linuxserver / docker-wireguard

GNU General Public License v3.0

[FEAT] post init script after wg interface was created #299

Closed nagylzs closed 1 year ago

nagylzs commented 1 year ago

Is this a new feature request?

Wanted change

There should be a way to mount and run post-init scripts, after the wg0 device has been created, but before the peers are added.

Reason for change

I would like to use iptables FORWARD rules to allow or restrict access to certain services for certain peers. In particular, limit access to certain destination addresses or output interfaces IMHO cannot be solved in any other way. These rules may also contain the interface name "wg0", which is only available after the wireguard device has been created, but before the peers are added. This way we can make sure that the restrictions are applied before any peer has connected.

Reasoning: AllowedIps on the server side cannot be used for this purpose, because it can only restrict source IP addresses, but not destination addresses. Obviously, AllowedIps cannot be used on the client side for making restrictions, because the client can modify the peer config freely.

As far as I know, the only safe way to do this is with iptables FORWARD rules, and only before the peers are created (and preferably, after the wg0 interface is created).

Proposed code change

Create a new environment variable that points to a post script. This script could be executed after the wg0 interface is created, but before the peers are added. If this script exits with error, then the container should also exit with error (just to make sure that we don't fail to add rules that would protect precious addresses.) If the script succeeds, then peers can be added and the container should run normally.

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 1 year ago

https://github.com/linuxserver/docker-wireguard/blob/master/root/defaults/server.conf#L5-L6

You can also add PreUp and PreDown if you like

nagylzs commented 1 year ago

I see, so I can create my own script and put it there, and pass %i (interface name) as an argument. I think this is a good answer, and I wanted something that already existed.

Just one little detail: what happens if the script fails (exits with a non-zero exit code)? I could not find it in the documentation of wg-quick.

aptalca commented 1 year ago

Currently if any of the steps fail, the wg0 interface gets taken down and the process sleeps
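An added example, not part of docker-wireguard and not the default server.conf, of the script approach discussed in the last two comments: a post-init script called from a mounted server.conf via `PostUp = /config/post-init.sh %i` (the path is hypothetical; `%i` is the interface name wg-quick substitutes), which installs per-peer FORWARD rules that deny by default and exits non-zero on any failure so that the interface is taken down rather than left up without the restrictions. The peer policy table and peer addresses are constructed sample data, and the script assumes iptables is present in the container when run with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not docker-wireguard's own code). Intended to be invoked
# from wg-quick as:  PostUp = /config/post-init.sh %i   (hypothetical path)
set -eu

# Constructed policy table: "<peer address> <destination it may reach>".
# Any forwarded traffic from the wg interface not listed here is dropped.
PEER_POLICY='10.13.13.2/32 192.168.1.10/32
10.13.13.3/32 192.168.1.0/24'

# Render the iptables commands without running them. Every rule is inserted
# at position 1 of FORWARD: the DROP goes in first, each ACCEPT then lands
# above it, and all of them end up above any broad "-i wg0 -j ACCEPT" rule
# appended with -A elsewhere in PostUp, which would otherwise shadow them.
render_forward_rules() {
    wg_if="$1"
    policy="$2"
    printf 'iptables -I FORWARD 1 -i %s -j DROP\n' "$wg_if"
    printf '%s\n' "$policy" | while read -r src dst; do
        [ -n "$src" ] && [ -n "$dst" ] || continue
        printf 'iptables -I FORWARD 1 -i %s -s %s -d %s -j ACCEPT\n' \
            "$wg_if" "$src" "$dst"
    done
}

# Number of rules that would be installed (one DROP plus one per policy line).
count_rules() {
    render_forward_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the rendered rules. Any failing iptables call makes the script exit
# non-zero, which wg-quick treats as a failed PostUp, so wg0 is taken down
# instead of running without the restrictions.
apply_forward_rules() {
    render_forward_rules "$1" "$2" | while read -r cmd; do
        sh -c "$cmd" </dev/null || exit 1
    done || exit 1
}

# Only touch the firewall when invoked for real (APPLY=1), so the functions
# can be exercised on a workstation without iptables.
if [ "${APPLY:-0}" = "1" ]; then
    apply_forward_rules "${1:-wg0}" "$PEER_POLICY"
fi
```

Run `APPLY=1 /config/post-init.sh wg0` from PostUp to install the rules; without `APPLY=1` the script only defines the functions, and `render_forward_rules wg0 "$PEER_POLICY"` prints the commands for review. Because the rules are inserted at the top of FORWARD, they take effect before any peer can connect and regardless of what the rest of PostUp appends afterwards.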

nagylzs commented 1 year ago

Great, then I think we can close this. Thank you for your help!