modified all and patched security vulnerability issue #333

This commit is contained in:
Dselen 2024-08-22 16:31:47 -05:00
parent 4b8b3acd39
commit 2e9ac00a42
4 changed files with 53 additions and 42 deletions


@ -23,19 +23,11 @@ ENV WGDASH=/opt/wireguarddashboard
# Doing package management operations, such as upgrading # Doing package management operations, such as upgrading
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
curl \ curl git iproute2 \
git \ iptables iputils-ping \
iproute2 \ openresolv procps traceroute \
iptables \ python3 python3-pip python3-venv \
iputils-ping \ wireguard wireguard-tools \
openresolv \
procps \
python3 \
python3-pip \
python3-venv \
traceroute \
wireguard \
wireguard-tools \
sudo && \ sudo && \
apt-get remove -y linux-image-* && \ apt-get remove -y linux-image-* && \
apt-get autoremove -y && \ apt-get autoremove -y && \
@ -55,18 +47,16 @@ VOLUME ${WGDASH}
# Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency. # Generate basic WireGuard interface. Echoing the WireGuard interface config for readability, adjust if you want it for efficiency.
# Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006. # Also setting the pipefail option, verbose: https://github.com/hadolint/hadolint/wiki/DL4006.
SHELL ["/bin/bash", "-o", "pipefail", "-c"] SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wg genkey | tee /etc/wireguard/wg0_privatekey \ RUN echo "[Interface]" > /setup/conf/wg0.conf \
&& echo "[Interface]" > /setup/conf/wg0.conf \
&& echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \ && echo "Address = ${wg_net}/24" >> /setup/conf/wg0.conf \
&& echo "PrivateKey = $(cat /etc/wireguard/wg0_privatekey)" >> /setup/conf/wg0.conf \ && echo "PrivateKey =" >> /setup/conf/wg0.conf \
&& echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ && echo "PostUp = iptables -t nat -I POSTROUTING 1 -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
&& echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ && echo "PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
&& echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \ && echo "PreDown = iptables -t nat -D POSTROUTING -s ${wg_net}/24 -o $(ip -o -4 route show to default | awk '{print $NF}') -j MASQUERADE" >> /setup/conf/wg0.conf \
&& echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \ && echo "PreDown = iptables -D FORWARD -i wg0 -o wg0 -j DROP" >> /setup/conf/wg0.conf \
&& echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \ && echo "ListenPort = ${wg_port}" >> /setup/conf/wg0.conf \
&& echo "SaveConfig = true" >> /setup/conf/wg0.conf \ && echo "SaveConfig = true" >> /setup/conf/wg0.conf \
&& echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf \ && echo "DNS = ${global_dns}" >> /setup/conf/wg0.conf
&& rm /etc/wireguard/wg0_privatekey
# Defining a way for Docker to check the health of the container. In this case: checking the login URL. # Defining a way for Docker to check the health of the container. In this case: checking the login URL.
HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \ HEALTHCHECK --interval=2m --timeout=1m --start-period=5s --retries=3 \
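Review bot: The `PostUp`/`PreDown` echo lines on the new side still resolve `$(ip -o -4 route show to default | awk '{print $NF}')` while the image is built, so the egress interface baked into `/setup/conf/wg0.conf` is the build container's default interface, not the one a running container sees; this predates the commit, but since the template is now completed at first start anyway, that value could be substituted in the entrypoint the same way the key now is. The new `echo "PrivateKey =" >> /setup/conf/wg0.conf` deserves a comment saying the blank value is deliberate, e.g. `# PrivateKey is intentionally left empty: the entrypoint generates one per container so no key ships in the image.`, because a reader of the Dockerfile alone cannot tell it apart from a bug. The HEALTHCHECK instruction at the end of the hunk continues outside it.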


@ -76,7 +76,7 @@ So go to the assign TCP port in this case HTTP, like the default 10086 one in th
| tz | Europe/Amsterdam or any confirming timezone notation. | `Europe/Amsterdam` | `America/New_York` | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. | | tz | Europe/Amsterdam or any confirming timezone notation. | `Europe/Amsterdam` | `America/New_York` | Sets the timezone of the Docker container. This is to timesync the container to any other processes which would need it. |
| global_dns | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9). | `1.1.1.1` | `8.8.8.8` or any IP-Address that resolves DNS-names, and of course is reachable | Set the default DNS given to clients once they connect to the WireGuard tunnel, and for new peers, set to Cloudflare DNS for reliability. | global_dns | Any IPv4 address, such as my personal recommendation: 9.9.9.9 (QUAD9). | `1.1.1.1` | `8.8.8.8` or any IP-Address that resolves DNS-names, and of course is reachable | Set the default DNS given to clients once they connect to the WireGuard tunnel, and for new peers, set to Cloudflare DNS for reliability.
| enable | Anything, preferably an existing WireGuard interface name. | `none` | `wg0,wg2,wg13` | Enables or disables the starting of the WireGuard interface on container 'boot-up'. | enable | Anything, preferably an existing WireGuard interface name. | `none` | `wg0,wg2,wg13` | Enables or disables the starting of the WireGuard interface on container 'boot-up'.
| isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package). | isolate | Anything, preferably an existing WireGuard interface name. | `wg0` | `wg1,wg0` | For security premade `wg0` interface comes with this feature enabled by default. Declaring `isolate=none` in the Docker Compose file will remove this. The WireGuard interface itself IS able to reach the peers (Done through the `iptables` package).
| public_ip | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | `23.50.131.156` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. This happends because it is inside a Docker/Kubernetes container. In or outside of NAT is not relevant as long as the given IP-address is reachable from the internet or the target network. | public_ip | Any IPv4 (public recommended) address, such as the one returned by default | Default uses the return of `curl ifconfig.me` | `23.50.131.156` | To reach your VPN from outside your own network, you need WG-Dashboard to know what your public IP-address is, otherwise it will generate faulty config files for clients. This happends because it is inside a Docker/Kubernetes container. In or outside of NAT is not relevant as long as the given IP-address is reachable from the internet or the target network.
## Be careful with: ## Be careful with:


@ -1,6 +1,6 @@
services: services:
wireguard-dashboard: wireguard-dashboard:
image: dselen/wgdashboard:latest image: dselen/wgdashboard:dev
restart: unless-stopped restart: unless-stopped
container_name: wgdashboard container_name: wgdashboard
environment: environment:


@ -26,8 +26,14 @@ ensure_installation() {
if [ ! -f "/etc/wireguard/wg0.conf" ]; then if [ ! -f "/etc/wireguard/wg0.conf" ]; then
echo "Standard wg0 Configuration file not found, grabbing template." echo "Standard wg0 Configuration file not found, grabbing template."
cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf" cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf"
echo "Setting a secure private key."
local privateKey=$(wg genkey)
sed -i "s|^PrivateKey =$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|g" /etc/wireguard/wg0.conf
echo "Done setting template."
else else
echo "Standard wg0 Configuration file found, using that." echo "Existing wg0 configuration file found, using that."
fi fi
} }
@ -58,6 +64,11 @@ clean_up() {
else else
echo "No pycaches found, continuing." echo "No pycaches found, continuing."
fi fi
local logdir="${WGDASH}/src/log"
echo "Cleaning log directory."
rm ${logdir}/access_*.log ${logdir}/error_*.log
echo "Removed unneeded logs!"
} }
#update_checker() { #update_checker() {
@ -135,17 +146,22 @@ start_core() {
# Isolating the matches. # Isolating the matches.
for interface in "${do_isolate[@]}"; do for interface in "${do_isolate[@]}"; do
if [ -f "/etc/wireguard/${interface}.conf" ]; then if [ "$interface" = "none" ]; then
echo "Isolating interface:" $interface echo "Found: $interface, stopping isolation checking."
upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf) break
downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
fi
else else
echo "Configuration for $interface does not seem to exist, continuing." if [ -f "/etc/wireguard/${interface}.conf" ]; then
echo "Isolating interface:" $interface
upblocking=$(grep -c "PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
downblocking=$(grep -c "PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf)
if [ "$upblocking" -lt 1 ] && [ "$downblocking" -lt 1 ]; then
sed -i "/PostUp =/a PostUp = iptables -I FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
sed -i "/PreDown =/a PreDown = iptables -D FORWARD -i ${interface} -o ${interface} -j DROP" /etc/wireguard/${interface}.conf
fi
else
echo "Configuration for $interface does not seem to exist, continuing."
fi
fi fi
done done
@ -164,18 +180,23 @@ start_core() {
IFS=',' read -r -a enable_array <<< "${enable}" IFS=',' read -r -a enable_array <<< "${enable}"
for interface in "${enable_array[@]}"; do for interface in "${enable_array[@]}"; do
echo "Enabling interface:" $interface if [ "$interface" = "none" ]; then
echo "Found: $interface, stopping enabling checking."
local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf) break
if [ $fileperms -eq 644 ]; then
echo "Configuration is world accessible, adjusting."
chmod 600 "/etc/wireguard/${interface}.conf"
fi
if [ -f "/etc/wireguard/${interface}.conf" ]; then
wg-quick up $interface
else else
echo "No corresponding configuration file found for $interface doing nothing." echo "Enabling interface:" $interface
local fileperms=$(stat -c "%a" /etc/wireguard/${interface}.conf)
if [ $fileperms -eq 644 ]; then
echo "Configuration is world accessible, adjusting."
chmod 600 "/etc/wireguard/${interface}.conf"
fi
if [ -f "/etc/wireguard/${interface}.conf" ]; then
wg-quick up $interface
else
echo "No corresponding configuration file found for $interface doing nothing."
fi
fi fi
done done
} }
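Review bot: In ensure_installation the freshly generated key is written by `sed -i` into a file that was just created with a plain `cp`, so its mode is whatever the template copy yields (the template's mode is not visible here) and nothing in this function restricts it; the only `chmod 600` in this file, in start_core's enable loop, runs only for interfaces listed in `enable` and only when `stat` reports exactly `644`, so a `664` or `666` file keeps the key readable. A `chmod 600` directly after the copy closes that gap, and in the enable loop the test should be "anything other than 600" rather than `-eq 644`; that `stat` also runs before the `-f` existence check, so a missing file leaves `fileperms` empty and makes `[` fail. `local privateKey=$(wg genkey)` hides a failed `wg genkey` because the line's status is that of `local`, which would leave `PrivateKey = ` empty; split the declaration from the assignment. The two `sed -i` lines are redundant, since `^PrivateKey *=.*$` also matches everything `^PrivateKey =$` matches, so one suffices.
```shell
    cp "/setup/conf/wg0.conf" "/etc/wireguard/wg0.conf"
    chmod 600 "/etc/wireguard/wg0.conf"
    echo "Setting a secure private key."
    local privateKey
    privateKey=$(wg genkey) || { echo "wg genkey failed." >&2; return 1; }
    sed -i "s|^PrivateKey *=.*$|PrivateKey = ${privateKey}|" /etc/wireguard/wg0.conf
    # … unchanged: "Done setting template." message and the else branch …
```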