EnigmaCurry / d.rymcg.tech

A collection of self-hosted docker-compose projects with Traefik reverse proxy, integrated auth, and administrative Makefiles for easy maintenance
MIT License

Changing peer keys doesn't work in wireguard-client unless `make destroy` #250

Closed mcmikemn closed 6 days ago

mcmikemn commented 1 week ago

Once you install traefik with a wireguard-client container, if the peer keys change and you enter the new keys in traefik's config and run make reinstall, the wireguard-client container launches wg with the old keys. You have to traefik/make destroy first.

EnigmaCurry commented 1 week ago

It appears that it should always recreate the config from .env vars:

https://github.com/EnigmaCurry/d.rymcg.tech/blob/c15bd53163c3ffdff1d8a7cd7cada87b3a695e8a/traefik/docker-compose.yaml#L204-L221

https://github.com/EnigmaCurry/d.rymcg.tech/blob/c15bd53163c3ffdff1d8a7cd7cada87b3a695e8a/traefik/wireguard-client-config/setup.sh#L8

Can you reproduce it?

mcmikemn commented 6 days ago

Yes, I can reproduce it. Here are the steps:

  1. install traefik/wg as server on "sentry" droplet, install traefik/wg as client on local VM, confirm they can handshake
  2. make destroy the sentry
  3. make install the sentry - it now has new wg keys
  4. make config the VM - config it with the new keys
  5. make install or make reinstall the VM
  6. VM and sentry can no longer handshake, and wg on the VM shows the previous key next to "Peer" (not the new key)

EnigmaCurry commented 6 days ago

Ah, I see this in the logs now:

```
# docker compose -f docker-compose.yaml --env-file=.env_delorean-traefik-public_default --project-name=traefik logs -f -t wireguard-client-config
wireguard-client-config-1  | 2024-07-02T00:41:28.646565121Z rm: cannot remove '/config/coredns/Corefile': Permission denied
wireguard-client-config-1  | 2024-07-02T00:41:28.646885993Z rm: cannot remove '/config/templates/server.conf': Permission denied
wireguard-client-config-1  | 2024-07-02T00:41:28.646912353Z rm: cannot remove '/config/templates/peer.conf': Permission denied
wireguard-client-config-1  | 2024-07-02T00:41:28.647626922Z rm: cannot remove '/config/wg_confs/wg0.conf': Permission denied
wireguard-client-config-1  | 2024-07-02T00:42:24.005893395Z rm: cannot remove '/config/coredns/Corefile': Permission denied
wireguard-client-config-1  | 2024-07-02T00:42:24.005927059Z rm: cannot remove '/config/templates/server.conf': Permission denied
wireguard-client-config-1  | 2024-07-02T00:42:24.005952682Z rm: cannot remove '/config/templates/peer.conf': Permission denied
wireguard-client-config-1  | 2024-07-02T00:42:24.005978896Z rm: cannot remove '/config/wg_confs/wg0.conf': Permission denied
```

EnigmaCurry commented 6 days ago

Thanks, I found the permission error due to an unnecessary capabilities drop. I fixed it in a42aa19 as part of #237.
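
The failure in this thread was silent: the config container could not remove the old `wg0.conf`, so the client kept running with the previous peer key. The check below is an added example, not code from this project or from the thread's participants. It compares the peer key you configured against the rendered `wg0.conf` and counts the `rm` permission errors in captured logs. The function names, the keys, the endpoint and the sample file contents are all constructed for illustration.

```shell
# Added example: detect a stale WireGuard client config after a key change.
# Print every PublicKey value found inside [Peer] sections of a wg conf file.
peer_keys_in_conf() {
    awk '
        /^[ \t]*\[/ { in_peer = ($0 ~ /^[ \t]*\[Peer\]/) }
        in_peer && /^[ \t]*PublicKey[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # strip "PublicKey =" up to the first "="
            sub(/[ \t\r]+$/, "")       # strip trailing whitespace
            print
        }
    ' "$1"
}

# Return 0 (stale) when the expected peer key is absent from the rendered conf.
config_is_stale() {
    if peer_keys_in_conf "$1" | grep -Fxq -- "$2"; then
        return 1
    fi
    return 0
}

# Count "rm: cannot remove ...: Permission denied" lines in captured logs.
rm_permission_failures() {
    grep -c "rm: cannot remove .*: Permission denied" "$1" || true
}

# Constructed sample data: a conf still holding the old peer key, plus two
# log lines in the format shown in the thread.
write_sample() {
    cat > "$1/wg0.conf" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER=
[Peer]
PublicKey = CONSTRUCTED-OLD-PEER-KEY-PLACEHOLDER=
Endpoint = sentry.example.com:51820
EOF
    cat > "$1/config.log" <<'EOF'
wireguard-client-config-1  | 2024-07-02T00:41:28.647626922Z rm: cannot remove '/config/wg_confs/wg0.conf': Permission denied
wireguard-client-config-1  | 2024-07-02T00:42:24.005978896Z rm: cannot remove '/config/wg_confs/wg0.conf': Permission denied
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
if config_is_stale "$tmp/wg0.conf" "CONSTRUCTED-NEW-PEER-KEY-PLACEHOLDER="; then
    echo "STALE: wg0.conf does not contain the configured peer key"
fi
echo "rm permission failures in log: $(rm_permission_failures "$tmp/config.log")"
rm -rf "$tmp"
```
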