Archives
/
docker-wireguard
mirror of https://github.com/linuxserver/docker-wireguard
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #134 from linuxserver/site-to-site

Browse Source 
Add site to site support, update readme
pull/154/head
aptalca 3 years ago committed by GitHub
parent 373827dd04 ae7266b8af
commit 05dfef089c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 189 additions and 140 deletions
Show Stats Download Patch File Download Diff File

23
README.md
Unescape Escape View File

@ -58,11 +58,13 @@ The architectures supported by this image are:
## Application Setup
This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
This can be run as a server or a client, based on the parameters used.
@ -104,6 +106,20 @@ When routing via Wireguard from another container using the `service` option in
PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
```
## Site-to-site VPN
** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.
Site-to-site VPN in server mode requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var).
For instance `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`.
Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary.
Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access.
## Usage
Here are some example snippets to help you get started creating a container.
@ -176,7 +192,7 @@ Container images are configured using parameters passed at runtime (such as thos
| `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London |
| `-e SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
| `-e SERVERPORT=51820` | External port for docker host. Used in server mode. |
| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only) |
| `-e PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. |
| `-e INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
| `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
@ -293,6 +309,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions
* **28.10.21:** - Add site-to-site vpn support.
* **11.02.21:** - Fix bug related to changing internal subnet and named peer confs not updating.
* **06.10.20:** - Disable CoreDNS in client mode, or if port 53 is already in use in server mode.
* **04.10.20:** - Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart

24
readme-vars.yml
Unescape Escape View File

@ -44,7 +44,7 @@ opt_param_usage_include_env: true
opt_param_env_vars:
- { env_var: "SERVERURL", env_value: "wireguard.domain.com", desc: "External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically"}
- { env_var: "SERVERPORT", env_value: "51820", desc: "External port for docker host. Used in server mode."}
- { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet..."}
- { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only)"}
- { env_var: "PEERDNS", env_value: "auto", desc: "DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward."}
- { env_var: "INTERNAL_SUBNET", env_value: "10.13.13.0", desc: "Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode."}
- { env_var: "ALLOWEDIPS", env_value: "0.0.0.0/0", desc: "The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1."}
@ -55,11 +55,13 @@ optional_block_1_items: ""
# application setup block
app_setup_block_enabled: true
app_setup_block: |
This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
This can be run as a server or a client, based on the parameters used.
@ -100,9 +102,25 @@ app_setup_block: |
PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
```
## Site-to-site VPN
** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.
Site-to-site VPN in server mode requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var).
For instance `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`.
Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary.
Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access.
# changelog
changelogs:
- { date: "28.10.21:", desc: "Add site-to-site vpn support." }
- { date: "11.02.21:", desc: "Fix bug related to changing internal subnet and named peer confs not updating." }
- { date: "06.10.20:", desc: "Disable CoreDNS in client mode, or if port 53 is already in use in server mode." }
- { date: "04.10.20:", desc: "Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart" }

134
root/etc/cont-init.d/30-config → root/etc/cont-init.d/30-module
Unescape Escape View File

@ -151,137 +151,3 @@ DUDE
fi
fi
# prepare symlinks
rm -rf /etc/wireguard
mkdir -p /etc/wireguard
ln -s /config/wg0.conf /etc/wireguard/wg0.conf
# prepare templates
[[ ! -f /config/templates/server.conf ]] && \
cp /defaults/server.conf /config/templates/server.conf
[[ ! -f /config/templates/peer.conf ]] && \
cp /defaults/peer.conf /config/templates/peer.conf
generate_confs () {
mkdir -p /config/server
if [ ! -f /config/server/privatekey-server ]; then
umask 077
wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
fi
eval "`printf %s`
cat <<DUDE > /config/wg0.conf
`cat /config/templates/server.conf`
DUDE"
for i in ${PEERS_ARRAY[@]}; do
if [[ "${i}" =~ ^[0-9]+$ ]]; then
PEER_ID="peer${i}"
else
PEER_ID="peer_${i//[^[:alnum:]_-]/}"
fi
mkdir -p /config/${PEER_ID}
if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then
umask 077
wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID}
fi
if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then
CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}')
if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then
CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|")
fi
else
for idx in {2..254}; do
PROPOSED_IP="${INTERFACE}.${idx}"
if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then
CLIENT_IP="${PROPOSED_IP}"
break
fi
done
fi
eval "`printf %s`
cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
`cat /config/templates/peer.conf`
DUDE"
cat <<DUDE >> /config/wg0.conf
[Peer]
# ${PEER_ID}
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
AllowedIPs = ${CLIENT_IP}/32
DUDE
echo "PEER ${i} QR code:"
qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
done
}
save_vars () {
cat <<DUDE > /config/.donoteditthisfile
ORIG_SERVERURL="$SERVERURL"
ORIG_SERVERPORT="$SERVERPORT"
ORIG_PEERDNS="$PEERDNS"
ORIG_PEERS="$PEERS"
ORIG_INTERFACE="$INTERFACE"
ORIG_ALLOWEDIPS="$ALLOWEDIPS"
DUDE
}
if [ -n "$PEERS" ]; then
echo "**** Server mode is selected ****"
if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then
PEERS_ARRAY=($(seq 1 $PEERS))
else
PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' '))
fi
PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}")
if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
SERVERURL=$(curl -s icanhazip.com)
echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****"
else
echo "**** External server address is set to $SERVERURL ****"
fi
SERVERPORT=${SERVERPORT:-51820}
echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****"
INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
echo "**** Internal subnet is set to $INTERNAL_SUBNET ****"
INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0}
echo "**** AllowedIPs for peers $ALLOWEDIPS ****"
if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
PEERDNS="${INTERFACE}.1"
echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****"
else
echo "**** Peer DNS servers will be set to $PEERDNS ****"
fi
if [ ! -f /config/wg0.conf ]; then
echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
generate_confs
save_vars
else
echo "**** Server mode is selected ****"
[[ -f /config/.donoteditthisfile ]] && \
. /config/.donoteditthisfile
if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then
echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****"
generate_confs
save_vars
else
echo "**** No changes to parameters. Existing configs are used. ****"
fi
fi
else
echo "**** Client mode selected. ****"
if [ ! -f /config/wg0.conf ]; then
echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
sleep infinity
fi
echo "**** Disabling CoreDNS ****"
rm -rf /etc/services.d/coredns
fi
# set up CoreDNS
[[ ! -f /config/coredns/Corefile ]] && \
cp /defaults/Corefile /config/coredns/Corefile
# permissions
chown -R abc:abc \
/config

