diff --git a/README.md b/README.md
index 57700ec..94b1686 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # Wireguard
-This is a simple docker image to run a wireguard client.
+This is a simple docker image to run a wireguard client. It includes a killswitch to ensure that any traffic not encrypted via wireguard is dropped.
 Wireguard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that Wireguard _must_ be installed on the host operating system for this container to work properly. Instructions for installing Wireguard can be found [here](http://wireguard.com/install).
-You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad.
+You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad. Be sure to NOT include a killswitch in the configuration file, since the docker image already has one.
 Now simply mount the configuration file and run! For example, if your configuration file is located at `/path/to/conf/mullvadus2.conf`:
diff --git a/entrypoint.sh b/entrypoint.sh
index a5414b1..d2305ec 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,16 +2,25 @@
 set -e
-interfaces=`find /etc/wireguard -type f`
-if [[ -z $interfaces ]]; then
- echo "No interface found in /etc/wireguard" >&2
+configs=`find /etc/wireguard -type f -printf "%f\n"`
+if [[ -z $configs ]]; then
+ echo "No configuration files found in /etc/wireguard" >&2
 exit 1
 fi
-interface=`echo $interfaces | head -n 1`
+config=`echo $configs | head -n 1`
+interface="${config%.*}"
 wg-quick up $interface
+docker_network="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')"
+docker_network_rule=$([ ! -z "$docker_network" ] && echo "! -d $docker_network" || echo "")
+iptables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker_network_rule -j REJECT
+
+docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4}')"
+docker6_network_rule=$([ ! -z "$docker6_network" ] && echo "! -d $docker6_network" || echo "")
+ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT
+
 shutdown () {
 wg-quick down $interface
 exit 0
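Review bot: The killswitch is installed only after `wg-quick up $interface` has returned, so from that line until the `ip6tables -I` line completes there is no REJECT rule, and if either iptables command fails `set -e` exits with the tunnel still up and no rule in place — presumably anything sharing this network namespace (the usual `--network container:` pattern) can emit plaintext in that window. Guarding both rule lines with `|| { wg-quick down "$interface"; exit 1; }` at least makes that failure path fail closed. Two inputs to those rules also look fragile: `awk '$3 == "inet6" {print $4}'` prints one line per address, so an eth0 with a link-local plus a global IPv6 address yields two CIDRs in `docker6_network_rule` and an invalid `! -d` match, and when wg-quick assigned no fwmark `wg show $interface fwmark` prints `off`, which `--mark` does not accept — both probably just abort the container, but a `head -n 1` on the awk output and a numeric check on the fwmark would make the intent explicit. Separately, `config=\`echo $configs | head -n 1\`` word-splits every filename onto one line before `head` runs, so with two configs `interface` becomes a multi-word string; `config=${configs%%$'\n'*}` takes the first line without the pipeline. The `shutdown` function at the end of the hunk continues outside it.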