From 2d5796d161117c03b97b0f628165e68e19d0c4ef Mon Sep 17 00:00:00 2001
From: Noxcis
Date: Fri, 23 Aug 2024 16:49:54 -0500
Subject: [PATCH] Added Auto Config Creation Reimplemented Automatic Wireguard Configuration Generation Setting global Env Vars via the docker image build is still insecure, better to pass to dashboard before init.
---
 Dockerfile | 14 +++++-----
 compose.yaml | 5 +++-
 docker/wgd.sh | 48 ++++++++++++++++++++++++++++-------
 src/entrypoint.sh | 14 +++++-----
 src/iptable-rules/postdown.sh | 13 ++++++++++
 src/iptable-rules/postup.sh | 26 +++++++++++++++++++
 6 files changed, 96 insertions(+), 24 deletions(-)
 create mode 100644 src/iptable-rules/postdown.sh
 create mode 100644 src/iptable-rules/postup.sh
diff --git a/Dockerfile b/Dockerfile
index 73da4cc..c520706 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,22 +3,22 @@ FROM alpine:latest
 LABEL maintainer="dselen@nerthus.nl"
 ENV PYTHONPATH="/usr/bin/python"
-WORKDIR /home/app
+WORKDIR /opt/wireguarddashboard/src
 RUN apk update && \
 apk add --no-cache py3-bcrypt py3-psutil && \
 apk add --no-cache wireguard-tools && \
 apk add --no-cache net-tools iproute2 iptables ip6tables && \
 apk add --no-cache inotify-tools procps openresolv && \
- mkdir /home/app/master-key
+ mkdir /opt/wireguarddashboard/src/master-key
-COPY ./src /home/app
-COPY ./docker/wgd.sh /home/app/
-COPY ./docker/requirements.txt /home/app/
+COPY ./src /opt/wireguarddashboard/src/
+COPY ./docker/wgd.sh /opt/wireguarddashboard/src/
+COPY ./docker/requirements.txt /opt/wireguarddashboard/src/
-RUN chmod u+x /home/app/entrypoint.sh
+RUN chmod u+x /opt/wireguarddashboard/src/entrypoint.sh
 # Defining a way for Docker to check the health of the container. In this case: checking the login URL.
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:10086/signin || exit 1
-ENTRYPOINT ["/home/app/entrypoint.sh"]
\ No newline at end of file
+ENTRYPOINT ["/opt/wireguarddashboard/src/entrypoint.sh"]
\ No newline at end of file
diff --git a/compose.yaml b/compose.yaml
index 7003626..a75ef45 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -7,9 +7,12 @@ services:
 - NET_ADMIN
 - SYS_MODULE
 restart: unless-stopped
+ environment:
+ - wg_net=10.0.0.1/24
+ - wg_port=51820
 volumes:
 - wgd_configs:/etc/wireguard
- - wgd_app:/home/app
+ - wgd_app:/opt/wireguarddashboard/src
 ports:
 - 10086:10086/tcp
 - 51820:51820/udp
diff --git a/docker/wgd.sh b/docker/wgd.sh
index 624e9de..f0556cc 100644
--- a/docker/wgd.sh
+++ b/docker/wgd.sh
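Review bot: The `wgd_app` volume keeps its name but its mount point moves from `/home/app` to `/opt/wireguarddashboard/src`, which is exactly the directory the Dockerfile now COPYs the application into; on an existing deployment the old volume's contents would be mounted over the new image's code, hiding the rewritten wgd.sh and the new iptable-rules scripts, and on any deployment a later image update will not refresh what the volume already holds. Either give the volume a new name or stop mounting a named volume over the application directory, and state the migration step in the commit description. `wg_net=10.0.0.1/24` and `wg_port=51820` are consumed verbatim by newconf_wgd in docker/wgd.sh, but postup.sh/postdown.sh hard-code WIREGUARD_LAN=10.0.0.1/24 and the published `51820:51820/udp` mapping repeats the port, so changing either value here alone produces a silent mismatch; a comment such as `# keep in sync with ports: below and WIREGUARD_LAN in src/iptable-rules/*.sh` next to the two variables would at least flag it. Exported environment names are conventionally upper-case (`WG_NET`, `WG_PORT`).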
@@ -271,14 +271,11 @@ gunicorn_start () {
 printf "[ERROR] Gunicorn executable not found or not executable.\n"
 return 1
 fi
-
-
- gunicorn -c ./gunicorn.conf.py
- # line below exsits after execution when using docker
- #"$venv_gunicorn" --config ./gunicorn.conf.py &
-
- sleep 5
-
+ start_core
+ gunicorn -c ./gunicorn.conf.py
+ # line below exsits after execution when using docker
+ #"$venv_gunicorn" --config ./gunicorn.conf.py &
+ sleep 5
 checkPIDExist=0
 while [ $checkPIDExist -eq 0 ]; do
 if test -f './gunicorn.pid'; then
@@ -289,7 +286,6 @@ gunicorn_start () {
 fi
 sleep 2
 done
-
 printf "[WGDashboard] WGDashboard w/ Gunicorn started successfully\n"
 printf "%s\n" "$dashes"
 }
@@ -301,6 +297,9 @@ gunicorn_stop () {
 start_wgd () {
 _checkWireguard
 gunicorn_start
+
+
+
 }
 stop_wgd() {
@@ -344,7 +343,38 @@ update_wgd() {
 fi
 }
+start_core () {
+ local config_files=$(find /etc/wireguard -type f -name "*.conf")
+ local iptable_dir="/opt/wireguarddashboard/src/iptable-rules"
+ newconf_wgd
+ find /etc/wireguard -type f -name "*.conf" -exec chmod 600 {} \;
+ find "$iptable_dir" -type f -name "*.sh" -exec chmod +x {} \;
+
+
+ for file in $config_files; do
+ config_name=$(basename "$file" ".conf")
+ { date; wg-quick up "$config_name"; printf "\n\n"; } >> /opt/wireguarddashboard/src/log/install.txt 2>&1
+ done
+}
+
+newconf_wgd() {
+ local wg_port_listen=$wg_port
+ local wg_addr_range=$wg_net
+ private_key=$(wg genkey)
+ public_key=$(echo "$private_key" | wg pubkey)
+ cat <"/etc/wireguard/wg0.conf"
+[Interface]
+PrivateKey = $private_key
+Address = $wg_addr_range
+ListenPort = $wg_port_listen
+SaveConfig = true
+PostUp = /opt/wireguarddashboard/src/iptable-rules/postup.sh
+PreDown = /opt/wireguarddashboard/src/iptable-rules/postdown.sh
+
+
+EOF
+}
 if [ "$#" != 1 ]; then
diff --git a/src/entrypoint.sh b/src/entrypoint.sh
index 4f71815..6c79033 100644
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
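Review bot: start_core calls newconf_wgd unconditionally, so every `wgd.sh start` (every container restart, via entrypoint.sh) rewrites /etc/wireguard/wg0.conf with a freshly generated private key and discards the peers that `SaveConfig = true` has persisted into it; guard it with `[ -f /etc/wireguard/wg0.conf ] || newconf_wgd`. `config_files` is also captured before newconf_wgd runs, so on the very first start the just-created wg0.conf is never brought up, the unquoted `$config_files` word-splits, and `local var=$(cmd)` hides find's exit status. In newconf_wgd the key file is written under the default umask and only chmod'ed to 600 afterwards, `private_key`/`public_key` leak into global scope with `public_key` never used, and `cat <"/etc/wireguard/wg0.conf"` as rendered here is an input redirect that cannot create the file — presumably a `cat <<EOF >"…"` heredoc mangled in rendering, worth confirming against the raw file. The rewrite below addresses these; the earlier hunks of this file (the `start_core` call in gunicorn_start, the blank lines in start_wgd) need no change beyond checking start_core's return status.
```shell
start_core () {
  local iptable_dir="/opt/wireguarddashboard/src/iptable-rules"
  # Generate wg0.conf only once: re-running newconf_wgd would replace the
  # private key and drop the peers that SaveConfig=true has written into it.
  [ -f /etc/wireguard/wg0.conf ] || newconf_wgd || return 1
  find /etc/wireguard -type f -name "*.conf" -exec chmod 600 {} \;
  find "$iptable_dir" -type f -name "*.sh" -exec chmod +x {} \;
  # Enumerate after newconf_wgd so a freshly created wg0.conf is brought up too.
  for file in /etc/wireguard/*.conf; do
    [ -e "$file" ] || continue
    config_name=$(basename "$file" ".conf")
    { date; wg-quick up "$config_name"; printf "\n\n"; } >> /opt/wireguarddashboard/src/log/install.txt 2>&1
  done
}

newconf_wgd() {
  # Fail loudly instead of emitting a config with an empty Address/ListenPort.
  local wg_port_listen="${wg_port:?wg_port must be set}"
  local wg_addr_range="${wg_net:?wg_net must be set}"
  local private_key
  private_key=$(wg genkey) || return 1
  # Subshell umask: the private key never sits on disk with wider permissions.
  (
    umask 077
    cat <<EOF >"/etc/wireguard/wg0.conf"
[Interface]
PrivateKey = $private_key
Address = $wg_addr_range
ListenPort = $wg_port_listen
SaveConfig = true
PostUp = /opt/wireguarddashboard/src/iptable-rules/postup.sh
PreDown = /opt/wireguarddashboard/src/iptable-rules/postdown.sh
EOF
  )
}
```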
@@ -19,9 +19,9 @@ ensure_blocking() {
 echo "Ensuring container continuation."
 # This function checks if the latest error log is created and tails it for docker logs uses.
- if find "/home/app/wireguarddashboard/app/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
- latestErrLog=$(find /home/app/wireguarddashboard/app/log -name "error_*.log" | head -n 1)
- latestAccLog=$(find /home/app/wireguarddashboard/app/log -name "access_*.log" | head -n 1)
+ if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
+ latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1)
+ latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1)
 tail -f "${latestErrLog}" "${latestAccLog}"
 fi
@@ -32,10 +32,10 @@ ensure_blocking() {
 # Execute functions for the WireGuard Dashboard services, then set the environment variables
 clean_up
-chmod u+x /home/app/wgd.sh
-if [ ! -f "/home/app/wg-dashboard.ini" ]; then
- /home/app/wgd.sh install
+chmod u+x /opt/wireguarddashboard/src/wgd.sh
+if [ ! -f "/opt/wireguarddashboard/src/wg-dashboard.ini" ]; then
+ /opt/wireguarddashboard/src/wgd.sh install
 fi
-/home/app/wgd.sh start
+/opt/wireguarddashboard/src/wgd.sh start
 ensure_blocking
diff --git a/src/iptable-rules/postdown.sh b/src/iptable-rules/postdown.sh
new file mode 100644
index 0000000..962772a
--- /dev/null
+++ b/src/iptable-rules/postdown.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+WIREGUARD_INTERFACE=ADMINS
+WIREGUARD_LAN=10.0.0.1/24
+MASQUERADE_INTERFACE=eth0
+
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+
+iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
+
+# Remove and delete the WIREGUARD_wg0 chain
+iptables -D FORWARD -j $CHAIN_NAME
+iptables -F $CHAIN_NAME
+iptables -X $CHAIN_NAME
\ No newline at end of file
diff --git a/src/iptable-rules/postup.sh b/src/iptable-rules/postup.sh
new file mode 100644
index 0000000..0fc8b87
--- /dev/null
+++ b/src/iptable-rules/postup.sh
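Review bot: `WIREGUARD_INTERFACE=ADMINS` does not name the interface this commit creates — newconf_wgd in docker/wgd.sh writes /etc/wireguard/wg0.conf, so wg-quick brings up `wg0` — and postup.sh hard-codes the same value, so every `-i`/`-o $WIREGUARD_INTERFACE` rule there matches nothing on the real tunnel while the chain name still derives from it. wg-quick expands `%i` to the interface name in PostUp/PreDown, so `PreDown = /opt/wireguarddashboard/src/iptable-rules/postdown.sh %i` in the generated config together with `WIREGUARD_INTERFACE=${1:?interface name required}` here (and the matching change in postup.sh) keeps the three places in step. `WIREGUARD_LAN=10.0.0.1/24` and `MASQUERADE_INTERFACE=eth0` are likewise hard-coded even though wg_net is now supplied through the compose environment, and the comment says `WIREGUARD_wg0 chain` although the chain is `WIREGUARD_$WIREGUARD_INTERFACE`. Quote the expansions (`"$CHAIN_NAME"`, `"$WIREGUARD_LAN"`, `"$MASQUERADE_INTERFACE"`) as well.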
@@ -0,0 +1,26 @@
+#!/bin/bash
+WIREGUARD_INTERFACE=ADMINS
+WIREGUARD_LAN=10.0.0.1/24
+MASQUERADE_INTERFACE=eth0
+
+iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
+
+# Add a WIREGUARD_wg0 chain to the FORWARD chain
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+iptables -N $CHAIN_NAME
+iptables -A FORWARD -j $CHAIN_NAME
+
+# Accept related or established traffic
+iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept traffic from any Wireguard IP address connected to the Wireguard server
+iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT
+
+# Allow traffic to the local loopback interface
+iptables -A $CHAIN_NAME -o lo -j ACCEPT
+
+# Drop everything else coming through the Wireguard interface
+iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
+
+# Return to FORWARD chain
+iptables -A $CHAIN_NAME -j RETURN
\ No newline at end of file
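Review bot: `iptables -N $CHAIN_NAME` and `iptables -A FORWARD -j $CHAIN_NAME` are not idempotent: if the container stops without PreDown running, the chain is still present on the next PostUp, `-N` fails, and every following `-A` appends a second copy of each rule plus a second FORWARD jump. Use `iptables -N "$CHAIN_NAME" 2>/dev/null || iptables -F "$CHAIN_NAME"` and `iptables -C FORWARD -j "$CHAIN_NAME" 2>/dev/null || iptables -A FORWARD -j "$CHAIN_NAME"` so a re-run converges to the same ruleset. The whole chain depends on `-i`/`-o $WIREGUARD_INTERFACE` naming the real tunnel, and with the hard-coded `ADMINS` (the same value as in postdown.sh) while newconf_wgd generates wg0.conf, the only rules that can match are `-o lo` and `RETURN`, so whether tunnel traffic is forwarded at all falls back to the FORWARD policy rather than to the `DROP` this file intends. There is also no `set -e`, so a failed iptables call leaves a half-applied ruleset while wg-quick reports the interface as up.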