148
root/etc/cont-init.d/40-confs
Unescape Escape View File

@ -0,0 +1,148 @@
#!/usr/bin/with-contenv bash
# prepare symlinks
rm -rf /etc/wireguard
mkdir -p /etc/wireguard
ln -s /config/wg0.conf /etc/wireguard/wg0.conf
# prepare templates
[[ ! -f /config/templates/server.conf ]] && \
cp /defaults/server.conf /config/templates/server.conf
[[ ! -f /config/templates/peer.conf ]] && \
cp /defaults/peer.conf /config/templates/peer.conf
generate_confs () {
mkdir -p /config/server
if [ ! -f /config/server/privatekey-server ]; then
umask 077
wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
fi
eval "`printf %s`
cat <<DUDE > /config/wg0.conf
`cat /config/templates/server.conf`
DUDE"
for i in ${PEERS_ARRAY[@]}; do
if [[ "${i}" =~ ^[0-9]+$ ]]; then
PEER_ID="peer${i}"
else
PEER_ID="peer_${i//[^[:alnum:]_-]/}"
fi
mkdir -p /config/${PEER_ID}
if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then
umask 077
wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID}
fi
if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then
CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}')
if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then
CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|")
fi
else
for idx in {2..254}; do
PROPOSED_IP="${INTERFACE}.${idx}"
if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then
CLIENT_IP="${PROPOSED_IP}"
break
fi
done
fi
eval "`printf %s`
cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
`cat /config/templates/peer.conf`
DUDE"
SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i}
if [ -n "${!SERVER_ALLOWEDIPS}" ]; then
echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}"
cat <<DUDE >> /config/wg0.conf
[Peer]
# ${PEER_ID}
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}
DUDE
else
cat <<DUDE >> /config/wg0.conf
[Peer]
# ${PEER_ID}
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
AllowedIPs = ${CLIENT_IP}/32
DUDE
fi
echo "PEER ${i} QR code:"
qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
done
}
save_vars () {
cat <<DUDE > /config/.donoteditthisfile
ORIG_SERVERURL="$SERVERURL"
ORIG_SERVERPORT="$SERVERPORT"
ORIG_PEERDNS="$PEERDNS"
ORIG_PEERS="$PEERS"
ORIG_INTERFACE="$INTERFACE"
ORIG_ALLOWEDIPS="$ALLOWEDIPS"
DUDE
}
if [ -n "$PEERS" ]; then
echo "**** Server mode is selected ****"
if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then
PEERS_ARRAY=($(seq 1 $PEERS))
else
PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' '))
fi
PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}")
if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
SERVERURL=$(curl -s icanhazip.com)
echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****"
else
echo "**** External server address is set to $SERVERURL ****"
fi
SERVERPORT=${SERVERPORT:-51820}
echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****"
INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
echo "**** Internal subnet is set to $INTERNAL_SUBNET ****"
INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0}
echo "**** AllowedIPs for peers $ALLOWEDIPS ****"
if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
PEERDNS="${INTERFACE}.1"
echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****"
else
echo "**** Peer DNS servers will be set to $PEERDNS ****"
fi
if [ ! -f /config/wg0.conf ]; then
echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
generate_confs
save_vars
else
echo "**** Server mode is selected ****"
[[ -f /config/.donoteditthisfile ]] && \
. /config/.donoteditthisfile
if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then
echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****"
generate_confs
save_vars
else
echo "**** No changes to parameters. Existing configs are used. ****"
fi
fi
else
echo "**** Client mode selected. ****"
if [ ! -f /config/wg0.conf ]; then
echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
sleep infinity
fi
echo "**** Disabling CoreDNS ****"
rm -rf /etc/services.d/coredns
fi
# set up CoreDNS
[[ ! -f /config/coredns/Corefile ]] && \
cp /defaults/Corefile /config/coredns/Corefile
# permissions
chown -R abc:abc \
/config
Write Preview
Loading…
Cancel
Save