From 42edf25751babaa4e597787f77db45f2fd6a2505 Mon Sep 17 00:00:00 2001
From: Jordan Potter
Date: Sat, 6 Mar 2021 21:22:10 -0600
Subject: [PATCH 1/4] Add support for LOCAL_NETWORK environment variable
---
 entrypoint.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/entrypoint.sh b/entrypoint.sh
index 7e8548e..08d5bd5 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,6 +2,12 @@
 set -e
+default_route_ip=$(ip route | grep default | awk '{print $3}')
+if [[ -z "$default_route_ip" ]]; then
+ echo "No default route configured" >&2
+ exit 1
+fi
+
 configs=`find /etc/wireguard -type f -printf "%f\n"`
 if [[ -z "$configs" ]]; then
 echo "No configuration files found in /etc/wireguard" >&2
@@ -31,6 +37,11 @@ else
 ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT
 fi
+if [[ "$LOCAL_NETWORK" ]]; then
+ ip route add $LOCAL_NETWORK via $default_route_ip
+ iptables -I OUTPUT -d $LOCAL_NETWORK -j ACCEPT
+fi
+
 shutdown () {
 wg-quick down $interface
 exit 0
From dda803d0406a471353bb2c5d0df14b1116b5d681 Mon Sep 17 00:00:00 2001
From: Jordan Potter
Date: Sat, 6 Mar 2021 22:20:15 -0600
Subject: [PATCH 2/4] Add instructions for LOCAL_NETWORK environment variable
---
 README.md | 42 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index a2baad7..c60e8e2 100644
--- a/README.md
+++ b/README.md
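Review bot: `default_route_ip=$(ip route | grep default | awk '{print $3}')` takes the third field of every line that merely contains the word default, so a default route without a gateway (`default dev eth0 ...`) yields the device name rather than an address, and two default routes yield two values joined by a newline; either way the value later reaches `ip route add ... via $default_route_ip` unquoted in the second hunk. Selecting the fields explicitly and stopping at the first hit keeps the variable a single address: `default_route_ip=$(ip route | awk '$1 == "default" && $2 == "via" {print $3; exit}')`. The `-z` check that follows then also covers the no-gateway case instead of letting a device name through.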
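Review bot: `iptables -I OUTPUT -d $LOCAL_NETWORK -j ACCEPT` is inserted ahead of the kill-switch REJECT rule, so whatever the variable holds becomes a destination that bypasses the tunnel, yet the value is neither validated nor quoted before it reaches `ip route add` and `iptables`. A value that is not a single IPv4 prefix is word-split into extra arguments, and the failure mode is then whatever `ip`/`iptables` make of the leftovers rather than a clear error. I would check the shape first and quote both expansions: `[[ "$LOCAL_NETWORK" =~ ^[0-9]+(\.[0-9]+){3}(/[0-9]+)?$ ]] || { echo "LOCAL_NETWORK must be an IPv4 CIDR, got: $LOCAL_NETWORK" >&2; exit 1; }`, then `ip route add "$LOCAL_NETWORK" via "$default_route_ip"` and `iptables -I OUTPUT -d "$LOCAL_NETWORK" -j ACCEPT`. Note that under the file's `set -e` a failing `ip route add` (for example when a route for that prefix is already present) terminates the script, and that the `ip6tables` REJECT is untouched, so only an IPv4 exception is supported; both are worth a comment above the block. The `if`/`else` that the first context line belongs to starts outside the hunk.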
@@ -1,10 +1,10 @@
 # Wireguard
-This is a simple docker image to run a Wireguard client. It includes a kill switch to ensure that any traffic not encrypted via Wireguard is dropped.
+This is a simple Docker image to run a Wireguard client. It includes a kill switch to ensure that any traffic not encrypted via Wireguard is dropped.
 Wireguard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that Wireguard _must_ be installed on the host operating system for this container to work properly. Instructions for installing Wireguard can be found [here](http://wireguard.com/install).
-You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad. Be sure to NOT include a kill switch in the configuration file, since the docker image already has one.
+You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad. Be sure to NOT include a kill switch in the configuration file, since the Docker image already has one.
 Now simply mount the configuration file and run! For example, if your configuration file is located at `/path/to/conf/mullvad.conf`:
@@ -25,4 +25,40 @@ docker run -it --rm \
 appropriate/curl http://httpbin.org/ip
 ```
-Wireguard is new technology and its behavior may change in the future. For this reason, it's recommended to specify an image tag when running this container, such as `jordanpotter/wireguard:2.0.1`. The available tags are listed [here](https://hub.docker.com/r/jordanpotter/wireguard/tags).
+## Local Network
+
+If you wish to allow traffic to your local network, specify the `LOCAL_NETWORK` environment variable:
+
+```bash
+docker run --name wireguard \
+ --cap-add NET_ADMIN \
+ --cap-add SYS_MODULE \
+ --sysctl net.ipv4.conf.all.src_valid_mark=1 \
+ -v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf \
+ -e LOCAL_NETWORK=10.0.0.0/8 \
+ jordanpotter/wireguard
+```
+
+Additionally, you can expose ports to allow your local network to access services linked to the Wireguard container:
+
+```bash
+docker run --name wireguard \
+ --cap-add NET_ADMIN \
+ --cap-add SYS_MODULE \
+ --sysctl net.ipv4.conf.all.src_valid_mark=1 \
+ -v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf \
+ -p 8080:80 \
+ jordanpotter/wireguard
+```
+
+```bash
+docker run --name nginx \
+ --net=container:wireguard \
+ nginx
+```
+
+## Versioning
+
+Wireguard is new technology and its behavior may change in the future. For this reason, it's recommended to specify an image tag when running this container, such as `jordanpotter/wireguard:2.1.0`.
+
+The available tags are listed [here](https://hub.docker.com/r/jordanpotter/wireguard/tags).
From 6f7a3426dd6b7a6184b98c9f28f7eba750dc96a0 Mon Sep 17 00:00:00 2001
From: Jordan Potter
Date: Sat, 6 Mar 2021 22:48:51 -0600
Subject: [PATCH 3/4] Add log statement when LOCAL_NETWORK specified
---
 entrypoint.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index 08d5bd5..39fb1e5 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -31,13 +31,14 @@ iptables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark)
 docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4}')"
 if [[ -z "$docker6_network" ]]; then
- echo "Skipping ipv6 killswitch setup since ipv6 interface was not found..." >&2
+ echo "Skipping ipv6 kill switch setup since ipv6 interface was not found" >&2
 else
 docker6_network_rule=$([ ! -z "$docker6_network" ] && echo "! -d $docker6_network" || echo "")
 ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT
 fi
 if [[ "$LOCAL_NETWORK" ]]; then
+ echo "Allowing traffic to local network ${LOCAL_NETWORK}" >&2
 ip route add $LOCAL_NETWORK via $default_route_ip
 iptables -I OUTPUT -d $LOCAL_NETWORK -j ACCEPT
 fi
From e10eef58a89e320eac178589d277243d36831eef Mon Sep 17 00:00:00 2001
From: Jordan Potter
Date: Sat, 6 Mar 2021 22:53:26 -0600
Subject: [PATCH 4/4] Minor cleanup to README
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index c60e8e2..310fcd3 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ docker run -it --rm \
 ## Local Network
-If you wish to allow traffic to your local network, specify the `LOCAL_NETWORK` environment variable:
+If you wish to allow traffic to your local network, specify the subnet using the `LOCAL_NETWORK` environment variable:
 ```bash
 docker run --name wireguard \
@@ -52,7 +52,7 @@ docker run --name wireguard \
 ```
 ```bash
-docker run --name nginx \
+docker run -it --rm \
 --net=container:wireguard \
 nginx
 ```
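Review bot: The new `echo "Allowing traffic to local network ${LOCAL_NETWORK}" >&2` is printed before `ip route add` and the `iptables` insert run, so when either of them fails and the script's `set -e` (visible in the first patch) terminates it, the last line in the container log still claims the traffic is allowed. Moving the echo below the two commands, or phrasing it as intent (`echo "Configuring route and firewall exception for local network ${LOCAL_NETWORK}" >&2`), keeps the log consistent with what actually happened.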