Added Auto Config Creation
Reimplemented Automatic Wireguard Configuration Generation Setting global Env Vars via the docker image build is still insecure, better to pass to dashboard before init.pull/334/head
Noxcis
parent
acf4f3fbf0
commit
2d5796d161
14
Dockerfile
14
Dockerfile
|
|
@ -3,22 +3,22 @@ FROM alpine:latest
|
|||
LABEL maintainer="dselen@nerthus.nl"
|
||||
ENV PYTHONPATH="/usr/bin/python"
|
||||
|
||||
WORKDIR /home/app
|
||||
WORKDIR /opt/wireguarddashboard/src
|
||||
RUN apk update && \
|
||||
apk add --no-cache py3-bcrypt py3-psutil && \
|
||||
apk add --no-cache wireguard-tools && \
|
||||
apk add --no-cache net-tools iproute2 iptables ip6tables && \
|
||||
apk add --no-cache inotify-tools procps openresolv && \
|
||||
mkdir /home/app/master-key
|
||||
mkdir /opt/wireguarddashboard/src/master-key
|
||||
|
||||
COPY ./src /home/app
|
||||
COPY ./docker/wgd.sh /home/app/
|
||||
COPY ./docker/requirements.txt /home/app/
|
||||
COPY ./src /opt/wireguarddashboard/src/
|
||||
COPY ./docker/wgd.sh /opt/wireguarddashboard/src/
|
||||
COPY ./docker/requirements.txt /opt/wireguarddashboard/src/
|
||||
|
||||
RUN chmod u+x /home/app/entrypoint.sh
|
||||
RUN chmod u+x /opt/wireguarddashboard/src/entrypoint.sh
|
||||
|
||||
|
||||
# Defining a way for Docker to check the health of the container. In this case: checking the login URL.
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:10086/signin || exit 1
|
||||
|
||||
ENTRYPOINT ["/home/app/entrypoint.sh"]
|
||||
ENTRYPOINT ["/opt/wireguarddashboard/src/entrypoint.sh"]
|
||||
|
|
@ -7,9 +7,12 @@ services:
|
|||
- NET_ADMIN
|
||||
- SYS_MODULE
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- wg_net=10.0.0.1/24
|
||||
- wg_port=51820
|
||||
volumes:
|
||||
- wgd_configs:/etc/wireguard
|
||||
- wgd_app:/home/app
|
||||
- wgd_app:/opt/wireguarddashboard/src
|
||||
ports:
|
||||
- 10086:10086/tcp
|
||||
- 51820:51820/udp
|
||||
|
|
|
|||
|
|
@ -271,14 +271,11 @@ gunicorn_start () {
|
|||
printf "[ERROR] Gunicorn executable not found or not executable.\n"
|
||||
return 1
|
||||
fi
|
||||
|
||||
|
||||
gunicorn -c ./gunicorn.conf.py
|
||||
# line below exsits after execution when using docker
|
||||
#"$venv_gunicorn" --config ./gunicorn.conf.py &
|
||||
|
||||
sleep 5
|
||||
|
||||
start_core
|
||||
gunicorn -c ./gunicorn.conf.py
|
||||
# line below exsits after execution when using docker
|
||||
#"$venv_gunicorn" --config ./gunicorn.conf.py &
|
||||
sleep 5
|
||||
checkPIDExist=0
|
||||
while [ $checkPIDExist -eq 0 ]; do
|
||||
if test -f './gunicorn.pid'; then
|
||||
|
|
@ -289,7 +286,6 @@ gunicorn_start () {
|
|||
fi
|
||||
sleep 2
|
||||
done
|
||||
|
||||
printf "[WGDashboard] WGDashboard w/ Gunicorn started successfully\n"
|
||||
printf "%s\n" "$dashes"
|
||||
}
|
||||
|
|
@ -301,6 +297,9 @@ gunicorn_stop () {
|
|||
start_wgd () {
|
||||
_checkWireguard
|
||||
gunicorn_start
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
stop_wgd() {
|
||||
|
|
@ -344,7 +343,38 @@ update_wgd() {
|
|||
fi
|
||||
}
|
||||
|
||||
start_core () {
|
||||
local config_files=$(find /etc/wireguard -type f -name "*.conf")
|
||||
local iptable_dir="/opt/wireguarddashboard/src/iptable-rules"
|
||||
|
||||
newconf_wgd
|
||||
find /etc/wireguard -type f -name "*.conf" -exec chmod 600 {} \;
|
||||
find "$iptable_dir" -type f -name "*.sh" -exec chmod +x {} \;
|
||||
|
||||
|
||||
for file in $config_files; do
|
||||
config_name=$(basename "$file" ".conf")
|
||||
{ date; wg-quick up "$config_name"; printf "\n\n"; } >> /opt/wireguarddashboard/src/log/install.txt 2>&1
