Mirrors/wireguard_webadmin
1
0
Fork 0
mirror of https://github.com/eduardogsilva/wireguard_webadmin.git synced 2025-06-27 16:57:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Port forwarding to peers! :)

Browse Source
This commit is contained in:
Eduardo Silva 2024-02-26 18:55:04 -03:00
parent 4bcf853e9e
commit abeafa228c
13 changed files with 386 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docker-compose-no-nginx-dev.yml
View File

@ -13,11 +13,13 @@ services:
- static_volume:/app_static_files/
- .:/app
ports:
# Do not directly expose the Django port to the internet, use the reverse proxy below instead
# Do not directly expose the Django port to the internet, use some kind of reverse proxy with SSL.
- "127.0.0.1:8000:8000"
# dont go crazy increasing the udp port range. Docker will have a hard time handling with a large range of ports
# Actually, you probably will use only one port, but you can add more server instances if you want
# Warning: Docker will have a hard time handling large amount of ports. Expose only the ports that you need.
# Ports for multiple WireGuard instances. (Probably, you just need one)
- "51820-51839:51820-51839/udp"
# Ports for port forwarding rules. Add your own ports here if you need them.
- "8080-8089:8080-8089/tcp"
cap_add:
- NET_ADMIN

8
docker-compose-no-nginx.yml
View File

@ -12,11 +12,13 @@ services:
- wireguard:/etc/wireguard
- static_volume:/app_static_files/
ports:
# Do not directly expose the Django port to the internet, use the reverse proxy below instead
# Do not directly expose the Django port to the internet, use some kind of reverse proxy with SSL.
- "127.0.0.1:8000:8000"
# dont go crazy increasing the udp port range. Docker will have a hard time handling with a large range of ports
# Actually, you probably will use only one port, but you can add more server instances if you want
# Warning: Docker will have a hard time handling large amount of ports. Expose only the ports that you need.
# Ports for multiple WireGuard instances. (Probably, you just need one)
- "51820-51839:51820-51839/udp"
# Ports for port forwarding rules. Add your own ports here if you need them.
- "8080-8089:8080-8089/tcp"
cap_add:
- NET_ADMIN

6
docker-compose.yml
View File

@ -14,9 +14,11 @@ services:
ports:
# Do not directly expose the Django port to the internet, use the reverse proxy below instead
#- "127.0.0.1:8000:8000"
# dont go crazy increasing the udp port range. Docker will have a hard time handling with a large range of ports
# Actually, you probably will use only one port, but you can add more server instances if you want
# Warning: Docker will have a hard time handling large amount of ports. Expose only the ports that you need.
# Ports for multiple WireGuard instances. (Probably, you just need one)
- "51820-51839:51820-51839/udp"
# Ports for port forwarding rules. Add your own ports here if you need them.
- "8080-8089:8080-8089/tcp"
cap_add:
- NET_ADMIN

52
firewall/forms.py
View File

@ -0,0 +1,52 @@
from firewall.models import RedirectRule
from wireguard.models import Peer, WireGuardInstance
from django import forms
class RedirectRuleForm(forms.ModelForm):
description = forms.CharField(label='Description', required=False)
protocol = forms.ChoiceField(label='Protocol', choices=[('tcp', 'TCP'), ('udp', 'UDP')], initial='tcp')
port = forms.IntegerField(label='Port', initial=8080, min_value=1, max_value=65535)
add_forward_rule = forms.BooleanField(label='Add Forward Rule', required=False, initial=True)
masquerade_source = forms.BooleanField(label='Masquerade Source (not recommended)', required=False)
peer = forms.ModelChoiceField(label='Peer', queryset=Peer.objects.all(), required=False)
wireguard_instance = forms.ModelChoiceField(label='WireGuard Instance', queryset=WireGuardInstance.objects.all().order_by('instance_id'), required=True)
ip_address = forms.GenericIPAddressField(label='IP Address', required=False)
class Meta:
model = RedirectRule
fields = ['description', 'protocol', 'port', 'add_forward_rule', 'masquerade_source', 'peer', 'wireguard_instance', 'ip_address']
def __init__(self, *args, **kwargs):
super(RedirectRuleForm, self).__init__(*args, **kwargs)
if self.fields['wireguard_instance'].queryset.exists():
self.fields['wireguard_instance'].initial = self.fields['wireguard_instance'].queryset.first().uuid
def clean(self):
cleaned_data = super().clean()
port = cleaned_data.get('port')
protocol = cleaned_data.get('protocol')
peer = cleaned_data.get('peer')
ip_address = cleaned_data.get('ip_address')
wireguard_instance = cleaned_data.get('wireguard_instance')
if port == 8000 and protocol == 'tcp':
raise forms.ValidationError("Port 8000 (tcp) is reserved for wireguard-webadmin.")
if protocol == 'udp':
if WireGuardInstance.objects.filter(udp_port=port).exists():
raise forms.ValidationError("Port " + str(port) + " (udp) is already in use by a WireGuard instance.")
if peer and ip_address:
raise forms.ValidationError("Peer and IP Address cannot be selected at the same time.")
if ip_address and not wireguard_instance:
raise forms.ValidationError("IP Address cannot be used without selecting a WireGuard instance.")
if peer:
cleaned_data['wireguard_instance'] = peer.wireguard_instance
cleaned_data['ip_address'] = None
if ip_address:
cleaned_data['peer'] = None
return cleaned_data

