Working prototype.

docker/Dockerfile

@@ -9,8 +9,8 @@ ENV wg_net="10.0.0.1"
 # Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info.
 ENV tz="Europe/Amsterdam"
 ENV global_dns="1.1.1.1"
-ENV enable="(`none`)"
-ENV isolated_peers="true"
+ENV enable="none"
+ENV isolate="none"
 ENV public_ip="0.0.0.0"
 
 # Doing basic system maintenance. Change the timezone to the desired timezone.
@@ -66,7 +66,7 @@ RUN wg genkey | tee /etc/wireguard/wg0_privatekey \
   && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /wg0.conf \
   && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \
   && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \
-  && echo "PreDown = iptables -t nat -D POSTROUTING 1" >> /wg0.conf \
+  && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \
   && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \
   && echo "ListenPort = 51820" >> /wg0.conf \
   #&& echo "DNS = ${global_dns}" >> /wg0.conf \

docker/compose.yaml

@@ -6,8 +6,8 @@ services:
     environment:
       #- tz=                # <--- Set container timezone, default: Europe/Amsterdam.
       #- global_dns=        # <--- Set global DNS address, default: 1.1.1.1.
-      - enable=wg0,wg1      # <--- If true, wg0 will be started on container startup. default: false.
-      - isolated_peers=false     # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true.
+      - enable=wg0,wg1   # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed.
+      - isolate=wg0         # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true.
       #- public_ip=         # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me.
     ports:
       - 10086:10086/tcp

docker/entrypoint.sh

@@ -8,7 +8,7 @@ clean_up() {
   echo "Looking for remains of previous instances..."
   local pid_file="${WGDASH}/src/gunicorn.pid"
   if [ -f $pid_file ]; then
-    echo "Found old .pid file, removing."
+    echo "Found old pid file, removing."
     rm $pid_file
   else
     echo "No pid remains found, continuing."
@@ -45,26 +45,56 @@ start_core() {
   cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched.
   bash wgd.sh start
 
-  # The following section takes care of the firewall rules regarding the 'isolated_peers' feature, which allows or drops packets destined from the wg0 to the wg0 interface.
-  if [ "${isolated_peers,,}" = "false" ]; then
-    echo "Isolated peers disabled, adjusting."
+  # Isolated peers
+  local configurations=(/etc/wireguard/*)
+  IFS=',' read -r -a do_isolate <<< "${isolate}"
+  non_isolate=()
+
+  for config in "${configurations[@]}"; do
+    local config=$(echo "$config" | sed -e 's|.*/etc/wireguard/||' -e 's|\.conf$||')
+    found=false
+    for interface in "${do_isolate[@]}"; do
+      if [[ "$config" == "$interface" ]]; then
+        found=true
+        break
+      fi
+    done
+    if [ "$found" = false ]; then
+      non_isolate+=("$config")
+    fi
+  done
+
+  echo "Isolate configurations: ${do_isolate[@]}"
+  echo "Non-Isolate configurations: ${non_isolate[@]}"
+
+  for interface in "${do_isolate[@]}"; do
+    if [ -f "/etc/wireguard/${interface}.conf" ]; then
+      echo "Isolating:" $interface
+      upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
+      downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
 
-    sed -i '/PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf
-    sed -i '/PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf
-  elif [ "${isolated_peers,,}" = "true" ]; then
-    upblocking=$(grep -c "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf)
-    downblocking=$(grep -c "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf)
       if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
-      echo "Isolated peers enabled, adjusting."
-
-      sed -i '/PostUp = iptables -t nat -I POSTROUTING 1 -s/a PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf
-      sed -i '/PreDown = iptables -t nat -D POSTROUTING 1 -s/a PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf
+        sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
+        sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
       fi
-
+    else
+      echo "Configuration for $interface does not seem to exist, continuing."
     fi
+  done
+  
+  for interface in "${non_isolate[@]}"; do
+    if [ -f "/etc/wireguard/${interface}.conf" ]; then
+      echo "Removing Isolation for:" $interface
+      sed -i "/PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf
+      sed -i "/PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf
+    else
+      echo "Configuration for $interface does not seem to exist, continuing."
+    fi
+  done
 
   # The following section takes care of enabling wireguard interfaces on startup.
   IFS=',' read -r -a enable_array <<< "${enable}"
+
   for interface in "${enable_array[@]}"; do
     echo "Preference for $interface to be turned on found."
     if [ -f "/etc/wireguard/${interface}.conf" ]; then