Merge pull request #134 from linuxserver/site-to-site

Add site to site support, update readme

Author: aptalca

README.md

@@ -58,11 +58,13 @@ The architectures supported by this image are:
 
 ## Application Setup
 
-This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
+During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
+
+If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
 
 If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
 
-With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
+With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
 
 This can be run as a server or a client, based on the parameters used. 
 
@@ -104,6 +106,20 @@ When routing via Wireguard from another container using the `service` option in
   PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
   ```
 
+## Site-to-site VPN
+
+** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.
+
+Site-to-site VPN in server mode requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
+
+In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var).
+
+For instance `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`.
+
+Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary.
+
+Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access.
+
 ## Usage
 
 Here are some example snippets to help you get started creating a container.
@@ -176,7 +192,7 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London |
 | `-e SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
 | `-e SERVERPORT=51820` | External port for docker host. Used in server mode. |
-| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
+| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only) |
 | `-e PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. |
 | `-e INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
 | `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
@@ -293,6 +309,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **28.10.21:** - Add site-to-site vpn support.
 * **11.02.21:** - Fix bug related to changing internal subnet and named peer confs not updating.
 * **06.10.20:** - Disable CoreDNS in client mode, or if port 53 is already in use in server mode.
 * **04.10.20:** - Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart

readme-vars.yml

@@ -44,7 +44,7 @@ opt_param_usage_include_env: true
 opt_param_env_vars:
   - { env_var: "SERVERURL", env_value: "wireguard.domain.com", desc: "External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically"}
   - { env_var: "SERVERPORT", env_value: "51820", desc: "External port for docker host. Used in server mode."}
-  - { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet..."}
+  - { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can also be a list of names: `myPC,myPhone,myTablet` (alphanumeric only)"}
   - { env_var: "PEERDNS", env_value: "auto", desc: "DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward."}
   - { env_var: "INTERNAL_SUBNET", env_value: "10.13.13.0", desc: "Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode."}
   - { env_var: "ALLOWEDIPS", env_value: "0.0.0.0/0", desc: "The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1."}
@@ -55,11 +55,13 @@ optional_block_1_items: ""
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
-  This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
+  During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
+  
+  If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
 
   If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
 
-  With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
+  With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
 
   This can be run as a server or a client, based on the parameters used. 
 
@@ -100,9 +102,25 @@ app_setup_block: |
     PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT;  iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
     PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
     ```
+
+  ## Site-to-site VPN
+
+  ** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.
+
+  Site-to-site VPN in server mode requires customizing the `AllowedIPs` statement for a specific peer in `wg0.conf`. Since `wg0.conf` is autogenerated when server vars are changed, it is not recommended to edit it manually.
+
+  In order to customize the `AllowedIPs` statement for a specific peer in `wg0.conf`, you can set an env var `SERVER_ALLOWEDIPS_PEER_<peer name or number>` to the additional subnets you'd like to add, comma separated and excluding the peer IP (ie. `"192.168.1.0/24,192.168.2.0/24"`). Replace `<peer name or number>` with either the name or number of a peer (whichever is used in the `PEERS` var).
+  
+  For instance `SERVER_ALLOWEDIPS_PEER_laptop="192.168.1.0/24,192.168.2.0/24"` will result in the wg0.conf entry `AllowedIPs = 10.13.13.2,192.168.1.0/24,192.168.2.0/24` for the peer named `laptop`.
   
+  Keep in mind that this var will only be considered when the confs are regenerated. Adding this var for an existing peer won't force a regeneration. You can delete wg0.conf and restart the container to force regeneration if necessary.