42
firewall/views.py
View File

@ -1,15 +1,55 @@
from django.shortcuts import render
from django.shortcuts import render, get_object_or_404, redirect
from firewall.models import RedirectRule
from firewall.forms import RedirectRuleForm
from django.contrib import messages
from wireguard.models import WireGuardInstance
from user_manager.models import UserAcl
def view_redirect_rule_list(request):
wireguard_instances = WireGuardInstance.objects.all().order_by('instance_id')
if wireguard_instances.filter(pending_changes=True).exists():
pending_changes_warning = True
else:
pending_changes_warning = False
context = {
'page_title': 'Port Forward List',
'pending_changes_warning': pending_changes_warning,
'redirect_rule_list': RedirectRule.objects.all().order_by('wireguard_instance', 'protocol', 'port')
}
return render(request, 'firewall/redirect_rule_list.html', context=context)
def manage_redirect_rule(request):
if not UserAcl.objects.filter(user=request.user).filter(user_level__gte=40).exists():
return render(request, 'access_denied.html', {'page_title': 'Access Denied'})
context = {'page_title': 'Manage Port Forward'}
instance = None
uuid = request.GET.get('uuid', None)
if uuid:
instance = get_object_or_404(RedirectRule, uuid=uuid)
if request.GET.get('action') == 'delete':
if request.GET.get('confirmation') == instance.protocol + str(instance.port):
instance.wireguard_instance.pending_changes = True
instance.wireguard_instance.save()
instance.delete()
messages.success(request, 'Port Forward rule deleted successfully')
else:
messages.warning(request, 'Error deleting Port Forward rule|Confirmation did not match. Port Forward rule was not deleted.')
return redirect('/firewall/port_forward/')
if request.method == 'POST':
form = RedirectRuleForm(request.POST, instance=instance)
if form.is_valid():
wireguard_instance = form.cleaned_data['wireguard_instance']
wireguard_instance.pending_changes = True
wireguard_instance.save()
form.save()
messages.success(request, 'Port Forward rule saved successfully')
return redirect('/firewall/port_forward/')
else:
form = RedirectRuleForm(instance=instance)
context['form'] = form
context['instance'] = instance
return render(request, 'firewall/manage_redirect_rule.html', context=context)

2
templates/base.html
View File

@ -151,6 +151,7 @@
<!-- Content Header (Page header) -->
<div class="content-header">
<div class="container-fluid">
{% if page_title %}
<div class="row mb-2">
<div class="col-sm-6">
<h1 class="m-0">{{ page_title }}</h1>
@ -173,6 +174,7 @@
</ol>
</div><!-- /.col -->
</div><!-- /.row -->
{% endif %}
</div><!-- /.container-fluid -->
</div>
<!-- /.content-header -->

