Skip to content

Commit

Permalink
Merge pull request linuxserver#302 from linuxserver/multi
Browse files Browse the repository at this point in the history
Add support for multiple WireGuard interfaces
  • Loading branch information
aptalca authored Oct 10, 2023
2 parents 2198ae4 + cd4e173 commit 62f1173
Show file tree
Hide file tree
Showing 8 changed files with 84 additions and 23 deletions.
2 changes: 2 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ RUN \
sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' src/wg-quick/linux.bash && \
make -C src -j$(nproc) && \
make -C src install && \
rm -rf /etc/wireguard && \
ln -s /config/wg_confs /etc/wireguard && \
echo "**** clean up ****" && \
apk del --no-network build-dependencies && \
rm -rf \
Expand Down
2 changes: 2 additions & 0 deletions Dockerfile.aarch64
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ RUN \
sed -i 's|\[\[ $proto == -4 \]\] && cmd sysctl -q net\.ipv4\.conf\.all\.src_valid_mark=1|[[ $proto == -4 ]] \&\& [[ $(sysctl -n net.ipv4.conf.all.src_valid_mark) != 1 ]] \&\& cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1|' src/wg-quick/linux.bash && \
make -C src -j$(nproc) && \
make -C src install && \
rm -rf /etc/wireguard && \
ln -s /config/wg_confs /etc/wireguard && \
echo "**** clean up ****" && \
apk del --no-network build-dependencies && \
rm -rf \
Expand Down
7 changes: 5 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -85,11 +85,13 @@ To add more peers/clients later on, you increment the `PEERS` environment variab

To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: `docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (Keep in mind that the QR codes are also stored as PNGs in the config folder).

The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg_confs/wg0.conf` and restarting the container.

The container managed server conf is hardcoded to `wg0.conf`. However, the users can add additional tunnel config files with `.conf` extensions into `/config/wg_confs/` and the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.

## Client Mode

Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
Do not set the `PEERS` environment variable. Drop your client conf(s) into the config folder as `/config/wg_confs/<tunnel name>.conf` and start the container. If there are multiple tunnel configs, the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.

If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.

Expand Down Expand Up @@ -330,6 +332,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64

## Versions

* **03.10.23:** - **Potentially Breaking Change:** Support for multiple interfaces added. Wireguard confs moved to `/config/wg_confs/`. Any file with a `.conf` extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to `wg0.conf`.
* **28.06.23:** - Rebase master to Alpine 3.18 again.
* **26.06.23:** - Revert master to Alpine 3.17, due to issue with openresolv.
* **24.06.23:** - Rebase master to Alpine 3.18, deprecate armhf as per [https://www.linuxserver.io/armhf](https://www.linuxserver.io/armhf).
Expand Down
7 changes: 5 additions & 2 deletions readme-vars.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,11 +78,13 @@ app_setup_block: |
To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: `docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (Keep in mind that the QR codes are also stored as PNGs in the config folder).
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg_confs/wg0.conf` and restarting the container.
The container managed server conf is hardcoded to `wg0.conf`. However, the users can add additional tunnel config files with `.conf` extensions into `/config/wg_confs/` and the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
Do not set the `PEERS` environment variable. Drop your client conf(s) into the config folder as `/config/wg_confs/<tunnel name>.conf` and start the container. If there are multiple tunnel configs, the container will attempt to start them all in alphabetical order. If any one of the tunnels fail, they will all be stopped and the default route will be deleted, requiring user intervention to fix the invalid conf and a container restart.
If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
Expand Down Expand Up @@ -126,6 +128,7 @@ app_setup_block: |
# changelog
changelogs:
- { date: "03.10.23:", desc: "**Potentially Breaking Change:** Support for multiple interfaces added. Wireguard confs moved to `/config/wg_confs/`. Any file with a `.conf` extension in that folder will be treated as a live tunnel config and will be attempted to start. If any of the tunnels fail, all tunnels will be stopped. Tunnels are started in alphabetical order. Managed server conf will continue to be hardcoded to `wg0.conf`." }
- { date: "28.06.23:", desc: "Rebase master to Alpine 3.18 again." }
- { date: "26.06.23:", desc: "Revert master to Alpine 3.17, due to issue with openresolv." }
- { date: "24.06.23:", desc: "Rebase master to Alpine 3.18, deprecate armhf as per [https://www.linuxserver.io/armhf](https://www.linuxserver.io/armhf)." }
Expand Down
2 changes: 1 addition & 1 deletion root/app/show-peer
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ for i in "$@"; do
PEER_ID="peer_${i//[^[:alnum:]_-]/}"
fi

if grep -q "# ${PEER_ID}" /config/wg0.conf; then
if grep -q "# ${PEER_ID}" /config/wg_confs/wg0.conf; then
echo "PEER ${i} QR code:"
qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
else
Expand Down
33 changes: 17 additions & 16 deletions root/etc/s6-overlay/s6-rc.d/init-wireguard-confs/run
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,15 @@
# shellcheck shell=bash
# shellcheck disable=SC2016,SC1091,SC2183

# prepare symlinks
rm -rf /etc/wireguard
mkdir -p /etc/wireguard
ln -s /config/wg0.conf /etc/wireguard/wg0.conf
mkdir -p /config/wg_confs

# migration to subfolder for wg confs
if [[ -z "$(ls -A /config/wg_confs)" ]] && [[ -f /config/wg0.conf ]]; then
echo "**** Performing migration to new folder structure for confs. Please see the image changelog 2023-10-03 entry for more details. ****"
cp /config/wg0.conf /config/wg_confs/wg0.conf
rm -rf /config/wg0.conf || :
fi

