Add option to disable traffic forwarding

This commit is contained in:
Paul-Christian Volkmer 2022-12-06 20:54:46 +01:00
parent c88d16ca3d
commit f85d6dc215
3 changed files with 25 additions and 0 deletions


@ -28,6 +28,7 @@ Customize the file `docker-compose`. You can change the following environment va
* `SERVER_PORT`: The port the service should listen at * `SERVER_PORT`: The port the service should listen at
* `NETWORK`: Some custom /24 network. e.g. `192.168.42.0` * `NETWORK`: Some custom /24 network. e.g. `192.168.42.0`
* `CLIENTS`: Number of clients for which configurations are to be created. Do not use more than 240 clients. * `CLIENTS`: Number of clients for which configurations are to be created. Do not use more than 240 clients.
* `DISABLE_FORWARD_ALL_TRAFFIC`: Use `true` or `yes` to not add iptables rules and do not forward all traffic.
If no environment variables are set, config creation script will ask you for settings. If no environment variables are set, config creation script will ask you for settings.
@ -45,9 +46,16 @@ wg_1 | - Using endpoint hostname example.com
wg_1 | - Using port 51820 wg_1 | - Using port 51820
wg_1 | - Using network 192.168.42.0/24 wg_1 | - Using network 192.168.42.0/24
wg_1 | - Generating 5 client configs and client QR codes wg_1 | - Generating 5 client configs and client QR codes
wg_1 | - Forward all traffic
wireguard_wg_1 exited with code 0 wireguard_wg_1 exited with code 0
``` ```
To disable traffic forwarding set `DISABLE_FORWARD_ALL_TRAFFIC` to `true` or `yes` or use
```
$ docker-compose run wg init --no-forward
```
### Start the service ### Start the service
Start the service in detached mode. Start the service in detached mode.


@ -40,6 +40,12 @@ if (( $CLIENTS > 240 )); then
fi fi
echo " - Generating $CLIENTS client configs and client QR codes" echo " - Generating $CLIENTS client configs and client QR codes"
if [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "true" ] && [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "yes" ]; then
echo " - Forward all traffic"
else
echo " - Do not forward all traffic"
fi
SERVER_SEC_KEY=$(wg genkey) SERVER_SEC_KEY=$(wg genkey)
SERVER_PUB_KEY=$(echo $SERVER_SEC_KEY | wg pubkey) SERVER_PUB_KEY=$(echo $SERVER_SEC_KEY | wg pubkey)
@ -63,9 +69,17 @@ cat <<EOF >> $DEVICE.conf
Address = $NETWORK.1/24 Address = $NETWORK.1/24
ListenPort = $SERVER_PORT ListenPort = $SERVER_PORT
PrivateKey = $SERVER_SEC_KEY PrivateKey = $SERVER_SEC_KEY
EOF
if [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "true" ] && [ "$DISABLE_FORWARD_ALL_TRAFFIC" != "yes" ]; then
cat <<EOF >> $DEVICE.conf
PostUp = iptables -A FORWARD -i $DEVICE -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostUp = iptables -A FORWARD -i $DEVICE -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i $DEVICE -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i $DEVICE -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
EOF
fi
cat <<EOF >> $DEVICE.conf
# <- $(date) # <- $(date)
EOF EOF
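Review bot: The forwarding switch is tested twice with the same case-sensitive string comparison (the `echo " - Forward all traffic"` guard in the first hunk and the `PostUp` guard in the second), and any value other than exactly `true` or `yes` — `True`, `YES`, `1`, a typo — silently takes the branch that installs the FORWARD and MASQUERADE rules. Because forwarding is the branch with the larger blast radius, evaluate the variable once, normalise it, and abort on an unrecognised value instead of falling through to forwarding; both guards then reduce to `if [ "$FORWARD_ALL_TRAFFIC" = 1 ]; then`. The `${var,,}` expansion needs bash 4+, which the existing `(( $CLIENTS > 240 ))` test suggests the script already relies on, though the shebang is outside the hunk. The newly added `cat <<EOF >> $DEVICE.conf` also repeats the unquoted `$DEVICE`; `"$DEVICE.conf"` avoids word-splitting if the name ever contains a space.
```bash
# Decide once whether to install the forwarding/NAT rules; reject unknown
# values so a typo cannot silently enable forwarding.
case "${DISABLE_FORWARD_ALL_TRAFFIC,,}" in
  ''|false|no) FORWARD_ALL_TRAFFIC=1 ;;
  true|yes)    FORWARD_ALL_TRAFFIC=0 ;;
  *) echo "Unsupported value for DISABLE_FORWARD_ALL_TRAFFIC: $DISABLE_FORWARD_ALL_TRAFFIC" >&2; exit 1 ;;
esac
if [ "$FORWARD_ALL_TRAFFIC" = 1 ]; then
  echo " - Forward all traffic"
else
  echo " - Do not forward all traffic"
fi
# … unchanged: key generation and [Interface] section …
if [ "$FORWARD_ALL_TRAFFIC" = 1 ]; then
  cat <<EOF >> "$DEVICE.conf"
# … unchanged: PostUp/PostDown heredoc …
```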


@ -36,6 +36,9 @@ case "$1" in
exit 0 exit 0
;; ;;
'init') 'init')
if [ "$2" == "--no-forward" ]; then
export DISABLE_FORWARD_ALL_TRAFFIC="yes"
fi
if [ ! -f "/etc/wireguard/$DEVICE.conf" ]; then if [ ! -f "/etc/wireguard/$DEVICE.conf" ]; then
cd /etc/wireguard cd /etc/wireguard
/scripts/create-config.sh /scripts/create-config.sh
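Review bot: `init` recognises `--no-forward` only as an exact match on `$2` and silently ignores any other second argument, so `init --noforward` or `init --no-forward=1` proceeds with forwarding and the iptables rules enabled and gives no feedback; an unrecognised argument should abort instead. The export also only has an effect when the `if [ ! -f "/etc/wireguard/$DEVICE.conf" ]` branch runs, so `--no-forward` against an already generated config is a silent no-op — a `>&2` warning in the else branch (outside this hunk) or a sentence in the README would save users a confusing debug session. `==` inside `[ ]` is a bash extension; `=` (or `[[ ]]`) keeps it consistent with whatever shebang the script declares, which is not visible here. The `'init')` arm continues past the end of the hunk.
```bash
  'init')
    case "${2:-}" in
      '') ;;
      --no-forward) export DISABLE_FORWARD_ALL_TRAFFIC="yes" ;;
      *) echo "init: unknown argument '$2'" >&2; exit 1 ;;
    esac
    # … unchanged: create config if missing …
```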