diff --git a/README.md b/README.md index 5a69878..fc3aec6 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ Customize the file `docker-compose`. You can change the following environment va * `SERVER_PORT`: The port the service should listen at * `NETWORK`: Some custom /24 network. e.g. `192.168.42.0` * `CLIENTS`: Number of clients for which configurations are to be created. Do not use more than 240 clients. +* `DISABLE_FORWARD_ALL_TRAFFIC`: Use `true` or `yes` to not add iptables rules and do not forward all traffic. If no environment variables are set, config creation script will ask you for settings. @@ -45,9 +46,16 @@ wg_1 | - Using endpoint hostname example.com wg_1 | - Using port 51820 wg_1 | - Using network 192.168.42.0/24 wg_1 | - Generating 5 client configs and client QR codes +wg_1 | - Forward all traffic wireguard_wg_1 exited with code 0 ``` +To disable traffic forwarding set `DISABLE_FORWARD_ALL_TRAFFIC` to `true` or `yes` or use + +``` +$ docker-compose run wg init --no-forward +``` + ### Start the service Start the service in detached mode. diff --git a/scripts/create-config.sh b/scripts/create-config.sh index c4e2c03..d8e39ff 100755 --- a/scripts/create-config.sh +++ b/scripts/create-config.sh @@ -40,6 +40,12 @@ if (( $CLIENTS > 240 )); then fi echo " - Generating $CLIENTS client configs and client QR codes" +if [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "true" ] && [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "yes" ]; then + echo " - Forward all traffic" +else + echo " - Do not forward all traffic" +fi + SERVER_SEC_KEY=$(wg genkey) SERVER_PUB_KEY=$(echo $SERVER_SEC_KEY | wg pubkey) 
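Review bot: The `[ "$DISABLE_FORWARD_ALL_TRAFFIC" != "true" ] && [ ... != "yes" ]` test is evaluated here only to choose a log line and then repeated verbatim in the second create-config.sh hunk to gate the iptables lines, so the two copies can drift apart on a later edit, and any spelling other than exactly `true`/`yes` (`True`, `YES`, `1`) silently keeps forwarding and the iptables rules enabled while the log still reads " - Forward all traffic". Decide once, before the echo, e.g. `case "${DISABLE_FORWARD_ALL_TRAFFIC:-}" in true|yes|True|TRUE|Yes|YES|1) FORWARD_ALL_TRAFFIC=0 ;; *) FORWARD_ALL_TRAFFIC=1 ;; esac`, and test `[ "$FORWARD_ALL_TRAFFIC" = 1 ]` in both places. The `${VAR:-}` form also keeps the check working if `set -u` is enabled elsewhere in the script, which this hunk does not show. The hunk ends before the rest of the script; the `SERVER_SEC_KEY`/`SERVER_PUB_KEY` lines that follow are unchanged context.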
@@ -63,9 +69,17 @@ cat <> $DEVICE.conf Address = $NETWORK.1/24 ListenPort = $SERVER_PORT PrivateKey = $SERVER_SEC_KEY +EOF + +if [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "true" ] && [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "yes" ]; then +cat <> $DEVICE.conf PostUp = iptables -A FORWARD -i $DEVICE -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i $DEVICE -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE +EOF +fi + +cat <> $DEVICE.conf # <- $(date) EOF diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh index f40c8ac..a8b82c0 100755 --- a/scripts/entrypoint.sh +++ b/scripts/entrypoint.sh @@ -36,6 +36,9 @@ case "$1" in exit 0 ;; 'init') + if [ "$2" == "--no-forward" ]; then + export DISABLE_FORWARD_ALL_TRAFFIC="yes" + fi if [ ! -f "/etc/wireguard/$DEVICE.conf" ]; then cd /etc/wireguard /scripts/create-config.sh
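Review bot: Disabling forwarding drops the `PostUp`/`PostDown` FORWARD and MASQUERADE rules from the server config, but nothing in this hunk changes what the peers are told to route; if the client configs generated later in this script (not visible here) still carry an `AllowedIPs` that covers all traffic, a client of a `--no-forward` server will send everything into a tunnel the server no longer forwards. Either restrict the client `AllowedIPs` to `$NETWORK.0/24` in the disabled case, or state the limitation in the generated config with a comment such as `# forwarding disabled: only $NETWORK.0/24 is reachable through this tunnel`. A one-line comment above the new `if`, e.g. `# PostUp/PostDown are only emitted when forwarding all traffic is enabled`, would explain why the heredoc is now split in three. The rendered `cat <> $DEVICE.conf` is presumably `cat <<EOF >> $DEVICE.conf` in the real file; if so, `$DEVICE.conf` is still unquoted on the three redirections, which is pre-existing but worth fixing while the lines are being touched.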
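Review bot: Only the exact string `--no-forward` is recognised as `$2` and any other second argument is silently ignored, so a typo such as `--noforward` quietly produces a config that forwards and masquerades all traffic, the opposite of what was requested; reject unknown arguments instead, e.g. `elif [ -n "${2:-}" ]; then echo "init: unknown option '$2'" >&2; exit 1`. The flag also only has an effect when `/etc/wireguard/$DEVICE.conf` does not yet exist (the line right after the added block), so `init --no-forward` against an existing config silently does nothing; a notice in that branch, or a sentence in the README hunk, would make this explicit. `==` inside `[ ]` is a bash extension; `=` is the portable spelling, which matters if the shebang (not visible here) is `/bin/sh`. The enclosing `case "$1" in` starts before the hunk and the `'init')` arm continues past it.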