# prepare templates
if [[ ! -f /config/templates/server.conf ]]; then
cp /defaults/server.conf /config/templates/server.conf
Expand All @@ -25,7 +30,7 @@ generate_confs () {
wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
fi
eval "$(printf %s)
cat <<DUDE > /config/wg0.conf
cat <<DUDE > /config/wg_confs/wg0.conf
$(cat /config/templates/server.conf)

DUDE"
Expand Down Expand Up @@ -65,7 +70,7 @@ DUDE"
$(cat /config/templates/peer.conf)
DUDE"
# add peer info to server conf with presharedkey
cat <<DUDE >> /config/wg0.conf
cat <<DUDE >> /config/wg_confs/wg0.conf
[Peer]
# ${PEER_ID}
PublicKey = $(cat "/config/${PEER_ID}/publickey-${PEER_ID}")
Expand All @@ -79,7 +84,7 @@ DUDE
$(sed '/PresharedKey/d' "/config/templates/peer.conf")
DUDE"
# add peer info to server conf without presharedkey
cat <<DUDE >> /config/wg0.conf
cat <<DUDE >> /config/wg_confs/wg0.conf
[Peer]
# ${PEER_ID}
PublicKey = $(cat "/config/${PEER_ID}/publickey-${PEER_ID}")
Expand All @@ -89,22 +94,22 @@ DUDE
# add peer's allowedips to server conf
if [[ -n "${!SERVER_ALLOWEDIPS}" ]]; then
echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}"
cat <<DUDE >> /config/wg0.conf
cat <<DUDE >> /config/wg_confs/wg0.conf
AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}
DUDE
else
cat <<DUDE >> /config/wg0.conf
cat <<DUDE >> /config/wg_confs/wg0.conf
AllowedIPs = ${CLIENT_IP}/32
DUDE
fi
# add PersistentKeepalive if the peer is specified
if [[ -n "${PERSISTENTKEEPALIVE_PEERS_ARRAY}" ]] && ([[ "${PERSISTENTKEEPALIVE_PEERS_ARRAY[0]}" = "all" ]] || printf '%s\0' "${PERSISTENTKEEPALIVE_PEERS_ARRAY[@]}" | grep -Fxqz -- "${i}"); then
cat <<DUDE >> /config/wg0.conf
cat <<DUDE >> /config/wg_confs/wg0.conf
PersistentKeepalive = 25

DUDE
else
cat <<DUDE >> /config/wg0.conf
cat <<DUDE >> /config/wg_confs/wg0.conf

DUDE
fi
Expand Down Expand Up @@ -161,7 +166,7 @@ if [[ -n "$PEERS" ]]; then
else
echo "**** Peer DNS servers will be set to $PEERDNS ****"
fi
if [[ ! -f /config/wg0.conf ]]; then
if [[ ! -f /config/wg_confs/wg0.conf ]]; then
echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
generate_confs
save_vars
Expand All @@ -180,10 +185,6 @@ if [[ -n "$PEERS" ]]; then
fi
else
echo "**** Client mode selected. ****"
if [[ ! -f /config/wg0.conf ]]; then
echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
sleep infinity
fi
USE_COREDNS="${USE_COREDNS,,}"
printf %s "${USE_COREDNS:-false}" > /run/s6/container_environment/USE_COREDNS
fi
Expand Down
10 changes: 9 additions & 1 deletion root/etc/s6-overlay/s6-rc.d/svc-wireguard/finish
Original file line number Diff line number Diff line change
@@ -1,4 +1,12 @@
#!/usr/bin/with-contenv bash
# shellcheck shell=bash

wg-quick down wg0
if [[ -f "/app/activeconfs" ]]; then
. /app/activeconfs
for tunnel in $(printf '%s\n' "${WG_CONFS[@]}" | tac | tr '\n' ' '; echo); do
echo "**** Disabling tunnel ${tunnel} ****"
wg-quick down "${tunnel}" || :
done
echo "**** All tunnels are down ****"
rm -rf /app/activeconfs
fi
44 changes: 43 additions & 1 deletion root/etc/s6-overlay/s6-rc.d/svc-wireguard/run
Original file line number Diff line number Diff line change
@@ -1,4 +1,46 @@
#!/usr/bin/with-contenv bash
# shellcheck shell=bash

wg-quick up wg0
unset WG_CONFS
rm -rf /app/activeconfs
# Enumerate interfaces
for wgconf in $(ls /config/wg_confs/*.conf); do
if grep -q "\[Interface\]" "${wgconf}"; then
echo "**** Found WG conf ${wgconf}, adding to list ****"
WG_CONFS+=("${wgconf}")
else
echo "**** Found WG conf ${wgconf}, but it doesn't seem to be valid, skipping. ****"
fi
done

if [[ -z "${WG_CONFS}" ]]; then
echo "**** No valid tunnel config found. Please create a valid config and restart the container ****"
ip route del default
exit 0
fi

unset FAILED
for tunnel in ${WG_CONFS[@]}; do
echo "**** Activating tunnel ${tunnel} ****"
if ! wg-quick up "${tunnel}"; then
FAILED="${tunnel}"
break
fi
done

if [[ -z "${FAILED}" ]]; then
declare -p WG_CONFS > /app/activeconfs
echo "**** All tunnels are now active ****"
else
echo "**** Tunnel ${FAILED} failed, will stop all others! ****"
for tunnel in ${WG_CONFS[@]}; do
if [[ "${tunnel}" = "${FAILED}" ]]; then
break
else
echo "**** Disabling tunnel ${tunnel} ****"
wg-quick down "${tunnel}" || :
fi
done
ip route del default
echo "**** All tunnels are now down. Please fix the tunnel config ${FAILED} and restart the container ****"
fi

0 comments on commit 62f1173

Please sign in to comment.