From 928363d6944a4d8235d15d38c8cc7470236be3cf Mon Sep 17 00:00:00 2001 From: aptalca Date: Tue, 26 Oct 2021 13:05:08 -0400 Subject: [PATCH 1/7] allow setting server AllowedIPs for specific peers --- README.md | 9 ++++++++- readme-vars.yml | 9 ++++++++- root/etc/cont-init.d/30-config | 13 ++++++++++++- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 058c524..0f774c2 100644 --- a/README.md +++ b/README.md @@ -77,6 +77,13 @@ To display the QR codes of active peers again, you can use the following command The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container. +## Site-to-site VPN +Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. + +In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`. + +Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary. + ## Client Mode Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container. 
@@ -176,7 +183,7 @@ Container images are configured using parameters passed at runtime (such as thos | `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London | | `-e SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically | | `-e SERVERPORT=51820` | External port for docker host. Used in server mode. | -| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... | +| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only) | | `-e PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. | | `-e INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. | | `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. | diff --git a/readme-vars.yml b/readme-vars.yml index fb5fa2f..6fa65e5 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -44,7 +44,7 @@ opt_param_usage_include_env: true opt_param_env_vars: - { env_var: "SERVERURL", env_value: "wireguard.domain.com", desc: "External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically"} - { env_var: "SERVERPORT", env_value: "51820", desc: "External port for docker host. Used in server mode."} - - { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet..."} + - { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only)"} - { env_var: "PEERDNS", env_value: "auto", desc: "DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward."} - { env_var: "INTERNAL_SUBNET", env_value: "10.13.13.0", desc: "Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode."} - { env_var: "ALLOWEDIPS", env_value: "0.0.0.0/0", desc: "The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1."} 
@@ -74,6 +74,13 @@ app_setup_block: | The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container. + ## Site-to-site VPN + Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. + + In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`. + + Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary. + ## Client Mode Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container. diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config index 7bf238c..d0425fd 100644 --- a/root/etc/cont-init.d/30-config +++ b/root/etc/cont-init.d/30-config 
@@ -201,13 +201,24 @@ DUDE" cat < /config/${PEER_ID}/${PEER_ID}.conf `cat /config/templates/peer.conf` DUDE" - cat <> /config/wg0.conf + SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${PEER_ID} + if [ -n "${!SERVER_ALLOWEDIPS}" ]; then + cat <> /config/wg0.conf +[Peer] +# ${PEER_ID} +PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) +AllowedIPs = ${!SERVER_ALLOWEDIPS} + +DUDE + else + cat <> /config/wg0.conf [Peer] # ${PEER_ID} PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) AllowedIPs = ${CLIENT_IP}/32 DUDE + fi echo "PEER ${i} QR code:" qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf From 79bbfddb98bdc7fadb3fe848ed59bc0374d86d78 Mon Sep 17 00:00:00 2001 From: aptalca Date: Tue, 26 Oct 2021 13:55:02 -0400 Subject: [PATCH 2/7] exclude peer ip --- README.md | 4 +++- readme-vars.yml | 4 +++- root/etc/cont-init.d/30-config | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0f774c2..321fbe5 100644 --- a/README.md +++ b/README.md 
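Review bot: The value read through `${!SERVER_ALLOWEDIPS}` in the new `if` branch is written verbatim into the server's `AllowedIPs` line with no syntax check, so a typo or stray whitespace in a single `SERVER_ALLOWEDIPS_PEER_*` value is likely to make `wg0.conf` unparseable and keep the interface from coming up for every peer, not just the customised one; a value containing a newline could also add arbitrary lines to the generated conf through the heredoc. The operator sets this variable, so this is a robustness rather than an untrusted-input concern, but failing loudly beats a server that silently does not start. I would reject anything that is not a comma-separated list of IPv4/IPv6 addresses or CIDRs and fall back to the default block: `if [[ "${!SERVER_ALLOWEDIPS}" =~ [^0-9a-fA-F.:/,] ]]; then echo "**** ${SERVER_ALLOWEDIPS} contains characters that are not valid in AllowedIPs, ignoring it ****"; unset "${SERVER_ALLOWEDIPS}"; fi` placed before the `-n` test. The enclosing `generate_confs` function starts and ends outside this hunk.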
@@ -80,7 +80,9 @@ The templates used for server and peer confs are saved under `/config/templates` ## Site-to-site VPN Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. -In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`. +In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var). + +`SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary. diff --git a/readme-vars.yml b/readme-vars.yml index 6fa65e5..9c171d6 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -77,7 +77,9 @@ app_setup_block: | ## Site-to-site VPN Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. - In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`. + In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var). + + `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary. diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config index d0425fd..22ddec1 100644 --- a/root/etc/cont-init.d/30-config +++ b/root/etc/cont-init.d/30-config @@ -207,7 +207,7 @@ DUDE" [Peer] # ${PEER_ID} PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) -AllowedIPs = ${!SERVER_ALLOWEDIPS} +AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS} DUDE else From 81381d2f25ed2cd2bd376d23fa5de074b7306ea8 Mon Sep 17 00:00:00 2001 
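Review bot: The cryptokey-routing consequences of `AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}` are not documented anywhere in this series: on the server, a peer's AllowedIPs is both the route to that peer and the set of source addresses accepted from it, so the remote site can originate packets as any address in the listed ranges, and if two peers list overlapping prefixes the kernel gives the prefix to whichever peer is configured last, as far as I can tell without any error. A user setting up site-to-site will read the README section this series adds, so that is where the caveat belongs. I would add a sentence such as `The subnets you list are trusted as source addresses from that peer and must not overlap between peers or with INTERNAL_SUBNET; the server's forwarding/firewall rules may also need to allow them.` The shell change itself is fine; the enclosing `generate_confs` function is outside this hunk.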
From: aptalca Date: Tue, 26 Oct 2021 15:15:50 -0400 Subject: [PATCH 3/7] fix peer name --- README.md | 2 +- readme-vars.yml | 2 +- root/etc/cont-init.d/30-config | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 321fbe5..0cb6585 100644 --- a/README.md +++ b/README.md @@ -84,7 +84,7 @@ In order to customize the `AllowedIPs` statement for a specific peer in `wg0.con `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. -Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary. +Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary. ## Client Mode Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container. diff --git a/readme-vars.yml b/readme-vars.yml index 9c171d6..1a39b12 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -81,7 +81,7 @@ app_setup_block: | `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. - Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary. + Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary. ## Client Mode Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container. diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config index 22ddec1..0ad49c7 100644 --- a/root/etc/cont-init.d/30-config +++ b/root/etc/cont-init.d/30-config @@ -201,8 +201,9 @@ DUDE" cat < /config/${PEER_ID}/${PEER_ID}.conf `cat /config/templates/peer.conf` DUDE" - SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${PEER_ID} + SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i} if [ -n "${!SERVER_ALLOWEDIPS}" ]; then + echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}" cat <> /config/wg0.conf [Peer] # ${PEER_ID} From cca4336768610859441d6b063961d9330c263491 Mon Sep 17 00:00:00 2001 From: aptalca Date: Tue, 26 Oct 2021 16:24:40 -0400 Subject: [PATCH 4/7] update readme --- README.md | 23 ++++++++++++++--------- readme-vars.yml | 24 +++++++++++++++--------- 2 files changed, 29 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 0cb6585..a24a6f4 100644 --- a/README.md +++ b/README.md 
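Review bot: Switching the lookup to `SERVER_ALLOWEDIPS_PEER_${i}` uses the raw PEERS entry as a bash variable name, but the peer-name sanitiser elsewhere in this function accepts `-` (`[^[:alnum:]_-]`), which is not legal in an identifier, so a name such as `my-phone` may make `${!SERVER_ALLOWEDIPS}` abort with a "bad substitution" error rather than quietly taking the default branch. The README in this series says names are alphanumeric only, but the script does not enforce that before the indirect expansion. A cheap guard is to test the name first and let `&&` short-circuit so the indirection is never evaluated for an invalid name: `if [[ "${i}" =~ ^[[:alnum:]_]+$ ]] && [ -n "${!SERVER_ALLOWEDIPS}" ]; then`. The enclosing `generate_confs` function starts and ends outside this hunk.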
@@ -77,15 +77,6 @@ To display the QR codes of active peers again, you can use the following command The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container. -## Site-to-site VPN -Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. - -In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var). - -`SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. - -Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary. - ## Client Mode Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container. 
@@ -113,6 +104,20 @@ When routing via Wireguard from another container using the `service` option in PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT ``` +## Site-to-site VPN + +** Note: This is not a supported configuration by Linuxserver.io - use at your own risk. + +Site-to-site VPN in server mode requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. + +In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var). + +For instance `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. + +Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary. + +Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access. + ## Usage Here are some example snippets to help you get started creating a container. diff --git a/readme-vars.yml b/readme-vars.yml index 1a39b12..ab87f18 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -74,15 +74,6 @@ app_setup_block: | The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container. - ## Site-to-site VPN - Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. - - In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var). - - `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. - - Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary. - ## Client Mode Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container. 
@@ -109,7 +100,22 @@ app_setup_block: | PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT ``` + + ## Site-to-site VPN + + ** Note: This is not a supported configuration by Linuxserver.io - use at your own risk. + + Site-to-site VPN in server mode requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually. + + In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var). + For instance `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`. + + Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. 
You can delete wg0.conf and restart the container to force regeneration if necessary. + + Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access. + + # changelog changelogs: - { date: "11.02.21:", desc: "Fix bug related to changing internal subnet and named peer confs not updating." } From 5cbb0403820e33371366d7bbf40d1e3607ef8105 Mon Sep 17 00:00:00 2001 From: aptalca Date: Thu, 28 Oct 2021 14:59:11 -0400 Subject: [PATCH 5/7] split up kernel module and conf generation --- README.md | 6 +- readme-vars.yml | 6 +- root/etc/cont-init.d/{30-config => 30-module} | 146 ----------------- root/etc/cont-init.d/40-confs | 148 ++++++++++++++++++ 4 files changed, 156 insertions(+), 150 deletions(-) rename root/etc/cont-init.d/{30-config => 30-module} (56%) create mode 100644 root/etc/cont-init.d/40-confs diff --git a/README.md b/README.md index a24a6f4..8636e04 100644 --- a/README.md +++ b/README.md 
@@ -58,11 +58,13 @@ The architectures supported by this image are: ## Application Setup -This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module. +During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container. + +If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed. If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv). 
-With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). +With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). This can be run as a server or a client, based on the parameters used. diff --git a/readme-vars.yml b/readme-vars.yml index ab87f18..2b5e74f 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -55,11 +55,13 @@ optional_block_1_items: "" # application setup block app_setup_block_enabled: true app_setup_block: | - This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module. + During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container. + + If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed. If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv). 
- With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). + With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). This can be run as a server or a client, based on the parameters used. diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-module similarity index 56% rename from root/etc/cont-init.d/30-config rename to root/etc/cont-init.d/30-module index 0ad49c7..da079e3 100644 --- a/root/etc/cont-init.d/30-config +++ b/root/etc/cont-init.d/30-module 
@@ -151,149 +151,3 @@ DUDE fi fi -# prepare symlinks -rm -rf /etc/wireguard -mkdir -p /etc/wireguard -ln -s /config/wg0.conf /etc/wireguard/wg0.conf -# prepare templates -[[ ! -f /config/templates/server.conf ]] && \ - cp /defaults/server.conf /config/templates/server.conf -[[ ! -f /config/templates/peer.conf ]] && \ - cp /defaults/peer.conf /config/templates/peer.conf - -generate_confs () { - mkdir -p /config/server - if [ ! -f /config/server/privatekey-server ]; then - umask 077 - wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server - fi - eval "`printf %s` - cat < /config/wg0.conf -`cat /config/templates/server.conf` - -DUDE" - for i in ${PEERS_ARRAY[@]}; do - if [[ "${i}" =~ ^[0-9]+$ ]]; then - PEER_ID="peer${i}" - else - PEER_ID="peer_${i//[^[:alnum:]_-]/}" - fi - mkdir -p /config/${PEER_ID} - if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then - umask 077 - wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID} - fi - if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then - CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}') - if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then - CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|") - fi - else - for idx in {2..254}; do - PROPOSED_IP="${INTERFACE}.${idx}" - if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! 
grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then - CLIENT_IP="${PROPOSED_IP}" - break - fi - done - fi - eval "`printf %s` - cat < /config/${PEER_ID}/${PEER_ID}.conf -`cat /config/templates/peer.conf` -DUDE" - SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i} - if [ -n "${!SERVER_ALLOWEDIPS}" ]; then - echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}" - cat <> /config/wg0.conf -[Peer] -# ${PEER_ID} -PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) -AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS} - -DUDE - else - cat <> /config/wg0.conf -[Peer] -# ${PEER_ID} -PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) -AllowedIPs = ${CLIENT_IP}/32 - -DUDE - fi - echo "PEER ${i} QR code:" - qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf - qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf - done -} - -save_vars () { - cat < /config/.donoteditthisfile -ORIG_SERVERURL="$SERVERURL" -ORIG_SERVERPORT="$SERVERPORT" -ORIG_PEERDNS="$PEERDNS" -ORIG_PEERS="$PEERS" -ORIG_INTERFACE="$INTERFACE" -ORIG_ALLOWEDIPS="$ALLOWEDIPS" -DUDE -} - -if [ -n "$PEERS" ]; then - echo "**** Server mode is selected ****" - if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then - PEERS_ARRAY=($(seq 1 $PEERS)) - else - PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' ')) - fi - PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}") - if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then - SERVERURL=$(curl -s icanhazip.com) - echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****" - else - echo "**** External server address is set to $SERVERURL ****" - fi - SERVERPORT=${SERVERPORT:-51820} - echo "**** External server port is set to ${SERVERPORT}. 
Make sure that port is properly forwarded to port 51820 inside this container ****" - INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0} - echo "**** Internal subnet is set to $INTERNAL_SUBNET ****" - INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--') - ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0} - echo "**** AllowedIPs for peers $ALLOWEDIPS ****" - if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then - PEERDNS="${INTERFACE}.1" - echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****" - else - echo "**** Peer DNS servers will be set to $PEERDNS ****" - fi - if [ ! -f /config/wg0.conf ]; then - echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****" - generate_confs - save_vars - else - echo "**** Server mode is selected ****" - [[ -f /config/.donoteditthisfile ]] && \ - . /config/.donoteditthisfile - if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then - echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****" - generate_confs - save_vars - else - echo "**** No changes to parameters. Existing configs are used. ****" - fi - fi -else - echo "**** Client mode selected. ****" - if [ ! -f /config/wg0.conf ]; then - echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****" - sleep infinity - fi - echo "**** Disabling CoreDNS ****" - rm -rf /etc/services.d/coredns -fi - -# set up CoreDNS -[[ ! -f /config/coredns/Corefile ]] && \ - cp /defaults/Corefile /config/coredns/Corefile - -# permissions -chown -R abc:abc \ - /config 
diff --git a/root/etc/cont-init.d/40-confs b/root/etc/cont-init.d/40-confs new file mode 100644 index 0000000..71bc311 --- /dev/null +++ b/root/etc/cont-init.d/40-confs 
@@ -0,0 +1,148 @@
+#!/usr/bin/with-contenv bash
+
+# prepare symlinks
+rm -rf /etc/wireguard
+mkdir -p /etc/wireguard
+ln -s /config/wg0.conf /etc/wireguard/wg0.conf
+# prepare templates
+[[ ! -f /config/templates/server.conf ]] && \
+ cp /defaults/server.conf /config/templates/server.conf
+[[ ! -f /config/templates/peer.conf ]] && \
+ cp /defaults/peer.conf /config/templates/peer.conf
+
+generate_confs () {
+ mkdir -p /config/server
+ if [ ! -f /config/server/privatekey-server ]; then
+ umask 077
+ wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
+ fi
+ eval "`printf %s`
+ cat < /config/wg0.conf
+`cat /config/templates/server.conf`
+
+DUDE"
+ for i in ${PEERS_ARRAY[@]}; do
+ if [[ "${i}" =~ ^[0-9]+$ ]]; then
+ PEER_ID="peer${i}"
+ else
+ PEER_ID="peer_${i//[^[:alnum:]_-]/}"
+ fi
+ mkdir -p /config/${PEER_ID}
+ if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then
+ umask 077
+ wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID}
+ fi
+ if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then
+ CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}')
+ if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then
+ CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|")
+ fi
+ else
+ for idx in {2..254}; do
+ PROPOSED_IP="${INTERFACE}.${idx}"
+ if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || !
grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then
+ CLIENT_IP="${PROPOSED_IP}"
+ break
+ fi
+ done
+ fi
+ eval "`printf %s`
+ cat < /config/${PEER_ID}/${PEER_ID}.conf
+`cat /config/templates/peer.conf`
+DUDE"
+ SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i}
+ if [ -n "${!SERVER_ALLOWEDIPS}" ]; then
+ echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}"
+ cat <> /config/wg0.conf
+[Peer]
+# ${PEER_ID}
+PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
+AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}
+
+DUDE
+ else
+ cat <> /config/wg0.conf
+[Peer]
+# ${PEER_ID}
+PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
+AllowedIPs = ${CLIENT_IP}/32
+
+DUDE
+ fi
+ echo "PEER ${i} QR code:"
+ qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
+ qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
+ done
+}
+
+save_vars () {
+ cat < /config/.donoteditthisfile
+ORIG_SERVERURL="$SERVERURL"
+ORIG_SERVERPORT="$SERVERPORT"
+ORIG_PEERDNS="$PEERDNS"
+ORIG_PEERS="$PEERS"
+ORIG_INTERFACE="$INTERFACE"
+ORIG_ALLOWEDIPS="$ALLOWEDIPS"
+DUDE
+}
+
+if [ -n "$PEERS" ]; then
+ echo "**** Server mode is selected ****"
+ if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then
+ PEERS_ARRAY=($(seq 1 $PEERS))
+ else
+ PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' '))
+ fi
+ PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}")
+ if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
+ SERVERURL=$(curl -s icanhazip.com)
+ echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****"
+ else
+ echo "**** External server address is set to $SERVERURL ****"
+ fi
+ SERVERPORT=${SERVERPORT:-51820}
+ echo "**** External server port is set to ${SERVERPORT}.
Make sure that port is properly forwarded to port 51820 inside this container ****"
+ INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
+ echo "**** Internal subnet is set to $INTERNAL_SUBNET ****"
+ INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
+ ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0}
+ echo "**** AllowedIPs for peers $ALLOWEDIPS ****"
+ if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
+ PEERDNS="${INTERFACE}.1"
+ echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****"
+ else
+ echo "**** Peer DNS servers will be set to $PEERDNS ****"
+ fi
+ if [ ! -f /config/wg0.conf ]; then
+ echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
+ generate_confs
+ save_vars
+ else
+ echo "**** Server mode is selected ****"
+ [[ -f /config/.donoteditthisfile ]] && \
+ . /config/.donoteditthisfile
+ if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then
+ echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****"
+ generate_confs
+ save_vars
+ else
+ echo "**** No changes to parameters. Existing configs are used. ****"
+ fi
+ fi
+else
+ echo "**** Client mode selected. ****"
+ if [ ! -f /config/wg0.conf ]; then
+ echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
+ sleep infinity
+ fi
+ echo "**** Disabling CoreDNS ****"
+ rm -rf /etc/services.d/coredns
+fi
+
+# set up CoreDNS
+[[ ! -f /config/coredns/Corefile ]] && \
+ cp /defaults/Corefile /config/coredns/Corefile
+
+# permissions
+chown -R abc:abc \
+ /config
\ No newline at end of file
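Review bot: In generate_confs the per-peer `SERVER_ALLOWEDIPS_PEER_<name>` value is copied verbatim into the `[Peer]` block (`AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}`) with no shape check, and the indirect lookup is built from the raw `${i}` even though `PEER_ID` is sanitized, so a peer name containing `-` (which the sanitizer keeps) makes bash reject `${!SERVER_ALLOWEDIPS}` as an invalid indirect expansion on every regeneration, and a typo in the value only surfaces when wg0 fails to come up. A loose comma-separated-address check before the heredoc that falls back to the bare `${CLIENT_IP}/32` entry with a log line fails closed, since a server-side AllowedIPs entry only ever widens what is routed to and accepted from that peer; it does not detect prefixes overlapping another peer's entries, which WireGuard resolves last-wins, so a comment to that effect near the heredoc would help operators. Separately, the new variable is not written by save_vars and not compared in the regeneration condition, so changing it for an existing peer has no effect until an unrelated server variable changes. That gap closes by computing `PEER_ALLOWEDIPS_SIG=$(env | grep '^SERVER_ALLOWEDIPS_PEER_' | sort | sha256sum | cut -d' ' -f1)` next to the other server variables, adding `ORIG_PEER_ALLOWEDIPS_SIG="$PEER_ALLOWEDIPS_SIG"` to the save_vars heredoc, and appending `|| [ "$PEER_ALLOWEDIPS_SIG" != "$ORIG_PEER_ALLOWEDIPS_SIG" ]` to the regeneration test (assuming `sha256sum` is present in the image).
```shell
    # … unchanged: key generation, CLIENT_IP selection and peer conf rendering …
    SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i}
    PEER_EXTRA_ALLOWEDIPS=""
    # ${!name} requires a valid shell identifier; PEER_ID is sanitized but ${i} is not
    if [[ "${i}" =~ ^[A-Za-z0-9_]+$ ]]; then
      PEER_EXTRA_ALLOWEDIPS="${!SERVER_ALLOWEDIPS}"
    fi
    # Loose shape check only (not full CIDR validation): the value is copied verbatim into
    # wg0.conf, so anything that is not a comma-separated list of IPv4/IPv6 addresses or
    # prefixes is dropped and the peer keeps the bare /32 (routes less to it, never more).
    # Overlaps with another peer's AllowedIPs are not detected here; WireGuard keeps the last one.
    if [ -n "${PEER_EXTRA_ALLOWEDIPS}" ] && ! [[ "${PEER_EXTRA_ALLOWEDIPS}" =~ ^[0-9A-Fa-f.:/]+([[:space:]]*,[[:space:]]*[0-9A-Fa-f.:/]+)*$ ]]; then
      echo "**** SERVER_ALLOWEDIPS_PEER_${i} is not a comma-separated list of addresses/prefixes, ignoring it for peer ${i} ****"
      PEER_EXTRA_ALLOWEDIPS=""
    fi
    if [ -n "${PEER_EXTRA_ALLOWEDIPS}" ]; then
      echo "Adding ${PEER_EXTRA_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}"
    # … unchanged: the two [Peer] heredocs, with ${PEER_EXTRA_ALLOWEDIPS} in place of ${!SERVER_ALLOWEDIPS} …
```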
From 0101801b4666889e3813c805729560f978b5e38f Mon Sep 17 00:00:00 2001
From: aptalca
Date: Thu, 28 Oct 2021 15:04:25 -0400
Subject: [PATCH 6/7] update changelog
---
 README.md | 1 +
 readme-vars.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 8636e04..7dbe263 100644
--- a/README.md
+++ b/README.md
@@ -309,6 +309,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **28.11.21:** - Add site-to-site vpn support.
 * **11.02.21:** - Fix bug related to changing internal subnet and named peer confs not updating.
 * **06.10.20:** - Disable CoreDNS in client mode, or if port 53 is already in use in server mode.
 * **04.10.20:** - Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart
diff --git a/readme-vars.yml b/readme-vars.yml
index 2b5e74f..5e31b3b 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -120,6 +120,7 @@ app_setup_block: |
 # changelog
 changelogs:
+ - { date: "28.11.21:", desc: "Add site-to-site vpn support." }
 - { date: "11.02.21:", desc: "Fix bug related to changing internal subnet and named peer confs not updating." }
 - { date: "06.10.20:", desc: "Disable CoreDNS in client mode, or if port 53 is already in use in server mode." }
 - { date: "04.10.20:", desc: "Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart" }
From ae7266b8af6ad2aa892e64616a6a24dd559bf125 Mon Sep 17 00:00:00 2001
From: aptalca
Date: Thu, 28 Oct 2021 15:05:13 -0400
Subject: [PATCH 7/7] fix typo
---
 README.md | 2 +-
 readme-vars.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 7dbe263..c5a1f4c 100644
--- a/README.md
+++ b/README.md
@@ -309,7 +309,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
-* **28.11.21:** - Add site-to-site vpn support.
+* **28.10.21:** - Add site-to-site vpn support.
 * **11.02.21:** - Fix bug related to changing internal subnet and named peer confs not updating.
 * **06.10.20:** - Disable CoreDNS in client mode, or if port 53 is already in use in server mode.
 * **04.10.20:** - Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart
diff --git a/readme-vars.yml b/readme-vars.yml
index 5e31b3b..1146346 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -120,7 +120,7 @@ app_setup_block: |
 # changelog
 changelogs:
- - { date: "28.11.21:", desc: "Add site-to-site vpn support." }
+ - { date: "28.10.21:", desc: "Add site-to-site vpn support." }
 - { date: "11.02.21:", desc: "Fix bug related to changing internal subnet and named peer confs not updating." }
 - { date: "06.10.20:", desc: "Disable CoreDNS in client mode, or if port 53 is already in use in server mode." }
 - { date: "04.10.20:", desc: "Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart" }