diff --git a/docker/Dockerfile b/docker/Dockerfile index 7070a5c..dda699b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -9,8 +9,8 @@ ENV wg_net="10.0.0.1" # Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. ENV tz="Europe/Amsterdam" ENV global_dns="1.1.1.1" -ENV enable="(`none`)" -ENV isolated_peers="true" +ENV enable="none" +ENV isolate="none" ENV public_ip="0.0.0.0" # Doing basic system maintenance. Change the timezone to the desired timezone. @@ -66,7 +66,7 @@ RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /wg0.conf \ && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \ && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \ - && echo "PreDown = iptables -t nat -D POSTROUTING 1" >> /wg0.conf \ + && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \ && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \ && echo "ListenPort = 51820" >> /wg0.conf \ #&& echo "DNS = ${global_dns}" >> /wg0.conf \ diff --git a/docker/compose.yaml b/docker/compose.yaml index c79b5a5..ba429f2 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -6,8 +6,8 @@ services: environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. - - enable=wg0,wg1 # <--- If true, wg0 will be started on container startup. default: false. - - isolated_peers=false # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. + - enable=wg0,wg1 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. + - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 6316ab7..e6d48c0 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -8,7 +8,7 @@ clean_up() { echo "Looking for remains of previous instances..." local pid_file="${WGDASH}/src/gunicorn.pid" if [ -f $pid_file ]; then - echo "Found old .pid file, removing." + echo "Found old pid file, removing." rm $pid_file else echo "No pid remains found, continuing." @@ -45,26 +45,56 @@ start_core() { cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. bash wgd.sh start - # The following section takes care of the firewall rules regarding the 'isolated_peers' feature, which allows or drops packets destined from the wg0 to the wg0 interface. - if [ "${isolated_peers,,}" = "false" ]; then - echo "Isolated peers disabled, adjusting." + # Isolated peers + local configurations=(/etc/wireguard/*) + IFS=',' read -r -a do_isolate <<< "${isolate}" + non_isolate=() - sed -i '/PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf - sed -i '/PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf - elif [ "${isolated_peers,,}" = "true" ]; then - upblocking=$(grep -c "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf) - downblocking=$(grep -c "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf) - if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then - echo "Isolated peers enabled, adjusting." - - sed -i '/PostUp = iptables -t nat -I POSTROUTING 1 -s/a PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf - sed -i '/PreDown = iptables -t nat -D POSTROUTING 1 -s/a PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf + for config in "${configurations[@]}"; do + local config=$(echo "$config" | sed -e 's|.*/etc/wireguard/||' -e 's|\.conf$||') + found=false + for interface in "${do_isolate[@]}"; do + if [[ "$config" == "$interface" ]]; then + found=true + break + fi + done + if [ "$found" = false ]; then + non_isolate+=("$config") fi + done - fi + echo "Isolate configurations: ${do_isolate[@]}" + echo "Non-Isolate configurations: ${non_isolate[@]}" + + for interface in "${do_isolate[@]}"; do + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Isolating:" $interface + upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + + if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then + sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + fi + else + echo "Configuration for $interface does not seem to exist, continuing." + fi + done + + for interface in "${non_isolate[@]}"; do + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Removing Isolation for:" $interface + sed -i "/PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + sed -i "/PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + else + echo "Configuration for $interface does not seem to exist, continuing." + fi + done # The following section takes care of enabling wireguard interfaces on startup. IFS=',' read -r -a enable_array <<< "${enable}" + for interface in "${enable_array[@]}"; do echo "Preference for $interface to be turned on found." if [ -f "/etc/wireguard/${interface}.conf" ]; then