From 928363d6944a4d8235d15d38c8cc7470236be3cf Mon Sep 17 00:00:00 2001
From: aptalca
Date: Tue, 26 Oct 2021 13:05:08 -0400
Subject: [PATCH] allow setting server AllowedIPs for specific peers
---
 README.md | 9 ++++++++-
 readme-vars.yml | 9 ++++++++-
 root/etc/cont-init.d/30-config | 13 ++++++++++++-
 3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 058c524..0f774c2 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,13 @@ To display the QR codes of active peers again, you can use the following command
 The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
+## Site-to-site VPN
+Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
+
+In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`.
+
+Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary.
+
 ## Client Mode
 Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
@@ -176,7 +183,7 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London |
 | `-e SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
 | `-e SERVERPORT=51820` | External port for docker host. Used in server mode. |
-| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
+| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only) |
 | `-e PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. |
 | `-e INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
 | `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
diff --git a/readme-vars.yml b/readme-vars.yml
index fb5fa2f..6fa65e5 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -44,7 +44,7 @@ opt_param_usage_include_env: true
 opt_param_env_vars:
 - { env_var: "SERVERURL", env_value: "wireguard.domain.com", desc: "External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically"}
 - { env_var: "SERVERPORT", env_value: "51820", desc: "External port for docker host. Used in server mode."}
- - { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet..."}
+ - { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only)"}
 - { env_var: "PEERDNS", env_value: "auto", desc: "DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward."}
 - { env_var: "INTERNAL_SUBNET", env_value: "10.13.13.0", desc: "Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode."}
 - { env_var: "ALLOWEDIPS", env_value: "0.0.0.0/0", desc: "The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1."}
@@ -74,6 +74,13 @@ app_setup_block: |
 The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
+ ## Site-to-site VPN
+ Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
+
+ In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`.
+
+ Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary.
+
 ## Client Mode
 Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
index 7bf238c..d0425fd 100644
--- a/root/etc/cont-init.d/30-config
+++ b/root/etc/cont-init.d/30-config
@@ -201,13 +201,24 @@ DUDE"
 cat < /config/${PEER_ID}/${PEER_ID}.conf
 `cat /config/templates/peer.conf`
 DUDE"
- cat <> /config/wg0.conf
+ SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${PEER_ID}
+ if [ -n "${!SERVER_ALLOWEDIPS}" ]; then
+ cat <> /config/wg0.conf
+[Peer]
+# ${PEER_ID}
+PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
+AllowedIPs = ${!SERVER_ALLOWEDIPS}
+
+DUDE
+ else
+ cat <> /config/wg0.conf
 [Peer]
 # ${PEER_ID}
 PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
 AllowedIPs = ${CLIENT_IP}/32
 DUDE
+ fi
 echo "PEER ${i} QR code:"
 qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
 qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
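Review bot: The value of `${!SERVER_ALLOWEDIPS}` is written into the shared `wg0.conf` unchecked in the first heredoc, so a typo breaks the whole interface config rather than one peer, and a value that omits the peer's own `${CLIENT_IP}/32` (which the default branch always emits) leaves that peer unreachable with nothing in the log to say why; a substring check before the heredoc such as `case "${!SERVER_ALLOWEDIPS}" in *"${CLIENT_IP}"*) ;; *) echo "**** Warning: SERVER_ALLOWEDIPS_PEER_${PEER_ID} does not include ${CLIENT_IP} ****" ;; esac` would make the misconfiguration visible. The two heredocs differ only in the `AllowedIPs` line, so the `if`/`else`/`fi` and the duplicated block can collapse to `PEER_SERVER_ALLOWEDIPS="${!SERVER_ALLOWEDIPS:-${CLIENT_IP}/32}"` followed by one heredoc emitting `AllowedIPs = ${PEER_SERVER_ALLOWEDIPS}`, keeping the same empty-means-default behaviour as the `-n` test. The indirect expansion also presumes `PEER_ID` is a valid shell identifier; it is assigned outside the hunk, so if it can still contain characters other than letters, digits and underscore (the README hunk now says "alphanumeric only"), bash reports a bad substitution at this line. The surrounding per-peer block (the `${i}` loop) starts and ends outside the hunk.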