Add killswitch
This commit is contained in:
parent
e49e41b85f
commit
8cdbdd9bab
2 changed files with 15 additions and 6 deletions
@ -1,9 +1,9 @@
# Wireguard
# Wireguard
This is a simple docker image to run a wireguard client.
This is a simple docker image to run a wireguard client. It includes a killswitch to ensure that any traffic not encrypted via wireguard is dropped.
|
|
Wireguard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that Wireguard _must_ be installed on the host operating system for this container to work properly. Instructions for installing Wireguard can be found [here](http://wireguard.com/install).
Wireguard is implemented as a kernel module, which is key to its performance and simplicity. However, this means that Wireguard _must_ be installed on the host operating system for this container to work properly. Instructions for installing Wireguard can be found [here](http://wireguard.com/install).
|
|
You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad.
You will need a configuration file for your Wireguard interface. Many VPN providers will create this configuration file for you. For example, [here](http://mullvad.net/en/download/wireguard-config) is the configuration generator for Mullvad. Be sure to NOT include a killswitch in the configuration file, since the docker image already has one.
|
|
Now simply mount the configuration file and run! For example, if your configuration file is located at `/path/to/conf/mullvadus2.conf`:
Now simply mount the configuration file and run! For example, if your configuration file is located at `/path/to/conf/mullvadus2.conf`:
|
|
@ -2,16 +2,25 @@
|
|
set -e
set -e
|
|
interfaces=`find /etc/wireguard -type f`
configs=`find /etc/wireguard -type f -printf "%f\n"`
if [[ -z $interfaces ]]; then
if [[ -z $configs ]]; then
echo "No interface found in /etc/wireguard" >&2
echo "No configuration files found in /etc/wireguard" >&2
exit 1
exit 1
fi
fi
|
|
interface=`echo $interfaces | head -n 1`
config=`echo $configs | head -n 1`
interface="${config%.*}"
wg-quick up $interface
wg-quick up $interface
docker_network="$(ip -o addr show dev eth0 | awk '$3 == "inet" {print $4}')"
docker_network_rule=$([ ! -z "$docker_network" ] && echo "! -d $docker_network" || echo "")
iptables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker_network_rule -j REJECT
docker6_network="$(ip -o addr show dev eth0 | awk '$3 == "inet6" {print $4}')"
docker6_network_rule=$([ ! -z "$docker6_network" ] && echo "! -d $docker6_network" || echo "")
ip6tables -I OUTPUT ! -o $interface -m mark ! --mark $(wg show $interface fwmark) -m addrtype ! --dst-type LOCAL $docker6_network_rule -j REJECT
shutdown () {
shutdown () {
wg-quick down $interface
wg-quick down $interface
exit 0
exit 0
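Review bot: The `echo $configs | head -n 1` substitution word-splits the newline-separated `find` output onto one line before `head` runs, so with more than one file in /etc/wireguard `config` holds every filename, `interface="${config%.*}"` strips only the final suffix, and the unquoted `wg-quick up $interface` / `-o $interface` expand to several words; take the first line without splitting, `config=$(head -n 1 <<<"$configs")`, and quote `"$interface"` wherever it is expanded. The REJECT rules are added only after `wg-quick up` has returned, so unencrypted traffic can leave eth0 during that window (relevant for anything sharing this container's network namespace); inserting the rules before bringing the interface up, with a fixed `FwMark` in the config instead of reading `wg show $interface fwmark`, would make the switch fail-closed. `wg show $interface fwmark` prints `off` when wg-quick did not set a mark, which I believe is the case for a config that does not route a default route through the tunnel, and `-m mark ! --mark off` then fails; an explicit check with a clear error would be better than the bare `set -e` abort. If eth0 carries more than one inet or inet6 address, `docker_network` becomes multi-line and `! -d $docker_network` no longer parses. The `shutdown` function's closing brace lies outside the hunk.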