Added Auto Config Creation

Reimplemented Automatic Wireguard Configuration Generation Setting global Env Vars via the docker image build is still insecure, better to pass to dashboard before init.
2025-08-27 23:41:14 +00:00 · 2024-08-23 16:49:54 -05:00
parent acf4f3fbf0
commit 2d5796d161
6 changed files with 96 additions and 24 deletions
--- a/src/entrypoint.sh
+++ b/src/entrypoint.sh
@@ -19,9 +19,9 @@ ensure_blocking() {
  echo "Ensuring container continuation."

  # This function checks if the latest error log is created and tails it for docker logs uses.
-  if find "/home/app/wireguarddashboard/app/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
-    latestErrLog=$(find /home/app/wireguarddashboard/app/log -name "error_*.log" | head -n 1)
-    latestAccLog=$(find /home/app/wireguarddashboard/app/log -name "access_*.log" | head -n 1)
+  if find "/opt/wireguarddashboard/src/log" -mindepth 1 -maxdepth 1 -type f | read -r; then
+    latestErrLog=$(find /opt/wireguarddashboard/src/log -name "error_*.log" | head -n 1)
+    latestAccLog=$(find /opt/wireguarddashboard/src/log -name "access_*.log" | head -n 1)
    tail -f "${latestErrLog}" "${latestAccLog}"
  fi

@@ -32,10 +32,10 @@ ensure_blocking() {
 # Execute functions for the WireGuard Dashboard services, then set the environment variables
 clean_up

-chmod u+x /home/app/wgd.sh
-if [ ! -f "/home/app/wg-dashboard.ini" ]; then
-  /home/app/wgd.sh install
+chmod u+x /opt/wireguarddashboard/src/wgd.sh
+if [ ! -f "/opt/wireguarddashboard/src/wg-dashboard.ini" ]; then
+  /opt/wireguarddashboard/src/wgd.sh install
  
 fi
-/home/app/wgd.sh start
+/opt/wireguarddashboard/src/wgd.sh start
 ensure_blocking
--- a/src/iptable-rules/postdown.sh
+++ b/src/iptable-rules/postdown.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+WIREGUARD_INTERFACE=ADMINS
+WIREGUARD_LAN=10.0.0.1/24
+MASQUERADE_INTERFACE=eth0
+
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+
+iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
+
+# Remove and delete the WIREGUARD_wg0 chain
+iptables -D FORWARD -j $CHAIN_NAME
+iptables -F $CHAIN_NAME
+iptables -X $CHAIN_NAME
--- a/src/iptable-rules/postup.sh
+++ b/src/iptable-rules/postup.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+WIREGUARD_INTERFACE=ADMINS
+WIREGUARD_LAN=10.0.0.1/24
+MASQUERADE_INTERFACE=eth0
+
+iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
+
+# Add a WIREGUARD_wg0 chain to the FORWARD chain
+CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
+iptables -N $CHAIN_NAME
+iptables -A FORWARD -j $CHAIN_NAME
+
+# Accept related or established traffic
+iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Accept traffic from any Wireguard IP address connected to the Wireguard server
+iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT
+
+# Allow traffic to the local loopback interface
+iptables -A $CHAIN_NAME -o lo -j ACCEPT
+
+# Drop everything else coming through the Wireguard interface
+iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
+
+# Return to FORWARD chain
+iptables -A $CHAIN_NAME -j RETURN