162
templates/firewall/manage_redirect_rule.html
View File

@ -1,3 +1,163 @@
{% extends 'base.html' %}
{% block content %}gerenciar regra{%endblock%}
{% block content %}
<div class="container mt-3">
<div class="card card-primary card-outline">
<div class="card-header">
<h3 class="card-title">{{ form.instance.pk|yesno:"Edit User,Create New User" }}</h3>
</div>
<div class="card-body">
<div class="row">
<div class="col-md-4">
<form method="post">
{% csrf_token %}
<div class="form-group">
<label for="id_description">Description</label>
<input type="text" class="form-control" id="id_description" name="description" placeholder="Description" value="{{ form.description.value|default_if_none:'' }}">
</div>
<div class="form-group">
<label for="id_protocol">Protocol</label>
<select class="form-control" id="id_protocol" name="protocol">
<option value="tcp" {% if form.protocol.value == "tcp" %}selected{% endif %}>TCP</option>
<option value="udp" {% if form.protocol.value == "udp" %}selected{% endif %}>UDP</option>
</select>
</div>
<div class="form-group">
<label for="id_port">Port</label>
<input type="number" class="form-control" id="id_port" name="port" value="{{ form.port.value|default_if_none:'' }}">
</div>
<div class="form-group">
<label for="destinationType">Destination Type:</label>
<select class="form-control" name="destinationType" id="destinationType">
<option value="peer">Peer</option>
<option value="ipAddress" {% if instance.ip_address %}selected{% endif %}>IP Address</option>
</select>
</div>
<div class="form-group">
<label for="id_peer">Peer</label>
<select class="form-control" id="id_peer" name="peer">
<option value="">---------</option>
{% for peer in form.fields.peer.queryset %}
<option value="{{ peer.pk }}" {% if form.instance.peer_id == peer.pk %}selected{% endif %}>{{ peer }}</option>
{% endfor %}
</select>
</div>
<div class="form-group">
<label for="id_wireguard_instance">WireGuard Instance</label>
<select class="form-control" id="id_wireguard_instance" name="wireguard_instance">
{% comment %}<option value="">---------</option>{% endcomment %}
{% for instance in form.fields.wireguard_instance.queryset %}
<option value="{{ instance.pk }}" {% if form.instance.wireguard_instance_id == instance.pk %}selected{% endif %}>{{ instance }}</option>
{% endfor %}
</select>
</div>
<div class="form-group">
<label for="id_ip_address">IP Address</label>
<input type="text" class="form-control" id="id_ip_address" name="ip_address" placeholder="IP Address" value="{{ form.ip_address.value|default_if_none:'' }}">
</div>
<div class="form-group">
<div class="form-check">
<input type="checkbox" class="form-check-input" id="id_add_forward_rule" name="add_forward_rule" {% if form.add_forward_rule.value %}checked{% endif %}>
<label class="form-check-label" for="id_add_forward_rule">Add Forward Rule (allow)</label>
</div>
</div>
<div class="form-group">
<div class="form-check">
<input type="checkbox" class="form-check-input" id="id_masquerade_source" name="masquerade_source" {% if form.masquerade_source.value %}checked{% endif %}>
<label class="form-check-label" for="id_masquerade_source">Masquerade Source</label>
</div>
</div>
<button type="submit" class="btn btn-primary">Submit</button>
<a href="/firewall/port_forward/" class="btn btn-secondary">Cancel</a>
{% if instance %}<a href='javascript:void(0)' class='btn btn-outline-danger' data-command='delete' onclick='openCommandDialog(this)'>Delete Rule</a>{% endif %}
</form>
</div>
<div class="col-md-8">
<h5>Default Ports</h5>
<p>The default <code>docker-compose.yml</code> file specifies the <b>TCP</b> port range <b>8080-8089</b>. If you wish to change the port forwarding to a different range, you must manually edit the <code>docker-compose.yml</code> file and rerun the Docker Compose step outlined in the <a href="https://github.com/eduardogsilva/wireguard_webadmin?tab=readme-ov-file#deployment">deployment instructions</a>.</p>
<h5>Destination Type: Peer</h5>
<p>Port redirection will prioritize the first Peer IP address assigned a priority of Zero.</p>
<h5>Destination Type: IP Address</h5>
<p>Port forwarding rules will redirect to the specified IP address. Remember to allocate the IP address or network to a Peer.</p>
<h5>Adding a Forward Rule</h5>
<p>Automatically generates a forwarding rule to accommodate stricter firewall settings.</p>
<h5>Masquerade Source</h5>
<p>This serves as a temporary solution when a peer does not use the VPN as its default gateway. It's important to note that this configuration is not recommended, as it alters the source address of all connections to match the IP address of the WireGuard instance.</p>
</div>
</div>
</div>
</div>
</div>
{% endblock %}
{% block custom_page_scripts %}
<script>
function adjustVisibilityBasedOnDestinationType() {
var selectedType = document.getElementById("destinationType").value;
var peerField = document.getElementById("id_peer").closest(".form-group");
var wireguardInstanceField = document.getElementById("id_wireguard_instance").closest(".form-group");
var ipAddressField = document.getElementById("id_ip_address").closest(".form-group");
if (selectedType === "peer") {
peerField.style.display = "";
wireguardInstanceField.style.display = "none";
ipAddressField.style.display = "none";
//document.getElementById("id_wireguard_instance").value = "";
document.getElementById("id_ip_address").value = "";
} else if (selectedType === "ipAddress") {
peerField.style.display = "none";
wireguardInstanceField.style.display = "";
ipAddressField.style.display = "";
document.getElementById("id_peer").value = "";
}
}
// Chama a função no carregamento da página
document.addEventListener("DOMContentLoaded", adjustVisibilityBasedOnDestinationType);
// E também na mudança do campo
document.getElementById("destinationType").addEventListener("change", adjustVisibilityBasedOnDestinationType);
</script>
<script>
function openCommandDialog(element) {
var command = element.getAttribute('data-command');
var confirmation = prompt("Please type '{{ instance.protocol }}{{ instance.port }}' to remove this rule.");
if (confirmation) {
var url = "?uuid={{ instance.uuid }}&action=delete&confirmation=" + encodeURIComponent(confirmation);
window.location.href = url;
}
}
</script>
{% endblock %}

