diff --git a/README.md b/README.md index a24a6f4..8636e04 100644 --- a/README.md +++ b/README.md @@ -58,11 +58,13 @@ The architectures supported by this image are: ## Application Setup -This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module. +During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container. + +If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed. If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv). -With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). +With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). This can be run as a server or a client, based on the parameters used. diff --git a/readme-vars.yml b/readme-vars.yml index ab87f18..2b5e74f 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -55,11 +55,13 @@ optional_block_1_items: "" # application setup block app_setup_block_enabled: true app_setup_block: | - This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module. + During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container. + + If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed. If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv). - With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). + With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees). This can be run as a server or a client, based on the parameters used. diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-module similarity index 56% rename from root/etc/cont-init.d/30-config rename to root/etc/cont-init.d/30-module index 0ad49c7..da079e3 100644 --- a/root/etc/cont-init.d/30-config +++ b/root/etc/cont-init.d/30-module @@ -151,149 +151,3 @@ DUDE fi fi -# prepare symlinks -rm -rf /etc/wireguard -mkdir -p /etc/wireguard -ln -s /config/wg0.conf /etc/wireguard/wg0.conf -# prepare templates -[[ ! -f /config/templates/server.conf ]] && \ - cp /defaults/server.conf /config/templates/server.conf -[[ ! -f /config/templates/peer.conf ]] && \ - cp /defaults/peer.conf /config/templates/peer.conf - -generate_confs () { - mkdir -p /config/server - if [ ! -f /config/server/privatekey-server ]; then - umask 077 - wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server - fi - eval "`printf %s` - cat < /config/wg0.conf -`cat /config/templates/server.conf` - -DUDE" - for i in ${PEERS_ARRAY[@]}; do - if [[ "${i}" =~ ^[0-9]+$ ]]; then - PEER_ID="peer${i}" - else - PEER_ID="peer_${i//[^[:alnum:]_-]/}" - fi - mkdir -p /config/${PEER_ID} - if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then - umask 077 - wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID} - fi - if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then - CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}') - if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then - CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|") - fi - else - for idx in {2..254}; do - PROPOSED_IP="${INTERFACE}.${idx}" - if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then - CLIENT_IP="${PROPOSED_IP}" - break - fi - done - fi - eval "`printf %s` - cat < /config/${PEER_ID}/${PEER_ID}.conf -`cat /config/templates/peer.conf` -DUDE" - SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i} - if [ -n "${!SERVER_ALLOWEDIPS}" ]; then - echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}" - cat <> /config/wg0.conf -[Peer] -# ${PEER_ID} -PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) -AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS} - -DUDE - else - cat <> /config/wg0.conf -[Peer] -# ${PEER_ID} -PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) -AllowedIPs = ${CLIENT_IP}/32 - -DUDE - fi - echo "PEER ${i} QR code:" - qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf - qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf - done -} - -save_vars () { - cat < /config/.donoteditthisfile -ORIG_SERVERURL="$SERVERURL" -ORIG_SERVERPORT="$SERVERPORT" -ORIG_PEERDNS="$PEERDNS" -ORIG_PEERS="$PEERS" -ORIG_INTERFACE="$INTERFACE" -ORIG_ALLOWEDIPS="$ALLOWEDIPS" -DUDE -} - -if [ -n "$PEERS" ]; then - echo "**** Server mode is selected ****" - if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then - PEERS_ARRAY=($(seq 1 $PEERS)) - else - PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' ')) - fi - PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}") - if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then - SERVERURL=$(curl -s icanhazip.com) - echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****" - else - echo "**** External server address is set to $SERVERURL ****" - fi - SERVERPORT=${SERVERPORT:-51820} - echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****" - INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0} - echo "**** Internal subnet is set to $INTERNAL_SUBNET ****" - INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--') - ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0} - echo "**** AllowedIPs for peers $ALLOWEDIPS ****" - if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then - PEERDNS="${INTERFACE}.1" - echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****" - else - echo "**** Peer DNS servers will be set to $PEERDNS ****" - fi - if [ ! -f /config/wg0.conf ]; then - echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****" - generate_confs - save_vars - else - echo "**** Server mode is selected ****" - [[ -f /config/.donoteditthisfile ]] && \ - . /config/.donoteditthisfile - if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then - echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****" - generate_confs - save_vars - else - echo "**** No changes to parameters. Existing configs are used. ****" - fi - fi -else - echo "**** Client mode selected. ****" - if [ ! -f /config/wg0.conf ]; then - echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****" - sleep infinity - fi - echo "**** Disabling CoreDNS ****" - rm -rf /etc/services.d/coredns -fi - -# set up CoreDNS -[[ ! -f /config/coredns/Corefile ]] && \ - cp /defaults/Corefile /config/coredns/Corefile - -# permissions -chown -R abc:abc \ - /config diff --git a/root/etc/cont-init.d/40-confs b/root/etc/cont-init.d/40-confs new file mode 100644 index 0000000..71bc311 --- /dev/null +++ b/root/etc/cont-init.d/40-confs @@ -0,0 +1,148 @@ +#!/usr/bin/with-contenv bash + +# prepare symlinks +rm -rf /etc/wireguard +mkdir -p /etc/wireguard +ln -s /config/wg0.conf /etc/wireguard/wg0.conf +# prepare templates +[[ ! -f /config/templates/server.conf ]] && \ + cp /defaults/server.conf /config/templates/server.conf +[[ ! -f /config/templates/peer.conf ]] && \ + cp /defaults/peer.conf /config/templates/peer.conf + +generate_confs () { + mkdir -p /config/server + if [ ! -f /config/server/privatekey-server ]; then + umask 077 + wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server + fi + eval "`printf %s` + cat < /config/wg0.conf +`cat /config/templates/server.conf` + +DUDE" + for i in ${PEERS_ARRAY[@]}; do + if [[ "${i}" =~ ^[0-9]+$ ]]; then + PEER_ID="peer${i}" + else + PEER_ID="peer_${i//[^[:alnum:]_-]/}" + fi + mkdir -p /config/${PEER_ID} + if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then + umask 077 + wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID} + fi + if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then + CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}') + if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then + CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|") + fi + else + for idx in {2..254}; do + PROPOSED_IP="${INTERFACE}.${idx}" + if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then + CLIENT_IP="${PROPOSED_IP}" + break + fi + done + fi + eval "`printf %s` + cat < /config/${PEER_ID}/${PEER_ID}.conf +`cat /config/templates/peer.conf` +DUDE" + SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i} + if [ -n "${!SERVER_ALLOWEDIPS}" ]; then + echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}" + cat <> /config/wg0.conf +[Peer] +# ${PEER_ID} +PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) +AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS} + +DUDE + else + cat <> /config/wg0.conf +[Peer] +# ${PEER_ID} +PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID}) +AllowedIPs = ${CLIENT_IP}/32 + +DUDE + fi + echo "PEER ${i} QR code:" + qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf + qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf + done +} + +save_vars () { + cat < /config/.donoteditthisfile +ORIG_SERVERURL="$SERVERURL" +ORIG_SERVERPORT="$SERVERPORT" +ORIG_PEERDNS="$PEERDNS" +ORIG_PEERS="$PEERS" +ORIG_INTERFACE="$INTERFACE" +ORIG_ALLOWEDIPS="$ALLOWEDIPS" +DUDE +} + +if [ -n "$PEERS" ]; then + echo "**** Server mode is selected ****" + if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then + PEERS_ARRAY=($(seq 1 $PEERS)) + else + PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' ')) + fi + PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}") + if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then + SERVERURL=$(curl -s icanhazip.com) + echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****" + else + echo "**** External server address is set to $SERVERURL ****" + fi + SERVERPORT=${SERVERPORT:-51820} + echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****" + INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0} + echo "**** Internal subnet is set to $INTERNAL_SUBNET ****" + INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--') + ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0} + echo "**** AllowedIPs for peers $ALLOWEDIPS ****" + if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then + PEERDNS="${INTERFACE}.1" + echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****" + else + echo "**** Peer DNS servers will be set to $PEERDNS ****" + fi + if [ ! -f /config/wg0.conf ]; then + echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****" + generate_confs + save_vars + else + echo "**** Server mode is selected ****" + [[ -f /config/.donoteditthisfile ]] && \ + . /config/.donoteditthisfile + if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then + echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****" + generate_confs + save_vars + else + echo "**** No changes to parameters. Existing configs are used. ****" + fi + fi +else + echo "**** Client mode selected. ****" + if [ ! -f /config/wg0.conf ]; then + echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****" + sleep infinity + fi + echo "**** Disabling CoreDNS ****" + rm -rf /etc/services.d/coredns +fi + +# set up CoreDNS +[[ ! -f /config/coredns/Corefile ]] && \ + cp /defaults/Corefile /config/coredns/Corefile + +# permissions +chown -R abc:abc \ + /config \ No newline at end of file