|
||||
done
|
||||
}
|
||||
|
||||
newconf_wgd() {
|
||||
local wg_port_listen=$wg_port
|
||||
local wg_addr_range=$wg_net
|
||||
private_key=$(wg genkey)
|
||||
public_key=$(echo "$private_key" | wg pubkey)
|
||||
cat <<EOF >"/etc/wireguard/wg0.conf"
|
||||
[Interface]
|
||||
PrivateKey = $private_key
|
||||
Address = $wg_addr_range
|
||||
ListenPort = $wg_port_listen
|
||||
SaveConfig = true
|
||||
PostUp = /opt/wireguarddashboard/src/iptable-rules/postup.sh
|
||||
PreDown = /opt/wireguarddashboard/src/iptable-rules/postdown.sh
|
||||
|
||||
|
||||
EOF
|
||||
}
|
||||
|
||||
if [ "$#" != 1 ];
|
||||
then
|
||||
|
|
|
|||
|
|
@ -19,9 +19,9 @@ ensure_blocking() {
|
|||
echo "Ensuring container continuation."
|
||||
|
||||
# This function checks if the latest error log is created and tails it for docker logs uses.
|
||||
if find "/home/app/wireguarddashboard/app/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
|
||||
latestErrLog=$(find /home/app/wireguarddashboard/app/log -name "error_*.log" | head -n 1)
|
||||
latestAccLog=$(find /home/app/wireguarddashboard/app/log -name "access_*.log" | head -n 1)
|
||||
if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
|
||||
latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1)
|
||||
latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1)
|
||||
tail -f "${latestErrLog}" "${latestAccLog}"
|
||||
fi
|
||||
|
||||
|
|
@ -32,10 +32,10 @@ ensure_blocking() {
|
|||
# Execute functions for the WireGuard Dashboard services, then set the environment variables
|
||||
clean_up
|
||||
|
||||
chmod u+x /home/app/wgd.sh
|
||||
if [ ! -f "/home/app/wg-dashboard.ini" ]; then
|
||||
/home/app/wgd.sh install
|
||||
chmod u+x /opt/wireguarddashboard/src/wgd.sh
|
||||
if [ ! -f "/opt/wireguarddashboard/src/wg-dashboard.ini" ]; then
|
||||
/opt/wireguarddashboard/src/wgd.sh install
|
||||
|
||||
fi
|
||||
/home/app/wgd.sh start
|
||||
/opt/wireguarddashboard/src/wgd.sh start
|
||||
ensure_blocking
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
#!/bin/bash
|
||||
WIREGUARD_INTERFACE=ADMINS
|
||||
WIREGUARD_LAN=10.0.0.1/24
|
||||
MASQUERADE_INTERFACE=eth0
|
||||
|
||||
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
|
||||
|
||||
iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
|
||||
|
||||
# Remove and delete the WIREGUARD_wg0 chain
|
||||
iptables -D FORWARD -j $CHAIN_NAME
|
||||
iptables -F $CHAIN_NAME
|
||||
iptables -X $CHAIN_NAME
|
||||
|
|
@ -0,0 +1,26 @@
|
|||
#!/bin/bash
|
||||
WIREGUARD_INTERFACE=ADMINS
|
||||
WIREGUARD_LAN=10.0.0.1/24
|
||||
MASQUERADE_INTERFACE=eth0
|
||||
|
||||
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
|
||||
|
||||
# Add a WIREGUARD_wg0 chain to the FORWARD chain
|
||||
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
|
||||
iptables -N $CHAIN_NAME
|
||||
iptables -A FORWARD -j $CHAIN_NAME
|
||||
|
||||
# Accept related or established traffic
|
||||
iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
# Accept traffic from any Wireguard IP address connected to the Wireguard server
|
||||
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT
|
||||
|
||||
# Allow traffic to the local loopback interface
|
||||
iptables -A $CHAIN_NAME -o lo -j ACCEPT
|
||||
|
||||
# Drop everything else coming through the Wireguard interface
|
||||
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
|
||||
|
||||
# Return to FORWARD chain
|
||||
iptables -A $CHAIN_NAME -j RETURN
|
||||
Loading…
Reference in New Issue