65
templates/firewall/redirect_rule_list.html
View File

@ -1,3 +1,66 @@
{% extends 'base.html' %}
{% block content %}Lista{%endblock%}
{% block content %}
<table class="table table-striped">
<thead>
<tr>
<th>Instance</th>
<th>Protocol</th>
<th>Port</th>
<th>Destination</th>
<th>Allow Forward</th>
<th>Masquerade Source</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
{% for redirect_rule in redirect_rule_list %}
<tr>
<td>{{ redirect_rule.wireguard_instance }}</td>
<td>{{ redirect_rule.protocol }}</td>
<td>{{ redirect_rule.port }}</td>
<td>
{% if redirect_rule.peer %}
<a href="/peer/manage/?peer={{ redirect_rule.peer.uuid }}">
{% if redirect_rule.peer.name %}
{{ redirect_rule.peer.name }}
{% else %}
{{ redirect_rule.peer.public_key|slice:":16" }}{% if redirect_rule.peer.public_key|length > 16 %}...{% endif %}
{% endif %}
</a>
{% else %}
{{ redirect_rule.ip_address }}
{% endif %}
</td>
<td>
{% if redirect_rule.add_forward_rule %}
<i class="fas fa-check"></i>
{% else %}
<i class="fas fa-times"></i>
{% endif %}
</td>
<td>
{% if redirect_rule.masquerade_source %}
<i class="fas fa-check"></i>
<i class="fas fa-exclamation-triangle" title="This serves as a temporary solution when a peer does not use the VPN as its default gateway. It's important to note that this configuration is not recommended, as it alters the source address of all connections to match the IP address of the WireGuard instance."></i>
{% else %}
<i class="fas fa-times"></i>
{% endif %}
</td>
<td style="width: 1%; white-space: nowrap;">
<a href="/firewall/manage_port_forward_rule/?uuid={{ redirect_rule.uuid }}" ><i class="far fa-edit"></i></a>
</td>
</tr>
{% endfor %}
</tbody>
</table>
<a href="/firewall/manage_port_forward_rule/" class='btn btn-primary'>Create Port forwarding Rule</a>
{% endblock %}

5
templates/user_manager/manage_user.html
View File

@ -68,11 +68,6 @@
</div>
</div>
<div class="row">
<div class="col-md-12">
</div>
</div>
</div>

