From 00611ef9dca2def6ad882cc703621fa03dc548a7 Mon Sep 17 00:00:00 2001 From: Dselen Date: Tue, 20 Aug 2024 09:58:25 -0500 Subject: [PATCH 01/25] Progress so far. --- docker/Dockerfile | 68 +++++++++++++---------- docker/{Docker-explain.md => README.md} | 0 docker/compose.yaml | 6 +- docker/entrypoint.sh | 73 +++++++++++++++++-------- 4 files changed, 90 insertions(+), 57 deletions(-) rename docker/{Docker-explain.md => README.md} (100%) diff --git a/docker/Dockerfile b/docker/Dockerfile index fb373d2..7070a5c 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,5 @@ # Pull from small Debian stable image. -FROM debian:stable-slim +FROM debian:stable-slim AS build LABEL maintainer="dselen@nerthus.nl" # Declaring environment variables, change Peernet to an address you like, standard is a 24 bit subnet. 
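Review bot: `FROM debian:stable-slim AS build` still pulls a floating tag, so two builds of this Dockerfile can land on different base layers and the packages `apt-get` installs later are not reproducible; pin the base by digest, e.g. `FROM debian:stable-slim@sha256:<digest> AS build`, and bump the digest deliberately. The new `AS build` alias suggests a multi-stage layout, but no second `FROM` is visible in this patch, so the name currently has no effect; either add the runtime stage or drop the alias so readers do not look for one.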
@@ -9,46 +9,52 @@ ENV wg_net="10.0.0.1" # Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. ENV tz="Europe/Amsterdam" ENV global_dns="1.1.1.1" -ENV enable_wg0="false" +ENV enable="(`none`)" ENV isolated_peers="true" ENV public_ip="0.0.0.0" # Doing basic system maintenance. Change the timezone to the desired timezone. RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime -# Doing package management operations, such as upgrading -RUN apt-get update && apt-get upgrade -y \ - && apt-get install -y --no-install-recommends curl \ - git \ - iproute2 \ - iptables \ - iputils-ping \ - openresolv \ - procps \ - python3 \ - python3-pip \ - python3-venv \ - traceroute \ - wireguard \ - wireguard-tools \ - && apt-get remove linux-image-* --autoremove -y \ - && apt-get clean \ - && rm -rf /var/lib/apt/lists/* -# Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. - # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. ENV WGDASH=/opt/wireguarddashboard -RUN python3 -m venv ${WGDASH}/venv + +# Doing package management operations, such as upgrading +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + curl \ + git \ + iproute2 \ + iptables \ + iputils-ping \ + openresolv \ + procps \ + python3 \ + python3-pip \ + python3-venv \ + traceroute \ + wireguard \ + wireguard-tools \ + sudo && \ + apt-get remove -y linux-image-* && \ + apt-get autoremove -y && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* + +# Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. # Doing WireGuard Dashboard installation measures. 
Modify the git clone command to get the preferred version, with a specific branch for example. -RUN . ${WGDASH}/venv/bin/activate \ - && git clone https://github.com/donaldzou/WGDashboard.git ${WGDASH}/app \ - && pip3 install -r ${WGDASH}/app/src/requirements.txt \ - && chmod +x ${WGDASH}/app/src/wgd.sh \ - && .${WGDASH}/app/src/wgd.sh install +RUN git clone https://github.com/donaldzou/WGDashboard.git ${WGDASH} \ + && rm ${WGDASH}/.git -rdf \ + && python3 -m venv ${WGDASH}/src/venv \ + && . ${WGDASH}/src/venv/bin/activate \ + && chmod +x ${WGDASH}/src/wgd.sh \ + && cd ${WGDASH}/src \ + && ./wgd.sh install -# Set the volume to be used for persistency. +# Set the volume to be used for WireGuard configuration persistency. VOLUME /etc/wireguard +VOLUME ${WGDASH} # Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency. # Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. @@ -67,7 +73,9 @@ RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ && rm /etc/wireguard/wg0_privatekey # Defining a way for Docker to check the health of the container. In this case: checking the login URL. -HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:10086/signin || exit 1 +HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ + CMD [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:10086/)" -eq "200" ] || exit 1 + # Copy the basic entrypoint.sh script. COPY entrypoint.sh /entrypoint.sh diff --git a/docker/Docker-explain.md b/docker/README.md similarity index 100% rename from docker/Docker-explain.md rename to docker/README.md diff --git a/docker/compose.yaml b/docker/compose.yaml index 9d7509f..c79b5a5 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml 
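Review bot: The rewritten package step drops the `apt-get upgrade -y` the old RUN performed, so the image now ships whatever package versions the `debian:stable-slim` snapshot carried rather than current security fixes, while adding `sudo`, which nothing in this diff uses and which is extra setuid surface in a container that already runs as root. Keep `apt-get update && apt-get upgrade -y` (or document why it was removed) and drop `sudo` from the list unless the entrypoint needs it. The new install step's `git clone https://github.com/donaldzou/WGDashboard.git ${WGDASH}` checks out whatever the default branch points at on build day and then deletes `.git`, so the build is neither reproducible nor auditable; clone a tagged release or specific commit, e.g. `git clone --depth 1 --branch <tag> ...`, and record the ref in an ARG or label. This hunk begins on the preceding line with the `ENV` defaults.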
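Review bot: The new `HEALTHCHECK` command starts with `[`, which makes Docker first try to parse it as a JSON exec-form array; the parse fails on the unquoted `-eq`, Docker silently falls back to shell form, and the probe works only by that accident — an edit that makes the line valid JSON would run `[` as the executable with no shell at all. Write it unambiguously: `CMD curl -fsS http://localhost:10086/ >/dev/null || exit 1` restores the `-f` the old check had, or, if exactly 200 is the requirement, `CMD test "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:10086/)" = 200 || exit 1`.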
@@ -1,12 +1,12 @@ services: wireguard-dashboard: - image: repo.nerthus.nl/app/wireguard-dashboard:latest + image: dselen/wgdashboard:dev restart: unless-stopped container_name: wire-dash environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. - - enable_wg0=true # <--- If true, wg0 will be started on container startup. default: false. + - enable=wg0,wg1 # <--- If true, wg0 will be started on container startup. default: false. - isolated_peers=false # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: @@ -14,7 +14,7 @@ services: - 51820:51820/udp volumes: - conf:/etc/wireguard - - app:/opt/wireguarddashboard/app + - app:/opt/wireguarddashboard cap_add: - NET_ADMIN diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 118e9ef..6316ab7 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
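Review bot: Mounting the named volume `app` over `/opt/wireguarddashboard` now shadows the entire application tree the image cloned at build time, including the venv, so after the first run the container keeps executing whatever code was seeded into the volume and pulling a newer image tag will not change it. The old mapping only covered the `.../app` subdirectory, which the Dockerfile in this series no longer uses. If persistence is only needed for the dashboard's own state, mount the paths the entrypoint actually edits (`src/wg-dashboard.ini`, `src/log`) rather than the whole tree, and add a comment here saying which of the two behaviours is intended.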
@@ -1,30 +1,48 @@ #!/bin/bash echo "Starting the WireGuard Dashboard Docker container." +# === CLEAN UP === clean_up() { + echo "--------------------- CLEAN UP -----------------------" # Cleaning out previous data such as the .pid file and starting the WireGuard Dashboard. Making sure to use the python venv. echo "Looking for remains of previous instances..." - if [ -f "/opt/wireguarddashboard/app/src/gunicorn.pid" ]; then + local pid_file="${WGDASH}/src/gunicorn.pid" + if [ -f $pid_file ]; then echo "Found old .pid file, removing." - rm /opt/wireguarddashboard/app/src/gunicorn.pid + rm $pid_file else - echo "No remains found, continuing." + echo "No pid remains found, continuing." + fi + + local pycache="${WGDASH}/src/__pycache__" + if [ -d "$pycache" ]; then + local pycache_filecount=$(find "$pycache" -maxdepth 1 -type f | wc -l) + if [ "$pycache_filecount" -gt 0 ]; then + echo "Found old pycaches, removing." + rm -rf "$pycache"/* + else + echo "No pycaches found, continuing." + fi + else + echo "No pycaches found, continuing." fi } +# === CORE SERVICES === start_core() { + echo "--------------------- STARTING CORE -----------------------" + # This first step is to ensure the wg0.conf file exists, and if not, then its copied over from the ephemeral container storage. if [ ! -f "/etc/wireguard/wg0.conf" ]; then cp "/wg0.conf" "/etc/wireguard/wg0.conf" - echo "WireGuard interface file copied over." + echo "Standard WG0 Configuration file not found, grabbing template." else - echo "WireGuard interface file looks to already be existing." + echo "Standard WG0 Configuration file found, using that." fi echo "Activating Python venv and executing the WireGuard Dashboard service." - - . "${WGDASH}"/venv/bin/activate - cd "${WGDASH}"/app/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. + . 
"${WGDASH}"/src/venv/bin/activate + cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. bash wgd.sh start # The following section takes care of the firewall rules regarding the 'isolated_peers' feature, which allows or drops packets destined from the wg0 to the wg0 interface. @@ -45,17 +63,22 @@ start_core() { fi - # The following section takes care of - if [ "${enable_wg0,,}" = "true" ]; then - echo "Preference for wg0 to be turned on found." - - wg-quick up wg0 - else - echo "Preference for wg0 to be turned off found." - fi + # The following section takes care of enabling wireguard interfaces on startup. + IFS=',' read -r -a enable_array <<< "${enable}" + for interface in "${enable_array[@]}"; do + echo "Preference for $interface to be turned on found." + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Found corresponding configuration file, activating..." + wg-quick up $interface + else + echo "No corresponding configuration file found for $interface doing nothing." + fi + done } +# === SET ENV VARS === set_envvars() { + echo "------------------------------------------------------------" echo "Setting relevant variables for operation." # If the timezone is different, for example in North-America or Asia. 
@@ -67,11 +90,11 @@ set_envvars() { fi # Changing the DNS used for clients and the dashboard itself. - if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/app/src/wg-dashboard.ini | awk '{print $NF}')" ]; then + if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Changing default dns." #sed -i "s/^DNS = .*/DNS = ${global_dns}/" /etc/wireguard/wg0.conf # Uncomment if you want to have DNS on server-level. - sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/" /opt/wireguarddashboard/app/src/wg-dashboard.ini + sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/" /opt/wireguarddashboard/src/wg-dashboard.ini fi # Setting the public IP of the WireGuard Dashboard container host. If not defined, it will trying fetching it using a curl to ifconfig.me. 
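Review bot: `${global_dns}` is still interpolated directly into the `sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/"` replacement, so a value containing `/`, `&`, `\` or a newline either breaks the substitution or rewrites other parts of `wg-dashboard.ini`, the file the dashboard later hands to peers. The variable is operator-supplied, but the README in this series invites "any" value; check it before use, e.g. `[[ "$global_dns" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "Invalid global_dns" >&2; exit 1; }` (widen the pattern if IPv6 is intended), or pass it through `awk -v` instead of a sed replacement. The hunk also hard-codes `/opt/wireguarddashboard/src/...` while the rest of the script uses `${WGDASH}`; using the variable here keeps one source of truth for the install path. `set_envvars` begins before this hunk and continues after it.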
@@ -79,22 +102,24 @@ set_envvars() { default_ip=$(curl -s ifconfig.me) echo "Trying to fetch the Public-IP using ifconfig.me: ${default_ip}" - sed -i "s/^remote_endpoint = .*/remote_endpoint = ${default_ip}/" /opt/wireguarddashboard/app/src/wg-dashboard.ini - elif [ "${public_ip}" != "$(grep "remote_endpoint = " /opt/wireguarddashboard/app/src/wg-dashboard.ini | awk '{print $NF}')" ]; then + sed -i "s/^remote_endpoint = .*/remote_endpoint = ${default_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini + elif [ "${public_ip}" != "$(grep "remote_endpoint = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Setting the Public-IP using given variable: ${public_ip}" - sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/app/src/wg-dashboard.ini + sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini fi } +# === CLEAN UP === ensure_blocking() { + echo "------------------------------------------------------------" sleep 1s echo "Ensuring container continuation." # This function checks if the latest error log is created and tails it for docker logs uses. - if find "/opt/wireguarddashboard/app/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then - latestErrLog=$(find /opt/wireguarddashboard/app/src/log -name "error_*.log" | head -n 1) - latestAccLog=$(find /opt/wireguarddashboard/app/src/log -name "access_*.log" | head -n 1) + if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then + latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1) + latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1) tail -f "${latestErrLog}" "${latestAccLog}" fi From 6991039640f56067e865729f6824caa7dc223efc Mon Sep 17 00:00:00 2001 
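Review bot: `default_ip=$(curl -s ifconfig.me)` fetches the public address over plain HTTP without `-f`, then writes the response body verbatim into `wg-dashboard.ini` through a `sed` replacement; an on-path party, a captive portal or an error page can therefore inject arbitrary text into `remote_endpoint`, which is the endpoint every exported peer configuration will carry. Use `curl -fsS https://ifconfig.me` and accept the result only if `[[ "$default_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]` holds before the `sed -i`; otherwise leave the existing value untouched and log a warning. The same unvalidated interpolation applies to `${public_ip}` on the `elif` branch. `set_envvars` opens before this hunk, and in `ensure_blocking` (whose closing brace is after the hunk) `find ... | head -n 1` picks whichever file `find` lists first rather than the newest, so the tail may follow a stale log.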
From: Dselen Date: Tue, 20 Aug 2024 12:58:30 -0500 Subject: [PATCH 02/25] Working prototype. --- docker/Dockerfile | 6 ++--- docker/compose.yaml | 4 +-- docker/entrypoint.sh | 60 +++++++++++++++++++++++++++++++++----------- 3 files changed, 50 insertions(+), 20 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 7070a5c..dda699b 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -9,8 +9,8 @@ ENV wg_net="10.0.0.1" # Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. ENV tz="Europe/Amsterdam" ENV global_dns="1.1.1.1" -ENV enable="(`none`)" -ENV isolated_peers="true" +ENV enable="none" +ENV isolate="none" ENV public_ip="0.0.0.0" # Doing basic system maintenance. Change the timezone to the desired timezone. @@ -66,7 +66,7 @@ RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /wg0.conf \ && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \ && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \ - && echo "PreDown = iptables -t nat -D POSTROUTING 1" >> /wg0.conf \ + && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \ && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \ && echo "ListenPort = 51820" >> /wg0.conf \ #&& echo "DNS = ${global_dns}" >> /wg0.conf \ diff --git a/docker/compose.yaml b/docker/compose.yaml index c79b5a5..ba429f2 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml 
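Review bot: The context around the changed `PreDown` line shows the wg0 `PrivateKey` being generated by `wg genkey` inside `docker build` and written into `/wg0.conf`, so the key sits in an image layer and is identical for every container started from the `dselen/wgdashboard` image this series publishes; anyone who pulls the image can read the server key of every deployment that kept the template. Move key generation to the entrypoint (generate on first start when `/etc/wireguard/wg0.conf` is absent, write it with `umask 077`) and leave only a placeholder in the build-time template. The `PreDown` change itself is sound: deleting by full rule spec instead of `-D POSTROUTING 1` no longer removes whichever rule happens to be first in the chain.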
@@ -6,8 +6,8 @@ services: environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. - - enable=wg0,wg1 # <--- If true, wg0 will be started on container startup. default: false. - - isolated_peers=false # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. + - enable=wg0,wg1 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. + - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 6316ab7..e6d48c0 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -8,7 +8,7 @@ clean_up() { echo "Looking for remains of previous instances..." local pid_file="${WGDASH}/src/gunicorn.pid" if [ -f $pid_file ]; then - echo "Found old .pid file, removing." + echo "Found old pid file, removing." rm $pid_file else echo "No pid remains found, continuing." 
@@ -45,26 +45,56 @@ start_core() { cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. bash wgd.sh start - # The following section takes care of the firewall rules regarding the 'isolated_peers' feature, which allows or drops packets destined from the wg0 to the wg0 interface. - if [ "${isolated_peers,,}" = "false" ]; then - echo "Isolated peers disabled, adjusting." + # Isolated peers + local configurations=(/etc/wireguard/*) + IFS=',' read -r -a do_isolate <<< "${isolate}" + non_isolate=() - sed -i '/PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf - sed -i '/PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP/d' /etc/wireguard/wg0.conf - elif [ "${isolated_peers,,}" = "true" ]; then - upblocking=$(grep -c "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf) - downblocking=$(grep -c "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" /etc/wireguard/wg0.conf) - if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then - echo "Isolated peers enabled, adjusting." 
- - sed -i '/PostUp = iptables -t nat -I POSTROUTING 1 -s/a PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf - sed -i '/PreDown = iptables -t nat -D POSTROUTING 1 -s/a PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP' /etc/wireguard/wg0.conf + for config in "${configurations[@]}"; do + local config=$(echo "$config" | sed -e 's|.*/etc/wireguard/||' -e 's|\.conf$||') + found=false + for interface in "${do_isolate[@]}"; do + if [[ "$config" == "$interface" ]]; then + found=true + break + fi + done + if [ "$found" = false ]; then + non_isolate+=("$config") fi + done - fi + echo "Isolate configurations: ${do_isolate[@]}" + echo "Non-Isolate configurations: ${non_isolate[@]}" + + for interface in "${do_isolate[@]}"; do + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Isolating:" $interface + upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + + if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then + sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + fi + else + echo "Configuration for $interface does not seem to exist, continuing." + fi + done + + for interface in "${non_isolate[@]}"; do + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Removing Isolation for:" $interface + sed -i "/PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + sed -i "/PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + else + echo "Configuration for $interface does not seem to exist, continuing." 
+ fi + done # The following section takes care of enabling wireguard interfaces on startup. IFS=',' read -r -a enable_array <<< "${enable}" + for interface in "${enable_array[@]}"; do echo "Preference for $interface to be turned on found." if [ -f "/etc/wireguard/${interface}.conf" ]; then From 68d0ae40027d4cee1fc4bd73eca76ea0a67aec0a Mon Sep 17 00:00:00 2001 From: Dselen Date: Tue, 20 Aug 2024 13:54:49 -0500 Subject: [PATCH 03/25] Added context and refined code. --- docker/Dockerfile | 2 +- docker/README.md | 53 ++++++++++++++++++++++++++++++-------------- docker/compose.yaml | 4 ++-- docker/entrypoint.sh | 16 ++++++------- 4 files changed, 47 insertions(+), 28 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index dda699b..03b6775 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -10,7 +10,7 @@ ENV wg_net="10.0.0.1" ENV tz="Europe/Amsterdam" ENV global_dns="1.1.1.1" ENV enable="none" -ENV isolate="none" +ENV isolate="wg0" ENV public_ip="0.0.0.0" # Doing basic system maintenance. Change the timezone to the desired timezone. diff --git a/docker/README.md b/docker/README.md index dd7bfe8..7da87cd 100644 --- a/docker/README.md +++ b/docker/README.md @@ -1,20 +1,20 @@ -# WG-Dashboard Docker Explanation: +# WGDashboard Docker Explanation: Author: DaanSelen
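Review bot: The isolation rewrite builds `configurations=(/etc/wireguard/*)` and strips `.conf` with `sed`, so any non-`.conf` entry in that directory (a stray key file, a backup) becomes an "interface name" fed into later `sed -i` and `[ -f ... ]` calls, and tokens from `${isolate}` are interpolated into `sed` address patterns and into `PostUp`/`PreDown` lines that wg-quick later executes as root without any check. Use `configurations=(/etc/wireguard/*.conf)` with `${config##*/}` / `${config%.conf}`, and reject tokens that fail `[[ "$interface" =~ ^[A-Za-z0-9_=+.-]{1,15}$ ]]` before they reach `sed`. Separately, `sed -i "/PostUp =/a ..."` appends after every `PostUp` line, so a config with several `PostUp` entries gets the DROP rule duplicated; anchor it to the first match, e.g. GNU sed's `0,/^PostUp =/` range. The surrounding `start_core` function begins before this hunk.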
-This document delves into how the WG-Dashboard Docker container has been built.
+This document delves into how the WGDashboard Docker container has been built.
Of course there are two stages, one before run-time and one at/after run-time.
The `Dockerfile` describes how the container image is made, and the `entrypoint.sh` is executed after running the container.
-In this example, WireGuard is integrated into the container itself, so it should be a run-and-go.
+In this example, WireGuard is integrated into the container itself, so it should be a run-and-go/out-of-the-box.
For more details on the source-code specific to this Docker image, refer to the source files, they have lots of comments. -I have tried to embed some new features such as `isolated_peers` and interface startup on container-start (through `enable_wg0`). +I have tried to embed some new features such as `isolate` and interface startup on container-start (through `enable`). I hope you enjoy! -WG-Dashboard Logo +WG-Dashboard Logo ## Getting the container running: -To get the container running you either pull the image from the repository, at the moment: `repo.nerthus.nl/app/wireguard-dashboard:latest`.
+To get the container running you either pull the image from the repository, `dselen/wgdashboard:latest`.
From there either use the environment variables describe below as parameters or use the Docker Compose file: `compose.yaml`. An example of a simple command to get the container running is show below:
@@ -28,7 +28,7 @@ docker run -d \ -p 10086:10086/tcp \ -p 51820:51820/udp \ --cap-add NET_ADMIN \ - repo.nerthus.nl/app/wireguard-dashboard:latest + dselen/wgdashboard:latest ```
If you want to use Compose instead of a raw Docker command, refer to the example in the `compose.yaml` or the one pasted below: @@ -37,14 +37,14 @@ If you want to use Compose instead of a raw Docker command, refer to the example ```yaml services: wireguard-dashboard: - image: repo.nerthus.nl/app/wireguard-dashboard:latest + image: dselen/wgdashboard:latest restart: unless-stopped container_name: wire-dash environment: #- tz= #- global_dns= - - enable_wg0=true - - isolated_peers=false + - enable=none + - isolate=wg0 #- public_ip= ports: - 10086:10086/tcp @@ -69,14 +69,33 @@ This setup is just generic and will use the Docker volumes. Once the container is running, the installation process is essentially the same as running it on bare-metal.
So go to the assign TCP port in this case HTTP, like the default 10086 one in the example and log into the WEB-GUI.
-| Environment variable | Accepted arguments | Default value | Verbose | -| -------------- | ------- | ------- | ------- | -| tz | Europe/Amsterdam or any confirming timezone notation. | Europe/Amsterdam | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. | -| global_dns | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9) | 1.1.1.1 | Set the default DNS given to clients once they connect to the WireGuard tunnel (VPN). -| enable_wg0 | `true` or `false` | `false` | Enables or disables the starting of the WireGuard interface on container 'boot-up'. -| isolated_peers | `true` or `false` | `true` | For security the default is true, and it disables peers to ping or reach eachother, the WireGuard interface IS able to reach the peers (Done through `iptables`). -| public_ip | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. +| Environment variable | Accepted arguments | Default value | Example value | Verbose | +| -------------- | ------- | ------- | ------- | ------- | +| tz | Europe/Amsterdam or any confirming timezone notation. | `Europe/Amsterdam` | `America/New_York` | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. | +| global_dns | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9). | `1.1.1.1` | `8.8.8.8` or any IP-Address that resolves DNS-names, and of course is reachable | Set the default DNS given to clients once they connect to the WireGuard tunnel, and for new peers, set to Cloudflare DNS for reliability. +| enable | Anything, preferably an existing WireGuard interface name. 
| `none` | `wg0,wg2,wg13` | Enables or disables the starting of the WireGuard interface on container 'boot-up'. +| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package). +| public_ip | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | `23.50.131.156` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. This happends because it is inside a Docker/Kubernetes container. In or outside of NAT is not relevant as long as the given IP-address is reachable from the internet or the target network. + +## Be careful with: + +When you are going to work with multiple WireGuard interfaces, you need to also open them up to the Docker host. This done by either adding the port mappings like: `51821:51821/udp` in the Docker Compose file, or to open a range like: `51820-51830:51820-51830/udp`
+The latter opens up UDP ports from 51820 to 51830, so all ports in between as well! Be careful, it is good security practise to open only needed ports! + +## Building the image yourself: + +To build the image yourself, you need to do a couple things:
+1. Clone the Github repository containing the source code of WGDashboard including the docker directory. For example do: `git clone https://github.com/donaldzou/WGDashboard.git` +1. Navigate into the docker directory. +1. (Make sure you have Docker correctly installed, if not: [Click here](https://docs.docker.com/engine/install/)) and run: `docker build . -t :` as an example: `docker build . -t dselen/wgdashboard:latest`.
This will make Docker compile the image from the resources in the directory you mention, in this case the current one. Let it compile, it takes about a minute or maximally two. +1. If all went well, see your image with `docker images`. Example below: +``` +dselen@dev-mach:~/development/WGDashboard/docker$ docker images +REPOSITORY TAG IMAGE ID CREATED SIZE +dselen/wgdashboard dev c96fd96ee3b3 42 minutes ago 314MB +``` ## Closing remarks: +Excuse the large image size, whoops! Debian's big... sometimes.
For feedback please submit an issue to the repository. Or message dselen@nerthus.nl. diff --git a/docker/compose.yaml b/docker/compose.yaml index ba429f2..83f86b7 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -6,8 +6,8 @@ services: environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. - - enable=wg0,wg1 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. - - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. + - enable=wg0,wg2 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. + - isolate=wg0,wg1 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index e6d48c0..84b9f7f 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -26,6 +26,9 @@ clean_up() { else echo "No pycaches found, continuing." fi + + echo "Setting permissions to not be world-accesible." + chmod 640 /etc/wireguard/* } # === CORE SERVICES === @@ -45,7 +48,7 @@ start_core() { cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. bash wgd.sh start - # Isolated peers + # Isolated peers feature: local configurations=(/etc/wireguard/*) IFS=',' read -r -a do_isolate <<< "${isolate}" non_isolate=() 
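Review bot: `chmod 640 /etc/wireguard/*` leaves every interface file, and therefore every `PrivateKey`, readable by the root group, and the bare glob also hits any subdirectory or non-config file in the volume; since only root runs `wg-quick` here, `chmod 600 -- /etc/wireguard/*.conf` is the tighter and more predictable form. Add `shopt -s nullglob` or an existence check first so an empty volume does not print a `chmod: cannot access` error on the very first start. The `clean_up` function begins before this hunk.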
@@ -64,9 +67,6 @@ start_core() { fi done - echo "Isolate configurations: ${do_isolate[@]}" - echo "Non-Isolate configurations: ${non_isolate[@]}" - for interface in "${do_isolate[@]}"; do if [ -f "/etc/wireguard/${interface}.conf" ]; then echo "Isolating:" $interface @@ -84,7 +84,7 @@ start_core() { for interface in "${non_isolate[@]}"; do if [ -f "/etc/wireguard/${interface}.conf" ]; then - echo "Removing Isolation for:" $interface + echo "Removing Isolation if present for:" $interface sed -i "/PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf sed -i "/PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf else @@ -108,8 +108,7 @@ start_core() { # === SET ENV VARS === set_envvars() { - echo "------------------------------------------------------------" - echo "Setting relevant variables for operation." + echo "------------- SETTING ENVIRONMENT VARIABLES ----------------" # If the timezone is different, for example in North-America or Asia. if [ "${tz}" != "$(cat /etc/timezone)" ]; then @@ -142,7 +141,7 @@ set_envvars() { # === CLEAN UP === ensure_blocking() { - echo "------------------------------------------------------------" + echo "-------------- ENSURING CONTAINER CONTINUATION -------------" sleep 1s echo "Ensuring container continuation." @@ -159,6 +158,7 @@ ensure_blocking() { # Execute functions for the WireGuard Dashboard services, then set the environment variables clean_up +repair start_core set_envvars ensure_blocking \ No newline at end of file From bd3aa28523f036f771eae83fd81f09e40a37a51d Mon Sep 17 00:00:00 2001 From: Dselen Date: Tue, 20 Aug 2024 14:48:36 -0500 Subject: [PATCH 04/25] Changed readme and compose for templating. --- docker/README.md | 9 +++++---- docker/compose.yaml | 4 ++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/docker/README.md b/docker/README.md index 7da87cd..ced5362 100644 --- a/docker/README.md 
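Review bot: The startup sequence now calls `repair` between `clean_up` and `start_core`, but no function by that name is defined anywhere in this patch's `entrypoint.sh` changes (the diffstat shows only 16 changed lines in the file), so unless it arrives in a later commit every start will log `repair: command not found` and continue without whatever the repair step was meant to do. Either add the function in the same commit or drop the call until it exists; at minimum `declare -f repair >/dev/null && repair` makes the dependency explicit instead of silent.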
+++ b/docker/README.md @@ -23,8 +23,8 @@ An example of a simple command to get the container running is show below:
docker run -d \ --name wireguard-dashboard \ --restart unless-stopped \ - -e enable_wg0=true \ - -e isolated_peers=true \ + -e enable=wg0 \ + -e isolate=wg0 \ -p 10086:10086/tcp \ -p 51820:51820/udp \ --cap-add NET_ADMIN \ @@ -89,10 +89,11 @@ To build the image yourself, you need to do a couple things:
1. Navigate into the docker directory. 1. (Make sure you have Docker correctly installed, if not: [Click here](https://docs.docker.com/engine/install/)) and run: `docker build . -t :` as an example: `docker build . -t dselen/wgdashboard:latest`.
This will make Docker compile the image from the resources in the directory you mention, in this case the current one. Let it compile, it takes about a minute or maximally two. 1. If all went well, see your image with `docker images`. Example below: -``` + +```shell dselen@dev-mach:~/development/WGDashboard/docker$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -dselen/wgdashboard dev c96fd96ee3b3 42 minutes ago 314MB +dselen/wgdashboard latest c96fd96ee3b3 42 minutes ago 314MB ``` ## Closing remarks: diff --git a/docker/compose.yaml b/docker/compose.yaml index 83f86b7..3d6c082 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -1,6 +1,6 @@ services: wireguard-dashboard: - image: dselen/wgdashboard:dev + image: dselen/wgdashboard:latest restart: unless-stopped container_name: wire-dash environment: @@ -11,7 +11,7 @@ services: #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp - - 51820:51820/udp + - 51830:51820/udp volumes: - conf:/etc/wireguard - app:/opt/wireguarddashboard From 47ac4388444f9cae3ee23687ceb7894ffb856496 Mon Sep 17 00:00:00 2001 From: dselen <80752476+DaanSelen@users.noreply.github.com> Date: Thu, 22 Aug 2024 16:24:07 +0200 Subject: [PATCH 05/25] Update README.md Rearranged Ubuntu match other descending formats. --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1750489..2f9e8c1 100644 --- a/README.md +++ b/README.md @@ -126,9 +126,9 @@ | Ubuntu | Debian | Red Hat Enterprise Linux | CentOS | Fedora | |-----------|--------|--------------------------|----------|--------| -| 20.04 LTS | 12.6 | 9.4 | 9-Stream | 40 | +| 24.02 LTS | 12.6 | 9.4 | 9-Stream | 40 | | 22.04 LTS | 11.10 | | | 39 | -| 24.02 LTS | | | | 38 | +| 20.04 LTS | | | | 38 | > [!TIP] > If you installed WGDashboard on other systems without any issues, please let me know. Thank you! 
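Review bot: Changing the mapping to `51830:51820/udp` exposes WireGuard on host port 51830 while the wg0 template generated by the Dockerfile still sets `ListenPort = 51820`; `remote_endpoint` in the entrypoint carries only an address, so the port peers are given presumably comes from that `ListenPort`, and exported client configs would then point at a port the host is not forwarding. Keep host and container ports equal (`51820:51820/udp`) or change the template's `ListenPort` to match. If this was meant as a remapping example, say so in the inline comment, since the README in the same patch still documents 51820.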
From 8703798ca0a09773332a1c702f6c420b29b7ec5b Mon Sep 17 00:00:00 2001 From: Dselen Date: Thu, 22 Aug 2024 13:38:29 -0500 Subject: [PATCH 06/25] Modified all files and have a working product, awaiting feedback! --- docker/Dockerfile | 40 ++++----- docker/README.md | 4 +- docker/compose.yaml | 12 +-- docker/entrypoint.sh | 208 ++++++++++++++++++++++++++----------------- 4 files changed, 153 insertions(+), 111 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 03b6775..479681e 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -3,8 +3,9 @@ FROM debian:stable-slim AS build LABEL maintainer="dselen@nerthus.nl" # Declaring environment variables, change Peernet to an address you like, standard is a 24 bit subnet. -ENV wg_net="10.0.0.1" -# wg_net is used functionally as an ARG for its environment variable nature, do not change unless you know what you are doing. +ARG Git_Url="https://github.com/donaldzou/WGDashboard.git" +ARG wg_net="10.0.0.1" +ARG wg_port="51820" # Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. ENV tz="Europe/Amsterdam" @@ -12,6 +13,7 @@ ENV global_dns="1.1.1.1" ENV enable="none" ENV isolate="wg0" ENV public_ip="0.0.0.0" +ENV update="yes" # Doing basic system maintenance. Change the timezone to the desired timezone. RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime @@ -20,8 +22,7 @@ RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime ENV WGDASH=/opt/wireguarddashboard # Doing package management operations, such as upgrading -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ +RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ git \ iproute2 \ 
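Review bot: `ENV update="yes"` introduces a default that, judging by its name and the `Git_Url` ARG added in the same patch, appears to make the container fetch dashboard code at runtime; the entrypoint side is not in this hunk, so this is an inference, but if that is the behaviour the default should be opt-in rather than `yes`, because a container that pulls unpinned code from GitHub on start turns every restart into a supply-chain exposure and makes the running version unknowable. Document the variable next to the others (the header comment still says these values are handled by `/entrypoint.sh`) and state which ref it tracks.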
@@ -44,13 +45,8 @@ RUN apt-get update && \ # Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. # Doing WireGuard Dashboard installation measures. Modify the git clone command to get the preferred version, with a specific branch for example. -RUN git clone https://github.com/donaldzou/WGDashboard.git ${WGDASH} \ - && rm ${WGDASH}/.git -rdf \ - && python3 -m venv ${WGDASH}/src/venv \ - && . ${WGDASH}/src/venv/bin/activate \ - && chmod +x ${WGDASH}/src/wgd.sh \ - && cd ${WGDASH}/src \ - && ./wgd.sh install +RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} \ + && git clone ${Git_Url} /setup/app # Set the volume to be used for WireGuard configuration persistency. VOLUME /etc/wireguard 
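Review bot: The new `git clone ${Git_Url} /setup/app` fetches whatever the remote's default branch points to at build time, so two builds of the same Dockerfile can contain different dashboard code and nothing records which revision went into an image. Pair the URL with a ref, e.g. `ARG Git_Ref="main"` and `git clone --depth 1 --branch "${Git_Ref}" "${Git_Url}" /setup/app`, and consider writing `git -C /setup/app rev-parse HEAD` into a file in the image so the shipped revision can be verified later. The removed line also deleted `.git` after cloning; the new code keeps it, and since the entrypoint later moves the tree with `mv /setup/app/*` (a glob that does not match dotfiles by default) the `.git` directory is left behind in the image layer anyway.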
@@ -60,20 +56,20 @@ VOLUME ${WGDASH} # Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ - && echo "[Interface]" > /wg0.conf \ - && echo "SaveConfig = true" >> /wg0.conf \ - && echo "Address = ${wg_net}/24" >> /wg0.conf \ - && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /wg0.conf \ - && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \ - && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \ - && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /wg0.conf \ - && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /wg0.conf \ - && echo "ListenPort = 51820" >> /wg0.conf \ - #&& echo "DNS = ${global_dns}" >> /wg0.conf \ + && echo "[Interface]" > /setup/conf/wg0.conf \ + && echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \ + && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /setup/conf/wg0.conf \ + && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ + && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ + && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ + && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ + && echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \ + && echo "SaveConfig = true" >> /setup/conf/wg0.conf \ + && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf \ && rm /etc/wireguard/wg0_privatekey # Defining a way for Docker to check the health of the container. 
In this case: checking the login URL. -HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ +HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \ CMD [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:10086/)" -eq "200" ] || exit 1 diff --git a/docker/README.md b/docker/README.md index ced5362..8d2a315 100644 --- a/docker/README.md +++ b/docker/README.md @@ -15,7 +15,9 @@ I have tried to embed some new features such as `isolate` and interface startup ## Getting the container running: To get the container running you either pull the image from the repository, `dselen/wgdashboard:latest`.
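Review bot: `PrivateKey = $(cat /etc/wireguard/wg0_privatekey)` writes the generated key into /setup/conf/wg0.conf, which is an image layer, so every container started from this image, and anyone who can pull it, shares the same WireGuard private key; the trailing `rm /etc/wireguard/wg0_privatekey` removes only the scratch copy. The key should be generated on first run inside the container and the template shipped with an empty `PrivateKey =` placeholder, which is what PATCH 08 in this series does. The `$(ip -o -4 route show to default | awk '{print $NF}')` substitutions in the rewritten PostUp/PreDown lines are likewise evaluated in the build environment, so the egress interface name baked into the template may not be the runtime container's; resolving it in the entrypoint (or using `%i`-style wg-quick placeholders where applicable) would make the template portable.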
-From there either use the environment variables describe below as parameters or use the Docker Compose file: `compose.yaml`. +From there either use the environment variables describe below as parameters or use the Docker Compose file: `compose.yaml`.
+Be careful, the default generated WireGuard configuration file uses port 51820/udp. So use this port if you want to use it out of the box.
+Otherwise edit the configuration file in `/etc/wireguard/wg0.conf`. An example of a simple command to get the container running is show below:
diff --git a/docker/compose.yaml b/docker/compose.yaml index 3d6c082..6d4f2bd 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -2,22 +2,22 @@ services: wireguard-dashboard: image: dselen/wgdashboard:latest restart: unless-stopped - container_name: wire-dash + container_name: wgdashboard environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. - - enable=wg0,wg2 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. - - isolate=wg0,wg1 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. + - enable=wg0 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. + - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp - - 51830:51820/udp + - 51820:51820/udp volumes: - - conf:/etc/wireguard - app:/opt/wireguarddashboard + - conf:/etc/wireguard cap_add: - NET_ADMIN volumes: - conf: app: + conf: diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 84b9f7f..b3595b8 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
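Review bot: The inline comment on the new `- isolate=wg0` line still describes a boolean ("When set to true ... default: true") while the value is now a comma-separated list of interface names, and the README in this series documents `isolate=none` as the way to switch it off. Suggest `# <--- Comma-separated interfaces whose peers may not reach each other, default: wg0. Use "none" to disable.` The `enable` comment says the option "off" is allowed, but the entrypoint only recognises `none` as a sentinel (from PATCH 08 on); "off" is simply treated as a missing interface, so the comment should name `none`.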
@@ -1,9 +1,40 @@ #!/bin/bash + +echo "------------------------- START ----------------------------" echo "Starting the WireGuard Dashboard Docker container." +ensure_installation() { + # When using a custom directory to store the files, this part moves over and makes sure the installation continues. + echo "Checking if everything is present." + + if [ -z "$(ls -A ${WGDASH})" ]; then + echo "Detected empty directory, moving over..." + + mv /setup/app/* ${WGDASH} + python3 -m venv ${WGDASH}/src/venv + . "${WGDASH}/src/venv/bin/activate" + chmod +x ${WGDASH}/src/wgd.sh + cd ${WGDASH}/src + ./wgd.sh install + + echo "Looks like the installation succesfully moved over." + else + echo "Looks like everything is present." + fi + + # This first step is to ensure the wg0.conf file exists, and if not, then its copied over from the ephemeral container storage. + if [ ! -f "/etc/wireguard/wg0.conf" ]; then + echo "Standard wg0 Configuration file not found, grabbing template." + cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf" + else + echo "Standard wg0 Configuration file found, using that." + fi +} + # === CLEAN UP === clean_up() { - echo "--------------------- CLEAN UP -----------------------" + printf "\n------------------------ CLEAN UP --------------------------\n" + # Cleaning out previous data such as the .pid file and starting the WireGuard Dashboard. Making sure to use the python venv. echo "Looking for remains of previous instances..." local pid_file="${WGDASH}/src/gunicorn.pid" @@ -14,6 +45,7 @@ clean_up() { echo "No pid remains found, continuing." fi + # Also check for Python caches (pycache) inspired by https://github.com/shuricksumy local pycache="${WGDASH}/src/__pycache__" if [ -d "$pycache" ]; then local pycache_filecount=$(find "$pycache" -maxdepth 1 -type f | wc -l) 
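Review bot: In ensure_installation the `cd ${WGDASH}/src` has no failure check and the script does not `set -e`, so if the directory is missing or unreadable the following `./wgd.sh install` runs from whatever the previous working directory was; write it as `cd "${WGDASH}/src" || exit 1`, and quote `${WGDASH}` in the `ls -A`, `mv`, `python3 -m venv` and `chmod` lines too. The template copy `cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf"` inherits the template's mode, and that file carries the interface's private key; `install -m 600 /setup/conf/wg0.conf /etc/wireguard/wg0.conf` keeps it from ever being world-readable rather than relying on a later chmod.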
@@ -26,89 +58,22 @@ clean_up() { else echo "No pycaches found, continuing." fi - - echo "Setting permissions to not be world-accesible." - chmod 640 /etc/wireguard/* } -# === CORE SERVICES === -start_core() { - echo "--------------------- STARTING CORE -----------------------" - - # This first step is to ensure the wg0.conf file exists, and if not, then its copied over from the ephemeral container storage. - if [ ! -f "/etc/wireguard/wg0.conf" ]; then - cp "/wg0.conf" "/etc/wireguard/wg0.conf" - echo "Standard WG0 Configuration file not found, grabbing template." - else - echo "Standard WG0 Configuration file found, using that." - fi - - echo "Activating Python venv and executing the WireGuard Dashboard service." - . "${WGDASH}"/src/venv/bin/activate - cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. - bash wgd.sh start - - # Isolated peers feature: - local configurations=(/etc/wireguard/*) - IFS=',' read -r -a do_isolate <<< "${isolate}" - non_isolate=() - - for config in "${configurations[@]}"; do - local config=$(echo "$config" | sed -e 's|.*/etc/wireguard/||' -e 's|\.conf$||') - found=false - for interface in "${do_isolate[@]}"; do - if [[ "$config" == "$interface" ]]; then - found=true - break - fi - done - if [ "$found" = false ]; then - non_isolate+=("$config") - fi - done - - for interface in "${do_isolate[@]}"; do - if [ -f "/etc/wireguard/${interface}.conf" ]; then - echo "Isolating:" $interface - upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) - downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) - - if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then - sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" 
/etc/wireguard/${interface}.conf - sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf - fi - else - echo "Configuration for $interface does not seem to exist, continuing." - fi - done - - for interface in "${non_isolate[@]}"; do - if [ -f "/etc/wireguard/${interface}.conf" ]; then - echo "Removing Isolation if present for:" $interface - sed -i "/PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf - sed -i "/PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf - else - echo "Configuration for $interface does not seem to exist, continuing." - fi - done - - # The following section takes care of enabling wireguard interfaces on startup. - IFS=',' read -r -a enable_array <<< "${enable}" - - for interface in "${enable_array[@]}"; do - echo "Preference for $interface to be turned on found." - if [ -f "/etc/wireguard/${interface}.conf" ]; then - echo "Found corresponding configuration file, activating..." - wg-quick up $interface - else - echo "No corresponding configuration file found for $interface doing nothing." - fi - done -} +#update_checker() { + #if [ "$update" = "yes" ]; then + # echo "Activating Python venv and executing the WireGuard Dashboard service." + # . "${WGDASH}/src/venv/bin/activate" + # cd "${WGDASH}"/src || exit + # bash wgd.sh update + #else + # echo "Auto Updater disabled" + #fi +#} # === SET ENV VARS === set_envvars() { - echo "------------- SETTING ENVIRONMENT VARIABLES ----------------" + printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" # If the timezone is different, for example in North-America or Asia. if [ "${tz}" != "$(cat /etc/timezone)" ]; then 
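Review bot: The removed `chmod 640 /etc/wireguard/*` was the only step that tightened permissions on every file under /etc/wireguard; the replacement added in start_core further down only touches interfaces listed in `enable`, and only when their mode is exactly 644, so any other config (or one at 664/666) keeps whatever mode it was created with even though it holds a private key. If the chmod does not belong in clean_up, keep a blanket `chmod 600 /etc/wireguard/*.conf` somewhere on the startup path. The commented-out `update_checker` block is dead code committed to the script; either gate it on `"$update"` and enable it, or leave it out until the feature lands.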
@@ -139,9 +104,86 @@ set_envvars() { fi } +# === CORE SERVICES === +start_core() { + printf "\n---------------------- STARTING CORE -----------------------\n" + + echo "Activating Python venv and executing the WireGuard Dashboard service." + . "${WGDASH}"/src/venv/bin/activate + cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. + bash wgd.sh start + + # Isolated peers feature, first converting the existing configuration files and the given names to arrays. + local configurations=(/etc/wireguard/*) + IFS=',' read -r -a do_isolate <<< "${isolate}" + non_isolate=() + + # Checking if there are matches between the two arrays. + for config in "${configurations[@]}"; do + local config=$(echo "$config" | sed -e 's|.*/etc/wireguard/||' -e 's|\.conf$||') + found=false + for interface in "${do_isolate[@]}"; do + if [[ "$config" == "$interface" ]]; then + found=true + break + fi + done + if [ "$found" = false ]; then + non_isolate+=("$config") + fi + done + + # Isolating the matches. + for interface in "${do_isolate[@]}"; do + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Isolating interface:" $interface + upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + + if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then + sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + fi + else + echo "Configuration for $interface does not seem to exist, continuing." 
+ fi + done + + # Removing isolation for the configurations that did not match. + for interface in "${non_isolate[@]}"; do + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Removing Isolation if present for:" $interface + sed -i "/PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + sed -i "/PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + else + echo "Configuration for $interface does not seem to exist, continuing." + fi + done + + # The following section takes care of enabling wireguard interfaces on startup. Using arrays and given arguments. + IFS=',' read -r -a enable_array <<< "${enable}" + + for interface in "${enable_array[@]}"; do + echo "Enabling interface:" $interface + + local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf) + if [ $fileperms -eq 644 ]; then + echo "Configuration is world accessible, adjusting." + chmod 600 "/etc/wireguard/${interface}.conf" + fi + + if [ -f "/etc/wireguard/${interface}.conf" ]; then + wg-quick up $interface + else + echo "No corresponding configuration file found for $interface doing nothing." + fi + done +} + # === CLEAN UP === ensure_blocking() { - echo "-------------- ENSURING CONTAINER CONTINUATION -------------" + printf "\n-------------- ENSURING CONTAINER CONTINUATION -------------\n" + sleep 1s echo "Ensuring container continuation." @@ -149,6 +191,7 @@ ensure_blocking() { if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1) latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1) + tail -f "${latestErrLog}" "${latestAccLog}" fi 
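Review bot: In the new enable loop `stat -c "%a" /etc/wireguard/${interface}.conf` runs before the `-f` existence check, so for an interface without a config file `stat` fails, `fileperms` is empty and `[ $fileperms -eq 644 ]` raises a bash "unary operator expected" error before the intended "No corresponding configuration file" message is reached. Check existence first and tighten the mode unconditionally instead of matching the single value 644; `local config=$(...)` in the isolation section also masks the pipeline's exit status, and `$interface` is unquoted in the `echo` and `wg-quick up` lines. PATCH 08's hunk `@@ -164,18 +180,23 @@` carries the same stat-before-check ordering unchanged.
```shell
  for interface in "${enable_array[@]}"; do
    local conf="/etc/wireguard/${interface}.conf"
    if [ -f "$conf" ]; then
      echo "Enabling interface: $interface"
      chmod 600 "$conf"   # holds the private key; never leave it group/world readable
      wg-quick up "$interface"
    else
      echo "No corresponding configuration file found for $interface doing nothing."
    fi
  done
```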
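Review bot: The added `tail -f "${latestErrLog}" "${latestAccLog}"` follows whatever `find ... | head -n 1` returned, and `find` lists in directory order, not by age, so with several log files the one followed is arbitrary rather than the latest. If only one of the two patterns matches, the other variable is empty and `tail` exits on the empty file name, so the function falls through to whatever blocks after it. Select newest-first explicitly (with GNU find, `find "$dir" -name 'error_*.log' -printf '%T@ %p\n' | sort -rn | head -n 1 | cut -d' ' -f2-`) and only pass non-empty paths to `tail`. ensure_blocking starts and ends outside this hunk.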
@@ -157,8 +200,9 @@ ensure_blocking() { } # Execute functions for the WireGuard Dashboard services, then set the environment variables +ensure_installation clean_up -repair -start_core +#update_checker set_envvars +start_core ensure_blocking \ No newline at end of file From 4b8b3acd391a728149fdf9df412508de94975417 Mon Sep 17 00:00:00 2001 From: Dselen Date: Thu, 22 Aug 2024 14:00:55 -0500 Subject: [PATCH 07/25] Small readme change --- docker/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docker/README.md b/docker/README.md index 8d2a315..65825dd 100644 --- a/docker/README.md +++ b/docker/README.md @@ -102,3 +102,7 @@ dselen/wgdashboard latest c96fd96ee3b3 42 minutes ago 314MB Excuse the large image size, whoops! Debian's big... sometimes.
For feedback please submit an issue to the repository. Or message dselen@nerthus.nl. + +## In Progress: + +Auto-Updating Capabilities, together with Donald I am working on it. \ No newline at end of file From 2e9ac00a42f76242efe52500f4bccf91fba6d593 Mon Sep 17 00:00:00 2001 From: Dselen Date: Thu, 22 Aug 2024 16:31:47 -0500 Subject: [PATCH 08/25] modified all and patched security vulnerability issue #333 --- docker/Dockerfile | 26 ++++++------------ docker/README.md | 2 +- docker/compose.yaml | 2 +- docker/entrypoint.sh | 65 +++++++++++++++++++++++++++++--------------- 4 files changed, 53 insertions(+), 42 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 479681e..a52e29f 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -23,19 +23,11 @@ ENV WGDASH=/opt/wireguarddashboard # Doing package management operations, such as upgrading RUN apt-get update && apt-get install -y --no-install-recommends \ - curl \ - git \ - iproute2 \ - iptables \ - iputils-ping \ - openresolv \ - procps \ - python3 \ - python3-pip \ - python3-venv \ - traceroute \ - wireguard \ - wireguard-tools \ + curl git iproute2 \ + iptables iputils-ping \ + openresolv procps traceroute \ + python3 python3-pip python3-venv \ + wireguard wireguard-tools \ sudo && \ apt-get remove -y linux-image-* && \ apt-get autoremove -y && \ 
@@ -55,18 +47,16 @@ VOLUME ${WGDASH} # Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency. # Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ - && echo "[Interface]" > /setup/conf/wg0.conf \ +RUN echo "[Interface]" > /setup/conf/wg0.conf \ && echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \ - && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /setup/conf/wg0.conf \ + && echo "PrivateKey =" >> /setup/conf/wg0.conf \ && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ && echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \ && echo "SaveConfig = true" >> /setup/conf/wg0.conf \ - && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf \ - && rm /etc/wireguard/wg0_privatekey + && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf # Defining a way for Docker to check the health of the container. In this case: checking the login URL. HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \ diff --git a/docker/README.md b/docker/README.md index 65825dd..e31933e 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -76,7 +76,7 @@ So go to the assign TCP port in this case HTTP, like the default 10086 one in th | tz | Europe/Amsterdam or any confirming timezone notation. | `Europe/Amsterdam` | `America/New_York` | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. | | global_dns | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9). | `1.1.1.1` | `8.8.8.8` or any IP-Address that resolves DNS-names, and of course is reachable | Set the default DNS given to clients once they connect to the WireGuard tunnel, and for new peers, set to Cloudflare DNS for reliability. | enable | Anything, preferably an existing WireGuard interface name. | `none` | `wg0,wg2,wg13` | Enables or disables the starting of the WireGuard interface on container 'boot-up'. -| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package). +| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=none` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package). | public_ip | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | `23.50.131.156` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. This happends because it is inside a Docker/Kubernetes container. 
In or outside of NAT is not relevant as long as the given IP-address is reachable from the internet or the target network. ## Be careful with: diff --git a/docker/compose.yaml b/docker/compose.yaml index 6d4f2bd..a921a23 100644 --- a/docker/compose.yaml +++ b/docker/compose.yaml @@ -1,6 +1,6 @@ services: wireguard-dashboard: - image: dselen/wgdashboard:latest + image: dselen/wgdashboard:dev restart: unless-stopped container_name: wgdashboard environment: diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index b3595b8..02e51c6 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -26,8 +26,14 @@ ensure_installation() { if [ ! -f "/etc/wireguard/wg0.conf" ]; then echo "Standard wg0 Configuration file not found, grabbing template." cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf" + + echo "Setting a secure private key." + local privateKey=$(wg genkey) + sed -i "s|^PrivateKey =$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf + sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf + echo "Done setting template." else - echo "Standard wg0 Configuration file found, using that." + echo "Existing wg0 configuration file found, using that." fi } @@ -58,6 +64,11 @@ clean_up() { else echo "No pycaches found, continuing." fi + + local logdir="${WGDASH}/src/log" + echo "Cleaning log directory." + rm ${logdir}/access_*.log ${logdir}/error_*.log + echo "Removed unneeded logs!" } #update_checker() { 
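Review bot: `local privateKey=$(wg genkey)` masks a failure of `wg genkey`: on error the variable is empty, both `sed` lines still run and the config is left with an empty `PrivateKey =`. Split declaration and assignment and stop on failure, `local privateKey; privateKey=$(wg genkey) || exit 1`; the second `sed` (`^PrivateKey *=.*$`) already matches every line the first one does, so one substitution is enough. The key also travels through `sed`'s argv, and the freshly copied wg0.conf keeps the template's mode until start_core's conditional chmod (which only runs for interfaces in `enable`), so add `chmod 600 /etc/wireguard/wg0.conf` before the key is written.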
@@ -135,17 +146,22 @@ start_core() { # Isolating the matches. for interface in "${do_isolate[@]}"; do - if [ -f "/etc/wireguard/${interface}.conf" ]; then - echo "Isolating interface:" $interface - upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) - downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) - - if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then - sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf - sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf - fi + if [ "$interface" = "none" ]; then + echo "Found: $interface, stopping isolation checking." + break else - echo "Configuration for $interface does not seem to exist, continuing." + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Isolating interface:" $interface + upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + + if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then + sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + fi + else + echo "Configuration for $interface does not seem to exist, continuing." + fi fi done 
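Review bot: `break` on the `none` sentinel aborts the whole loop, so with `isolate=wg0,none,wg1` the interfaces after `none` are silently skipped. If `none` means "no isolation at all", check it once before the loop (`[ "$isolate" = "none" ] && do_isolate=()`), and if it is merely a value to skip use `continue`; either way the existing body does not need to move under an `else`, which is what makes this hunk re-indent twelve unchanged lines. The enable loop in the next hunk (`@@ -164,18 +180,23 @@`) uses the same `break` and would benefit from the same change.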
@@ -164,18 +180,23 @@ start_core() { IFS=',' read -r -a enable_array <<< "${enable}" for interface in "${enable_array[@]}"; do - echo "Enabling interface:" $interface - - local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf) - if [ $fileperms -eq 644 ]; then - echo "Configuration is world accessible, adjusting." - chmod 600 "/etc/wireguard/${interface}.conf" - fi - - if [ -f "/etc/wireguard/${interface}.conf" ]; then - wg-quick up $interface + if [ "$interface" = "none" ]; then + echo "Found: $interface, stopping enabling checking." + break else - echo "No corresponding configuration file found for $interface doing nothing." + echo "Enabling interface:" $interface + + local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf) + if [ $fileperms -eq 644 ]; then + echo "Configuration is world accessible, adjusting." + chmod 600 "/etc/wireguard/${interface}.conf" + fi + + if [ -f "/etc/wireguard/${interface}.conf" ]; then + wg-quick up $interface + else + echo "No corresponding configuration file found for $interface doing nothing." + fi fi done } From e3771a1c5336a9c025261fddfb5c98ebd6a553f5 Mon Sep 17 00:00:00 2001 From: Dselen Date: Thu, 22 Aug 2024 16:58:29 -0500 Subject: [PATCH 09/25] Refined logging output a bit. --- docker/Dockerfile | 2 +- docker/entrypoint.sh | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index a52e29f..fe6a54d 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -59,7 +59,7 @@ RUN echo "[Interface]" > /setup/conf/wg0.conf \ && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf # Defining a way for Docker to check the health of the container. In this case: checking the login URL. -HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \ +HEALTHCHECK --interval=2m --timeout=1m --start-period=20s --retries=3 \ CMD [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:10086/)" -eq "200" ] || exit 1 
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 02e51c6..30fa9cc 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -67,7 +67,8 @@ clean_up() { local logdir="${WGDASH}/src/log" echo "Cleaning log directory." - rm ${logdir}/access_*.log ${logdir}/error_*.log + find /opt/wireguarddashboard/src/log -name 'access_*.log' -exec rm {} + + find /opt/wireguarddashboard/src/log -name 'error_*.log' -exec rm {} + echo "Removed unneeded logs!" } @@ -92,6 +93,8 @@ set_envvars() { ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime echo "${tz}" > /etc/timezone + else + echo "Timezone is set correctly." fi # Changing the DNS used for clients and the dashboard itself. @@ -100,6 +103,8 @@ set_envvars() { #sed -i "s/^DNS = .*/DNS = ${global_dns}/" /etc/wireguard/wg0.conf # Uncomment if you want to have DNS on server-level. sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/" /opt/wireguarddashboard/src/wg-dashboard.ini + else + echo "DNS is set correctly." fi # Setting the public IP of the WireGuard Dashboard container host. If not defined, it will trying fetching it using a curl to ifconfig.me. @@ -224,6 +229,6 @@ ensure_blocking() { ensure_installation clean_up #update_checker -set_envvars start_core +set_envvars ensure_blocking \ No newline at end of file From 518e29118cea71229053e3dbd602a853b67b57de Mon Sep 17 00:00:00 2001 
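Review bot: The two new `find` lines hard-code `/opt/wireguarddashboard/src/log` while the `local logdir="${WGDASH}/src/log"` directly above them is now unused; write them as `find "${logdir}" -maxdepth 1 -name 'access_*.log' -exec rm -f -- {} +` so the path follows `WGDASH` like the rest of clean_up and only the dashboard's own top-level log files are removed. ensure_blocking hard-codes the same path in lines outside this hunk.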
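Review bot: Moving `set_envvars` after `start_core` means `bash wgd.sh start` launches the dashboard before `peer_global_dns` is written into wg-dashboard.ini and before the timezone symlink is changed; unless the dashboard re-reads its ini at runtime, which is not visible here, the first start runs with the previous values until a restart. If the intent is to bring the interfaces up before editing, split the ini and timezone edits from the interface bring-up so the settings are applied first, e.g. `set_envvars` → `start_core`, with the interface loop moved after the edits.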
From: Dselen Date: Fri, 23 Aug 2024 07:46:41 -0500 Subject: [PATCH 10/25] Reoganise the documents and added experimental Alpine Linux support in wgd.sh --- docker/alpine/Dockerfile | 62 ++++++++ docker/{ => alpine}/compose.yaml | 0 docker/alpine/entrypoint.sh | 237 ++++++++++++++++++++++++++++++ docker/{ => debian}/Dockerfile | 10 +- docker/debian/compose.yaml | 23 +++ docker/{ => debian}/entrypoint.sh | 19 ++- src/wgd.sh | 49 ++++-- 7 files changed, 372 insertions(+), 28 deletions(-) create mode 100644 docker/alpine/Dockerfile rename docker/{ => alpine}/compose.yaml (100%) create mode 100644 docker/alpine/entrypoint.sh rename docker/{ => debian}/Dockerfile (92%) create mode 100644 docker/debian/compose.yaml rename docker/{ => debian}/entrypoint.sh (96%) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile new file mode 100644 index 0000000..540a2dc --- /dev/null +++ b/docker/alpine/Dockerfile 
@@ -0,0 +1,62 @@ +# Pull from small Debian stable image. +FROM alpine:latest AS build +LABEL maintainer="dselen@nerthus.nl" + +# Declaring environment variables, change Peernet to an address you like, standard is a 24 bit subnet. +ARG Git_Url="https://github.com/donaldzou/WGDashboard.git" +ARG wg_net="10.0.0.1" +ARG wg_port="51820" + +# Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. +ENV TZ="Europe/Amsterdam" +ENV global_dns="1.1.1.1" +ENV enable="none" +ENV isolate="wg0" +ENV public_ip="0.0.0.0" +ENV update="yes" + +# Doing package management operations, such as upgrading +RUN apk update \ + && apk add --no-cache bash git curl tzdata \ + wireguard-tools sudo \ + gcc py3-pip python3-dev musl-dev linux-headers + +# Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. +ENV WGDASH=/opt/wireguarddashboard + +# Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. + +# Doing WireGuard Dashboard installation measures. Modify the git clone command to get the preferred version, with a specific branch for example. +RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} + #&& git clone ${Git_Url} /setup/app +COPY src /setup/app/src + +# Set the volume to be used for WireGuard configuration persistency. +VOLUME /etc/wireguard +VOLUME ${WGDASH} + +# Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency. +# Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN echo "[Interface]" > /setup/conf/wg0.conf \ + && echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \ + && echo "PrivateKey =" >> /setup/conf/wg0.conf \ + && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ + && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ + && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ + && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ + && echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \ + && echo "SaveConfig = true" >> /setup/conf/wg0.conf \ + && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf + +# Defining a way for Docker to check the health of the container. In this case: checking the login URL. +HEALTHCHECK --interval=2m --timeout=1m --start-period=20s --retries=3 \ + CMD [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:10086/)" -eq "200" ] || exit 1 + + +# Copy the basic entrypoint.sh script. +COPY entrypoint.sh /entrypoint.sh + +# Exposing the default WireGuard Dashboard port for web access. +EXPOSE 10086 +ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] \ No newline at end of file diff --git a/docker/compose.yaml b/docker/alpine/compose.yaml similarity index 100% rename from docker/compose.yaml rename to docker/alpine/compose.yaml diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh new file mode 100644 index 0000000..3593159 --- /dev/null +++ b/docker/alpine/entrypoint.sh 
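Review bot: `FROM alpine:latest` is a moving tag, so the base image changes underneath every rebuild; pin a release line (`FROM alpine:3.x`) or a digest, as the Debian variant's `stable-slim` at least tracks one. The `apk add` list names neither `iptables` nor `iproute2`, yet the generated wg0.conf's PostUp/PreDown lines call `iptables` and the same RUN evaluates `ip -o -4 route` at build time; unless wireguard-tools pulls them in, `wg-quick up` fails at runtime, so add them explicitly. The `gcc musl-dev linux-headers python3-dev` build dependencies remain in the final single-stage image, and the two leading comments ("Pull from small Debian stable image", "Removing the Linux Image package ...") were copied from the Debian file and no longer describe this one.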
@@ -0,0 +1,237 @@ +#!/bin/bash + +echo "------------------------- START ----------------------------" +echo "Starting the WireGuard Dashboard Docker container." + +ensure_installation() { + # When using a custom directory to store the files, this part moves over and makes sure the installation continues. + echo "Checking if everything is present." + + if [ -z "$(ls -A "${WGDASH}")" ]; then + echo "Detected empty directory, moving over..." + + mv /setup/app/* "${WGDASH}" + python3 -m venv "${WGDASH}"/src/venv + . "${WGDASH}/src/venv/bin/activate" + chmod +x "${WGDASH}"/src/wgd.sh + cd "${WGDASH}"/src || exit + ./wgd.sh install + + echo "Looks like the installation succesfully moved over." + else + echo "Looks like everything is present." + fi + + # This first step is to ensure the wg0.conf file exists, and if not, then its copied over from the ephemeral container storage. + if [ ! -f "/etc/wireguard/wg0.conf" ]; then + echo "Standard wg0 Configuration file not found, grabbing template." + cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf" + + echo "Setting a secure private key." + + local privateKey + privateKey=$(wg genkey) + + sed -i "s|^PrivateKey =$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf + sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf + echo "Done setting template." + else + echo "Existing wg0 configuration file found, using that." + fi +} + +# === CLEAN UP === +clean_up() { + printf "\n------------------------ CLEAN UP --------------------------\n" + + # Cleaning out previous data such as the .pid file and starting the WireGuard Dashboard. Making sure to use the python venv. + echo "Looking for remains of previous instances..." + local pid_file="${WGDASH}/src/gunicorn.pid" + if [ -f "$pid_file" ]; then + echo "Found old pid file, removing." + rm $pid_file + else + echo "No pid remains found, continuing." 
+ fi + + # Also check for Python caches (pycache) inspired by https://github.com/shuricksumy + local pycache="${WGDASH}/src/__pycache__" + if [ -d "$pycache" ]; then + local pycache_filecount=$(find "$pycache" -maxdepth 1 -type f | wc -l) + if [ "$pycache_filecount" -gt 0 ]; then + echo "Found old pycaches, removing." + rm -rf "$pycache"/* + else + echo "No pycaches found, continuing." + fi + else + echo "No pycaches found, continuing." + fi + + local logdir="${WGDASH}/src/log" + echo "Cleaning log directory." + find /opt/wireguarddashboard/src/log -name 'access_*.log' -exec rm {} + + find /opt/wireguarddashboard/src/log -name 'error_*.log' -exec rm {} + + echo "Removed unneeded logs!" +} + +#update_checker() { + #if [ "$update" = "yes" ]; then + # echo "Activating Python venv and executing the WireGuard Dashboard service." + # . "${WGDASH}/src/venv/bin/activate" + # cd "${WGDASH}"/src || exit + # bash wgd.sh update + #else + # echo "Auto Updater disabled" + #fi +#} + +# === SET ENV VARS === +set_envvars() { + printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" + + # If the timezone is different, for example in North-America or Asia. + if [ "${TZ}" != "$(cat /etc/localtime)" ]; then + echo "Changing timezone." + + ln -sf /usr/share/zoneinfo/"${TZ}" /etc/localtime + echo "${TZ}" > /etc/timezone + else + echo "Timezone is set correctly." + fi + + # Changing the DNS used for clients and the dashboard itself. + if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then + echo "Changing default dns." + + #sed -i "s/^DNS = .*/DNS = ${global_dns}/" /etc/wireguard/wg0.conf # Uncomment if you want to have DNS on server-level. + sed -i "s/^peer_global_dns = .*/peer_global_dns = ${global_dns}/" /opt/wireguarddashboard/src/wg-dashboard.ini + else + echo "DNS is set correctly." + fi + + # Setting the public IP of the WireGuard Dashboard container host. 
If not defined, it will trying fetching it using a curl to ifconfig.me. + if [ "${public_ip}" = "0.0.0.0" ]; then + default_ip=$(curl -s ifconfig.me) + echo "Trying to fetch the Public-IP using ifconfig.me: ${default_ip}" + + sed -i "s/^remote_endpoint = .*/remote_endpoint = ${default_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini + elif [ "${public_ip}" != "$(grep "remote_endpoint = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then + echo "Setting the Public-IP using given variable: ${public_ip}" + + sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini + fi +} + +# === CORE SERVICES === +start_core() { + printf "\n---------------------- STARTING CORE -----------------------\n" + + echo "Activating Python venv and executing the WireGuard Dashboard service." + . "${WGDASH}"/src/venv/bin/activate + cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. + bash wgd.sh start + + # Isolated peers feature, first converting the existing configuration files and the given names to arrays. + local configurations=(/etc/wireguard/*) + IFS=',' read -r -a do_isolate <<< "${isolate}" + non_isolate=() + + # Checking if there are matches between the two arrays. + for config in "${configurations[@]}"; do + local config=$(echo "$config" | sed -e 's|.*/etc/wireguard/||' -e 's|\.conf$||') + found=false + for interface in "${do_isolate[@]}"; do + if [[ "$config" == "$interface" ]]; then + found=true + break + fi + done + if [ "$found" = false ]; then + non_isolate+=("$config") + fi + done + + # Isolating the matches. + for interface in "${do_isolate[@]}"; do + if [ "$interface" = "none" ]; then + echo "Found: $interface, stopping isolation checking." 
+ break + else + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Isolating interface:" $interface + upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) + + if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then + sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf + fi + else + echo "Configuration for $interface does not seem to exist, continuing." + fi + fi + done + + # Removing isolation for the configurations that did not match. + for interface in "${non_isolate[@]}"; do + if [ -f "/etc/wireguard/${interface}.conf" ]; then + echo "Removing Isolation if present for:" $interface + sed -i "/PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + sed -i "/PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP/d" /etc/wireguard/${interface}.conf + else + echo "Configuration for $interface does not seem to exist, continuing." + fi + done + + # The following section takes care of enabling wireguard interfaces on startup. Using arrays and given arguments. + IFS=',' read -r -a enable_array <<< "${enable}" + + for interface in "${enable_array[@]}"; do + if [ "$interface" = "none" ]; then + echo "Found: $interface, stopping enabling checking." + break + else + echo "Enabling interface:" $interface + + local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf) + if [ $fileperms -eq 644 ]; then + echo "Configuration is world accessible, adjusting." 
+ chmod 600 "/etc/wireguard/${interface}.conf" + fi + + if [ -f "/etc/wireguard/${interface}.conf" ]; then + wg-quick up $interface + else + echo "No corresponding configuration file found for $interface doing nothing." + fi + fi + done +} + +# === CLEAN UP === +ensure_blocking() { + printf "\n-------------- ENSURING CONTAINER CONTINUATION -------------\n" + + sleep 1s + echo "Ensuring container continuation." + + # This function checks if the latest error log is created and tails it for docker logs uses. + if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then + latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1) + latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1) + + tail -f "${latestErrLog}" "${latestAccLog}" + fi + + # Blocking command in case of erroring. So the container does not quit. + sleep infinity +} + +# Execute functions for the WireGuard Dashboard services, then set the environment variables +ensure_installation +clean_up +#update_checker +start_core +set_envvars +ensure_blocking \ No newline at end of file diff --git a/docker/Dockerfile b/docker/debian/Dockerfile similarity index 92% rename from docker/Dockerfile rename to docker/debian/Dockerfile index fe6a54d..7e4e46a 100644 --- a/docker/Dockerfile +++ b/docker/debian/Dockerfile @@ -8,7 +8,7 @@ ARG wg_net="10.0.0.1" ARG wg_port="51820" # Following ENV variables are changable on container runtime because /entrypoint.sh handles that. See compose.yaml for more info. -ENV tz="Europe/Amsterdam" +ENV TZ="Europe/Amsterdam" ENV global_dns="1.1.1.1" ENV enable="none" ENV isolate="wg0" 
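Review bot: In set_envvars the value returned by `curl -s ifconfig.me` is written into wg-dashboard.ini without any validation: on any failure `default_ip` is empty and `remote_endpoint = ` is blanked, and whatever the plain-HTTP response contains is interpolated straight into the sed replacement, so it has to be treated as untrusted network input. Fetch over TLS, fail closed and check the shape before use, e.g. `default_ip=$(curl -fsS https://ifconfig.me) || default_ip=` followed by `[[ "$default_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "No valid public IP obtained, leaving remote_endpoint unchanged." >&2; return; }`. In start_core's enable loop `stat -c "%a"` runs before the `-f` existence test, so a missing file leaves `$fileperms` empty and `[ $fileperms -eq 644 ]` errors, and only the exact mode 644 is corrected; move the existence check first and tighten unconditionally with `chmod 600 "/etc/wireguard/${interface}.conf"`, since the file holds the interface private key. clean_up still runs `rm $pid_file` unquoted although the test just above it quotes `"$pid_file"`.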
@@ -16,17 +16,15 @@ ENV public_ip="0.0.0.0" ENV update="yes" # Doing basic system maintenance. Change the timezone to the desired timezone. -RUN ln -sf /usr/share/zoneinfo/${tz} /etc/localtime +RUN ln -sf /usr/share/zoneinfo/${TZ} /etc/localtime # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. ENV WGDASH=/opt/wireguarddashboard # Doing package management operations, such as upgrading RUN apt-get update && apt-get install -y --no-install-recommends \ - curl git iproute2 \ - iptables iputils-ping \ - openresolv procps traceroute \ - python3 python3-pip python3-venv \ + curl git \ + iptables python3 \ wireguard wireguard-tools \ sudo && \ apt-get remove -y linux-image-* && \ diff --git a/docker/debian/compose.yaml b/docker/debian/compose.yaml new file mode 100644 index 0000000..a921a23 --- /dev/null +++ b/docker/debian/compose.yaml @@ -0,0 +1,23 @@ +services: + wireguard-dashboard: + image: dselen/wgdashboard:dev + restart: unless-stopped + container_name: wgdashboard + environment: + #- tz= # <--- Set container timezone, default: Europe/Amsterdam. + #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. + - enable=wg0 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. + - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. + #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. + ports: + - 10086:10086/tcp + - 51820:51820/udp + volumes: + - app:/opt/wireguarddashboard + - conf:/etc/wireguard + cap_add: + - NET_ADMIN + +volumes: + app: + conf: diff --git a/docker/entrypoint.sh b/docker/debian/entrypoint.sh similarity index 96% rename from docker/entrypoint.sh rename to docker/debian/entrypoint.sh index 30fa9cc..8ebcd8c 100644 --- a/docker/entrypoint.sh 
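Review bot: Dropping python3-venv (and python3-pip) from the apt install list breaks the entrypoint's `python3 -m venv "${WGDASH}"/src/venv` step on Debian-based images, where the ensurepip module that venv needs ships in the python3-venv package, so venv creation fails before `./wgd.sh install` ever runs. Keep `python3-venv` in the list. `iproute2` is removed in the same hunk while wg-quick relies on `ip` for interface and route setup; confirm wireguard-tools pulls it in transitively before depending on that.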
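Review bot: The commented examples in compose.yaml no longer match the variables the image reads: this same patch renames the Dockerfile's `tz` to `TZ`, while the file still shows `#- tz=`, and the `isolate=wg0` comment describes a true/false switch although the entrypoint treats the value as a comma-separated list of interface names. Update them to `#- TZ= # <--- Set container timezone, default: Europe/Amsterdam.` and `- isolate=wg0 # <--- Comma-separated interfaces whose peers may not talk to each other, "none" disables, default: wg0.` The `dselen/wgdashboard:dev` tag is mutable, so a deployment from this file can change between pulls; a versioned tag is safer for operators.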
+++ b/docker/debian/entrypoint.sh @@ -7,14 +7,14 @@ ensure_installation() { # When using a custom directory to store the files, this part moves over and makes sure the installation continues. echo "Checking if everything is present." - if [ -z "$(ls -A ${WGDASH})" ]; then + if [ -z "$(ls -A "${WGDASH}")" ]; then echo "Detected empty directory, moving over..." - mv /setup/app/* ${WGDASH} - python3 -m venv ${WGDASH}/src/venv + mv /setup/app/* "${WGDASH}" + python3 -m venv "${WGDASH}"/src/venv . "${WGDASH}/src/venv/bin/activate" - chmod +x ${WGDASH}/src/wgd.sh - cd ${WGDASH}/src + chmod +x "${WGDASH}"/src/wgd.sh + cd "${WGDASH}"/src || exit ./wgd.sh install echo "Looks like the installation succesfully moved over." @@ -28,7 +28,10 @@ ensure_installation() { cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf" echo "Setting a secure private key." - local privateKey=$(wg genkey) + + local privateKey + privateKey=$(wg genkey) + sed -i "s|^PrivateKey =$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf echo "Done setting template." @@ -44,7 +47,7 @@ clean_up() { # Cleaning out previous data such as the .pid file and starting the WireGuard Dashboard. Making sure to use the python venv. echo "Looking for remains of previous instances..." local pid_file="${WGDASH}/src/gunicorn.pid" - if [ -f $pid_file ]; then + if [ -f "$pid_file" ]; then echo "Found old pid file, removing." rm $pid_file else @@ -88,7 +91,7 @@ set_envvars() { printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" # If the timezone is different, for example in North-America or Asia. - if [ "${tz}" != "$(cat /etc/timezone)" ]; then + if [ "${tz}" != "$(cat /etc/localtime)" ]; then echo "Changing timezone." ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime diff --git a/src/wgd.sh b/src/wgd.sh index 32f8080..d301009 100755 --- a/src/wgd.sh +++ b/src/wgd.sh 
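Review bot: The changed timezone test in the `@@ -88,7 +91,7 @@` hunk compares the zone name in `${tz}` against the raw bytes of /etc/localtime, which is a binary TZif file (or a symlink to one), so the two can never be equal and the "Changing timezone" branch runs on every start. Compare against the link target instead: `if [ "$(readlink -f /etc/localtime)" != "/usr/share/zoneinfo/${tz}" ]; then`. This patch also renames the Dockerfile's `ENV tz` to `ENV TZ` while the hunk still reads `${tz}`, so in the built image the variable is unset and `ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime` points /etc/localtime at the zoneinfo directory root. The `@@ -44,7 +47,7 @@` hunk quotes `"$pid_file"` in the test but leaves the following `rm $pid_file` unquoted; `rm -f -- "$pid_file"` keeps the two consistent.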
@@ -65,10 +65,12 @@ _determineOS(){ OS=$ID elif [ -f /etc/redhat-release ]; then OS="redhat" + elif [ -f /etc/alpine-release ]; then + OS="alpine" # elif [ -f /etc/arch-release ]; then # OS="arch" else - printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS." "$heavy_crossmark" + printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" printf "%s\n" "$helpMsg" kill $TOP_PID fi @@ -87,6 +89,9 @@ _installPython(){ { sudo yum install -y python3 net-tools ; printf "\n\n"; } >> ./log/install.txt fi ;; + alpine) + { sudo apk update; sudo apk add python3 net-tools; printf "\n\n"; } >> ./log/install.txt + ;; esac if ! python3 --version > /dev/null 2>&1 @@ -112,8 +117,11 @@ _installPythonVenv(){ { sudo yum install -y python3-virtualenv; printf "\n\n"; } >> ./log/install.txt fi ;; + alpine) + { sudo apk update; sudo apk add py3-virtualenv ; printf "\n\n"; } >> ./log/install.txt + ;; *) - printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS.\n" "$heavy_crossmark" + printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" printf "%s\n" "$helpMsg" kill $TOP_PID ;; 
@@ -166,8 +174,11 @@ _installPythonPip(){ { sudo dnf install -y ${pythonExecutable}-pip; printf "\n\n"; } >> ./log/install.txt fi ;; + alpine) + { sudo apk update; sudo apk add py3-pip ; printf "\n\n"; } >> ./log/install.txt + ;; *) - printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS.\n" "$heavy_crossmark" + printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" printf "%s\n" "$helpMsg" kill $TOP_PID ;; @@ -185,15 +196,28 @@ _installPythonPip(){ } _checkWireguard(){ - if ! wg -h > /dev/null 2>&1 + if [ ! wg -h > /dev/null 2>&1 ] || [ ! wg-quick -h > /dev/null 2>&1 ] then - printf "[WGDashboard] %s WireGuard is not installed. Please follow instruction on https://www.wireguard.com/install/ to install. \n" "$heavy_crossmark" - kill $TOP_PID - fi - if ! wg-quick -h > /dev/null 2>&1 - then - printf "[WGDashboard] %s WireGuard is not installed. Please follow instruction on https://www.wireguard.com/install/ to install. \n" "$heavy_crossmark" - kill $TOP_PID + case "$OS" in + ubuntu|debian) + { sudo apt update ; sudo apt-get install -y wireguard; printf "\n\n"; } &>> ./log/install.txt + ;; + #centos|fedora|redhat|rhel) + # if [ "$pythonExecutable" = "python3" ]; then + # { sudo dnf install -y python3-pip; printf "\n\n"; } >> ./log/install.txt + # else + # { sudo dnf install -y ${pythonExecutable}-pip; printf "\n\n"; } >> ./log/install.txt + # fi + #;; + alpine) + { sudo apk update; sudo apk add wireguard-tools ; printf "\n\n"; } >> ./log/install.txt + ;; + *) + printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" + printf "%s\n" "$helpMsg" + kill $TOP_PID + ;; + esac fi } 
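Review bot: The rewritten condition in _checkWireguard no longer runs wg at all: `[ ! wg -h > /dev/null 2>&1 ]` hands the words `!`, `wg` and `-h` to the `[` builtin, which reports a usage error (hidden because the redirection applies to `[` itself) and returns non-zero, so both sides of the `||` are always false and the install branch is dead code; a host without WireGuard now passes the check silently. Restore the command-status form: `if ! wg -h > /dev/null 2>&1 || ! wg-quick -h > /dev/null 2>&1`. The new branch also changes behaviour from telling the user to install WireGuard to running `sudo apt update`/`sudo apk add` on their behalf, which deserves a line in the install output or README, and `&>>` on the debian line is a bashism the other branches avoid with `>>`.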
@@ -247,9 +271,6 @@ install_wgd(){ _installPythonVenv _installPythonPip - - - if [ ! -d "db" ] then printf "[WGDashboard] Creating ./db folder\n" From 30126190496f079749a00726885bd7277c5ac4b0 Mon Sep 17 00:00:00 2001 From: Dselen Date: Fri, 23 Aug 2024 11:58:14 -0500 Subject: [PATCH 11/25] testing --- docker/alpine/Dockerfile | 10 +++---- docker/alpine/entrypoint.sh | 6 ++-- src/wgd.sh | 57 ++++++++++++++++++++++++------------- 3 files changed, 45 insertions(+), 28 deletions(-) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index 540a2dc..629dc38 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile @@ -3,7 +3,7 @@ FROM alpine:latest AS build LABEL maintainer="dselen@nerthus.nl" # Declaring environment variables, change Peernet to an address you like, standard is a 24 bit subnet. -ARG Git_Url="https://github.com/donaldzou/WGDashboard.git" +ARG Git_Url="https://github.com/DaanSelen/WGDashboard.git" ARG wg_net="10.0.0.1" ARG wg_port="51820" @@ -19,7 +19,7 @@ ENV update="yes" RUN apk update \ && apk add --no-cache bash git curl tzdata \ wireguard-tools sudo \ - gcc py3-pip python3-dev musl-dev linux-headers + py3-pip python3-dev # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. ENV WGDASH=/opt/wireguarddashboard 
@@ -27,9 +27,9 @@ ENV WGDASH=/opt/wireguarddashboard # Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. # Doing WireGuard Dashboard installation measures. Modify the git clone command to get the preferred version, with a specific branch for example. -RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} - #&& git clone ${Git_Url} /setup/app -COPY src /setup/app/src +RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} \ + && git clone ${Git_Url} /setup/app +#COPY src /setup/app/src # Set the volume to be used for WireGuard configuration persistency. VOLUME /etc/wireguard diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index 3593159..8ebcd8c 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh @@ -91,11 +91,11 @@ set_envvars() { printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" # If the timezone is different, for example in North-America or Asia. - if [ "${TZ}" != "$(cat /etc/localtime)" ]; then + if [ "${tz}" != "$(cat /etc/localtime)" ]; then echo "Changing timezone." - ln -sf /usr/share/zoneinfo/"${TZ}" /etc/localtime - echo "${TZ}" > /etc/timezone + ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime + echo "${tz}" > /etc/timezone else echo "Timezone is set correctly." fi diff --git a/src/wgd.sh b/src/wgd.sh index d301009..f07cc9d 100755 --- a/src/wgd.sh +++ b/src/wgd.sh 
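Review bot: Uncommenting `git clone ${Git_Url} /setup/app` makes the image content depend on whatever the remote's default branch holds at build time: no tag or commit is pinned, the ARG default in the previous hunk now points at a personal fork (`DaanSelen/WGDashboard.git`) rather than the project repository, and the variable is unquoted. Pin and quote the source, e.g. `&& git clone --depth 1 --branch "<pinned-tag-or-branch>" "${Git_Url}" /setup/app`, and print the checked-out commit in the build log; otherwise two builds of the same Dockerfile can ship different code. The header comment still says "Modify the git clone command" while the `COPY src` alternative is now only a comment; document which of the two is the supported path.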
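Review bot: Renaming the variable to `${tz}` in the `@@ -91,11 +91,11 @@` hunk disconnects it from the image: the alpine Dockerfile exports `ENV TZ` and is not changed in this respect here, so `${tz}` is empty at runtime, the comparison always differs, and `ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime` points /etc/localtime at the zoneinfo directory itself. Read `${TZ}` here (also the name libc honours) or rename the ENV in the Dockerfile, but keep the two in step; a `: "${TZ:?TZ must be set}"` guard at the top of set_envvars would surface the mismatch at start instead of silently mislinking.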
@@ -199,25 +199,25 @@ _checkWireguard(){ if [ ! wg -h > /dev/null 2>&1 ] || [ ! wg-quick -h > /dev/null 2>&1 ] then case "$OS" in - ubuntu|debian) - { sudo apt update ; sudo apt-get install -y wireguard; printf "\n\n"; } &>> ./log/install.txt - ;; - #centos|fedora|redhat|rhel) - # if [ "$pythonExecutable" = "python3" ]; then - # { sudo dnf install -y python3-pip; printf "\n\n"; } >> ./log/install.txt - # else - # { sudo dnf install -y ${pythonExecutable}-pip; printf "\n\n"; } >> ./log/install.txt - # fi - #;; - alpine) - { sudo apk update; sudo apk add wireguard-tools ; printf "\n\n"; } >> ./log/install.txt - ;; - *) - printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" - printf "%s\n" "$helpMsg" - kill $TOP_PID - ;; - esac + ubuntu|debian) + { sudo apt update ; sudo apt-get install -y wireguard; printf "\n\n"; } &>> ./log/install.txt + ;; + #centos|fedora|redhat|rhel) + # if [ "$pythonExecutable" = "python3" ]; then + # { sudo dnf install -y python3-pip; printf "\n\n"; } >> ./log/install.txt + # else + # { sudo dnf install -y ${pythonExecutable}-pip; printf "\n\n"; } >> ./log/install.txt + # fi + #;; + alpine) + { sudo apk update; sudo apk add wireguard-tools ; printf "\n\n"; } >> ./log/install.txt + ;; + *) + printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" + printf "%s\n" "$helpMsg" + kill $TOP_PID + ;; + esac fi } 
@@ -280,7 +280,24 @@ install_wgd(){ printf "[WGDashboard] Upgrading Python Package Manage (PIP)\n" { date; python3 -m pip install --upgrade pip; printf "\n\n"; } >> ./log/install.txt printf "[WGDashboard] Installing latest Python dependencies\n" - { date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt + + printf "$OS" + case "$OS" in + ubuntu|debian) + echo "Lol" + { date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt + ;; + ## TO DO ADD RHEL and ROCKY SUPPORT + alpine) + printf "[WGDashboard] Grabbing Alpine dependencies.\n" + { date; sudo apk add gcc python3-dev musl-dev linux-headers ; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt + ;; + *) + printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" + printf "%s\n" "$helpMsg" + kill $TOP_PID + ;; + esac printf "[WGDashboard] WGDashboard installed successfully!\n" printf "[WGDashboard] Enter ./wgd.sh start to start the dashboard\n" } From 27c7e33773f6a38ad0a168f00c7ac261ad1b61b5 Mon Sep 17 00:00:00 2001 From: Dselen Date: Fri, 23 Aug 2024 12:27:41 -0500 Subject: [PATCH 12/25] added RHEL etc workings. --- docker/WGDashboard | 1 + docker/alpine/entrypoint.sh | 12 +----------- docker/debian/entrypoint.sh | 14 ++------------ src/dashboard.py | 2 +- src/wgd.sh | 8 ++------ 5 files changed, 7 insertions(+), 30 deletions(-) create mode 160000 docker/WGDashboard diff --git a/docker/WGDashboard b/docker/WGDashboard new file mode 160000 index 0000000..3012619 --- /dev/null +++ b/docker/WGDashboard @@ -0,0 +1 @@ +Subproject commit 30126190496f079749a00726885bd7277c5ac4b0 diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index 8ebcd8c..4d66feb 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh 
@@ -10,7 +10,7 @@ ensure_installation() { if [ -z "$(ls -A "${WGDASH}")" ]; then echo "Detected empty directory, moving over..." - mv /setup/app/* "${WGDASH}" + mv /setup/app/{.[!.],}* "${WGDASH}" python3 -m venv "${WGDASH}"/src/venv . "${WGDASH}/src/venv/bin/activate" chmod +x "${WGDASH}"/src/wgd.sh @@ -90,16 +90,6 @@ clean_up() { set_envvars() { printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" - # If the timezone is different, for example in North-America or Asia. - if [ "${tz}" != "$(cat /etc/localtime)" ]; then - echo "Changing timezone." - - ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime - echo "${tz}" > /etc/timezone - else - echo "Timezone is set correctly." - fi - # Changing the DNS used for clients and the dashboard itself. if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Changing default dns." diff --git a/docker/debian/entrypoint.sh b/docker/debian/entrypoint.sh index 8ebcd8c..1ece541 100644 --- a/docker/debian/entrypoint.sh +++ b/docker/debian/entrypoint.sh @@ -10,7 +10,7 @@ ensure_installation() { if [ -z "$(ls -A "${WGDASH}")" ]; then echo "Detected empty directory, moving over..." - mv /setup/app/* "${WGDASH}" + mv /setup/app/{.[!.],}* "${WGDASH}" python3 -m venv "${WGDASH}"/src/venv . "${WGDASH}/src/venv/bin/activate" chmod +x "${WGDASH}"/src/wgd.sh 
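Review bot: `mv /setup/app/{.[!.],}* "${WGDASH}"` (the same line in both the alpine and debian entrypoints in this patch) relies on bash expanding `.[!.]*`; when nothing matches, the literal pattern is passed to mv, which prints an error that nothing checks since the script does not run under `set -e`, and the pattern skips names beginning with two dots. `shopt -s dotglob nullglob` followed by `mv /setup/app/* "${WGDASH}"` states the intent directly. Since /setup/app is now a git clone, this also moves `.git` with its full history into the persistent app volume; confirm that is wanted (the update path may need it) or exclude it explicitly.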
@@ -89,17 +89,7 @@ clean_up() { # === SET ENV VARS === set_envvars() { printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" - - # If the timezone is different, for example in North-America or Asia. - if [ "${tz}" != "$(cat /etc/localtime)" ]; then - echo "Changing timezone." - - ln -sf /usr/share/zoneinfo/"${tz}" /etc/localtime - echo "${tz}" > /etc/timezone - else - echo "Timezone is set correctly." - fi - + # Changing the DNS used for clients and the dashboard itself. if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then echo "Changing default dns." diff --git a/src/dashboard.py b/src/dashboard.py index fca6bc0..369b919 100644 --- a/src/dashboard.py +++ b/src/dashboard.py 
@@ -1074,7 +1074,7 @@ def regex_match(regex, text): def iPv46RegexCheck(ip): return re.match( - '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))', + 
r'((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9a-f]{1,4}:){7}([0-9a-f]{1,4}|:))|(([0-9a-f]{1,4}:){6}(:[0-9a-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){5}(((:[0-9a-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9a-f]{1,4}:){4}(((:[0-9a-f]{1,4}){1,3})|((:[0-9a-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){3}(((:[0-9a-f]{1,4}){1,4})|((:[0-9a-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){2}(((:[0-9a-f]{1,4}){1,5})|((:[0-9a-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9a-f]{1,4}:){1}(((:[0-9a-f]{1,4}){1,6})|((:[0-9a-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9a-f]{1,4}){1,7})|((:[0-9a-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$))', ip) class DashboardAPIKey: diff --git a/src/wgd.sh b/src/wgd.sh index f07cc9d..a443f06 100755 --- a/src/wgd.sh +++ b/src/wgd.sh 
@@ -281,15 +281,11 @@ install_wgd(){ { date; python3 -m pip install --upgrade pip; printf "\n\n"; } >> ./log/install.txt printf "[WGDashboard] Installing latest Python dependencies\n" - printf "$OS" case "$OS" in - ubuntu|debian) - echo "Lol" - { date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt + ubuntu|debian|centos|fedora|redhat|rhel) + { date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt #This all works on the default installation. ;; - ## TO DO ADD RHEL and ROCKY SUPPORT alpine) - printf "[WGDashboard] Grabbing Alpine dependencies.\n" { date; sudo apk add gcc python3-dev musl-dev linux-headers ; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt ;; *) From 6e9d71fcf8150003aa883aba444aa2b466770ee8 Mon Sep 17 00:00:00 2001 From: Dselen Date: Fri, 23 Aug 2024 12:48:16 -0500 Subject: [PATCH 13/25] Added reverted some no longer needed changes --- docker/alpine/Dockerfile | 5 +++-- docker/alpine/entrypoint.sh | 5 +++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index 629dc38..6894545 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile @@ -19,7 +19,7 @@ ENV update="yes" RUN apk update \ && apk add --no-cache bash git curl tzdata \ wireguard-tools sudo \ - py3-pip python3-dev + py3-pip py3-psutil py3-bcrypt python3-dev # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. ENV WGDASH=/opt/wireguarddashboard @@ -59,4 +59,5 @@ COPY entrypoint.sh /entrypoint.sh # Exposing the default WireGuard Dashboard port for web access. EXPOSE 10086 -ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT [ "sleep", "infinity" ] +#ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] \ No newline at end of file 
diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index 4d66feb..4cda068 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh @@ -13,6 +13,11 @@ ensure_installation() { mv /setup/app/{.[!.],}* "${WGDASH}" python3 -m venv "${WGDASH}"/src/venv . "${WGDASH}/src/venv/bin/activate" + + # Extra step for Alpine + mv /usr/lib/python3.12/site-packages/psutil* "${WGDASH}"/src/venv/lib/python3.12/site-packages + mv /usr/lib/python3.12/site-packages/bcrypt* "${WGDASH}"/src/venv/lib/python3.12/site-packages + chmod +x "${WGDASH}"/src/wgd.sh cd "${WGDASH}"/src || exit ./wgd.sh install From 49502235b536c2a7525f58d1f24291f8fec9d19d Mon Sep 17 00:00:00 2001 From: Dselen Date: Fri, 23 Aug 2024 12:48:33 -0500 Subject: [PATCH 14/25] These needed to be added. --- docker/alpine/Dockerfile | 2 +- src/wgd.sh | 15 +-------------- 2 files changed, 2 insertions(+), 15 deletions(-) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index 6894545..cb2f3bb 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile @@ -19,7 +19,7 @@ ENV update="yes" RUN apk update \ && apk add --no-cache bash git curl tzdata \ wireguard-tools sudo \ - py3-pip py3-psutil py3-bcrypt python3-dev + py3-pip py3-psutil py3-bcrypt # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. ENV WGDASH=/opt/wireguarddashboard diff --git a/src/wgd.sh b/src/wgd.sh index a443f06..ed8e8c0 100755 --- a/src/wgd.sh +++ b/src/wgd.sh 
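Review bot: The added `mv /usr/lib/python3.12/site-packages/psutil* …` and `bcrypt*` lines hard-code the interpreter version and the venv's site-packages layout, so they break as soon as `alpine:latest` ships a different Python, and moving rather than copying them leaves the apk-installed packages half-removed from the system interpreter. The venv is created two lines up; use `python3 -m venv --system-site-packages "${WGDASH}"/src/venv` and drop both mv lines, so the apk-provided psutil and bcrypt are visible inside the venv regardless of version. If `./wgd.sh install` is expected to pip-install its own copies anyway, say so in the comment instead of "Extra step for Alpine".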
@@ -280,20 +280,7 @@ install_wgd(){ printf "[WGDashboard] Upgrading Python Package Manage (PIP)\n" { date; python3 -m pip install --upgrade pip; printf "\n\n"; } >> ./log/install.txt printf "[WGDashboard] Installing latest Python dependencies\n" - - case "$OS" in - ubuntu|debian|centos|fedora|redhat|rhel) - { date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt #This all works on the default installation. - ;; - alpine) - { date; sudo apk add gcc python3-dev musl-dev linux-headers ; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt - ;; - *) - printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" - printf "%s\n" "$helpMsg" - kill $TOP_PID - ;; - esac + { date; python3 -m pip install -r requirements.txt ; printf "\n\n"; } >> ./log/install.txt #This all works on the default installation. printf "[WGDashboard] WGDashboard installed successfully!\n" printf "[WGDashboard] Enter ./wgd.sh start to start the dashboard\n" } From 1d20dc9fcbc3fbd40509ae2dcbf04066a5756ff6 Mon Sep 17 00:00:00 2001 From: Dselen Date: Fri, 23 Aug 2024 13:01:50 -0500 Subject: [PATCH 15/25] Looking like a promising end of this task. --- docker/WGDashboard | 1 - docker/alpine/Dockerfile | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) delete mode 160000 docker/WGDashboard diff --git a/docker/WGDashboard b/docker/WGDashboard deleted file mode 160000 index 3012619..0000000 --- a/docker/WGDashboard +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 30126190496f079749a00726885bd7277c5ac4b0 diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index cb2f3bb..38ec84d 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile 
@@ -59,5 +59,4 @@ COPY entrypoint.sh /entrypoint.sh # Exposing the default WireGuard Dashboard port for web access. EXPOSE 10086 -ENTRYPOINT [ "sleep", "infinity" ] -#ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] \ No newline at end of file From bc29b89a16b7828cffdb5336bb46000660c3b226 Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 13:07:42 -0500 Subject: [PATCH 16/25] Rebased and going further --- docker/alpine/Dockerfile | 3 +- docker/alpine/entrypoint.sh | 11 ------- src/wgd.sh | 62 +++++++++++++++++++++---------------- 3 files changed, 36 insertions(+), 40 deletions(-) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index 38ec84d..ad6b58a 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile @@ -18,8 +18,7 @@ ENV update="yes" # Doing package management operations, such as upgrading RUN apk update \ && apk add --no-cache bash git curl tzdata \ - wireguard-tools sudo \ - py3-pip py3-psutil py3-bcrypt + sudo py3-psutil py3-bcrypt # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. ENV WGDASH=/opt/wireguarddashboard diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index 4cda068..5d815b5 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh @@ -80,17 +80,6 @@ clean_up() { echo "Removed unneeded logs!" } -#update_checker() { - #if [ "$update" = "yes" ]; then - # echo "Activating Python venv and executing the WireGuard Dashboard service." - # . "${WGDASH}/src/venv/bin/activate" - # cd "${WGDASH}"/src || exit - # bash wgd.sh update - #else - # echo "Auto Updater disabled" - #fi -#} - # === SET ENV VARS === set_envvars() { printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" diff --git a/src/wgd.sh b/src/wgd.sh index ed8e8c0..680698d 100755 --- a/src/wgd.sh +++ b/src/wgd.sh 
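Review bot: With `ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]` bash becomes PID 1, and PID 1 gets no default SIGTERM action, so unless entrypoint.sh installs a handler (none is visible in this series) `docker stop` waits out its grace period and SIGKILLs the container, taking down gunicorn and the wg interfaces without `wgd.sh stop` or `wg-quick down` ever running. A trap near the top of entrypoint.sh covers it: `trap 'cd "${WGDASH}"/src && bash wgd.sh stop; exit 0' TERM INT`. Bash only runs a trap once the foreground command returns, so the blocking step (apparently a `tail`, judging by the later HEALTHCHECK) should be started as `tail -f … & wait $!` for the handler to fire promptly.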
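Review bot: Dropping `py3-pip` and `wireguard-tools` from the image moves their installation to the first container start, where wgd.sh's `sudo apk update && sudo apk add …` branches fetch them from the Alpine mirrors: the container then needs outbound network just to boot, what ends up installed depends on the mirror state at start time rather than on the image digest, and those packages never pass through whatever scanning is done on the image. `wireguard-tools` is put back in a later patch of this series; `py3-pip` is not. Keep both build-time: `sudo py3-pip py3-psutil py3-bcrypt wireguard-tools`.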
@@ -156,7 +156,6 @@ _installPythonVenv(){ } _installPythonPip(){ - if ! $pythonExecutable -m pip -h > /dev/null 2>&1 then case "$OS" in 
@@ -195,34 +194,43 @@ _installPythonPip(){ fi } -_checkWireguard(){ - if [ ! wg -h > /dev/null 2>&1 ] || [ ! wg-quick -h > /dev/null 2>&1 ] - then - case "$OS" in - ubuntu|debian) - { sudo apt update ; sudo apt-get install -y wireguard; printf "\n\n"; } &>> ./log/install.txt - ;; - #centos|fedora|redhat|rhel) - # if [ "$pythonExecutable" = "python3" ]; then - # { sudo dnf install -y python3-pip; printf "\n\n"; } >> ./log/install.txt - # else - # { sudo dnf install -y ${pythonExecutable}-pip; printf "\n\n"; } >> ./log/install.txt - # fi - #;; - alpine) - { sudo apk update; sudo apk add wireguard-tools ; printf "\n\n"; } >> ./log/install.txt - ;; - *) - printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" - printf "%s\n" "$helpMsg" - kill $TOP_PID - ;; - esac - fi +checkWireguard(){ + # Check if wg and wg-quick are installed + if ! command -v wg > /dev/null 2>&1 || ! command -v wg-quick > /dev/null 2>&1 + then + case "$OS" in + ubuntu|debian) + { + sudo apt update && sudo apt-get install -y wireguard; + printf "\nWireGuard installed on %s.\n\n" "$OS"; + } &>> ./log/install.txt + ;; + centos|fedora|redhat|rhel) + { + sudo dnf install -y wireguard-tools; + printf "\nWireGuard installed on %s.\n\n" "$OS"; + } &>> ./log/install.txt + ;; + alpine) + { + sudo apk update && sudo apk add wireguard-tools; + printf "\nWireGuard installed on %s.\n\n" "$OS"; + } &>> ./log/install.txt + ;; + *) + printf "[WGDashboard] %s Sorry, your OS is not supported. 
Currently, the install script only supports Debian-based, Red Hat-based, and Alpine Linux.\n" "$heavy_crossmark" + printf "%s\n" "$helpMsg" + kill $TOP_PID + ;; + esac + else + printf "WireGuard is already installed.\n" + fi } + _checkPythonVersion(){ version_pass=$($pythonExecutable -c 'import sys; print("1") if (sys.version_info.major == 3 and sys.version_info.minor >= 10) else print("0");') version=$($pythonExecutable --version) @@ -250,8 +258,6 @@ _checkPythonVersion(){ install_wgd(){ printf "[WGDashboard] Starting to install WGDashboard\n" - _checkWireguard - sudo chmod -R 755 /etc/wireguard/ if [ ! -d "log" ] then @@ -270,6 +276,8 @@ install_wgd(){ _checkPythonVersion _installPythonVenv _installPythonPip + _checkWireguard + sudo chmod -R 755 /etc/wireguard/ if [ ! -d "db" ] then From 2ec3ee2734ce2f49a5c7752f760b98bc9094a000 Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 13:42:08 -0500 Subject: [PATCH 17/25] Fixed typo --- src/wgd.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wgd.sh b/src/wgd.sh index 680698d..d27710f 100755 --- a/src/wgd.sh +++ b/src/wgd.sh @@ -194,7 +194,7 @@ _installPythonPip(){ fi } -checkWireguard(){ +_checkWireguard(){ # Check if wg and wg-quick are installed if ! command -v wg > /dev/null 2>&1 || ! command -v wg-quick > /dev/null 2>&1 then From 40f39e918dcc50458998720e047698fcacc12ca4 Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 15:28:27 -0500 Subject: [PATCH 18/25] Finished work for now on the alpine docker image. --- docker/alpine/Dockerfile | 8 ++++---- docker/alpine/compose.yaml | 2 +- src/wgd.sh | 17 ++++++++--------- 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index ad6b58a..b9addcf 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile 
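Review bot: None of the install branches verify that WireGuard is actually present afterwards: `printf "\nWireGuard installed on %s.\n\n"` follows the package command after a `;`, so it lands in the log even when `apt-get`/`dnf`/`apk` failed (on RHEL-family hosts `wireguard-tools` may need EPEL, which nothing here enables), and `install_wgd` then proceeds to `chmod -R 755 /etc/wireguard/` and the Python setup regardless. Re-run the probe once after the `case` and stop the way the unsupported-OS branch does: `if ! command -v wg > /dev/null 2>&1; then printf "[WGDashboard] %s WireGuard could not be installed, see ./log/install.txt\n" "$heavy_crossmark"; kill $TOP_PID; fi`. `_checkPythonVersion` below is only partly inside the hunk.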
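Review bot: `sudo chmod -R 755 /etc/wireguard/` (only moved by this hunk, but it is now the code under review) makes the directory world-traversable and every `*.conf` in it, private keys included, world-readable; `wg-quick` itself warns when a config is world accessible. If the dashboard has to run as the installing user rather than root, grant access through group ownership instead of `o+rx`: `sudo chmod 750 /etc/wireguard/` and `sudo find /etc/wireguard -type f -exec chmod 640 {} +`, plus `sudo chgrp -R <dashboard-group> /etc/wireguard` for whatever group the service runs under (not visible from here). If it always runs as root, `700`/`600` is enough. `install_wgd` continues outside the hunk.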
@@ -13,11 +13,11 @@ ENV global_dns="1.1.1.1" ENV enable="none" ENV isolate="wg0" ENV public_ip="0.0.0.0" -ENV update="yes" # Doing package management operations, such as upgrading RUN apk update \ - && apk add --no-cache bash git curl tzdata \ + && apk add --no-cache bash git tzdata \ + iptables ip6tables curl openrc wireguard-tools \ sudo py3-psutil py3-bcrypt # Using WGDASH -- like wg_net functionally as a ARG command. But it is needed in entrypoint.sh so it needs to be exported as environment variable. @@ -49,8 +49,8 @@ RUN echo "[Interface]" > /setup/conf/wg0.conf \ && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf # Defining a way for Docker to check the health of the container. In this case: checking the login URL. -HEALTHCHECK --interval=2m --timeout=1m --start-period=20s --retries=3 \ - CMD [ "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:10086/)" -eq "200" ] || exit 1 +HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ + CMD sh -c 'pgrep gunicorn > /dev/null && pgrep tail > /dev/null' || exit 1 # Copy the basic entrypoint.sh script. diff --git a/docker/alpine/compose.yaml b/docker/alpine/compose.yaml index a921a23..ae26b90 100644 --- a/docker/alpine/compose.yaml +++ b/docker/alpine/compose.yaml @@ -1,6 +1,6 @@ services: wireguard-dashboard: - image: dselen/wgdashboard:dev + image: dselen:alpine restart: unless-stopped container_name: wgdashboard environment: diff --git a/src/wgd.sh b/src/wgd.sh index d27710f..9f89e0e 100755 --- a/src/wgd.sh +++ b/src/wgd.sh @@ -90,7 +90,7 @@ _installPython(){ fi ;; alpine) - { sudo apk update; sudo apk add python3 net-tools; printf "\n\n"; } >> ./log/install.txt + { sudo apk update; sudo apk add python3 net-tools --no-cache; printf "\n\n"; } >> ./log/install.txt ;; esac 
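Review bot: The new `HEALTHCHECK` only proves that a `gunicorn` and a `tail` process exist; a worker that is wedged or never bound port 10086 still reports healthy, which is a step back from the HTTP probe it replaces, and tying health to a `tail` process couples it to an internal detail of entrypoint.sh. `curl` is still installed in the same `apk add`, so keep an HTTP probe: `CMD curl -fsS -o /dev/null http://localhost:10086/ || exit 1`. If the old `-eq 200` test was failing because `/` answers with a redirect to the login page, note that `-f` without `-L` treats a 3xx as success, so this form does not have that problem.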
@@ -174,7 +174,7 @@ _installPythonPip(){ fi ;; alpine) - { sudo apk update; sudo apk add py3-pip ; printf "\n\n"; } >> ./log/install.txt + { sudo apk update; sudo apk add py3-pip --no-cache; printf "\n\n"; } >> ./log/install.txt ;; *) printf "[WGDashboard] %s Sorry, your OS is not supported. Currently the install script only support Debian-based, Red Hat-based OS. With experimental support for Alpine Linux.\n" "$heavy_crossmark" @@ -195,26 +195,25 @@ _installPythonPip(){ } _checkWireguard(){ - # Check if wg and wg-quick are installed if ! command -v wg > /dev/null 2>&1 || ! command -v wg-quick > /dev/null 2>&1 then case "$OS" in ubuntu|debian) { sudo apt update && sudo apt-get install -y wireguard; - printf "\nWireGuard installed on %s.\n\n" "$OS"; + printf "\n[WGDashboard] WireGuard installed on %s.\n\n" "$OS"; } &>> ./log/install.txt ;; centos|fedora|redhat|rhel) { sudo dnf install -y wireguard-tools; - printf "\nWireGuard installed on %s.\n\n" "$OS"; + printf "\n[WGDashboard] WireGuard installed on %s.\n\n" "$OS"; } &>> ./log/install.txt ;; alpine) { - sudo apk update && sudo apk add wireguard-tools; - printf "\nWireGuard installed on %s.\n\n" "$OS"; + sudo apk update && sudo apk add wireguard-tools --no-cache; + printf "\n[WGDashboard] WireGuard installed on %s.\n\n" "$OS"; } &>> ./log/install.txt ;; *) @@ -224,7 +223,7 @@ _checkWireguard(){ ;; esac else - printf "WireGuard is already installed.\n" + printf "[WGDashboard] WireGuard is already installed.\n" fi } @@ -413,7 +412,7 @@ if [ "$#" != 1 ]; printf "%s\n" "$dashes" printf "[WGDashboard] WGDashboard is already running.\n" printf "%s\n" "$dashes" - else + else start_wgd fi elif [ "$1" = "stop" ]; then From ef028659d8ff51158fb5e818dac6a894b9ae0ff0 Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 15:46:17 -0500 Subject: [PATCH 19/25] Testing improvement --- docker/alpine/entrypoint.sh | 4 ++++ 1 file changed, 4 insertions(+) 
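Review bot: `sudo apk update; sudo apk add py3-pip --no-cache` fetches the package index twice: `apk update` stores it in the cache and `--no-cache` then ignores that cache and downloads it again, so one of the two is wasted (the same pair appears in `_installPython` in this patch and in the `_checkWireguard` branch below). The conventional form is the single `sudo apk add --no-cache py3-pip`. `_installPythonPip` starts outside the hunk.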
diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index 5d815b5..3068ffa 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh @@ -105,6 +105,10 @@ set_envvars() { sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini fi + + echo "Restarting service for good measure" + cd "${WGDASH}"/src || exit + ./wgd.sh restart } # === CORE SERVICES === From f6e5d9675a4aca488db44215b1432f2909fd7d20 Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 15:53:53 -0500 Subject: [PATCH 20/25] Alternative testing. --- docker/alpine/entrypoint.sh | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index 3068ffa..f452f14 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh @@ -22,9 +22,13 @@ ensure_installation() { cd "${WGDASH}"/src || exit ./wgd.sh install + echo "Generating some files..." + ./wgd.sh start + ./wgd.sh stop + echo "Looks like the installation succesfully moved over." else - echo "Looks like everything is present." + echo "Looks like everything is present. Or the directory is not empty." fi # This first step is to ensure the wg0.conf file exists, and if not, then its copied over from the ephemeral container storage. @@ -106,9 +110,9 @@ set_envvars() { sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini fi - echo "Restarting service for good measure" - cd "${WGDASH}"/src || exit - ./wgd.sh restart + #echo "Restarting service for good measure" + #cd "${WGDASH}"/src || exit + #./wgd.sh restart } # === CORE SERVICES === From c0ef41a9bbcd272c50e2a5bada26115e7956d789 Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 15:54:27 -0500 Subject: [PATCH 21/25] Forgot to reorder --- docker/alpine/entrypoint.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index f452f14..955fcb5 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh @@ -223,7 +223,6 @@ ensure_blocking() { # Execute functions for the WireGuard Dashboard services, then set the environment variables ensure_installation clean_up -#update_checker -start_core set_envvars +start_core ensure_blocking \ No newline at end of file From a76e9ed98b02822d9e021e2556c6ae814c0cb2a8 Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 16:16:09 -0500 Subject: [PATCH 22/25] Testing more changes for better handling of variables. --- docker/alpine/compose.yaml | 6 +++--- docker/alpine/entrypoint.sh | 18 +++++++----------- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/docker/alpine/compose.yaml b/docker/alpine/compose.yaml index ae26b90..20945ee 100644 --- a/docker/alpine/compose.yaml +++ b/docker/alpine/compose.yaml @@ -1,14 +1,14 @@ services: wireguard-dashboard: - image: dselen:alpine + image: dselen/wgdashboard:alpine restart: unless-stopped container_name: wgdashboard environment: #- tz= # <--- Set container timezone, default: Europe/Amsterdam. - #- global_dns= # <--- Set global DNS address, default: 1.1.1.1. + - global_dns=9.9.9.9 # <--- Set global DNS address, default: 1.1.1.1. - enable=wg0 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. - #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. + - public_ip=212.124.66.17 # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp - 51820:51820/udp diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index 955fcb5..b2ff69e 100644 --- a/docker/alpine/entrypoint.sh 
+++ b/docker/alpine/entrypoint.sh @@ -22,10 +22,6 @@ ensure_installation() { cd "${WGDASH}"/src || exit ./wgd.sh install - echo "Generating some files..." - ./wgd.sh start - ./wgd.sh stop - echo "Looks like the installation succesfully moved over." else echo "Looks like everything is present. Or the directory is not empty." @@ -109,10 +105,6 @@ set_envvars() { sed -i "s/^remote_endpoint = .*/remote_endpoint = ${public_ip}/" /opt/wireguarddashboard/src/wg-dashboard.ini fi - - #echo "Restarting service for good measure" - #cd "${WGDASH}"/src || exit - #./wgd.sh restart } # === CORE SERVICES === @@ -121,8 +113,8 @@ start_core() { echo "Activating Python venv and executing the WireGuard Dashboard service." . "${WGDASH}"/src/venv/bin/activate - cd "${WGDASH}"/src || return # If changing the directory fails (permission or presence error), then bash will exist this function, causing the WireGuard Dashboard to not be succesfully launched. - bash wgd.sh start + cd "${WGDASH}"/src || return + bash wgd.sh start &>> /dev/null # Isolated peers feature, first converting the existing configuration files and the given names to arrays. local configurations=(/etc/wireguard/*) @@ -205,6 +197,10 @@ start_core() { ensure_blocking() { printf "\n-------------- ENSURING CONTAINER CONTINUATION -------------\n" + . "${WGDASH}"/src/venv/bin/activate + cd "${WGDASH}"/src || return + bash wgd.sh restart + sleep 1s echo "Ensuring container continuation." @@ -223,6 +219,6 @@ ensure_blocking() { # Execute functions for the WireGuard Dashboard services, then set the environment variables ensure_installation clean_up -set_envvars start_core +set_envvars ensure_blocking \ No newline at end of file From 548f3db33df745084b291e458c17085fc8c9fe9d Mon Sep 17 00:00:00 2001 From: Dselen Date: Mon, 26 Aug 2024 16:16:43 -0500 Subject: [PATCH 23/25] quickfix --- docker/alpine/compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
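Review bot: `bash wgd.sh start &>> /dev/null` throws away the only output of the initial start, and nothing checks whether it succeeded before `start_core` goes on to build the isolated-peers rules; the comment explaining the `|| return` on the `cd` line is dropped at the same time. Since `ensure_blocking` (hunk below) now restarts the dashboard after `set_envvars` anyway, either drop this first start or keep its output somewhere it can be found: `bash wgd.sh start >> "${WGDASH}/src/log/entrypoint.txt" 2>&1 || echo "Initial dashboard start failed, see src/log/entrypoint.txt"` (`wgd.sh install` creates `./log`, judging by the earlier hunk in this series). `start_core` continues outside the hunk.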
diff --git a/docker/alpine/compose.yaml b/docker/alpine/compose.yaml index 20945ee..0d84bea 100644 --- a/docker/alpine/compose.yaml +++ b/docker/alpine/compose.yaml @@ -8,7 +8,7 @@ services: - global_dns=9.9.9.9 # <--- Set global DNS address, default: 1.1.1.1. - enable=wg0 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. - - public_ip=212.124.66.17 # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. + - public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp - 51820:51820/udp From c3cda05d9847ef659b83329c5d5ea6e6cd856819 Mon Sep 17 00:00:00 2001 From: Dselen Date: Tue, 27 Aug 2024 02:26:19 -0500 Subject: [PATCH 24/25] Move fix. --- docker/alpine/Dockerfile | 6 +++--- docker/alpine/compose.yaml | 8 ++++---- docker/alpine/entrypoint.sh | 7 ++++--- 3 files changed, 11 insertions(+), 10 deletions(-) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index b9addcf..5828b34 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile @@ -26,9 +26,9 @@ ENV WGDASH=/opt/wireguarddashboard # Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. # Doing WireGuard Dashboard installation measures. Modify the git clone command to get the preferred version, with a specific branch for example. -RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} \ - && git clone ${Git_Url} /setup/app -#COPY src /setup/app/src +RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} + #&& git clone ${Git_Url} /setup/app +COPY src /setup/app/src # Set the volume to be used for WireGuard configuration persistency. VOLUME /etc/wireguard 
diff --git a/docker/alpine/compose.yaml b/docker/alpine/compose.yaml index 0d84bea..341fa27 100644 --- a/docker/alpine/compose.yaml +++ b/docker/alpine/compose.yaml @@ -1,6 +1,6 @@ services: wireguard-dashboard: - image: dselen/wgdashboard:alpine + image: dselen:alpine restart: unless-stopped container_name: wgdashboard environment: @@ -8,13 +8,13 @@ services: - global_dns=9.9.9.9 # <--- Set global DNS address, default: 1.1.1.1. - enable=wg0 # <--- Set the interfaces that will be enabled on startup, default: none. The option "off" is also allowed. - isolate=wg0 # <--- When set to true, it disallows peers to talk to eachother, setting to false, allows it, default: true. - - public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. + #- public_ip= # <--- Set public IP to ensure the correct one is chosen, defaulting to the IP give by ifconfig.me. ports: - 10086:10086/tcp - 51820:51820/udp volumes: - - app:/opt/wireguarddashboard - - conf:/etc/wireguard + - ./app:/opt/wireguarddashboard + - ./conf:/etc/wireguard cap_add: - NET_ADMIN diff --git a/docker/alpine/entrypoint.sh b/docker/alpine/entrypoint.sh index b2ff69e..20c2711 100644 --- a/docker/alpine/entrypoint.sh +++ b/docker/alpine/entrypoint.sh @@ -10,7 +10,8 @@ ensure_installation() { if [ -z "$(ls -A "${WGDASH}")" ]; then echo "Detected empty directory, moving over..." - mv /setup/app/{.[!.],}* "${WGDASH}" + mv /setup/app/* "${WGDASH}" + mv /setup/app/.* "${WGDASH}" python3 -m venv "${WGDASH}"/src/venv . "${WGDASH}/src/venv/bin/activate" @@ -82,7 +83,7 @@ clean_up() { # === SET ENV VARS === set_envvars() { - printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" + #printf "\n------------- SETTING ENVIRONMENT VARIABLES ----------------\n" # Changing the DNS used for clients and the dashboard itself. if [ "${global_dns}" != "$(grep "peer_global_dns = " /opt/wireguarddashboard/src/wg-dashboard.ini | awk '{print $NF}')" ]; then 
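Review bot: Changing `conf:/etc/wireguard` from a named volume to the bind mount `./conf:/etc/wireguard` puts the interface configs, private keys included, into a host directory next to compose.yaml, and with the short volume syntax Docker creates a missing `./conf` itself as a root-owned directory (typically 0755); `wgd.sh install` then runs `chmod -R 755 /etc/wireguard/` (seen earlier in this series), which makes the files inside world-readable on the host as well. If the bind mount is intended, pre-create the directories with restrictive permissions before the first `docker compose up`, `install -d -m 0700 ./conf ./app`, and say so in the README; otherwise the named volumes were the safer default.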
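Review bot: `mv /setup/app/.* "${WGDASH}"` is not a safe replacement for the brace pattern it replaces: in bash before 5.2 `.*` also matches `.` and `..`, so `mv` is asked to move `/setup/app/..` into `${WGDASH}`, fails with a non-zero status and lets `ensure_installation` continue as if it worked (the remaining arguments are still moved), while on bash 5.2+ (`globskipdots`) a source tree without dotfiles leaves `.*` unexpanded and `mv` fails on a literal `.*`. The original `{.[!.],}*` only missed names starting with two dots. The bash idiom is `shopt -s dotglob` followed by the single `mv /setup/app/* "${WGDASH}"`, or the shell-independent `cp -a /setup/app/. "${WGDASH}"/ && rm -rf /setup/app`. `ensure_installation` continues outside the hunk.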
@@ -195,7 +196,7 @@ start_core() { # === CLEAN UP === ensure_blocking() { - printf "\n-------------- ENSURING CONTAINER CONTINUATION -------------\n" + #printf "\n-------------- ENSURING CONTAINER CONTINUATION -------------\n" . "${WGDASH}"/src/venv/bin/activate cd "${WGDASH}"/src || return From 40e6fce28135eb5ae7050b08ab73dd4c5697aea1 Mon Sep 17 00:00:00 2001 From: Dselen Date: Tue, 27 Aug 2024 02:30:01 -0500 Subject: [PATCH 25/25] Fix typos --- docker/alpine/Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile index 5828b34..73c893e 100644 --- a/docker/alpine/Dockerfile +++ b/docker/alpine/Dockerfile @@ -26,9 +26,9 @@ ENV WGDASH=/opt/wireguarddashboard # Removing the Linux Image package to preserve space on the image, for this reason also deleting apt lists, to be able to install packages: run apt update. # Doing WireGuard Dashboard installation measures. Modify the git clone command to get the preferred version, with a specific branch for example. -RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} - #&& git clone ${Git_Url} /setup/app -COPY src /setup/app/src +RUN mkdir -p /setup/conf && mkdir /setup/app && mkdir ${WGDASH} \ + && git clone ${Git_Url} /setup/app +#COPY src /setup/app/src # Set the volume to be used for WireGuard configuration persistency. VOLUME /etc/wireguard @@ -58,4 +58,4 @@ COPY entrypoint.sh /entrypoint.sh # Exposing the default WireGuard Dashboard port for web access. EXPOSE 10086 -ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
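Review bot: Restoring `git clone ${Git_Url} /setup/app` with no tag, branch or commit pinned bakes whatever the remote's default branch points at when the image is built, so two builds of the same Dockerfile can contain different dashboard code and nothing in the image records which commit it got; the build trusts the remote at build time and cannot be audited afterwards. Pin the checkout with a build argument, e.g. `ARG Git_Ref=main` (better, a release tag) and `git clone --depth 1 --branch "${Git_Ref}" ${Git_Url} /setup/app`, and record it with `git -C /setup/app rev-parse HEAD > /setup/app/BUILD_COMMIT`; alternatively keep the `COPY src /setup/app/src` line this patch comments out, which builds the image from the checked-out tree. Where `Git_Url` is defined is not visible in this hunk.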