diff --git a/.env.example b/.env.example
index b2d79f8..2749524 100644
--- a/.env.example
+++ b/.env.example
@@ -23,4 +23,13 @@ TIMEZONE=America/Sao_Paulo
 # If you need additional hosts to be allowed, you can specify them here.
 # The SERVER_ADDRESS will always be allowed.
 # Example: EXTRA_ALLOWED_HOSTS=app1.example.com,app2.example.com:8443,app3.example.com
-#EXTRA_ALLOWED_HOSTS=app1.example.com,app2.example.com:8443,app3.example.com
\ No newline at end of file
+#EXTRA_ALLOWED_HOSTS=app1.example.com,app2.example.com:8443,app3.example.com
+
+# Allow VPN clients to access Django directly through the internal interface.
+# When enabled, users connected to the VPN can open the web interface using:
+# http://ip_or_hostname:8000
+#
+# IMPORTANT:
+# The internal address used for VPN access MUST be added to EXTRA_ALLOWED_HOSTS,
+# including the port :8000, otherwise Django will block the request (CSRF/Host validation).
+# VPN_CLIENTS_CAN_ACCESS_DJANGO=True
diff --git a/docker-compose-no-nginx-dev.yml b/docker-compose-no-nginx-dev.yml
index 9f15893..c51a2c1 100644
--- a/docker-compose-no-nginx-dev.yml
+++ b/docker-compose-no-nginx-dev.yml
@@ -15,6 +15,7 @@ services:
       - WIREGUARD_STATUS_CACHE_ENABLED=${WIREGUARD_STATUS_CACHE_ENABLED}
       - WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT=${WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT}
       - WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL=${WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL}
+      - VPN_CLIENTS_CAN_ACCESS_DJANGO=${VPN_CLIENTS_CAN_ACCESS_DJANGO}
     volumes:
       - wireguard:/etc/wireguard
       - static_volume:/app_static_files/
diff --git a/docker-compose-no-nginx.yml b/docker-compose-no-nginx.yml
index bdf3ce2..c6dd949 100644
--- a/docker-compose-no-nginx.yml
+++ b/docker-compose-no-nginx.yml
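Review bot: The IMPORTANT block's claim that the `:8000` port must be part of the EXTRA_ALLOWED_HOSTS entry is only accurate if that variable also feeds CSRF_TRUSTED_ORIGINS — Django's ALLOWED_HOSTS check strips the port from the Host header, so a host-only entry already satisfies Host validation, and it is the CSRF origin check that needs scheme and port. I cannot see how EXTRA_ALLOWED_HOSTS is consumed from this diff (the existing `app2.example.com:8443` example suggests it maps to both), so the comment should say which setting each form of the entry satisfies, e.g. `# The hostname satisfies ALLOWED_HOSTS; the host:port form is what CSRF_TRUSTED_ORIGINS checks.` The example URL is plain `http://` on the wg interface, so a sentence noting that this path bypasses the nginx TLS termination and relies on the tunnel itself for confidentiality would help operators judge the trade-off.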
@@ -13,6 +13,7 @@ services:
       - WIREGUARD_STATUS_CACHE_ENABLED=${WIREGUARD_STATUS_CACHE_ENABLED}
       - WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT=${WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT}
       - WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL=${WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL}
+      - VPN_CLIENTS_CAN_ACCESS_DJANGO=${VPN_CLIENTS_CAN_ACCESS_DJANGO}
     volumes:
       - wireguard:/etc/wireguard
       - static_volume:/app_static_files/
diff --git a/docker-compose.yml b/docker-compose.yml
index 1ed577a..96f7806 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,6 +13,7 @@ services:
       - WIREGUARD_STATUS_CACHE_ENABLED=${WIREGUARD_STATUS_CACHE_ENABLED}
       - WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT=${WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT}
       - WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL=${WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL}
+      - VPN_CLIENTS_CAN_ACCESS_DJANGO=${VPN_CLIENTS_CAN_ACCESS_DJANGO}
     volumes:
       - wireguard:/etc/wireguard
       - static_volume:/app_static_files/
diff --git a/entrypoint.sh b/entrypoint.sh
index 993820e..4489349 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -47,6 +47,10 @@ if [ -n "${TZ:-}" ]; then
     echo "TIME_ZONE = '${TZ}'" >> /app/wireguard_webadmin/production_settings.py
 fi
 
+if [[ "${VPN_CLIENTS_CAN_ACCESS_DJANGO,,}" == "true" ]]; then
+    echo "VPN_CLIENTS_CAN_ACCESS_DJANGO = True" >> /app/wireguard_webadmin/production_settings.py
+fi
+
 if [[ "${WIREGUARD_STATUS_CACHE_ENABLED,,}" == "false" ]]; then
     echo "WIREGUARD_STATUS_CACHE_ENABLED = False" >> /app/wireguard_webadmin/production_settings.py
 fi
diff --git a/firewall/tools.py b/firewall/tools.py
index 53c77c7..48eff66 100644
--- a/firewall/tools.py
+++ b/firewall/tools.py
@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.db.models import Q, Prefetch
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
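Review bot: The new test in entrypoint.sh expands `${VPN_CLIENTS_CAN_ACCESS_DJANGO,,}` with no default, so if the script runs under `set -u` (the `${TZ:-}` guard in the hunk header suggests it may) an unset variable aborts startup, whereas the compose files always pass it, possibly empty, and an image run without compose would not. The existing WIREGUARD_STATUS_CACHE_ENABLED test has the same shape, so this is at least consistent; a defaulted form is `vpn_access="${VPN_CLIENTS_CAN_ACCESS_DJANGO:-false}"` followed by `if [[ "${vpn_access,,}" == "true" ]]; then`. Only the literal `true` (any case) enables the feature, which is the right direction for an option that relaxes a default-deny firewall rule.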
@@ -235,6 +236,7 @@ iptables -t nat -F WGWADM_PREROUTING
 iptables -t filter -F WGWADM_FORWARD
 iptables -t filter -F WGWADM_ROUTE_POLICY
 iptables -t filter -F FORWARD
+iptables -t filter -F INPUT
 
 iptables -t nat -D POSTROUTING -j WGWADM_POSTROUTING >> /dev/null 2>&1
 iptables -t nat -D PREROUTING -j WGWADM_PREROUTING >> /dev/null 2>&1
@@ -247,6 +249,9 @@ iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -t filter -A FORWARD -i wg+ -j WGWADM_ROUTE_POLICY
 iptables -t filter -A FORWARD -j WGWADM_FORWARD
     '''
+    if not settings.VPN_CLIENTS_CAN_ACCESS_DJANGO:
+        header += 'iptables -t filter -A INPUT -i wg+ -p tcp --dport 8000 -j REJECT\n'
+
     return header
 
 
diff --git a/wireguard_peer/views.py b/wireguard_peer/views.py
index 9223877..2618f60 100644
--- a/wireguard_peer/views.py
+++ b/wireguard_peer/views.py
@@ -495,8 +495,15 @@ def view_wireguard_peer_schedule_profile(request):
         if form.is_valid():
             form.save()
             messages.success(request, _('Peer scheduling profile updated successfully.'))
-            current_peer.wireguard_instance.pending_changes = True
-            current_peer.wireguard_instance.save()
+            if not peer_scheduling.profile and current_peer.disabled_by_schedule:
+                current_peer.disabled_by_schedule = False
+                current_peer.save()
+                export_wireguard_configuration(current_peer.wireguard_instance)
+                success, message = func_reload_wireguard_interface(current_peer.wireguard_instance)
+
+            peer_scheduling.next_scheduled_enable_at = None
+            peer_scheduling.next_scheduled_disable_at = None
+            peer_scheduling.save()
         return redirect('/peer/manage/?peer=' + str(current_peer.uuid))
 
     context = {
diff --git a/wireguard_webadmin/settings.py b/wireguard_webadmin/settings.py
index 5a8d489..1f3983d 100644
--- a/wireguard_webadmin/settings.py
+++ b/wireguard_webadmin/settings.py
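Review bot: `iptables -t filter -F INPUT` in the first firewall/tools.py hunk flushes the entire INPUT chain rather than rules this application owns, so anything another tool or an operator placed in INPUT is silently dropped every time the firewall script is regenerated; the REJECT rule appended in the following `@@ -247` hunk also depends on that flush for its position. The rest of this script already isolates its rules in WGWADM_* chains (`-F WGWADM_FORWARD`, `-D POSTROUTING -j WGWADM_POSTROUTING`), and a WGWADM_INPUT chain that is created, flushed and inserted from INPUT the same way would keep the blast radius to rules the app owns; the appended line would then read `header += 'iptables -t filter -A WGWADM_INPUT -i wg+ -p tcp --dport 8000 -j REJECT\n'`. If the flush is deliberate because the container has its own network namespace, a one-line comment saying so would stop the next reader from "fixing" it. The enclosing function starts outside the hunk.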
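Review bot: The REJECT rule in the second firewall/tools.py hunk is IPv4-only (`iptables`), so if the wg interfaces carry IPv6 and Django binds a v6 address, VPN clients can still reach port 8000 with the flag unset; I cannot see from this diff whether an ip6tables script exists, but if it does it needs the matching rule. Port 8000 is hard-coded both here and in the .env.example comment, so a single settings constant (a placeholder name such as `DJANGO_INTERNAL_PORT`, constructed) would keep the firewall rule and the documentation from drifting. For TCP, `-j REJECT --reject-with tcp-reset` fails the connection immediately instead of the default port-unreachable ICMP, which browsers handle more gracefully. The `-A` placement assumes INPUT holds no earlier ACCEPT for wg+ traffic, which is true right after the flush in the hunk above but not if rules are appended later by other code.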
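Review bot: `success, message = func_reload_wireguard_interface(...)` in the wireguard_peer/views.py hunk discards both values, so a failed interface reload still ends with the 'updated successfully' flash and the redirect, and the peer is marked enabled in the database while the running interface may still carry the old config. Add `if not success:` / `    messages.warning(request, message)` directly after the call; `messages` is already used two lines above. The removed `pending_changes = True` / `save()` pair no longer runs when a profile is set or the peer was not disabled by schedule — presumably intentional because a profile change alone does not alter the exported config, but worth confirming against the scheduler. The view starts and ends outside the hunk.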
@@ -160,6 +160,7 @@ STATICFILES_DIRS = [
     BASE_DIR / "static_files",
 ]
 
+VPN_CLIENTS_CAN_ACCESS_DJANGO = False
 WIREGUARD_STATUS_CACHE_ENABLED = True
 WIREGUARD_STATUS_CACHE_MAX_AGE = 600
 WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL = 60
@@ -170,7 +171,7 @@ WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT = 9
 DNS_CONFIG_FILE = '/etc/dnsmasq/wireguard_webadmin_dns.conf'
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 
-WIREGUARD_WEBADMIN_VERSION = 9974
+WIREGUARD_WEBADMIN_VERSION = 9975
 CLUSTER_WORKER_CURRENT_VERSION = 11
 CLUSTER_WORKER_MINIMUM_VERSION = 11
 
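Review bot: `VPN_CLIENTS_CAN_ACCESS_DJANGO = False` in wireguard_webadmin/settings.py lands in a run of undocumented flags, and nothing here says it is a secure default that entrypoint.sh overrides by appending to production_settings.py (presumably imported by settings.py; not visible in this diff). A comment such as `# Default-deny: VPN clients cannot reach the Django port on the wg interface. entrypoint.sh overrides this from the VPN_CLIENTS_CAN_ACCESS_DJANGO env var.` would spare the next reader a trip through the entrypoint, the compose files and firewall/tools.py to learn where the value comes from and what it gates.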