donaldzou / WGDashboard

Simple dashboard for WireGuard VPN written in Python w/ Flask
Apache License 2.0
1.25k stars 181 forks

Possible Docker solution #20

Open donaldzou opened 3 years ago

donaldzou commented 3 years ago

If you know how to migrate this project completely to a Docker app, please comment below ;) Thank you!

potter420 commented 3 years ago

I can make a Dockerfile for this one. Most of your code is in Python, right?

donaldzou commented 3 years ago

> I can make a Dockerfile for this one. Most of your code is in Python, right?

Hi! Yes, I tried to migrate this into Docker, but this program needs to access WireGuard and the configuration file from the host, which is something I'm not sure how to do

potter420 commented 3 years ago

Docker volume mount can handle that somehow, but you need to give root access to the docker container (build without setting user) or make the wireguard executable accessible by a non-root user (which I think is not a good thing, I'm not a security expert). We can put a Dockerfile and docker-compose with a suitable volume mount.

donaldzou commented 3 years ago

I see, so does that mean there is some command that allows Python to execute `wg show`..., and then Docker can execute that command on the host if the Docker container has root access?

donaldzou commented 3 years ago

I've tried to write a simple Python script to control WireGuard and ran that in Docker, but it is still telling me `wg` command not found

potter420 commented 3 years ago

I tried that too and encountered many problems. Managed to get `wg show` to work, but not sure if it affects the docker interface or host interface. At this point, I think packing wireguard into docker too may be the better option :( So we will have a docker image with wireguard and dashboard in the same container

donaldzou commented 3 years ago

Yeah I've been looking into that, but it's gonna be quite complicated, and then it's not gonna be a "simple" dashboard anymore lol

shrinidhi111 commented 3 years ago

@potter420

> Managed to get wg show to work, but not sure if it affects the docker interface or host interface.

Using host network allows the docker's wireguard to directly manipulate the host's network rules and interface. So this issue won't come. Simply run the docker container with these flags

```
--privileged --cap-add=NET_RAW --net=host
```

shrinidhi111 commented 3 years ago

@donaldzou

You may use this as inspiration/template.

https://hub.docker.com/r/linuxserver/wireguard

If time permits today I'll provide a working docker command.
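
An added check, not part of the thread, for the `--privileged --cap-add=NET_RAW --net=host` flags suggested above: `--privileged` already grants every capability, `NET_RAW` is in Docker's default set, and configuring WireGuard interfaces needs `NET_ADMIN`. The sketch decodes a container's effective capability mask to show which grant it actually received; the function names are hypothetical and the sample masks are constructed from typical Docker values.

```shell
#!/bin/sh
# Added example, not from the thread. Decodes a CapEff mask (the hex value on
# the "CapEff:" line of /proc/self/status) and rates it for WireGuard management.
# Function names are hypothetical; bit numbers are from linux/capability.h.

CAP_NET_ADMIN=12   # required to create and configure wg interfaces
CAP_NET_RAW=13     # already part of Docker's default capability set
CAP_SYS_ADMIN=21   # not in the default set; present with --privileged

# Constructed sample masks (typical values for each way of starting a container).
DEFAULT_MASK=00000000a80425fb     # docker run with no capability flags
NET_ADMIN_MASK=00000000a80435fb   # docker run --cap-add=NET_ADMIN
PRIVILEGED_MASK=0000003fffffffff  # docker run --privileged

has_cap() {  # has_cap HEXMASK BIT -> exit status 0 if the bit is set
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

classify_caps() {  # prints: insufficient | ok | excessive
    mask=$1
    if ! has_cap "$mask" "$CAP_NET_ADMIN"; then
        echo insufficient      # wg cannot configure interfaces
    elif has_cap "$mask" "$CAP_SYS_ADMIN"; then
        echo excessive         # far more than WireGuard management needs
    else
        echo ok
    fi
}

current_capeff() {  # mask of the calling process, e.g. run inside the container
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Inside a running container: classify_caps "$(current_capeff)"
```

A result of `ok` corresponds to a narrower grant such as `--cap-add=NET_ADMIN`, assuming the host kernel already provides WireGuard.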

donaldzou commented 3 years ago

Hi @shrinidhi111 ! Thank you for doing this, I will look into it too ;)

tamaskan commented 3 years ago

And there is https://github.com/WeeJeWel/wg-easy/ . I think your dashboard is visually more pleasing :-) The only issue I have with these kinds of containers is that you always have to expose them, so I personally settled with a bridged container, volume and an inotify-reload on the host

barryboom commented 3 years ago

I would reserve caution on moving to a Docker-based dashboard, as I have still to find one that works well and is easy to install; even the one above, wg-easy, following the install guide, does not work, unlike what you have here

neonwatty commented 2 years ago

I've added a dockerized form of your excellent app in this fork - tested successfully using an Ubuntu 20.04 LTS host on Linode.

## Short Description

this fork contains 5 extra files on top of the current repo that roll up your app + wireguard into a docker image, allow for custom config at compose time, and deploy using docker-compose. you can pull the forked repo, cd into the dir, and follow these two steps to test

```bash
bash install_docker_ubuntu.sh
docker-compose up -d --build
```

## Long Description

these extra 5 files are

1. `install_docker_ubuntu.sh` - docker/docker-compose installs for ubuntu 20.04

```bash
#!/bin/bash

# install docker
sudo apt install -y apt-transport-https ca-certificates curl gnupg software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io

# install docker-compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# make the downloaded binary executable
sudo chmod +x /usr/local/bin/docker-compose
```


2. `Dockerfile` - a basic Dockerfile rolling up your app + wireguard into an ubuntu image

```dockerfile
FROM ubuntu:20.04

# update pack list
RUN apt update

# install utils + wireguard
RUN apt install -y apt-utils python3.8 python3-pip gcc libffi-dev python-dev default-libmysqlclient-dev python3-dev net-tools gettext-base iproute2 iptables wireguard

# configure wireguard (runs at build time, so the key pair is stored in the image;
# RUN already executes as root and the base image ships no sudo)
RUN wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey

# python installs
RUN pip3 install Flask tinydb ifcfg icmplib flask-qrcode

# make home directory
RUN mkdir /home/app

# copy over env and template
COPY env.sh /home/app/env.sh
COPY wg0_template.conf /etc/wireguard/wg0_template.conf
```


3. `wg0_template.conf` - config file template - currently allows `SERVER_PRIVATE_KEY` configuration based on wireguard instantiation

```ini
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = $SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
```


4. `env.sh` - stamps env variables into `wg0_template.conf` at compose time. currently only `SERVER_PRIVATE_KEY`

```bash
#!/bin/bash

# set temp envs
export SERVER_PRIVATE_KEY=$(cat /etc/wireguard/privatekey)

# copy template
cp /home/app/wg0_template.conf /etc/wireguard/wg0_template.conf

# sub in vars in template .conf
envsubst < /etc/wireguard/wg0_template.conf > /etc/wireguard/wg0.conf

# clean up template
rm /etc/wireguard/wg0_template.conf

# chmod
chmod 600 /etc/wireguard/{privatekey,wg0.conf}
```


5. `docker-compose.yml` - a simple compose file that wraps up the docker-fied version of the app

```yaml
version: '3.8'

services:
  wireguard_dashboard:
    build:
      context: .
    image: wireguard_dashboard
    container_name: wireguard_dashboard
    ports:

networks:
  wireguard_network:
```



With this setup there's no need to manufacture a specific `systemd` unit to ensure wireguard + your app runs at boot - as systemd's management of docker + the line `restart: "always"` should produce the same effect.

Here you can replace `/home/app/src/wgd.sh debug` with `/home/app/src/wgd.sh start` etc.,

You can examine logs of the running container via

`docker container logs wireguard_dashboard`

## Final thoughts - separating your app from wireguard

This docker configuration works - eventually it would be nice to separate the app from wireguard and host each from a separate container.  
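
The Dockerfile above creates the key pair in a `RUN` step, so the private key is stored in an image layer and shared by every container started from that image. An added sketch (not part of the fork) that creates the keys on first container start instead, in a directory that can be a mounted volume; `ensure_wg_keys` and `WG_BIN` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the fork). Creates the WireGuard key pair on first
# container start instead of in a Dockerfile RUN step.
# ensure_wg_keys and WG_BIN are hypothetical names chosen for this sketch.

ensure_wg_keys() {
    dir=${1:-/etc/wireguard}
    wg_bin=${WG_BIN:-wg}
    priv="$dir/privatekey"
    pub="$dir/publickey"
    tmp=""
    rc=0

    old_umask=$(umask)
    umask 077                      # new files 0600, new directories 0700
    mkdir -p "$dir" || rc=1

    # Keep an existing key so peers stay valid across restarts and rebuilds.
    if [ "$rc" -eq 0 ] && [ ! -s "$priv" ]; then
        # Write to a temp file first so a failed genkey never leaves an
        # empty or partial private key behind.
        tmp=$(mktemp "$dir/.privatekey.XXXXXX") || rc=1
        if [ "$rc" -eq 0 ] && "$wg_bin" genkey > "$tmp"; then
            mv "$tmp" "$priv"
        else
            [ -n "$tmp" ] && rm -f "$tmp"
            rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then
        chmod 600 "$priv"          # tighten a key created under a looser umask
        "$wg_bin" pubkey < "$priv" > "$pub" || rc=1
    fi

    umask "$old_umask"
    return "$rc"
}

# Entrypoint use: ensure_wg_keys /etc/wireguard && exec "$@"
```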

gaby commented 2 years ago

> I would reserve caution on moving to a Docker-based dashboard, as I have still to find one that works well and is easy to install; even the one above, wg-easy, following the install guide, does not work, unlike what you have here

wg-easy works out of the box for me, your kernel needs to have wireguard support. I'm using Ubuntu 20.04 LTS with kernel 5.4

SirusDoma commented 2 years ago

Hey, I still haven't figured out how to separate the dashboard and wireguard containers, but I managed to set up everything in under 5 mins (or even less) with a pre-existing wireguard image out there that works out of the box. Here's how I do it:

  1. Make a config directory to mount as a volume and create an empty `wg-dashboard.ini`, otherwise it will be created as a directory instead of a file, which can be frustrating. (tldr; do `mkdir data` then `touch ./data/wg-dashboard.ini`, edit: if you aren't using `data` in the current directory, make sure to change the volume mount in `docker-compose.yml` as well)
  2. Set up the Dockerfile and docker-compose.yml, and also the entrypoint script for the Dockerfile, which you can find in my fork: https://github.com/SirusDoma/WGDashboard/commit/c00932b8478e398e3ff708b18c0679735428ed24
  3. Make sure docker compose is installed and run `docker-compose up -d`
  4. ...
  5. Profit!

Hope this is useful for someone looking for a simple setup. Edit: you can configure `wg0.conf` in the `./data/` directory after running docker compose, and then you may want to add `SaveConfig = true` as per the recommendation

ikidd commented 2 years ago

Have you looked to see if there are any changes necessary to make to your docker setup here with the changes that have been applied regarding venv and sqlite?

donaldzou commented 2 years ago

I'm not so sure cuz I'm not an expert of Docker.. (too complicated for me lol)

adrinux commented 2 years ago

For those working on docker I'd suggest wg-gen-web is a better example than wg-easy since it uses a host installed Wireguard instead of putting it in the same container in the way wg-easy does.

gaby commented 2 years ago

@adrinux wg-easy works just fine for me. I actually prefer having wg in the container, since it's easier to get updates. Host OS are slower at updating packages

pgalonza commented 2 years ago

Here https://gitlab.com/pgalonza/wireguard-image/-/tree/develop I am using WGDashboard with podman, ansible and scripts from https://github.com/linuxserver/docker-wireguard

pompushko commented 5 months ago

Unfortunately, you have to use a different way, rather than "subprocess.check_output"...

Here is my Dockerfile:

```dockerfile
FROM --platform=$BUILDPLATFORM python:latest AS builder

WORKDIR /app

COPY requirements.txt /app
RUN --mount=type=cache,target=/root/.cache/pip \
    pip3 install -r requirements.txt

COPY . /app

ENTRYPOINT ["python3"]
CMD ["dashboard.py"]
```

And compose.yaml for "docker compose up -d":

```yaml
services:
  web:
    build:
      context: src
      target: builder
    # flask requires SIGINT to stop gracefully
    # (default stop signal from Compose is SIGTERM)
    stop_signal: SIGINT
    ports:
      - '10086:10086'
    volumes:
      - /etc/wireguard:/data
```

DaanSelen commented 1 month ago

New updates are in: https://github.com/donaldzou/WGDashboard/issues/272

Please close this issue and respond there to limit the wild growth of the same issue.