-
-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updated Docker image #345
base: main
Are you sure you want to change the base?
Updated Docker image #345
Conversation
Rearranged Ubuntu match other descending formats.
This looks promising! Currently in the |
@DaanSelen Good stuff. Don't you think its a bit highly personalized. I was thinking more of a wg-easy on steroids thanks to @donaldzou UI & backend. Check my fork. |
@DaanSelen @donaldzou Oh and the iptable-rules dir is just what it says on the label. Calling a script to apply wireguard postup/down rules instead of hard coding into the config. It also allows for custom firewall rules such as the one below. Scripts can be be added and configured for each interface as needed. #!/bin/bash
#DEFINE INTERFACE ENVIORNMENT
##############################################################################################################
WIREGUARD_INTERFACE=GUESTS
WIREGUARD_LAN=192.168.20.1/24
MASQUERADE_INTERFACE=eth0
GLOBAL_DNS=$WGD_IPTABLES_DNS
# Enable NAT on the interface
iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
# Add a WIREGUARD chain to the FORWARD chain
CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
iptables -N $CHAIN_NAME
iptables -A FORWARD -j $CHAIN_NAME
##############################################################################################################
#START OF CORE RULES
##############################################################################################################
# Accept related or established traffic
iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Drop traffic to wg-dashboard
iptables -A INPUT -i $WIREGUARD_INTERFACE -j DROP
#END OF CORE RULES
##############################################################################################################
#START OF GLOBAL DNS FORWARDING RULES
##############################################################################################################
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -d $GLOBAL_DNS -p tcp --dport 53 -j ACCEPT
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -d $GLOBAL_DNS -p udp --dport 53 -j ACCEPT
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -d $GLOBAL_DNS -p tcp --dport 853 -j ACCEPT
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -d $GLOBAL_DNS -p udp --dport 853 -j ACCEPT
#END OF GLOBAL DNS FORWARDING RULES
##############################################################################################################
# START OF GUEST RULES
##############################################################################################################
# Drop traffic to private IP address ranges
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j DROP
# Accept outgoing connections to HTTP(S) ports to any IP address (public because of rule above)
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -d 0.0.0.0/0 -p tcp -m multiport --dports 80,443 -j ACCEPT
#END OF GUEST RULES
##############################################################################################################
# Accept traffic from any Wireguard IP address connected to the Wireguard server
iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT
# Drop everything else coming through the Wireguard interface
iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
# Return to FORWARD chain
iptables -A $CHAIN_NAME -j RETURN
#END OF GUEST RULES
##############################################################################################################
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason why the PR is not merged in? Instead it seems like changes are cherry picked from it and main
branch of this project is broken, at least for the docker related things...
There is misleading and conflicting documentation around and the image on docker hub is not built from this repo.
@donaldzou I am waiting for your vision on the Docker image, as project lead. What is your feeling the Docker image should be? And do you have questions about certain decisions of this PR. @zwoabier what is your opinion on this PR? |
I think it's a good starting point but still some things to consider. One of the most important things to me would be to have a docker image that is built and published from this repository with a matching, up to date documentation so that people are able to use it and aren't frustrated because it's not working. Apart from that, once we have the code merged and the docker image is built and working from within this repository we should improve the docker image with things like
Just a few ideas from my side. Once we have that merged in and it is working I would be happy to contribute and improve the setup further. But we should get the project lead on board and streamline our efforts with @NOXCIS |
Good idea, I will work on the ideas I understand, such as the mount points. It is correct that right now the only thing mounted is the /etc/wireguard directory and the /opt/wireguarddashboard directory. Please see my Fork: https://github.com/DaanSelen/WGDashboard and the changes including the Docker Compose file. Of course if you have counter-arguments to the points he has made, I would like to hear them! For inspiration, we might be able to merge the elements from the 2 main PR's available now. This one #345 Let's have a conversation! |
@DaanSelen @zwoabier Im still strongly against hardcoding any enviorment or config creation into the docker image. As for the no installs during run time, python installs during runtime allows maintence free package updates across builds and images. I agree on not mouting the whole src dir, however im waiting to see if @donaldzou impliments database backups before switching the mount method. |
Hello Donald, regarding the recent revelations in regards of security. I present here my fork.
Ask questions below.