Commit 5cbb040

committed
split up kernel module and conf generation
1 parent cca4336 commit 5cbb040

4 files changed

+156
-150
lines changed

README.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -58,11 +58,13 @@ The architectures supported by this image are:
5858

5959
## Application Setup
6060

61-
This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
61+
During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
62+
63+
If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
6264

6365
If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
6466

65-
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
67+
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
6668

6769
This can be run as a server or a client, based on the parameters used.
6870
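Review bot: "If the kernel is not built-in, or installed on host" in the second new paragraph reads as though the kernel itself could be built in; it should refer to the module ("If the module is neither built into the kernel nor installed on the host"), and `usr/src` in the last sentence of that paragraph should be `/usr/src` to match the earlier mention. The first new paragraph tells the reader to "Make sure it is enabled prior to starting the container" but gives no way to check or enable it; a one-liner such as `lsmod | grep wireguard` and `sudo modprobe wireguard` next to that sentence would save a support question. Dropping "prior to focal" from the Raspberry Pi sentence widens the supported claim; if focal is now covered because its kernel ships the module rather than because headers can be fetched for it, saying so ties the Pi sentence to the new built-in-module paragraph.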

readme-vars.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -55,11 +55,13 @@ optional_block_1_items: ""
5555
# application setup block
5656
app_setup_block_enabled: true
5757
app_setup_block: |
58-
This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
58+
During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
59+
60+
If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
5961
6062
If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
6163
62-
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
64+
With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
6365
6466
This can be run as a server or a client, based on the parameters used.
6567
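Review bot: The same two wording fixes are needed in this `app_setup_block`, which is presumably the template the README is rendered from, so fixing it here is what makes them persist: "If the kernel is not built-in, or installed on host" should refer to the module ("If the module is neither built into the kernel nor installed on the host"), and `usr/src` in that paragraph should be `/usr/src` as in the preceding sentence. The "Make sure it is enabled" sentence would also benefit from the concrete check (`lsmod | grep wireguard` / `sudo modprobe wireguard`) so readers on 5.6+ kernels know what to run before starting the container.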

root/etc/cont-init.d/30-config renamed to root/etc/cont-init.d/30-module

Lines changed: 0 additions & 146 deletions
Original file line numberDiff line numberDiff line change
@@ -151,149 +151,3 @@ DUDE
151151
fi
152152
fi
153153

154-
# prepare symlinks
155-
rm -rf /etc/wireguard
156-
mkdir -p /etc/wireguard
157-
ln -s /config/wg0.conf /etc/wireguard/wg0.conf
158-
# prepare templates
159-
[[ ! -f /config/templates/server.conf ]] && \
160-
cp /defaults/server.conf /config/templates/server.conf
161-
[[ ! -f /config/templates/peer.conf ]] && \
162-
cp /defaults/peer.conf /config/templates/peer.conf
163-
164-
generate_confs () {
165-
mkdir -p /config/server
166-
if [ ! -f /config/server/privatekey-server ]; then
167-
umask 077
168-
wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
169-
fi
170-
eval "`printf %s`
171-
cat <<DUDE > /config/wg0.conf
172-
`cat /config/templates/server.conf`
173-
174-
DUDE"
175-
for i in ${PEERS_ARRAY[@]}; do
176-
if [[ "${i}" =~ ^[0-9]+$ ]]; then
177-
PEER_ID="peer${i}"
178-
else
179-
PEER_ID="peer_${i//[^[:alnum:]_-]/}"
180-
fi
181-
mkdir -p /config/${PEER_ID}
182-
if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then
183-
umask 077
184-
wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID}
185-
fi
186-
if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then
187-
CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}')
188-
if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then
189-
CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|")
190-
fi
191-
else
192-
for idx in {2..254}; do
193-
PROPOSED_IP="${INTERFACE}.${idx}"
194-
if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then
195-
CLIENT_IP="${PROPOSED_IP}"
196-
break
197-
fi
198-
done
199-
fi
200-
eval "`printf %s`
201-
cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
202-
`cat /config/templates/peer.conf`
203-
DUDE"
204-
SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i}
205-
if [ -n "${!SERVER_ALLOWEDIPS}" ]; then
206-
echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}"
207-
cat <<DUDE >> /config/wg0.conf
208-
[Peer]
209-
# ${PEER_ID}
210-
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
211-
AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}
212-
213-
DUDE
214-
else
215-
cat <<DUDE >> /config/wg0.conf
216-
[Peer]
217-
# ${PEER_ID}
218-
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
219-
AllowedIPs = ${CLIENT_IP}/32
220-
221-
DUDE
222-
fi
223-
echo "PEER ${i} QR code:"
224-
qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
225-
qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
226-
done
227-
}
228-
229-
save_vars () {
230-
cat <<DUDE > /config/.donoteditthisfile
231-
ORIG_SERVERURL="$SERVERURL"
232-
ORIG_SERVERPORT="$SERVERPORT"
233-
ORIG_PEERDNS="$PEERDNS"
234-
ORIG_PEERS="$PEERS"
235-
ORIG_INTERFACE="$INTERFACE"
236-
ORIG_ALLOWEDIPS="$ALLOWEDIPS"
237-
DUDE
238-
}
239-
240-
if [ -n "$PEERS" ]; then
241-
echo "**** Server mode is selected ****"
242-
if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then
243-
PEERS_ARRAY=($(seq 1 $PEERS))
244-
else
245-
PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' '))
246-
fi
247-
PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}")
248-
if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
249-
SERVERURL=$(curl -s icanhazip.com)
250-
echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****"
251-
else
252-
echo "**** External server address is set to $SERVERURL ****"
253-
fi
254-
SERVERPORT=${SERVERPORT:-51820}
255-
echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****"
256-
INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
257-
echo "**** Internal subnet is set to $INTERNAL_SUBNET ****"
258-
INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
259-
ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0}
260-
echo "**** AllowedIPs for peers $ALLOWEDIPS ****"
261-
if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
262-
PEERDNS="${INTERFACE}.1"
263-
echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****"
264-
else
265-
echo "**** Peer DNS servers will be set to $PEERDNS ****"
266-
fi
267-
if [ ! -f /config/wg0.conf ]; then
268-
echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
269-
generate_confs
270-
save_vars
271-
else
272-
echo "**** Server mode is selected ****"
273-
[[ -f /config/.donoteditthisfile ]] && \
274-
. /config/.donoteditthisfile
275-
if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then
276-
echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****"
277-
generate_confs
278-
save_vars
279-
else
280-
echo "**** No changes to parameters. Existing configs are used. ****"
281-
fi
282-
fi
283-
else
284-
echo "**** Client mode selected. ****"
285-
if [ ! -f /config/wg0.conf ]; then
286-
echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
287-
sleep infinity
288-
fi
289-
echo "**** Disabling CoreDNS ****"
290-
rm -rf /etc/services.d/coredns
291-
fi
292-
293-
# set up CoreDNS
294-
[[ ! -f /config/coredns/Corefile ]] && \
295-
cp /defaults/Corefile /config/coredns/Corefile
296-
297-
# permissions
298-
chown -R abc:abc \
299-
/config
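Review bot: After this trim, `30-module` ends at the two `fi` lines of the module-install block (old lines 151-153) and everything from `# prepare symlinks` down, including the final `chown -R abc:abc /config`, leaves the file; if anything above line 151 in this script writes under `/config` (not visible in this hunk), it is no longer covered by that chown from this script, since the permissions step now runs only from the conf-generation side. The ordering between module install and conf generation now rests solely on the `30-`/`40-` prefixes of cont-init.d, so a one-line comment at the top of `30-module` stating that it must complete (or `sleep infinity`) before any conf script runs would make that dependency explicit for the next person who renumbers these scripts.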

root/etc/cont-init.d/40-confs

Lines changed: 148 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,148 @@
1+
#!/usr/bin/with-contenv bash
2+
3+
# prepare symlinks
4+
rm -rf /etc/wireguard
5+
mkdir -p /etc/wireguard
6+
ln -s /config/wg0.conf /etc/wireguard/wg0.conf
7+
# prepare templates
8+
[[ ! -f /config/templates/server.conf ]] && \
9+
cp /defaults/server.conf /config/templates/server.conf
10+
[[ ! -f /config/templates/peer.conf ]] && \
11+
cp /defaults/peer.conf /config/templates/peer.conf
12+
13+
generate_confs () {
14+
mkdir -p /config/server
15+
if [ ! -f /config/server/privatekey-server ]; then
16+
umask 077
17+
wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
18+
fi
19+
eval "`printf %s`
20+
cat <<DUDE > /config/wg0.conf
21+
`cat /config/templates/server.conf`
22+
23+
DUDE"
24+
for i in ${PEERS_ARRAY[@]}; do
25+
if [[ "${i}" =~ ^[0-9]+$ ]]; then
26+
PEER_ID="peer${i}"
27+
else
28+
PEER_ID="peer_${i//[^[:alnum:]_-]/}"
29+
fi
30+
mkdir -p /config/${PEER_ID}
31+
if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then
32+
umask 077
33+
wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID}
34+
fi
35+
if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then
36+
CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}')
37+
if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then
38+
CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|")
39+
fi
40+
else
41+
for idx in {2..254}; do
42+
PROPOSED_IP="${INTERFACE}.${idx}"
43+
if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then
44+
CLIENT_IP="${PROPOSED_IP}"
45+
break
46+
fi
47+
done
48+
fi
49+
eval "`printf %s`
50+
cat <<DUDE > /config/${PEER_ID}/${PEER_ID}.conf
51+
`cat /config/templates/peer.conf`
52+
DUDE"
53+
SERVER_ALLOWEDIPS=SERVER_ALLOWEDIPS_PEER_${i}
54+
if [ -n "${!SERVER_ALLOWEDIPS}" ]; then
55+
echo "Adding ${!SERVER_ALLOWEDIPS} to wg0.conf's AllowedIPs for peer ${i}"
56+
cat <<DUDE >> /config/wg0.conf
57+
[Peer]
58+
# ${PEER_ID}
59+
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
60+
AllowedIPs = ${CLIENT_IP}/32,${!SERVER_ALLOWEDIPS}
61+
62+
DUDE
63+
else
64+
cat <<DUDE >> /config/wg0.conf
65+
[Peer]
66+
# ${PEER_ID}
67+
PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
68+
AllowedIPs = ${CLIENT_IP}/32
69+
70+
DUDE
71+
fi
72+
echo "PEER ${i} QR code:"
73+
qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
74+
qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
75+
done
76+
}
77+
78+
save_vars () {
79+
cat <<DUDE > /config/.donoteditthisfile
80+
ORIG_SERVERURL="$SERVERURL"
81+
ORIG_SERVERPORT="$SERVERPORT"
82+
ORIG_PEERDNS="$PEERDNS"
83+
ORIG_PEERS="$PEERS"
84+
ORIG_INTERFACE="$INTERFACE"
85+
ORIG_ALLOWEDIPS="$ALLOWEDIPS"
86+
DUDE
87+
}
88+
89+
if [ -n "$PEERS" ]; then
90+
echo "**** Server mode is selected ****"
91+
if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then
92+
PEERS_ARRAY=($(seq 1 $PEERS))
93+
else
94+
PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' '))
95+
fi
96+
PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}")
97+
if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
98+
SERVERURL=$(curl -s icanhazip.com)
99+
echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****"
100+
else
101+
echo "**** External server address is set to $SERVERURL ****"
102+
fi
103+
SERVERPORT=${SERVERPORT:-51820}
104+
echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****"
105+
INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
106+
echo "**** Internal subnet is set to $INTERNAL_SUBNET ****"
107+
INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
108+
ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0}
109+
echo "**** AllowedIPs for peers $ALLOWEDIPS ****"
110+
if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
111+
PEERDNS="${INTERFACE}.1"
112+
echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****"
113+
else
114+
echo "**** Peer DNS servers will be set to $PEERDNS ****"
115+
fi
116+
if [ ! -f /config/wg0.conf ]; then
117+
echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
118+
generate_confs
119+
save_vars
120+
else
121+
echo "**** Server mode is selected ****"
122+
[[ -f /config/.donoteditthisfile ]] && \
123+
. /config/.donoteditthisfile
124+
if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then
125+
echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****"
126+
generate_confs
127+
save_vars
128+
else
129+
echo "**** No changes to parameters. Existing configs are used. ****"
130+
fi
131+
fi
132+
else
133+
echo "**** Client mode selected. ****"
134+
if [ ! -f /config/wg0.conf ]; then
135+
echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
136+
sleep infinity
137+
fi
138+
echo "**** Disabling CoreDNS ****"
139+
rm -rf /etc/services.d/coredns
140+
fi
141+
142+
# set up CoreDNS
143+
[[ ! -f /config/coredns/Corefile ]] && \
144+
cp /defaults/Corefile /config/coredns/Corefile
145+
146+
# permissions
147+
chown -R abc:abc \
148+
/config
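Review bot: In `generate_confs`, `CLIENT_IP` is never reset before the `for idx in {2..254}` search, so when no free address is found for a peer the loop falls through and that peer silently inherits the previous peer's `CLIENT_IP`, giving two peer confs the same Address and writing a duplicate `AllowedIPs = .../32` entry into wg0.conf; set `CLIENT_IP=""` before the loop and fail loudly (or skip the peer with an error) if it is still empty afterwards. Two smaller items in the same file: the `! [[ "$PEERS" =~ *,* ]]` clause is dead, because a value that already matched `^[0-9]+$` cannot contain a comma (and `*,*` is not the regex it looks like), so the condition can be just the first test; and `SERVERURL=$(curl -s icanhazip.com)` fetches the public address over plain HTTP with no check that the result is non-empty, yet that value is what the templates are expanded with and what `save_vars` records, so a transient failure produces confs with an empty endpoint. Using `https://` plus a `[ -n "$SERVERURL" ]` check that falls back to `sleep infinity`, as the client-mode branch already does for a missing conf, would cover that. Also worth a comment in the script: `qrencode -t ansiutf8` prints each peer's complete conf (a usable WireGuard client conf carries its PrivateKey) into the container's stdout, so anyone with access to `docker logs` has the client keys.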
