Updated Docker image

[DaanSelen]

Hello Donald, regarding the recent revelations in regards of security. I present here my fork.

Ask questions below.

[donaldzou]

This looks promising! Currently in the main branch, there is a iptable-rules folder including 2 bash files, does this changes still needs it?

[NOXCIS]

@DaanSelen Good stuff. Don't you think its a bit highly personalized. I was thinking more of a wg-easy on steroids thanks to @donaldzou UI & backend. Check my fork.

[NOXCIS]

@DaanSelen @donaldzou Oh and the iptable-rules dir is just what it says on the label. Calling a script to apply wireguard postup/down rules instead of hard coding into the config. It also allows for custom firewall rules such as the one below. Scripts can be be added and configured for each interface as needed.

#!/bin/bash

#DEFINE INTERFACE ENVIORNMENT
##############################################################################################################
WIREGUARD_INTERFACE=GUESTS
WIREGUARD_LAN=192.168.20.1/24
MASQUERADE_INTERFACE=eth0
GLOBAL_DNS=$WGD_IPTABLES_DNS
  

# Enable NAT on the interface
iptables  -t  nat  -I  POSTROUTING  -o  $MASQUERADE_INTERFACE  -j  MASQUERADE  -s  $WIREGUARD_LAN


# Add a WIREGUARD chain to the FORWARD chain
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
iptables  -N  $CHAIN_NAME
iptables  -A  FORWARD  -j  $CHAIN_NAME

##############################################################################################################
#START OF CORE RULES
##############################################################################################################
# Accept related or established traffic
iptables  -A  $CHAIN_NAME  -o  $WIREGUARD_INTERFACE  -m  conntrack  --ctstate  RELATED,ESTABLISHED  -j  ACCEPT
# Drop traffic to wg-dashboard
iptables  -A  INPUT  -i  $WIREGUARD_INTERFACE  -j  DROP
#END OF CORE RULES
##############################################################################################################


#START OF GLOBAL DNS FORWARDING RULES
##############################################################################################################
iptables  -A  $CHAIN_NAME  -s  $WIREGUARD_LAN  -i  $WIREGUARD_INTERFACE  -d  $GLOBAL_DNS  -p  tcp  --dport  53  -j  ACCEPT
iptables  -A  $CHAIN_NAME  -s  $WIREGUARD_LAN  -i  $WIREGUARD_INTERFACE  -d  $GLOBAL_DNS  -p  udp  --dport  53  -j  ACCEPT
iptables  -A  $CHAIN_NAME  -s  $WIREGUARD_LAN  -i  $WIREGUARD_INTERFACE  -d  $GLOBAL_DNS  -p  tcp  --dport  853  -j  ACCEPT
iptables  -A  $CHAIN_NAME  -s  $WIREGUARD_LAN  -i  $WIREGUARD_INTERFACE  -d  $GLOBAL_DNS  -p  udp  --dport  853  -j  ACCEPT
#END OF GLOBAL DNS FORWARDING RULES
##############################################################################################################

# START OF GUEST RULES
##############################################################################################################
# Drop traffic to private IP address ranges
iptables  -A  $CHAIN_NAME  -s  $WIREGUARD_LAN  -i  $WIREGUARD_INTERFACE  -d  10.0.0.0/8,172.16.0.0/12,192.168.0.0/16  -j  DROP
# Accept outgoing connections to HTTP(S) ports to any IP address (public because of rule above)
iptables  -A  $CHAIN_NAME  -s  $WIREGUARD_LAN  -i  $WIREGUARD_INTERFACE  -d  0.0.0.0/0  -p  tcp  -m  multiport  --dports  80,443  -j  ACCEPT
#END OF GUEST RULES
##############################################################################################################

# Accept traffic from any Wireguard IP address connected to the Wireguard server
iptables  -A  $CHAIN_NAME  -s  $WIREGUARD_LAN  -i  $WIREGUARD_INTERFACE  -j  ACCEPT
# Drop everything else coming through the Wireguard interface
iptables  -A  $CHAIN_NAME  -i  $WIREGUARD_INTERFACE  -j  DROP
# Return to FORWARD chain
iptables  -A  $CHAIN_NAME  -j  RETURN
#END OF GUEST RULES
##############################################################################################################
  

[zwoabier]

Is there a reason why the PR is not merged in? Instead it seems like changes are cherry picked from it and main branch of this project is broken, at least for the docker related things...
There is misleading and conflicting documentation around and the image on docker hub is not built from this repo.

[DaanSelen]

Is there a reason why the PR is not merged in? Instead it seems like changes are cherry picked from it and main branch of this project is broken, at least for the docker related things... There is misleading and conflicting documentation around and the image on docker hub is not built from this repo.

@donaldzou I am waiting for your vision on the Docker image, as project lead. What is your feeling the Docker image should be? And do you have questions about certain decisions of this PR.

@zwoabier what is your opinion on this PR?

[zwoabier]

I think it's a good starting point but still some things to consider. One of the most important things to me would be to have a docker image that is built and published from this repository with a matching, up to date documentation so that people are able to use it and aren't frustrated because it's not working.

Apart from that, once we have the code merged and the docker image is built and working from within this repository we should improve the docker image with things like

• versioning
• more static image (not installing stuff during runtime, not calling wgd.sh install in the docker container anymore)
• add more configuration env variables / mount points
  • src not copied over to mounted volume
  • mount point for database
  • mount point for config
• get rid of 2 flavors? (debian / alpine)

Just a few ideas from my side. Once we have that merged in and it is working I would be happy to contribute and improve the setup further. But we should get the project lead on board and streamline our efforts with @NOXCIS

[DaanSelen]

I think it's a good starting point but still some things to consider. One of the most important things to me would be to have a docker image that is built and published from this repository with a matching, up to date documentation so that people are able to use it and aren't frustrated because it's not working.

Apart from that, once we have the code merged and the docker image is built and working from within this repository we should improve the docker image with things like

• versioning

• more static image (not installing stuff during runtime, not calling wgd.sh install in the docker container anymore)

• add more configuration env variables / mount points

  • src not copied over to mounted volume
  • mount point for database
  • mount point for config

• get rid of 2 flavors? (debian / alpine)

Just a few ideas from my side. Once we have that merged in and it is working I would be happy to contribute and improve the setup further. But we should get the project lead on board and streamline our efforts with @NOXCIS

Good idea, I will work on the ideas I understand, such as the mount points. It is correct that right now the only thing mounted is the /etc/wireguard directory and the /opt/wireguarddashboard directory. Please see my Fork: https://github.com/DaanSelen/WGDashboard and the changes including the Docker Compose file.
However preinstalling dependencies will inflate the image. Something which Noxcis has tried to remove in the current version of the Docker image in the main branche.

Of course if you have counter-arguments to the points he has made, I would like to hear them!
The points:
#333
#336

For inspiration, we might be able to merge the elements from the 2 main PR's available now. This one #345
And: #358

Let's have a conversation!

[NOXCIS]

@DaanSelen @zwoabier Im still strongly against hardcoding any enviorment or config creation into the docker image. As for the no installs during run time, python installs during runtime allows maintence free package updates across builds and images. I agree on not mouting the whole src dir, however im waiting to see if @donaldzou impliments database backups before switching the mount method.