Added Auto Config Creation

Reimplemented Automatic Wireguard Configuration Generation

Setting global environment variables via the Docker image build is still insecure; it is better to pass them to the dashboard before init.
Noxcis 2024-08-23 16:49:54 -05:00
parent acf4f3fbf0
commit 2d5796d161
6 changed files with 96 additions and 24 deletions


@ -3,22 +3,22 @@ FROM alpine:latest
LABEL maintainer="dselen@nerthus.nl" LABEL maintainer="dselen@nerthus.nl"
ENV PYTHONPATH="/usr/bin/python" ENV PYTHONPATH="/usr/bin/python"
WORKDIR /home/app WORKDIR /opt/wireguarddashboard/src
RUN apk update && \ RUN apk update && \
apk add --no-cache py3-bcrypt py3-psutil && \ apk add --no-cache py3-bcrypt py3-psutil && \
apk add --no-cache wireguard-tools && \ apk add --no-cache wireguard-tools && \
apk add --no-cache net-tools iproute2 iptables ip6tables && \ apk add --no-cache net-tools iproute2 iptables ip6tables && \
apk add --no-cache inotify-tools procps openresolv && \ apk add --no-cache inotify-tools procps openresolv && \
mkdir /home/app/master-key mkdir /opt/wireguarddashboard/src/master-key
COPY ./src /home/app COPY ./src /opt/wireguarddashboard/src/
COPY ./docker/wgd.sh /home/app/ COPY ./docker/wgd.sh /opt/wireguarddashboard/src/
COPY ./docker/requirements.txt /home/app/ COPY ./docker/requirements.txt /opt/wireguarddashboard/src/
RUN chmod u+x /home/app/entrypoint.sh RUN chmod u+x /opt/wireguarddashboard/src/entrypoint.sh
# Defining a way for Docker to check the health of the container. In this case: checking the login URL. # Defining a way for Docker to check the health of the container. In this case: checking the login URL.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:10086/signin || exit 1 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl -f http://localhost:10086/signin || exit 1
ENTRYPOINT ["/home/app/entrypoint.sh"] ENTRYPOINT ["/opt/wireguarddashboard/src/entrypoint.sh"]


@ -7,9 +7,12 @@ services:
- NET_ADMIN - NET_ADMIN
- SYS_MODULE - SYS_MODULE
restart: unless-stopped restart: unless-stopped
environment:
- wg_net=10.0.0.1/24
- wg_port=51820
volumes: volumes:
- wgd_configs:/etc/wireguard - wgd_configs:/etc/wireguard
- wgd_app:/home/app - wgd_app:/opt/wireguarddashboard/src
ports: ports:
- 10086:10086/tcp - 10086:10086/tcp
- 51820:51820/udp - 51820:51820/udp
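Review bot: The new `wg_port` value is consumed by newconf_wgd as the ListenPort of the generated wg0.conf, but the `51820:51820/udp` mapping two lines below stays fixed, so changing only the environment value leaves the interface listening on a port the container does not publish. A comment next to the new line, `# wg_port must match the udp port mapping below`, would prevent that, or both can be derived from one compose variable, e.g. `- wg_port=${WG_PORT:-51820}` and `- ${WG_PORT:-51820}:${WG_PORT:-51820}/udp`. The consuming side (`local wg_port_listen=$wg_port`, `local wg_addr_range=$wg_net` in wgd.sh) applies no fallback either, so an empty or unset value yields an empty `Address`/`ListenPort` line in the written config.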


@ -271,14 +271,11 @@ gunicorn_start () {
printf "[ERROR] Gunicorn executable not found or not executable.\n" printf "[ERROR] Gunicorn executable not found or not executable.\n"
return 1 return 1
fi fi
start_core
gunicorn -c ./gunicorn.conf.py gunicorn -c ./gunicorn.conf.py
# line below exsits after execution when using docker # line below exsits after execution when using docker
#"$venv_gunicorn" --config ./gunicorn.conf.py & #"$venv_gunicorn" --config ./gunicorn.conf.py &
sleep 5 sleep 5
checkPIDExist=0 checkPIDExist=0
while [ $checkPIDExist -eq 0 ]; do while [ $checkPIDExist -eq 0 ]; do
if test -f './gunicorn.pid'; then if test -f './gunicorn.pid'; then
@ -289,7 +286,6 @@ gunicorn_start () {
fi fi
sleep 2 sleep 2
done done
printf "[WGDashboard] WGDashboard w/ Gunicorn started successfully\n" printf "[WGDashboard] WGDashboard w/ Gunicorn started successfully\n"
printf "%s\n" "$dashes" printf "%s\n" "$dashes"
} }
@ -301,6 +297,9 @@ gunicorn_stop () {
start_wgd () { start_wgd () {
_checkWireguard _checkWireguard
gunicorn_start gunicorn_start
} }
stop_wgd() { stop_wgd() {
@ -344,7 +343,38 @@ update_wgd() {
fi fi
} }
start_core () {
local config_files=$(find /etc/wireguard -type f -name "*.conf")
local iptable_dir="/opt/wireguarddashboard/src/iptable-rules"
newconf_wgd
find /etc/wireguard -type f -name "*.conf" -exec chmod 600 {} \;
find "$iptable_dir" -type f -name "*.sh" -exec chmod +x {} \;
for file in $config_files; do
config_name=$(basename "$file" ".conf")
{ date; wg-quick up "$config_name"; printf "\n\n"; } >> /opt/wireguarddashboard/src/log/install.txt 2>&1
done
}
newconf_wgd() {
local wg_port_listen=$wg_port
local wg_addr_range=$wg_net
private_key=$(wg genkey)
public_key=$(echo "$private_key" | wg pubkey)
cat <<EOF >"/etc/wireguard/wg0.conf"
[Interface]
PrivateKey = $private_key
Address = $wg_addr_range
ListenPort = $wg_port_listen
SaveConfig = true
PostUp = /opt/wireguarddashboard/src/iptable-rules/postup.sh
PreDown = /opt/wireguarddashboard/src/iptable-rules/postdown.sh
EOF
}
if [ "$#" != 1 ]; if [ "$#" != 1 ];
then then
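Review bot: In start_core (third hunk of wgd.sh), `config_files` is captured by `find` on the first line, before `newconf_wgd` writes /etc/wireguard/wg0.conf, so on a first boot the freshly generated interface is never brought up by the loop. The same loop iterates an unquoted `$config_files` (word-splits on spaces) and `local x=$(...)` hides find's exit status; globbing after generation avoids both. Since `start_core` is now called from gunicorn_start, which start_wgd calls, newconf_wgd appears to run on every `start` and overwrite wg0.conf with a new private key, invalidating the server public key peers already hold and discarding whatever SaveConfig persisted into the volume — guarding it with `[ -f /etc/wireguard/wg0.conf ] || newconf_wgd` keeps the existing config. The heredoc also writes the private key before the `chmod 600` pass runs, so newconf_wgd should set `umask 077` (in a subshell if the global umask must stay) so the file is never created readable by others, and `private_key` should be declared `local` (`public_key` is assigned but unused). The dispatcher below (`if [ "$#" != 1 ]`) continues outside the hunk.
```shell
start_core () {
  local iptable_dir="/opt/wireguarddashboard/src/iptable-rules"
  # Only generate a config on first boot: regenerating rotates the server key.
  [ -f /etc/wireguard/wg0.conf ] || newconf_wgd
  # … unchanged: chmod 600 on *.conf and chmod +x on the iptable-rules scripts …
  # Enumerate after generation so a just-written wg0.conf is included.
  for file in /etc/wireguard/*.conf; do
    [ -e "$file" ] || continue
    # … unchanged: basename and the logged wg-quick up …
  done
}
```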


@ -19,9 +19,9 @@ ensure_blocking() {
echo "Ensuring container continuation." echo "Ensuring container continuation."
# This function checks if the latest error log is created and tails it for docker logs uses. # This function checks if the latest error log is created and tails it for docker logs uses.
if find "/home/app/wireguarddashboard/app/log" -mindepth 1 -maxdepth 1 -type f | read -r; then if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
latestErrLog=$(find /home/app/wireguarddashboard/app/log -name "error_*.log" | head -n 1) latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1)
latestAccLog=$(find /home/app/wireguarddashboard/app/log -name "access_*.log" | head -n 1) latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1)
tail -f "${latestErrLog}" "${latestAccLog}" tail -f "${latestErrLog}" "${latestAccLog}"
fi fi
@ -32,10 +32,10 @@ ensure_blocking() {
# Execute functions for the WireGuard Dashboard services, then set the environment variables # Execute functions for the WireGuard Dashboard services, then set the environment variables
clean_up clean_up
chmod u+x /home/app/wgd.sh chmod u+x /opt/wireguarddashboard/src/wgd.sh
if [ ! -f "/home/app/wg-dashboard.ini" ]; then if [ ! -f "/opt/wireguarddashboard/src/wg-dashboard.ini" ]; then
/home/app/wgd.sh install /opt/wireguarddashboard/src/wgd.sh install
fi fi
/home/app/wgd.sh start /opt/wireguarddashboard/src/wgd.sh start
ensure_blocking ensure_blocking


@ -0,0 +1,13 @@
#!/bin/bash
WIREGUARD_INTERFACE=ADMINS
WIREGUARD_LAN=10.0.0.1/24
MASQUERADE_INTERFACE=eth0
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
# Remove and delete the WIREGUARD_wg0 chain
iptables -D FORWARD -j $CHAIN_NAME
iptables -F $CHAIN_NAME
iptables -X $CHAIN_NAME
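Review bot: `WIREGUARD_INTERFACE=ADMINS` and `WIREGUARD_LAN=10.0.0.1/24` are hard-coded here and again in iptable-rules/postup.sh, while the config that invokes these scripts is generated by newconf_wgd as wg0 with `Address = $wg_addr_range` taken from the compose `wg_net` value. With the names as committed, postup's `-i $WIREGUARD_INTERFACE` / `-o $WIREGUARD_INTERFACE` rules match an interface called ADMINS, so traffic on wg0 appears to hit neither the ACCEPT nor the DROP rules and falls through to RETURN, leaving the FORWARD default policy to decide. wg-quick substitutes `%i` with the interface name in PostUp/PreDown lines, so `PostUp = /opt/wireguarddashboard/src/iptable-rules/postup.sh %i` in newconf_wgd plus `WIREGUARD_INTERFACE=${1:?interface name}` in both scripts ties the rules to the real interface; the LAN range should likewise come from the same source as `wg_net` rather than a second copy. The comment `# Remove and delete the WIREGUARD_wg0 chain` no longer matches the `WIREGUARD_$WIREGUARD_INTERFACE` chain name and should read `# Detach the $CHAIN_NAME chain from FORWARD, then flush and delete it`.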


@ -0,0 +1,26 @@
#!/bin/bash
WIREGUARD_INTERFACE=ADMINS
WIREGUARD_LAN=10.0.0.1/24
MASQUERADE_INTERFACE=eth0
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
# Add a WIREGUARD_wg0 chain to the FORWARD chain
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
iptables -N $CHAIN_NAME
iptables -A FORWARD -j $CHAIN_NAME
# Accept related or established traffic
iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept traffic from any Wireguard IP address connected to the Wireguard server
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT
# Allow traffic to the local loopback interface
iptables -A $CHAIN_NAME -o lo -j ACCEPT
# Drop everything else coming through the Wireguard interface
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
# Return to FORWARD chain
iptables -A $CHAIN_NAME -j RETURN
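Review bot: The script is not idempotent and has no `set -e`: on a repeated `wg-quick up` where postdown did not run to completion, `iptables -N $CHAIN_NAME` fails (chain exists) without stopping the script, and every following `-A`/`-I` line is appended again, duplicating the MASQUERADE rule and the FORWARD jump. Use `set -e` after the shebang, `iptables -N "$CHAIN_NAME" 2>/dev/null || iptables -F "$CHAIN_NAME"` to reuse an existing chain, and `iptables -C FORWARD -j "$CHAIN_NAME" 2>/dev/null || iptables -A FORWARD -j "$CHAIN_NAME"` (and the same `-C` guard before the POSTROUTING insert). The MASQUERADE rule is inserted with `-I` here while postdown deletes a single instance with `-D`, so any duplicate survives a down/up cycle. Quoting the expansions (`"$CHAIN_NAME"`, `"$WIREGUARD_LAN"`, `"$MASQUERADE_INTERFACE"`) would also keep ShellCheck clean.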