+
+  Don't forget to set the necessary POSTUP and POSTDOWN rules in your client's peer conf for lan access.
+
+
 # changelog
 changelogs:
+  - { date: "28.10.21:", desc: "Add site-to-site vpn support." }
   - { date: "11.02.21:", desc: "Fix bug related to changing internal subnet and named peer confs not updating." }
   - { date: "06.10.20:", desc: "Disable CoreDNS in client mode, or if port 53 is already in use in server mode." }
   - { date: "04.10.20:", desc: "Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart" }

root/etc/cont-init.d/30-config renamed to root/etc/cont-init.d/30-module

@@ -151,137 +151,3 @@ DUDE
   fi
 fi
 
-# prepare symlinks
-rm -rf /etc/wireguard
-mkdir -p /etc/wireguard
-ln -s /config/wg0.conf /etc/wireguard/wg0.conf
-# prepare templates
-[[ ! -f /config/templates/server.conf ]] && \
-  cp /defaults/server.conf /config/templates/server.conf
-[[ ! -f /config/templates/peer.conf ]] && \
-  cp /defaults/peer.conf /config/templates/peer.conf
-
-generate_confs () {
-  mkdir -p /config/server
-  if [ ! -f /config/server/privatekey-server ]; then
-    umask 077
-    wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
-  fi
-  eval "`printf %s`
-  cat <<DUDE > /config/wg0.conf
-`cat /config/templates/server.conf`
-
-DUDE"
-  for i in ${PEERS_ARRAY[@]}; do
-    if [[ "${i}" =~ ^[0-9]+$ ]]; then
-      PEER_ID="peer${i}"
-    else
-      PEER_ID="peer_${i//[^[:alnum:]_-]/}"
-    fi
-    mkdir -p /config/${PEER_ID}
-    if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then
-      umask 077
-      wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID}
-    fi
-    if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then
-      CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}')
-      if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then
-        CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|")
-      fi
-    else
-      for idx in {2..254}; do
-        PROPOSED_IP="${INTERFACE}.${idx}"
-        if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then
-          CLIENT_IP="${PROPOSED_IP}"
-          break
-        fi
-      done
-    fi
-    eval "`printf %s`
-    cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
-`cat /config/templates/peer.conf`
-DUDE"
-    cat <<DUDE >> /config/wg0.conf
-[Peer]
-# ${PEER_ID}
-PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
-AllowedIPs = ${CLIENT_IP}/32
-
-DUDE
-    echo "PEER ${i} QR code:"
-    qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
-    qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
-  done
-}
-
-save_vars () {
-  cat <<DUDE > /config/.donoteditthisfile
-ORIG_SERVERURL="$SERVERURL"
-ORIG_SERVERPORT="$SERVERPORT"
-ORIG_PEERDNS="$PEERDNS"
-ORIG_PEERS="$PEERS"
-ORIG_INTERFACE="$INTERFACE"
-ORIG_ALLOWEDIPS="$ALLOWEDIPS"
-DUDE
-}
-
-if [ -n "$PEERS" ]; then
-  echo "**** Server mode is selected ****"
-  if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then
-    PEERS_ARRAY=($(seq 1 $PEERS))
-  else
-    PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' '))
-  fi
-  PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}")
-  if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
-    SERVERURL=$(curl -s icanhazip.com)
-    echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****"
-  else
-    echo "**** External server address is set to $SERVERURL ****"
-  fi
-  SERVERPORT=${SERVERPORT:-51820}
-  echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****"
-  INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
-  echo "**** Internal subnet is set to $INTERNAL_SUBNET ****"
-  INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
-  ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0}
-  echo "**** AllowedIPs for peers $ALLOWEDIPS ****"
-  if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
-    PEERDNS="${INTERFACE}.1"
-    echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****"
-  else
-    echo "**** Peer DNS servers will be set to $PEERDNS ****"
-  fi
-  if [ ! -f /config/wg0.conf ]; then
-    echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
-    generate_confs
-    save_vars
-  else
-    echo "**** Server mode is selected ****"
-    [[ -f /config/.donoteditthisfile ]] && \
-      . /config/.donoteditthisfile
-    if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then
-      echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****"
-      generate_confs
-      save_vars
-    else
-      echo "**** No changes to parameters. Existing configs are used. ****"
-    fi
-  fi
-else
-  echo "**** Client mode selected. ****"
-  if [ ! -f /config/wg0.conf ]; then
-    echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
-    sleep infinity
-  fi
-  echo "**** Disabling CoreDNS ****"
-  rm -rf /etc/services.d/coredns
-fi
-
-# set up CoreDNS
-[[ ! -f /config/coredns/Corefile ]] && \
-  cp /defaults/Corefile /config/coredns/Corefile
-
-# permissions
-chown -R abc:abc \
-	/config