linuxserver / docker-wireguard

GNU General Public License v3.0

[FEAT] Do not regenerate all peers when adding a new peer #297

Closed 3891sinneD closed 1 year ago

3891sinneD commented 1 year ago

Is this a new feature request?

Wanted change

Maybe you can add a parameter, like REGENERATE_ALL true|false, so when you add one new peer when recreating the container it will either only add the new peer, or add the new peer and regenerate all the configs.

Reason for change

I made some ipv6 adjustments, and now when I add a new peer all the configs are regenerated and the start-up of the container will fail, because some of the ipv6 addresses will remain in the config but not in a proper way. Like Address: 2a02:a44b:xxxx:1:1 remains as 2a02:a44b:xxxx:1:1

Proposed code change

No response

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 1 year ago

Please elaborate further.

The peer confs are not necessarily used for the server so they shouldn't cause startup issues. Are you making manual changes to the wg0.conf?

3891sinneD commented 1 year ago

I see, I was a bit too quick. For ipv6 I've edited the wg0.conf too.

I made a test environment and this is my wg0.conf with 1 peer:

[Interface]
Address = 10.13.13.1
Address = 2a02:a44b:xxxx:3::1/64
ListenPort = 51820
PrivateKey = <private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2/32,2a02:a44b:xxxx:3::2/128

And the conf for Test1:

[Interface]
Address = 10.13.13.2
Address = 2a02:a44b:xxxx:3::2/128
PrivateKey = <private key>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <public key>
PresharedKey = <pre shared key>
Endpoint = <endpoint url>:51820
AllowedIPs = 0.0.0.0/0, ::/0

But now, when I add an extra peer when recreating the wireguard container (-e PEERS=Test1,Test2 \), the wg0.conf is not valid anymore, so wireguard will fail to start. But also the peer.conf for peer1 is not valid anymore.

linux/arm64, go1.20.7,
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
Line unrecognized: `2a02:a44b:xxxx:3::2/128/32'
Configuration parsing error
[#] ip link delete dev wg0
s6-rc: warning: unable to start service svc-wireguard: command exited 1

The wg0.conf now looks like this: the ipv6 address is missing for the interface, the ip6tables settings are gone and the ipv6 allowed ip for Test1 is just a string in the config:

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <private key>
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2
2a02:a44b:xxxx:3::2/128/32

[Peer]
# peer_Test2
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.3/32

And the config for Test1 is also not valid anymore, in case peer Test1 needs to recreate the tunnel locally on that peer.

[Interface]
Address = 10.13.13.2
2a02:a44b:xxxx:3::2/128
PrivateKey = <private key>
ListenPort = 51820
DNS = 10.13.13.1

[Peer]
PublicKey = <public key>
PresharedKey = <pre shared key>
Endpoint = <endpoint url>:51820
AllowedIPs = 0.0.0.0/0, ::/0

I hope this made things clear. I would love to have an option so that when a peer is added, the new peer will be added to the wg0.conf (only with an ipv4 address, I'll add an ipv6 address manually), and the other peers in the wg0 and the peer configs are left alone.
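A lint pass over a generated wg0.conf before the service starts would catch exactly the breakage shown above (a stray line without `key = value`, and an address entry that carries two prefix lengths). This is an added example, not code from the image or from anyone in this thread; the sample configs are constructed from the post, with keys elided as in the original.

```python
# Constructed sample: the mangled wg0.conf from the post (keys elided as in the post).
BROKEN_WG0 = """[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = <private key>

[Peer]
# peer_Test1
PublicKey = <public key>
AllowedIPs = 10.13.13.2
2a02:a44b:xxxx:3::2/128/32
"""

# Constructed sample: the working single-peer wg0.conf from the post.
GOOD_WG0 = """[Interface]
Address = 10.13.13.1
Address = 2a02:a44b:xxxx:3::1/64
ListenPort = 51820
PrivateKey = <private key>

[Peer]
# peer_Test1
PublicKey = <public key>
PresharedKey = <pre shared key>
AllowedIPs = 10.13.13.2/32,2a02:a44b:xxxx:3::2/128
"""


def lint_wg_conf(text):
    """Return (line_no, message) pairs for lines `wg setconf` would reject
    (no 'key = value' shape) or that show a doubled prefix length such as
    '/128/32' in an Address or AllowedIPs entry."""
    problems = []
    section = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are fine
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # [Interface] / [Peer]
            continue
        if "=" not in line:
            problems.append((no, f"unrecognized line in [{section}]: {line}"))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("Address", "AllowedIPs"):
            for entry in (e.strip() for e in value.split(",")):
                if entry.count("/") > 1:
                    problems.append((no, f"{key} entry has more than one prefix length: {entry}"))
    return problems
```

Running `lint_wg_conf` on a freshly regenerated wg0.conf (for example from a container health check) flags the bad line before `wg setconf` does, which is what the log excerpt above reports.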

aptalca commented 1 year ago

We don't support manual edits to the wg0.conf in server mode with PEERS set. wg0.conf has to be auto generated when there are changes to the vars, like adding a new peer. Any user changes need to be made through the env vars and/or the server conf template.

drizuid commented 1 year ago

This is a bit off topic, but I have to just toss this out... why in the world are you NATing ipv6? The whole point of ipv6 is that with the, on average, 18 quintillion ip addresses you get, you do not ever need to NAT. Either way, the issue was caused by an unsupported direct change, as mentioned above; closing as non-reproducible.