33
templates/wireguard/welcome.html
View File

@ -1,17 +1,28 @@
{% extends "base.html" %}
{% block content %}
<h1>Welcome to wireguard_webadmin</h1>
<p>I've been working hard on it over the past week and plan to continue making corrections and finishing it in the coming days.</p>
<p>Currently, it's quite functional, but there's still a need to polish various aspects of the interface to enhance usability.</p>
<p>If you encounter any issues or have suggestions, please open an issue on GitHub so I can review it.</p>
<h2>TODO list</h2>
<ul>
<li>AllowedIPs on client configuration side.</li>
<li>Allow peer portforwarding</li>
</ul>
<p>Keep checking the GitHub page, I will be updating this project very soon.</p>
<h1>Welcome to WireGuard WebAdmin</h1>
<p>WireGuard WebAdmin is a web-based interface designed for managing WireGuard VPN, a remarkably simple, fast, and modern VPN that employs cutting-edge cryptography.</p>
<p>I have dedicated significant effort to this project over the past few weeks and am thrilled to announce that the primary functionalities are performing as anticipated!</p>
<p>I just introduced the port forwarding feature. It is functioning well, aside from a few minor issues that I intend to resolve shortly.</p>
<h3>Known Port Forwarding Issues</h3>
<ul>
<li>Upon creating a port forwarding rule and updating the service, an initial reload may trigger a warning. This is due to the PostDown script's inability to remove a rule that does not yet exist.</li>
<li>Unchecking "Allow Forward" or "Masquerade Source" and then updating the service, fails to properly remove the corresponding iptables rules.</li>
<li>Deleting a rule and reloading the service does not properly remove the corresponding iptables rules.</li>
</ul>
<p>These issues are on my radar for fixes in the near future. In the meantime, restarting the main Docker container will cause the firewall to rebuild as expected, eliminating any lingering rules.</p>
<br>
<h3>Upcoming Enhancements</h3>
<ul>
<li>Implementing AllowedIPs in the client configuration.</li>
<li>Revising the firewall logic for PostUp/PostDown scripts.</li>
<li>Developing a straightforward firewall management interface.</li>
</ul>
<p>Stay tuned to our GitHub page for imminent updates to this project.</p>
{% endblock %}

6
wireguard/views.py
View File

@ -68,9 +68,9 @@ def generate_instance_defaults():
@login_required
def view_welcome(request):
page_title = 'Welcome'
context = {'page_title': page_title}
return render(request, 'wireguard/welcome.html', context)
#page_title = 'Welcome'
#context = {'page_title': page_title}
return render(request, 'wireguard/welcome.html')
@login_required

27
wireguard_tools/views.py
View File

@ -6,6 +6,7 @@ from django.http import HttpResponse
from django.shortcuts import redirect, get_object_or_404, render
from user_manager.models import UserAcl
from wireguard.models import WireGuardInstance, Peer, PeerAllowedIP
from firewall.models import RedirectRule
from django.contrib.auth.decorators import login_required
from django.contrib import messages
from io import BytesIO
@ -17,7 +18,6 @@ def clean_command_field(command_field):
return cleaned_field
def generate_peer_config(peer_uuid):
peer = get_object_or_404(Peer, uuid=peer_uuid)
wg_instance = peer.wireguard_instance
@ -56,7 +56,32 @@ def export_wireguard_configs(request):
for instance in instances:
post_up_processed = clean_command_field(instance.post_up) if instance.post_up else ""
post_down_processed = clean_command_field(instance.post_down) if instance.post_down else ""
if post_up_processed:
post_up_processed += '; '
if post_down_processed:
post_down_processed += '; '
for redirect_rule in RedirectRule.objects.filter(wireguard_instance=instance):
rule_text_up = ""
rule_text_down = ""
rule_destination = redirect_rule.ip_address
if redirect_rule.peer:
peer_allowed_ip_address = PeerAllowedIP.objects.filter(peer=redirect_rule.peer, netmask=32, priority=0).first()
if peer_allowed_ip_address:
rule_destination = peer_allowed_ip_address.allowed_ip
if rule_destination:
rule_text_up = f"iptables -t nat -A PREROUTING -p {redirect_rule.protocol} -d wireguard-webadmin --dport {redirect_rule.port} -j DNAT --to-dest {rule_destination}:{redirect_rule.port} ; "
rule_text_down = f"iptables -t nat -D PREROUTING -p {redirect_rule.protocol} -d wireguard-webadmin --dport {redirect_rule.port} -j DNAT --to-dest {rule_destination}:{redirect_rule.port} ; "
if redirect_rule.add_forward_rule:
rule_text_up += f"iptables -A FORWARD -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j ACCEPT ; "
rule_text_down += f"iptables -D FORWARD -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j ACCEPT ; "
if redirect_rule.masquerade_source:
rule_text_up += f"iptables -t nat -A POSTROUTING -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j MASQUERADE ; "
rule_text_down += f"iptables -t nat -D POSTROUTING -d {rule_destination} -p {redirect_rule.protocol} --dport {redirect_rule.port} -j MASQUERADE ; "
post_up_processed += rule_text_up
post_down_processed += rule_text_down
config_lines = [
"[Interface]",
f"PrivateKey = {instance.private_key}",

2
wireguard_webadmin/settings.py
View File

@ -129,6 +129,6 @@ STATICFILES_DIRS = [
DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
WIREGUARD_WEBADMIN_VERSION = 9010
WIREGUARD_WEBADMIN_VERSION = 9201
from wireguard_webadmin.production_settings import *