Add VPN_CLIENTS_CAN_ACCESS_DJANGO configuration and update related settings

.env.example

@@ -23,4 +23,13 @@ TIMEZONE=America/Sao_Paulo
 # If you need additional hosts to be allowed, you can specify them here.
 # The SERVER_ADDRESS will always be allowed.
 # Example: EXTRA_ALLOWED_HOSTS=app1.example.com,app2.example.com:8443,app3.example.com
-#EXTRA_ALLOWED_HOSTS=app1.example.com,app2.example.com:8443,app3.example.com
+#EXTRA_ALLOWED_HOSTS=app1.example.com,app2.example.com:8443,app3.example.com
+
+# Allow VPN clients to access Django directly through the internal interface.
+# When enabled, users connected to the VPN can open the web interface using:
+# http://ip_or_hostname:8000
+#
+# IMPORTANT:
+# The internal address used for VPN access MUST be added to EXTRA_ALLOWED_HOSTS,
+# including the port :8000, otherwise Django will block the request (CSRF/Host validation).
+# VPN_CLIENTS_CAN_ACCESS_DJANGO=True

docker-compose-no-nginx-dev.yml

@@ -15,6 +15,7 @@ services:
       - WIREGUARD_STATUS_CACHE_ENABLED=${WIREGUARD_STATUS_CACHE_ENABLED}
       - WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT=${WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT}
       - WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL=${WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL}
+      - VPN_CLIENTS_CAN_ACCESS_DJANGO=${VPN_CLIENTS_CAN_ACCESS_DJANGO}
     volumes:
       - wireguard:/etc/wireguard
       - static_volume:/app_static_files/

docker-compose-no-nginx.yml

@@ -13,6 +13,7 @@ services:
       - WIREGUARD_STATUS_CACHE_ENABLED=${WIREGUARD_STATUS_CACHE_ENABLED}
       - WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT=${WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT}
       - WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL=${WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL}
+      - VPN_CLIENTS_CAN_ACCESS_DJANGO=${VPN_CLIENTS_CAN_ACCESS_DJANGO}
     volumes:
       - wireguard:/etc/wireguard
       - static_volume:/app_static_files/

docker-compose.yml

@@ -13,6 +13,7 @@ services:
       - WIREGUARD_STATUS_CACHE_ENABLED=${WIREGUARD_STATUS_CACHE_ENABLED}
       - WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT=${WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT}
       - WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL=${WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL}
+      - VPN_CLIENTS_CAN_ACCESS_DJANGO=${VPN_CLIENTS_CAN_ACCESS_DJANGO}
     volumes:
       - wireguard:/etc/wireguard
       - static_volume:/app_static_files/

entrypoint.sh

@@ -47,6 +47,10 @@ if [ -n "${TZ:-}" ]; then
     echo "TIME_ZONE = '${TZ}'" >> /app/wireguard_webadmin/production_settings.py
 fi
 
+if [[ "${VPN_CLIENTS_CAN_ACCESS_DJANGO,,}" == "true" ]]; then
+    echo "VPN_CLIENTS_CAN_ACCESS_DJANGO = True" >> /app/wireguard_webadmin/production_settings.py
+fi
+
 if [[ "${WIREGUARD_STATUS_CACHE_ENABLED,,}" == "false" ]]; then
     echo "WIREGUARD_STATUS_CACHE_ENABLED = False" >> /app/wireguard_webadmin/production_settings.py
 fi

firewall/tools.py

@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.db.models import Q, Prefetch
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@@ -235,6 +236,7 @@ iptables -t nat    -F WGWADM_PREROUTING
 iptables -t filter -F WGWADM_FORWARD
 iptables -t filter -F WGWADM_ROUTE_POLICY
 iptables -t filter -F FORWARD
+iptables -t filter -F INPUT
 
 iptables -t nat    -D POSTROUTING -j WGWADM_POSTROUTING >> /dev/null 2>&1
 iptables -t nat    -D PREROUTING  -j WGWADM_PREROUTING  >> /dev/null 2>&1
@@ -247,6 +249,9 @@ iptables -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 iptables -t filter -A FORWARD -i wg+ -j WGWADM_ROUTE_POLICY
 iptables -t filter -A FORWARD        -j WGWADM_FORWARD
 '''
+    if not settings.VPN_CLIENTS_CAN_ACCESS_DJANGO:
+        header += 'iptables -t filter -A INPUT -i wg+ -p tcp --dport 8000 -j REJECT\n'
+
     return header
 
 

wireguard_peer/views.py

@@ -495,8 +495,15 @@ def view_wireguard_peer_schedule_profile(request):
     if form.is_valid():
         form.save()
         messages.success(request, _('Peer scheduling profile updated successfully.'))
-        current_peer.wireguard_instance.pending_changes = True
-        current_peer.wireguard_instance.save()
+        if not peer_scheduling.profile and current_peer.disabled_by_schedule:
+            current_peer.disabled_by_schedule = False
+            current_peer.save()
+            export_wireguard_configuration(current_peer.wireguard_instance)
+            success, message = func_reload_wireguard_interface(current_peer.wireguard_instance)
+
+        peer_scheduling.next_scheduled_enable_at = None
+        peer_scheduling.next_scheduled_disable_at = None
+        peer_scheduling.save()
         return redirect('/peer/manage/?peer=' + str(current_peer.uuid))
 
     context = {

wireguard_webadmin/settings.py

@@ -160,6 +160,7 @@ STATICFILES_DIRS = [
     BASE_DIR / "static_files",
 ]
 
+VPN_CLIENTS_CAN_ACCESS_DJANGO = False
 WIREGUARD_STATUS_CACHE_ENABLED = True
 WIREGUARD_STATUS_CACHE_MAX_AGE = 600
 WIREGUARD_STATUS_CACHE_REFRESH_INTERVAL = 60
@@ -170,7 +171,7 @@ WIREGUARD_STATUS_CACHE_WEB_LOAD_PREVIOUS_COUNT = 9
 DNS_CONFIG_FILE = '/etc/dnsmasq/wireguard_webadmin_dns.conf'
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 
-WIREGUARD_WEBADMIN_VERSION = 9974
+WIREGUARD_WEBADMIN_VERSION = 9975
 
 CLUSTER_WORKER_CURRENT_VERSION = 11
 CLUSTER_WORKER_MINIMUM_VERSION = 11