simono41/docker-wireguard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #14 from jordanpotter/local_subnet

Browse source 
Add support for LOCAL_NETWORK environment variable
This commit is contained in:
Jordan Potter 2021-03-07 13:50:24 -06:00 committed by GitHub
commit 522c8ff06d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 52 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
README.md
View file

@ -1,10 +1,10 @@
# Wireguard # Wireguard
This is a simple docker image to run a Wireguard client. It includes a kill switch to ensure that any traffic not encrypted via Wireguard is dropped. This is a simple Docker image to run a Wireguard client. It includes a kill switch to ensure that any traffic not encrypted via Wireguard is dropped.
Wireguard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that Wireguard _must_ be installed on the host operating system for this container to work properly. Instructions for installing Wireguard can be found [here](http://wireguard.com/install). Wireguard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that Wireguard _must_ be installed on the host operating system for this container to work properly. Instructions for installing Wireguard can be found [here](http://wireguard.com/install).
You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad. Be sure to NOT include a kill switch in the configuration file, since the docker image already has one. You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad. Be sure to NOT include a kill switch in the configuration file, since the Docker image already has one.
Now simply mount the configuration file and run! For example, if your configuration file is located at `/path/to/conf/mullvad.conf`: Now simply mount the configuration file and run! For example, if your configuration file is located at `/path/to/conf/mullvad.conf`:
@ -25,4 +25,40 @@ docker run -it --rm \
appropriate/curl http://httpbin.org/ip appropriate/curl http://httpbin.org/ip
``` ```
Wireguard is new technology and its behavior may change in the future. For this reason, it's recommended to specify an image tag when running this container, such as `jordanpotter/wireguard:2.0.1`. The available tags are listed [here](https://hub.docker.com/r/jordanpotter/wireguard/tags). ## Local Network
If you wish to allow traffic to your local network, specify the subnet using the `LOCAL_NETWORK` environment variable:
```bash
docker run --name wireguard \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf \
-e LOCAL_NETWORK=10.0.0.0/8 \
jordanpotter/wireguard
```
Additionally, you can expose ports to allow your local network to access services linked to the Wireguard container:
```bash
docker run --name wireguard \
--cap-add NET_ADMIN \
--cap-add SYS_MODULE \
--sysctl net.ipv4.conf.all.src_valid_mark=1 \
-v /path/to/conf/mullvad.conf:/etc/wireguard/mullvad.conf \
-p 8080:80 \
jordanpotter/wireguard
```
```bash
docker run -it --rm \
--net=container:wireguard \
nginx
```
## Versioning
Wireguard is new technology and its behavior may change in the future. For this reason, it's recommended to specify an image tag when running this container, such as `jordanpotter/wireguard:2.1.0`.
The available tags are listed [here](https://hub.docker.com/r/jordanpotter/wireguard/tags).

14
entrypoint.sh
View file

@ -2,6 +2,12 @@
set -e set -e
default_route_ip=$(ip route | grep default | awk '{print $3}')
if [[ -z "$default_route_ip" ]]; then
echo "No default route configured" >&2
exit 1
fi
configs=`find /etc/wireguard -type f -printf "%f\n"` configs=`find /etc/wireguard -type f -printf "%f\n"`
if [[ -z "$configs" ]]; then if [[ -z "$configs" ]]; then
echo "No configuration files found in /etc/wireguard" >&2 echo "No configuration files found in /etc/wireguard" >&2
@ -25,12 +31,18 @@ iptables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark)
docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4}')" docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4}')"
if [[ -z "$docker6_network" ]]; then if [[ -z "$docker6_network" ]]; then
echo "Skipping ipv6 killswitch setup since ipv6 interface was not found..." >&2 echo "Skipping ipv6 kill switch setup since ipv6 interface was not found" >&2
else else
docker6_network_rule=$([ ! -z "$docker6_network" ] && echo "! -d $docker6_network" || echo "") docker6_network_rule=$([ ! -z "$docker6_network" ] && echo "! -d $docker6_network" || echo "")
ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT
fi fi
if [[ "$LOCAL_NETWORK" ]]; then
echo "Allowing traffic to local network ${LOCAL_NETWORK}" >&2
ip route add $LOCAL_NETWORK via $default_route_ip
iptables -I OUTPUT -d $LOCAL_NETWORK -j ACCEPT
fi
shutdown () { shutdown () {
wg-quick down $interface wg-quick down $interface
exit 0 exit 0