donaldzou / WGDashboard

Simple dashboard for WireGuard VPN written in Python & Vue.js
https://donaldzou.github.io/WGDashboard-Documentation/
Apache License 2.0
1.63k stars 252 forks

Can't unrestrict peers #441

Closed sohrabp72 closed 4 weeks ago

sohrabp72 commented 4 weeks ago

Some peers, after being restricted, can't be unrestricted, and when I try to, the web session ends and I am directed to the login page of the panel.

Expected Error / Traceback

root@WG:~/WGDashboard/src# ./wgd.sh debug
------------------------------------------------------------
[WGDashboard] Starting WGDashboard in the foreground.
[WGDashboard] Initialized Configuration: wg0
[WGDashboard] Initialized Configuration: wg2
[WGDashboard] Initialized Configuration: wg1
[WGDashboard] Background Thread #1 Started
[WGDashboard] Background Thread #2 Started
 * Serving Flask app 'WGDashboard'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:10086
Press CTRL+C to quit
127.0.0.1 - - [27/Oct/2024 07:34:02] "GET / HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:02] "GET /api/validateAuthentication HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:02] "GET /api/getDashboardTheme HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:02] "GET /api/isTotpEnabled HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:02] "GET /api/getDashboardVersion HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:04] "POST /api/authenticate HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:05] "GET /api/validateAuthentication HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:05] "GET /api/getDashboardConfiguration HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:05] "GET /api/getWireguardConfigurations HTTP/1.0" 200 -
[WGDashboard] Access Log Error: cannot rollback - no transaction is active
127.0.0.1 - - [27/Oct/2024 07:34:06] "GET /api/getWireguardConfigurationInfo?configurationName=wg0 HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:06] "GET /api/getDashboardUpdate HTTP/1.0" 200 -
[2024-10-27 07:34:33,194] ERROR in app: Exception on /api/allowAccessPeers/wg0 [POST]
Traceback (most recent call last):
  File "/root/WGDashboard/src/venv/lib/python3.10/site-packages/flask/app.py", line 1473, in wsgi_app
    response = self.full_dispatch_request()
  File "/root/WGDashboard/src/venv/lib/python3.10/site-packages/flask/app.py", line 882, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/root/WGDashboard/src/venv/lib/python3.10/site-packages/flask_cors/extension.py", line 178, in wrapped_function
    return cors_after_request(app.make_response(f(*args, **kwargs)))
  File "/root/WGDashboard/src/venv/lib/python3.10/site-packages/flask/app.py", line 880, in full_dispatch_request
    rv = self.dispatch_request()
  File "/root/WGDashboard/src/venv/lib/python3.10/site-packages/flask/app.py", line 865, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)  # type: ignore[no-any-return]
  File "/root/WGDashboard/src/dashboard.py", line 1797, in API_allowAccessPeers
    return configuration.allowAccessPeers(peers)
  File "/root/WGDashboard/src/dashboard.py", line 702, in allowAccessPeers
    sqlUpdate("INSERT INTO '%s' SELECT * FROM %s_restrict_access WHERE id = ?"
  File "/root/WGDashboard/src/dashboard.py", line 1430, in sqlUpdate
    cursor.execute(statement, paramters)
sqlite3.IntegrityError: UNIQUE constraint failed: wg0.id
127.0.0.1 - - [27/Oct/2024 07:34:33] "POST /api/allowAccessPeers/wg0 HTTP/1.0" 500 -
127.0.0.1 - - [27/Oct/2024 07:34:34] "GET /api/getDashboardTheme HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:34] "GET /api/isTotpEnabled HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:34] "GET /api/getDashboardVersion HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:52] "POST /api/authenticate HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:52] "GET /api/validateAuthentication HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:52] "GET /api/getDashboardConfiguration HTTP/1.0" 200 -
[WGDashboard] Access Log Error: cannot commit - no transaction is active
127.0.0.1 - - [27/Oct/2024 07:34:53] "GET /api/getWireguardConfigurations HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:53] "GET /api/getDashboardUpdate HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:54] "GET /api/validateAuthentication HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:58] "GET /api/validateAuthentication HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:58] "GET /api/getDashboardConfiguration HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:58] "GET /api/getDashboardConfiguration HTTP/1.0" 200 -
127.0.0.1 - - [27/Oct/2024 07:34:59] "GET /api/getWireguardConfigurationInfo?configurationName=wg0 HTTP/1.0" 200 -
^Z
[1]+  Stopped                 ./wgd.sh debug
root@WG:~/WGDashboard/src# ^C

donaldzou commented 4 weeks ago

Hi! Did you add a peer with the same public key after restricting that peer?


sohrabp72 commented 4 weeks ago

Hi! Did you add a peer with the same public key after restricting that peer?

No, I don't add keys manually; they are generated automatically by the panel.

donaldzou commented 4 weeks ago

I see... Did you use any other tools or scripts to manage WireGuard?

sohrabp72 commented 4 weeks ago

Got what happened after some manipulation of the panel. Everything works fine until you start using a feature called Restricting peers. When you restrict a peer, some bugs start to happen over time (tested on a server in production).

I got a list of all the weird bugs here:

  1. You can't unrestrict a peer sometimes (link).
  2. You see some Untitled peers after a server reboot or service restart (link).
  3. You can't create a new peer a while after the above bugs happened; it seems to be because of an error in the allowed IP address function, which produces a non-digit value and causes the panel to crash (link).
  4. If you enter a PSK for a peer a while after it has been created and then remove the PSK, the peer can't connect; it should be restricted and unrestricted to continue connecting to the server.

How did I fix all the above problems? Rebooted the server, started the WG-dashboard.service and saw many Untitled Peers which were supposed to be removed many days ago, removed them, then I realized I can unrestrict the restricted peers, and then I could finally create new peers.

donaldzou commented 4 weeks ago

That's weird... Basically how restrict peer works is:

  1. Delete peer from WireGuard
  2. Copy that peer in the database table to the restrict peer table

When allowing access, it just reverses what restrict did. In this case, the only reason for not being able to unrestrict is that the restricted peer somehow got added back to the WireGuard interface... because WireGuard itself "thinks" that peer no longer exists, but WGDashboard knows that peer is just restricted.
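
The restrict/allow flow described above and the UNIQUE constraint failure from the traceback, reproduced as an added example (this is not WGDashboard's code). The two-column schema, the safe_allow function with its return values, and the name allowlist are assumptions made for illustration.

```python
import re
import sqlite3

def make_db(config="wg0"):
    # Constructed two-column schema; only the UNIQUE "id" (peer public key) matters here.
    db = sqlite3.connect(":memory:")
    for table in (config, config + "_restrict_access"):
        db.execute(f'CREATE TABLE "{table}" (id TEXT PRIMARY KEY, name TEXT)')
    return db

def naive_allow(db, config, peer_id):
    # Same statement shape as in the traceback: raises if peer_id is already live.
    db.execute("INSERT INTO '%s' SELECT * FROM %s_restrict_access WHERE id = ?"
               % (config, config), (peer_id,))

def safe_allow(db, config, peer_id):
    """Hypothetical variant: returns 'restored', 'already_active' or 'not_restricted'."""
    # Table names cannot be bound as SQL parameters, so the name is checked
    # against an allowlist (assumed pattern) before it is formatted into SQL.
    if not re.fullmatch(r"[A-Za-z0-9_=+.-]{1,15}", config):
        raise ValueError("invalid configuration name")
    live, held = f'"{config}"', f'"{config}_restrict_access"'
    with db:  # one transaction: commit on success, rollback on any exception
        if db.execute(f"SELECT 1 FROM {held} WHERE id = ?", (peer_id,)).fetchone() is None:
            return "not_restricted"
        if db.execute(f"SELECT 1 FROM {live} WHERE id = ?", (peer_id,)).fetchone() is None:
            db.execute(f"INSERT INTO {live} SELECT * FROM {held} WHERE id = ?", (peer_id,))
            outcome = "restored"
        else:
            # Peer was re-added outside the restrict flow (assumed policy: keep
            # the live row and drop the stale restricted copy).
            outcome = "already_active"
        db.execute(f"DELETE FROM {held} WHERE id = ?", (peer_id,))
        return outcome

def demo():
    db = make_db()
    key = "CONSTRUCTED_PUBLIC_KEY="  # constructed sample value
    db.execute('INSERT INTO "wg0_restrict_access" VALUES (?, ?)', (key, "laptop"))
    db.execute('INSERT INTO "wg0" VALUES (?, ?)', (key, ""))  # same key back in the live table
    db.commit()
    try:
        naive_allow(db, "wg0", key)
        naive = "ok"
    except sqlite3.IntegrityError as exc:
        naive = str(exc)
    db.rollback()
    return naive, safe_allow(db, "wg0", key)
```

Handling the conflict inside the function lets the API return a normal result instead of a 500 when the same id is present in both tables.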

sohrabp72 commented 3 weeks ago

I see... Did you use any other tools or scripts to manage WireGuard?

No, never.

sohrabp72 commented 3 weeks ago

That's weird... Basically how restrict peer works is:

  1. Delete peer from WireGuard
  2. Copy that peer in the database table to the restrict peer table

When allowing access, it just reverses what restrict did. In this case, the only reason for not being able to unrestrict is that the restricted peer somehow got added back to the WireGuard interface... because WireGuard itself "thinks" that the peer no longer exists, but WGDashboard knows that peer is just restricted.

So this is going to be a bug. The only reason 2 separate peers count as one is their public and private keys. Adding the same keys for 2 different peers is almost rare, as the public key length is high enough to prevent producing the same key for 2 different peers, so the problem could be something else. Another idea is restricting the peer in another way than deleting it from wg0.conf, something like making it a comment by putting # at the beginning of each line, or adding a PSK to the peer to make it unavailable to connect. This way causes WireGuard to detect the peers that exist but are unavailable to connect.

sohrabp72 commented 3 weeks ago

Got what happened after some manipulation of the panel. Everything works fine until you start using a feature called Restricting peers. When you restrict a peer, some bugs start to happen over time (tested on a server in production).

I got a list of all the weird bugs here:

  1. You can't unrestrict a peer sometimes (link).
  2. You see some Untitled peers after a server reboot or service restart (link).
  3. You can't create a new peer a while after the above bugs happened; it seems to be because of an error in the allowed IP address function, which produces a non-digit value and causes the panel to crash (link).
  4. If you enter a PSK for a peer a while after it has been created and then remove the PSK, the peer can't connect; it should be restricted and unrestricted to continue connecting to the server.

How did I fix all the above problems? Rebooted the server, started the WG-dashboard.service and saw many Untitled Peers which were supposed to be removed many days ago, removed them, then I realized I can unrestrict the restricted peers, and then I could finally create new peers.

If you take a deeper look at options 3 and 4, you might realize something: the panel is unable to make changes permanent right away. After a reboot or server restart we get some Untitled peers that have not connected for a while (have no last connection time), and usually their statistics are 0. This is where we can look for a bug in something like syncing wg0.conf or making permanent changes to the wg0.conf file.