diff --git a/docker/Dockerfile b/docker/Dockerfile
index 479681e..a52e29f 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -23,19 +23,11 @@ ENV WGDASH=/opt/wireguarddashboard
 # Doing package management operations, such as upgrading
 RUN apt-get update && apt-get install -y --no-install-recommends \
- curl \
- git \
- iproute2 \
- iptables \
- iputils-ping \
- openresolv \
- procps \
- python3 \
- python3-pip \
- python3-venv \
- traceroute \
- wireguard \
- wireguard-tools \
+ curl git iproute2 \
+ iptables iputils-ping \
+ openresolv procps traceroute \
+ python3 python3-pip python3-venv \
+ wireguard wireguard-tools \
 sudo && \
 apt-get remove -y linux-image-* && \
 apt-get autoremove -y && \
@@ -55,18 +47,16 @@ VOLUME ${WGDASH}
 # Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency.
 # Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006.
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-RUN wg genkey | tee /etc/wireguard/wg0_privatekey \
- && echo "[Interface]" > /setup/conf/wg0.conf \
+RUN echo "[Interface]" > /setup/conf/wg0.conf \
 && echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \
- && echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /setup/conf/wg0.conf \
+ && echo "PrivateKey =" >> /setup/conf/wg0.conf \
 && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
 && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
 && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
 && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
 && echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \
 && echo "SaveConfig = true" >> /setup/conf/wg0.conf \
- && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf \
- && rm /etc/wireguard/wg0_privatekey
+ && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf
 # Defining a way for Docker to check the health of the container. In this case: checking the login URL.
 HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \
diff --git a/docker/README.md b/docker/README.md
index 65825dd..e31933e 100644
--- a/docker/README.md
+++ b/docker/README.md
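Review bot: The new `+ && echo "PrivateKey =" >> /setup/conf/wg0.conf` line leaves the baked template without a key, and nothing in the Dockerfile says who fills it in, so the next reader may treat /setup/conf/wg0.conf as a complete config or re-add the build-time `wg genkey` this commit removes. I'd add a comment above the RUN: `# PrivateKey is left empty on purpose: the image must never ship a key; entrypoint.sh generates one on first boot when it copies this template.` While here: the `$(ip -o -4 route show to default | awk '{print $NF}')` in the PostUp/PreDown lines is expanded by the build shell, so the MASQUERADE rule hard-codes whichever interface was the default route inside the build container rather than the one present at runtime, which is worth a comment or a move to the entrypoint as well.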
@@ -76,7 +76,7 @@ So go to the assign TCP port in this case HTTP, like the default 10086 one in th
 | tz | Europe/Amsterdam or any confirming timezone notation. | `Europe/Amsterdam` | `America/New_York` | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. |
 | global_dns | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9). | `1.1.1.1` | `8.8.8.8` or any IP-Address that resolves DNS-names, and of course is reachable | Set the default DNS given to clients once they connect to the WireGuard tunnel, and for new peers, set to Cloudflare DNS for reliability.
 | enable | Anything, preferably an existing WireGuard interface name. | `none` | `wg0,wg2,wg13` | Enables or disables the starting of the WireGuard interface on container 'boot-up'.
-| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package).
+| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=none` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package).
 | public_ip | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | `23.50.131.156` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. This happends because it is inside a Docker/Kubernetes container.
In or outside of NAT is not relevant as long as the given IP-address is reachable from the internet or the target network.
 ## Be careful with:
diff --git a/docker/compose.yaml b/docker/compose.yaml
index 6d4f2bd..a921a23 100644
--- a/docker/compose.yaml
+++ b/docker/compose.yaml
@@ -1,6 +1,6 @@
 services:
 wireguard-dashboard:
- image: dselen/wgdashboard:latest
+ image: dselen/wgdashboard:dev
 restart: unless-stopped
 container_name: wgdashboard
 environment:
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index b3595b8..02e51c6 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -26,8 +26,14 @@ ensure_installation() {
 if [ ! -f "/etc/wireguard/wg0.conf" ]; then
 echo "Standard wg0 Configuration file not found, grabbing template."
 cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf"
+
+ echo "Setting a secure private key."
+ local privateKey=$(wg genkey)
+ sed -i "s|^PrivateKey =$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
+ sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
+ echo "Done setting template."
 else
- echo "Standard wg0 Configuration file found, using that."
+ echo "Existing wg0 configuration file found, using that."
 fi
 }
@@ -58,6 +64,11 @@ clean_up() {
 else
 echo "No pycaches found, continuing."
 fi
+
+ local logdir="${WGDASH}/src/log"
+ echo "Cleaning log directory."
+ rm ${logdir}/access_*.log ${logdir}/error_*.log
+ echo "Removed unneeded logs!"
 }
 #update_checker() {
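Review bot: The freshly generated key is written into /etc/wireguard/wg0.conf while that file still has whatever mode `cp` gave it from the template, and the only `chmod 600` in this script (in start_core) runs later, only for interfaces listed in `enable`, and only when the mode is exactly 644; `local privateKey=$(wg genkey)` also hides a failing `wg genkey`, in which case the second `sed` writes an empty `PrivateKey =` and the problem only surfaces when wg-quick rejects the config. The second sed's pattern `^PrivateKey *=.*$` already matches everything the first one does, so one substitution is enough (the `|` delimiter is safe, base64 never contains `|` or `&`). I'd restrict the file before writing the key and fail loudly if generation fails; ensure_installation's opening line is outside this hunk.
```shell
cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf"
# The file is about to hold a private key: restrict it before, not after.
chmod 600 /etc/wireguard/wg0.conf

echo "Setting a secure private key."
local privateKey
privateKey=$(wg genkey) || { echo "wg genkey failed, refusing to continue with an empty key." >&2; return 1; }
sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|" /etc/wireguard/wg0.conf
echo "Done setting template."
# … unchanged: else branch and closing fi …
```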
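Review bot: `rm ${logdir}/access_*.log ${logdir}/error_*.log` exits non-zero whenever either glob matches nothing (first boot, or after a previous start already removed them), which aborts the entrypoint if `set -e` is in effect and otherwise just prints a spurious error; the paths are also unquoted and not guarded against an unset `WGDASH`, which would turn them into `/src/log/...`. From an operations angle, deleting the dashboard's access and error logs on every container start throws away exactly the evidence wanted after an incident, so this should be opt-in or rotate instead of delete. Minimal fix: `local logdir="${WGDASH:?}/src/log"` and `rm -f -- "${logdir}"/access_*.log "${logdir}"/error_*.log`. clean_up begins outside this hunk.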
@@ -135,17 +146,22 @@ start_core() {
 # Isolating the matches.
 for interface in "${do_isolate[@]}"; do
- if [ -f "/etc/wireguard/${interface}.conf" ]; then
- echo "Isolating interface:" $interface
- upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
- downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
-
- if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
- sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
- sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
- fi
+ if [ "$interface" = "none" ]; then
+ echo "Found: $interface, stopping isolation checking."
+ break
 else
- echo "Configuration for $interface does not seem to exist, continuing."
+ if [ -f "/etc/wireguard/${interface}.conf" ]; then
+ echo "Isolating interface:" $interface
+ upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
+ downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
+
+ if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
+ sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
+ sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
+ fi
+ else
+ echo "Configuration for $interface does not seem to exist, continuing."
+ fi
 fi
 done
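Review bot: The re-added `if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]` only inserts the DROP rules when both are missing, so a config that has one of the two lines but not the other is left as it is: either isolation silently stays off, or a FORWARD DROP rule is added on `wg-quick up` and never removed on down. The two checks should be independent. `$interface` also comes straight from the `isolate` environment variable and is spliced into a sed `a` command and into a PostUp line that wg-quick later runs through the shell; the operator already controls those files, so this is not a privilege boundary, but validating the name before touching the file keeps an unexpected value from becoming part of an iptables rule. start_core starts and ends outside this hunk.
```shell
# … unchanged: "none" sentinel and break …
if [[ ! "$interface" =~ ^[A-Za-z0-9_=+.-]{1,15}$ ]]; then
  echo "Refusing to isolate '$interface': not a valid interface name." >&2
  continue
fi
if [ -f "/etc/wireguard/${interface}.conf" ]; then
  # … unchanged: echo and the two grep -c counts …
  if [ "$upblocking" -lt 1 ]; then
    sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" "/etc/wireguard/${interface}.conf"
  fi
  if [ "$downblocking" -lt 1 ]; then
    sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" "/etc/wireguard/${interface}.conf"
  fi
# … unchanged: else branch for a missing config, closing fi …
```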
@@ -164,18 +180,23 @@ start_core() {
 IFS=',' read -r -a enable_array <<< "${enable}"
 for interface in "${enable_array[@]}"; do
- echo "Enabling interface:" $interface
-
- local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf)
- if [ $fileperms -eq 644 ]; then
- echo "Configuration is world accessible, adjusting."
- chmod 600 "/etc/wireguard/${interface}.conf"
- fi
-
- if [ -f "/etc/wireguard/${interface}.conf" ]; then
- wg-quick up $interface
+ if [ "$interface" = "none" ]; then
+ echo "Found: $interface, stopping enabling checking."
+ break
 else
- echo "No corresponding configuration file found for $interface doing nothing."
+ echo "Enabling interface:" $interface
+
+ local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf)
+ if [ $fileperms -eq 644 ]; then
+ echo "Configuration is world accessible, adjusting."
+ chmod 600 "/etc/wireguard/${interface}.conf"
+ fi
+
+ if [ -f "/etc/wireguard/${interface}.conf" ]; then
+ wg-quick up $interface
+ else
+ echo "No corresponding configuration file found for $interface doing nothing."
+ fi
 fi
 done
 }
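Review bot: In the re-added block `stat -c "%a"` and `[ $fileperms -eq 644 ]` still run before the `-f` check, so for a name in `enable` with no config file stat fails, `$fileperms` is empty and `[` prints "unary operator expected" before the intended "No corresponding configuration file" message; the chmod also fires only on exactly 644, leaving 640, 664 or 755 untouched although the file holds the private key. I would test existence first, make the mode unconditional, and check the exit status of `wg-quick up`, which currently fails silently. start_core starts outside this hunk.
```shell
# … unchanged: "none" sentinel and break …
if [ ! -f "/etc/wireguard/${interface}.conf" ]; then
  echo "No corresponding configuration file found for $interface doing nothing."
  continue
fi
echo "Enabling interface:" "$interface"
# The config carries the private key: keep it owner-only whatever mode it arrived with.
chmod 600 "/etc/wireguard/${interface}.conf"
wg-quick up "$interface" || echo "wg-quick up $interface failed." >&2
```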