
add option to disable ipv6

pull/1950/head
Bernd Storath 3 weeks ago
parent
commit
e93342edfb
  1. 1
      Dockerfile
  2. 1
      Dockerfile.dev
  3. 11
      docs/content/advanced/config/optional-config.md
  4. 51
      src/server/database/sqlite.ts
  5. 2
      src/server/utils/config.ts

1
Dockerfile

@ -54,6 +54,7 @@ ENV PORT=51821
ENV HOST=0.0.0.0 ENV HOST=0.0.0.0
ENV INSECURE=false ENV INSECURE=false
ENV INIT_ENABLED=false ENV INIT_ENABLED=false
ENV DISABLE_IPV6=false
LABEL org.opencontainers.image.source=https://github.com/wg-easy/wg-easy LABEL org.opencontainers.image.source=https://github.com/wg-easy/wg-easy

1
Dockerfile.dev

@ -28,6 +28,7 @@ ENV PORT=51821
ENV HOST=0.0.0.0 ENV HOST=0.0.0.0
ENV INSECURE=true ENV INSECURE=true
ENV INIT_ENABLED=false ENV INIT_ENABLED=false
ENV DISABLE_IPV6=false
# Install Dependencies # Install Dependencies
COPY src/package.json src/pnpm-lock.yaml ./ COPY src/package.json src/pnpm-lock.yaml ./

11
docs/content/advanced/config/optional-config.md

@ -5,7 +5,16 @@ title: Optional Configuration
You can set these environment variables to configure the container. They are not required, but can be useful in some cases. You can set these environment variables to configure the container. They are not required, but can be useful in some cases.
| Env | Default | Example | Description | | Env | Default | Example | Description |
| ---------- | --------- | ----------- | ------------------------------ | | -------------- | --------- | ----------- | ---------------------------------- |
| `PORT` | `51821` | `6789` | TCP port for Web UI. | | `PORT` | `51821` | `6789` | TCP port for Web UI. |
| `HOST` | `0.0.0.0` | `localhost` | IP address web UI binds to. | | `HOST` | `0.0.0.0` | `localhost` | IP address web UI binds to. |
| `INSECURE` | `false` | `true` | If access over http is allowed | | `INSECURE` | `false` | `true` | If access over http is allowed |
| `DISABLE_IPV6` | `false` | `true` | If IPv6 support should be disabled |
/// note | IPv6 Caveats
Disabling IPv6 will only disable the creation of the default IPv6 firewall rules. The clients will still get an IPv6 address assigned.
This option can be removed in the future, as more devices support IPv6.
///

51
src/server/database/sqlite.ts

@ -2,6 +2,7 @@ import { drizzle } from 'drizzle-orm/libsql';
import { migrate as drizzleMigrate } from 'drizzle-orm/libsql/migrator'; import { migrate as drizzleMigrate } from 'drizzle-orm/libsql/migrator';
import { createClient } from '@libsql/client'; import { createClient } from '@libsql/client';
import debug from 'debug'; import debug from 'debug';
import { eq } from 'drizzle-orm';
import * as schema from './schema'; import * as schema from './schema';
import { ClientService } from './repositories/client/service'; import { ClientService } from './repositories/client/service';
@ -25,6 +26,11 @@ export async function connect() {
await initialSetup(dbService); await initialSetup(dbService);
} }
if (WG_ENV.DISABLE_IPV6) {
DB_DEBUG('Warning: Disabling IPv6...');
await disableIpv6(db);
}
return dbService; return dbService;
} }
@ -108,3 +114,48 @@ async function initialSetup(db: DBServiceType) {
await db.general.setSetupStep(0); await db.general.setSetupStep(0);
} }
} }
async function disableIpv6(db: DBType) {
// This should match the initial value migration
const postUpMatch =
' ip6tables -t nat -A POSTROUTING -s {{ipv6Cidr}} -o {{device}} -j MASQUERADE; ip6tables -A INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -A FORWARD -o wg0 -j ACCEPT;';
const postDownMatch =
' ip6tables -t nat -D POSTROUTING -s {{ipv6Cidr}} -o {{device}} -j MASQUERADE; ip6tables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT;';
await db.transaction(async (tx) => {
const hooks = await tx.query.hooks.findFirst({
where: eq(schema.hooks.id, 'wg0'),
});
if (!hooks) {
throw new Error('Hooks not found');
}
if (hooks.postUp.includes(postUpMatch)) {
DB_DEBUG('Disabling IPv6 in Post Up hooks...');
await tx
.update(schema.hooks)
.set({
postUp: hooks.postUp.replace(postUpMatch, ''),
postDown: hooks.postDown.replace(postDownMatch, ''),
})
.where(eq(schema.hooks.id, 'wg0'))
.execute();
} else {
DB_DEBUG('IPv6 Post Up hooks already disabled, skipping...');
}
if (hooks.postDown.includes(postDownMatch)) {
DB_DEBUG('Disabling IPv6 in Post Down hooks...');
await tx
.update(schema.hooks)
.set({
postUp: hooks.postUp.replace(postUpMatch, ''),
postDown: hooks.postDown.replace(postDownMatch, ''),
})
.where(eq(schema.hooks.id, 'wg0'))
.execute();
} else {
DB_DEBUG('IPv6 Post Down hooks already disabled, skipping...');
}
});
}
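Review bot: `disableIpv6` logs "already disabled, skipping..." whenever the stored hooks do not contain the exact default string, which is also the outcome when an operator has edited the hooks or the migration's default text differs; in that case any `ip6tables` ACCEPT and MASQUERADE rules stay in the hooks while the log says IPv6 is off. The two branches also issue the same update, since each writes both `postUp` and `postDown` computed from the row read at the start of the transaction. I would compute the two replacements once, update only when something changed, and log a distinct warning when `ip6tables` is still present afterwards. The change is also one-way as far as this hunk shows: nothing here restores the rules when `DISABLE_IPV6` is set back to `false`, which deserves a line in the function's comment.

```typescript
  await db.transaction(async (tx) => {
    // … unchanged: load the 'wg0' hooks row, throw if it is missing …

    const postUp = hooks.postUp.replace(postUpMatch, '');
    const postDown = hooks.postDown.replace(postDownMatch, '');

    if (postUp !== hooks.postUp || postDown !== hooks.postDown) {
      DB_DEBUG('Removing default IPv6 rules from hooks...');
      await tx
        .update(schema.hooks)
        .set({ postUp, postDown })
        .where(eq(schema.hooks.id, 'wg0'))
        .execute();
    }

    // Customised hooks never match the default string; report that
    // instead of claiming the rules are already gone.
    if (postUp.includes('ip6tables') || postDown.includes('ip6tables')) {
      DB_DEBUG(
        'Warning: hooks still contain ip6tables rules; DISABLE_IPV6 only removes the unmodified defaults'
      );
    }
  });
```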

2
src/server/utils/config.ts

@ -17,6 +17,8 @@ export const WG_ENV = {
INSECURE: process.env.INSECURE === 'true', INSECURE: process.env.INSECURE === 'true',
/** Port the UI is listening on */ /** Port the UI is listening on */
PORT: assertEnv('PORT'), PORT: assertEnv('PORT'),
/** If IPv6 should be disabled */
DISABLE_IPV6: process.env.DISABLE_IPV6 === 'true',
}; };
export const WG_INITIAL_ENV = { export const WG_INITIAL_ENV = {
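Review bot: `DISABLE_IPV6: process.env.DISABLE_IPV6 === 'true'` treats every other spelling (`TRUE`, `1`, `yes`) as false without any message, so an operator who sets one of those keeps the IPv6 firewall rules while believing they are removed. This matches how `INSECURE` is parsed just above, so I would keep the parsing and make the contract explicit in the doc comment, for example `/** If IPv6 should be disabled; only the exact string 'true' enables this */`. The `WG_ENV` object starts outside this hunk, so other keys may already follow a documented convention.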
