Archives/docker-wireguard
2
0
Fork 0
mirror of https://github.com/linuxserver/docker-wireguard synced 2024-11-06 09:20:26 +00:00
Code Issues Projects Releases Wiki Activity

allow setting server AllowedIPs for specific peers

Browse Source
This commit is contained in:
aptalca 2021-10-26 13:05:08 -04:00
parent 0be48caf95
commit 928363d694
3 changed files with 28 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -77,6 +77,13 @@ To display the QR codes of active peers again, you can use the following command
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
## Site-to-site VPN
Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`.
Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary.
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
@ -176,7 +183,7 @@ Container images are configured using parameters passed at runtime (such as thos
| `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London |
| `-e SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
| `-e SERVERPORT=51820` | External port for docker host. Used in server mode. |
| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only) |
| `-e PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. |
| `-e INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
| `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |

9
readme-vars.yml
View File

@ -44,7 +44,7 @@ opt_param_usage_include_env: true
opt_param_env_vars:
- { env_var: "SERVERURL", env_value: "wireguard.domain.com", desc: "External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically"}
- { env_var: "SERVERPORT", env_value: "51820", desc: "External port for docker host. Used in server mode."}
- { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet..."}
- { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only)"}
- { env_var: "PEERDNS", env_value: "auto", desc: "DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward."}
- { env_var: "INTERNAL_SUBNET", env_value: "10.13.13.0", desc: "Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode."}
- { env_var: "ALLOWEDIPS", env_value: "0.0.0.0/0", desc: "The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1."}
@ -74,6 +74,13 @@ app_setup_block: |
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
## Site-to-site VPN
Site-to-site VPN requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the full `AllowedIPS` you'd like to use (ie. `"192.168.1.0/24,10.13.13.5"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var) so the full thing reads something like `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,10.13.13.5"`.
Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can remove and readd a peer to force regeneration if necessary.
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.

11
root/etc/cont-init.d/30-config
View File

@ -201,6 +201,16 @@ DUDE"
cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
`cat /config/templates/peer.conf`
DUDE"
SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${PEER_ID}
if [ -n "${!SERVER_ALLOWEDIPS}" ]; then
cat <<DUDE >> /config/wg0.conf
[Peer]
# ${PEER_ID}
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
AllowedIPs = ${!SERVER_ALLOWEDIPS}
DUDE
else
cat <<DUDE >> /config/wg0.conf
[Peer]
# ${PEER_ID}
@ -208,6 +218,7 @@ PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
AllowedIPs = ${CLIENT_IP}/32
DUDE
fi
echo "PEER ${i} QR code:"
qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf