file found for $interface doing nothing."
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user