diff --git a/src/config.js b/src/config.js index 3281523f..701f2389 100644 --- a/src/config.js +++ b/src/config.js @@ -20,7 +20,7 @@ module.exports.WG_ALLOWED_IPS = process.env.WG_ALLOWED_IPS || '0.0.0.0/0, ::/0'; module.exports.WG_PRE_UP = process.env.WG_PRE_UP || ''; module.exports.WG_POST_UP = process.env.WG_POST_UP || ` -iptables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE; +iptables -t nat -A POSTROUTING -o ${module.exports.WG_DEVICE} -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; diff --git a/src/lib/Server.js b/src/lib/Server.js index 91c669be..1144121a 100644 --- a/src/lib/Server.js +++ b/src/lib/Server.js @@ -161,6 +161,14 @@ module.exports = class Server { const { address } = req.body; return WireGuard.updateClientAddress({ clientId, address }); })) + .put('/api/wireguard/client/:clientId/allowedips', Util.promisify(async (req, res) => { + const { clientId } = req.params; + if (clientId === '__proto__' || clientId === 'constructor' || clientId === 'prototype') { + res.end(403); + } + const { allowedIPs } = req.body; + return WireGuard.updateClientAllowedIPs({ clientId, allowedIPs }); + })) .listen(PORT, WEBUI_HOST, () => { debug(`Listening on http://${WEBUI_HOST}:${PORT}`); diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index fd379465..e1b9cf8a 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -104,6 +104,15 @@ PostDown = ${WG_POST_DOWN} for (const [clientId, client] of Object.entries(config.clients)) { if (!client.enabled) continue; + let allowedIPs = ''; + if(client?.allowedIPs){ + for (const allowedIP of client.allowedIPs) { + allowedIPs += `,${allowedIP.address}/${allowedIP.cidr}`; + } + allowedIPs = allowedIPs.substring(1); + }else { + allowedIPs = client.address; + } result += ` @@ -111,7 +120,7 @@ PostDown = ${WG_POST_DOWN} [Peer] PublicKey = ${client.publicKey} PresharedKey = ${client.preSharedKey} -AllowedIPs = ${client.address}`; +AllowedIPs = ${allowedIPs}`; } debug('Config saving...'); @@ -140,7 +149,7 @@ AllowedIPs = ${client.address}`; publicKey: client.publicKey, createdAt: new Date(client.createdAt), updatedAt: new Date(client.updatedAt), - allowedIPs: client.allowedIPs, + allowedIPs: client?.allowedIPs?client.allowedIPs:[{type:'ipv4', address:client.address, cidr: 32}], persistentKeepalive: null, latestHandshakeAt: null, @@ -241,7 +250,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; }); if (!client) { - address = `${WG_DEFAULT_ADDRESS.replace('x', i)}/32`; + address = `${WG_DEFAULT_ADDRESS.replace('x', i)}`; break; } } @@ -263,6 +272,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; createdAt: new Date(), updatedAt: new Date(), + allowedIPs: [{type:'ipv4', address, cidr: 32}], enabled: true, }; @@ -316,11 +326,27 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; if (!Util.isValidIPv4(address)) { throw new ServerError(`Invalid Address: ${address}`, 400); } - + if(client?.allowedIPs){ + let allowedIPs = client.allowedIPs + client.allowedIPs[0].address = address; + } client.address = address; client.updatedAt = new Date(); await this.saveConfig(); } + async updateClientAllowedIPs({ clientId, allowedIPs }) { + const client = await this.getClient({ clientId }); + let ips = allowedIPs.map(item=>item.address) + ips.forEach(ip=>{ + if (!Util.isValidIPv4(ip)) { + throw new ServerError(`Invalid Address: ${ip}`, 400); + } + }) + client.allowedIPs = allowedIPs; + client.updatedAt = new Date(); + + await this.saveConfig(); + } }; diff --git a/src/www/index.html b/src/www/index.html index 950fe23a..0d7ad6bc 100644 --- a/src/www/index.html +++ b/src/www/index.html @@ -216,6 +216,21 @@
+ + +