From 55177f0425afd2f8a137df533f77e8b0cc62f8e2 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Wed, 8 Sep 2021 23:54:25 -0500
Subject: [PATCH 01/84] cleanup, remove server mode
---
.dockerignore | 4 +-
.editorconfig | 20 -
.gitattributes | 17 -
.github/FUNDING.yml | 4 +-
Dockerfile.aarch64 | 65 ---
Dockerfile.armhf | 65 ---
Jenkinsfile | 887 --------------------------------
jenkins-vars.yml | 29 --
package_versions.txt | 216 --------
readme-vars.yml | 123 -----
root/app/add-peer | 47 --
root/app/show-peer | 21 -
root/defaults/server.conf | 6 -
root/donate.txt | 1 -
root/etc/cont-init.d/30-config | 123 +----
root/etc/services.d/coredns/run | 11 -
16 files changed, 7 insertions(+), 1632 deletions(-)
delete mode 100755 .editorconfig
delete mode 100644 .gitattributes
delete mode 100644 Dockerfile.aarch64
delete mode 100644 Dockerfile.armhf
delete mode 100644 Jenkinsfile
delete mode 100644 jenkins-vars.yml
delete mode 100755 package_versions.txt
delete mode 100644 readme-vars.yml
delete mode 100755 root/app/add-peer
delete mode 100755 root/app/show-peer
delete mode 100644 root/defaults/server.conf
delete mode 100644 root/donate.txt
delete mode 100644 root/etc/services.d/coredns/run
diff --git a/.dockerignore b/.dockerignore
index cdb1a82f..f8c28d33 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,4 @@
.git
.gitignore
.github
-.gitattributes
-READMETEMPLATE.md
-README.md
+README.md
\ No newline at end of file
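Review bot: The rewritten `.dockerignore` now ends without a trailing newline (`\ No newline at end of file` after `README.md`), which is a style regression the same commit makes harder to catch by deleting `.editorconfig` and its `insert_final_newline = true` rule. Terminating the file with a newline, `README.md` followed by a line break, keeps the last pattern unambiguous to tooling that reads the file line by line. The rest of the change (dropping `.gitattributes` and `READMETEMPLATE.md` from the ignore list) matches the files removed elsewhere in this patch.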
diff --git a/.editorconfig b/.editorconfig
deleted file mode 100755
index a92f7dfd..00000000
--- a/.editorconfig
+++ /dev/null
@@ -1,20 +0,0 @@
-# This file is globally distributed to all container image projects from
-# https://github.com/linuxserver/docker-jenkins-builder/blob/master/.editorconfig
-
-# top-most EditorConfig file
-root = true
-
-# Unix-style newlines with a newline ending every file
-[*]
-end_of_line = lf
-insert_final_newline = true
-# trim_trailing_whitespace may cause unintended issues and should not be globally set true
-trim_trailing_whitespace = false
-
-[{Dockerfile*,**.yml}]
-indent_style = space
-indent_size = 2
-
-[{**.sh,root/etc/cont-init.d/**,root/etc/services.d/**}]
-indent_style = space
-indent_size = 4
diff --git a/.gitattributes b/.gitattributes
deleted file mode 100644
index bdb0cabc..00000000
--- a/.gitattributes
+++ /dev/null
@@ -1,17 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto
-
-# Custom for Visual Studio
-*.cs diff=csharp
-
-# Standard to msysgit
-*.doc diff=astextplain
-*.DOC diff=astextplain
-*.docx diff=astextplain
-*.DOCX diff=astextplain
-*.dot diff=astextplain
-*.DOT diff=astextplain
-*.pdf diff=astextplain
-*.PDF diff=astextplain
-*.rtf diff=astextplain
-*.RTF diff=astextplain
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index 2d3799f5..f5be2c4c 100755
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,3 @@
-github: linuxserver
+github: bubuntux
open_collective: linuxserver
-custom: ["https://www.wireguard.com/donations/",]
+custom: "https://www.wireguard.com/donations/"
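Review bot: `open_collective: linuxserver` is left as-is while `github:` is repointed from `linuxserver` to `bubuntux`, so the funding metadata now advertises two different maintainers in the same file. If the Open Collective account is not the fork's, the line should be removed or repointed in this same commit, e.g. drop `open_collective: linuxserver` or set it to the fork owner's collective. The `custom` entry's change from a one-element list to a bare string is presumably equivalent for GitHub's FUNDING.yml schema, but that is worth confirming on the rendered repository page rather than assumed.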
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
deleted file mode 100644
index 7d2fab1f..00000000
--- a/Dockerfile.aarch64
+++ /dev/null
@@ -1,65 +0,0 @@
-FROM ghcr.io/linuxserver/baseimage-ubuntu:arm64v8-bionic
-
-# set version label
-ARG BUILD_DATE
-ARG VERSION
-ARG WIREGUARD_RELEASE
-LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="aptalca"
-
-ENV DEBIAN_FRONTEND="noninteractive"
-
-RUN \
- echo "**** install dependencies ****" && \
- apt-get update && \
- apt-get install -y --no-install-recommends \
- bc \
- build-essential \
- curl \
- dkms \
- git \
- gnupg \
- ifupdown \
- iproute2 \
- iptables \
- iputils-ping \
- jq \
- libc6 \
- libelf-dev \
- net-tools \
- openresolv \
- perl \
- pkg-config \
- qrencode && \
- echo "**** install wireguard-tools ****" && \
- if [ -z ${WIREGUARD_RELEASE+x} ]; then \
- WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
- | jq -r .[0].name); \
- fi && \
- cd /app && \
- git clone https://git.zx2c4.com/wireguard-linux-compat && \
- git clone https://git.zx2c4.com/wireguard-tools && \
- cd wireguard-tools && \
- git checkout "${WIREGUARD_RELEASE}" && \
- make -C src -j$(nproc) && \
- make -C src install && \
- echo "**** install CoreDNS ****" && \
- COREDNS_VERSION=$(curl -sX GET "https://api.github.com/repos/coredns/coredns/releases/latest" \
- | awk '/tag_name/{print $4;exit}' FS='[""]' | awk '{print substr($1,2); }') && \
- curl -o \
- /tmp/coredns.tar.gz -L \
- "https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_arm64.tgz" && \
- tar xf \
- /tmp/coredns.tar.gz -C \
- /app && \
- echo "**** clean up ****" && \
- rm -rf \
- /tmp/* \
- /var/lib/apt/lists/* \
- /var/tmp/*
-
-# add local files
-COPY /root /
-
-# ports and volumes
-EXPOSE 51820/udp
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
deleted file mode 100644
index 40a482a2..00000000
--- a/Dockerfile.armhf
+++ /dev/null
@@ -1,65 +0,0 @@
-FROM ghcr.io/linuxserver/baseimage-ubuntu:arm32v7-bionic
-
-# set version label
-ARG BUILD_DATE
-ARG VERSION
-ARG WIREGUARD_RELEASE
-LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="aptalca"
-
-ENV DEBIAN_FRONTEND="noninteractive"
-
-RUN \
- echo "**** install dependencies ****" && \
- apt-get update && \
- apt-get install -y --no-install-recommends \
- bc \
- build-essential \
- curl \
- dkms \
- git \
- gnupg \
- ifupdown \
- iproute2 \
- iptables \
- iputils-ping \
- jq \
- libc6 \
- libelf-dev \
- net-tools \
- openresolv \
- perl \
- pkg-config \
- qrencode && \
- echo "**** install wireguard-tools ****" && \
- if [ -z ${WIREGUARD_RELEASE+x} ]; then \
- WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
- | jq -r .[0].name); \
- fi && \
- cd /app && \
- git clone https://git.zx2c4.com/wireguard-linux-compat && \
- git clone https://git.zx2c4.com/wireguard-tools && \
- cd wireguard-tools && \
- git checkout "${WIREGUARD_RELEASE}" && \
- make -C src -j$(nproc) && \
- make -C src install && \
- echo "**** install CoreDNS ****" && \
- COREDNS_VERSION=$(curl -sX GET "https://api.github.com/repos/coredns/coredns/releases/latest" \
- | awk '/tag_name/{print $4;exit}' FS='[""]' | awk '{print substr($1,2); }') && \
- curl -o \
- /tmp/coredns.tar.gz -L \
- "https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_arm.tgz" && \
- tar xf \
- /tmp/coredns.tar.gz -C \
- /app && \
- echo "**** clean up ****" && \
- rm -rf \
- /tmp/* \
- /var/lib/apt/lists/* \
- /var/tmp/*
-
-# add local files
-COPY /root /
-
-# ports and volumes
-EXPOSE 51820/udp
diff --git a/Jenkinsfile b/Jenkinsfile
deleted file mode 100644
index 96030f73..00000000
--- a/Jenkinsfile
+++ /dev/null
@@ -1,887 +0,0 @@
-pipeline {
- agent {
- label 'X86-64-MULTI'
- }
- options {
- buildDiscarder(logRotator(numToKeepStr: '10', daysToKeepStr: '60'))
- parallelsAlwaysFailFast()
- }
- // Input to determine if this is a package check
- parameters {
- string(defaultValue: 'false', description: 'package check run', name: 'PACKAGE_CHECK')
- }
- // Configuration for the variables used for this specific repo
- environment {
- BUILDS_DISCORD=credentials('build_webhook_url')
- GITHUB_TOKEN=credentials('498b4638-2d02-4ce5-832d-8a57d01d97ab')
- GITLAB_TOKEN=credentials('b6f0f1dd-6952-4cf6-95d1-9c06380283f0')
- GITLAB_NAMESPACE=credentials('gitlab-namespace-id')
- CONTAINER_NAME = 'wireguard'
- BUILD_VERSION_ARG = 'WIREGUARD_VERSION'
- LS_USER = 'linuxserver'
- LS_REPO = 'docker-wireguard'
- DOCKERHUB_IMAGE = 'linuxserver/wireguard'
- DEV_DOCKERHUB_IMAGE = 'lsiodev/wireguard'
- PR_DOCKERHUB_IMAGE = 'lspipepr/wireguard'
- DIST_IMAGE = 'ubuntu'
- MULTIARCH='true'
- CI='false'
- CI_WEB='false'
- CI_PORT='8080'
- CI_SSL='false'
- CI_DELAY='120'
- CI_DOCKERENV='TZ=US/Pacific'
- CI_AUTH='user:password'
- CI_WEBPATH=''
- }
- stages {
- // Setup all the basic environment variables needed for the build
- stage("Set ENV Variables base"){
- steps{
- script{
- env.EXIT_STATUS = ''
- env.LS_RELEASE = sh(
- script: '''docker run --rm ghcr.io/linuxserver/alexeiled-skopeo sh -c 'skopeo inspect docker://docker.io/'${DOCKERHUB_IMAGE}':latest 2>/dev/null' | jq -r '.Labels.build_version' | awk '{print $3}' | grep '\\-ls' || : ''',
- returnStdout: true).trim()
- env.LS_RELEASE_NOTES = sh(
- script: '''cat readme-vars.yml | awk -F \\" '/date: "[0-9][0-9].[0-9][0-9].[0-9][0-9]:/ {print $4;exit;}' | sed -E ':a;N;$!ba;s/\\r{0,1}\\n/\\\\n/g' ''',
- returnStdout: true).trim()
- env.GITHUB_DATE = sh(
- script: '''date '+%Y-%m-%dT%H:%M:%S%:z' ''',
- returnStdout: true).trim()
- env.COMMIT_SHA = sh(
- script: '''git rev-parse HEAD''',
- returnStdout: true).trim()
- env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT
- env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/'
- env.PULL_REQUEST = env.CHANGE_ID
- env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.md ./.github/ISSUE_TEMPLATE/issue.feature.md ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
- }
- script{
- env.LS_RELEASE_NUMBER = sh(
- script: '''echo ${LS_RELEASE} |sed 's/^.*-ls//g' ''',
- returnStdout: true).trim()
- }
- script{
- env.LS_TAG_NUMBER = sh(
- script: '''#! /bin/bash
- tagsha=$(git rev-list -n 1 ${LS_RELEASE} 2>/dev/null)
- if [ "${tagsha}" == "${COMMIT_SHA}" ]; then
- echo ${LS_RELEASE_NUMBER}
- elif [ -z "${GIT_COMMIT}" ]; then
- echo ${LS_RELEASE_NUMBER}
- else
- echo $((${LS_RELEASE_NUMBER} + 1))
- fi''',
- returnStdout: true).trim()
- }
- }
- }
- /* #######################
- Package Version Tagging
- ####################### */
- // Grab the current package versions in Git to determine package tag
- stage("Set Package tag"){
- steps{
- script{
- env.PACKAGE_TAG = sh(
- script: '''#!/bin/bash
- if [ -e package_versions.txt ] ; then
- cat package_versions.txt | md5sum | cut -c1-8
- else
- echo none
- fi''',
- returnStdout: true).trim()
- }
- }
- }
- /* ########################
- External Release Tagging
- ######################## */
- // If this is a custom command to determine version use that command
- stage("Set tag custom bash"){
- steps{
- script{
- env.EXT_RELEASE = sh(
- script: ''' curl -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name ''',
- returnStdout: true).trim()
- env.RELEASE_LINK = 'custom_command'
- }
- }
- }
- // Sanitize the release tag and strip illegal docker or github characters
- stage("Sanitize tag"){
- steps{
- script{
- env.EXT_RELEASE_CLEAN = sh(
- script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''',
- returnStdout: true).trim()
- }
- }
- }
- // If this is a master build use live docker endpoints
- stage("Set ENV live build"){
- when {
- branch "master"
- environment name: 'CHANGE_ID', value: ''
- }
- steps {
- script{
- env.IMAGE = env.DOCKERHUB_IMAGE
- env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/' + env.CONTAINER_NAME
- env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/' + env.CONTAINER_NAME
- if (env.MULTIARCH == 'true') {
- env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
- } else {
- env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
- }
- env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
- env.META_TAG = env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
- env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
- }
- }
- }
- // If this is a dev build use dev docker endpoints
- stage("Set ENV dev build"){
- when {
- not {branch "master"}
- environment name: 'CHANGE_ID', value: ''
- }
- steps {
- script{
- env.IMAGE = env.DEV_DOCKERHUB_IMAGE
- env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lsiodev-' + env.CONTAINER_NAME
- env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lsiodev-' + env.CONTAINER_NAME
- if (env.MULTIARCH == 'true') {
- env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
- } else {
- env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
- }
- env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
- env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-dev-' + env.COMMIT_SHA
- env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
- env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DEV_DOCKERHUB_IMAGE + '/tags/'
- }
- }
- }
- // If this is a pull request build use dev docker endpoints
- stage("Set ENV PR build"){
- when {
- not {environment name: 'CHANGE_ID', value: ''}
- }
- steps {
- script{
- env.IMAGE = env.PR_DOCKERHUB_IMAGE
- env.GITHUBIMAGE = 'ghcr.io/' + env.LS_USER + '/lspipepr-' + env.CONTAINER_NAME
- env.GITLABIMAGE = 'registry.gitlab.com/linuxserver.io/' + env.LS_REPO + '/lspipepr-' + env.CONTAINER_NAME
- if (env.MULTIARCH == 'true') {
- env.CI_TAGS = 'amd64-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm32v7-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST + '|arm64v8-' + env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
- } else {
- env.CI_TAGS = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
- }
- env.VERSION_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
- env.META_TAG = env.EXT_RELEASE_CLEAN + '-pkg-' + env.PACKAGE_TAG + '-pr-' + env.PULL_REQUEST
- env.EXT_RELEASE_TAG = 'version-' + env.EXT_RELEASE_CLEAN
- env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/pull/' + env.PULL_REQUEST
- env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.PR_DOCKERHUB_IMAGE + '/tags/'
- }
- }
- }
- // Run ShellCheck
- stage('ShellCheck') {
- when {
- environment name: 'CI', value: 'true'
- }
- steps {
- withCredentials([
- string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'),
- string(credentialsId: 'ci-tests-s3-secret-access-key', variable: 'S3_SECRET')
- ]) {
- script{
- env.SHELLCHECK_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/shellcheck-result.xml'
- }
- sh '''curl -sL https://raw.githubusercontent.com/linuxserver/docker-shellcheck/master/checkrun.sh | /bin/bash'''
- sh '''#! /bin/bash
- set -e
- docker pull ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest
- docker run --rm \
- -e DESTINATION=\"${IMAGE}/${META_TAG}/shellcheck-result.xml\" \
- -e FILE_NAME="shellcheck-result.xml" \
- -e MIMETYPE="text/xml" \
- -v ${WORKSPACE}:/mnt \
- -e SECRET_KEY=\"${S3_SECRET}\" \
- -e ACCESS_KEY=\"${S3_KEY}\" \
- -t ghcr.io/linuxserver/lsiodev-spaces-file-upload:latest \
- python /upload.py'''
- }
- }
- }
- // Use helper containers to render templated files
- stage('Update-Templates') {
- when {
- branch "master"
- environment name: 'CHANGE_ID', value: ''
- expression {
- env.CONTAINER_NAME != null
- }
- }
- steps {
- sh '''#! /bin/bash
- set -e
- TEMPDIR=$(mktemp -d)
- docker pull ghcr.io/linuxserver/jenkins-builder:latest
- docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH=master -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest
- # Stage 1 - Jenkinsfile update
- if [[ "$(md5sum Jenkinsfile | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile | awk '{ print $1 }')" ]]; then
- mkdir -p ${TEMPDIR}/repo
- git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
- cd ${TEMPDIR}/repo/${LS_REPO}
- git checkout -f master
- cp ${TEMPDIR}/docker-${CONTAINER_NAME}/Jenkinsfile ${TEMPDIR}/repo/${LS_REPO}/
- git add Jenkinsfile
- git commit -m 'Bot Updating Templated Files'
- git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
- echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
- echo "Updating Jenkinsfile"
- rm -Rf ${TEMPDIR}
- exit 0
- else
- echo "Jenkinsfile is up to date."
- fi
- # Stage 2 - Delete old templates
- OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md"
- for i in ${OLD_TEMPLATES}; do
- if [[ -f "${i}" ]]; then
- TEMPLATES_TO_DELETE="${i} ${TEMPLATES_TO_DELETE}"
- fi
- done
- if [[ -n "${TEMPLATES_TO_DELETE}" ]]; then
- mkdir -p ${TEMPDIR}/repo
- git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
- cd ${TEMPDIR}/repo/${LS_REPO}
- git checkout -f master
- for i in ${TEMPLATES_TO_DELETE}; do
- git rm "${i}"
- done
- git commit -m 'Bot Updating Templated Files'
- git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
- echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
- echo "Deleting old templates"
- rm -Rf ${TEMPDIR}
- exit 0
- else
- echo "No templates to delete"
- fi
- # Stage 3 - Update templates
- CURRENTHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
- cd ${TEMPDIR}/docker-${CONTAINER_NAME}
- NEWHASH=$(grep -hs ^ ${TEMPLATED_FILES} | md5sum | cut -c1-8)
- if [[ "${CURRENTHASH}" != "${NEWHASH}" ]] || ! grep -q '.jenkins-external' "${WORKSPACE}/.gitignore" 2>/dev/null; then
- mkdir -p ${TEMPDIR}/repo
- git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/repo/${LS_REPO}
- cd ${TEMPDIR}/repo/${LS_REPO}
- git checkout -f master
- cd ${TEMPDIR}/docker-${CONTAINER_NAME}
- mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/workflows
- mkdir -p ${TEMPDIR}/repo/${LS_REPO}/.github/ISSUE_TEMPLATE
- cp --parents ${TEMPLATED_FILES} ${TEMPDIR}/repo/${LS_REPO}/ || :
- cd ${TEMPDIR}/repo/${LS_REPO}/
- if ! grep -q '.jenkins-external' .gitignore 2>/dev/null; then
- echo ".jenkins-external" >> .gitignore
- git add .gitignore
- fi
- git add ${TEMPLATED_FILES}
- git commit -m 'Bot Updating Templated Files'
- git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
- echo "true" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
- else
- echo "false" > /tmp/${COMMIT_SHA}-${BUILD_NUMBER}
- fi
- mkdir -p ${TEMPDIR}/gitbook
- git clone https://github.com/linuxserver/docker-documentation.git ${TEMPDIR}/gitbook/docker-documentation
- if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md) || ("$(md5sum ${TEMPDIR}/gitbook/docker-documentation/images/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md | awk '{ print $1 }')") ]]; then
- cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/docker-${CONTAINER_NAME}.md ${TEMPDIR}/gitbook/docker-documentation/images/
- cd ${TEMPDIR}/gitbook/docker-documentation/
- git add images/docker-${CONTAINER_NAME}.md
- git commit -m 'Bot Updating Documentation'
- git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/docker-documentation.git --all
- fi
- mkdir -p ${TEMPDIR}/unraid
- git clone https://github.com/linuxserver/docker-templates.git ${TEMPDIR}/unraid/docker-templates
- git clone https://github.com/linuxserver/templates.git ${TEMPDIR}/unraid/templates
- if [[ -f ${TEMPDIR}/unraid/docker-templates/linuxserver.io/img/${CONTAINER_NAME}-logo.png ]]; then
- sed -i "s|master/linuxserver.io/img/linuxserver-ls-logo.png|master/linuxserver.io/img/${CONTAINER_NAME}-logo.png|" ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml
- fi
- if [[ ("${BRANCH_NAME}" == "master") || ("${BRANCH_NAME}" == "main") ]] && [[ (! -f ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml) || ("$(md5sum ${TEMPDIR}/unraid/templates/unraid/${CONTAINER_NAME}.xml | awk '{ print $1 }')" != "$(md5sum ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml | awk '{ print $1 }')") ]]; then
- cd ${TEMPDIR}/unraid/templates/
- if grep -wq "${CONTAINER_NAME}" ${TEMPDIR}/unraid/templates/unraid/ignore.list; then
- echo "Image is on the ignore list, removing Unraid template"
- git rm unraid/${CONTAINER_NAME}.xml || :
- git commit -m 'Bot Removing Deprecated Unraid Template' || :
- else
- cp ${TEMPDIR}/docker-${CONTAINER_NAME}/.jenkins-external/${CONTAINER_NAME}.xml ${TEMPDIR}/unraid/templates/unraid/
- git add unraid/${CONTAINER_NAME}.xml
- git commit -m 'Bot Updating Unraid Template'
- fi
- git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/linuxserver/templates.git --all
- fi
- rm -Rf ${TEMPDIR}'''
- script{
- env.FILES_UPDATED = sh(
- script: '''cat /tmp/${COMMIT_SHA}-${BUILD_NUMBER}''',
- returnStdout: true).trim()
- }
- }
- }
- // Exit the build if the Templated files were just updated
- stage('Template-exit') {
- when {
- branch "master"
- environment name: 'CHANGE_ID', value: ''
- environment name: 'FILES_UPDATED', value: 'true'
- expression {
- env.CONTAINER_NAME != null
- }
- }
- steps {
- script{
- env.EXIT_STATUS = 'ABORTED'
- }
- }
- }
- /* #######################
- GitLab Mirroring
- ####################### */
- // Ping into Gitlab to mirror this repo and have a registry endpoint
- stage("GitLab Mirror"){
- when {
- environment name: 'EXIT_STATUS', value: ''
- }
- steps{
- sh '''curl -H "Content-Type: application/json" -H "Private-Token: ${GITLAB_TOKEN}" -X POST https://gitlab.com/api/v4/projects \
- -d '{"namespace_id":'${GITLAB_NAMESPACE}',\
- "name":"'${LS_REPO}'",
- "mirror":true,\
- "import_url":"https://github.com/linuxserver/'${LS_REPO}'.git",\
- "issues_access_level":"disabled",\
- "merge_requests_access_level":"disabled",\
- "repository_access_level":"enabled",\
- "visibility":"public"}' '''
- }
- }
- /* ###############
- Build Container
- ############### */
- // Build Docker container for push to LS Repo
- stage('Build-Single') {
- when {
- expression {
- env.MULTIARCH == 'false' || params.PACKAGE_CHECK == 'true'
- }
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- echo "Running on node: ${NODE_NAME}"
- sh "docker build \
- --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
- --label \"org.opencontainers.image.authors=linuxserver.io\" \
- --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-wireguard/packages\" \
- --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-wireguard\" \
- --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-wireguard\" \
- --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
- --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.vendor=linuxserver.io\" \
- --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
- --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.title=Wireguard\" \
- --label \"org.opencontainers.image.description=[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.\" \
- --no-cache --pull -t ${IMAGE}:${META_TAG} \
- --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
- }
- }
- // Build MultiArch Docker containers for push to LS Repo
- stage('Build-Multi') {
- when {
- allOf {
- environment name: 'MULTIARCH', value: 'true'
- expression { params.PACKAGE_CHECK == 'false' }
- }
- environment name: 'EXIT_STATUS', value: ''
- }
- parallel {
- stage('Build X86') {
- steps {
- echo "Running on node: ${NODE_NAME}"
- sh "docker build \
- --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
- --label \"org.opencontainers.image.authors=linuxserver.io\" \
- --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-wireguard/packages\" \
- --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-wireguard\" \
- --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-wireguard\" \
- --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
- --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.vendor=linuxserver.io\" \
- --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
- --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.title=Wireguard\" \
- --label \"org.opencontainers.image.description=[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.\" \
- --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} \
- --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
- }
- }
- stage('Build ARMHF') {
- agent {
- label 'ARMHF'
- }
- steps {
- echo "Running on node: ${NODE_NAME}"
- echo 'Logging into Github'
- sh '''#! /bin/bash
- echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
- '''
- sh "docker build \
- --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
- --label \"org.opencontainers.image.authors=linuxserver.io\" \
- --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-wireguard/packages\" \
- --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-wireguard\" \
- --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-wireguard\" \
- --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
- --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.vendor=linuxserver.io\" \
- --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
- --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.title=Wireguard\" \
- --label \"org.opencontainers.image.description=[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.\" \
- --no-cache --pull -f Dockerfile.armhf -t ${IMAGE}:arm32v7-${META_TAG} \
- --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
- sh "docker tag ${IMAGE}:arm32v7-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
- retry(5) {
- sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}"
- }
- sh '''docker rmi \
- ${IMAGE}:arm32v7-${META_TAG} \
- ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
- }
- }
- stage('Build ARM64') {
- agent {
- label 'ARM64'
- }
- steps {
- echo "Running on node: ${NODE_NAME}"
- echo 'Logging into Github'
- sh '''#! /bin/bash
- echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
- '''
- sh "docker build \
- --label \"org.opencontainers.image.created=${GITHUB_DATE}\" \
- --label \"org.opencontainers.image.authors=linuxserver.io\" \
- --label \"org.opencontainers.image.url=https://github.com/linuxserver/docker-wireguard/packages\" \
- --label \"org.opencontainers.image.documentation=https://docs.linuxserver.io/images/docker-wireguard\" \
- --label \"org.opencontainers.image.source=https://github.com/linuxserver/docker-wireguard\" \
- --label \"org.opencontainers.image.version=${EXT_RELEASE_CLEAN}-ls${LS_TAG_NUMBER}\" \
- --label \"org.opencontainers.image.revision=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.vendor=linuxserver.io\" \
- --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
- --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
- --label \"org.opencontainers.image.title=Wireguard\" \
- --label \"org.opencontainers.image.description=[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.\" \
- --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} \
- --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
- sh "docker tag ${IMAGE}:arm64v8-${META_TAG} ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
- retry(5) {
- sh "docker push ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}"
- }
- sh '''docker rmi \
- ${IMAGE}:arm64v8-${META_TAG} \
- ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :'''
- }
- }
- }
- }
- // Take the image we just built and dump package versions for comparison
- stage('Update-packages') {
- when {
- branch "master"
- environment name: 'CHANGE_ID', value: ''
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- sh '''#! /bin/bash
- set -e
- TEMPDIR=$(mktemp -d)
- if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
- LOCAL_CONTAINER=${IMAGE}:amd64-${META_TAG}
- else
- LOCAL_CONTAINER=${IMAGE}:${META_TAG}
- fi
- if [ "${DIST_IMAGE}" == "alpine" ]; then
- docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
- apk info -v > /tmp/package_versions.txt && \
- sort -o /tmp/package_versions.txt /tmp/package_versions.txt && \
- chmod 777 /tmp/package_versions.txt'
- elif [ "${DIST_IMAGE}" == "ubuntu" ]; then
- docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
- apt list -qq --installed | sed "s#/.*now ##g" | cut -d" " -f1 > /tmp/package_versions.txt && \
- sort -o /tmp/package_versions.txt /tmp/package_versions.txt && \
- chmod 777 /tmp/package_versions.txt'
- elif [ "${DIST_IMAGE}" == "fedora" ]; then
- docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
- rpm -qa > /tmp/package_versions.txt && \
- sort -o /tmp/package_versions.txt /tmp/package_versions.txt && \
- chmod 777 /tmp/package_versions.txt'
- elif [ "${DIST_IMAGE}" == "arch" ]; then
- docker run --rm --entrypoint '/bin/sh' -v ${TEMPDIR}:/tmp ${LOCAL_CONTAINER} -c '\
- pacman -Q > /tmp/package_versions.txt && \
- chmod 777 /tmp/package_versions.txt'
- fi
- NEW_PACKAGE_TAG=$(md5sum ${TEMPDIR}/package_versions.txt | cut -c1-8 )
- echo "Package tag sha from current packages in buit container is ${NEW_PACKAGE_TAG} comparing to old ${PACKAGE_TAG} from github"
- if [ "${NEW_PACKAGE_TAG}" != "${PACKAGE_TAG}" ]; then
- git clone https://github.com/${LS_USER}/${LS_REPO}.git ${TEMPDIR}/${LS_REPO}
- git --git-dir ${TEMPDIR}/${LS_REPO}/.git checkout -f master
- cp ${TEMPDIR}/package_versions.txt ${TEMPDIR}/${LS_REPO}/
- cd ${TEMPDIR}/${LS_REPO}/
- wait
- git add package_versions.txt
- git commit -m 'Bot Updating Package Versions'
- git push https://LinuxServer-CI:${GITHUB_TOKEN}@github.com/${LS_USER}/${LS_REPO}.git --all
- echo "true" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}
- echo "Package tag updated, stopping build process"
- else
- echo "false" > /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}
- echo "Package tag is same as previous continue with build process"
- fi
- rm -Rf ${TEMPDIR}'''
- script{
- env.PACKAGE_UPDATED = sh(
- script: '''cat /tmp/packages-${COMMIT_SHA}-${BUILD_NUMBER}''',
- returnStdout: true).trim()
- }
- }
- }
- // Exit the build if the package file was just updated
- stage('PACKAGE-exit') {
- when {
- branch "master"
- environment name: 'CHANGE_ID', value: ''
- environment name: 'PACKAGE_UPDATED', value: 'true'
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- sh '''#! /bin/bash
- echo "Packages were updated. Cleaning up the image and exiting."
- if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
- docker rmi ${IMAGE}:amd64-${META_TAG}
- else
- docker rmi ${IMAGE}:${META_TAG}
- fi'''
- script{
- env.EXIT_STATUS = 'ABORTED'
- }
- }
- }
- // Exit the build if this is just a package check and there are no changes to push
- stage('PACKAGECHECK-exit') {
- when {
- branch "master"
- environment name: 'CHANGE_ID', value: ''
- environment name: 'PACKAGE_UPDATED', value: 'false'
- environment name: 'EXIT_STATUS', value: ''
- expression {
- params.PACKAGE_CHECK == 'true'
- }
- }
- steps {
- sh '''#! /bin/bash
- echo "There are no package updates. Cleaning up the image and exiting."
- if [ "${MULTIARCH}" == "true" ] && [ "${PACKAGE_CHECK}" == "false" ]; then
- docker rmi ${IMAGE}:amd64-${META_TAG}
- else
- docker rmi ${IMAGE}:${META_TAG}
- fi'''
- script{
- env.EXIT_STATUS = 'ABORTED'
- }
- }
- }
- /* #######
- Testing
- ####### */
- // Run Container tests
- stage('Test') {
- when {
- environment name: 'CI', value: 'true'
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- withCredentials([
- string(credentialsId: 'ci-tests-s3-key-id', variable: 'S3_KEY'),
- string(credentialsId: 'ci-tests-s3-secret-access-key ', variable: 'S3_SECRET')
- ]) {
- script{
- env.CI_URL = 'https://ci-tests.linuxserver.io/' + env.IMAGE + '/' + env.META_TAG + '/index.html'
- }
- sh '''#! /bin/bash
- set -e
- docker pull ghcr.io/linuxserver/ci:latest
- if [ "${MULTIARCH}" == "true" ]; then
- docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
- docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
- docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
- docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
- fi
- docker run --rm \
- --shm-size=1gb \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -e IMAGE=\"${IMAGE}\" \
- -e DELAY_START=\"${CI_DELAY}\" \
- -e TAGS=\"${CI_TAGS}\" \
- -e META_TAG=\"${META_TAG}\" \
- -e PORT=\"${CI_PORT}\" \
- -e SSL=\"${CI_SSL}\" \
- -e BASE=\"${DIST_IMAGE}\" \
- -e SECRET_KEY=\"${S3_SECRET}\" \
- -e ACCESS_KEY=\"${S3_KEY}\" \
- -e DOCKER_ENV=\"${CI_DOCKERENV}\" \
- -e WEB_SCREENSHOT=\"${CI_WEB}\" \
- -e WEB_AUTH=\"${CI_AUTH}\" \
- -e WEB_PATH=\"${CI_WEBPATH}\" \
- -e DO_REGION="ams3" \
- -e DO_BUCKET="lsio-ci" \
- -t ghcr.io/linuxserver/ci:latest \
- python /ci/ci.py'''
- }
- }
- }
- /* ##################
- Release Logic
- ################## */
- // If this is an amd64 only image only push a single image
- stage('Docker-Push-Single') {
- when {
- environment name: 'MULTIARCH', value: 'false'
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- withCredentials([
- [
- $class: 'UsernamePasswordMultiBinding',
- credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
- usernameVariable: 'DOCKERUSER',
- passwordVariable: 'DOCKERPASS'
- ]
- ]) {
- retry(5) {
- sh '''#! /bin/bash
- set -e
- echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
- echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
- echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
- for PUSHIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${IMAGE}"; do
- docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG}
- docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest
- docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG}
- docker push ${PUSHIMAGE}:latest
- docker push ${PUSHIMAGE}:${META_TAG}
- docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG}
- done
- '''
- }
- sh '''#! /bin/bash
- for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${IMAGE}"; do
- docker rmi \
- ${DELETEIMAGE}:${META_TAG} \
- ${DELETEIMAGE}:${EXT_RELEASE_TAG} \
- ${DELETEIMAGE}:latest || :
- done
- '''
- }
- }
- }
- // If this is a multi arch release push all images and define the manifest
- stage('Docker-Push-Multi') {
- when {
- environment name: 'MULTIARCH', value: 'true'
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- withCredentials([
- [
- $class: 'UsernamePasswordMultiBinding',
- credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
- usernameVariable: 'DOCKERUSER',
- passwordVariable: 'DOCKERPASS'
- ]
- ]) {
- retry(5) {
- sh '''#! /bin/bash
- set -e
- echo $DOCKERPASS | docker login -u $DOCKERUSER --password-stdin
- echo $GITHUB_TOKEN | docker login ghcr.io -u LinuxServer-CI --password-stdin
- echo $GITLAB_TOKEN | docker login registry.gitlab.com -u LinuxServer.io --password-stdin
- if [ "${CI}" == "false" ]; then
- docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER}
- docker pull ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER}
- docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm32v7-${META_TAG}
- docker tag ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} ${IMAGE}:arm64v8-${META_TAG}
- fi
- for MANIFESTIMAGE in "${IMAGE}" "${GITLABIMAGE}" "${GITHUBIMAGE}"; do
- docker tag ${IMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG}
- docker tag ${IMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG}
- docker tag ${IMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
- docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-latest
- docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-latest
- docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-latest
- docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
- docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
- docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
- docker push ${MANIFESTIMAGE}:amd64-${META_TAG}
- docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG}
- docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG}
- docker push ${MANIFESTIMAGE}:amd64-latest
- docker push ${MANIFESTIMAGE}:arm32v7-latest
- docker push ${MANIFESTIMAGE}:arm64v8-latest
- docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG}
- docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG}
- docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
- docker manifest push --purge ${MANIFESTIMAGE}:latest || :
- docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest
- docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm
- docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm64v8-latest --os linux --arch arm64 --variant v8
- docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} || :
- docker manifest create ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG}
- docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm32v7-${META_TAG} --os linux --arch arm
- docker manifest annotate ${MANIFESTIMAGE}:${META_TAG} ${MANIFESTIMAGE}:arm64v8-${META_TAG} --os linux --arch arm64 --variant v8
- docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} || :
- docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG}
- docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm
- docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8
- docker manifest push --purge ${MANIFESTIMAGE}:latest
- docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG}
- docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG}
- done
- '''
- }
- sh '''#! /bin/bash
- for DELETEIMAGE in "${GITHUBIMAGE}" "${GITLABIMAGE}" "${IMAGE}"; do
- docker rmi \
- ${DELETEIMAGE}:amd64-${META_TAG} \
- ${DELETEIMAGE}:amd64-latest \
- ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \
- ${DELETEIMAGE}:arm32v7-${META_TAG} \
- ${DELETEIMAGE}:arm32v7-latest \
- ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \
- ${DELETEIMAGE}:arm64v8-${META_TAG} \
- ${DELETEIMAGE}:arm64v8-latest \
- ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || :
- done
- docker rmi \
- ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \
- ghcr.io/linuxserver/lsiodev-buildcache:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} || :
- '''
- }
- }
- }
- // If this is a public release tag it in the LS Github
- stage('Github-Tag-Push-Release') {
- when {
- branch "master"
- expression {
- env.LS_RELEASE != env.EXT_RELEASE_CLEAN + '-ls' + env.LS_TAG_NUMBER
- }
- environment name: 'CHANGE_ID', value: ''
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- echo "Pushing New tag for current commit ${META_TAG}"
- sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/git/tags \
- -d '{"tag":"'${META_TAG}'",\
- "object": "'${COMMIT_SHA}'",\
- "message": "Tagging Release '${EXT_RELEASE_CLEAN}'-ls'${LS_TAG_NUMBER}' to master",\
- "type": "commit",\
- "tagger": {"name": "LinuxServer Jenkins","email": "jenkins@linuxserver.io","date": "'${GITHUB_DATE}'"}}' '''
- echo "Pushing New release for Tag"
- sh '''#! /bin/bash
- echo "Updating to ${EXT_RELEASE_CLEAN}" > releasebody.json
- echo '{"tag_name":"'${META_TAG}'",\
- "target_commitish": "master",\
- "name": "'${META_TAG}'",\
- "body": "**LinuxServer Changes:**\\n\\n'${LS_RELEASE_NOTES}'\\n\\n**Remote Changes:**\\n\\n' > start
- printf '","draft": false,"prerelease": false}' >> releasebody.json
- paste -d'\\0' start releasebody.json > releasebody.json.done
- curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/releases -d @releasebody.json.done'''
- }
- }
- // Use helper container to sync the current README on master to the dockerhub endpoint
- stage('Sync-README') {
- when {
- environment name: 'CHANGE_ID', value: ''
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- withCredentials([
- [
- $class: 'UsernamePasswordMultiBinding',
- credentialsId: '3f9ba4d5-100d-45b0-a3c4-633fd6061207',
- usernameVariable: 'DOCKERUSER',
- passwordVariable: 'DOCKERPASS'
- ]
- ]) {
- sh '''#! /bin/bash
- set -e
- TEMPDIR=$(mktemp -d)
- docker pull ghcr.io/linuxserver/jenkins-builder:latest
- docker run --rm -e CONTAINER_NAME=${CONTAINER_NAME} -e GITHUB_BRANCH="${BRANCH_NAME}" -v ${TEMPDIR}:/ansible/jenkins ghcr.io/linuxserver/jenkins-builder:latest
- docker pull ghcr.io/linuxserver/readme-sync
- docker run --rm=true \
- -e DOCKERHUB_USERNAME=$DOCKERUSER \
- -e DOCKERHUB_PASSWORD=$DOCKERPASS \
- -e GIT_REPOSITORY=${LS_USER}/${LS_REPO} \
- -e DOCKER_REPOSITORY=${IMAGE} \
- -e GIT_BRANCH=master \
- -v ${TEMPDIR}/docker-${CONTAINER_NAME}:/mnt \
- ghcr.io/linuxserver/readme-sync bash -c 'node sync'
- rm -Rf ${TEMPDIR} '''
- }
- }
- }
- // If this is a Pull request send the CI link as a comment on it
- stage('Pull Request Comment') {
- when {
- not {environment name: 'CHANGE_ID', value: ''}
- environment name: 'CI', value: 'true'
- environment name: 'EXIT_STATUS', value: ''
- }
- steps {
- sh '''curl -H "Authorization: token ${GITHUB_TOKEN}" -X POST https://api.github.com/repos/${LS_USER}/${LS_REPO}/issues/${PULL_REQUEST}/comments \
- -d '{"body": "I am a bot, here are the test results for this PR: \\n'${CI_URL}' \\n'${SHELLCHECK_URL}'"}' '''
- }
- }
- }
- /* ######################
- Send status to Discord
- ###################### */
- post {
- always {
- script{
- if (env.EXIT_STATUS == "ABORTED"){
- sh 'echo "build aborted"'
- }
- else if (currentBuild.currentResult == "SUCCESS"){
- sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 1681177,\
- "description": "**Build:** '${BUILD_NUMBER}'\\n**CI Results:** '${CI_URL}'\\n**ShellCheck Results:** '${SHELLCHECK_URL}'\\n**Status:** Success\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
- "username": "Jenkins"}' ${BUILDS_DISCORD} '''
- }
- else {
- sh ''' curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://wiki.jenkins-ci.org/download/attachments/2916393/headshot.png","embeds": [{"color": 16711680,\
- "description": "**Build:** '${BUILD_NUMBER}'\\n**CI Results:** '${CI_URL}'\\n**ShellCheck Results:** '${SHELLCHECK_URL}'\\n**Status:** failure\\n**Job:** '${RUN_DISPLAY_URL}'\\n**Change:** '${CODE_URL}'\\n**External Release:**: '${RELEASE_LINK}'\\n**DockerHub:** '${DOCKERHUB_LINK}'\\n"}],\
- "username": "Jenkins"}' ${BUILDS_DISCORD} '''
- }
- }
- }
- cleanup {
- cleanWs()
- }
- }
-}
diff --git a/jenkins-vars.yml b/jenkins-vars.yml
deleted file mode 100644
index 1b241b7f..00000000
--- a/jenkins-vars.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-
-# jenkins variables
-project_name: docker-wireguard
-external_type: na
-custom_version_command: "curl -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name"
-release_type: stable
-release_tag: latest
-ls_branch: master
-repo_vars:
- - CONTAINER_NAME = 'wireguard'
- - BUILD_VERSION_ARG = 'WIREGUARD_VERSION'
- - LS_USER = 'linuxserver'
- - LS_REPO = 'docker-wireguard'
- - DOCKERHUB_IMAGE = 'linuxserver/wireguard'
- - DEV_DOCKERHUB_IMAGE = 'lsiodev/wireguard'
- - PR_DOCKERHUB_IMAGE = 'lspipepr/wireguard'
- - DIST_IMAGE = 'ubuntu'
- - MULTIARCH='true'
- - CI='false'
- - CI_WEB='false'
- - CI_PORT='8080'
- - CI_SSL='false'
- - CI_DELAY='120'
- - CI_DOCKERENV='TZ=US/Pacific'
- - CI_AUTH='user:password'
- - CI_WEBPATH=''
-sponsor_links:
- - { name: "WireGuard", url: "https://www.wireguard.com/donations/" }
\ No newline at end of file
diff --git a/package_versions.txt b/package_versions.txt
deleted file mode 100755
index e3ce85c7..00000000
--- a/package_versions.txt
+++ /dev/null
@@ -1,216 +0,0 @@
-adduser3.116ubuntu1
-apt1.6.14
-apt-utils1.6.14
-base-files10.1ubuntu2.10
-base-passwd3.5.44
-bash4.4.18-2ubuntu1.2
-bc1.07.1-2
-binutils2.30-21ubuntu1~18.04.5
-binutils-common2.30-21ubuntu1~18.04.5
-binutils-x86-64-linux-gnu2.30-21ubuntu1~18.04.5
-bsdutils1:2.31.1-0.4ubuntu3.7
-build-essential12.4ubuntu1
-bzip21.0.6-8.1ubuntu0.2
-ca-certificates20210119~18.04.1
-coreutils8.28-1ubuntu1
-cpp4:7.4.0-1ubuntu2.3
-cpp-77.5.0-3ubuntu1~18.04
-curl7.58.0-2ubuntu3.14
-dash0.5.8-2.10
-debconf1.5.66ubuntu1
-debianutils4.8.4
-diffutils1:3.6-1
-dirmngr2.2.4-1ubuntu1.4
-dkms2.3-3ubuntu9.7
-dpkg1.19.0.5ubuntu2.3
-dpkg-dev1.19.0.5ubuntu2.3
-e2fsprogs1.44.1-1ubuntu1.3
-fdisk2.31.1-0.4ubuntu3.7
-findutils4.6.0+git+20170828-2
-g++4:7.4.0-1ubuntu2.3
-g++-77.5.0-3ubuntu1~18.04
-gcc4:7.4.0-1ubuntu2.3
-gcc-77.5.0-3ubuntu1~18.04
-gcc-7-base7.5.0-3ubuntu1~18.04
-gcc-8-base8.4.0-1ubuntu1~18.04
-git1:2.17.1-1ubuntu0.8
-git-man1:2.17.1-1ubuntu0.8
-gnupg2.2.4-1ubuntu1.4
-gnupg-l10n2.2.4-1ubuntu1.4
-gnupg-utils2.2.4-1ubuntu1.4
-gpg2.2.4-1ubuntu1.4
-gpg-agent2.2.4-1ubuntu1.4
-gpgconf2.2.4-1ubuntu1.4
-gpgsm2.2.4-1ubuntu1.4
-gpgv2.2.4-1ubuntu1.4
-gpg-wks-client2.2.4-1ubuntu1.4
-gpg-wks-server2.2.4-1ubuntu1.4
-grep3.1-2build1
-gzip1.6-5ubuntu1.1
-hostname3.20
-ifupdown0.8.17ubuntu1.1
-init-system-helpers1.51
-iproute24.15.0-2ubuntu1.3
-iptables1.6.1-2ubuntu2
-iputils-ping3:20161105-1ubuntu3
-jq1.5+dfsg-2
-kmod24-1ubuntu3.5
-krb5-locales1.16-2ubuntu0.2
-libacl12.2.52-3build1
-libapt-inst2.01.6.14
-libapt-pkg5.01.6.14
-libasan47.5.0-3ubuntu1~18.04
-libasn1-8-heimdal7.5.0+dfsg-1
-libassuan02.5.1-2
-libatomic18.4.0-1ubuntu1~18.04
-libattr11:2.4.47-2build1
-libaudit11:2.8.2-1ubuntu1.1
-libaudit-common1:2.8.2-1ubuntu1.1
-libbinutils2.30-21ubuntu1~18.04.5
-libblkid12.31.1-0.4ubuntu3.7
-libbz2-1.01.0.6-8.1ubuntu0.2
-libc62.27-3ubuntu1.4
-libc6-dev2.27-3ubuntu1.4
-libcap21:2.25-1.2
-libcap-ng00.7.7-3.1
-libc-bin2.27-3ubuntu1.4
-libcc1-08.4.0-1ubuntu1~18.04
-libc-dev-bin2.27-3ubuntu1.4
-libcilkrts57.5.0-3ubuntu1~18.04
-libcom-err21.44.1-1ubuntu1.3
-libcurl3-gnutls7.58.0-2ubuntu3.14
-libcurl47.58.0-2ubuntu3.14
-libdb5.35.3.28-13.1ubuntu1.1
-libdebconfclient00.213ubuntu1
-libdpkg-perl1.19.0.5ubuntu2.3
-libelf10.170-0.4ubuntu0.1
-libelf-dev0.170-0.4ubuntu0.1
-liberror-perl0.17025-1
-libexpat12.2.5-3ubuntu0.2
-libext2fs21.44.1-1ubuntu1.3
-libfdisk12.31.1-0.4ubuntu3.7
-libffi63.2.1-8
-libgcc11:8.4.0-1ubuntu1~18.04
-libgcc-7-dev7.5.0-3ubuntu1~18.04
-libgcrypt201.8.1-4ubuntu1.2
-libgdbm51.14.1-6
-libgdbm-compat41.14.1-6
-libglib2.0-02.56.4-0ubuntu0.18.04.8
-libgmp102:6.1.2+dfsg-2
-libgnutls303.5.18-1ubuntu1.4
-libgomp18.4.0-1ubuntu1~18.04
-libgpg-error01.27-6
-libgssapi3-heimdal7.5.0+dfsg-1
-libgssapi-krb5-21.16-2ubuntu0.2
-libhcrypto4-heimdal7.5.0+dfsg-1
-libheimbase1-heimdal7.5.0+dfsg-1
-libheimntlm0-heimdal7.5.0+dfsg-1
-libhogweed43.4.1-0ubuntu0.18.04.1
-libhx509-5-heimdal7.5.0+dfsg-1
-libidn111.33-2.1ubuntu1.2
-libidn2-02.0.4-1.1ubuntu0.2
-libip4tc01.6.1-2ubuntu2
-libip6tc01.6.1-2ubuntu2
-libiptc01.6.1-2ubuntu2
-libisl190.19-1
-libitm18.4.0-1ubuntu1~18.04
-libjq11.5+dfsg-2
-libk5crypto31.16-2ubuntu0.2
-libkeyutils11.5.9-9.2ubuntu2
-libkmod224-1ubuntu3.5
-libkrb5-26-heimdal7.5.0+dfsg-1
-libkrb5-31.16-2ubuntu0.2
-libkrb5support01.16-2ubuntu0.2
-libksba81.3.5-2
-libldap-2.4-22.4.45+dfsg-1ubuntu1.10
-libldap-common2.4.45+dfsg-1ubuntu1.10
-liblsan08.4.0-1ubuntu1~18.04
-liblz4-10.0~r131-2ubuntu3.1
-liblzma55.2.2-1.3
-libmnl01.0.4-2
-libmount12.31.1-0.4ubuntu3.7
-libmpc31.1.0-1
-libmpfr64.0.1-1
-libmpx28.4.0-1ubuntu1~18.04
-libncurses56.1-1ubuntu1.18.04
-libncursesw56.1-1ubuntu1.18.04
-libnetfilter-conntrack31.0.6-2
-libnettle63.4.1-0ubuntu0.18.04.1
-libnfnetlink01.0.1-3
-libnghttp2-141.30.0-1ubuntu1
-libnpth01.5-3
-libonig46.7.0-1
-libp11-kit00.23.9-2ubuntu0.1
-libpam0g1.1.8-3.6ubuntu2.18.04.3
-libpam-modules1.1.8-3.6ubuntu2.18.04.3
-libpam-modules-bin1.1.8-3.6ubuntu2.18.04.3
-libpam-runtime1.1.8-3.6ubuntu2.18.04.3
-libpcre32:8.39-9
-libperl5.265.26.1-6ubuntu0.5
-libpng16-161.6.34-1ubuntu0.18.04.2
-libprocps62:3.3.12-3ubuntu1.2
-libpsl50.19.1-5build1
-libqrencode33.4.4-1build1
-libquadmath08.4.0-1ubuntu1~18.04
-libreadline77.0-3
-libroken18-heimdal7.5.0+dfsg-1
-librtmp12.4+20151223.gitfa8646d.1-1
-libsasl2-22.1.27~101-g0780600+dfsg-3ubuntu2.3
-libsasl2-modules2.1.27~101-g0780600+dfsg-3ubuntu2.3
-libsasl2-modules-db2.1.27~101-g0780600+dfsg-3ubuntu2.3
-libseccomp22.5.1-1ubuntu1~18.04.1
-libselinux12.7-2build2
-libsemanage12.7-2build2
-libsemanage-common2.7-2build2
-libsepol12.7-1
-libsmartcols12.31.1-0.4ubuntu3.7
-libsqlite3-03.22.0-1ubuntu0.4
-libss21.44.1-1ubuntu1.3
-libssl1.11.1.1-1ubuntu2.1~18.04.13
-libstdc++68.4.0-1ubuntu1~18.04
-libstdc++-7-dev7.5.0-3ubuntu1~18.04
-libsystemd0237-3ubuntu10.51
-libtasn1-64.13-2
-libtinfo56.1-1ubuntu1.18.04
-libtsan08.4.0-1ubuntu1~18.04
-libubsan07.5.0-3ubuntu1~18.04
-libudev1237-3ubuntu10.51
-libunistring20.9.9-0ubuntu2
-libuuid12.31.1-0.4ubuntu3.7
-libwind0-heimdal7.5.0+dfsg-1
-libxtables121.6.1-2ubuntu2
-libzstd11.3.3+dfsg-2ubuntu1.2
-linux-libc-dev4.15.0-154.161
-locales2.27-3ubuntu1.4
-login1:4.5-1ubuntu2
-lsb-base9.20170808ubuntu1
-make4.1-9.1ubuntu1
-mawk1.3.3-17ubuntu3
-mount2.31.1-0.4ubuntu3.7
-multiarch-support2.27-3ubuntu1.4
-ncurses-base6.1-1ubuntu1.18.04
-ncurses-bin6.1-1ubuntu1.18.04
-net-tools1.60+git20161116.90da8a0-1ubuntu1
-openresolv3.8.0-1
-openssl1.1.1-1ubuntu2.1~18.04.13
-passwd1:4.5-1ubuntu2
-patch2.7.6-2ubuntu1.1
-perl5.26.1-6ubuntu0.5
-perl-base5.26.1-6ubuntu0.5
-perl-modules-5.265.26.1-6ubuntu0.5
-pinentry-curses1.1.0-1
-pkg-config0.29.1-0ubuntu2
-procps2:3.3.12-3ubuntu1.2
-publicsuffix20180223.1310-1
-qrencode3.4.4-1build1
-readline-common7.0-3
-sed4.4-2
-sensible-utils0.0.12
-sysvinit-utils2.88dsf-59.10ubuntu1
-tar1.29b-2ubuntu0.2
-tzdata2021a-0ubuntu0.18.04
-ubuntu-keyring2018.09.18.1~18.04.2
-util-linux2.31.1-0.4ubuntu3.7
-xz-utils5.2.2-1.3
-zlib1g1:1.2.11.dfsg-0ubuntu2
-zlib1g-dev1:1.2.11.dfsg-0ubuntu2
diff --git a/readme-vars.yml b/readme-vars.yml
deleted file mode 100644
index fb5fa2fb..00000000
--- a/readme-vars.yml
+++ /dev/null
@@ -1,123 +0,0 @@
----
-
-# project information
-project_name: wireguard
-project_url: "https://www.wireguard.com/"
-project_logo: "https://www.wireguard.com/img/wireguard.svg"
-project_blurb: "[WireGuard®]({{ project_url }}) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry."
-project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
-
-# supported architectures
-available_architectures:
- - { arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
- - { arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
- - { arch: "{{ arch_armhf }}", tag: "arm32v7-latest"}
-
-# development version
-development_versions: false
-development_versions_items:
- - { tag: "latest", desc: "Stable releases" }
- - { tag: "development", desc: "Prereleases from their GitHub" }
-
-# container parameters
-common_param_env_vars_enabled: true
-param_container_name: "{{ project_name }}"
-param_usage_include_vols: true
-param_volumes:
- - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." }
- - { vol_path: "/lib/modules", vol_host_path: "/lib/modules", desc: "Maps host's modules folder." }
-param_usage_include_ports: true
-param_ports:
- - { external_port: "51820", internal_port: "51820/udp", port_desc: "wireguard port" }
-param_usage_include_env: true
-param_env_vars:
- - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London"}
-cap_add_param: true
-cap_add_param_vars:
- - { cap_add_var: "NET_ADMIN" }
- - { cap_add_var: "SYS_MODULE" }
-custom_params:
- - { name: "sysctl", name_compose: "sysctls", value: ["net.ipv4.conf.all.src_valid_mark=1"], desc: "Required for client mode.", array: "true" }
-
-# optional container parameters
-opt_param_usage_include_env: true
-opt_param_env_vars:
- - { env_var: "SERVERURL", env_value: "wireguard.domain.com", desc: "External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically"}
- - { env_var: "SERVERPORT", env_value: "51820", desc: "External port for docker host. Used in server mode."}
- - { env_var: "PEERS", env_value: "1", desc: "Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet..."}
- - { env_var: "PEERDNS", env_value: "auto", desc: "DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward."}
- - { env_var: "INTERNAL_SUBNET", env_value: "10.13.13.0", desc: "Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode."}
- - { env_var: "ALLOWEDIPS", env_value: "0.0.0.0/0", desc: "The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1."}
-
-optional_block_1: false
-optional_block_1_items: ""
-
-# application setup block
-app_setup_block_enabled: true
-app_setup_block: |
- This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
-
- If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
-
- With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
-
- This can be run as a server or a client, based on the parameters used.
-
- ## Server Mode
- If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
-
- Variables `SERVERURL`, `SERVERPORT`, `INTERNAL_SUBNET` and `PEERDNS` are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
-
- To add more peers/clients later on, you increment the `PEERS` environment variable or add more elements to the list and recreate the container.
-
- To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: `docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (Keep in mind that the QR codes are also stored as PNGs in the config folder).
-
- The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
-
- ## Client Mode
- Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
-
- If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
-
- ## Road warriors, roaming and returning home
- If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
-
- This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
-
- Both of these approaches have positives and negatives however their setup is out of scope for this document as everyone's network layout and equipment will be different.
-
- ## Maintaining local access to attached services
-
- ** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.
-
- When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
-
- ```
- [Interface]
- PrivateKey =
- Address = 9.8.7.6/32
- DNS = 8.8.8.8
- PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
- PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
- ```
-
-# changelog
-changelogs:
- - { date: "11.02.21:", desc: "Fix bug related to changing internal subnet and named peer confs not updating." }
- - { date: "06.10.20:", desc: "Disable CoreDNS in client mode, or if port 53 is already in use in server mode." }
- - { date: "04.10.20:", desc: "Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart" }
- - { date: "27.09.20:", desc: "Cleaning service binding example to have accurate PreDown script." }
- - { date: "06.08.20:", desc: "Replace resolvconf with openresolv due to dns issues when a client based on this image is connected to a server also based on this image. Add IPv6 info to readme. Display kernel version in logs." }
- - { date: "29.07.20:", desc: "Update Coredns config to detect dns loops (existing users need to delete `/config/coredns/Corefile` and restart)." }
- - { date: "27.07.20:", desc: "Update Coredns config to prevent issues with non-user-defined bridge networks (existing users need to delete `/config/coredns/Corefile` and restart)." }
- - { date: "05.07.20:", desc: "Add Debian updates and security repos for headers." }
- - { date: "25.06.20:", desc: "Simplify module tests, prevent iptables issues from resulting in false negatives." }
- - { date: "19.06.20:", desc: "Add support for Ubuntu Focal (20.04) kernels. Compile wireguard tools and kernel module instead of using the ubuntu packages. Make module install optional. Improve verbosity in logs." }
- - { date: "29.05.20:", desc: "Add support for 64bit raspbian." }
- - { date: "28.04.20:", desc: "Add Buster/Stretch backports repos for Debian. Tested with OMV 5 and OMV 4 (on kernel 4.19.0-0.bpo.8-amd64)." }
- - { date: "20.04.20:", desc: "Fix typo in client mode conf existence check." }
- - { date: "13.04.20:", desc: "Fix bug that forced conf recreation on every start." }
- - { date: "08.04.20:", desc: "Add arm32/64 builds and enable multi-arch (rpi4 with ubuntu and raspbian buster tested). Add CoreDNS for `PEERDNS=auto` setting. Update the `add-peer`/`show-peer` scripts to utilize the templates and the `INTERNAL_SUBNET` var (previously missed, oops)." }
- - { date: "05.04.20:", desc: "Add `INTERNAL_SUBNET` variable to prevent subnet clashes. Add templates for server and peer confs." }
- - { date: "01.04.20:", desc: "Add `show-peer` script and include info on host installed headers." }
- - { date: "31.03.20:", desc: "Initial Release." }
diff --git a/root/app/add-peer b/root/app/add-peer
deleted file mode 100755
index f7b069a5..00000000
--- a/root/app/add-peer
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-echo "******* This script has been deprecated and will be removed in a future version. In order to add peers, change the PEERS env var and recreate your container. Existing peers will still use the same private and public keys. *******"
-
-if [ ! -f /config/wg0.conf ] || [ -z "$PEERS" ]; then
- echo "Wireguard is not set up in server mode"
- exit 0
-fi
-
-INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
-INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
-if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
- SERVERURL=$(curl icanhazip.com)
-fi
-SERVERPORT=${SERVERPORT:-51820}
-if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
- PEERDNS="${INTERFACE}.1"
-fi
-
-for i in {1..254}; do
- if grep -q "AllowedIPs = ${INTERFACE}.$(( $i + 1 ))/32" /config/wg0.conf; then
- echo "Peer $i exists"
- else
- echo "Adding new Peer $i"
- mkdir -p /config/peer${i}
- if [ ! -f /config/peer${i}/privatekey-peer${i} ]; then
- umask 077
- wg genkey | tee /config/peer${i}/privatekey-peer${i} | wg pubkey > /config/peer${i}/publickey-peer${i}
- fi
- eval "`printf %s`
- cat < /config/peer${i}/peer${i}.conf
-`cat /config/templates/peer.conf`
-DUDE"
- cat <> /config/wg0.conf
-[Peer]
-PublicKey = $(cat /config/peer${i}/publickey-peer${i})
-AllowedIPs = ${INTERFACE}.$(( $i + 1 ))/32
-
-DUDE
- echo "PEER ${i} QR code:"
- qrencode -t ansiutf8 < /config/peer${i}/peer${i}.conf
- qrencode -o /config/peer${i}/peer${i}.png < /config/peer${i}/peer${i}.conf
- chown -R abc:abc /config/peer${i}
- s6-svc -t /var/run/s6/services/wireguard
- break
- fi
-done
diff --git a/root/app/show-peer b/root/app/show-peer
deleted file mode 100755
index a4523f9e..00000000
--- a/root/app/show-peer
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-if [ ! $# -gt 0 ]; then
- echo "You need to specify which peers to show"
- exit 0
-fi
-
-for i in "$@"; do
- if [[ "${i}" =~ ^[0-9]+$ ]]; then
- PEER_ID="peer${i}"
- else
- PEER_ID="peer_${i//[^[:alnum:]_-]/}"
- fi
-
- if grep -q "# ${PEER_ID}" /config/wg0.conf; then
- echo "PEER ${i} QR code:"
- qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
- else
- echo "PEER ${i} is not active"
- fi
-done
\ No newline at end of file
diff --git a/root/defaults/server.conf b/root/defaults/server.conf
deleted file mode 100644
index 9255d385..00000000
--- a/root/defaults/server.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[Interface]
-Address = ${INTERFACE}.1
-ListenPort = 51820
-PrivateKey = $(cat /config/server/privatekey-server)
-PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
diff --git a/root/donate.txt b/root/donate.txt
deleted file mode 100644
index a3160324..00000000
--- a/root/donate.txt
+++ /dev/null
@@ -1 +0,0 @@
-WireGuard: https://www.wireguard.com/donations/
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
index 7bf238c2..a3b79466 100644
--- a/root/etc/cont-init.d/30-config
+++ b/root/etc/cont-init.d/30-config
@@ -161,127 +161,12 @@ ln -s /config/wg0.conf /etc/wireguard/wg0.conf
[[ ! -f /config/templates/peer.conf ]] && \
cp /defaults/peer.conf /config/templates/peer.conf
-generate_confs () {
- mkdir -p /config/server
- if [ ! -f /config/server/privatekey-server ]; then
- umask 077
- wg genkey | tee /config/server/privatekey-server | wg pubkey > /config/server/publickey-server
- fi
- eval "`printf %s`
- cat < /config/wg0.conf
-`cat /config/templates/server.conf`
-
-DUDE"
- for i in ${PEERS_ARRAY[@]}; do
- if [[ "${i}" =~ ^[0-9]+$ ]]; then
- PEER_ID="peer${i}"
- else
- PEER_ID="peer_${i//[^[:alnum:]_-]/}"
- fi
- mkdir -p /config/${PEER_ID}
- if [ ! -f "/config/${PEER_ID}/privatekey-${PEER_ID}" ]; then
- umask 077
- wg genkey | tee /config/${PEER_ID}/privatekey-${PEER_ID} | wg pubkey > /config/${PEER_ID}/publickey-${PEER_ID}
- fi
- if [ -f "/config/${PEER_ID}/${PEER_ID}.conf" ]; then
- CLIENT_IP=$(cat /config/${PEER_ID}/${PEER_ID}.conf | grep "Address" | awk '{print $NF}')
- if [ -n "${ORIG_INTERFACE}" ] && [ "${INTERFACE}" != "${ORIG_INTERFACE}" ]; then
- CLIENT_IP=$(echo "${CLIENT_IP}" | sed "s|${ORIG_INTERFACE}|${INTERFACE}|")
- fi
- else
- for idx in {2..254}; do
- PROPOSED_IP="${INTERFACE}.${idx}"
- if ! grep -q -R "${PROPOSED_IP}" /config/peer*/*.conf && ([ -z "${ORIG_INTERFACE}" ] || ! grep -q -R "${ORIG_INTERFACE}.${idx}" /config/peer*/*.conf); then
- CLIENT_IP="${PROPOSED_IP}"
- break
- fi
- done
- fi
- eval "`printf %s`
- cat < /config/${PEER_ID}/${PEER_ID}.conf
-`cat /config/templates/peer.conf`
-DUDE"
- cat <> /config/wg0.conf
-[Peer]
-# ${PEER_ID}
-PublicKey = $(cat /config/${PEER_ID}/publickey-${PEER_ID})
-AllowedIPs = ${CLIENT_IP}/32
-
-DUDE
- echo "PEER ${i} QR code:"
- qrencode -t ansiutf8 < /config/${PEER_ID}/${PEER_ID}.conf
- qrencode -o /config/${PEER_ID}/${PEER_ID}.png < /config/${PEER_ID}/${PEER_ID}.conf
- done
-}
-
-save_vars () {
- cat < /config/.donoteditthisfile
-ORIG_SERVERURL="$SERVERURL"
-ORIG_SERVERPORT="$SERVERPORT"
-ORIG_PEERDNS="$PEERDNS"
-ORIG_PEERS="$PEERS"
-ORIG_INTERFACE="$INTERFACE"
-ORIG_ALLOWEDIPS="$ALLOWEDIPS"
-DUDE
-}
-
-if [ -n "$PEERS" ]; then
- echo "**** Server mode is selected ****"
- if [[ "$PEERS" =~ ^[0-9]+$ ]] && ! [[ "$PEERS" =~ *,* ]]; then
- PEERS_ARRAY=($(seq 1 $PEERS))
- else
- PEERS_ARRAY=($(echo "$PEERS" | tr ',' ' '))
- fi
- PEERS_COUNT=$(echo "${#PEERS_ARRAY[@]}")
- if [ -z "$SERVERURL" ] || [ "$SERVERURL" = "auto" ]; then
- SERVERURL=$(curl -s icanhazip.com)
- echo "**** SERVERURL var is either not set or is set to \"auto\", setting external IP to auto detected value of $SERVERURL ****"
- else
- echo "**** External server address is set to $SERVERURL ****"
- fi
- SERVERPORT=${SERVERPORT:-51820}
- echo "**** External server port is set to ${SERVERPORT}. Make sure that port is properly forwarded to port 51820 inside this container ****"
- INTERNAL_SUBNET=${INTERNAL_SUBNET:-10.13.13.0}
- echo "**** Internal subnet is set to $INTERNAL_SUBNET ****"
- INTERFACE=$(echo "$INTERNAL_SUBNET" | awk 'BEGIN{FS=OFS="."} NF--')
- ALLOWEDIPS=${ALLOWEDIPS:-0.0.0.0/0, ::/0}
- echo "**** AllowedIPs for peers $ALLOWEDIPS ****"
- if [ -z "$PEERDNS" ] || [ "$PEERDNS" = "auto" ]; then
- PEERDNS="${INTERFACE}.1"
- echo "**** PEERDNS var is either not set or is set to \"auto\", setting peer DNS to ${INTERFACE}.1 to use wireguard docker host's DNS. ****"
- else
- echo "**** Peer DNS servers will be set to $PEERDNS ****"
- fi
- if [ ! -f /config/wg0.conf ]; then
- echo "**** No wg0.conf found (maybe an initial install), generating 1 server and ${PEERS} peer/client confs ****"
- generate_confs
- save_vars
- else
- echo "**** Server mode is selected ****"
- [[ -f /config/.donoteditthisfile ]] && \
- . /config/.donoteditthisfile
- if [ "$SERVERURL" != "$ORIG_SERVERURL" ] || [ "$SERVERPORT" != "$ORIG_SERVERPORT" ] || [ "$PEERDNS" != "$ORIG_PEERDNS" ] || [ "$PEERS" != "$ORIG_PEERS" ] || [ "$INTERFACE" != "$ORIG_INTERFACE" ] || [ "$ALLOWEDIPS" != "$ORIG_ALLOWEDIPS" ]; then
- echo "**** Server related environment variables changed, regenerating 1 server and ${PEERS} peer/client confs ****"
- generate_confs
- save_vars
- else
- echo "**** No changes to parameters. Existing configs are used. ****"
- fi
- fi
-else
- echo "**** Client mode selected. ****"
- if [ ! -f /config/wg0.conf ]; then
- echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
- sleep infinity
- fi
- echo "**** Disabling CoreDNS ****"
- rm -rf /etc/services.d/coredns
+echo "**** Client mode selected. ****"
+if [ ! -f /config/wg0.conf ]; then
+ echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
+ sleep infinity
fi
-# set up CoreDNS
-[[ ! -f /config/coredns/Corefile ]] && \
- cp /defaults/Corefile /config/coredns/Corefile
-
# permissions
chown -R abc:abc \
/config
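Review bot: `sleep infinity` in the missing-conf branch blocks this cont-init script forever, so s6 never finishes stage 2 and the container sits in an initialising state instead of failing; that behaviour is inherited from the removed else-branch, but it is now the only path, so it deserves a comment such as `# Intentionally block here: without /config/wg0.conf there is nothing to start; keep the container up so the message above stays visible`, or an `exit 1` if a visible failed start is preferred. The head of the script is outside this hunk; the `mkdir -p /config/{templates,coredns}` there appears to create a coredns directory nothing in the new code uses now that the Corefile copy is gone.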
diff --git a/root/etc/services.d/coredns/run b/root/etc/services.d/coredns/run
deleted file mode 100644
index 5448654b..00000000
--- a/root/etc/services.d/coredns/run
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-cd /config/coredns
-
-if netstat -apn | grep -q ":53 "; then
- echo "Another service is using port 53, disabling CoreDNS"
- sleep infinity
-else
- exec \
- /app/coredns -dns.port=53
-fi
\ No newline at end of file
From cb98df7708f8d7950f9438e446b50d0419acdbdc Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 9 Sep 2021 13:08:09 -0500
Subject: [PATCH 02/84] add firewall
---
Dockerfile | 15 +--------
root/defaults/Corefile | 4 ---
root/defaults/peer.conf | 10 ------
root/etc/cont-init.d/10-firewall | 51 +++++++++++++++++++++++++++++++
root/etc/cont-init.d/10-firewall6 | 51 +++++++++++++++++++++++++++++++
root/etc/cont-init.d/30-config | 6 ++--
6 files changed, 105 insertions(+), 32 deletions(-)
delete mode 100644 root/defaults/Corefile
delete mode 100644 root/defaults/peer.conf
create mode 100644 root/etc/cont-init.d/10-firewall
create mode 100644 root/etc/cont-init.d/10-firewall6
diff --git a/Dockerfile b/Dockerfile
index c0ee38c9..8a9a281b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,8 +29,7 @@ RUN \
net-tools \
openresolv \
perl \
- pkg-config \
- qrencode && \
+ pkg-config && \
echo "**** install wireguard-tools ****" && \
if [ -z ${WIREGUARD_RELEASE+x} ]; then \
WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
@@ -43,15 +42,6 @@ RUN \
git checkout "${WIREGUARD_RELEASE}" && \
make -C src -j$(nproc) && \
make -C src install && \
- echo "**** install CoreDNS ****" && \
- COREDNS_VERSION=$(curl -sX GET "https://api.github.com/repos/coredns/coredns/releases/latest" \
- | awk '/tag_name/{print $4;exit}' FS='[""]' | awk '{print substr($1,2); }') && \
- curl -o \
- /tmp/coredns.tar.gz -L \
- "https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_amd64.tgz" && \
- tar xf \
- /tmp/coredns.tar.gz -C \
- /app && \
echo "**** clean up ****" && \
rm -rf \
/tmp/* \
@@ -60,6 +50,3 @@ RUN \
# add local files
COPY /root /
-
-# ports and volumes
-EXPOSE 51820/udp
diff --git a/root/defaults/Corefile b/root/defaults/Corefile
deleted file mode 100644
index c8e2152f..00000000
--- a/root/defaults/Corefile
+++ /dev/null
@@ -1,4 +0,0 @@
-. {
- loop
- forward . /etc/resolv.conf
-}
\ No newline at end of file
diff --git a/root/defaults/peer.conf b/root/defaults/peer.conf
deleted file mode 100644
index 205a1bdb..00000000
--- a/root/defaults/peer.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-[Interface]
-Address = ${CLIENT_IP}
-PrivateKey = $(cat /config/${PEER_ID}/privatekey-${PEER_ID})
-ListenPort = 51820
-DNS = ${PEERDNS}
-
-[Peer]
-PublicKey = $(cat /config/server/publickey-server)
-Endpoint = ${SERVERURL}:${SERVERPORT}
-AllowedIPs = ${ALLOWEDIPS}
\ No newline at end of file
diff --git a/root/etc/cont-init.d/10-firewall b/root/etc/cont-init.d/10-firewall
new file mode 100644
index 00000000..0aa9cbe1
--- /dev/null
+++ b/root/etc/cont-init.d/10-firewall
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
+ while read interface
+ do
+ network="$(ip -o addr show dev "$interface" | awk '$3 == "inet" {print $4}')"
+ if [ -z "$result" ]; then
+ result=$network
+ else
+ result=$result,$network
+ fi
+ done
+ echo $result
+))
+if [ -z "$docker_networks" ]; then
+ >&2 echo "No inet network"
+ exit
+fi
+
+iptables -F
+iptables -X
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -s "${docker_networks}" -j ACCEPT
+
+iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
+iptables -A OUTPUT -o wg+ -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --dport "${WIREGUARD_PORT:-51820}" -j ACCEPT
+
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -i lo -j ACCEPT
+iptables -A FORWARD -d "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -s "${docker_networks}" -j ACCEPT
+
+iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
+
+if [ -n "$NET_LOCAL" ]; then
+ docker_network_gw="$(ip route | awk '/default/{print $3}')"
+ for net in ${NET_LOCAL//[;,]/ }; do
+ iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ ip route add "$net" via "$docker_network_gw" dev eth0
+ done
+fi
\ No newline at end of file
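Review bot: When no inet interface is found the script prints a message and `exit`s with status 0 before any policy has been set, so the container comes up with no firewall at all — the kill switch fails open; installing the three `-P … DROP` policies before the interface discovery and exiting non-zero keeps that failure closed. The file is `#!/bin/sh`, but `${NET_LOCAL//[;,]/ }` on the NET_LOCAL line is a bash pattern substitution that a POSIX sh (dash on a Debian/Ubuntu base) rejects with "Bad substitution", so the NET_LOCAL block cannot run as written; 10-firewall6 has both problems with NET6_LOCAL. The inet awk filter also lacks the `exit` its inet6 counterpart has, so an interface with several IPv4 addresses yields a whitespace-separated list that the quoted `-s`/`-d` arguments hand to iptables as one malformed address.
```bash
#!/bin/bash

# Default-deny first: if interface discovery below fails, the
# container stays closed instead of running with no firewall.
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
  while read -r interface; do
    network="$(ip -o addr show dev "$interface" | awk '$3 == "inet" {print $4; exit}')"
    # … unchanged: comma-join into $result …
  done
  echo "$result"
))
if [ -z "$docker_networks" ]; then
  >&2 echo "No inet network"
  exit 1
fi

# … unchanged: ACCEPT rules, MASQUERADE, NET_LOCAL block …
```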
diff --git a/root/etc/cont-init.d/10-firewall6 b/root/etc/cont-init.d/10-firewall6
new file mode 100644
index 00000000..ab088cd4
--- /dev/null
+++ b/root/etc/cont-init.d/10-firewall6
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
+ while read interface
+ do
+ network="$(ip -o addr show dev "$interface" | awk '$3 == "inet6" {print $4; exit}')"
+ if [ -z "$result" ]; then
+ result=$network
+ else
+ result=$result,$network
+ fi
+ done
+ echo $result
+))
+if [ -z "$docker_networks" ]; then
+ >&2 echo "No inet6 network"
+ exit
+fi
+
+ip6tables -F
+ip6tables -X
+ip6tables -P INPUT DROP
+ip6tables -P FORWARD DROP
+ip6tables -P OUTPUT DROP
+
+ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A INPUT -i lo -j ACCEPT
+ip6tables -A INPUT -s "${docker_networks}" -j ACCEPT
+
+ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A OUTPUT -o lo -j ACCEPT
+ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
+ip6tables -A OUTPUT -o wg+ -j ACCEPT
+ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -p udp -m udp --dport "${WIREGUARD_PORT:-51820}" -j ACCEPT
+
+ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A FORWARD -i lo -j ACCEPT
+ip6tables -A FORWARD -d "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -s "${docker_networks}" -j ACCEPT
+
+ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
+
+if [ -n "$NET6_LOCAL" ]; then
+ docker_network_gw="$(ip -6 route | awk '/default/{print $3}')"
+ for net in ${NET6_LOCAL//[;,]/ }; do
+ ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ ip route add "$net" via "$docker_network_gw" dev eth0
+ done
+fi
\ No newline at end of file
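Review bot: The inet6 filter takes the first address of each interface (`{print $4; exit}`), and depending on how the container's IPv6 was assigned `ip -o addr show` may list the link-local `fe80::/64` entry first or as the only entry, in which case `docker_networks` becomes the link-local prefix and the `-s`/`-d` ACCEPT rules never match the Docker subnet — worth confirming on an IPv6-enabled host, or skip link-local entries with `$3 == "inet6" && $4 !~ /^fe80:/`. The NET6_LOCAL loop reads the gateway with `ip -6 route` but adds with `ip route add`; `ip` infers the family from the prefix so it works, but `ip -6 route add` would make the intent explicit.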
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
index a3b79466..602b0658 100644
--- a/root/etc/cont-init.d/30-config
+++ b/root/etc/cont-init.d/30-config
@@ -107,7 +107,7 @@ DUDE
fi
if [ "$SKIP_COMPILE" != "true" ]; then
- if [ -e /lib/modules/$(uname -r)/build ]; then
+ if [ -e /lib/modules/$(uname -r)/build ]; then
echo "**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****"
if [ ! -f /lib/modules/$(uname -r)/build/certs/signing_key.pem ]; then
mkdir -p /lib/modules/$(uname -r)/build/certs
@@ -155,9 +155,7 @@ fi
rm -rf /etc/wireguard
mkdir -p /etc/wireguard
ln -s /config/wg0.conf /etc/wireguard/wg0.conf
-# prepare templates
-[[ ! -f /config/templates/server.conf ]] && \
- cp /defaults/server.conf /config/templates/server.conf
+
[[ ! -f /config/templates/peer.conf ]] && \
cp /defaults/peer.conf /config/templates/peer.conf
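Review bot: The surviving context lines still run `cp /defaults/peer.conf /config/templates/peer.conf` when the template is absent, but this same commit deletes `root/defaults/peer.conf`, so on a fresh `/config` every start logs a failed `cp`; nothing reads the template any more since `generate_confs` was removed in the previous commit. Drop these two lines rather than leaving a blank line where the server.conf copy was, and the `mkdir -p /config/{templates,coredns}` near the top of the script (outside this hunk) can go with them.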
From c80ef590fdff9e0b0300fc08274a5c8299f3d4f3 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 9 Sep 2021 13:16:05 -0500
Subject: [PATCH 03/84] update readme
---
README.md | 69 +------------------------------------------------------
1 file changed, 1 insertion(+), 68 deletions(-)
diff --git a/README.md b/README.md
index d35bbf2e..bd533d3d 100644
--- a/README.md
+++ b/README.md
@@ -1,33 +1,4 @@
-
-
-
-[](https://linuxserver.io)
-
-[](https://blog.linuxserver.io "all the things you can do with our containers including How-To guides, opinions and much more!")
-[](https://discord.gg/YWrKVTn "realtime support / chat with the community and the team.")
-[](https://discourse.linuxserver.io "post on our community forum.")
-[](https://fleet.linuxserver.io "an online web interface which displays all of our maintained images.")
-[](https://github.com/linuxserver "view the source for all of our repositories.")
-[](https://opencollective.com/linuxserver "please consider helping us by either donating or contributing to our budget")
-
-The [LinuxServer.io](https://linuxserver.io) team brings you another container release featuring:
-
-* regular and timely application updates
-* easy user mappings (PGID, PUID)
-* custom base image with s6 overlay
-* weekly base OS updates with common layers across the entire LinuxServer.io ecosystem to minimise space usage, down time and bandwidth
-* regular security updates
-
-Find us at:
-
-* [Blog](https://blog.linuxserver.io) - all the things you can do with our containers including How-To guides, opinions and much more!
-* [Discord](https://discord.gg/YWrKVTn) - realtime support / chat with the community and the team.
-* [Discourse](https://discourse.linuxserver.io) - post on our community forum.
-* [Fleet](https://fleet.linuxserver.io) - an online web interface which displays all of our maintained images.
-* [GitHub](https://github.com/linuxserver) - view the source for all of our repositories.
-* [Open Collective](https://opencollective.com/linuxserver) - please consider helping us by either donating or contributing to our budget
-
-# [linuxserver/wireguard](https://github.com/linuxserver/docker-wireguard)
+# [bubuntux/docker-nordlynx](https://github.com/bubuntux/docker-nordlynx)
[](https://github.com/linuxserver/docker-wireguard)
[](https://github.com/linuxserver/docker-wireguard/releases)
@@ -65,17 +36,6 @@ With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu
This can be run as a server or a client, based on the parameters used.
-## Server Mode
-If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
-
-Variables `SERVERURL`, `SERVERPORT`, `INTERNAL_SUBNET` and `PEERDNS` are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
-
-To add more peers/clients later on, you increment the `PEERS` environment variable or add more elements to the list and recreate the container.
-
-To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: `docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (Keep in mind that the QR codes are also stored as PNGs in the config folder).
-
-The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
-
## Client Mode
Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
@@ -213,12 +173,6 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel
uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
```
-## Docker Mods
-
-[](https://mods.linuxserver.io/?mod=wireguard "view available mods for this container.") [](https://mods.linuxserver.io/?mod=universal "view available universal mods.")
-
-We publish various [Docker Mods](https://github.com/linuxserver/docker-mods) to enable additional functionality within the containers. The list of Mods available for this image (if any) as well as universal mods that can be applied to any one of our images can be accessed via the dynamic badges above.
-
## Support Info
* Shell access whilst the container is running: `docker exec -it wireguard /bin/bash`
@@ -289,24 +243,3 @@ docker run --rm --privileged multiarch/qemu-user-static:register --reset
```
Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
-
-## Versions
-
-* **11.02.21:** - Fix bug related to changing internal subnet and named peer confs not updating.
-* **06.10.20:** - Disable CoreDNS in client mode, or if port 53 is already in use in server mode.
-* **04.10.20:** - Allow to specify a list of names as PEERS and add ALLOWEDIPS environment variable. Also, add peer name/id to each one of the peer sections in wg0.conf. Important: Existing users need to delete `/config/templates/peer.conf` and restart
-* **27.09.20:** - Cleaning service binding example to have accurate PreDown script.
-* **06.08.20:** - Replace resolvconf with openresolv due to dns issues when a client based on this image is connected to a server also based on this image. Add IPv6 info to readme. Display kernel version in logs.
-* **29.07.20:** - Update Coredns config to detect dns loops (existing users need to delete `/config/coredns/Corefile` and restart).
-* **27.07.20:** - Update Coredns config to prevent issues with non-user-defined bridge networks (existing users need to delete `/config/coredns/Corefile` and restart).
-* **05.07.20:** - Add Debian updates and security repos for headers.
-* **25.06.20:** - Simplify module tests, prevent iptables issues from resulting in false negatives.
-* **19.06.20:** - Add support for Ubuntu Focal (20.04) kernels. Compile wireguard tools and kernel module instead of using the ubuntu packages. Make module install optional. Improve verbosity in logs.
-* **29.05.20:** - Add support for 64bit raspbian.
-* **28.04.20:** - Add Buster/Stretch backports repos for Debian. Tested with OMV 5 and OMV 4 (on kernel 4.19.0-0.bpo.8-amd64).
-* **20.04.20:** - Fix typo in client mode conf existence check.
-* **13.04.20:** - Fix bug that forced conf recreation on every start.
-* **08.04.20:** - Add arm32/64 builds and enable multi-arch (rpi4 with ubuntu and raspbian buster tested). Add CoreDNS for `PEERDNS=auto` setting. Update the `add-peer`/`show-peer` scripts to utilize the templates and the `INTERNAL_SUBNET` var (previously missed, oops).
-* **05.04.20:** - Add `INTERNAL_SUBNET` variable to prevent subnet clashes. Add templates for server and peer confs.
-* **01.04.20:** - Add `show-peer` script and include info on host installed headers.
-* **31.03.20:** - Initial Release.
From b2515b7fbfda267f248702a641883523f8fa2fb0 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 9 Sep 2021 22:10:08 -0500
Subject: [PATCH 04/84] refactor
---
root/etc/cont-init.d/10-firewall | 17 ++++-------------
root/etc/cont-init.d/10-firewall6 | 17 ++++-------------
root/etc/cont-init.d/20-route | 10 ++++++++++
root/etc/cont-init.d/20-route6 | 10 ++++++++++
root/etc/cont-init.d/{30-config => 30-module} | 8 ++++----
root/etc/cont-init.d/40-config | 1 +
root/etc/services.d/wireguard/run | 2 +-
7 files changed, 34 insertions(+), 31 deletions(-)
create mode 100644 root/etc/cont-init.d/20-route
create mode 100644 root/etc/cont-init.d/20-route6
rename root/etc/cont-init.d/{30-config => 30-module} (99%)
create mode 100644 root/etc/cont-init.d/40-config
diff --git a/root/etc/cont-init.d/10-firewall b/root/etc/cont-init.d/10-firewall
index 0aa9cbe1..d51caa0d 100644
--- a/root/etc/cont-init.d/10-firewall
+++ b/root/etc/cont-init.d/10-firewall
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/execlineb -P
docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
while read interface
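Review bot: The new shebang `#!/usr/bin/execlineb -P` hands a file full of shell syntax (`$(…)` command substitution, `while … do`, `if … fi`) to execline, which is not a shell and will not parse it, so the firewall script fails at its first line and no rule is installed; keep `#!/bin/bash` (or `#!/bin/sh` now that the bash-only `${NET_LOCAL//…}` expansion has moved out of this file). The same shebang change is made in this commit to 10-firewall6, 30-module and services.d/wireguard/run, where the bash function definition `_term() {` cannot be execline either.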
@@ -20,8 +20,8 @@ fi
iptables -F
iptables -X
iptables -P INPUT DROP
-iptables -P FORWARD DROP
iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
@@ -32,20 +32,11 @@ iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport "${WIREGUARD_PORT:-51820}" -j ACCEPT
+iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -d "${docker_networks}" -j ACCEPT
iptables -A FORWARD -s "${docker_networks}" -j ACCEPT
-iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-
-if [ -n "$NET_LOCAL" ]; then
- docker_network_gw="$(ip route | awk '/default/{print $3}')"
- for net in ${NET_LOCAL//[;,]/ }; do
- iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
- iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
- ip route add "$net" via "$docker_network_gw" dev eth0
- done
-fi
\ No newline at end of file
+iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
\ No newline at end of file
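Review bot: Replacing `"${WIREGUARD_PORT:-51820}"` with the literal `51820` removes the only way to open the OUTPUT chain for an endpoint on a non-default port; with `-P OUTPUT DROP` in place, a wg0.conf whose `Endpoint` uses another port can never complete a handshake and the failure is silent. Keep the variable form, `iptables -A OUTPUT -p udp -m udp --dport "${WIREGUARD_PORT:-51820}" -j ACCEPT`, or derive the port from the configured Endpoint; 10-firewall6 has the same change.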
diff --git a/root/etc/cont-init.d/10-firewall6 b/root/etc/cont-init.d/10-firewall6
index ab088cd4..db5e9001 100644
--- a/root/etc/cont-init.d/10-firewall6
+++ b/root/etc/cont-init.d/10-firewall6
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/execlineb -P
docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
while read interface
@@ -20,8 +20,8 @@ fi
ip6tables -F
ip6tables -X
ip6tables -P INPUT DROP
-ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
+ip6tables -P FORWARD DROP
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
@@ -32,20 +32,11 @@ ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
ip6tables -A OUTPUT -o wg+ -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport "${WIREGUARD_PORT:-51820}" -j ACCEPT
+ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A FORWARD -d "${docker_networks}" -j ACCEPT
ip6tables -A FORWARD -s "${docker_networks}" -j ACCEPT
-ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-
-if [ -n "$NET6_LOCAL" ]; then
- docker_network_gw="$(ip -6 route | awk '/default/{print $3}')"
- for net in ${NET6_LOCAL//[;,]/ }; do
- ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
- ip route add "$net" via "$docker_network_gw" dev eth0
- done
-fi
\ No newline at end of file
+ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
\ No newline at end of file
diff --git a/root/etc/cont-init.d/20-route b/root/etc/cont-init.d/20-route
new file mode 100644
index 00000000..b2431cbb
--- /dev/null
+++ b/root/etc/cont-init.d/20-route
@@ -0,0 +1,10 @@
+#!/usr/bin/with-contenv bash
+
+if [ -n "$NET_LOCAL" ]; then
+ gw="$(ip route | awk '/default/{print $3}')"
+ for net in ${NET_LOCAL//[;,]/ }; do
+ iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+ done
+fi
\ No newline at end of file
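Review bot: `ip route | grep -q "$net"` is an unanchored regex match in which the `.` characters of `$net` match any character, so an unrelated existing route can suppress the add, and a matching prefix that points at a different gateway is silently kept; `ip route replace "$net" via "$gw" dev eth0` is idempotent and makes the grep unnecessary. The interface is also hard-coded as `eth0` on three lines while 10-firewall discovers interfaces dynamically, so the two scripts can disagree on hosts with a different interface name. 20-route6 has the same grep and uses `ip route add` for an IPv6 prefix, where `ip -6 route replace` would be explicit.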
diff --git a/root/etc/cont-init.d/20-route6 b/root/etc/cont-init.d/20-route6
new file mode 100644
index 00000000..9da1e619
--- /dev/null
+++ b/root/etc/cont-init.d/20-route6
@@ -0,0 +1,10 @@
+#!/usr/bin/with-contenv bash
+
+if [ -n "$NET6_LOCAL" ]; then
+ gw="$(ip -6 route | awk '/default/{print $3}')"
+ for net in ${NET6_LOCAL//[;,]/ }; do
+ ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+ done
+fi
\ No newline at end of file
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-module
similarity index 99%
rename from root/etc/cont-init.d/30-config
rename to root/etc/cont-init.d/30-module
index 602b0658..2923a98b 100644
--- a/root/etc/cont-init.d/30-config
+++ b/root/etc/cont-init.d/30-module
@@ -1,6 +1,4 @@
-#!/usr/bin/with-contenv bash
-
-mkdir -p /config/{templates,coredns}
+#!/usr/bin/execlineb -P
echo "Uname info: $(uname -a)"
# check for wireguard module
@@ -11,7 +9,9 @@ if ip link add dev test type wireguard; then
ip link del dev test
else
echo "**** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
-fi
+ #TODO
+ exit 1
+fi
# install headers if necessary
if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; then
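Review bot: The else-branch still prints "will attempt kernel header install and module compilation" and then immediately runs `exit 1` under a `#TODO`, so the log message promises work the script no longer does; change it to state the actual requirement, e.g. `echo "**** The wireguard module is not active; load it on the host and restart the container. ****"`, or leave the exit out until the TODO is resolved. Under s6-overlay a non-zero exit from a cont-init script does not by default stop the container, so the wireguard service may still be started without the module — worth confirming against the overlay's stage-2 failure setting.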
diff --git a/root/etc/cont-init.d/40-config b/root/etc/cont-init.d/40-config
new file mode 100644
index 00000000..8db91dbe
--- /dev/null
+++ b/root/etc/cont-init.d/40-config
@@ -0,0 +1 @@
+#!/usr/bin/with-contenv bash
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 9ef15b46..3a8b4527 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/usr/bin/execlineb -P
_term() {
echo "Caught SIGTERM signal!"
From 4454ef0b500d899fa72167ce4b892b50faa6829f Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 9 Sep 2021 23:34:31 -0500
Subject: [PATCH 05/84] wg-quick patch
---
Dockerfile | 2 ++
root/etc/cont-init.d/10-firewall | 9 ++++-----
root/etc/cont-init.d/10-firewall6 | 9 ++++-----
root/etc/cont-init.d/30-module | 3 ++-
root/etc/cont-init.d/40-config | 2 +-
root/etc/services.d/wireguard/run | 2 +-
wg-quick.patch | 11 +++++++++++
7 files changed, 25 insertions(+), 13 deletions(-)
create mode 100644 wg-quick.patch
diff --git a/Dockerfile b/Dockerfile
index 8a9a281b..e9047c1e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,6 +9,7 @@ LABEL maintainer="aptalca"
ENV DEBIAN_FRONTEND="noninteractive"
+COPY wg-quick.patch /tmp/
RUN \
echo "**** install dependencies ****" && \
apt-get update && \
@@ -42,6 +43,7 @@ RUN \
git checkout "${WIREGUARD_RELEASE}" && \
make -C src -j$(nproc) && \
make -C src install && \
+ cd / && patch --verbose -p0 < /tmp/wg-quick.patch && \
echo "**** clean up ****" && \
rm -rf \
/tmp/* \
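Review bot: `cd / && patch --verbose -p0 < /tmp/wg-quick.patch` applies a patch whose headers name the absolute path `/usr/bin/wg-quick` to a wireguard-tools checkout that, per the `WIREGUARD_RELEASE` lookup shown earlier in this RUN in patch 02, defaults to the latest upstream tag at build time, so a future release that touches the same lines of wg-quick turns into a build failure rather than a silent mis-patch — acceptable, but pinning `WIREGUARD_RELEASE` to the version the patch was written against would make the build reproducible. `cd` inside RUN is flagged by hadolint (DL3003); `patch -d / -p0 < /tmp/wg-quick.patch` does the same without changing directory. A one-line comment naming what the patch changes in wg-quick would also help, since the patch file itself carries no description.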
diff --git a/root/etc/cont-init.d/10-firewall b/root/etc/cont-init.d/10-firewall
index d51caa0d..6e21a781 100644
--- a/root/etc/cont-init.d/10-firewall
+++ b/root/etc/cont-init.d/10-firewall
@@ -1,8 +1,7 @@
-#!/usr/bin/execlineb -P
+#!/bin/bash
docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
- while read interface
- do
+ while read -r interface ; do
network="$(ip -o addr show dev "$interface" | awk '$3 == "inet" {print $4}')"
if [ -z "$result" ]; then
result=$network
@@ -10,10 +9,10 @@ docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;g
result=$result,$network
fi
done
- echo $result
+ echo "$result"
))
if [ -z "$docker_networks" ]; then
- >&2 echo "No inet network"
+ echo "No inet network"
exit
fi
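Review bot: Changing `>&2 echo "No inet network"` to a plain `echo` moves the error to stdout, and the following `exit` still returns 0 with no policy installed, so the no-interface case remains a fail-open kill switch that neither the exit status nor the output stream flags; keep the stderr redirection and use `exit 1`, or apply the DROP policies before the discovery step. 10-firewall6 receives the same change in this commit.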
diff --git a/root/etc/cont-init.d/10-firewall6 b/root/etc/cont-init.d/10-firewall6
index db5e9001..e11338fd 100644
--- a/root/etc/cont-init.d/10-firewall6
+++ b/root/etc/cont-init.d/10-firewall6
@@ -1,8 +1,7 @@
-#!/usr/bin/execlineb -P
+#!/bin/bash
docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
- while read interface
- do
+ while read -r interface ; do
network="$(ip -o addr show dev "$interface" | awk '$3 == "inet6" {print $4; exit}')"
if [ -z "$result" ]; then
result=$network
@@ -10,10 +9,10 @@ docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;g
result=$result,$network
fi
done
- echo $result
+ echo "$result"
))
if [ -z "$docker_networks" ]; then
- >&2 echo "No inet6 network"
+ echo "No inet6 network"
exit
fi
diff --git a/root/etc/cont-init.d/30-module b/root/etc/cont-init.d/30-module
index 2923a98b..c272d07d 100644
--- a/root/etc/cont-init.d/30-module
+++ b/root/etc/cont-init.d/30-module
@@ -1,4 +1,4 @@
-#!/usr/bin/execlineb -P
+#!/bin/bash
echo "Uname info: $(uname -a)"
# check for wireguard module
@@ -13,6 +13,7 @@ else
exit 1
fi
+exit
# install headers if necessary
if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; then
echo "**** Attempting kernel header install ****"
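Review bot: The unconditional `exit` inserted after the module check makes the kernel-header install and everything below it unreachable while leaving that code in place, so a reader sees `SKIP_COMPILE` handling that can never run. If module compilation is being dropped for good, delete the dead block in the same change; if this is a temporary switch-off, say so at the exit, e.g. `exit 0  # TODO: header install/compile below disabled until <reason>`. The script continues beyond the hunk.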
diff --git a/root/etc/cont-init.d/40-config b/root/etc/cont-init.d/40-config
index 8db91dbe..03475346 100644
--- a/root/etc/cont-init.d/40-config
+++ b/root/etc/cont-init.d/40-config
@@ -1 +1 @@
-#!/usr/bin/with-contenv bash
+#!/usr/bin/with-contenv bash
\ No newline at end of file
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 3a8b4527..301928c1 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -1,4 +1,4 @@
-#!/usr/bin/execlineb -P
+#!/bin/bash
_term() {
echo "Caught SIGTERM signal!"
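Review bot: The run script's shebang changes to plain `#!/bin/bash` while 40-config in the same commit keeps `#!/usr/bin/with-contenv bash`; under s6-overlay a services.d run script sees the container's own environment (the variables passed at `docker run`) only when it is started through `with-contenv`, so any such variable the rest of this script reads would be empty here. If the script needs none of them the change is harmless; otherwise keep `#!/usr/bin/with-contenv bash`. `_term()` and the remainder of the script continue outside the hunk.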
diff --git a/wg-quick.patch b/wg-quick.patch
new file mode 100644
index 00000000..c7354c14
--- /dev/null
+++ b/wg-quick.patch
@@ -0,0 +1,11 @@
+--- /usr/bin/wg-quick 2020-04-10 15:58:25.000000000 -0700
++++ /usr/bin/wg-quick 2020-04-10 15:58:48.000000000 -0700
+@@ -232,7 +232,7 @@
+ printf -v restore '%sCOMMIT\n*mangle\n-I POSTROUTING -m mark --mark %d -p udp -j CONNMARK --save-mark %s\n-I PREROUTING -p udp -j CONNMARK --restore-mark %s\nCOMMIT\n' "$restore" $table "$marker" "$marker"
+ printf -v nftcmd '%sadd rule %s %s postmangle meta l4proto udp mark %d ct mark set mark \n' "$nftcmd" "$pf" "$nftable" $table
+ printf -v nftcmd '%sadd rule %s %s premangle meta l4proto udp meta mark set ct mark \n' "$nftcmd" "$pf" "$nftable"
+- [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
++# [[ $proto == -4 ]] && cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1
+ if type -p nft >/dev/null; then
+ cmd nft -f <(echo -n "$nftcmd")
+ else
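Review bot: The new patch comments out `cmd sysctl -q net.ipv4.conf.all.src_valid_mark=1`, which wg-quick sets so that reverse-path filtering takes the routing fwmark into account; with it gone, a host or container with strict `rp_filter` can silently drop tunnel traffic, and nothing in the commit records that the sysctl now has to be supplied from outside (e.g. `docker run --sysctl net.ipv4.conf.all.src_valid_mark=1`). Presumably the line is dropped because the sysctl cannot be written from inside an unprivileged container, but that reasoning belongs next to the `patch` call in the Dockerfile, e.g. `# wg-quick.patch drops the src_valid_mark sysctl (not writable in an unprivileged container); set it at run time with --sysctl net.ipv4.conf.all.src_valid_mark=1`. The patch also pins wg-quick's line 232, so it will rely on fuzz or need regenerating whenever WIREGUARD_RELEASE changes.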
From 14e8a2dffff03b9051977c9ffb6ac92ea25dc00e Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 02:40:47 -0500
Subject: [PATCH 06/84] wip
---
.dockerignore | 104 ++++++++++++++-
.github/CONTRIBUTING.md | 123 -----------------
.github/FUNDING.yml | 2 +-
.github/ISSUE_TEMPLATE/config.yml | 13 --
.github/ISSUE_TEMPLATE/issue.bug.md | 40 ------
.github/ISSUE_TEMPLATE/issue.feature.md | 25 ----
.github/PULL_REQUEST_TEMPLATE.md | 43 ------
.github/workflows/docker-image-ci.yml | 53 ++++++++
.github/workflows/external_trigger.yml | 92 -------------
.../workflows/external_trigger_scheduler.yml | 43 ------
.github/workflows/greetings.yml | 13 --
.github/workflows/package_trigger.yml | 38 ------
.../workflows/package_trigger_scheduler.yml | 50 -------
.github/workflows/stale.yml | 19 +--
.gitignore | 126 +++++++++++++++---
Dockerfile | 46 ++-----
{root => rootfs}/etc/cont-init.d/10-firewall | 0
{root => rootfs}/etc/cont-init.d/10-firewall6 | 0
{root => rootfs}/etc/cont-init.d/20-route | 0
{root => rootfs}/etc/cont-init.d/20-route6 | 0
{root => rootfs}/etc/cont-init.d/30-module | 0
{root => rootfs}/etc/cont-init.d/40-config | 0
{root => rootfs}/etc/services.d/wireguard/run | 3 +-
wg-quick.patch => rootfs/tmp/wg-quick.patch | 0
24 files changed, 280 insertions(+), 553 deletions(-)
delete mode 100755 .github/CONTRIBUTING.md
delete mode 100755 .github/ISSUE_TEMPLATE/config.yml
delete mode 100755 .github/ISSUE_TEMPLATE/issue.bug.md
delete mode 100755 .github/ISSUE_TEMPLATE/issue.feature.md
delete mode 100644 .github/PULL_REQUEST_TEMPLATE.md
create mode 100644 .github/workflows/docker-image-ci.yml
delete mode 100755 .github/workflows/external_trigger.yml
delete mode 100755 .github/workflows/external_trigger_scheduler.yml
delete mode 100644 .github/workflows/greetings.yml
delete mode 100755 .github/workflows/package_trigger.yml
delete mode 100755 .github/workflows/package_trigger_scheduler.yml
rename {root => rootfs}/etc/cont-init.d/10-firewall (100%)
rename {root => rootfs}/etc/cont-init.d/10-firewall6 (100%)
rename {root => rootfs}/etc/cont-init.d/20-route (100%)
rename {root => rootfs}/etc/cont-init.d/20-route6 (100%)
rename {root => rootfs}/etc/cont-init.d/30-module (100%)
rename {root => rootfs}/etc/cont-init.d/40-config (100%)
rename {root => rootfs}/etc/services.d/wireguard/run (63%)
rename wg-quick.patch => rootfs/tmp/wg-quick.patch (100%)
diff --git a/.dockerignore b/.dockerignore
index f8c28d33..8b382ded 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,106 @@
.git
.gitignore
.github
-README.md
\ No newline at end of file
+README.md
+LICENSE
+
+### macOS template
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### VisualStudioCode template
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+
+# Local History for Visual Studio Code
+.history/
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+.idea
+
+# CMake
+cmake-build-*/
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+
+### Linux template
+*~
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### Vim template
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
+
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
deleted file mode 100755
index d5ae6896..00000000
--- a/.github/CONTRIBUTING.md
+++ /dev/null
@@ -1,123 +0,0 @@
-# Contributing to wireguard
-
-## Gotchas
-
-* While contributing make sure to make all your changes before creating a Pull Request, as our pipeline builds each commit after the PR is open.
-* Read, and fill the Pull Request template
- * If this is a fix for a typo (in code, documentation, or the README) please file an issue and let us sort it out. We do not need a PR
- * If the PR is addressing an existing issue include, closes #\, in the body of the PR commit message
-* If you want to discuss changes, you can also bring it up in [#dev-talk](https://discordapp.com/channels/354974912613449730/757585807061155840) in our [Discord server](https://discord.gg/YWrKVTn)
-
-## Common files
-
-| File | Use case |
-| :----: | --- |
-| `Dockerfile` | Dockerfile used to build amd64 images |
-| `Dockerfile.aarch64` | Dockerfile used to build 64bit ARM architectures |
-| `Dockerfile.armhf` | Dockerfile used to build 32bit ARM architectures |
-| `Jenkinsfile` | This file is a product of our builder and should not be edited directly. This is used to build the image |
-| `jenkins-vars.yml` | This file is used to generate the `Jenkinsfile` mentioned above, it only affects the build-process |
-| `package_versions.txt` | This file is generated as a part of the build-process and should not be edited directly. It lists all the installed packages and their versions |
-| `README.md` | This file is a product of our builder and should not be edited directly. This displays the readme for the repository and image registries |
-| `readme-vars.yml` | This file is used to generate the `README.md` |
-
-## Readme
-
-If you would like to change our readme, please __**do not**__ directly edit the readme, as it is auto-generated on each commit.
-Instead edit the [readme-vars.yml](https://github.com/linuxserver/docker-wireguard/edit/master/readme-vars.yml).
-
-These variables are used in a template for our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) as part of an ansible play.
-Most of these variables are also carried over to [docs.linuxserver.io](https://docs.linuxserver.io/images/docker-wireguard)
-
-### Fixing typos or clarify the text in the readme
-
-There are variables for multiple parts of the readme, the most common ones are:
-
-| Variable | Description |
-| :----: | --- |
-| `project_blurb` | This is the short excerpt shown above the project logo. |
-| `app_setup_block` | This is the text that shows up under "Application Setup" if enabled |
-
-### Parameters
-
-The compose and run examples are also generated from these variables.
-
-We have a [reference file](https://github.com/linuxserver/docker-jenkins-builder/blob/master/vars/_container-vars-blank) in our Jenkins Builder.
-
-These are prefixed with `param_` for required parameters, or `opt_param` for optional parameters, except for `cap_add`.
-Remember to enable param, if currently disabled. This differs between parameters, and can be seen in the reference file.
-
-Devices, environment variables, ports and volumes expects its variables in a certain way.
-
-### Devices
-
-```yml
-param_devices:
- - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
-opt_param_devices:
- - { device_path: "/dev/dri", device_host_path: "/dev/dri", desc: "For hardware transcoding" }
-```
-
-### Environment variables
-
-```yml
-param_env_vars:
- - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London." }
-opt_param_env_vars:
- - { env_var: "VERSION", env_value: "latest", desc: "Supported values are LATEST, PLEXPASS or a specific version number." }
-```
-
-### Ports
-
-```yml
-param_ports:
- - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }
-opt_param_ports:
- - { external_port: "80", internal_port: "80", port_desc: "Application WebUI" }
-```
-
-### Volumes
-
-```yml
-param_volumes:
- - { vol_path: "/config", vol_host_path: "", desc: "Configuration files." }
-opt_param_volumes:
- - { vol_path: "/config", vol_host_path: "", desc: "Configuration files." }
-```
-
-### Testing template changes
-
-After you make any changes to the templates, you can use our [Jenkins Builder](https://github.com/linuxserver/docker-jenkins-builder) to have the files updated from the modified templates. Please use the command found under `Running Locally` [on this page](https://github.com/linuxserver/docker-jenkins-builder/blob/master/README.md) to generate them prior to submitting a PR.
-
-## Dockerfiles
-
-We use multiple Dockerfiles in our repos, this is because sometimes some CPU architectures needs different packages to work.
-If you are proposing additional packages to be added, ensure that you added the packages to all the Dockerfiles in alphabetical order.
-
-### Testing your changes
-
-```bash
-git clone https://github.com/linuxserver/docker-wireguard.git
-cd docker-wireguard
-docker build \
- --no-cache \
- --pull \
- -t linuxserver/wireguard:latest .
-```
-
-The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
-
-```bash
-docker run --rm --privileged multiarch/qemu-user-static:register --reset
-```
-
-Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
-
-## Update the changelog
-
-If you are modifying the Dockerfiles or any of the startup scripts in [root](https://github.com/linuxserver/docker-wireguard/tree/master/root), add an entry to the changelog
-
-```yml
-changelogs:
- - { date: "DD.MM.YY:", desc: "Added some love to templates" }
-```
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index f5be2c4c..d5dd98d0 100755
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,3 @@
-github: bubuntux
+github: [bubuntux,linuxserver]
open_collective: linuxserver
custom: "https://www.wireguard.com/donations/"
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
deleted file mode 100755
index 350e2c3a..00000000
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-blank_issues_enabled: false
-contact_links:
- - name: Discord chat support
- url: https://discord.gg/YWrKVTn
- about: Realtime support / chat with the community and the team.
-
- - name: Discourse discussion forum
- url: https://discourse.linuxserver.io
- about: Post on our community forum.
-
- - name: Documentation
- url: https://docs.linuxserver.io/images/docker-wireguard
- about: Documentation - information about all of our containers.
diff --git a/.github/ISSUE_TEMPLATE/issue.bug.md b/.github/ISSUE_TEMPLATE/issue.bug.md
deleted file mode 100755
index 5212eb17..00000000
--- a/.github/ISSUE_TEMPLATE/issue.bug.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-
----
-[linuxserverurl]: https://linuxserver.io
-[][linuxserverurl]
-
-
-
-
-
-------------------------------
-
-## Expected Behavior
-
-
-## Current Behavior
-
-
-## Steps to Reproduce
-
-
-1.
-2.
-3.
-4.
-
-## Environment
-**OS:**
-**CPU architecture:** x86_64/arm32/arm64
-**How docker service was installed:**
-
-
-
-## Command used to create docker container (run/create/compose/screenshot)
-
-
-## Docker logs
-
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.md b/.github/ISSUE_TEMPLATE/issue.feature.md
deleted file mode 100755
index 20a91fdb..00000000
--- a/.github/ISSUE_TEMPLATE/issue.feature.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-
----
-[linuxserverurl]: https://linuxserver.io
-[][linuxserverurl]
-
-
-
-
-
-
-
-
-------------------------------
-
-## Desired Behavior
-
-
-## Current Behavior
-
-
-## Alternatives Considered
-
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
deleted file mode 100644
index ce5860d1..00000000
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ /dev/null
@@ -1,43 +0,0 @@
-
-
-[linuxserverurl]: https://linuxserver.io
-[][linuxserverurl]
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-------------------------------
-
- - [ ] I have read the [contributing](https://github.com/linuxserver/docker-wireguard/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications
-
-------------------------------
-
-
-
-## Description:
-
-
-## Benefits of this PR and context:
-
-
-## How Has This Been Tested?
-
-
-
-
-
-## Source / References:
-
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
new file mode 100644
index 00000000..0c74dca8
--- /dev/null
+++ b/.github/workflows/docker-image-ci.yml
@@ -0,0 +1,53 @@
+name: Docker Image CI
+
+on:
+ schedule:
+ - cron: '4 20 * * *'
+ push:
+ branches: [ main ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Log into DockerHub
+ uses: docker/login-action@v1
+ with:
+ username: ${{ github.actor }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Log into GitHub Container Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Get Tags
+ id: meta
+ run: |
+ tags="ghcr.io/${{ github.repository }}:daily,${{ github.repository }}:daily,\
+ ghcr.io/${{ github.repository }}:edge,${{ github.repository }}:edge"
+ if [[ $(date '+%d') == 01 || "${{ github.event_name }}" == "push" ]]; then
+ tags="${tags},ghcr.io/${{ github.repository }}:latest,${{ github.repository }}:latest,\
+ ghcr.io/${{ github.repository }}:monthly,${{ github.repository }}:monthly,\
+ ghcr.io/${{ github.repository }}:$(date '+%Y%m%d'),${{ github.repository }}:$(date '+%Y%m%d')"
+ fi
+ echo "::set-output name=tags::${tags}"
+
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386,linux/ppc64le,linux/s390x
\ No newline at end of file
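Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` used to push to ghcr.io runs with the repository's default token scope rather than the minimum it needs; add at top level `permissions:` / `  contents: read` / `  packages: write`. The actions are referenced by mutable major tags (`docker/login-action@v1`, `actions/checkout@v2`, `docker/build-push-action@v2`), so the daily scheduled build runs whatever those tags resolve to at run time with the registry credentials in hand; pinning each to a commit SHA fixes that. Using `${{ github.actor }}` as the Docker Hub username assumes every pusher's GitHub login is also the Docker Hub account that `DOCKERHUB_TOKEN` belongs to, and on a scheduled run the actor is not a fixed identity; a dedicated `DOCKERHUB_USERNAME` secret is more predictable. `::set-output` has since been deprecated by GitHub in favour of writing to `$GITHUB_OUTPUT`.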
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
deleted file mode 100755
index 38684f84..00000000
--- a/.github/workflows/external_trigger.yml
+++ /dev/null
@@ -1,92 +0,0 @@
-name: External Trigger Main
-
-on:
- workflow_dispatch:
-
-jobs:
- external-trigger-master:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2.3.3
-
- - name: External Trigger
- if: github.ref == 'refs/heads/master'
- run: |
- if [ -n "${{ secrets.PAUSE_EXTERNAL_TRIGGER_WIREGUARD_MASTER }}" ]; then
- echo "**** Github secret PAUSE_EXTERNAL_TRIGGER_WIREGUARD_MASTER is set; skipping trigger. ****"
- exit 0
- fi
- echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_WIREGUARD_MASTER\". ****"
- echo "**** Retrieving external version ****"
- EXT_RELEASE=$(curl -u ${{ secrets.CR_USER }}:${{ secrets.CR_PAT }} -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name)
- if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then
- echo "**** Can't retrieve external version, exiting ****"
- FAILURE_REASON="Can't retrieve external version for wireguard branch master"
- GHA_TRIGGER_URL="https://github.com/linuxserver/docker-wireguard/actions/runs/${{ github.run_id }}"
- curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
- "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n**Trigger URL:** '"${GHA_TRIGGER_URL}"' \n"}],
- "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
- exit 1
- fi
- EXT_RELEASE=$(echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g')
- echo "**** External version: ${EXT_RELEASE} ****"
- echo "**** Retrieving last pushed version ****"
- image="linuxserver/wireguard"
- tag="latest"
- token=$(curl -sX GET \
- "https://ghcr.io/token?scope=repository%3Alinuxserver%2Fwireguard%3Apull" \
- | jq -r '.token')
- multidigest=$(curl -s \
- --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
- --header "Authorization: Bearer ${token}" \
- "https://ghcr.io/v2/${image}/manifests/${tag}" \
- | jq -r 'first(.manifests[].digest)')
- digest=$(curl -s \
- --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
- --header "Authorization: Bearer ${token}" \
- "https://ghcr.io/v2/${image}/manifests/${multidigest}" \
- | jq -r '.config.digest')
- image_info=$(curl -sL \
- --header "Authorization: Bearer ${token}" \
- "https://ghcr.io/v2/${image}/blobs/${digest}" \
- | jq -r '.container_config')
- IMAGE_RELEASE=$(echo ${image_info} | jq -r '.Labels.build_version' | awk '{print $3}')
- IMAGE_VERSION=$(echo ${IMAGE_RELEASE} | awk -F'-ls' '{print $1}')
- if [ -z "${IMAGE_VERSION}" ]; then
- echo "**** Can't retrieve last pushed version, exiting ****"
- FAILURE_REASON="Can't retrieve last pushed version for wireguard tag latest"
- curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 16711680,
- "description": "**Trigger Failed** \n**Reason:** '"${FAILURE_REASON}"' \n"}],
- "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
- exit 1
- fi
- echo "**** Last pushed version: ${IMAGE_VERSION} ****"
- if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then
- echo "**** Version ${EXT_RELEASE} already pushed, exiting ****"
- exit 0
- elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-wireguard/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
- echo "**** New version ${EXT_RELEASE} found; but there already seems to be an active build on Jenkins; exiting ****"
- exit 0
- else
- echo "**** New version ${EXT_RELEASE} found; old version was ${IMAGE_VERSION}. Triggering new build ****"
- response=$(curl -iX POST \
- https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-wireguard/job/master/buildWithParameters?PACKAGE_CHECK=false \
- --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
- echo "**** Jenkins job queue url: ${response%$'\r'} ****"
- echo "**** Sleeping 10 seconds until job starts ****"
- sleep 10
- buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
- buildurl="${buildurl%$'\r'}"
- echo "**** Jenkins job build url: ${buildurl} ****"
- echo "**** Attempting to change the Jenkins job description ****"
- curl -iX POST \
- "${buildurl}submitDescription" \
- --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
- --data-urlencode "description=GHA external trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
- --data-urlencode "Submit=Submit"
- echo "**** Notifying Discord ****"
- TRIGGER_REASON="A version change was detected for wireguard tag latest. Old version:${IMAGE_VERSION} New version:${EXT_RELEASE}"
- curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
- "description": "**Build Triggered** \n**Reason:** '"${TRIGGER_REASON}"' \n**Build URL:** '"${buildurl}display/redirect"' \n"}],
- "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
- fi
diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml
deleted file mode 100755
index a9830deb..00000000
--- a/.github/workflows/external_trigger_scheduler.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: External Trigger Scheduler
-
-on:
- schedule:
- - cron: '25 * * * *'
- workflow_dispatch:
-
-jobs:
- external-trigger-scheduler:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2.3.3
- with:
- fetch-depth: '0'
-
- - name: External Trigger Scheduler
- run: |
- echo "**** Branches found: ****"
- git for-each-ref --format='%(refname:short)' refs/remotes
- echo "**** Pulling the yq docker image ****"
- docker pull ghcr.io/linuxserver/yq
- for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
- do
- br=$(echo "$br" | sed 's|origin/||g')
- echo "**** Evaluating branch ${br} ****"
- ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-wireguard/${br}/jenkins-vars.yml \
- | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
- if [ "$br" == "$ls_branch" ]; then
- echo "**** Branch ${br} appears to be live; checking workflow. ****"
- if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-wireguard/${br}/.github/workflows/external_trigger.yml > /dev/null 2>&1; then
- echo "**** Workflow exists. Triggering external trigger workflow for branch ${br} ****."
- curl -iX POST \
- -H "Authorization: token ${{ secrets.CR_PAT }}" \
- -H "Accept: application/vnd.github.v3+json" \
- -d "{\"ref\":\"refs/heads/${br}\"}" \
- https://api.github.com/repos/linuxserver/docker-wireguard/actions/workflows/external_trigger.yml/dispatches
- else
- echo "**** Workflow doesn't exist; skipping trigger. ****"
- fi
- else
- echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
- fi
- done
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
deleted file mode 100644
index d10ccf2f..00000000
--- a/.github/workflows/greetings.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-name: Greetings
-
-on: [pull_request_target, issues]
-
-jobs:
- greeting:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/first-interaction@v1
- with:
- issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver/docker-wireguard/blob/master/.github/ISSUE_TEMPLATE/issue.bug.md) or [feature](https://github.com/linuxserver/docker-wireguard/blob/master/.github/ISSUE_TEMPLATE/issue.feature.md) issue templates!'
- pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-wireguard/blob/master/.github/PULL_REQUEST_TEMPLATE.md)!'
- repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/package_trigger.yml b/.github/workflows/package_trigger.yml
deleted file mode 100755
index 8c10ea54..00000000
--- a/.github/workflows/package_trigger.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-name: Package Trigger Main
-
-on:
- workflow_dispatch:
-
-jobs:
- package-trigger-master:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2.3.3
-
- - name: Package Trigger
- if: github.ref == 'refs/heads/master'
- run: |
- if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_WIREGUARD_MASTER }}" ]; then
- echo "**** Github secret PAUSE_PACKAGE_TRIGGER_WIREGUARD_MASTER is set; skipping trigger. ****"
- exit 0
- fi
- if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-wireguard/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
- echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****"
- exit 0
- fi
- echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_WIREGUARD_MASTER\". ****"
- response=$(curl -iX POST \
- https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-wireguard/job/master/buildWithParameters?PACKAGE_CHECK=true \
- --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
- echo "**** Jenkins job queue url: ${response%$'\r'} ****"
- echo "**** Sleeping 10 seconds until job starts ****"
- sleep 10
- buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
- buildurl="${buildurl%$'\r'}"
- echo "**** Jenkins job build url: ${buildurl} ****"
- echo "**** Attempting to change the Jenkins job description ****"
- curl -iX POST \
- "${buildurl}submitDescription" \
- --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
- --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
- --data-urlencode "Submit=Submit"
diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml
deleted file mode 100755
index 43a87b0c..00000000
--- a/.github/workflows/package_trigger_scheduler.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: Package Trigger Scheduler
-
-on:
- schedule:
- - cron: '41 1 * * 0'
- workflow_dispatch:
-
-jobs:
- package-trigger-scheduler:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2.3.3
- with:
- fetch-depth: '0'
-
- - name: Package Trigger Scheduler
- run: |
- echo "**** Branches found: ****"
- git for-each-ref --format='%(refname:short)' refs/remotes
- echo "**** Pulling the yq docker image ****"
- docker pull ghcr.io/linuxserver/yq
- for br in $(git for-each-ref --format='%(refname:short)' refs/remotes)
- do
- br=$(echo "$br" | sed 's|origin/||g')
- echo "**** Evaluating branch ${br} ****"
- ls_branch=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-wireguard/${br}/jenkins-vars.yml \
- | docker run --rm -i --entrypoint yq ghcr.io/linuxserver/yq -r .ls_branch)
- if [ "${br}" == "${ls_branch}" ]; then
- echo "**** Branch ${br} appears to be live; checking workflow. ****"
- if curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-wireguard/${br}/.github/workflows/package_trigger.yml > /dev/null 2>&1; then
- echo "**** Workflow exists. Triggering package trigger workflow for branch ${br}. ****"
- triggered_branches="${triggered_branches}${br} "
- curl -iX POST \
- -H "Authorization: token ${{ secrets.CR_PAT }}" \
- -H "Accept: application/vnd.github.v3+json" \
- -d "{\"ref\":\"refs/heads/${br}\"}" \
- https://api.github.com/repos/linuxserver/docker-wireguard/actions/workflows/package_trigger.yml/dispatches
- sleep 30
- else
- echo "**** Workflow doesn't exist; skipping trigger. ****"
- fi
- else
- echo "**** ${br} appears to be a dev branch; skipping trigger. ****"
- fi
- done
- echo "**** Package check build(s) triggered for branch(es): ${triggered_branches} ****"
- echo "**** Notifying Discord ****"
- curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903,
- "description": "**Package Check Build(s) Triggered for wireguard** \n**Branch(es):** '"${triggered_branches}"' \n**Build URL:** '"https://ci.linuxserver.io/blue/organizations/jenkins/Docker-Pipeline-Builders%2Fdocker-wireguard/activity/"' \n"}],
- "username": "Github Actions"}' ${{ secrets.DISCORD_WEBHOOK }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3b3846ee..6bb9283f 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -2,22 +2,13 @@ name: Mark stale issues and pull requests
on:
schedule:
- - cron: "30 1 * * *"
+ - cron: "6 9 * * *"
jobs:
stale:
-
runs-on: ubuntu-latest
-
steps:
- - uses: actions/stale@v3
- with:
- stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
- stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
- stale-issue-label: 'no-issue-activity'
- stale-pr-label: 'no-pr-activity'
- days-before-stale: 30
- days-before-close: 365
- exempt-issue-labels: 'awaiting-approval,work-in-progress'
- exempt-pr-labels: 'awaiting-approval,work-in-progress'
- repo-token: ${{ secrets.GITHUB_TOKEN }}
+ - uses: actions/stale@v4
+ with:
+ stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
+ stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
\ No newline at end of file
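Review bot: Dropping `days-before-stale: 30`, `days-before-close: 365` and both `exempt-*-labels` lists hands those settings to actions/stale's defaults, which for v4 mark at 60 days and close 7 days later with no exempt labels, a far more aggressive close policy than before, and `awaiting-approval,work-in-progress` items are no longer protected. If that is intended, a comment saying so would stop the next reader from restoring them; otherwise keep the explicit values. Removing `repo-token` is fine since v4 defaults to `github.token`, but the job still needs `issues: write` and `pull-requests: write`, so a `permissions:` block would make that explicit rather than relying on the repository default.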
diff --git a/.gitignore b/.gitignore
index 6e8ad977..232bf037 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,79 @@
-# Windows image file caches
+### macOS template
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+.idea
+
+# CMake
+cmake-build-*/
+
+# File-based project format
+*.iws
+
+# IntelliJ
+out/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+
+### VisualStudioCode template
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+
+# Local History for Visual Studio Code
+.history/
+
+### Windows template
+# Windows thumbnail cache files
Thumbs.db
+Thumbs.db:encryptable
ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
# Folder config file
-Desktop.ini
+[Dd]esktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
@@ -11,34 +81,46 @@ $RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
+*.msix
*.msm
*.msp
# Windows shortcuts
*.lnk
-# =========================
-# Operating System Files
-# =========================
+### Linux template
+*~
-# OSX
-# =========================
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
-.DS_Store
-.AppleDouble
-.LSOverride
+# KDE directory preferences
+.directory
-# Thumbnails
-._*
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
-# Files that might appear on external disk
-.Spotlight-V100
-.Trashes
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+### Vim template
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+
+# Session
+Session.vim
+Sessionx.vim
+
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~
-# Directories potentially created on remote AFP share
-.AppleDB
-.AppleDesktop
-Network Trash Folder
-Temporary Items
-.apdisk
-.jenkins-external
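Review bot: `!*.svg # comment out if you don't need vector files` in the Vim section (L3324) does not work as written: gitignore has no inline comments, so the trailing text is part of the pattern and the negation never matches a real `.svg` file. Move the remark to its own line, `# comment out the next line if you don't need vector files`, followed by `!*.svg`. The `*~` pattern is also listed twice (Linux and Vim sections), which is harmless but noisy.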
diff --git a/Dockerfile b/Dockerfile
index e9047c1e..b7bde363 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,36 +1,18 @@
-FROM ghcr.io/linuxserver/baseimage-ubuntu:bionic
+FROM ghcr.io/bubuntux/s6-alpine
+LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
-# set version label
-ARG BUILD_DATE
-ARG VERSION
-ARG WIREGUARD_RELEASE
-LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="aptalca"
+COPY /rootfs /
-ENV DEBIAN_FRONTEND="noninteractive"
-
-COPY wg-quick.patch /tmp/
-RUN \
- echo "**** install dependencies ****" && \
- apt-get update && \
- apt-get install -y --no-install-recommends \
- bc \
- build-essential \
- curl \
- dkms \
- git \
- gnupg \
- ifupdown \
- iproute2 \
- iptables \
- iputils-ping \
- jq \
- libc6 \
- libelf-dev \
- net-tools \
- openresolv \
- perl \
- pkg-config && \
+RUN apt-get install -y \
+ curl \
+ dkms \
+ ifupdown \
+ iproute2 \
+ iptables \
+ iputils-ping \
+ jq \
+ net-tools \
+ wireguard && \
echo "**** install wireguard-tools ****" && \
if [ -z ${WIREGUARD_RELEASE+x} ]; then \
WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
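Review bot: `FROM ghcr.io/bubuntux/s6-alpine` carries neither a tag nor a digest, so every build floats to whatever the publisher last pushed, and the base name says alpine while the new `RUN apt-get install -y …` still assumes Debian (with no `apt-get update` in the same layer), so this RUN is unlikely to succeed on that base. Pin the base, e.g. `FROM ghcr.io/bubuntux/s6-alpine:<tag>@sha256:<digest>` (placeholders), and install with `apk add --no-cache` and pinned versions on alpine. The `WIREGUARD_RELEASE` check at the end of the hunk also lost its `ARG`, so `--build-arg WIREGUARD_RELEASE=…` no longer reaches it and the `curl -sX GET` fallback (no `-f`, no timeout) runs on every build; the RUN continues past the hunk.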
@@ -50,5 +32,3 @@ RUN \
/var/lib/apt/lists/* \
/var/tmp/*
-# add local files
-COPY /root /
diff --git a/root/etc/cont-init.d/10-firewall b/rootfs/etc/cont-init.d/10-firewall
similarity index 100%
rename from root/etc/cont-init.d/10-firewall
rename to rootfs/etc/cont-init.d/10-firewall
diff --git a/root/etc/cont-init.d/10-firewall6 b/rootfs/etc/cont-init.d/10-firewall6
similarity index 100%
rename from root/etc/cont-init.d/10-firewall6
rename to rootfs/etc/cont-init.d/10-firewall6
diff --git a/root/etc/cont-init.d/20-route b/rootfs/etc/cont-init.d/20-route
similarity index 100%
rename from root/etc/cont-init.d/20-route
rename to rootfs/etc/cont-init.d/20-route
diff --git a/root/etc/cont-init.d/20-route6 b/rootfs/etc/cont-init.d/20-route6
similarity index 100%
rename from root/etc/cont-init.d/20-route6
rename to rootfs/etc/cont-init.d/20-route6
diff --git a/root/etc/cont-init.d/30-module b/rootfs/etc/cont-init.d/30-module
similarity index 100%
rename from root/etc/cont-init.d/30-module
rename to rootfs/etc/cont-init.d/30-module
diff --git a/root/etc/cont-init.d/40-config b/rootfs/etc/cont-init.d/40-config
similarity index 100%
rename from root/etc/cont-init.d/40-config
rename to rootfs/etc/cont-init.d/40-config
diff --git a/root/etc/services.d/wireguard/run b/rootfs/etc/services.d/wireguard/run
similarity index 63%
rename from root/etc/services.d/wireguard/run
rename to rootfs/etc/services.d/wireguard/run
index 301928c1..45de5181 100644
--- a/root/etc/services.d/wireguard/run
+++ b/rootfs/etc/services.d/wireguard/run
@@ -1,11 +1,10 @@
#!/bin/bash
_term() {
- echo "Caught SIGTERM signal!"
wg-quick down wg0
}
-trap _term SIGTERM
+trap _term SIGTERM SIGINT EXIT
wg-quick up wg0
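Review bot: Adding `EXIT` to the trap makes `_term` run a second time after the SIGTERM handler returns (and on every normal exit, including a failed `wg-quick up`), so `wg-quick down wg0` is issued twice and the second call fails with an interface-not-found error in the s6 log. If the intent is teardown on any exit, trap `EXIT` alone and let the signals end the script, e.g. `trap 'exit 0' SIGTERM SIGINT` followed by `trap _term EXIT`. Removing the `Caught SIGTERM signal!` echo also removes the only shutdown marker in the container log; the rest of the run script is outside the hunk.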
diff --git a/wg-quick.patch b/rootfs/tmp/wg-quick.patch
similarity index 100%
rename from wg-quick.patch
rename to rootfs/tmp/wg-quick.patch
From 63bcaf66ab3eb21a9846890dd6a516498f5c8941 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 03:00:35 -0500
Subject: [PATCH 07/84] wip
---
Dockerfile | 33 ++++-----------------------------
1 file changed, 4 insertions(+), 29 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index b7bde363..e7a07d74 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,32 +3,7 @@ LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /rootfs /
-RUN apt-get install -y \
- curl \
- dkms \
- ifupdown \
- iproute2 \
- iptables \
- iputils-ping \
- jq \
- net-tools \
- wireguard && \
- echo "**** install wireguard-tools ****" && \
- if [ -z ${WIREGUARD_RELEASE+x} ]; then \
- WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
- | jq -r .[0].name); \
- fi && \
- cd /app && \
- git clone https://git.zx2c4.com/wireguard-linux-compat && \
- git clone https://git.zx2c4.com/wireguard-tools && \
- cd wireguard-tools && \
- git checkout "${WIREGUARD_RELEASE}" && \
- make -C src -j$(nproc) && \
- make -C src install && \
- cd / && patch --verbose -p0 < /tmp/wg-quick.patch && \
- echo "**** clean up ****" && \
- rm -rf \
- /tmp/* \
- /var/lib/apt/lists/* \
- /var/tmp/*
-
+RUN apk add --no-cache -U wireguard-tools curl jq patch && \
+ patch --verbose -p0 < /tmp/wg-quick.patch && \
+ apk del --purge patch && \
+ rm -rf /tmp/*
\ No newline at end of file
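Review bot: `apk add --no-cache -U wireguard-tools curl jq patch` pins no versions, so image content drifts between builds (hadolint DL3018), and `-U` is redundant next to `--no-cache`, which already refreshes the index. `patch --verbose -p0 < /tmp/wg-quick.patch` runs from whatever the working directory is — no `WORKDIR` is visible — so the `-p0` paths inside the patch silently depend on the default `/`; an explicit `WORKDIR /` before the RUN would pin that. The same lines are carried forward unchanged in the later hunk at L4062–L4068.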
From 951c8e51f35a7922b44a0b2370103ffbb6287fa4 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 03:35:48 -0500
Subject: [PATCH 08/84] wip
---
rootfs/etc/cont-init.d/00-firewall | 14 ++++++++
.../etc/cont-init.d/{30-module => 10-module} | 36 +++++--------------
.../etc/cont-init.d/{10-firewall => 20-inet} | 9 ++---
.../cont-init.d/{10-firewall6 => 20-inet6} | 8 ++---
rootfs/etc/cont-init.d/20-route | 10 ------
rootfs/etc/cont-init.d/30-route | 19 ++++++++++
.../etc/cont-init.d/{20-route6 => 30-route6} | 1 +
7 files changed, 48 insertions(+), 49 deletions(-)
create mode 100644 rootfs/etc/cont-init.d/00-firewall
rename rootfs/etc/cont-init.d/{30-module => 10-module} (89%)
rename rootfs/etc/cont-init.d/{10-firewall => 20-inet} (85%)
rename rootfs/etc/cont-init.d/{10-firewall6 => 20-inet6} (89%)
delete mode 100644 rootfs/etc/cont-init.d/20-route
create mode 100644 rootfs/etc/cont-init.d/30-route
rename rootfs/etc/cont-init.d/{20-route6 => 30-route6} (82%)
diff --git a/rootfs/etc/cont-init.d/00-firewall b/rootfs/etc/cont-init.d/00-firewall
new file mode 100644
index 00000000..93f89d02
--- /dev/null
+++ b/rootfs/etc/cont-init.d/00-firewall
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+iptables -P OUTPUT DROP
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+ip6tables -P OUTPUT DROP 2>/dev/null
+ip6tables -P INPUT DROP 2>/dev/null
+ip6tables -P FORWARD DROP 2>/dev/null
+iptables -F
+iptables -X
+ip6tables -F 2>/dev/null
+ip6tables -X 2>/dev/null
+
+echo "[$(date -Iseconds)] Firewall is up, everything has to go through the vpn"
\ No newline at end of file
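Review bot: Nothing checks that the policy changes succeeded before the script prints `Firewall is up, everything has to go through the vpn`; without `set -e`, a container lacking `NET_ADMIN` (or without an ip6tables backend, whose errors are hidden by `2>/dev/null`) logs that message while the default policies are still ACCEPT. Consider `set -e` at the top and reporting the IPv6 case explicitly, e.g. `ip6tables -P OUTPUT DROP 2>/dev/null || echo "ip6tables unavailable, IPv6 is not restricted"`, so the log states what was actually enforced. The `#!/bin/bash` shebang also differs from the sibling scripts' `#!/usr/bin/with-contenv bash`.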
diff --git a/rootfs/etc/cont-init.d/30-module b/rootfs/etc/cont-init.d/10-module
similarity index 89%
rename from rootfs/etc/cont-init.d/30-module
rename to rootfs/etc/cont-init.d/10-module
index c272d07d..34a322d1 100644
--- a/rootfs/etc/cont-init.d/30-module
+++ b/rootfs/etc/cont-init.d/10-module
@@ -1,19 +1,19 @@
#!/bin/bash
-echo "Uname info: $(uname -a)"
+echo "[$(date -Iseconds)] Uname info: $(uname -a)"
# check for wireguard module
ip link del dev test 2>/dev/null
if ip link add dev test type wireguard; then
- echo "**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****"
- SKIP_COMPILE="true"
+ echo "[$(date -Iseconds)] Wireguard module is active"
ip link del dev test
-else
- echo "**** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
- #TODO
- exit 1
+ exit
fi
-exit
+echo "[$(date -Iseconds)] The wireguard module is not active, please install it on the host and try again (https://www.wireguard.com/install/)"
+exit 1
+
+#TODO install module ?
+
# install headers if necessary
if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; then
echo "**** Attempting kernel header install ****"
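Review bot: Everything after the new unconditional `exit 1` — the `#TODO install module ?` comment, the header-install block starting here and the trailing `fi` in the second hunk at L3570–L3594 — is unreachable, so the file keeps roughly 150 lines of dead legacy code that will mislead the next reader and any linter. Either delete the tail in this commit or fence it with a marker such as `# --- unreachable: kept for a future in-container module build (see TODO above) ---`. Separately, `ip link del dev test` removes any pre-existing interface named `test` before probing; a less collision-prone probe name such as `wgprobe0` avoids that side effect.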
@@ -150,22 +150,4 @@ DUDE
echo "**** Kernel headers don't seem to be available, can't compile the module. Sleeping now. . . ****"
sleep infinity
fi
-fi
-
-# prepare symlinks
-rm -rf /etc/wireguard
-mkdir -p /etc/wireguard
-ln -s /config/wg0.conf /etc/wireguard/wg0.conf
-
-[[ ! -f /config/templates/peer.conf ]] && \
- cp /defaults/peer.conf /config/templates/peer.conf
-
-echo "**** Client mode selected. ****"
-if [ ! -f /config/wg0.conf ]; then
- echo "**** No client conf found. Provide your own client conf as \"/config/wg0.conf\" and restart the container. ****"
- sleep infinity
-fi
-
-# permissions
-chown -R abc:abc \
- /config
+fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/10-firewall b/rootfs/etc/cont-init.d/20-inet
similarity index 85%
rename from rootfs/etc/cont-init.d/10-firewall
rename to rootfs/etc/cont-init.d/20-inet
index 6e21a781..9b8657d8 100644
--- a/rootfs/etc/cont-init.d/10-firewall
+++ b/rootfs/etc/cont-init.d/20-inet
@@ -12,15 +12,11 @@ docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;g
echo "$result"
))
if [ -z "$docker_networks" ]; then
- echo "No inet network"
+ echo "[$(date -Iseconds)] No inet network"
exit
fi
-iptables -F
-iptables -X
-iptables -P INPUT DROP
-iptables -P OUTPUT DROP
-iptables -P FORWARD DROP
+echo "[$(date -Iseconds)] Enabling connection to secure interface and docker network"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
@@ -32,6 +28,7 @@ iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d api.nordvpn.com -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
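Review bot: `iptables -A OUTPUT -o eth0 -d api.nordvpn.com -j ACCEPT` resolves the host name once when the rule is inserted and expands to one rule per address returned; it allows every protocol and port to those addresses, and if the DNS answer changes later the allow silently goes stale while the OUTPUT DROP policy blocks the new addresses. A comment on the line, `# resolved at rule-insertion time; re-run this script if the API addresses change`, plus restricting the rule to the protocol and port actually used, would document the trade-off. The interface name `eth0` is hard-coded here, unlike the `docker_networks` detection above, which derives interfaces from `ip link`.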
diff --git a/rootfs/etc/cont-init.d/10-firewall6 b/rootfs/etc/cont-init.d/20-inet6
similarity index 89%
rename from rootfs/etc/cont-init.d/10-firewall6
rename to rootfs/etc/cont-init.d/20-inet6
index e11338fd..d95be8a2 100644
--- a/rootfs/etc/cont-init.d/10-firewall6
+++ b/rootfs/etc/cont-init.d/20-inet6
@@ -12,15 +12,11 @@ docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;g
echo "$result"
))
if [ -z "$docker_networks" ]; then
- echo "No inet6 network"
+ echo "[$(date -Iseconds)] No inet6 network"
exit
fi
-ip6tables -F
-ip6tables -X
-ip6tables -P INPUT DROP
-ip6tables -P OUTPUT DROP
-ip6tables -P FORWARD DROP
+echo "[$(date -Iseconds)] Enabling connection to secure interface6 and docker network6"
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
diff --git a/rootfs/etc/cont-init.d/20-route b/rootfs/etc/cont-init.d/20-route
deleted file mode 100644
index b2431cbb..00000000
--- a/rootfs/etc/cont-init.d/20-route
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-if [ -n "$NET_LOCAL" ]; then
- gw="$(ip route | awk '/default/{print $3}')"
- for net in ${NET_LOCAL//[;,]/ }; do
- iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
- iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
- ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
- done
-fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
new file mode 100644
index 00000000..d38eaf01
--- /dev/null
+++ b/rootfs/etc/cont-init.d/30-route
@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv bash
+
+if [ -n "$NET_LOCAL" ]; then
+ gw="$(ip route | awk '/default/{print $3}')"
+ for net in ${NET_LOCAL//[;,]/ }; do
+ echo "[$(date -Iseconds)] Enabling connection to network ${net}"
+ iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+ done
+fi
+
+if [[ -n ${WHITELIST} ]]; then
+ for domain in ${WHITELIST//[;,]/ }; do
+ domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
+ echo "[$(date -Iseconds)] Enabling connection to host ${domain}"
+ iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
+ done
+fi
\ No newline at end of file
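Review bot: `ip route | grep -q "$net"` is a regex substring test: the dots in `$net` match any character and a prefix like `10.0.0.0/8` is matched by an unrelated line that merely contains it, so `ip route add` can be skipped while the route is actually absent. Use a fixed-string, whole-token match, e.g. `ip route | grep -qF -- "$net " || ip route add "$net" via "$gw" dev eth0`, or query the prefix directly with `ip route show "$net"`; the same check appears in 30-route6 at L3705. In the `WHITELIST` loop the `sed` strips a scheme and a path but not a `:port` suffix, and the `iptables -d` lookup happens once at startup, so a failed resolution only prints an error after `Enabling connection to host` has already been logged.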
diff --git a/rootfs/etc/cont-init.d/20-route6 b/rootfs/etc/cont-init.d/30-route6
similarity index 82%
rename from rootfs/etc/cont-init.d/20-route6
rename to rootfs/etc/cont-init.d/30-route6
index 9da1e619..0cb8fb6c 100644
--- a/rootfs/etc/cont-init.d/20-route6
+++ b/rootfs/etc/cont-init.d/30-route6
@@ -3,6 +3,7 @@
if [ -n "$NET6_LOCAL" ]; then
gw="$(ip -6 route | awk '/default/{print $3}')"
for net in ${NET6_LOCAL//[;,]/ }; do
+ echo "[$(date -Iseconds)] Enabling connection to network ${net}"
ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
From afc52d5bf50247755271d7070fd9197dabb5ca82 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 03:38:09 -0500
Subject: [PATCH 09/84] remove time stamp
---
rootfs/etc/cont-init.d/00-firewall | 2 +-
rootfs/etc/cont-init.d/10-module | 8 ++++----
rootfs/etc/cont-init.d/20-inet | 4 ++--
rootfs/etc/cont-init.d/20-inet6 | 4 ++--
rootfs/etc/cont-init.d/30-route | 4 ++--
rootfs/etc/cont-init.d/30-route6 | 2 +-
6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/rootfs/etc/cont-init.d/00-firewall b/rootfs/etc/cont-init.d/00-firewall
index 93f89d02..d5e65552 100644
--- a/rootfs/etc/cont-init.d/00-firewall
+++ b/rootfs/etc/cont-init.d/00-firewall
@@ -11,4 +11,4 @@ iptables -X
ip6tables -F 2>/dev/null
ip6tables -X 2>/dev/null
-echo "[$(date -Iseconds)] Firewall is up, everything has to go through the vpn"
\ No newline at end of file
+echo "Firewall is up, everything has to go through the vpn"
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/10-module b/rootfs/etc/cont-init.d/10-module
index 34a322d1..38ec638f 100644
--- a/rootfs/etc/cont-init.d/10-module
+++ b/rootfs/etc/cont-init.d/10-module
@@ -1,18 +1,18 @@
#!/bin/bash
-echo "[$(date -Iseconds)] Uname info: $(uname -a)"
+echo "Uname info: $(uname -a)"
# check for wireguard module
ip link del dev test 2>/dev/null
if ip link add dev test type wireguard; then
- echo "[$(date -Iseconds)] Wireguard module is active"
+ echo "Wireguard module is active"
ip link del dev test
exit
fi
-echo "[$(date -Iseconds)] The wireguard module is not active, please install it on the host and try again (https://www.wireguard.com/install/)"
+echo "The wireguard module is not active, please install it on the host and try again (https://www.wireguard.com/install/)"
exit 1
-#TODO install module ?
+#TODO install module ?
# install headers if necessary
if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; then
diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
index 9b8657d8..a2a50f54 100644
--- a/rootfs/etc/cont-init.d/20-inet
+++ b/rootfs/etc/cont-init.d/20-inet
@@ -12,11 +12,11 @@ docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;g
echo "$result"
))
if [ -z "$docker_networks" ]; then
- echo "[$(date -Iseconds)] No inet network"
+ echo "No inet network"
exit
fi
-echo "[$(date -Iseconds)] Enabling connection to secure interface and docker network"
+echo "Enabling connection to secure interface and docker network"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
index d95be8a2..576d1e81 100644
--- a/rootfs/etc/cont-init.d/20-inet6
+++ b/rootfs/etc/cont-init.d/20-inet6
@@ -12,11 +12,11 @@ docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;g
echo "$result"
))
if [ -z "$docker_networks" ]; then
- echo "[$(date -Iseconds)] No inet6 network"
+ echo "No inet6 network"
exit
fi
-echo "[$(date -Iseconds)] Enabling connection to secure interface6 and docker network6"
+echo "Enabling connection to secure interface6 and docker network6"
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
index d38eaf01..f678d91c 100644
--- a/rootfs/etc/cont-init.d/30-route
+++ b/rootfs/etc/cont-init.d/30-route
@@ -3,7 +3,7 @@
if [ -n "$NET_LOCAL" ]; then
gw="$(ip route | awk '/default/{print $3}')"
for net in ${NET_LOCAL//[;,]/ }; do
- echo "[$(date -Iseconds)] Enabling connection to network ${net}"
+ echo "Enabling connection to network ${net}"
iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
@@ -13,7 +13,7 @@ fi
if [[ -n ${WHITELIST} ]]; then
for domain in ${WHITELIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
- echo "[$(date -Iseconds)] Enabling connection to host ${domain}"
+ echo "Enabling connection to host ${domain}"
iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
done
fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/30-route6 b/rootfs/etc/cont-init.d/30-route6
index 0cb8fb6c..7b278f37 100644
--- a/rootfs/etc/cont-init.d/30-route6
+++ b/rootfs/etc/cont-init.d/30-route6
@@ -3,7 +3,7 @@
if [ -n "$NET6_LOCAL" ]; then
gw="$(ip -6 route | awk '/default/{print $3}')"
for net in ${NET6_LOCAL//[;,]/ }; do
- echo "[$(date -Iseconds)] Enabling connection to network ${net}"
+ echo "Enabling connection to network ${net}"
ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
From ddc2fb4a640cfbf81cfad16634bc33cc7034a992 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 04:09:11 -0500
Subject: [PATCH 10/84] connects but traffic doesn't flow
---
rootfs/etc/services.d/wireguard/run | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rootfs/etc/services.d/wireguard/run b/rootfs/etc/services.d/wireguard/run
index 45de5181..594297b0 100644
--- a/rootfs/etc/services.d/wireguard/run
+++ b/rootfs/etc/services.d/wireguard/run
@@ -4,7 +4,7 @@ _term() {
wg-quick down wg0
}
-trap _term SIGTERM SIGINT EXIT
+trap _term SIGTERM
wg-quick up wg0
From b1faf9f45866651b50d9b1569d2f7b07062836aa Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 11:24:35 -0500
Subject: [PATCH 11/84] refactor
---
rootfs/etc/cont-init.d/00-firewall | 4 ----
rootfs/etc/cont-init.d/20-inet | 3 +++
rootfs/etc/cont-init.d/20-inet6 | 3 +++
3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/rootfs/etc/cont-init.d/00-firewall b/rootfs/etc/cont-init.d/00-firewall
index d5e65552..36b06680 100644
--- a/rootfs/etc/cont-init.d/00-firewall
+++ b/rootfs/etc/cont-init.d/00-firewall
@@ -6,9 +6,5 @@ iptables -P FORWARD DROP
ip6tables -P OUTPUT DROP 2>/dev/null
ip6tables -P INPUT DROP 2>/dev/null
ip6tables -P FORWARD DROP 2>/dev/null
-iptables -F
-iptables -X
-ip6tables -F 2>/dev/null
-ip6tables -X 2>/dev/null
echo "Firewall is up, everything has to go through the vpn"
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
index a2a50f54..6c3aa1bf 100644
--- a/rootfs/etc/cont-init.d/20-inet
+++ b/rootfs/etc/cont-init.d/20-inet
@@ -18,6 +18,9 @@ fi
echo "Enabling connection to secure interface and docker network"
+iptables -F
+iptables -X
+
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s "${docker_networks}" -j ACCEPT
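Review bot: The flush moved here now sits after the `No inet network` early exit above it, so when `docker_networks` is empty any pre-existing rules are kept — harmless in a fresh container, but in a shared network namespace (`network_mode`) leftover ACCEPT rules from a previous run would survive next to the DROP policies set in 00-firewall. Keeping `iptables -F` / `iptables -X` in 00-firewall after the `-P` lines (a flush does not touch policies) removes that dependency; 20-inet6 at L3876–L3883 has the same structure with `ip6tables`.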
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
index 576d1e81..75802a1c 100644
--- a/rootfs/etc/cont-init.d/20-inet6
+++ b/rootfs/etc/cont-init.d/20-inet6
@@ -18,6 +18,9 @@ fi
echo "Enabling connection to secure interface6 and docker network6"
+ip6tables -F
+ip6tables -X
+
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -s "${docker_networks}" -j ACCEPT
From 6c18312b2c4d1dd84cc33f54cdbe20b2cecaa840 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 11:46:46 -0500
Subject: [PATCH 12/84] only https connection to api.nordvpn.com
---
rootfs/etc/cont-init.d/20-inet | 2 +-
rootfs/etc/cont-init.d/20-inet6 | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
index 6c3aa1bf..4ada1775 100644
--- a/rootfs/etc/cont-init.d/20-inet
+++ b/rootfs/etc/cont-init.d/20-inet
@@ -31,7 +31,7 @@ iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -o eth0 -d api.nordvpn.com -j ACCEPT
+iptables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
index 75802a1c..a7eb3436 100644
--- a/rootfs/etc/cont-init.d/20-inet6
+++ b/rootfs/etc/cont-init.d/20-inet6
@@ -31,6 +31,7 @@ ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
ip6tables -A OUTPUT -o wg+ -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i lo -j ACCEPT
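Review bot: `ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT` only works if the name has an IPv6 record; otherwise ip6tables fails with a resolution error and, since the script has no `set -e`, execution continues with a stray error in the log and no IPv6 allow at all. If that is acceptable, say so on the line, `# skipped with an error when api.nordvpn.com has no AAAA record`, or guard it with `|| echo "no IPv6 address for api.nordvpn.com, skipping"`. As with the IPv4 rule it is resolved once at insertion time.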
From cf959c52969bf24418060c1eafadd95eb1c0ee98 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 11:54:43 -0500
Subject: [PATCH 13/84] ALLOW LIST
---
rootfs/etc/cont-init.d/30-route | 8 --------
rootfs/etc/cont-init.d/40-allowlist | 9 +++++++++
rootfs/etc/cont-init.d/40-config | 1 -
3 files changed, 9 insertions(+), 9 deletions(-)
create mode 100644 rootfs/etc/cont-init.d/40-allowlist
delete mode 100644 rootfs/etc/cont-init.d/40-config
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
index f678d91c..e2be3926 100644
--- a/rootfs/etc/cont-init.d/30-route
+++ b/rootfs/etc/cont-init.d/30-route
@@ -8,12 +8,4 @@ if [ -n "$NET_LOCAL" ]; then
iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
done
-fi
-
-if [[ -n ${WHITELIST} ]]; then
- for domain in ${WHITELIST//[;,]/ }; do
- domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
- echo "Enabling connection to host ${domain}"
- iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
- done
fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
new file mode 100644
index 00000000..30a97e29
--- /dev/null
+++ b/rootfs/etc/cont-init.d/40-allowlist
@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+if [[ -n ${ALLOW_LIST} ]]; then
+ for domain in ${ALLOW_LIST//[;,]/ }; do
+ domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
+ echo "Enabling connection to host ${domain}"
+ iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
+ done
+fi
\ No newline at end of file
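Review bot: The `sed` on the fifth line strips a scheme and a path but leaves a `:port` suffix, so an entry like `example.com:8443` reaches `iptables -d` unchanged and the rule fails; because there is no `set -e` and the success message is printed before the `iptables` call, the log claims the host was enabled even when no rule was inserted. Reorder to `iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT && echo "Enabling connection to host ${domain}" || echo "Failed to allow ${domain}"`. The allow is also resolved once at insertion and covers every protocol and port on the returned addresses, which deserves a comment in the file since `ALLOW_LIST` is user-supplied configuration.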
diff --git a/rootfs/etc/cont-init.d/40-config b/rootfs/etc/cont-init.d/40-config
deleted file mode 100644
index 03475346..00000000
--- a/rootfs/etc/cont-init.d/40-config
+++ /dev/null
@@ -1 +0,0 @@
-#!/usr/bin/with-contenv bash
\ No newline at end of file
From e6d0eedc6adf6e271df202ab385c96df4fcae250 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 13:08:52 -0500
Subject: [PATCH 14/84] basic config file
---
rootfs/etc/cont-init.d/50-config | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100755 rootfs/etc/cont-init.d/50-config
diff --git a/rootfs/etc/cont-init.d/50-config b/rootfs/etc/cont-init.d/50-config
new file mode 100755
index 00000000..1ea4142b
--- /dev/null
+++ b/rootfs/etc/cont-init.d/50-config
@@ -0,0 +1,26 @@
+#!/usr/bin/with-contenv bash
+
+#TODO wip!
+
+wg0="/etc/wireguard/wg0.conf"
+cat >${wg0} <> ${wg0}
+ echo "PublicKey = $(jq --argjson i "$i" -r '.[$i] | (.technologies|.[].metadata|.[].value)' <<< "${recommendations}")" >> ${wg0}
+ echo "Endpoint = $(jq --argjson i "$i" -r '.[$i] | .hostname' <<< "${recommendations}"):51820" >> ${wg0}
+ echo "AllowedIPs = 0.0.0.0/0" >> ${wg0}
+ echo "PersistentKeepalive = 25" >> ${wg0}
+ echo "" >> ${wg0}
+done
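Review bot: The jq selector `.technologies|.[].metadata|.[].value` emits every metadata value of every technology on the server entry, not specifically the WireGuard public key, so a response with more than one metadata entry produces a `PublicKey =` line with several values and wg-quick rejects the file; narrow it to the technology queried and to the metadata entry holding the key, e.g. `.technologies[] | select(.identifier == "wireguard_udp") | .metadata[] | select(.name == "public_key") | .value` (confirm the `name` value against the API response). The heredoc head on the sixth line appears fused in this rendering, so the `[Interface]` part of the generated config, including where the private key comes from, cannot be reviewed here. Nothing checks that `recommendations` is non-empty before it is interpolated into the config.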
From 2a288e9a0351623862f625968d36156eda5e74e5 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 18:03:06 -0500
Subject: [PATCH 15/84] same file works on diff client
---
rootfs/etc/cont-init.d/50-config | 28 ++++++++++------------------
1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/rootfs/etc/cont-init.d/50-config b/rootfs/etc/cont-init.d/50-config
index 1ea4142b..6834054a 100755
--- a/rootfs/etc/cont-init.d/50-config
+++ b/rootfs/etc/cont-init.d/50-config
@@ -1,26 +1,18 @@
#!/usr/bin/with-contenv bash
#TODO wip!
+recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1")
-wg0="/etc/wireguard/wg0.conf"
-cat >${wg0} </etc/wireguard/wg0.conf <> ${wg0}
- echo "PublicKey = $(jq --argjson i "$i" -r '.[$i] | (.technologies|.[].metadata|.[].value)' <<< "${recommendations}")" >> ${wg0}
- echo "Endpoint = $(jq --argjson i "$i" -r '.[$i] | .hostname' <<< "${recommendations}"):51820" >> ${wg0}
- echo "AllowedIPs = 0.0.0.0/0" >> ${wg0}
- echo "PersistentKeepalive = 25" >> ${wg0}
- echo "" >> ${wg0}
-done
+[Peer]
+PublicKey = $(jq -r '.[0] | (.technologies|.[].metadata|.[].value)' <<< "${recommendations}")
+AllowedIPs = 0.0.0.0/0
+Endpoint = $(jq -r '.[0] | .hostname' <<< "${recommendations}"):51820
+PersistentKeepalive = 25
+EOL
\ No newline at end of file
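Review bot: `recommendations=$(curl -s "https://api.nordvpn.com/…")` has no `-f`/`--fail`, no `--max-time`, and nothing checks the result, so an HTTP error body, an empty response or a hung request flows straight into the heredoc and yields `PublicKey = ` and `Endpoint = :51820` lines that only surface as a confusing wg-quick failure later. Use `curl -fsS -g --max-time 30` (`-g` because the URL carries literal brackets) and abort with a clear log line when `jq -e '.[0]' <<< "${recommendations}"` fails. The heredoc head on the fifth line appears fused in this rendering; the jq selector still takes every metadata value rather than the WireGuard public key specifically, as noted on the previous hunk.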
From f7a8d2ff98b1a08f0a0d5e3d58f68894b32d321b Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 12 Sep 2021 19:21:15 -0500
Subject: [PATCH 16/84] preparing for reconnects
(cherry picked from commit ce788302d007ff9e55da0936767b9e273b7a8ab1)
---
rootfs/etc/cont-init.d/50-config | 18 ------------------
rootfs/etc/services.d/wireguard/finish | 3 +++
rootfs/etc/services.d/wireguard/run | 22 +++++++++++++++++-----
3 files changed, 20 insertions(+), 23 deletions(-)
delete mode 100755 rootfs/etc/cont-init.d/50-config
create mode 100644 rootfs/etc/services.d/wireguard/finish
diff --git a/rootfs/etc/cont-init.d/50-config b/rootfs/etc/cont-init.d/50-config
deleted file mode 100755
index 6834054a..00000000
--- a/rootfs/etc/cont-init.d/50-config
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-#TODO wip!
-recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1")
-
-cat >/etc/wireguard/wg0.conf </etc/wireguard/wg0.conf <
Date: Tue, 14 Sep 2021 04:29:15 -0500
Subject: [PATCH 17/84] working!
---
Dockerfile | 4 ++--
rootfs/etc/services.d/wireguard/run | 6 +++---
rootfs/{tmp => patch}/wg-quick.patch | 0
3 files changed, 5 insertions(+), 5 deletions(-)
rename rootfs/{tmp => patch}/wg-quick.patch (100%)
diff --git a/Dockerfile b/Dockerfile
index e7a07d74..73c6d0f2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,6 @@ LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /rootfs /
RUN apk add --no-cache -U wireguard-tools curl jq patch && \
- patch --verbose -p0 < /tmp/wg-quick.patch && \
+ patch --verbose -p0 < /patch/wg-quick.patch && \
apk del --purge patch && \
- rm -rf /tmp/*
\ No newline at end of file
+ rm -rf /tmp/* /patch
\ No newline at end of file
diff --git a/rootfs/etc/services.d/wireguard/run b/rootfs/etc/services.d/wireguard/run
index fabf60c1..047b3d34 100644
--- a/rootfs/etc/services.d/wireguard/run
+++ b/rootfs/etc/services.d/wireguard/run
@@ -7,9 +7,8 @@ cat >/etc/wireguard/wg0.conf <
Date: Tue, 14 Sep 2021 05:23:51 -0500
Subject: [PATCH 18/84] adding documentation
---
.dockerignore | 46 +++++--
.github/workflows/docker-image-ci.yml | 4 +-
.gitignore | 9 +-
README.md | 188 +++++++-------------------
rootfs/etc/cont-init.d/10-module | 2 +-
rootfs/etc/services.d/wireguard/run | 1 -
6 files changed, 81 insertions(+), 169 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index 8b382ded..01456724 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -32,17 +32,6 @@ Network Trash Folder
Temporary Items
.apdisk
-### VisualStudioCode template
-.vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-*.code-workspace
-
-# Local History for Visual Studio Code
-.history/
-
### JetBrains template
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
@@ -67,6 +56,37 @@ crashlytics.properties
crashlytics-build.properties
fabric.properties
+### VisualStudioCode template
+.vscode
+
+# Local History for Visual Studio Code
+.history/
+
+### Windows template
+# Windows thumbnail cache files
+Thumbs.db
+Thumbs.db:encryptable
+ehthumbs.db
+ehthumbs_vista.db
+
+# Dump file
+*.stackdump
+
+# Folder config file
+[Dd]esktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Windows Installer files
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# Windows shortcuts
+*.lnk
### Linux template
*~
@@ -98,9 +118,7 @@ Sessionx.vim
# Temporary
.netrwhist
-*~
# Auto-generated tag files
tags
# Persistent undo
-[._]*.un~
-
+[._]*.un~
\ No newline at end of file
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 0c74dca8..8ec4d0b5 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -26,11 +26,9 @@ jobs:
- name: Get Tags
id: meta
run: |
- tags="ghcr.io/${{ github.repository }}:daily,${{ github.repository }}:daily,\
- ghcr.io/${{ github.repository }}:edge,${{ github.repository }}:edge"
+ tags="ghcr.io/${{ github.repository }}:edge,${{ github.repository }}:edge"
if [[ $(date '+%d') == 01 || "${{ github.event_name }}" == "push" ]]; then
tags="${tags},ghcr.io/${{ github.repository }}:latest,${{ github.repository }}:latest,\
- ghcr.io/${{ github.repository }}:monthly,${{ github.repository }}:monthly,\
ghcr.io/${{ github.repository }}:$(date '+%Y%m%d'),${{ github.repository }}:$(date '+%Y%m%d')"
fi
echo "::set-output name=tags::${tags}"
diff --git a/.gitignore b/.gitignore
index 232bf037..ebcf0741 100644
--- a/.gitignore
+++ b/.gitignore
@@ -50,14 +50,8 @@ crashlytics.properties
crashlytics-build.properties
fabric.properties
-
### VisualStudioCode template
-.vscode/*
-!.vscode/settings.json
-!.vscode/tasks.json
-!.vscode/launch.json
-!.vscode/extensions.json
-*.code-workspace
+.vscode
# Local History for Visual Studio Code
.history/
@@ -118,7 +112,6 @@ Sessionx.vim
# Temporary
.netrwhist
-*~
# Auto-generated tag files
tags
# Persistent undo
diff --git a/README.md b/README.md
index bd533d3d..14a02bda 100644
--- a/README.md
+++ b/README.md
@@ -1,99 +1,75 @@
-# [bubuntux/docker-nordlynx](https://github.com/bubuntux/docker-nordlynx)
+# [bbtux/nordlynx](https://github.com/bbtux/nordlynx)
-[](https://github.com/linuxserver/docker-wireguard)
-[](https://github.com/linuxserver/docker-wireguard/releases)
-[](https://github.com/linuxserver/docker-wireguard/packages)
-[](https://gitlab.com/linuxserver.io/docker-wireguard/container_registry)
-[](https://hub.docker.com/r/linuxserver/wireguard)
-[](https://hub.docker.com/r/linuxserver/wireguard)
-[](https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-wireguard/job/master/)
-
-[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
-
-[](https://www.wireguard.com/)
+---
+[](https://github.com/bbtux/nordlynx)
+[](https://github.com/bbtux/nordlynx/releases)
+[](https://github.com/bbtux/nordlynx/packages)
+[](https://hub.docker.com/r/bbtux/nordlynx)
+[](https://hub.docker.com/r/bbtux/nordlynx)
-## Supported Architectures
+## Quick reference
-Our images support multiple architectures such as `x86-64`, `arm64` and `armhf`. We utilise the docker manifest for multi-platform awareness. More information is available from docker [here](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#manifest-list) and our announcement [here](https://blog.linuxserver.io/2019/02/21/the-lsio-pipeline-project/).
+---
+- **Maintained by**: [Julio Gutierrez](https://github.com/bubuntux)
+- **Where to get help**: [Github discussions](https://github.com/bbtux/nordlynx/discussions)
-Simply pulling `ghcr.io/linuxserver/wireguard` should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
+## Supported tags
-The architectures supported by this image are:
+---
+- edge (created nightly)
+- latest (created monthly)
+- YYYYmmdd
-| Architecture | Tag |
-| :----: | --- |
-| x86-64 | amd64-latest |
-| arm64 | arm64v8-latest |
-| armhf | arm32v7-latest |
+## Quick reference (cont.)
-## Application Setup
+---
+- **Where to file issues**: [Github issues](https://github.com/bbtux/nordlynx/issues)
+- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v6, arm32v7, arm64, i386, ppc64le, s390x
+- **Published image artifact details**: [DockerHub](https://hub.docker.com/r/bbtux/nordlynx), [Github packages](https://github.com/bbtux/nordlynx/pkgs/container/nordlynx)
+- **Continuous integration**: [Github actions](https://github.com/bbtux/nordlynx/actions)
+- **Source**: [Github](https://github.com/bbtux/nordlynx)
-This image is designed for Ubuntu and Debian based systems mainly (it works on some others, but ymmv). During container start, it will first check if the wireguard module is already installed and loaded. If not, it will then check if the kernel headers are already installed (in `/usr/src`) and if not, attempt to download the necessary kernel headers from the ubuntu/debian/raspbian repos; then will compile and install the kernel module.
+## What is NordLynx?
-If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
+---
+NordLynx is a technology built around the WireGuard® VPN protocol. It lets you experience WireGuard’s speed benefits without compromising your privacy. You can find more information about NordLynx in [this blog post](https://nordvpn.com/blog/nordlynx-protocol-wireguard/).
+[](https://nordvpn.com/blog/nordlynx-protocol-wireguard/)
-With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images prior to focal](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
+## What is WireGuard?
-This can be run as a server or a client, based on the parameters used.
+---
+[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
-## Client Mode
-Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
+[](https://www.wireguard.com/)
-If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
## Road warriors, roaming and returning home
+
+---
If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
Both of these approaches have positives and negatives however their setup is out of scope for this document as everyone's network layout and equipment will be different.
-## Maintaining local access to attached services
-
-** Note: This is not a supported configuration by Linuxserver.io - use at your own risk.
-
-When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
-
- ```
- [Interface]
- PrivateKey =
- Address = 9.8.7.6/32
- DNS = 8.8.8.8
- PostUp = DROUTE=$(ip route | grep default | awk '{print $3}'); HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route add $HOMENET3 via $DROUTE;ip route add $HOMENET2 via $DROUTE; ip route add $HOMENET via $DROUTE;iptables -I OUTPUT -d $HOMENET -j ACCEPT;iptables -A OUTPUT -d $HOMENET2 -j ACCEPT; iptables -A OUTPUT -d $HOMENET3 -j ACCEPT; iptables -A OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
- PreDown = HOMENET=192.168.0.0/16; HOMENET2=10.0.0.0/8; HOMENET3=172.16.0.0/12; ip route del $HOMENET3 via $DROUTE;ip route del $HOMENET2 via $DROUTE; ip route del $HOMENET via $DROUTE; iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT; iptables -D OUTPUT -d $HOMENET -j ACCEPT; iptables -D OUTPUT -d $HOMENET2 -j ACCEPT; iptables -D OUTPUT -d $HOMENET3 -j ACCEPT
- ```
-
## Usage
+---
Here are some example snippets to help you get started creating a container.
-### docker-compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose))
+### docker-compose (recommended, [click here for more info](https://docs.docker.com/compose/))
```yaml
---
-version: "2.1"
+version: "3"
services:
wireguard:
- image: ghcr.io/linuxserver/wireguard
+ image: ghcr.io/bbtux/nordlynx
container_name: wireguard
cap_add:
- NET_ADMIN
- - SYS_MODULE
environment:
- - PUID=1000
- - PGID=1000
- - TZ=Europe/London
- - SERVERURL=wireguard.domain.com #optional
- - SERVERPORT=51820 #optional
- - PEERS=1 #optional
- - PEERDNS=auto #optional
- - INTERNAL_SUBNET=10.13.13.0 #optional
- - ALLOWEDIPS=0.0.0.0/0 #optional
- volumes:
- - /path/to/appdata/config:/config
- - /lib/modules:/lib/modules
- ports:
- - 51820:51820/udp
+ - PRIVATE_KEY=xxxxxxxxx #required
sysctls:
- net.ipv4.conf.all.src_valid_mark=1
restart: unless-stopped
@@ -103,45 +79,23 @@ services:
```bash
docker run -d \
- --name=wireguard \
+ --name=nordlynx \
--cap-add=NET_ADMIN \
- --cap-add=SYS_MODULE \
- -e PUID=1000 \
- -e PGID=1000 \
- -e TZ=Europe/London \
- -e SERVERURL=wireguard.domain.com `#optional` \
- -e SERVERPORT=51820 `#optional` \
- -e PEERS=1 `#optional` \
- -e PEERDNS=auto `#optional` \
- -e INTERNAL_SUBNET=10.13.13.0 `#optional` \
- -e ALLOWEDIPS=0.0.0.0/0 `#optional` \
- -p 51820:51820/udp \
- -v /path/to/appdata/config:/config \
- -v /lib/modules:/lib/modules \
+ -e PRIVATE_KEY=xxxxxxxxx `#required` \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" \
--restart unless-stopped \
- ghcr.io/linuxserver/wireguard
+ ghcr.io/bbtux/nordlynx
```
## Parameters
+---
Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `:` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
| Parameter | Function |
| :----: | --- |
-| `-p 51820/udp` | wireguard port |
-| `-e PUID=1000` | for UserID - see below for explanation |
-| `-e PGID=1000` | for GroupID - see below for explanation |
-| `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London |
-| `-e SERVERURL=wireguard.domain.com` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
-| `-e SERVERPORT=51820` | External port for docker host. Used in server mode. |
-| `-e PEERS=1` | Number of peers to create confs for. Required for server mode. Can be a list of names too: myPC,myPhone,myTablet... |
-| `-e PEERDNS=auto` | DNS server set in peer/client configs (can be set as `8.8.8.8`). Used in server mode. Defaults to `auto`, which uses wireguard docker host's DNS via included CoreDNS forward. |
-| `-e INTERNAL_SUBNET=10.13.13.0` | Internal subnet for the wireguard and server and peers (only change if it clashes). Used in server mode. |
-| `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
-| `-v /config` | Contains all relevant configuration files. |
-| `-v /lib/modules` | Maps host's modules folder. |
-| `--sysctl=` | Required for client mode. |
+| `-e PRIVATE_KEY=xxxxxxxxx` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
+| `--sysctl=net.ipv4.conf.all.src_valid_mark=1` | Required. |
## Environment variables from files (Docker secrets)
@@ -155,39 +109,10 @@ As an example:
Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
-## Umask for running applications
-
-For all of our images we provide the ability to override the default umask settings for services started within the containers using the optional `-e UMASK=022` setting.
-Keep in mind umask is not chmod it subtracts from permissions based on it's value it does not add. Please read up [here](https://en.wikipedia.org/wiki/Umask) before asking for support.
-
-## User / Group Identifiers
-
-When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
-
-Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
-
-In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
-
-```bash
- $ id username
- uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
-```
-
-## Support Info
-
-* Shell access whilst the container is running: `docker exec -it wireguard /bin/bash`
-* To monitor the logs of the container in realtime: `docker logs -f wireguard`
-* container version number
- * `docker inspect -f '{{ index .Config.Labels "build_version" }}' wireguard`
-* image version number
- * `docker inspect -f '{{ index .Config.Labels "build_version" }}' ghcr.io/linuxserver/wireguard`
## Updating Info
-Most of our images are static, versioned, and require an image update and container recreation to update the app inside. With some exceptions (ie. nextcloud, plex), we do not recommend or support updating apps inside the container. Please consult the [Application Setup](#application-setup) section above to see if it is recommended for the image.
-
-Below are the instructions for updating containers:
-
+---
### Via Docker Compose
* Update all images: `docker-compose pull`
@@ -221,25 +146,4 @@ Below are the instructions for updating containers:
### Image Update Notifications - Diun (Docker Image Update Notifier)
-* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
-
-## Building locally
-
-If you want to make local modifications to these images for development purposes or just to customize the logic:
-
-```bash
-git clone https://github.com/linuxserver/docker-wireguard.git
-cd docker-wireguard
-docker build \
- --no-cache \
- --pull \
- -t ghcr.io/linuxserver/wireguard:latest .
-```
-
-The ARM variants can be built on x86_64 hardware using `multiarch/qemu-user-static`
-
-```bash
-docker run --rm --privileged multiarch/qemu-user-static:register --reset
-```
-
-Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64`.
+* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/10-module b/rootfs/etc/cont-init.d/10-module
index 38ec638f..87b36855 100644
--- a/rootfs/etc/cont-init.d/10-module
+++ b/rootfs/etc/cont-init.d/10-module
@@ -10,7 +10,7 @@ if ip link add dev test type wireguard; then
fi
echo "The wireguard module is not active, please install it on the host and try again (https://www.wireguard.com/install/)"
-exit 1
+sleep infinity
#TODO install module ?
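Review bot: Swapping `exit 1` for `sleep infinity` turns a hard failure into a container that stays in the running state doing nothing, so `restart: unless-stopped` and any orchestrator health logic never see that the kernel module is missing; the only trace is the log line, which also goes to stdout rather than stderr. If the intent is to stop s6 stage 2 from starting the wireguard service on a host without the module, that is presumably better expressed with a non-zero exit plus the overlay's `S6_BEHAVIOUR_IF_STAGE2_FAILS=2` (halt the container) than by blocking the init script, and either way the chosen behaviour deserves a comment, e.g. `# Block here rather than exit: a non-zero exit would let the remaining services start without the module`. The enclosing `if ip link add dev test type wireguard` block starts outside the hunk.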
diff --git a/rootfs/etc/services.d/wireguard/run b/rootfs/etc/services.d/wireguard/run
index 047b3d34..5c963dcf 100644
--- a/rootfs/etc/services.d/wireguard/run
+++ b/rootfs/etc/services.d/wireguard/run
@@ -1,6 +1,5 @@
#!/usr/bin/with-contenv bash
-#TODO wip!
recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1")
cat >/etc/wireguard/wg0.conf <
Date: Tue, 14 Sep 2021 05:25:58 -0500
Subject: [PATCH 19/84] update README
---
README.md | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/README.md b/README.md
index 14a02bda..a71234ca 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,5 @@
# [bbtux/nordlynx](https://github.com/bbtux/nordlynx)
----
[](https://github.com/bbtux/nordlynx)
[](https://github.com/bbtux/nordlynx/releases)
[](https://github.com/bbtux/nordlynx/packages)
@@ -9,20 +8,17 @@
## Quick reference
----
- **Maintained by**: [Julio Gutierrez](https://github.com/bubuntux)
- **Where to get help**: [Github discussions](https://github.com/bbtux/nordlynx/discussions)
## Supported tags
----
- edge (created nightly)
- latest (created monthly)
- YYYYmmdd
## Quick reference (cont.)
----
- **Where to file issues**: [Github issues](https://github.com/bbtux/nordlynx/issues)
- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v6, arm32v7, arm64, i386, ppc64le, s390x
- **Published image artifact details**: [DockerHub](https://hub.docker.com/r/bbtux/nordlynx), [Github packages](https://github.com/bbtux/nordlynx/pkgs/container/nordlynx)
@@ -31,13 +27,11 @@
## What is NordLynx?
----
NordLynx is a technology built around the WireGuard® VPN protocol. It lets you experience WireGuard’s speed benefits without compromising your privacy. You can find more information about NordLynx in [this blog post](https://nordvpn.com/blog/nordlynx-protocol-wireguard/).
[](https://nordvpn.com/blog/nordlynx-protocol-wireguard/)
## What is WireGuard?
----
[WireGuard®](https://www.wireguard.com/) is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
[](https://www.wireguard.com/)
@@ -45,7 +39,6 @@ NordLynx is a technology built around the WireGuard® VPN protocol. It lets you
## Road warriors, roaming and returning home
----
If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
@@ -54,7 +47,6 @@ Both of these approaches have positives and negatives however their setup is out
## Usage
----
Here are some example snippets to help you get started creating a container.
### docker-compose (recommended, [click here for more info](https://docs.docker.com/compose/))
@@ -89,7 +81,6 @@ docker run -d \
## Parameters
----
Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `:` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
| Parameter | Function |
@@ -112,7 +103,6 @@ Will set the environment variable `PASSWORD` based on the contents of the `/run/
## Updating Info
----
### Via Docker Compose
* Update all images: `docker-compose pull`
From 8785495ef71a4191013e8349001eea076c0aade2 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Tue, 14 Sep 2021 05:28:32 -0500
Subject: [PATCH 20/84] update README
---
README.md | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/README.md b/README.md
index a71234ca..5f5f0b8d 100644
--- a/README.md
+++ b/README.md
@@ -88,19 +88,6 @@ Container images are configured using parameters passed at runtime (such as thos
| `-e PRIVATE_KEY=xxxxxxxxx` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
| `--sysctl=net.ipv4.conf.all.src_valid_mark=1` | Required. |
-## Environment variables from files (Docker secrets)
-
-You can set any environment variable from a file by using a special prepend `FILE__`.
-
-As an example:
-
-```bash
--e FILE__PASSWORD=/run/secrets/mysecretpassword
-```
-
-Will set the environment variable `PASSWORD` based on the contents of the `/run/secrets/mysecretpassword` file.
-
-
## Updating Info
### Via Docker Compose
From de0488772664b7f299544ae55d8c0e1cb25579d7 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Tue, 14 Sep 2021 05:32:36 -0500
Subject: [PATCH 21/84] update README
---
README.md | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 5f5f0b8d..a16b4350 100644
--- a/README.md
+++ b/README.md
@@ -55,15 +55,15 @@ Here are some example snippets to help you get started creating a container.
---
version: "3"
services:
- wireguard:
+ nordlynx:
image: ghcr.io/bbtux/nordlynx
- container_name: wireguard
+ container_name: nordlynx
cap_add:
- - NET_ADMIN
+ - NET_ADMIN #required
environment:
- PRIVATE_KEY=xxxxxxxxx #required
sysctls:
- - net.ipv4.conf.all.src_valid_mark=1
+ - net.ipv4.conf.all.src_valid_mark=1 #required
restart: unless-stopped
```
@@ -72,9 +72,9 @@ services:
```bash
docker run -d \
--name=nordlynx \
- --cap-add=NET_ADMIN \
+ --cap-add=NET_ADMIN `#required` \
-e PRIVATE_KEY=xxxxxxxxx `#required` \
- --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
+ --sysctl="net.ipv4.conf.all.src_valid_mark=1" `#required` \
--restart unless-stopped \
ghcr.io/bbtux/nordlynx
```
@@ -93,17 +93,16 @@ Container images are configured using parameters passed at runtime (such as thos
### Via Docker Compose
* Update all images: `docker-compose pull`
- * or update a single image: `docker-compose pull wireguard`
+ * or update a single image: `docker-compose pull nordlynx`
* Let compose update all containers as necessary: `docker-compose up -d`
- * or update a single container: `docker-compose up -d wireguard`
+ * or update a single container: `docker-compose up -d nordlynx`
* You can also remove the old dangling images: `docker image prune`
### Via Docker Run
-* Update the image: `docker pull ghcr.io/linuxserver/wireguard`
-* Stop the running container: `docker stop wireguard`
-* Delete the container: `docker rm wireguard`
-* Recreate a new container with the same docker run parameters as instructed above (if mapped correctly to a host folder, your `/config` folder and settings will be preserved)
+* Update the image: `docker pull ghcr.io/bbtux/nordlynx`
+* Stop the running container: `docker stop nordlynx`
+* Delete the container: `docker rm nordlynx`
* You can also remove the old dangling images: `docker image prune`
### Via Watchtower auto-updater (only use if you don't remember the original parameters)
@@ -114,12 +113,12 @@ Container images are configured using parameters passed at runtime (such as thos
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
containrrr/watchtower \
- --run-once wireguard
+ --run-once nordlynx
```
* You can also remove the old dangling images: `docker image prune`
-**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.linuxserver.io/general/docker-compose).
+**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.docker.com/compose/).
### Image Update Notifications - Diun (Docker Image Update Notifier)
From 172bcdc5a10f37033686906c5e53fea96aef078d Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Tue, 14 Sep 2021 05:36:04 -0500
Subject: [PATCH 22/84] update README
---
README.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index a16b4350..162cf502 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
# [bbtux/nordlynx](https://github.com/bbtux/nordlynx)
[](https://github.com/bbtux/nordlynx)
-[](https://github.com/bbtux/nordlynx/releases)
[](https://github.com/bbtux/nordlynx/packages)
[](https://hub.docker.com/r/bbtux/nordlynx)
[](https://hub.docker.com/r/bbtux/nordlynx)
From 76ff9fa17c75368c56c78d9f7731b623d0bca986 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Tue, 14 Sep 2021 05:44:07 -0500
Subject: [PATCH 23/84] update CI
---
.github/workflows/docker-image-ci.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 8ec4d0b5..07da1c1c 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -13,14 +13,14 @@ jobs:
- name: Log into DockerHub
uses: docker/login-action@v1
with:
- username: ${{ github.actor }}
+ username: ${{ github.repository_owner }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Log into GitHub Container Registry
uses: docker/login-action@v1
with:
registry: ghcr.io
- username: ${{ github.actor }}
+ username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get Tags
From 2d3899d8213e717ca616b0c91e10bcf9146d9c18 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Tue, 14 Sep 2021 05:47:59 -0500
Subject: [PATCH 24/84] update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 162cf502..09c1292e 100644
--- a/README.md
+++ b/README.md
@@ -84,7 +84,7 @@ Container images are configured using parameters passed at runtime (such as thos
| Parameter | Function |
| :----: | --- |
-| `-e PRIVATE_KEY=xxxxxxxxx` | External IP or domain name for docker host. Used in server mode. If set to `auto`, the container will try to determine and set the external IP automatically |
+| `-e PRIVATE_KEY=xxxxxxxxx` | The private key can be obtained using the instructions of [this post](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976). |
| `--sysctl=net.ipv4.conf.all.src_valid_mark=1` | Required. |
## Updating Info
From f72524417619c5e7c98c2b228cc1161ad1d49982 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Tue, 14 Sep 2021 06:10:08 -0500
Subject: [PATCH 25/84] update README.md
---
README.md | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 09c1292e..3aa65e22 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,13 @@
-# [bbtux/nordlynx](https://github.com/bbtux/nordlynx)
-
-[](https://github.com/bbtux/nordlynx)
-[](https://github.com/bbtux/nordlynx/packages)
-[](https://hub.docker.com/r/bbtux/nordlynx)
-[](https://hub.docker.com/r/bbtux/nordlynx)
+
+ bbtux/nordlynx
+
+
+
+
+
+
+
+
## Quick reference
@@ -13,8 +17,8 @@
## Supported tags
- edge (created nightly)
-- latest (created monthly)
-- YYYYmmdd
+- latest (created monthly or on demand)
+- YYYYmmdd (created monthly or on demand)
## Quick reference (cont.)
From b494a6437fed354aa60a84649769379f6fbfa80d Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sat, 2 Oct 2021 21:13:43 -0500
Subject: [PATCH 26/84] rebase to s6on, change to use nordvpn dns
---
Dockerfile | 2 +-
rootfs/etc/services.d/wireguard/run | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 73c6d0f2..b0f4c3db 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/bubuntux/s6-alpine
+FROM s6on/alpine
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /rootfs /
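Review bot: `FROM s6on/alpine` carries no tag, so it resolves to `:latest` and every build may pull a different base; the image is not reproducible and a breaking or compromised upstream push propagates silently into a VPN image. Pin at least a tag and preferably a digest, e.g. `FROM s6on/alpine:<tag>@sha256:<digest>` (placeholders), and state in a comment why this particular third-party s6 base was chosen over the upstream s6-overlay release tarball. The later Dockerfile hunk in patch 29 moves to `s6on/ubuntu:20.04`, which fixes the tag but still has no digest.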
diff --git a/rootfs/etc/services.d/wireguard/run b/rootfs/etc/services.d/wireguard/run
index 5c963dcf..2d1da8f6 100644
--- a/rootfs/etc/services.d/wireguard/run
+++ b/rootfs/etc/services.d/wireguard/run
@@ -7,7 +7,7 @@ cat >/etc/wireguard/wg0.conf <
Date: Sat, 2 Oct 2021 21:14:40 -0500
Subject: [PATCH 27/84] wip
---
.github/workflows/docker-image-ci.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 07da1c1c..473790b6 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -1,8 +1,8 @@
name: Docker Image CI
on:
- schedule:
- - cron: '4 20 * * *'
+ #schedule:
+ # - cron: '4 20 * * *'
push:
branches: [ main ]
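Review bot: Commenting out the `schedule` trigger leaves `push` on `main` as the only trigger, so the `Get Tags` step's `$(date '+%d') == 01` branch (visible earlier in this series) can now only fire if a push happens to land on the first of the month, and the README's "edge (created nightly)" / "latest (created monthly)" promises no longer hold. If this is a temporary "wip" state, a comment saying so keeps the dead lines from becoming permanent, e.g. `# schedule disabled: <reason> — re-enable before relying on nightly edge tags`; otherwise drop the commented lines and update the README tag description in the same change.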
@@ -48,4 +48,4 @@ jobs:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
- platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386,linux/ppc64le,linux/s390x
\ No newline at end of file
+ platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386,linux/s390x
\ No newline at end of file
From 19f1f04fe0ad03cd11b5254a3f173e148366c7da Mon Sep 17 00:00:00 2001
From: Julio Guti
Date: Sun, 24 Oct 2021 00:49:42 -0500
Subject: [PATCH 28/84] add ALLOWED_IPS env variable to close #2
---
rootfs/etc/services.d/wireguard/run | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rootfs/etc/services.d/wireguard/run b/rootfs/etc/services.d/wireguard/run
index 2d1da8f6..e3b6224c 100644
--- a/rootfs/etc/services.d/wireguard/run
+++ b/rootfs/etc/services.d/wireguard/run
@@ -6,12 +6,12 @@ cat >/etc/wireguard/wg0.conf <
Date: Thu, 11 Nov 2021 20:26:08 -0600
Subject: [PATCH 29/84] migration to bubuntux repository
---
.github/workflows/docker-image-ci.yml | 2 +-
Dockerfile | 20 ++++++++--
README.md | 32 +++++++--------
rootfs/etc/cont-init.d/10-module | 57 ++++++++++++---------------
rootfs/etc/cont-init.d/30-route | 1 +
rootfs/etc/cont-init.d/30-route6 | 1 +
rootfs/etc/cont-init.d/40-allowlist | 1 +
7 files changed, 62 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 473790b6..5ecfb7f9 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -48,4 +48,4 @@ jobs:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
- platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386,linux/s390x
\ No newline at end of file
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/s390x
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index b0f4c3db..bed01aef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,21 @@
-FROM s6on/alpine
+FROM s6on/ubuntu:20.04
+ARG DEBIAN_FRONTEND=noninteractive
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /rootfs /
-RUN apk add --no-cache -U wireguard-tools curl jq patch && \
+RUN apt update -y && \
+ apt install -y curl jq patch iputils-ping wireguard && \
patch --verbose -p0 < /patch/wg-quick.patch && \
- apk del --purge patch && \
- rm -rf /tmp/* /patch
\ No newline at end of file
+ apt remove -y patch && \
+ apt autoremove -y && \
+ apt autoclean -y && \
+ rm -rf \
+ /patch \
+ /tmp/* \
+ /var/cache/apt/archives/* \
+ /var/lib/apt/lists/* \
+ /var/tmp/*
+
+#ENV S6_CMD_WAIT_FOR_SERVICES=1
+#CMD
\ No newline at end of file
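Review bot: The new install line `apt install -y curl jq patch iputils-ping wireguard` pulls in every Recommends of those packages, so the runtime image ends up with more than the service needs; the Ubuntu-idiomatic form is `apt-get install -y --no-install-recommends curl jq patch iputils-ping wireguard` (`apt-get` rather than `apt` also avoids the unstable-CLI warning in scripted use). `FROM s6on/ubuntu:20.04` is a third-party base pinned only by a mutable tag, so two builds of the same commit can differ; pinning by digest (`s6on/ubuntu:20.04@sha256:...`) would make the image reproducible. `patch --verbose -p0 < /patch/wg-quick.patch` rewrites a distro-shipped privileged script, and the patch contents are not in this hunk, so I cannot check them here; a one-line comment above the `RUN` naming what the patch changes would help future reviewers.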
diff --git a/README.md b/README.md
index 3aa65e22..dae227b0 100644
--- a/README.md
+++ b/README.md
@@ -1,18 +1,18 @@
- bbtux/nordlynx
+ bubuntux/nordlynx
-
-
-
-
-
-
+
+
+
+
+
+
## Quick reference
- **Maintained by**: [Julio Gutierrez](https://github.com/bubuntux)
-- **Where to get help**: [Github discussions](https://github.com/bbtux/nordlynx/discussions)
+- **Where to get help**: [Github discussions](https://github.com/bubuntux/nordlynx/discussions)
## Supported tags
@@ -22,11 +22,11 @@
## Quick reference (cont.)
-- **Where to file issues**: [Github issues](https://github.com/bbtux/nordlynx/issues)
-- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v6, arm32v7, arm64, i386, ppc64le, s390x
-- **Published image artifact details**: [DockerHub](https://hub.docker.com/r/bbtux/nordlynx), [Github packages](https://github.com/bbtux/nordlynx/pkgs/container/nordlynx)
-- **Continuous integration**: [Github actions](https://github.com/bbtux/nordlynx/actions)
-- **Source**: [Github](https://github.com/bbtux/nordlynx)
+- **Where to file issues**: [Github issues](https://github.com/bubuntux/nordlynx/issues)
+- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v6, arm32v7, arm64, s390x
+- **Published image artifact details**: [DockerHub](https://hub.docker.com/r/bubuntux/nordlynx), [Github packages](https://github.com/bubuntux/nordlynx/pkgs/container/nordlynx)
+- **Continuous integration**: [Github actions](https://github.com/bubuntux/nordlynx/actions)
+- **Source**: [Github](https://github.com/bubuntux/nordlynx)
## What is NordLynx?
@@ -59,7 +59,7 @@ Here are some example snippets to help you get started creating a container.
version: "3"
services:
nordlynx:
- image: ghcr.io/bbtux/nordlynx
+ image: ghcr.io/bubuntux/nordlynx
container_name: nordlynx
cap_add:
- NET_ADMIN #required
@@ -79,7 +79,7 @@ docker run -d \
-e PRIVATE_KEY=xxxxxxxxx `#required` \
--sysctl="net.ipv4.conf.all.src_valid_mark=1" `#required` \
--restart unless-stopped \
- ghcr.io/bbtux/nordlynx
+ ghcr.io/bubuntux/nordlynx
```
## Parameters
@@ -103,7 +103,7 @@ Container images are configured using parameters passed at runtime (such as thos
### Via Docker Run
-* Update the image: `docker pull ghcr.io/bbtux/nordlynx`
+* Update the image: `docker pull ghcr.io/bubuntux/nordlynx`
* Stop the running container: `docker stop nordlynx`
* Delete the container: `docker rm nordlynx`
* You can also remove the old dangling images: `docker image prune`
diff --git a/rootfs/etc/cont-init.d/10-module b/rootfs/etc/cont-init.d/10-module
index 87b36855..598e0c42 100644
--- a/rootfs/etc/cont-init.d/10-module
+++ b/rootfs/etc/cont-init.d/10-module
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
echo "Uname info: $(uname -a)"
# check for wireguard module
@@ -6,16 +6,13 @@ ip link del dev test 2>/dev/null
if ip link add dev test type wireguard; then
echo "Wireguard module is active"
ip link del dev test
- exit
+ exit 0
fi
-echo "The wireguard module is not active, please install it on the host and try again (https://www.wireguard.com/install/)"
-sleep infinity
-
-#TODO install module ?
+echo "**** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
# install headers if necessary
-if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; then
+if [ ! -e /lib/modules/$(uname -r)/build ]; then
echo "**** Attempting kernel header install ****"
apt-get update
if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
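Review bot: The condition the new flow now always reaches, `if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then`, has a malformed redirection: bash parses `2` as an extra argument to apt-cache and `&>1` sends both streams to a file literally named `1` in the working directory, so the test passes or fails depending on how apt-cache treats a stray argument rather than on whether the header package exists. It should read `if apt-cache show "linux-headers-$(uname -r)" >/dev/null 2>&1; then`. Dropping the `SKIP_COMPILE` guard also means every container start now runs `apt-get update` and attempts a header install with no operator opt-out; if that is intended, it should be stated in the README. The `if` body continues past the end of the hunk.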
@@ -107,13 +104,12 @@ DUDE
fi
fi
-if [ "$SKIP_COMPILE" != "true" ]; then
- if [ -e /lib/modules/$(uname -r)/build ]; then
- echo "**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****"
- if [ ! -f /lib/modules/$(uname -r)/build/certs/signing_key.pem ]; then
- mkdir -p /lib/modules/$(uname -r)/build/certs
- cd /lib/modules/$(uname -r)/build/certs
- cat <> x509.genkey
+if [ -e /lib/modules/$(uname -r)/build ]; then
+ echo "**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****"
+ if [ ! -f /lib/modules/$(uname -r)/build/certs/signing_key.pem ]; then
+ mkdir -p /lib/modules/$(uname -r)/build/certs
+ cd /lib/modules/$(uname -r)/build/certs
+ cat <> x509.genkey
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
@@ -130,24 +126,23 @@ keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
DUDE
- echo "**** Generating signing key ****"
- openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
- fi
- cd /app
- echo "**** Building the module ****"
- make -C wireguard-linux-compat/src -j$(nproc)
- make -C wireguard-linux-compat/src install
- echo "**** Let's test our new module. ****"
- ip link del dev test 2>/dev/null
- if ip link add dev test type wireguard; then
- echo "**** The module is active, moving forward with setup. ****"
- ip link del dev test
- else
- echo "**** The module is not active, review the logs. Sleeping now. . . ****"
- sleep infinity
- fi
+ echo "**** Generating signing key ****"
+ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
+ fi
+ cd /app
+ echo "**** Building the module ****"
+ make -C wireguard-linux-compat/src -j$(nproc)
+ make -C wireguard-linux-compat/src install
+ echo "**** Let's test our new module. ****"
+ ip link del dev test 2>/dev/null
+ if ip link add dev test type wireguard; then
+ echo "**** The module is active, moving forward with setup. ****"
+ ip link del dev test
else
- echo "**** Kernel headers don't seem to be available, can't compile the module. Sleeping now. . . ****"
+ echo "**** The module is not active, review the logs. Sleeping now. . . ****"
sleep infinity
fi
+else
+ echo "**** Kernel headers don't seem to be available, can't compile the module. Sleeping now. . . ****"
+ sleep infinity
fi
\ No newline at end of file
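Review bot: The signing key produced by `openssl req ... -nodes ... -keyout signing_key.pem` is written unencrypted into `/lib/modules/$(uname -r)/build/certs` with the process's default umask, and that path is the host kernel-headers tree, which inside a container is presumably a bind mount from the host; add `umask 077` before the openssl call (or `chmod 600 signing_key.pem` after it) so the private key is not left world-readable on the host. A freshly generated key is not in the kernel's trusted keyring, so on a kernel that enforces module signatures the built module will still be rejected; if the key only exists to satisfy the build, a comment saying so would stop the next reader from assuming it provides trust. The heredoc feeding `x509.genkey` shows here as `cat <> x509.genkey`, which looks like the `<<DUDE >>` marker was lost in extraction rather than a real change, but it is worth confirming against the repository. The exit status of the two `make` invocations is never checked, so a failed build only surfaces indirectly through the `ip link add dev test` probe; `make -C wireguard-linux-compat/src -j"$(nproc)" && make -C wireguard-linux-compat/src install || echo "**** Module build failed ****"` would make the failure explicit in the logs.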
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
index e2be3926..d72d30b7 100644
--- a/rootfs/etc/cont-init.d/30-route
+++ b/rootfs/etc/cont-init.d/30-route
@@ -1,5 +1,6 @@
#!/usr/bin/with-contenv bash
+[[ -n ${NETWORK} && -z ${NET_LOCAL} ]] && NET_LOCAL=${NETWORK}
if [ -n "$NET_LOCAL" ]; then
gw="$(ip route | awk '/default/{print $3}')"
for net in ${NET_LOCAL//[;,]/ }; do
diff --git a/rootfs/etc/cont-init.d/30-route6 b/rootfs/etc/cont-init.d/30-route6
index 7b278f37..25598eff 100644
--- a/rootfs/etc/cont-init.d/30-route6
+++ b/rootfs/etc/cont-init.d/30-route6
@@ -1,5 +1,6 @@
#!/usr/bin/with-contenv bash
+[[ -n ${NETWORK6} && -z ${NET6_LOCAL} ]] && NET6_LOCAL=${NETWORK6}
if [ -n "$NET6_LOCAL" ]; then
gw="$(ip -6 route | awk '/default/{print $3}')"
for net in ${NET6_LOCAL//[;,]/ }; do
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
index 30a97e29..facbf764 100644
--- a/rootfs/etc/cont-init.d/40-allowlist
+++ b/rootfs/etc/cont-init.d/40-allowlist
@@ -1,5 +1,6 @@
#!/usr/bin/with-contenv bash
+[[ -n ${WHITELIST} && -z ${ALLOW_LIST} ]] && ALLOW_LIST=${WHITELIST}
if [[ -n ${ALLOW_LIST} ]]; then
for domain in ${ALLOW_LIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
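Review bot: The new alias `[[ -n ${WHITELIST} && -z ${ALLOW_LIST} ]] && ALLOW_LIST=${WHITELIST}` silently honours the legacy name for a list of domains that are routed outside the VPN, so a deployment still setting `WHITELIST` gets no indication in the container logs which bypass list is in effect. Log the fallback when it fires, e.g. `echo "WHITELIST is deprecated, using it as ALLOW_LIST"`, so the bypass configuration is visible when someone audits the container output. The same pattern is introduced for `NETWORK`/`NET_LOCAL` and `NETWORK6`/`NET6_LOCAL` in this commit and would benefit from the same message. The `for` loop body continues past the end of the hunk.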
From f3f3ba4cc473d0f5ae072b3145931ad2354104f7 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 11 Nov 2021 20:34:54 -0600
Subject: [PATCH 30/84] remove arm v6
---
.github/workflows/docker-image-ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 5ecfb7f9..95282a0a 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -48,4 +48,4 @@ jobs:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
- platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6,linux/s390x
\ No newline at end of file
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/s390x
\ No newline at end of file
From 6c386d24524416d73f6693617620350da6d19c48 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 11 Nov 2021 20:44:30 -0600
Subject: [PATCH 31/84] fix build
---
Dockerfile | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bed01aef..486ad363 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,13 +3,9 @@ ARG DEBIAN_FRONTEND=noninteractive
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /rootfs /
-
-RUN apt update -y && \
- apt install -y curl jq patch iputils-ping wireguard && \
+RUN apt-get update -y && \
+ apt-get install -y curl jq patch iputils-ping wireguard && \
patch --verbose -p0 < /patch/wg-quick.patch && \
- apt remove -y patch && \
- apt autoremove -y && \
- apt autoclean -y && \
rm -rf \
/patch \
/tmp/* \
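Review bot: Removing `apt remove -y patch && apt autoremove -y && apt autoclean -y` leaves the `patch` binary in the runtime image even though it is only needed at build time for `patch --verbose -p0 < /patch/wg-quick.patch`; the commit message does not say what broke, but `apt-get purge -y patch && apt-get autoremove -y` in the same `RUN` would keep the cleanup without whatever the `apt` front-end tripped on. The install line is still `apt-get install -y curl jq patch iputils-ping wireguard` without `--no-install-recommends`, so recommended packages add to the image as well. The `rm -rf` list continues past the end of the hunk.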
From da73c7e265ca5a697b51446f670da7667344ec30 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 11 Nov 2021 21:30:56 -0600
Subject: [PATCH 32/84] update readme
---
README.md | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index dae227b0..c2c81ed1 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@
## Quick reference (cont.)
- **Where to file issues**: [Github issues](https://github.com/bubuntux/nordlynx/issues)
-- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v6, arm32v7, arm64, s390x
+- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v7, arm64, s390x
- **Published image artifact details**: [DockerHub](https://hub.docker.com/r/bubuntux/nordlynx), [Github packages](https://github.com/bubuntux/nordlynx/pkgs/container/nordlynx)
- **Continuous integration**: [Github actions](https://github.com/bubuntux/nordlynx/actions)
- **Source**: [Github](https://github.com/bubuntux/nordlynx)
@@ -82,23 +82,31 @@ docker run -d \
ghcr.io/bubuntux/nordlynx
```
-## Parameters
+## Env Variables
-Container images are configured using parameters passed at runtime (such as those above). These parameters are separated by a colon and indicate `:` respectively. For example, `-p 8080:80` would expose port `80` from inside the container to be accessible from the host's IP on port `8080` outside the container.
-
-| Parameter | Function |
+| Variable | Description |
| :----: | --- |
-| `-e PRIVATE_KEY=xxxxxxxxx` | The private key can be obtained using the instructions of [this post](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976). |
-| `--sysctl=net.ipv4.conf.all.src_valid_mark=1` | Required. |
+| `PRIVATE_KEY` | **[Required]** The private key can be obtained using `docker run --rm -e ... bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `ADDRESS` | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
+|`DNS` | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+|`ALLOWED_IPS` | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+|`PERSISTENT_KEEP_ALIVE` | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+|`ALLOW_LIST` | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+|`NET_LOCAL` | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
+|`NET6_LOCAL` | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+
+## Sysctl
+* `net.ipv4.conf.all.src_valid_mark=1` (Required)
+* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
## Updating Info
### Via Docker Compose
* Update all images: `docker-compose pull`
- * or update a single image: `docker-compose pull nordlynx`
+* or update a single image: `docker-compose pull nordlynx`
* Let compose update all containers as necessary: `docker-compose up -d`
- * or update a single container: `docker-compose up -d nordlynx`
+* or update a single container: `docker-compose up -d nordlynx`
* You can also remove the old dangling images: `docker image prune`
### Via Docker Run
From b0a8803fc318980cac75af56ab93c974a8590fed Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 11 Nov 2021 22:07:01 -0600
Subject: [PATCH 33/84] update readme, fix module compilation
---
Dockerfile | 2 +-
README.md | 20 ++++++++++----------
rootfs/etc/cont-init.d/10-module | 2 +-
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 486ad363..9339bd13 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /rootfs /
RUN apt-get update -y && \
- apt-get install -y curl jq patch iputils-ping wireguard && \
+ apt-get install -y curl jq patch net-tools iproute2 iptables openresolv iputils-ping wireguard && \
patch --verbose -p0 < /patch/wg-quick.patch && \
rm -rf \
/patch \
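Review bot: `net-tools` in the new install line duplicates what `iproute2` already provides (legacy `ifconfig`/`route` versus `ip`), so unless a script in rootfs calls the legacy tools, which I cannot see from this hunk, it is extra surface in the image; either drop it or add a comment naming the script that needs it. The line remains `apt-get install -y ...` without `--no-install-recommends` and with no version pins, so what ships changes between rebuilds of the same commit.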
diff --git a/README.md b/README.md
index c2c81ed1..be6e0f6d 100644
--- a/README.md
+++ b/README.md
@@ -84,16 +84,16 @@ docker run -d \
## Env Variables
-| Variable | Description |
-| :----: | --- |
-| `PRIVATE_KEY` | **[Required]** The private key can be obtained using `docker run --rm -e ... bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
-| `ADDRESS` | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-|`DNS` | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-|`ALLOWED_IPS` | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
-|`PERSISTENT_KEEP_ALIVE` | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-|`ALLOW_LIST` | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
-|`NET_LOCAL` | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
-|`NET6_LOCAL` | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+| Variable | Default | Description |
+| :----: | --- | --- |
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
+|`DNS` | 103.86.96.100,103.86.99.100 | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+|`ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+|`PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+|`ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+|`NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
+|`NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
## Sysctl
* `net.ipv4.conf.all.src_valid_mark=1` (Required)
diff --git a/rootfs/etc/cont-init.d/10-module b/rootfs/etc/cont-init.d/10-module
index 598e0c42..f83b1555 100644
--- a/rootfs/etc/cont-init.d/10-module
+++ b/rootfs/etc/cont-init.d/10-module
@@ -129,7 +129,7 @@ DUDE
echo "**** Generating signing key ****"
openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
fi
- cd /app
+ #cd /app
echo "**** Building the module ****"
make -C wireguard-linux-compat/src -j$(nproc)
make -C wireguard-linux-compat/src install
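Review bot: With `cd /app` commented out, `make -C wireguard-linux-compat/src -j$(nproc)` resolves the source tree relative to whatever the current directory is at this point in the script, and earlier code in this file changes it (it `cd`s into the kernel `certs` directory when it generates a signing key), so the build can succeed or fail depending on which branch ran; use an absolute path, `make -C /app/wireguard-linux-compat/src -j"$(nproc)"`, pointing at wherever the sources actually live. I also cannot find anywhere in this series that fetches `wireguard-linux-compat` into the image, so it is worth confirming the directory exists before depending on it. The enclosing `if` starts and ends outside the hunk.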
From 67f15da15bf0cd1eb43b792b3a290dc755220047 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Thu, 11 Nov 2021 23:31:50 -0600
Subject: [PATCH 34/84] recommend install module in host
---
rootfs/etc/cont-init.d/10-module | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/rootfs/etc/cont-init.d/10-module b/rootfs/etc/cont-init.d/10-module
index f83b1555..de8df48e 100644
--- a/rootfs/etc/cont-init.d/10-module
+++ b/rootfs/etc/cont-init.d/10-module
@@ -139,10 +139,11 @@ DUDE
echo "**** The module is active, moving forward with setup. ****"
ip link del dev test
else
- echo "**** The module is not active, review the logs. Sleeping now. . . ****"
- sleep infinity
+ echo "**** The module is not active, review the logs. ****"
fi
else
- echo "**** Kernel headers don't seem to be available, can't compile the module. Sleeping now. . . ****"
- sleep infinity
-fi
\ No newline at end of file
+ echo "**** Kernel headers don't seem to be available, can't compile the module. ****"
+fi
+
+echo "**** Unable to enable the module, please install it on the host and try again (https://www.wireguard.com/install/). ****"
+sleep infinity
\ No newline at end of file
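Review bot: The success path no longer terminates: after `echo "**** The module is active, moving forward with setup. ****"` and `ip link del dev test`, control falls through to the unconditional `echo "**** Unable to enable the module ... ****"` and `sleep infinity` added at the bottom, so a container that has just compiled a working module still hangs forever behind a misleading message. Add `exit 0` right after the `ip link del dev test` line in the success branch (mirroring the early `exit 0` used when the module is already loaded), or remove the "moving forward" message if compilation is no longer meant to be a supported path. The enclosing `if` starts outside the hunk.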
From d6ffa9b88afbe78255fdedf1c2efeea3cf61a566 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Fri, 12 Nov 2021 00:08:18 -0600
Subject: [PATCH 35/84] update readme
---
README.md | 43 ++-----------------------------------------
1 file changed, 2 insertions(+), 41 deletions(-)
diff --git a/README.md b/README.md
index be6e0f6d..72f28255 100644
--- a/README.md
+++ b/README.md
@@ -65,8 +65,6 @@ services:
- NET_ADMIN #required
environment:
- PRIVATE_KEY=xxxxxxxxx #required
- sysctls:
- - net.ipv4.conf.all.src_valid_mark=1 #required
restart: unless-stopped
```
@@ -77,7 +75,6 @@ docker run -d \
--name=nordlynx \
--cap-add=NET_ADMIN `#required` \
-e PRIVATE_KEY=xxxxxxxxx `#required` \
- --sysctl="net.ipv4.conf.all.src_valid_mark=1" `#required` \
--restart unless-stopped \
ghcr.io/bubuntux/nordlynx
```
@@ -96,41 +93,5 @@ docker run -d \
|`NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
## Sysctl
-* `net.ipv4.conf.all.src_valid_mark=1` (Required)
-* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
-
-## Updating Info
-
-### Via Docker Compose
-
-* Update all images: `docker-compose pull`
-* or update a single image: `docker-compose pull nordlynx`
-* Let compose update all containers as necessary: `docker-compose up -d`
-* or update a single container: `docker-compose up -d nordlynx`
-* You can also remove the old dangling images: `docker image prune`
-
-### Via Docker Run
-
-* Update the image: `docker pull ghcr.io/bubuntux/nordlynx`
-* Stop the running container: `docker stop nordlynx`
-* Delete the container: `docker rm nordlynx`
-* You can also remove the old dangling images: `docker image prune`
-
-### Via Watchtower auto-updater (only use if you don't remember the original parameters)
-
-* Pull the latest image at its tag and replace it with the same env variables in one run:
-
- ```bash
- docker run --rm \
- -v /var/run/docker.sock:/var/run/docker.sock \
- containrrr/watchtower \
- --run-once nordlynx
- ```
-
-* You can also remove the old dangling images: `docker image prune`
-
-**Note:** We do not endorse the use of Watchtower as a solution to automated updates of existing Docker containers. In fact we generally discourage automated updates. However, this is a useful tool for one-time manual updates of containers where you have forgotten the original parameters. In the long term, we highly recommend using [Docker Compose](https://docs.docker.com/compose/).
-
-### Image Update Notifications - Diun (Docker Image Update Notifier)
-
-* We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported.
\ No newline at end of file
+* `net.ipv4.conf.all.src_valid_mark=1` May be required. (depends on multiple factors)
+* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
\ No newline at end of file
From 4932ad5da27fa1e5fe264fcc6c50b4f26522900e Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Fri, 12 Nov 2021 11:30:22 -0600
Subject: [PATCH 36/84] update readme
---
.github/FUNDING.yml | 5 ++---
README.md | 8 ++++----
rootfs/etc/cont-init.d/10-module | 2 +-
3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index d5dd98d0..13144414 100755
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,2 @@
-github: [bubuntux,linuxserver]
-open_collective: linuxserver
-custom: "https://www.wireguard.com/donations/"
+github: [bubuntux]
+custom: ["https://www.wireguard.com/donations/","https://www.linuxserver.io/donate"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 72f28255..888c384f 100644
--- a/README.md
+++ b/README.md
@@ -5,8 +5,8 @@
-
-
+
+
## Quick reference
@@ -25,7 +25,7 @@
- **Where to file issues**: [Github issues](https://github.com/bubuntux/nordlynx/issues)
- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v7, arm64, s390x
- **Published image artifact details**: [DockerHub](https://hub.docker.com/r/bubuntux/nordlynx), [Github packages](https://github.com/bubuntux/nordlynx/pkgs/container/nordlynx)
-- **Continuous integration**: [Github actions](https://github.com/bubuntux/nordlynx/actions)
+- **Continuous integration**: [Github actions](https://github.com/bubuntux/nordlynx/actions/workflows/docker-image-ci.yml)
- **Source**: [Github](https://github.com/bubuntux/nordlynx)
## What is NordLynx?
@@ -85,7 +85,7 @@ docker run -d \
| :----: | --- | --- |
| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-|`DNS` | 103.86.96.100,103.86.99.100 | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+|`DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
|`ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
|`PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
|`ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
diff --git a/rootfs/etc/cont-init.d/10-module b/rootfs/etc/cont-init.d/10-module
index de8df48e..9efed657 100644
--- a/rootfs/etc/cont-init.d/10-module
+++ b/rootfs/etc/cont-init.d/10-module
@@ -1,4 +1,4 @@
-#!/usr/bin/with-contenv bash
+#!/bin/bash
echo "Uname info: $(uname -a)"
# check for wireguard module
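Review bot: Reverting the shebang from `#!/usr/bin/with-contenv bash` to `#!/bin/bash` means this init script no longer receives the container environment that the other cont-init.d scripts in this series (`30-route`, `40-allowlist`) get via with-contenv; nothing in the visible parts of `10-module` reads an env var now that `SKIP_COMPILE` is gone, so this is harmless today, but it is an inconsistency that will bite the first person who adds an env-controlled option here. Either keep `with-contenv` for consistency or add a comment such as `# plain bash on purpose: this script reads no container env` so the difference reads as deliberate.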
From 2d133f1c2cee8de41da51264ec3393482acf4d73 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 14 Nov 2021 02:56:57 -0600
Subject: [PATCH 37/84] add env variables LISTEN_PORT, TABLE, PRE_UP, POST_UP,
PRE_DOWN, POST_DOWN, QUERY, PUBLIC_KEY, END_POINT
---
.github/ISSUE_TEMPLATE/bug_report.md | 37 +++++++++++++++++++++++
.github/ISSUE_TEMPLATE/config.yml | 1 +
.github/ISSUE_TEMPLATE/feature_request.md | 20 ++++++++++++
.github/workflows/docker-image-ci.yml | 4 +--
Dockerfile | 6 ++--
README.md | 18 +++++++----
{rootfs/patch => patch}/wg-quick.patch | 0
rootfs/etc/services.d/wireguard/run | 28 ++++++++++++-----
rootfs/etc/services.d/wireguard/type | 1 +
9 files changed, 95 insertions(+), 20 deletions(-)
create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md
create mode 100644 .github/ISSUE_TEMPLATE/config.yml
create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md
rename {rootfs/patch => patch}/wg-quick.patch (100%)
create mode 100644 rootfs/etc/services.d/wireguard/type
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
new file mode 100644
index 00000000..390953d7
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: bug, help wanted
+assignees: ''
+---
+## :warning: Before submitting review:
+### - [Open/Closed Issues](https://github.com/bubuntux/nordlynx/issues)
+### - [Discussions](https://github.com/bubuntux/nordlynx/discussions)
+### Consider creating a thread in the discussion section, specially if you don't know what the problem is or is not directly related to the image itself.
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce using docker CLI**
+Full command needs to be provided (hide credentials)
+`docker run ... bubuntux/nordlynx `
+
+**To Reproduce using docker-compose**
+docker-compose.yml if used (hide credentials)
+```
+version: '3'
+services:
+ vpn:
+ image: bubuntux/nordlynx
+ ...
+```
+
+**Expected behavior**
+A clear and concise description of what you expected to happen and a simple way for someone else to test it.
+
+**Logs**
+Focus on errors or warnings messages, if not available post entire logs
+
+**Additional context**
+Distribution used, versions, architecture and any other context about the problem here.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
new file mode 100644
index 00000000..3ba13e0c
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
new file mode 100644
index 00000000..dcb4a88a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement, help wanted
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 95282a0a..6a7bc5e7 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -1,8 +1,8 @@
name: Docker Image CI
on:
- #schedule:
- # - cron: '4 20 * * *'
+ schedule:
+ - cron: '4 20 * * *'
push:
branches: [ main ]
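Review bot: Re-enabling `cron: '4 20 * * *'` means the image is rebuilt and pushed daily from a base pinned only by tag and apt packages that are not version-pinned (per the Dockerfile in this commit), so the published tags change content with no corresponding commit; picking up security updates this way is reasonable, but it should be a deliberate choice, and pinning the base by digest plus emitting revision/build-date labels (if `docker/metadata-action` is not already doing so) would let a given pushed image be traced to what produced it. The build-and-push job sits further down the workflow, outside this hunk.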
diff --git a/Dockerfile b/Dockerfile
index 9339bd13..a32a009d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM s6on/ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
-COPY /rootfs /
+COPY /patch /patch
RUN apt-get update -y && \
apt-get install -y curl jq patch net-tools iproute2 iptables openresolv iputils-ping wireguard && \
patch --verbose -p0 < /patch/wg-quick.patch && \
@@ -12,6 +12,4 @@ RUN apt-get update -y && \
/var/cache/apt/archives/* \
/var/lib/apt/lists/* \
/var/tmp/*
-
-#ENV S6_CMD_WAIT_FOR_SERVICES=1
-#CMD
\ No newline at end of file
+COPY /rootfs /
\ No newline at end of file
diff --git a/README.md b/README.md
index 888c384f..44f5ae91 100644
--- a/README.md
+++ b/README.md
@@ -84,13 +84,19 @@ docker run -d \
| Variable | Default | Description |
| :----: | --- | --- |
| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-|`DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-|`ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
-|`PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-|`ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
-|`NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
-|`NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+| `DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
+| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+| `PRE_UP`/`POST_UP`/`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. Each one may be specified multiple times, in which case the commands are executed in order.
+| `QUERY` | | Query for the api nordvpn
+| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
+| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
+| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
+| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
## Sysctl
* `net.ipv4.conf.all.src_valid_mark=1` May be required. (depends on multiple factors)
diff --git a/rootfs/patch/wg-quick.patch b/patch/wg-quick.patch
similarity index 100%
rename from rootfs/patch/wg-quick.patch
rename to patch/wg-quick.patch
diff --git a/rootfs/etc/services.d/wireguard/run b/rootfs/etc/services.d/wireguard/run
index e3b6224c..32559600 100644
--- a/rootfs/etc/services.d/wireguard/run
+++ b/rootfs/etc/services.d/wireguard/run
@@ -1,18 +1,31 @@
#!/usr/bin/with-contenv bash
-recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1")
+if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
+ recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
+ if [[ -z ${PUBLIC_KEY} ]]; then
+ PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
+ fi
+ if [[ -z ${END_POINT} ]]; then
+ END_POINT=$(jq -r '.[0].hostname' <<< "${recommendations}"):51820
+ fi
+fi
cat >/etc/wireguard/wg0.conf <
Date: Sun, 14 Nov 2021 23:27:13 -0600
Subject: [PATCH 38/84] fix net forwarding
---
README.md | 2 +-
rootfs/etc/cont-init.d/30-route | 6 ++++--
rootfs/etc/cont-init.d/30-route6 | 6 ++++--
rootfs/etc/cont-init.d/40-allowlist | 3 ++-
4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 44f5ae91..4cf96da3 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ docker run -d \
| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-| `PRE_UP`/`POST_UP`/`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. Each one may be specified multiple times, in which case the commands are executed in order.
+| `PRE_UP`/`POST_UP`/`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
| `QUERY` | | Query for the api nordvpn
| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
index d72d30b7..ebf32f67 100644
--- a/rootfs/etc/cont-init.d/30-route
+++ b/rootfs/etc/cont-init.d/30-route
@@ -5,8 +5,10 @@ if [ -n "$NET_LOCAL" ]; then
gw="$(ip route | awk '/default/{print $3}')"
for net in ${NET_LOCAL//[;,]/ }; do
echo "Enabling connection to network ${net}"
- iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
- iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+ iptables -A INPUT -s "$net" -j ACCEPT
+ iptables -A OUTPUT -d "$net" -j ACCEPT
+ iptables -A FORWARD -d "$net" -j ACCEPT
+ iptables -A FORWARD -s "$net" -j ACCEPT
done
fi
\ No newline at end of file
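Review bot: Dropping `-i eth0`/`-o eth0` and adding the FORWARD accepts without an interface match means a packet that arrives through the wg tunnel carrying a source inside `$net` is now accepted by INPUT and FORWARD, so the LAN allowance is no longer tied to the interface that actually reaches the LAN (the `ip route add` on the line above still hard-codes `dev eth0`). Keeping the qualifier, `iptables -A INPUT -i eth0 -s "$net" -j ACCEPT` and `iptables -A FORWARD -i eth0 -s "$net" -j ACCEPT`, preserves the forwarding fix without widening what the tunnel side can inject; patch 44 later in this series re-adds exactly that. The same applies to the ip6tables hunk in 30-route6 below. The enclosing `if [ -n "$NET_LOCAL" ]` starts outside the hunk.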
diff --git a/rootfs/etc/cont-init.d/30-route6 b/rootfs/etc/cont-init.d/30-route6
index 25598eff..db26a651 100644
--- a/rootfs/etc/cont-init.d/30-route6
+++ b/rootfs/etc/cont-init.d/30-route6
@@ -5,8 +5,10 @@ if [ -n "$NET6_LOCAL" ]; then
gw="$(ip -6 route | awk '/default/{print $3}')"
for net in ${NET6_LOCAL//[;,]/ }; do
echo "Enabling connection to network ${net}"
- ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
+ ip6tables -A INPUT -s "$net" -j ACCEPT
+ ip6tables -A OUTPUT -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -s "$net" -j ACCEPT
done
fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
index facbf764..5a02cab5 100644
--- a/rootfs/etc/cont-init.d/40-allowlist
+++ b/rootfs/etc/cont-init.d/40-allowlist
@@ -5,6 +5,7 @@ if [[ -n ${ALLOW_LIST} ]]; then
for domain in ${ALLOW_LIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
echo "Enabling connection to host ${domain}"
- iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT
+ iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
+ ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
done
fi
\ No newline at end of file
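Review bot: `2>/dev/null` on both rule insertions hides the case where `${domain}` fails to resolve or the relevant tables binary is unavailable, so an allowlisted host silently stays blocked with nothing in the logs to explain it; note also that `-d "${domain}"` is resolved once, at rule-insertion time, so later DNS changes for that host are not reflected. At minimum surface the failure, e.g. `iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null || echo "Unable to allow ${domain} over IPv4"` and the ip6tables equivalent. The same point applies to the later 40-allowlist hunks in patches 40 and 41, which only toggle `-o eth0`. The enclosing `if [[ -n ${ALLOW_LIST} ]]` starts outside the hunk.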
From 10af2f4484aaf96ab9ecd1c658ecd0ed5beb9c40 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 15 Nov 2021 10:14:05 -0600
Subject: [PATCH 39/84] change edge to weekly
---
.github/workflows/docker-image-ci.yml | 2 +-
README.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 6a7bc5e7..a8ded878 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -2,7 +2,7 @@ name: Docker Image CI
on:
schedule:
- - cron: '4 20 * * *'
+ - cron: '4 20 1 * 4'
push:
branches: [ main ]
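Review bot: `'4 20 1 * 4'` does not produce the weekly schedule the subject describes: when both the day-of-month (1) and day-of-week (4) fields are restricted, cron fires when either one matches, so this runs every Thursday and additionally on the 1st of every month. For a weekly edge build use `- cron: '4 20 * * 4'`.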
diff --git a/README.md b/README.md
index 4cf96da3..ec646f56 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@
## Supported tags
-- edge (created nightly)
+- edge (created weekly)
- latest (created monthly or on demand)
- YYYYmmdd (created monthly or on demand)
From 886037b3d18df2eb4043eb5a655eb18dfef70ab5 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 15 Nov 2021 18:55:35 -0600
Subject: [PATCH 40/84] simplify using alpine
---
Dockerfile | 14 +--
README.md | 12 +--
rootfs/etc/cont-init.d/10-module | 149 ----------------------------
rootfs/etc/cont-init.d/10-validate | 16 +++
rootfs/etc/cont-init.d/20-inet | 2 +-
rootfs/etc/cont-init.d/20-inet6 | 2 +-
rootfs/etc/cont-init.d/40-allowlist | 4 +-
7 files changed, 28 insertions(+), 171 deletions(-)
delete mode 100644 rootfs/etc/cont-init.d/10-module
create mode 100644 rootfs/etc/cont-init.d/10-validate
diff --git a/Dockerfile b/Dockerfile
index a32a009d..434dc0b0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,9 @@
-FROM s6on/ubuntu:20.04
-ARG DEBIAN_FRONTEND=noninteractive
+FROM s6on/alpine:3
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /patch /patch
-RUN apt-get update -y && \
- apt-get install -y curl jq patch net-tools iproute2 iptables openresolv iputils-ping wireguard && \
+RUN apk add --no-cache -U wireguard-tools curl jq patch && \
patch --verbose -p0 < /patch/wg-quick.patch && \
- rm -rf \
- /patch \
- /tmp/* \
- /var/cache/apt/archives/* \
- /var/lib/apt/lists/* \
- /var/tmp/*
+ apk del --purge patch && \
+ rm -rf /tmp/* /patch
COPY /rootfs /
\ No newline at end of file
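Review bot: `FROM s6on/alpine:3` floats across every Alpine 3.x release and the `apk add` line pins no package versions, so combined with the scheduled rebuild a new edge image can pick up a different wireguard-tools, curl or jq with no change in this repository, and the `wg-quick.patch` applied on the next line may stop applying cleanly. Pin the base to a specific tag or digest (`FROM s6on/alpine:<pinned-tag>@sha256:<digest>`, placeholders) and the packages (`apk add --no-cache wireguard-tools=<version> curl=<version> jq=<version> patch=<version>`), and drop `-U`, which is effectively redundant once `--no-cache` already refreshes the index. The `COPY /patch /patch` layer still retains the patch file even though `rm -rf /patch` runs afterwards.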
diff --git a/README.md b/README.md
index ec646f56..b1d10b7e 100644
--- a/README.md
+++ b/README.md
@@ -16,9 +16,9 @@
## Supported tags
-- edge (created weekly)
-- latest (created monthly or on demand)
-- YYYYmmdd (created monthly or on demand)
+- edge (updated weekly)
+- latest (updated monthly)
+- YYYYmmdd (created monthly)
## Quick reference (cont.)
@@ -60,26 +60,22 @@ version: "3"
services:
nordlynx:
image: ghcr.io/bubuntux/nordlynx
- container_name: nordlynx
cap_add:
- NET_ADMIN #required
environment:
- PRIVATE_KEY=xxxxxxxxx #required
- restart: unless-stopped
```
### docker cli ([click here for more info](https://docs.docker.com/engine/reference/commandline/cli/))
```bash
docker run -d \
- --name=nordlynx \
--cap-add=NET_ADMIN `#required` \
-e PRIVATE_KEY=xxxxxxxxx `#required` \
- --restart unless-stopped \
ghcr.io/bubuntux/nordlynx
```
-## Env Variables
+## Environment Variables
| Variable | Default | Description |
| :----: | --- | --- |
diff --git a/rootfs/etc/cont-init.d/10-module b/rootfs/etc/cont-init.d/10-module
deleted file mode 100644
index 9efed657..00000000
--- a/rootfs/etc/cont-init.d/10-module
+++ /dev/null
@@ -1,149 +0,0 @@
-#!/bin/bash
-
-echo "Uname info: $(uname -a)"
-# check for wireguard module
-ip link del dev test 2>/dev/null
-if ip link add dev test type wireguard; then
- echo "Wireguard module is active"
- ip link del dev test
- exit 0
-fi
-
-echo "**** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
-
-# install headers if necessary
-if [ ! -e /lib/modules/$(uname -r)/build ]; then
- echo "**** Attempting kernel header install ****"
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- apt-get install -y \
- linux-headers-$(uname -r)
- elif (uname -r | grep -q 'v7+') || (uname -r | grep -q 'v7l+') || (uname -r | grep -q 'v8+'); then
- echo "**** Raspbian kernel naming convention detected, attempting to install raspbian kernel headers ****"
- curl -s http://archive.raspberrypi.org/debian/raspberrypi.gpg.key | apt-key add -
- echo -e \
- "deb http://archive.raspberrypi.org/debian/ buster main\ndeb-src http://archive.raspberrypi.org/debian/ buster main" \
- > /etc/apt/sources.list.d/raspbian.list
- apt-get update
- apt-get install -y \
- raspberrypi-kernel-headers
- elif uname -v | grep -q 'Ubuntu'; then
- echo "**** Ubuntu kernel detected, but likely not Bionic. ****"
- echo "**** Attempting to install kernel headers from Ubuntu Xenial repo ****"
- if uname -m | grep -q 'x86_64'; then
- echo -e \
- "deb http://archive.ubuntu.com/ubuntu/ xenial main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted\n\ndeb http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted" \
- > /etc/apt/sources.list.d/xenial-focal.list
- else
- echo -e \
- "deb http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted\ndeb-src http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted\n\ndeb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted\ndeb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted" \
- > /etc/apt/sources.list.d/xenial-focal.list
- fi
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- apt-get install -y \
- linux-headers-$(uname -r)
- else
- echo "**** No kernel headers found in the Ubuntu Xenial repo!! Trying Ubuntu Focal. ****"
- sed -i 's/xenial/focal/g' /etc/apt/sources.list.d/xenial-focal.list
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- apt-get install -y \
- linux-headers-$(uname -r)
- else
- echo "**** No kernel headers found in the Ubuntu repos!! Will try the headers from host (if mapped), may or may not work ****"
- rm -rf /etc/apt/sources.list.d/xenial-focal.list
- fi
- fi
- elif uname -v | grep -q 'Debian'; then
- echo "**** Debian host detected, attempting to install kernel headers from Debian Buster repo ****"
- curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | apt-key add -
- curl -s https://ftp-master.debian.org/keys/archive-key-10-security.asc | apt-key add -
- cat < /etc/apt/sources.list.d/debian.list
-deb http://deb.debian.org/debian buster main contrib non-free
-deb-src http://deb.debian.org/debian buster main contrib non-free
-deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
-deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free
-deb http://deb.debian.org/debian buster-updates main contrib non-free
-deb-src http://deb.debian.org/debian buster-updates main contrib non-free
-deb http://deb.debian.org/debian buster-backports main contrib non-free
-deb-src http://deb.debian.org/debian buster-backports main contrib non-free
-DUDE
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- if uname -r | grep -qs "bpo"; then
- echo "**** Backported kernel detected ****"
- apt-get install -y -t buster-backports \
- linux-headers-$(uname -r)
- else
- apt-get install -y \
- linux-headers-$(uname -r)
- fi
- else
- echo "**** Attempting to install kernel headers from the Debian Stretch repo ****"
- curl -s https://ftp-master.debian.org/keys/archive-key-9.asc | apt-key add -
- curl -s https://ftp-master.debian.org/keys/archive-key-9-security.asc | apt-key add -
- sed -i 's/buster/stretch/g' /etc/apt/sources.list.d/debian.list
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- if uname -r | grep -qs "bpo"; then
- echo "**** Backported kernel detected ****"
- apt-get install -y -t stretch-backports \
- linux-headers-$(uname -r)
- else
- apt-get install -y \
- linux-headers-$(uname -r)
- fi
- else
- echo "**** No kernel headers found in Debian repos!! Will try the headers from host (if mapped), may or may not work ****"
- rm -rf /etc/apt/sources.list.d/debian.list
- fi
- fi
- else
- echo "**** No kernel headers found in the Ubuntu or Debian repos!! Will try the headers from host (if mapped), may or may not work ****"
- fi
-fi
-
-if [ -e /lib/modules/$(uname -r)/build ]; then
- echo "**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****"
- if [ ! -f /lib/modules/$(uname -r)/build/certs/signing_key.pem ]; then
- mkdir -p /lib/modules/$(uname -r)/build/certs
- cd /lib/modules/$(uname -r)/build/certs
- cat <> x509.genkey
-[ req ]
-default_bits = 4096
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-CN = Modules
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-DUDE
- echo "**** Generating signing key ****"
- openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
- fi
- #cd /app
- echo "**** Building the module ****"
- make -C wireguard-linux-compat/src -j$(nproc)
- make -C wireguard-linux-compat/src install
- echo "**** Let's test our new module. ****"
- ip link del dev test 2>/dev/null
- if ip link add dev test type wireguard; then
- echo "**** The module is active, moving forward with setup. ****"
- ip link del dev test
- else
- echo "**** The module is not active, review the logs. ****"
- fi
-else
- echo "**** Kernel headers don't seem to be available, can't compile the module. ****"
-fi
-
-echo "**** Unable to enable the module, please install it on the host and try again (https://www.wireguard.com/install/). ****"
-sleep infinity
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/10-validate b/rootfs/etc/cont-init.d/10-validate
new file mode 100644
index 00000000..f414a68c
--- /dev/null
+++ b/rootfs/etc/cont-init.d/10-validate
@@ -0,0 +1,16 @@
+#!/usr/bin/with-contenv bash
+
+ip link del dev test 2>/dev/null
+if ip link add dev test type wireguard; then
+ echo "Wireguard module is active"
+ ip link del dev test
+else
+ echo "Uname info: $(uname -a)"
+ echo "**** Unable to enable wireguard module, please install it on the host and try again (https://www.wireguard.com/install/). ****"
+ sleep infinity
+fi
+
+if [[ -z ${PRIVATE_KEY} ]] ; then
+ echo "**** Missing PRIVATE_KEY please review the documentation. ****"
+ sleep infinity
+fi
\ No newline at end of file
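Review bot: The `PRIVATE_KEY` check only tests for emptiness, so a malformed value (wrong length, stray whitespace, the `xxxxxxxxx` placeholder from the README) passes validation and only fails later inside wg-quick with a less obvious error; a WireGuard private key is 32 bytes base64-encoded, so `if [[ ! ${PRIVATE_KEY} =~ ^[A-Za-z0-9+/]{43}=$ ]]; then` catches that at startup. `sleep infinity` on both failure paths keeps the container in a Running state, so an orchestrator's restart or health logic never observes the failure; presumably this is intentional so the message stays visible in the logs, and a comment such as `# block here on purpose: keep the container (and its logs) up instead of crash-looping` would make that explicit for the next maintainer.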
diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
index 4ada1775..1e36c0cf 100644
--- a/rootfs/etc/cont-init.d/20-inet
+++ b/rootfs/etc/cont-init.d/20-inet
@@ -31,7 +31,7 @@ iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
index a7eb3436..2978b997 100644
--- a/rootfs/etc/cont-init.d/20-inet6
+++ b/rootfs/etc/cont-init.d/20-inet6
@@ -31,7 +31,7 @@ ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
ip6tables -A OUTPUT -o wg+ -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+ip6tables -A OUTPUT -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i lo -j ACCEPT
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
index 5a02cab5..953438d3 100644
--- a/rootfs/etc/cont-init.d/40-allowlist
+++ b/rootfs/etc/cont-init.d/40-allowlist
@@ -5,7 +5,7 @@ if [[ -n ${ALLOW_LIST} ]]; then
for domain in ${ALLOW_LIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
echo "Enabling connection to host ${domain}"
- iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
- ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
+ iptables -A OUTPUT -d "${domain}" -j ACCEPT 2>/dev/null
+ ip6tables -A OUTPUT -d "${domain}" -j ACCEPT 2>/dev/null
done
fi
\ No newline at end of file
From 50827e807438d37a667a2560c4aea79cbb40aad2 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 15 Nov 2021 19:12:39 -0600
Subject: [PATCH 41/84] specify interface
---
rootfs/etc/cont-init.d/20-inet | 14 +++++++-------
rootfs/etc/cont-init.d/20-inet6 | 14 +++++++-------
rootfs/etc/cont-init.d/40-allowlist | 4 ++--
3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/rootfs/etc/cont-init.d/20-inet b/rootfs/etc/cont-init.d/20-inet
index 1e36c0cf..4ac5f950 100644
--- a/rootfs/etc/cont-init.d/20-inet
+++ b/rootfs/etc/cont-init.d/20-inet
@@ -23,19 +23,19 @@ iptables -X
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
-iptables -A INPUT -s "${docker_networks}" -j ACCEPT
+iptables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
-iptables -A OUTPUT -d "${docker_networks}" -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
-iptables -A FORWARD -d "${docker_networks}" -j ACCEPT
-iptables -A FORWARD -s "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
+iptables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
\ No newline at end of file
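Review bot: The OUTPUT rule `-o eth0 -p udp -m udp --dport 53 -j ACCEPT` allows plaintext DNS to any resolver on the host-facing interface for the lifetime of the container, not only during bootstrap, so a process that ignores the tunnel's resolver can still send queries outside the VPN; restricting it with a `-d` list built from the configured DNS servers, or removing it once wg0 is up, would close that gap. `eth0` is also hard-coded in every rule here and in the 20-inet6 hunk below, as well as in 30-route and 40-allowlist; deriving it once from the default route, e.g. `iface=$(ip route | awk '/default/{print $5}')`, would keep the rules correct when the container is attached to a differently named or additional interface. `docker_networks` is set above this hunk.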
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/rootfs/etc/cont-init.d/20-inet6
index 2978b997..180ff7d1 100644
--- a/rootfs/etc/cont-init.d/20-inet6
+++ b/rootfs/etc/cont-init.d/20-inet6
@@ -23,19 +23,19 @@ ip6tables -X
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
-ip6tables -A INPUT -s "${docker_networks}" -j ACCEPT
+ip6tables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
-ip6tables -A OUTPUT -d "${docker_networks}" -j ACCEPT
ip6tables -A OUTPUT -o wg+ -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-ip6tables -A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
-ip6tables -A OUTPUT -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
+ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i lo -j ACCEPT
-ip6tables -A FORWARD -d "${docker_networks}" -j ACCEPT
-ip6tables -A FORWARD -s "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
+ip6tables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/rootfs/etc/cont-init.d/40-allowlist
index 953438d3..5a02cab5 100644
--- a/rootfs/etc/cont-init.d/40-allowlist
+++ b/rootfs/etc/cont-init.d/40-allowlist
@@ -5,7 +5,7 @@ if [[ -n ${ALLOW_LIST} ]]; then
for domain in ${ALLOW_LIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
echo "Enabling connection to host ${domain}"
- iptables -A OUTPUT -d "${domain}" -j ACCEPT 2>/dev/null
- ip6tables -A OUTPUT -d "${domain}" -j ACCEPT 2>/dev/null
+ iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
+ ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
done
fi
\ No newline at end of file
From 176ef82da58b87352e07496a078fdc9c849bf36c Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Wed, 17 Nov 2021 07:08:10 -0600
Subject: [PATCH 42/84] update readme
---
.github/ISSUE_TEMPLATE/bug_report.md | 17 +++++++----------
Dockerfile | 4 ++--
README.md | 9 ++++++++-
3 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index 390953d7..dcffee87 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -5,19 +5,16 @@ title: ''
labels: bug, help wanted
assignees: ''
---
-## :warning: Before submitting review:
-### - [Open/Closed Issues](https://github.com/bubuntux/nordlynx/issues)
-### - [Discussions](https://github.com/bubuntux/nordlynx/discussions)
-### Consider creating a thread in the discussion section, specially if you don't know what the problem is or is not directly related to the image itself.
+##### :warning: Make sure to follow the template, troubleshoot on your own first, review [Open/Closed Issues](https://github.com/bubuntux/nordlynx/issues), [Discussions](https://github.com/bubuntux/nordlynx/discussions), [Wiki](https://github.com/bubuntux/nordlynx/wiki) and consider creating a discussion thread instead. :warning:
-**Describe the bug**
+###**Describe the bug**
A clear and concise description of what the bug is.
-**To Reproduce using docker CLI**
+###**To Reproduce using docker CLI**
Full command needs to be provided (hide credentials)
`docker run ... bubuntux/nordlynx `
-**To Reproduce using docker-compose**
+###**To Reproduce using docker-compose**
docker-compose.yml if used (hide credentials)
```
version: '3'
@@ -27,11 +24,11 @@ services:
...
```
-**Expected behavior**
+###**Expected behavior**
A clear and concise description of what you expected to happen and a simple way for someone else to test it.
-**Logs**
+###**Logs**
Focus on errors or warnings messages, if not available post entire logs
-**Additional context**
+###**Additional context**
Distribution used, versions, architecture and any other context about the problem here.
diff --git a/Dockerfile b/Dockerfile
index 434dc0b0..6ed609d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
COPY /patch /patch
RUN apk add --no-cache -U wireguard-tools curl jq patch && \
- patch --verbose -p0 < /patch/wg-quick.patch && \
+ patch --verbose -p0 < /patch/wg-quick.patch && \
apk del --purge patch && \
- rm -rf /tmp/* /patch
+ rm -rf /tmp/* /patch
COPY /rootfs /
\ No newline at end of file
diff --git a/README.md b/README.md
index b1d10b7e..d88ef761 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,13 @@ docker run -d \
ghcr.io/bubuntux/nordlynx
```
-## Environment Variables
+Review the [wiki](https://github.com/bubuntux/nordlynx/wiki) for more practical usages and host specific instructions.
+
+## Module
+
+Wireguard module is required, please install it on the host https://www.wireguard.com/install .
+
+## Environment
| Variable | Default | Description |
| :----: | --- | --- |
@@ -95,5 +101,6 @@ docker run -d \
| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
## Sysctl
+
* `net.ipv4.conf.all.src_valid_mark=1` May be required. (depends on multiple factors)
* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
\ No newline at end of file
From ec4fce26a1f6b9297fb3fc24b1acde43a252d89b Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Wed, 17 Nov 2021 07:13:10 -0600
Subject: [PATCH 43/84] Update bug_report.md
---
.github/ISSUE_TEMPLATE/bug_report.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
index dcffee87..594e45a7 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -7,14 +7,14 @@ assignees: ''
---
##### :warning: Make sure to follow the template, troubleshoot on your own first, review [Open/Closed Issues](https://github.com/bubuntux/nordlynx/issues), [Discussions](https://github.com/bubuntux/nordlynx/discussions), [Wiki](https://github.com/bubuntux/nordlynx/wiki) and consider creating a discussion thread instead. :warning:
-###**Describe the bug**
+### **Describe the bug**
A clear and concise description of what the bug is.
-###**To Reproduce using docker CLI**
+### **To Reproduce using docker CLI**
Full command needs to be provided (hide credentials)
`docker run ... bubuntux/nordlynx `
-###**To Reproduce using docker-compose**
+### **To Reproduce using docker-compose**
docker-compose.yml if used (hide credentials)
```
version: '3'
@@ -24,11 +24,11 @@ services:
...
```
-###**Expected behavior**
+### **Expected behavior**
A clear and concise description of what you expected to happen and a simple way for someone else to test it.
-###**Logs**
+### **Logs**
Focus on errors or warnings messages, if not available post entire logs
-###**Additional context**
+### **Additional context**
Distribution used, versions, architecture and any other context about the problem here.
From a025ad8cd79c80d5ce0122e3a3a4f84e5bbd8847 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Fri, 19 Nov 2021 15:27:17 -0600
Subject: [PATCH 44/84] add interface to routes
---
rootfs/etc/cont-init.d/30-route | 8 ++++----
rootfs/etc/cont-init.d/30-route6 | 8 ++++----
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/rootfs/etc/cont-init.d/30-route b/rootfs/etc/cont-init.d/30-route
index ebf32f67..7785a883 100644
--- a/rootfs/etc/cont-init.d/30-route
+++ b/rootfs/etc/cont-init.d/30-route
@@ -6,9 +6,9 @@ if [ -n "$NET_LOCAL" ]; then
for net in ${NET_LOCAL//[;,]/ }; do
echo "Enabling connection to network ${net}"
ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
- iptables -A INPUT -s "$net" -j ACCEPT
- iptables -A OUTPUT -d "$net" -j ACCEPT
- iptables -A FORWARD -d "$net" -j ACCEPT
- iptables -A FORWARD -s "$net" -j ACCEPT
+ iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ iptables -A FORWARD -i eth0 -d "$net" -j ACCEPT
+ iptables -A FORWARD -i eth0 -s "$net" -j ACCEPT
done
fi
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/30-route6 b/rootfs/etc/cont-init.d/30-route6
index db26a651..e2207d07 100644
--- a/rootfs/etc/cont-init.d/30-route6
+++ b/rootfs/etc/cont-init.d/30-route6
@@ -6,9 +6,9 @@ if [ -n "$NET6_LOCAL" ]; then
for net in ${NET6_LOCAL//[;,]/ }; do
echo "Enabling connection to network ${net}"
ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
- ip6tables -A INPUT -s "$net" -j ACCEPT
- ip6tables -A OUTPUT -d "$net" -j ACCEPT
- ip6tables -A FORWARD -d "$net" -j ACCEPT
- ip6tables -A FORWARD -s "$net" -j ACCEPT
+ ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
+ ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -i eth0 -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -i eth0 -s "$net" -j ACCEPT
done
fi
\ No newline at end of file
From 438342aaf50a485954db55b1b32e77aecb57045b Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Wed, 9 Feb 2022 01:23:16 -0600
Subject: [PATCH 45/84] rebase from linuxserver/docker-wireguard so it will try
to install the module to increase compatibility
---
.github/workflows/docker-image-ci.yml | 2 +-
Dockerfile | 53 ++++++-
README.md | 13 +-
{rootfs => root}/etc/cont-init.d/00-firewall | 0
root/etc/cont-init.d/20-validate | 6 +
root/etc/cont-init.d/30-module | 150 ++++++++++++++++++
.../20-inet => root/etc/cont-init.d/40-inet | 0
.../20-inet6 => root/etc/cont-init.d/40-inet6 | 0
.../run => root/etc/cont-init.d/50-confs | 9 +-
.../30-route => root/etc/cont-init.d/60-route | 0
.../etc/cont-init.d/60-route6 | 0
.../etc/cont-init.d/70-allowlist | 0
.../etc/services.d/wireguard/finish | 0
root/etc/services.d/wireguard/run | 7 +
.../etc/services.d/wireguard/type | 0
rootfs/etc/cont-init.d/10-validate | 16 --
16 files changed, 224 insertions(+), 32 deletions(-)
rename {rootfs => root}/etc/cont-init.d/00-firewall (100%)
create mode 100644 root/etc/cont-init.d/20-validate
create mode 100644 root/etc/cont-init.d/30-module
rename rootfs/etc/cont-init.d/20-inet => root/etc/cont-init.d/40-inet (100%)
rename rootfs/etc/cont-init.d/20-inet6 => root/etc/cont-init.d/40-inet6 (100%)
rename rootfs/etc/services.d/wireguard/run => root/etc/cont-init.d/50-confs (92%)
rename rootfs/etc/cont-init.d/30-route => root/etc/cont-init.d/60-route (100%)
rename rootfs/etc/cont-init.d/30-route6 => root/etc/cont-init.d/60-route6 (100%)
rename rootfs/etc/cont-init.d/40-allowlist => root/etc/cont-init.d/70-allowlist (100%)
rename {rootfs => root}/etc/services.d/wireguard/finish (100%)
create mode 100644 root/etc/services.d/wireguard/run
rename {rootfs => root}/etc/services.d/wireguard/type (100%)
delete mode 100644 rootfs/etc/cont-init.d/10-validate
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index a8ded878..6d97c962 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -48,4 +48,4 @@ jobs:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
- platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/s390x
\ No newline at end of file
+ platforms: linux/amd64,linux/arm64,linux/arm/v7
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 6ed609d7..96c84d28 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,50 @@
-FROM s6on/alpine:3
+FROM ghcr.io/linuxserver/baseimage-ubuntu:bionic
+
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
+ENV DEBIAN_FRONTEND="noninteractive"
+ARG WIREGUARD_RELEASE
COPY /patch /patch
-RUN apk add --no-cache -U wireguard-tools curl jq patch && \
- patch --verbose -p0 < /patch/wg-quick.patch && \
- apk del --purge patch && \
- rm -rf /tmp/* /patch
-COPY /rootfs /
\ No newline at end of file
+
+RUN \
+ echo "**** install dependencies ****" && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends \
+ bc \
+ build-essential \
+ curl \
+ dkms \
+ git \
+ gnupg \
+ ifupdown \
+ iproute2 \
+ iptables \
+ iputils-ping \
+ jq \
+ libc6 \
+ libelf-dev \
+ net-tools \
+ openresolv \
+ patch \
+ perl \
+ pkg-config && \
+ echo "**** install wireguard-tools ****" && \
+ if [ -z ${WIREGUARD_RELEASE+x} ]; then \
+ WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" | jq -r .[0].name); \
+ fi && \
+ cd /app && \
+ git clone https://git.zx2c4.com/wireguard-linux-compat && \
+ git clone https://git.zx2c4.com/wireguard-tools && \
+ cd wireguard-tools && \
+ git checkout "${WIREGUARD_RELEASE}" && \
+ make -C src -j$(nproc) && \
+ make -C src install && \
+ patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
+ echo "**** clean up ****" && \
+ rm -rf \
+ /patch \
+ /tmp/* \
+ /var/lib/apt/lists/* \
+ /var/tmp/*
+
+COPY /root /
\ No newline at end of file
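Review bot: `git clone https://git.zx2c4.com/wireguard-linux-compat` takes whatever the upstream branch head is at build time, with no tag, commit or checksum, and that tree is what 30-module later compiles into a kernel module on the host; wireguard-tools, by contrast, is checked out to `${WIREGUARD_RELEASE}`. Pinning the compat tree the same way (an `ARG` plus `git -C wireguard-linux-compat checkout "<pinned-tag>"`) makes the image reproducible and the compiled module reviewable. The release lookup uses `curl -sX GET` without `-f`, so an HTTP error response (an unauthenticated API rate limit, for instance) is parsed as JSON and `.[0].name` yields `null` as the tag to check out; `curl -fsS` turns that into a build failure with a readable cause. The base image is referenced only by the moving tag `bionic`, and the `apt-get install` list pins no versions (hadolint DL3008); a digest on the `FROM` line is the usual fix for the first.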
diff --git a/README.md b/README.md
index d88ef761..c76859a1 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@
## Quick reference (cont.)
- **Where to file issues**: [Github issues](https://github.com/bubuntux/nordlynx/issues)
-- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v7, arm64, s390x
+- **Supported architecture**: ([more info](https://github.com/docker-library/official-images#architectures-other-than-amd64)) amd64, arm32v7, arm64
- **Published image artifact details**: [DockerHub](https://hub.docker.com/r/bubuntux/nordlynx), [Github packages](https://github.com/bubuntux/nordlynx/pkgs/container/nordlynx)
- **Continuous integration**: [Github actions](https://github.com/bubuntux/nordlynx/actions/workflows/docker-image-ci.yml)
- **Source**: [Github](https://github.com/bubuntux/nordlynx)
@@ -62,16 +62,21 @@ services:
image: ghcr.io/bubuntux/nordlynx
cap_add:
- NET_ADMIN #required
+ - NET_RAW #required in some cases
+ - SYS_MODULE #requiered to install wireguard module
environment:
- PRIVATE_KEY=xxxxxxxxx #required
+ volumes:
+ - /lib/modules:/lib/modules #requiered to install wireguard module
```
### docker cli ([click here for more info](https://docs.docker.com/engine/reference/commandline/cli/))
```bash
docker run -d \
- --cap-add=NET_ADMIN `#required` \
- -e PRIVATE_KEY=xxxxxxxxx `#required` \
+ --cap-add=NET_ADMIN,NET_RAW,SYS_MODULE #required \
+ -e PRIVATE_KEY=xxxxxxxxx #required \
+ -v /lib/modules:/lib/modules #requiered to install wireguard module \
ghcr.io/bubuntux/nordlynx
```
@@ -79,7 +84,7 @@ Review the [wiki](https://github.com/bubuntux/nordlynx/wiki) for more practical
## Module
-Wireguard module is required, please install it on the host https://www.wireguard.com/install .
+Wireguard module is required, the container will try to install the module, install [manually](https://www.wireguard.com/install) if need it.
## Environment
diff --git a/rootfs/etc/cont-init.d/00-firewall b/root/etc/cont-init.d/00-firewall
similarity index 100%
rename from rootfs/etc/cont-init.d/00-firewall
rename to root/etc/cont-init.d/00-firewall
diff --git a/root/etc/cont-init.d/20-validate b/root/etc/cont-init.d/20-validate
new file mode 100644
index 00000000..81a7afb2
--- /dev/null
+++ b/root/etc/cont-init.d/20-validate
@@ -0,0 +1,6 @@
+#!/usr/bin/with-contenv bash
+
+if [[ -z ${PRIVATE_KEY} ]] ; then
+ echo "**** Missing PRIVATE_KEY please review the documentation. ****"
+ sleep infinity
+fi
\ No newline at end of file
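Review bot: On a missing `PRIVATE_KEY` the script sleeps forever instead of failing, so the container stays "running" with nothing configured and a restart policy or health reporting never sees the fault. If the container should stop instead, `exit 1` does that once s6-overlay is told to treat a failed init script as fatal (its `S6_BEHAVIOUR_IF_STAGE2_FAILS=2` setting, assuming the base image's overlay version honours it); either way the message belongs on stderr (`>&2`) so it is separable from normal output.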
diff --git a/root/etc/cont-init.d/30-module b/root/etc/cont-init.d/30-module
new file mode 100644
index 00000000..29fe5de2
--- /dev/null
+++ b/root/etc/cont-init.d/30-module
@@ -0,0 +1,150 @@
+#!/usr/bin/with-contenv bash
+
+echo "Uname info: $(uname -a)"
+# check for wireguard module
+ip link del dev test 2>/dev/null
+if ip link add dev test type wireguard; then
+ echo "**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****"
+ SKIP_COMPILE="true"
+ ip link del dev test
+else
+ echo "**** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
+fi
+
+# install headers if necessary
+if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; then
+ echo "**** Attempting kernel header install ****"
+ apt-get update
+ if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
+ apt-get install -y \
+ linux-headers-$(uname -r)
+ elif (uname -r | grep -q 'v7+') || (uname -r | grep -q 'v7l+') || (uname -r | grep -q 'v8+'); then
+ echo "**** Raspbian kernel naming convention detected, attempting to install raspbian kernel headers ****"
+ curl -s http://archive.raspberrypi.org/debian/raspberrypi.gpg.key | apt-key add -
+ echo -e \
+ "deb http://archive.raspberrypi.org/debian/ buster main\ndeb-src http://archive.raspberrypi.org/debian/ buster main" \
+ > /etc/apt/sources.list.d/raspbian.list
+ apt-get update
+ apt-get install -y \
+ raspberrypi-kernel-headers
+ elif uname -v | grep -q 'Ubuntu'; then
+ echo "**** Ubuntu kernel detected, but likely not Bionic. ****"
+ echo "**** Attempting to install kernel headers from Ubuntu Xenial repo ****"
+ if uname -m | grep -q 'x86_64'; then
+ echo -e \
+ "deb http://archive.ubuntu.com/ubuntu/ xenial main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted\n\ndeb http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted" \
+ > /etc/apt/sources.list.d/xenial-focal.list
+ else
+ echo -e \
+ "deb http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted\ndeb-src http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted\n\ndeb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted\ndeb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted" \
+ > /etc/apt/sources.list.d/xenial-focal.list
+ fi
+ apt-get update
+ if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
+ apt-get install -y \
+ linux-headers-$(uname -r)
+ else
+ echo "**** No kernel headers found in the Ubuntu Xenial repo!! Trying Ubuntu Focal. ****"
+ sed -i 's/xenial/focal/g' /etc/apt/sources.list.d/xenial-focal.list
+ apt-get update
+ if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
+ apt-get install -y \
+ linux-headers-$(uname -r)
+ else
+ echo "**** No kernel headers found in the Ubuntu repos!! Will try the headers from host (if mapped), may or may not work ****"
+ rm -rf /etc/apt/sources.list.d/xenial-focal.list
+ fi
+ fi
+ elif uname -v | grep -q 'Debian'; then
+ echo "**** Debian host detected, attempting to install kernel headers from Debian Buster repo ****"
+ curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | apt-key add -
+ curl -s https://ftp-master.debian.org/keys/archive-key-10-security.asc | apt-key add -
+ cat < /etc/apt/sources.list.d/debian.list
+deb http://deb.debian.org/debian buster main contrib non-free
+deb-src http://deb.debian.org/debian buster main contrib non-free
+deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
+deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free
+deb http://deb.debian.org/debian buster-updates main contrib non-free
+deb-src http://deb.debian.org/debian buster-updates main contrib non-free
+deb http://deb.debian.org/debian buster-backports main contrib non-free
+deb-src http://deb.debian.org/debian buster-backports main contrib non-free
+DUDE
+ apt-get update
+ if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
+ if uname -r | grep -qs "bpo"; then
+ echo "**** Backported kernel detected ****"
+ apt-get install -y -t buster-backports \
+ linux-headers-$(uname -r)
+ else
+ apt-get install -y \
+ linux-headers-$(uname -r)
+ fi
+ else
+ echo "**** Attempting to install kernel headers from the Debian Stretch repo ****"
+ curl -s https://ftp-master.debian.org/keys/archive-key-9.asc | apt-key add -
+ curl -s https://ftp-master.debian.org/keys/archive-key-9-security.asc | apt-key add -
+ sed -i 's/buster/stretch/g' /etc/apt/sources.list.d/debian.list
+ apt-get update
+ if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
+ if uname -r | grep -qs "bpo"; then
+ echo "**** Backported kernel detected ****"
+ apt-get install -y -t stretch-backports \
+ linux-headers-$(uname -r)
+ else
+ apt-get install -y \
+ linux-headers-$(uname -r)
+ fi
+ else
+ echo "**** No kernel headers found in Debian repos!! Will try the headers from host (if mapped), may or may not work ****"
+ rm -rf /etc/apt/sources.list.d/debian.list
+ fi
+ fi
+ else
+ echo "**** No kernel headers found in the Ubuntu or Debian repos!! Will try the headers from host (if mapped), may or may not work ****"
+ fi
+fi
+
+if [ "$SKIP_COMPILE" != "true" ]; then
+ if [ -e /lib/modules/$(uname -r)/build ]; then
+ echo "**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****"
+ if [ ! -f /lib/modules/$(uname -r)/build/certs/signing_key.pem ]; then
+ mkdir -p /lib/modules/$(uname -r)/build/certs
+ cd /lib/modules/$(uname -r)/build/certs
+ cat <> x509.genkey
+[ req ]
+default_bits = 4096
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+CN = Modules
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+DUDE
+ echo "**** Generating signing key ****"
+ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
+ fi
+ cd /app
+ echo "**** Building the module ****"
+ make -C wireguard-linux-compat/src -j$(nproc)
+ make -C wireguard-linux-compat/src install
+ echo "**** Let's test our new module. ****"
+ ip link del dev test 2>/dev/null
+ if ip link add dev test type wireguard; then
+ echo "**** The module is active, moving forward with setup. ****"
+ ip link del dev test
+ else
+ echo "**** The module is not active, review the logs. Sleeping now. . . ****"
+ sleep infinity
+ fi
+ else
+ echo "**** Kernel headers don't seem to be available, can't compile the module. Sleeping now. . . ****"
+ sleep infinity
+ fi
+fi
\ No newline at end of file
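Review bot: The redirection `2&>1 >/dev/null` on each `apt-cache show` probe (first at `if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then`, repeated four more times below) does not do what it reads as: bash passes `2` as an extra package argument, `&>1` sends both streams to a file literally named `1` in the working directory, and the trailing `>/dev/null` only re-targets stdout; the intended form is `>/dev/null 2>&1`. The Raspberry Pi branch fetches the archive signing key over plain HTTP and pipes it to the deprecated `apt-key add`, with `curl -s` lacking `-f` so a failed download becomes an empty key; because the headers from that archive are compiled into a kernel module, that key is the whole trust anchor and should be fetched over TLS with `curl -fsS` into a dedicated keyring under /etc/apt/trusted.gpg.d (the Debian branches share the `curl -s … | apt-key add -` shape). The generated `signing_key.pem` is written under `/lib/modules/$(uname -r)/build/certs`, which the README maps in from the host, so a long-lived private key lands on the host filesystem; if Kbuild needs it at that path, that side effect is at least worth documenting and restricting in mode. The `cat < /etc/apt/sources.list.d/debian.list` and `cat <> x509.genkey` lines followed by a `DUDE` terminator look like heredocs whose `<<DUDE` marker was lost in rendering, so they are not reviewed here.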
diff --git a/rootfs/etc/cont-init.d/20-inet b/root/etc/cont-init.d/40-inet
similarity index 100%
rename from rootfs/etc/cont-init.d/20-inet
rename to root/etc/cont-init.d/40-inet
diff --git a/rootfs/etc/cont-init.d/20-inet6 b/root/etc/cont-init.d/40-inet6
similarity index 100%
rename from rootfs/etc/cont-init.d/20-inet6
rename to root/etc/cont-init.d/40-inet6
diff --git a/rootfs/etc/services.d/wireguard/run b/root/etc/cont-init.d/50-confs
similarity index 92%
rename from rootfs/etc/services.d/wireguard/run
rename to root/etc/cont-init.d/50-confs
index 32559600..591d64fd 100644
--- a/rootfs/etc/services.d/wireguard/run
+++ b/root/etc/cont-init.d/50-confs
@@ -1,5 +1,8 @@
#!/usr/bin/with-contenv bash
+rm -rf /etc/wireguard
+mkdir -p /etc/wireguard
+
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
if [[ -z ${PUBLIC_KEY} ]]; then
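Review bot: `mkdir -p /etc/wireguard` and the `cat >/etc/wireguard/wg0.conf` heredoc below it create the directory and the configuration, which carries the private key, under the process's default umask, and the `chmod 600 /etc/wireguard/wg0.conf` added in this file's second hunk only tightens the mode after the key has already been on disk (typically 0644 under a 022 umask). Setting the umask before anything is created closes that window and makes the chmod redundant: `umask 077` right after `mkdir -p /etc/wireguard`. The heredoc that writes the file starts outside this hunk.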
@@ -29,8 +32,4 @@ Endpoint = ${END_POINT}
PersistentKeepalive = ${PERSISTENT_KEEP_ALIVE:-25}
EOL
-wg-quick up wg0
-wg show wg0
-
-sleep infinity &
-wait
+chmod 600 /etc/wireguard/wg0.conf
\ No newline at end of file
diff --git a/rootfs/etc/cont-init.d/30-route b/root/etc/cont-init.d/60-route
similarity index 100%
rename from rootfs/etc/cont-init.d/30-route
rename to root/etc/cont-init.d/60-route
diff --git a/rootfs/etc/cont-init.d/30-route6 b/root/etc/cont-init.d/60-route6
similarity index 100%
rename from rootfs/etc/cont-init.d/30-route6
rename to root/etc/cont-init.d/60-route6
diff --git a/rootfs/etc/cont-init.d/40-allowlist b/root/etc/cont-init.d/70-allowlist
similarity index 100%
rename from rootfs/etc/cont-init.d/40-allowlist
rename to root/etc/cont-init.d/70-allowlist
diff --git a/rootfs/etc/services.d/wireguard/finish b/root/etc/services.d/wireguard/finish
similarity index 100%
rename from rootfs/etc/services.d/wireguard/finish
rename to root/etc/services.d/wireguard/finish
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
new file mode 100644
index 00000000..bd091744
--- /dev/null
+++ b/root/etc/services.d/wireguard/run
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+wg-quick up wg0
+wg show wg0
+
+sleep infinity &
+wait
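Review bot: The exit status of `wg-quick up wg0` is not checked; if it fails, the script still runs `sleep infinity & wait`, so s6 sees a healthy long-running service and never restarts it or reports the failure. `wg-quick up wg0 || exit 1` hands the failure to the supervisor, which can then log and retry on its own cadence. The script runs under `#!/bin/bash` rather than `with-contenv bash`, which is fine only as long as it reads no container environment.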
diff --git a/rootfs/etc/services.d/wireguard/type b/root/etc/services.d/wireguard/type
similarity index 100%
rename from rootfs/etc/services.d/wireguard/type
rename to root/etc/services.d/wireguard/type
diff --git a/rootfs/etc/cont-init.d/10-validate b/rootfs/etc/cont-init.d/10-validate
deleted file mode 100644
index f414a68c..00000000
--- a/rootfs/etc/cont-init.d/10-validate
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-ip link del dev test 2>/dev/null
-if ip link add dev test type wireguard; then
- echo "Wireguard module is active"
- ip link del dev test
-else
- echo "Uname info: $(uname -a)"
- echo "**** Unable to enable wireguard module, please install it on the host and try again (https://www.wireguard.com/install/). ****"
- sleep infinity
-fi
-
-if [[ -z ${PRIVATE_KEY} ]] ; then
- echo "**** Missing PRIVATE_KEY please review the documentation. ****"
- sleep infinity
-fi
\ No newline at end of file
From af9860541dda4ddcb54634943f8750ebc2b4013f Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Wed, 9 Feb 2022 01:32:41 -0600
Subject: [PATCH 46/84] add donate.txt
---
root/donate.txt | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 root/donate.txt
diff --git a/root/donate.txt b/root/donate.txt
new file mode 100644
index 00000000..c6c341b9
--- /dev/null
+++ b/root/donate.txt
@@ -0,0 +1,2 @@
+Bubuntux: https://github.com/sponsors/bubuntux
+WireGuard: https://www.wireguard.com/donations/
\ No newline at end of file
From a5d24269a44c2333153aa765ecc8a8ec62e5c405 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Wed, 9 Feb 2022 02:04:32 -0600
Subject: [PATCH 47/84] add trap
---
root/etc/cont-init.d/50-confs | 35 ---------------
root/etc/cont-init.d/{60-route => 50-route} | 0
root/etc/cont-init.d/{60-route6 => 50-route6} | 0
.../{70-allowlist => 60-allowlist} | 0
root/etc/services.d/wireguard/finish | 3 --
root/etc/services.d/wireguard/run | 44 ++++++++++++++++++-
root/etc/services.d/wireguard/type | 1 -
7 files changed, 42 insertions(+), 41 deletions(-)
delete mode 100644 root/etc/cont-init.d/50-confs
rename root/etc/cont-init.d/{60-route => 50-route} (100%)
rename root/etc/cont-init.d/{60-route6 => 50-route6} (100%)
rename root/etc/cont-init.d/{70-allowlist => 60-allowlist} (100%)
delete mode 100644 root/etc/services.d/wireguard/finish
delete mode 100644 root/etc/services.d/wireguard/type
diff --git a/root/etc/cont-init.d/50-confs b/root/etc/cont-init.d/50-confs
deleted file mode 100644
index 591d64fd..00000000
--- a/root/etc/cont-init.d/50-confs
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-rm -rf /etc/wireguard
-mkdir -p /etc/wireguard
-
-if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
- recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
- if [[ -z ${PUBLIC_KEY} ]]; then
- PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
- fi
- if [[ -z ${END_POINT} ]]; then
- END_POINT=$(jq -r '.[0].hostname' <<< "${recommendations}"):51820
- fi
-fi
-
-cat >/etc/wireguard/wg0.conf </etc/wireguard/wg0.conf <
Date: Wed, 9 Feb 2022 02:45:38 -0600
Subject: [PATCH 48/84] add REFRESH variable
---
README.md | 1 +
root/etc/services.d/wireguard/finish | 3 +++
root/etc/services.d/wireguard/run | 16 +++++++++-------
root/etc/services.d/wireguard/type | 1 +
4 files changed, 14 insertions(+), 7 deletions(-)
create mode 100644 root/etc/services.d/wireguard/finish
create mode 100644 root/etc/services.d/wireguard/type
diff --git a/README.md b/README.md
index c76859a1..0f45bb99 100644
--- a/README.md
+++ b/README.md
@@ -104,6 +104,7 @@ Wireguard module is required, the container will try to install the module, inst
| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+| `REFRESH` | | Time in seconds to refresh the connection (reconnect).
## Sysctl
diff --git a/root/etc/services.d/wireguard/finish b/root/etc/services.d/wireguard/finish
new file mode 100644
index 00000000..c5b013c4
--- /dev/null
+++ b/root/etc/services.d/wireguard/finish
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+wg-quick down wg0
\ No newline at end of file
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 5e3e6b19..75eeb17c 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -4,6 +4,7 @@ rm -rf /etc/wireguard
mkdir -p /etc/wireguard
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
+ echo "Finding the best server..."
recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
if [[ -z ${PUBLIC_KEY} ]]; then
PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
@@ -13,6 +14,10 @@ if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
fi
fi
+if [[ -n ${REFRESH} ]]; then
+ REFRESH="s6-sleep ${REFRESH} s6-svc -r /run/s6/services/wireguard &"
+fi
+
cat >/etc/wireguard/wg0.conf <
Date: Wed, 9 Feb 2022 02:55:18 -0600
Subject: [PATCH 49/84] rename variable
---
README.md | 32 +++++++++++++++----------------
root/etc/services.d/wireguard/run | 6 +++---
2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 0f45bb99..9f59d9d5 100644
--- a/README.md
+++ b/README.md
@@ -88,23 +88,23 @@ Wireguard module is required, the container will try to install the module, inst
## Environment
-| Variable | Default | Description |
-| :----: | --- | --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
-| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
-| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-| `DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
-| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
-| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+| Variable | Default | Description |
+|:-----------------------------------------:| --- | --- |
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
+| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
+| `DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
+| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
| `PRE_UP`/`POST_UP`/`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
-| `QUERY` | | Query for the api nordvpn
-| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
-| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
-| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
-| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
-| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
-| `REFRESH` | | Time in seconds to refresh the connection (reconnect).
+| `QUERY` | | Query for the api nordvpn
+| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
+| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
+| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
+| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+| `RECONNECT` | | Time in seconds to re-establish the connection.
## Sysctl
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 75eeb17c..218028d7 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -14,8 +14,8 @@ if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
fi
fi
-if [[ -n ${REFRESH} ]]; then
- REFRESH="s6-sleep ${REFRESH} s6-svc -r /run/s6/services/wireguard &"
+if [[ -n ${RECONNECT} ]]; then
+ RECONNECT="s6-sleep ${RECONNECT} s6-svc -r /run/s6/services/wireguard &"
fi
cat >/etc/wireguard/wg0.conf <
Date: Wed, 9 Feb 2022 10:15:31 -0600
Subject: [PATCH 50/84] logging used server
---
root/etc/services.d/wireguard/run | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 218028d7..b0b6315c 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -6,6 +6,8 @@ mkdir -p /etc/wireguard
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
echo "Finding the best server..."
recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
+ echo "Using server:"
+ jq -r '.[0]' <<< "${recommendations}"
if [[ -z ${PUBLIC_KEY} ]]; then
PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
fi
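Review bot: `jq -r '.[0]' <<< "${recommendations}"` dumps the entire first recommendation object into the log on every start, which is far more than the preceding "Using server:" line suggests; if the goal is to record which server was chosen, `jq -r '.[0].hostname' <<< "${recommendations}"` keeps it to one line. When the API returns something other than an array (an error body from the unchecked `curl -s`, for instance) `jq` prints an error and exits non-zero, which the script does not act on, so that case only adds noise rather than stopping early. The enclosing `if` block continues past the hunk.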
@@ -14,10 +16,6 @@ if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
fi
fi
-if [[ -n ${RECONNECT} ]]; then
- RECONNECT="s6-sleep ${RECONNECT} s6-svc -r /run/s6/services/wireguard &"
-fi
-
cat >/etc/wireguard/wg0.conf <
Date: Fri, 11 Feb 2022 22:57:32 -0600
Subject: [PATCH 51/84] change format add times in the log
---
.github/workflows/docker-image-ci.yml | 2 +-
README.md | 2 +-
root/etc/cont-init.d/00-firewall | 2 +-
root/etc/cont-init.d/20-validate | 2 +-
root/etc/cont-init.d/30-module | 6 +++---
root/etc/cont-init.d/50-route | 2 +-
root/etc/cont-init.d/50-route6 | 2 +-
root/etc/cont-init.d/60-allowlist | 2 +-
root/etc/services.d/wireguard/run | 12 ++++++------
9 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index 6d97c962..f5194d2e 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -29,7 +29,7 @@ jobs:
tags="ghcr.io/${{ github.repository }}:edge,${{ github.repository }}:edge"
if [[ $(date '+%d') == 01 || "${{ github.event_name }}" == "push" ]]; then
tags="${tags},ghcr.io/${{ github.repository }}:latest,${{ github.repository }}:latest,\
- ghcr.io/${{ github.repository }}:$(date '+%Y%m%d'),${{ github.repository }}:$(date '+%Y%m%d')"
+ ghcr.io/${{ github.repository }}:$(date '+%Y-%m-%d'),${{ github.repository }}:$(date '+%Y-%m-%d')"
fi
echo "::set-output name=tags::${tags}"
diff --git a/README.md b/README.md
index 9f59d9d5..83d07074 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@
- edge (updated weekly)
- latest (updated monthly)
-- YYYYmmdd (created monthly)
+- YYYY-mm-dd (created monthly)
## Quick reference (cont.)
diff --git a/root/etc/cont-init.d/00-firewall b/root/etc/cont-init.d/00-firewall
index 36b06680..b0edfe48 100644
--- a/root/etc/cont-init.d/00-firewall
+++ b/root/etc/cont-init.d/00-firewall
@@ -7,4 +7,4 @@ ip6tables -P OUTPUT DROP 2>/dev/null
ip6tables -P INPUT DROP 2>/dev/null
ip6tables -P FORWARD DROP 2>/dev/null
-echo "Firewall is up, everything has to go through the vpn"
\ No newline at end of file
+echo "[$(date -Iseconds)] Firewall is up, everything has to go through the vpn"
\ No newline at end of file
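Review bot: The `[$(date -Iseconds)]` prefix is now spelled out by hand in every log line of 00-firewall, 20-validate, 30-module, 50-route, 50-route6, 60-allowlist and wireguard/run, so the format lives in seven scripts and any later change (UTC via `date -u`, say) has to be repeated in each. A one-line helper sourced by the scripts, e.g. `log() { echo "[$(date -Iseconds)] $*"; }`, keeps the format in one place; alternatively `docker logs -t` already stamps each line on the consumer side, which would make the prefix redundant.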
diff --git a/root/etc/cont-init.d/20-validate b/root/etc/cont-init.d/20-validate
index 81a7afb2..0f3c8f8f 100644
--- a/root/etc/cont-init.d/20-validate
+++ b/root/etc/cont-init.d/20-validate
@@ -1,6 +1,6 @@
#!/usr/bin/with-contenv bash
if [[ -z ${PRIVATE_KEY} ]] ; then
- echo "**** Missing PRIVATE_KEY please review the documentation. ****"
+ echo "[$(date -Iseconds)] **** Missing PRIVATE_KEY please review the documentation. ****"
sleep infinity
fi
\ No newline at end of file
diff --git a/root/etc/cont-init.d/30-module b/root/etc/cont-init.d/30-module
index 29fe5de2..cad11178 100644
--- a/root/etc/cont-init.d/30-module
+++ b/root/etc/cont-init.d/30-module
@@ -1,14 +1,14 @@
#!/usr/bin/with-contenv bash
-echo "Uname info: $(uname -a)"
+echo "[$(date -Iseconds)] Uname info: $(uname -a)"
# check for wireguard module
ip link del dev test 2>/dev/null
if ip link add dev test type wireguard; then
- echo "**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****"
+ echo "[$(date -Iseconds)] **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****"
SKIP_COMPILE="true"
ip link del dev test
else
- echo "**** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
+ echo "[$(date -Iseconds)] **** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
fi
# install headers if necessary
diff --git a/root/etc/cont-init.d/50-route b/root/etc/cont-init.d/50-route
index 7785a883..8ac8fbb7 100644
--- a/root/etc/cont-init.d/50-route
+++ b/root/etc/cont-init.d/50-route
@@ -4,7 +4,7 @@
if [ -n "$NET_LOCAL" ]; then
gw="$(ip route | awk '/default/{print $3}')"
for net in ${NET_LOCAL//[;,]/ }; do
- echo "Enabling connection to network ${net}"
+ echo "[$(date -Iseconds)] Enabling connection to network ${net}"
ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
diff --git a/root/etc/cont-init.d/50-route6 b/root/etc/cont-init.d/50-route6
index e2207d07..ee390e1a 100644
--- a/root/etc/cont-init.d/50-route6
+++ b/root/etc/cont-init.d/50-route6
@@ -4,7 +4,7 @@
if [ -n "$NET6_LOCAL" ]; then
gw="$(ip -6 route | awk '/default/{print $3}')"
for net in ${NET6_LOCAL//[;,]/ }; do
- echo "Enabling connection to network ${net}"
+ echo "[$(date -Iseconds)] Enabling connection to network ${net}"
ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
diff --git a/root/etc/cont-init.d/60-allowlist b/root/etc/cont-init.d/60-allowlist
index 5a02cab5..84514d84 100644
--- a/root/etc/cont-init.d/60-allowlist
+++ b/root/etc/cont-init.d/60-allowlist
@@ -4,7 +4,7 @@
if [[ -n ${ALLOW_LIST} ]]; then
for domain in ${ALLOW_LIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
- echo "Enabling connection to host ${domain}"
+ echo "[$(date -Iseconds)] Enabling connection to host ${domain}"
iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
done
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index b0b6315c..c8406a3a 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -4,9 +4,9 @@ rm -rf /etc/wireguard
mkdir -p /etc/wireguard
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
- echo "Finding the best server..."
+ echo "[$(date -Iseconds)] Finding the best server..."
recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
- echo "Using server:"
+ echo "[$(date -Iseconds)] Using server:"
jq -r '.[0]' <<< "${recommendations}"
if [[ -z ${PUBLIC_KEY} ]]; then
PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
@@ -37,15 +37,15 @@ EOL
chmod 600 /etc/wireguard/wg0.conf
-echo "Connecting..."
+echo "[$(date -Iseconds)] Connecting..."
wg-quick up wg0
-echo "Connected! \(ᵔᵕᵔ)/"
+echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
if [[ -n ${RECONNECT} ]]; then
- echo "Reconnecting in ${RECONNECT} seconds"
+ echo "[$(date -Iseconds)] Reconnecting in ${RECONNECT} seconds"
sleep "${RECONNECT}"
wg show wg0 | grep transfer
- echo "Reconnecting..."
+ echo "[$(date -Iseconds)] Reconnecting..."
exit 0
fi
From 891f72f1f32d7273371c852aae23c3ca7c59ec6b Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Fri, 11 Feb 2022 23:54:30 -0600
Subject: [PATCH 52/84] fixes #19
---
README.md | 33 ++++++++++----------
root/etc/cont-init.d/40-inet | 57 ++++++++++++++++++-----------------
root/etc/cont-init.d/40-inet6 | 57 ++++++++++++++++++-----------------
3 files changed, 75 insertions(+), 72 deletions(-)
diff --git a/README.md b/README.md
index 83d07074..e17ab5f7 100644
--- a/README.md
+++ b/README.md
@@ -88,23 +88,24 @@ Wireguard module is required, the container will try to install the module, inst
## Environment
-| Variable | Default | Description |
-|:-----------------------------------------:| --- | --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
-| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
-| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
+| Variable | Default | Description |
+|:-----------------------------------------:|---------------------------------------------------------------------------------------------------------------------------| --- |
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
+| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
| `DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
-| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
-| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-| `PRE_UP`/`POST_UP`/`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
-| `QUERY` | | Query for the api nordvpn
-| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
-| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
-| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
-| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
-| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
-| `RECONNECT` | | Time in seconds to re-establish the connection.
+| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
+| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+| `PRE_UP`/`POST_UP`/`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
+| `QUERY` | | Query for the api nordvpn
+| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
+| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
+| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
+| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+| `RECONNECT` | | Time in seconds to re-establish the connection.
+| `TZ` | UTC | Specify a timezone to use EG Europe/London.
## Sysctl
diff --git a/root/etc/cont-init.d/40-inet b/root/etc/cont-init.d/40-inet
index 4ac5f950..f390d810 100644
--- a/root/etc/cont-init.d/40-inet
+++ b/root/etc/cont-init.d/40-inet
@@ -1,41 +1,42 @@
#!/bin/bash
-docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
- while read -r interface ; do
- network="$(ip -o addr show dev "$interface" | awk '$3 == "inet" {print $4}')"
- if [ -z "$result" ]; then
- result=$network
- else
- result=$result,$network
- fi
- done
- echo "$result"
-))
-if [ -z "$docker_networks" ]; then
- echo "No inet network"
+network_found=false
+interfaces=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1)
+for iface in "${interfaces[@]}"; do
+ inet="$(ip -o addr show dev "${iface}" | awk '$3 == "inet" {print $4}')"
+ if [[ -z "$inet" ]]; then
+ continue
+ fi
+ if [ "$network_found" = false ]; then
+ iptables -F
+ iptables -X
+ fi
+ echo "[$(date -Iseconds)] Enabling connection to ${iface} ${inet}"
+ iptables -A INPUT -i "$iface" -s "${inet}" -j ACCEPT
+ iptables -A OUTPUT -o "$iface" -d "${inet}" -j ACCEPT
+ iptables -A FORWARD -i "$iface" -d "${inet}" -j ACCEPT
+ iptables -A FORWARD -i "$iface" -s "${inet}" -j ACCEPT
+ network_found=true
+done
+
+if [ "$network_found" = false ]; then
+ echo "[$(date -Iseconds)] No interface network detected"
exit
fi
-echo "Enabling connection to secure interface and docker network"
-
-iptables -F
-iptables -X
+echo "[$(date -Iseconds)] Enabling connection to secure interfaces"
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-iptables -A INPUT -i lo -j ACCEPT
-iptables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
-
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
+iptables -A FORWARD -i lo -j ACCEPT
+
iptables -A OUTPUT -o wg+ -j ACCEPT
-iptables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
+
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
iptables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
-
-iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-iptables -A FORWARD -i lo -j ACCEPT
-iptables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
-iptables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
-
-iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
\ No newline at end of file
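Review bot: The address lookup `inet="$(ip -o addr show dev "${iface}" | awk '$3 == "inet" {print $4}')"` prints every IPv4 address on the interface, so an interface with more than one address produces a newline-separated value that is then handed to iptables as a single `-s`/`-d` argument, which iptables rejects and the interface ends up with no ACCEPT rules while the DROP policies from 00-firewall stay in force. The IPv6 counterpart in 40-inet6 already stops at the first match with `{print $4; exit}`; either mirror that here, `awk '$3 == "inet" {print $4; exit}'`, or loop over the printed lines and emit one rule set per address. Separately, `for iface in "${interfaces[@]}"` iterates over a plain string assigned with `$(...)`, so all names arrive joined in one element; the following patch in this series changes that assignment.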
diff --git a/root/etc/cont-init.d/40-inet6 b/root/etc/cont-init.d/40-inet6
index 180ff7d1..8f1b64de 100644
--- a/root/etc/cont-init.d/40-inet6
+++ b/root/etc/cont-init.d/40-inet6
@@ -1,41 +1,42 @@
#!/bin/bash
-docker_networks=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1 | (
- while read -r interface ; do
- network="$(ip -o addr show dev "$interface" | awk '$3 == "inet6" {print $4; exit}')"
- if [ -z "$result" ]; then
- result=$network
- else
- result=$result,$network
- fi
- done
- echo "$result"
-))
-if [ -z "$docker_networks" ]; then
- echo "No inet6 network"
+network_found=false
+interfaces=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1)
+for iface in "${interfaces[@]}"; do
+ inet="$(ip -o addr show dev "${iface}" | awk '$3 == "inet6" {print $4; exit}')"
+ if [[ -z "$inet" ]]; then
+ continue
+ fi
+ if [ "$network_found" = false ]; then
+ ip6tables -F
+ ip6tables -X
+ fi
+ echo "[$(date -Iseconds)] Enabling connection to ${iface} ${inet}"
+ ip6tables -A INPUT -i "$iface" -s "${inet}" -j ACCEPT
+ ip6tables -A OUTPUT -o "$iface" -d "${inet}" -j ACCEPT
+ ip6tables -A FORWARD -i "$iface" -d "${inet}" -j ACCEPT
+ ip6tables -A FORWARD -i "$iface" -s "${inet}" -j ACCEPT
+ network_found=true
+done
+
+if [ "$network_found" = false ]; then
+ echo "[$(date -Iseconds)] No interface network6 detected"
exit
fi
-echo "Enabling connection to secure interface6 and docker network6"
-
-ip6tables -F
-ip6tables -X
+echo "[$(date -Iseconds)] Enabling connection to secure interfaces"
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A INPUT -i lo -j ACCEPT
-ip6tables -A INPUT -i eth0 -s "${docker_networks}" -j ACCEPT
-
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
+ip6tables -A FORWARD -i lo -j ACCEPT
+
ip6tables -A OUTPUT -o wg+ -j ACCEPT
-ip6tables -A OUTPUT -o eth0 -d "${docker_networks}" -j ACCEPT
+ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
+
ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
-
-ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-ip6tables -A FORWARD -i lo -j ACCEPT
-ip6tables -A FORWARD -i eth0 -d "${docker_networks}" -j ACCEPT
-ip6tables -A FORWARD -i eth0 -s "${docker_networks}" -j ACCEPT
-
-ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
\ No newline at end of file
From 01bc17e39ce497048482065892a7acc5a29d117f Mon Sep 17 00:00:00 2001
From: sudheera
Date: Sat, 12 Feb 2022 12:09:43 +0100
Subject: [PATCH 53/84] Fixing #36 . - Bug : network interfaces list
incorrectly assigned to an array. Fixed
---
root/etc/cont-init.d/40-inet | 2 +-
root/etc/cont-init.d/40-inet6 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/etc/cont-init.d/40-inet b/root/etc/cont-init.d/40-inet
index f390d810..8879d00b 100644
--- a/root/etc/cont-init.d/40-inet
+++ b/root/etc/cont-init.d/40-inet
@@ -1,7 +1,7 @@
#!/bin/bash
network_found=false
-interfaces=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1)
+interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
for iface in "${interfaces[@]}"; do
inet="$(ip -o addr show dev "${iface}" | awk '$3 == "inet" {print $4}')"
if [[ -z "$inet" ]]; then
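Review bot: `interfaces=($(ip link | awk ... | cut -d@ -f1))` builds the array through unquoted word splitting and pathname expansion of the command output (ShellCheck SC2207); the same form appears in the 40-inet6 hunk of this commit. Interface names cannot contain whitespace, so the practical risk is low, but the intent reads more clearly and survives an interface name containing a glob character with `mapfile -t interfaces < <(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1)`. The `for` loop that consumes the array continues past the hunk.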
diff --git a/root/etc/cont-init.d/40-inet6 b/root/etc/cont-init.d/40-inet6
index 8f1b64de..1dca16ed 100644
--- a/root/etc/cont-init.d/40-inet6
+++ b/root/etc/cont-init.d/40-inet6
@@ -1,7 +1,7 @@
#!/bin/bash
network_found=false
-interfaces=$(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1)
+interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
for iface in "${interfaces[@]}"; do
inet="$(ip -o addr show dev "${iface}" | awk '$3 == "inet6" {print $4; exit}')"
if [[ -z "$inet" ]]; then
From 65b451fedc28c292e6329e0af7629ba7ca0e02f9 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sat, 12 Feb 2022 12:12:54 -0600
Subject: [PATCH 54/84] sleep when no server found
---
root/etc/services.d/wireguard/run | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index c8406a3a..201fcdcd 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -6,8 +6,12 @@ mkdir -p /etc/wireguard
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
echo "[$(date -Iseconds)] Finding the best server..."
recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
- echo "[$(date -Iseconds)] Using server:"
- jq -r '.[0]' <<< "${recommendations}"
+ server=$(jq -r '.[0] | del(.services, .technologies)' <<< "${recommendations}")
+ if [[ -z ${server} ]]; then
+ echo "[$(date -Iseconds)] Unable to select a server ¯\_(⊙︿⊙)_/¯"
+ sleep infinity
+ fi
+ echo "[$(date -Iseconds)] Using server: ${server}"
if [[ -z ${PUBLIC_KEY} ]]; then
PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
fi
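Review bot: The new guard `if [[ -z ${server} ]]; then` does not catch an empty recommendation list: when the API returns `[]`, `jq -r '.[0] | del(.services, .technologies)'` prints the literal string `null`, which is non-empty, so the script logs `Using server: null` and falls through to the PUBLIC_KEY extraction with no server selected. Treat that sentinel as a failure too, `if [[ -z ${server} || ${server} == "null" ]]; then`, or run jq with `-e` and branch on its exit status. The outer `if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]` block that opens this hunk continues past it.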
From 032a697890ffe9d488fd0aa4eca997e998790df6 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sat, 12 Feb 2022 17:55:05 -0600
Subject: [PATCH 55/84] update doc for the new container to get the private key
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e17ab5f7..6bac5f2a 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ Wireguard module is required, the container will try to install the module, inst
| Variable | Default | Description |
|:-----------------------------------------:|---------------------------------------------------------------------------------------------------------------------------| --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn nord_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
| `DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
From e1b627d1d9e37aeba4444e80f8993a50edb0ed12 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 13 Feb 2022 21:26:09 -0600
Subject: [PATCH 56/84] moving back to alpine, the wireguard module
installation was moved to a separate container
---
Dockerfile | 51 +-----
README.md | 9 +-
root/donate.txt | 2 -
root/etc/cont-init.d/10-validate | 19 +++
root/etc/cont-init.d/{40-inet => 20-inet} | 0
root/etc/cont-init.d/{40-inet6 => 20-inet6} | 0
root/etc/cont-init.d/20-validate | 6 -
root/etc/cont-init.d/30-module | 150 ------------------
root/etc/cont-init.d/{50-route => 30-route} | 0
root/etc/cont-init.d/{50-route6 => 30-route6} | 0
.../{60-allowlist => 40-allowlist} | 2 +-
11 files changed, 27 insertions(+), 212 deletions(-)
delete mode 100644 root/donate.txt
create mode 100644 root/etc/cont-init.d/10-validate
rename root/etc/cont-init.d/{40-inet => 20-inet} (100%)
rename root/etc/cont-init.d/{40-inet6 => 20-inet6} (100%)
delete mode 100644 root/etc/cont-init.d/20-validate
delete mode 100644 root/etc/cont-init.d/30-module
rename root/etc/cont-init.d/{50-route => 30-route} (100%)
rename root/etc/cont-init.d/{50-route6 => 30-route6} (100%)
rename root/etc/cont-init.d/{60-allowlist => 40-allowlist} (84%)
diff --git a/Dockerfile b/Dockerfile
index 96c84d28..0e721d7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,50 +1,9 @@
-FROM ghcr.io/linuxserver/baseimage-ubuntu:bionic
-
+FROM ghcr.io/linuxserver/baseimage-alpine:3.15
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
-ENV DEBIAN_FRONTEND="noninteractive"
-ARG WIREGUARD_RELEASE
COPY /patch /patch
-
-RUN \
- echo "**** install dependencies ****" && \
- apt-get update && \
- apt-get install -y --no-install-recommends \
- bc \
- build-essential \
- curl \
- dkms \
- git \
- gnupg \
- ifupdown \
- iproute2 \
- iptables \
- iputils-ping \
- jq \
- libc6 \
- libelf-dev \
- net-tools \
- openresolv \
- patch \
- perl \
- pkg-config && \
- echo "**** install wireguard-tools ****" && \
- if [ -z ${WIREGUARD_RELEASE+x} ]; then \
- WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" | jq -r .[0].name); \
- fi && \
- cd /app && \
- git clone https://git.zx2c4.com/wireguard-linux-compat && \
- git clone https://git.zx2c4.com/wireguard-tools && \
- cd wireguard-tools && \
- git checkout "${WIREGUARD_RELEASE}" && \
- make -C src -j$(nproc) && \
- make -C src install && \
- patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
- echo "**** clean up ****" && \
- rm -rf \
- /patch \
- /tmp/* \
- /var/lib/apt/lists/* \
- /var/tmp/*
-
+RUN apk add --no-cache -U wireguard-tools curl jq patch && \
+ patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
+ apk del --purge patch && \
+ rm -rf /tmp/* /patch
COPY /root /
\ No newline at end of file
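Review bot: `rm -rf /tmp/* /patch` at the end of the RUN does not remove the patch from the image, because `COPY /patch /patch` already committed it as its own layer; a later deletion only hides the files. With BuildKit (`# syntax=docker/dockerfile:1`) the copy can be replaced by a build-time mount so nothing needs cleaning up: drop the COPY and write `RUN --mount=type=bind,source=patch,target=/patch apk add --no-cache wireguard-tools curl jq patch && patch --verbose -d / -p 0 -i /patch/wg-quick.patch && apk del --purge patch`. In the same line, `-U` is redundant next to `--no-cache`, which already fetches a fresh index, and `wireguard-tools`, `curl` and `jq` are unpinned (hadolint DL3018), so rebuilds of this Dockerfile are not reproducible.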
diff --git a/README.md b/README.md
index 6bac5f2a..6f6673c8 100644
--- a/README.md
+++ b/README.md
@@ -62,21 +62,16 @@ services:
image: ghcr.io/bubuntux/nordlynx
cap_add:
- NET_ADMIN #required
- - NET_RAW #required in some cases
- - SYS_MODULE #requiered to install wireguard module
environment:
- PRIVATE_KEY=xxxxxxxxx #required
- volumes:
- - /lib/modules:/lib/modules #requiered to install wireguard module
```
### docker cli ([click here for more info](https://docs.docker.com/engine/reference/commandline/cli/))
```bash
docker run -d \
- --cap-add=NET_ADMIN,NET_RAW,SYS_MODULE #required \
+ --cap-add=NET_ADMIN #required \
-e PRIVATE_KEY=xxxxxxxxx #required \
- -v /lib/modules:/lib/modules #requiered to install wireguard module \
ghcr.io/bubuntux/nordlynx
```
@@ -84,7 +79,7 @@ Review the [wiki](https://github.com/bubuntux/nordlynx/wiki) for more practical
## Module
-Wireguard module is required, the container will try to install the module, install [manually](https://www.wireguard.com/install) if need it.
+Wireguard module is required, please install it [manually](https://www.wireguard.com/install) if need it.
## Environment
diff --git a/root/donate.txt b/root/donate.txt
deleted file mode 100644
index c6c341b9..00000000
--- a/root/donate.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-Bubuntux: https://github.com/sponsors/bubuntux
-WireGuard: https://www.wireguard.com/donations/
\ No newline at end of file
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
new file mode 100644
index 00000000..afaa03d5
--- /dev/null
+++ b/root/etc/cont-init.d/10-validate
@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv bash
+
+ip link del dev test 2>/dev/null
+if ip link add dev test type wireguard; then
+ ip link del dev test
+else
+ echo "[$(date -Iseconds)] The wireguard module is not active, try \`docker run --rm --cap-add=NET_ADMIN --cap-add=SYS_MODULE -v /lib/modules:/lib/modules bubuntux/install-wireguard\` to install it or follow the proper instructions from https://www.wireguard.com/install/ to manually install it."
+ sleep infinity
+fi
+
+if ! iptables -L > /dev/null 2>&1; then
+ echo "[$(date -Iseconds)] iptables is not functional. Ensure your container config adds --cap-add=NET_RAW"
+ sleep infinity
+fi
+
+if [[ -z ${PRIVATE_KEY} ]] ; then
+ echo "[$(date -Iseconds)] Missing PRIVATE_KEY please review the documentation."
+ sleep infinity
+fi
\ No newline at end of file
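Review bot: The probe `if ! iptables -L > /dev/null 2>&1; then` tells the user to add `--cap-add=NET_RAW`, but the README hunk in this same commit removes NET_RAW from both the compose and the docker-cli example, so the error message now points at a capability the documentation no longer mentions; either keep a README sentence stating that NET_RAW is required where the runtime drops it from the default set, or reword the message. The probe itself should use `iptables -nL` so it never attempts reverse DNS resolution; with the DROP policies that 00-firewall presumably installs before this script runs, any lookup would block the init sequence rather than fail. The same `-n` applies if an ip6tables probe is added later.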
diff --git a/root/etc/cont-init.d/40-inet b/root/etc/cont-init.d/20-inet
similarity index 100%
rename from root/etc/cont-init.d/40-inet
rename to root/etc/cont-init.d/20-inet
diff --git a/root/etc/cont-init.d/40-inet6 b/root/etc/cont-init.d/20-inet6
similarity index 100%
rename from root/etc/cont-init.d/40-inet6
rename to root/etc/cont-init.d/20-inet6
diff --git a/root/etc/cont-init.d/20-validate b/root/etc/cont-init.d/20-validate
deleted file mode 100644
index 0f3c8f8f..00000000
--- a/root/etc/cont-init.d/20-validate
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-if [[ -z ${PRIVATE_KEY} ]] ; then
- echo "[$(date -Iseconds)] **** Missing PRIVATE_KEY please review the documentation. ****"
- sleep infinity
-fi
\ No newline at end of file
diff --git a/root/etc/cont-init.d/30-module b/root/etc/cont-init.d/30-module
deleted file mode 100644
index cad11178..00000000
--- a/root/etc/cont-init.d/30-module
+++ /dev/null
@@ -1,150 +0,0 @@
-#!/usr/bin/with-contenv bash
-
-echo "[$(date -Iseconds)] Uname info: $(uname -a)"
-# check for wireguard module
-ip link del dev test 2>/dev/null
-if ip link add dev test type wireguard; then
- echo "[$(date -Iseconds)] **** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****"
- SKIP_COMPILE="true"
- ip link del dev test
-else
- echo "[$(date -Iseconds)] **** The wireguard module is not active, will attempt kernel header install and module compilation. ****"
-fi
-
-# install headers if necessary
-if [ "$SKIP_COMPILE" != "true" ] && [ ! -e /lib/modules/$(uname -r)/build ]; then
- echo "**** Attempting kernel header install ****"
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- apt-get install -y \
- linux-headers-$(uname -r)
- elif (uname -r | grep -q 'v7+') || (uname -r | grep -q 'v7l+') || (uname -r | grep -q 'v8+'); then
- echo "**** Raspbian kernel naming convention detected, attempting to install raspbian kernel headers ****"
- curl -s http://archive.raspberrypi.org/debian/raspberrypi.gpg.key | apt-key add -
- echo -e \
- "deb http://archive.raspberrypi.org/debian/ buster main\ndeb-src http://archive.raspberrypi.org/debian/ buster main" \
- > /etc/apt/sources.list.d/raspbian.list
- apt-get update
- apt-get install -y \
- raspberrypi-kernel-headers
- elif uname -v | grep -q 'Ubuntu'; then
- echo "**** Ubuntu kernel detected, but likely not Bionic. ****"
- echo "**** Attempting to install kernel headers from Ubuntu Xenial repo ****"
- if uname -m | grep -q 'x86_64'; then
- echo -e \
- "deb http://archive.ubuntu.com/ubuntu/ xenial main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted\n\ndeb http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted" \
- > /etc/apt/sources.list.d/xenial-focal.list
- else
- echo -e \
- "deb http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted\ndeb-src http://ports.ubuntu.com/ubuntu-ports/ xenial main restricted\n\ndeb http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted\ndeb-src http://ports.ubuntu.com/ubuntu-ports/ xenial-updates main restricted" \
- > /etc/apt/sources.list.d/xenial-focal.list
- fi
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- apt-get install -y \
- linux-headers-$(uname -r)
- else
- echo "**** No kernel headers found in the Ubuntu Xenial repo!! Trying Ubuntu Focal. ****"
- sed -i 's/xenial/focal/g' /etc/apt/sources.list.d/xenial-focal.list
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- apt-get install -y \
- linux-headers-$(uname -r)
- else
- echo "**** No kernel headers found in the Ubuntu repos!! Will try the headers from host (if mapped), may or may not work ****"
- rm -rf /etc/apt/sources.list.d/xenial-focal.list
- fi
- fi
- elif uname -v | grep -q 'Debian'; then
- echo "**** Debian host detected, attempting to install kernel headers from Debian Buster repo ****"
- curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | apt-key add -
- curl -s https://ftp-master.debian.org/keys/archive-key-10-security.asc | apt-key add -
- cat < /etc/apt/sources.list.d/debian.list
-deb http://deb.debian.org/debian buster main contrib non-free
-deb-src http://deb.debian.org/debian buster main contrib non-free
-deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
-deb-src http://deb.debian.org/debian-security/ buster/updates main contrib non-free
-deb http://deb.debian.org/debian buster-updates main contrib non-free
-deb-src http://deb.debian.org/debian buster-updates main contrib non-free
-deb http://deb.debian.org/debian buster-backports main contrib non-free
-deb-src http://deb.debian.org/debian buster-backports main contrib non-free
-DUDE
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- if uname -r | grep -qs "bpo"; then
- echo "**** Backported kernel detected ****"
- apt-get install -y -t buster-backports \
- linux-headers-$(uname -r)
- else
- apt-get install -y \
- linux-headers-$(uname -r)
- fi
- else
- echo "**** Attempting to install kernel headers from the Debian Stretch repo ****"
- curl -s https://ftp-master.debian.org/keys/archive-key-9.asc | apt-key add -
- curl -s https://ftp-master.debian.org/keys/archive-key-9-security.asc | apt-key add -
- sed -i 's/buster/stretch/g' /etc/apt/sources.list.d/debian.list
- apt-get update
- if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
- if uname -r | grep -qs "bpo"; then
- echo "**** Backported kernel detected ****"
- apt-get install -y -t stretch-backports \
- linux-headers-$(uname -r)
- else
- apt-get install -y \
- linux-headers-$(uname -r)
- fi
- else
- echo "**** No kernel headers found in Debian repos!! Will try the headers from host (if mapped), may or may not work ****"
- rm -rf /etc/apt/sources.list.d/debian.list
- fi
- fi
- else
- echo "**** No kernel headers found in the Ubuntu or Debian repos!! Will try the headers from host (if mapped), may or may not work ****"
- fi
-fi
-
-if [ "$SKIP_COMPILE" != "true" ]; then
- if [ -e /lib/modules/$(uname -r)/build ]; then
- echo "**** Kernel headers seem to be present, attempting to build the wireguard module. . . ****"
- if [ ! -f /lib/modules/$(uname -r)/build/certs/signing_key.pem ]; then
- mkdir -p /lib/modules/$(uname -r)/build/certs
- cd /lib/modules/$(uname -r)/build/certs
- cat <> x509.genkey
-[ req ]
-default_bits = 4096
-distinguished_name = req_distinguished_name
-prompt = no
-string_mask = utf8only
-x509_extensions = myexts
-
-[ req_distinguished_name ]
-CN = Modules
-
-[ myexts ]
-basicConstraints=critical,CA:FALSE
-keyUsage=digitalSignature
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid
-DUDE
- echo "**** Generating signing key ****"
- openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem
- fi
- cd /app
- echo "**** Building the module ****"
- make -C wireguard-linux-compat/src -j$(nproc)
- make -C wireguard-linux-compat/src install
- echo "**** Let's test our new module. ****"
- ip link del dev test 2>/dev/null
- if ip link add dev test type wireguard; then
- echo "**** The module is active, moving forward with setup. ****"
- ip link del dev test
- else
- echo "**** The module is not active, review the logs. Sleeping now. . . ****"
- sleep infinity
- fi
- else
- echo "**** Kernel headers don't seem to be available, can't compile the module. Sleeping now. . . ****"
- sleep infinity
- fi
-fi
\ No newline at end of file
diff --git a/root/etc/cont-init.d/50-route b/root/etc/cont-init.d/30-route
similarity index 100%
rename from root/etc/cont-init.d/50-route
rename to root/etc/cont-init.d/30-route
diff --git a/root/etc/cont-init.d/50-route6 b/root/etc/cont-init.d/30-route6
similarity index 100%
rename from root/etc/cont-init.d/50-route6
rename to root/etc/cont-init.d/30-route6
diff --git a/root/etc/cont-init.d/60-allowlist b/root/etc/cont-init.d/40-allowlist
similarity index 84%
rename from root/etc/cont-init.d/60-allowlist
rename to root/etc/cont-init.d/40-allowlist
index 84514d84..9889d3bf 100644
--- a/root/etc/cont-init.d/60-allowlist
+++ b/root/etc/cont-init.d/40-allowlist
@@ -4,7 +4,7 @@
if [[ -n ${ALLOW_LIST} ]]; then
for domain in ${ALLOW_LIST//[;,]/ }; do
domain=$(echo "$domain" | sed 's/^.*:\/\///;s/\/.*$//')
- echo "[$(date -Iseconds)] Enabling connection to host ${domain}"
+ echo "[$(date -Iseconds)] Enabling connection to host ${domain}"
iptables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
ip6tables -A OUTPUT -o eth0 -d "${domain}" -j ACCEPT 2>/dev/null
done
From b80f73dfeaffacd82a8af5c68a26924ddc38f1b9 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 13 Feb 2022 21:27:18 -0600
Subject: [PATCH 57/84] re-adding donation message
---
root/donate.txt | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 root/donate.txt
diff --git a/root/donate.txt b/root/donate.txt
new file mode 100644
index 00000000..c6c341b9
--- /dev/null
+++ b/root/donate.txt
@@ -0,0 +1,2 @@
+Bubuntux: https://github.com/sponsors/bubuntux
+WireGuard: https://www.wireguard.com/donations/
\ No newline at end of file
From 9a8342b3f0302f1e6d65d816782da559575f761d Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 14 Feb 2022 10:16:44 -0600
Subject: [PATCH 58/84] format readme
---
README.md | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index 6f6673c8..21add37e 100644
--- a/README.md
+++ b/README.md
@@ -83,24 +83,24 @@ Wireguard module is required, please install it [manually](https://www.wireguard
## Environment
-| Variable | Default | Description |
-|:-----------------------------------------:|---------------------------------------------------------------------------------------------------------------------------| --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
-| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
-| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-| `DNS` | [103.86.96.100,103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
-| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
-| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-| `PRE_UP`/`POST_UP`/`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
-| `QUERY` | | Query for the api nordvpn
-| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
-| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
-| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
-| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
-| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
-| `RECONNECT` | | Time in seconds to re-establish the connection.
-| `TZ` | UTC | Specify a timezone to use EG Europe/London.
+| Variable | Default | Description |
+|:----------------------------------------:|:-----------------------------------------------------------------------------------------------------------------------------:| --- |
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
+| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
+| `DNS` | [103.86.96.100
103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
+| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
+| `QUERY` | | Query for the api nordvpn
+| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
+| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
+| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
+| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+| `RECONNECT` | | Time in seconds to re-establish the connection.
+| `TZ` | UTC | Specify a timezone to use EG Europe/London.
## Sysctl
From 6a2a984763d62a7d7518872880d90b464cc318ef Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 14 Feb 2022 21:35:15 -0600
Subject: [PATCH 59/84] refactors
---
Dockerfile | 5 ++---
root/etc/services.d/wireguard/finish | 5 ++++-
root/etc/services.d/wireguard/run | 21 +++++----------------
{patch => root/patch}/wg-quick.patch | 0
4 files changed, 11 insertions(+), 20 deletions(-)
rename {patch => root/patch}/wg-quick.patch (100%)
diff --git a/Dockerfile b/Dockerfile
index 0e721d7a..e6d77209 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,8 @@
FROM ghcr.io/linuxserver/baseimage-alpine:3.15
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
-COPY /patch /patch
+COPY /root /
RUN apk add --no-cache -U wireguard-tools curl jq patch && \
patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
apk del --purge patch && \
- rm -rf /tmp/* /patch
-COPY /root /
\ No newline at end of file
+ rm -rf /tmp/* /patch
\ No newline at end of file
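Review bot: `apk add --no-cache -U wireguard-tools curl jq patch` installs unpinned packages, so every rebuild can pull different versions and a bad or withdrawn package release is picked up silently; pin them, e.g. `apk add --no-cache wireguard-tools=<pinned-version> curl=<pinned-version> jq=<pinned-version> patch=<pinned-version>` (hadolint DL3018), and consider pinning the base image by digest as well. Placing `COPY /root /` before the RUN also ties the package layer's cache to every init-script edit, and the trailing `rm -rf /tmp/* /patch` no longer shrinks the image because the COPY layer above already contains /patch/wg-quick.patch. The patch file is small, so the second point is about cache behaviour rather than image size.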
diff --git a/root/etc/services.d/wireguard/finish b/root/etc/services.d/wireguard/finish
index c5b013c4..b652f817 100644
--- a/root/etc/services.d/wireguard/finish
+++ b/root/etc/services.d/wireguard/finish
@@ -1,3 +1,6 @@
#!/bin/bash
-wg-quick down wg0
\ No newline at end of file
+echo "[$(date -Iseconds)] Connection summary:"
+wg show wg0
+wg-quick down wg0
+rm -f /etc/wireguard/wg0.conf
\ No newline at end of file
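Review bot: `rm -f /etc/wireguard/wg0.conf` must stay after `wg-quick down wg0`, since wg-quick reads that file to find the interface's configuration, and nothing in the script records that ordering; add `# wg-quick down reads wg0.conf — delete it only after teardown` above the rm. The file is also removed when `wg-quick down` fails, which is presumably intended (the key should not linger once the service stops) but is worth stating in the same comment. `wg show wg0` writes the peer endpoint and public keys to the service log; wg hides the private key unless `WG_HIDE_KEYS=never` is set, so this is connection metadata only.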
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 201fcdcd..68169a08 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -1,11 +1,8 @@
#!/usr/bin/with-contenv bash
-rm -rf /etc/wireguard
-mkdir -p /etc/wireguard
-
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
echo "[$(date -Iseconds)] Finding the best server..."
- recommendations=$(curl -s "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
+ recommendations=$(curl --retry 3 -LsS "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
server=$(jq -r '.[0] | del(.services, .technologies)' <<< "${recommendations}")
if [[ -z ${server} ]]; then
echo "[$(date -Iseconds)] Unable to select a server ¯\_(⊙︿⊙)_/¯"
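Review bot: Dropping `rm -rf /etc/wireguard` and `mkdir -p /etc/wireguard` leaves the later `cat >/etc/wireguard/wg0.conf` dependent on the directory already existing in the image, and nothing in this patch shows the package creating it; keep `install -d -m 700 /etc/wireguard` (or `mkdir -p`) so a missing directory cannot turn into an unwritten config. The new `curl --retry 3 -LsS` call has no `--fail` and no `--max-time`, so an HTTP error response is handed to jq instead of failing the request, and a stalled connection blocks the service start indefinitely; `curl --retry 3 --max-time 30 -fLsS "…"` keeps the retry behaviour while making both failures visible to the existing `-z ${server}` check.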
@@ -20,7 +17,7 @@ if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
fi
fi
-cat >/etc/wireguard/wg0.conf </etc/wireguard/wg0.conf <<-EOF
[Interface]
PrivateKey = ${PRIVATE_KEY}
ListenPort = ${LISTEN_PORT:-51820}
@@ -37,9 +34,8 @@ PublicKey = ${PUBLIC_KEY}
AllowedIPs = ${ALLOWED_IPS:-0.0.0.0/0}
Endpoint = ${END_POINT}
PersistentKeepalive = ${PERSISTENT_KEEP_ALIVE:-25}
-EOL
-
-chmod 600 /etc/wireguard/wg0.conf
+EOF
+} && sync )
echo "[$(date -Iseconds)] Connecting..."
wg-quick up wg0
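Review bot: `} && sync )` ends the config write without anything checking whether it succeeded — a read-only filesystem or a missing /etc/wireguard leaves no wg0.conf, and the script still runs `wg-quick up wg0` on the next line and then prints the "Connected!" banner. The subshell's status is available, so guard it in the repository's existing fatal-error style (echo, then `sleep infinity`): `( umask 077 && { … } && sync ) || { echo "[$(date -Iseconds)] Unable to write /etc/wireguard/wg0.conf"; sleep infinity; }`, and likewise `wg-quick up wg0 || { echo "[$(date -Iseconds)] wg-quick up failed, review the logs"; sleep infinity; }`. The write block starts above this hunk.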
@@ -47,12 +43,5 @@ echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
if [[ -n ${RECONNECT} ]]; then
echo "[$(date -Iseconds)] Reconnecting in ${RECONNECT} seconds"
- sleep "${RECONNECT}"
- wg show wg0 | grep transfer
- echo "[$(date -Iseconds)] Reconnecting..."
- exit 0
fi
-
-sleep infinity & PID=$!
-trap "kill $PID; exit" INT TERM
-wait
+sleep "${RECONNECT:-infinity}"
\ No newline at end of file
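Review bot: `sleep "${RECONNECT:-infinity}"` runs as a child of the bash run script now that the `trap`/`wait` pair is gone, so a SIGTERM from s6 stops bash while the sleep process is likely left behind until the container exits; `exec sleep "${RECONNECT:-infinity}"` hands the process slot to sleep so the supervisor signals it directly. The reconnect behaviour is now implicit — when the sleep ends the script exits 0, s6 runs finish (`wg-quick down`) and restarts this script — and deserves a comment, e.g. `# when RECONNECT elapses this script exits; s6 runs finish and restarts it, which reconnects`.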
diff --git a/patch/wg-quick.patch b/root/patch/wg-quick.patch
similarity index 100%
rename from patch/wg-quick.patch
rename to root/patch/wg-quick.patch
From 8ab7d226ea4bff288dd8337d88b19f4768d534da Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 14 Feb 2022 21:38:48 -0600
Subject: [PATCH 60/84] add comment to obtain the private key
---
root/etc/cont-init.d/10-validate | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
index afaa03d5..2ed451ff 100644
--- a/root/etc/cont-init.d/10-validate
+++ b/root/etc/cont-init.d/10-validate
@@ -14,6 +14,6 @@ if ! iptables -L > /dev/null 2>&1; then
fi
if [[ -z ${PRIVATE_KEY} ]] ; then
- echo "[$(date -Iseconds)] Missing PRIVATE_KEY please review the documentation."
+ echo "[$(date -Iseconds)] Missing PRIVATE_KEY, try \`docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key\` or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
sleep infinity
fi
\ No newline at end of file
From ad714c6b79f59a5b608da1815eb0c2c75a3cc4c5 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 14 Feb 2022 23:39:15 -0600
Subject: [PATCH 61/84] adding healthcheck
---
Dockerfile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index e6d77209..001e5a32 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
FROM ghcr.io/linuxserver/baseimage-alpine:3.15
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
+HEALTHCHECK CMD [ $(( $(date -u +%s) - $(wg show wg0 latest-handshakes | awk '{print $2}') )) -le 120 ] || exit 1
+
COPY /root /
RUN apk add --no-cache -U wireguard-tools curl jq patch && \
patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
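Review bot: The HEALTHCHECK on the new line has no `--start-period`/`--timeout`, and while wg0 is not up the inner `$(wg show …)` expands to nothing, so `$(( $(date -u +%s) - ))` is an arithmetic syntax error that aborts the shell with a status other than 0 or 1 before `|| exit 1` is reached — Docker reserves exit code 2 and expects probes to return only 0 or 1. Read the handshake timestamp into a variable first and test it, e.g.
`HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \`
`  CMD last=$(wg show wg0 latest-handshakes 2>/dev/null | awk 'NR==1{print $2}') && [ -n "$last" ] && [ $(( $(date -u +%s) - last )) -le 120 ] || exit 1`.
The `NR==1` also keeps the arithmetic well-formed should more than one peer ever be configured.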
From f2d68c9b5d9872a40c2154cd8173dd20bb3cc58a Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sat, 12 Mar 2022 11:55:31 -0600
Subject: [PATCH 62/84] remove default dns, this way you can resolve aliases
within the docker network and use whatever dns the host is using by default
---
README.md | 44 +++++++++++++++++--------------
root/etc/services.d/wireguard/run | 6 ++---
2 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index 21add37e..5e8fc453 100644
--- a/README.md
+++ b/README.md
@@ -39,14 +39,18 @@ NordLynx is a technology built around the WireGuard® VPN protocol. It lets you
[](https://www.wireguard.com/)
-
## Road warriors, roaming and returning home
-If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
+If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing.
+Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that
+when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
-This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
+This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge
+router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your
+internal DNS to return the private rather than public IP when connecting locally).
-Both of these approaches have positives and negatives however their setup is out of scope for this document as everyone's network layout and equipment will be different.
+Both of these approaches have positives and negatives however their setup is out of scope for this document as
+everyone's network layout and equipment will be different.
## Usage
@@ -79,30 +83,30 @@ Review the [wiki](https://github.com/bubuntux/nordlynx/wiki) for more practical
## Module
-Wireguard module is required, please install it [manually](https://www.wireguard.com/install) if need it.
+Wireguard module is required, please install it [manually](https://www.wireguard.com/install) if need it.
## Environment
-| Variable | Default | Description |
-|:----------------------------------------:|:-----------------------------------------------------------------------------------------------------------------------------:| --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
-| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
-| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-| `DNS` | [103.86.96.100
103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-| `TABLE` | auto | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
-| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
-| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
-| `QUERY` | | Query for the api nordvpn
-| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
-| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
-| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+| Variable | Default | Description |
+|:----------------------------------------:|:--------------:| --- |
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
+| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
+| `DNS` | | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
+| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
+| `QUERY` | | Query for the api nordvpn
+| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
+| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
+| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
| `RECONNECT` | | Time in seconds to re-establish the connection.
| `TZ` | UTC | Specify a timezone to use EG Europe/London.
-## Sysctl
+## Sysctl
* `net.ipv4.conf.all.src_valid_mark=1` May be required. (depends on multiple factors)
* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
\ No newline at end of file
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 68169a08..05d013a7 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -22,17 +22,17 @@ fi
PrivateKey = ${PRIVATE_KEY}
ListenPort = ${LISTEN_PORT:-51820}
Address = ${ADDRESS:-10.5.0.2/32}
-DNS = ${DNS:-103.86.96.100,103.86.99.100}
-Table = ${TABLE:-auto}
+DNS = ${DNS}
+Table = ${TABLE}
PreUp = ${PRE_UP}
PostUp = ${POST_UP}
PreDown = ${PRE_DOWN}
PostDown = ${POST_DOWN}
[Peer]
+Endpoint = ${END_POINT}
PublicKey = ${PUBLIC_KEY}
AllowedIPs = ${ALLOWED_IPS:-0.0.0.0/0}
-Endpoint = ${END_POINT}
PersistentKeepalive = ${PERSISTENT_KEEP_ALIVE:-25}
EOF
} && sync )
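Review bot: `DNS = ${DNS}` and `Table = ${TABLE}` now emit a key with an empty value whenever the variable is unset, so the generated wg0.conf relies on wg-quick tolerating `DNS = ` and `Table = `; stock wg-quick appears to treat an empty Table like `auto` and to skip an empty DNS list, but the patched wg-quick this image applies is not visible here, and the README rows in this commit list no default for either. Emit the line only when the variable is set, `${DNS:+DNS = ${DNS}}` and `${TABLE:+Table = ${TABLE}}`, so the config contains only keys that carry a value. The heredoc starts above this hunk.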
From 363c6463373b70caeb2b309fc2c1b96b8796d56c Mon Sep 17 00:00:00 2001
From: Bart Kamphorst
Date: Tue, 15 Mar 2022 00:09:06 +0100
Subject: [PATCH 63/84] Update Synology specific comments
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 5e8fc453..0fa8b69e 100644
--- a/README.md
+++ b/README.md
@@ -94,9 +94,9 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
| `DNS` | | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
-| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. Use 0.0.0.0/1 for Synology, read [this](https://github.com/bubuntux/nordlynx/issues/2).
+| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE.
+| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
| `QUERY` | | Query for the api nordvpn
| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
@@ -109,4 +109,4 @@ Wireguard module is required, please install it [manually](https://www.wireguard
## Sysctl
* `net.ipv4.conf.all.src_valid_mark=1` May be required. (depends on multiple factors)
-* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
\ No newline at end of file
+* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
From f60758cb575e2dcf38d9e2a5bcf56e4196d15c2e Mon Sep 17 00:00:00 2001
From: Bart Kamphorst
Date: Tue, 15 Mar 2022 00:09:54 +0100
Subject: [PATCH 64/84] Correction: TABLES has no default
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0fa8b69e..1813c4d7 100644
--- a/README.md
+++ b/README.md
@@ -93,7 +93,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
| `DNS` | | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (the default) adds routes to the default table and enables special handling of default routes.
+| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (suggested for most users) adds routes to the default table and enables special handling of default routes.
| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
From 1a1480ac8de9223832b6b178e517d866f9e8be06 Mon Sep 17 00:00:00 2001
From: wjervis7 <32655115+wjervis7@users.noreply.github.com>
Date: Sun, 15 May 2022 12:24:23 -0700
Subject: [PATCH 65/84] private key
---
root/etc/services.d/wireguard/run | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 05d013a7..71487a05 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -17,6 +17,11 @@ if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
fi
fi
+echo "Private Key: $PRIVATE_KEY"
+echo "Private Key File: $PRIVATE_KEY_FILE"
+[[ -z "${PRIVATE_KEY}" ]] && [[ -f "${PRIVATE_KEY_FILE}" ]] && PRIVATE_KEY="$(head -n 1 "${PRIVATE_KEY_FILE}")"
+echo "Private key: $PRIVATE_KEY"
+
( umask 077 && { cat >/etc/wireguard/wg0.conf <<-EOF
[Interface]
PrivateKey = ${PRIVATE_KEY}
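Review bot: The three added `echo` lines print the WireGuard private key (and its file path) to the service's stdout, which is captured by `docker logs` and by whatever log driver or collector the host ships container output to; a secret must not be logged, not even as a temporary debugging aid, and any key that ran through this revision should be treated as exposed wherever those logs went. Patch 66 in this series deletes the lines again, which is the right fix. The `[[ -f "${PRIVATE_KEY_FILE}" ]]` guard also lets a file that exists but is unreadable fail silently, leaving `PrivateKey = ` empty in the config; `[[ -r "${PRIVATE_KEY_FILE}" ]]` plus a check that `PRIVATE_KEY` is non-empty afterwards would surface that.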
@@ -44,4 +49,4 @@ echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
if [[ -n ${RECONNECT} ]]; then
echo "[$(date -Iseconds)] Reconnecting in ${RECONNECT} seconds"
fi
-sleep "${RECONNECT:-infinity}"
\ No newline at end of file
+sleep "${RECONNECT:-infinity}"
From b5673140d9fa0bfabb0cc435daef532a931e6ec1 Mon Sep 17 00:00:00 2001
From: wjervis7 <32655115+wjervis7@users.noreply.github.com>
Date: Sun, 15 May 2022 12:38:39 -0700
Subject: [PATCH 66/84] Update docker-image-ci.yml
Update docker-image-ci.yml
Update 10-validate
add private_key_file
Revert "Update docker-image-ci.yml"
This reverts commit 1084fef6feb03eb11c03586f0762b3233302a008.
Revert "Update docker-image-ci.yml"
This reverts commit 8e581045c87f14eb073f7c0973cd315439cb2c2e.
update documentation for PRIVATE_KEY_FILE
fix formatting
remove newlines at eof
---
README.md | 19 +++++++++++++++++++
root/etc/cont-init.d/10-validate | 4 ++--
root/etc/services.d/wireguard/run | 5 +----
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 1813c4d7..6b6798f8 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,24 @@ services:
- PRIVATE_KEY=xxxxxxxxx #required
```
+### docker-compose (using secret)
+
+```yaml
+version: "3.9"
+services:
+ nordlynx:
+ image: ghcr.io/bubuntux/nordlynx
+ cap_add:
+ - NET_ADMIN #required
+ environment:
+ - PRIVATE_KEY_FILE=/run/secrets/privatekey
+ secrets:
+ - privatekey
+secrets:
+ privatekey:
+ file: ./privatekey.txt
+```
+
### docker cli ([click here for more info](https://docs.docker.com/engine/reference/commandline/cli/))
```bash
@@ -90,6 +108,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| Variable | Default | Description |
|:----------------------------------------:|:--------------:| --- |
| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
| `DNS` | | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
index 2ed451ff..2da42fec 100644
--- a/root/etc/cont-init.d/10-validate
+++ b/root/etc/cont-init.d/10-validate
@@ -13,7 +13,7 @@ if ! iptables -L > /dev/null 2>&1; then
sleep infinity
fi
-if [[ -z ${PRIVATE_KEY} ]] ; then
- echo "[$(date -Iseconds)] Missing PRIVATE_KEY, try \`docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key\` or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
+if [[ -z ${PRIVATE_KEY} ]] && [[ -z ${PRIVATE_KEY_FILE} ]] ; then
+ echo "[$(date -Iseconds)] Missing PRIVATE_KEY, and, PRIVATE_KEY_FILE, try \`docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key\` or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
sleep infinity
fi
\ No newline at end of file
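Review bot: The new condition only checks that `PRIVATE_KEY_FILE` is set, not that the path is a readable, non-empty file, so a typo in the secret path passes validation here and then falls through the `[[ -f … ]]` guard in the run script (same commit) to produce a config with an empty PrivateKey. `if [[ -z ${PRIVATE_KEY} ]] && [[ ! -s ${PRIVATE_KEY_FILE} ]]; then` catches both the unset and the missing/empty-file cases in one test, and the message could read `Missing PRIVATE_KEY and PRIVATE_KEY_FILE, try …`. The README row added in the same commit describes the file as holding the account password, whereas the run script reads the WireGuard private key from its first line — the documentation should say so.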
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 71487a05..4ce3fce2 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -17,10 +17,7 @@ if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
fi
fi
-echo "Private Key: $PRIVATE_KEY"
-echo "Private Key File: $PRIVATE_KEY_FILE"
[[ -z "${PRIVATE_KEY}" ]] && [[ -f "${PRIVATE_KEY_FILE}" ]] && PRIVATE_KEY="$(head -n 1 "${PRIVATE_KEY_FILE}")"
-echo "Private key: $PRIVATE_KEY"
( umask 077 && { cat >/etc/wireguard/wg0.conf <<-EOF
[Interface]
@@ -49,4 +46,4 @@ echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
if [[ -n ${RECONNECT} ]]; then
echo "[$(date -Iseconds)] Reconnecting in ${RECONNECT} seconds"
fi
-sleep "${RECONNECT:-infinity}"
+sleep "${RECONNECT:-infinity}"
\ No newline at end of file
From 94a29a6bf7a3b84cfda382e915b4a4d845de93f4 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 25 Sep 2022 23:45:42 -0500
Subject: [PATCH 67/84] add back nordvpn DNS by default closes #67
---
README.md | 2 +-
root/etc/services.d/wireguard/run | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 6b6798f8..0c91e26b 100644
--- a/README.md
+++ b/README.md
@@ -111,7 +111,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-| `DNS` | | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+| `DNS` | [103.86.96.100
103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (suggested for most users) adds routes to the default table and enables special handling of default routes.
| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 4ce3fce2..141af1de 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -24,7 +24,7 @@ fi
PrivateKey = ${PRIVATE_KEY}
ListenPort = ${LISTEN_PORT:-51820}
Address = ${ADDRESS:-10.5.0.2/32}
-DNS = ${DNS}
+DNS = ${DNS:-103.86.96.100,103.86.99.100}
Table = ${TABLE}
PreUp = ${PRE_UP}
PostUp = ${POST_UP}
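Review bot: `DNS = ${DNS:-103.86.96.100,103.86.99.100}` treats an explicitly empty `DNS` the same as an unset one, so an operator who wants no DNS override (for example to keep the container's resolver untouched) can no longer opt out. If that opt-out is meant to stay possible, `${DNS-103.86.96.100,103.86.99.100}` (no colon) substitutes only when the variable is unset; if forcing the default is deliberate, a comment on the line saying so would stop the next reader from "fixing" it. The wg0.conf heredoc that contains this line starts and ends outside the hunk.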
@@ -46,4 +46,4 @@ echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
if [[ -n ${RECONNECT} ]]; then
echo "[$(date -Iseconds)] Reconnecting in ${RECONNECT} seconds"
fi
-sleep "${RECONNECT:-infinity}"
\ No newline at end of file
+sleep "${RECONNECT:-infinity}"
From c01eac12a55cdec5b66400324cdd06ca9547999b Mon Sep 17 00:00:00 2001
From: Andres Gomez
Date: Mon, 3 Oct 2022 02:11:04 +0300
Subject: [PATCH 68/84] allow specifying the interface to use in the container
When using rootless podman, for example, we won't have "eth0" but
"tap0", which is the one created by slirp4netns.
---
README.md | 1 +
root/etc/cont-init.d/20-inet | 26 +++++++++++++++-----------
root/etc/cont-init.d/20-inet6 | 26 +++++++++++++++-----------
root/etc/cont-init.d/30-route | 11 ++++++-----
root/etc/cont-init.d/30-route6 | 11 ++++++-----
5 files changed, 43 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index 0c91e26b..69bb3f1b 100644
--- a/README.md
+++ b/README.md
@@ -110,6 +110,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
+| `INTERFACE` | eth0 | The network interface to use inside the container.
| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
| `DNS` | [103.86.96.100
103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (suggested for most users) adds routes to the default table and enables special handling of default routes.
diff --git a/root/etc/cont-init.d/20-inet b/root/etc/cont-init.d/20-inet
index 8879d00b..1c1ec711 100644
--- a/root/etc/cont-init.d/20-inet
+++ b/root/etc/cont-init.d/20-inet
@@ -1,9 +1,13 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
network_found=false
+iface=${INTERFACE:-eth0}
interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
-for iface in "${interfaces[@]}"; do
- inet="$(ip -o addr show dev "${iface}" | awk '$3 == "inet" {print $4}')"
+if [[ ! " ${interfaces[*]} " =~ " $iface " ]]; then
+ interfaces+=("$iface")
+fi
+for interface in "${interfaces[@]}"; do
+ inet="$(ip -o addr show dev "${interface}" | awk '$3 == "inet" {print $4}')"
if [[ -z "$inet" ]]; then
continue
fi
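Review bot: `iface=${INTERFACE:-eth0}` is appended to `interfaces` without checking that the device exists, so a mistyped `INTERFACE` is silently skipped by the loop (the `ip -o addr show` error on stderr is the only trace) and the egress rules at the end of the script are bound to a device that is not there; if the chain policy is DROP, as the explicit ACCEPT rules suggest, DNS and API traffic is then blocked with no explanation. A guard before the loop such as `ip link show dev "$iface" >/dev/null 2>&1 || echo "[$(date -Iseconds)] INTERFACE ${iface} not found"` would make the misconfiguration visible at startup. The same applies to the matching hunk in 20-inet6.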
@@ -11,11 +15,11 @@ for iface in "${interfaces[@]}"; do
iptables -F
iptables -X
fi
- echo "[$(date -Iseconds)] Enabling connection to ${iface} ${inet}"
- iptables -A INPUT -i "$iface" -s "${inet}" -j ACCEPT
- iptables -A OUTPUT -o "$iface" -d "${inet}" -j ACCEPT
- iptables -A FORWARD -i "$iface" -d "${inet}" -j ACCEPT
- iptables -A FORWARD -i "$iface" -s "${inet}" -j ACCEPT
+ echo "[$(date -Iseconds)] Enabling connection to ${interface} ${inet}"
+ iptables -A INPUT -i "$interface" -s "${inet}" -j ACCEPT
+ iptables -A OUTPUT -o "$interface" -d "${inet}" -j ACCEPT
+ iptables -A FORWARD -i "$interface" -d "${inet}" -j ACCEPT
+ iptables -A FORWARD -i "$interface" -s "${inet}" -j ACCEPT
network_found=true
done
@@ -37,6 +41,6 @@ iptables -A FORWARD -i lo -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-iptables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
diff --git a/root/etc/cont-init.d/20-inet6 b/root/etc/cont-init.d/20-inet6
index 1dca16ed..c2667e1c 100644
--- a/root/etc/cont-init.d/20-inet6
+++ b/root/etc/cont-init.d/20-inet6
@@ -1,9 +1,13 @@
-#!/bin/bash
+#!/usr/bin/with-contenv bash
network_found=false
+iface=${INTERFACE:-eth0}
interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
-for iface in "${interfaces[@]}"; do
- inet="$(ip -o addr show dev "${iface}" | awk '$3 == "inet6" {print $4; exit}')"
+if [[ ! " ${interfaces[*]} " =~ " $iface " ]]; then
+ interfaces+=("$iface")
+fi
+for interface in "${interfaces[@]}"; do
+ inet="$(ip -o addr show dev "${interface}" | awk '$3 == "inet6" {print $4; exit}')"
if [[ -z "$inet" ]]; then
continue
fi
@@ -11,11 +15,11 @@ for iface in "${interfaces[@]}"; do
ip6tables -F
ip6tables -X
fi
- echo "[$(date -Iseconds)] Enabling connection to ${iface} ${inet}"
- ip6tables -A INPUT -i "$iface" -s "${inet}" -j ACCEPT
- ip6tables -A OUTPUT -o "$iface" -d "${inet}" -j ACCEPT
- ip6tables -A FORWARD -i "$iface" -d "${inet}" -j ACCEPT
- ip6tables -A FORWARD -i "$iface" -s "${inet}" -j ACCEPT
+ echo "[$(date -Iseconds)] Enabling connection to ${interface} ${inet}"
+ ip6tables -A INPUT -i "$interface" -s "${inet}" -j ACCEPT
+ ip6tables -A OUTPUT -o "$interface" -d "${inet}" -j ACCEPT
+ ip6tables -A FORWARD -i "$interface" -d "${inet}" -j ACCEPT
+ ip6tables -A FORWARD -i "$interface" -s "${inet}" -j ACCEPT
network_found=true
done
@@ -37,6 +41,6 @@ ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A OUTPUT -o wg+ -j ACCEPT
ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
-ip6tables -A OUTPUT -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-ip6tables -A OUTPUT -o eth0 -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
diff --git a/root/etc/cont-init.d/30-route b/root/etc/cont-init.d/30-route
index 8ac8fbb7..e3d2c4e9 100644
--- a/root/etc/cont-init.d/30-route
+++ b/root/etc/cont-init.d/30-route
@@ -2,13 +2,14 @@
[[ -n ${NETWORK} && -z ${NET_LOCAL} ]] && NET_LOCAL=${NETWORK}
if [ -n "$NET_LOCAL" ]; then
+ iface=${INTERFACE:-eth0}
gw="$(ip route | awk '/default/{print $3}')"
for net in ${NET_LOCAL//[;,]/ }; do
echo "[$(date -Iseconds)] Enabling connection to network ${net}"
- ip route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
- iptables -A INPUT -i eth0 -s "$net" -j ACCEPT
- iptables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
- iptables -A FORWARD -i eth0 -d "$net" -j ACCEPT
- iptables -A FORWARD -i eth0 -s "$net" -j ACCEPT
+ ip route | grep -q "$net" || ip route add "$net" via "$gw" dev "$iface"
+ iptables -A INPUT -i "$iface" -s "$net" -j ACCEPT
+ iptables -A OUTPUT -o "$iface" -d "$net" -j ACCEPT
+ iptables -A FORWARD -i "$iface" -d "$net" -j ACCEPT
+ iptables -A FORWARD -i "$iface" -s "$net" -j ACCEPT
done
fi
\ No newline at end of file
diff --git a/root/etc/cont-init.d/30-route6 b/root/etc/cont-init.d/30-route6
index ee390e1a..afc973c9 100644
--- a/root/etc/cont-init.d/30-route6
+++ b/root/etc/cont-init.d/30-route6
@@ -2,13 +2,14 @@
[[ -n ${NETWORK6} && -z ${NET6_LOCAL} ]] && NET6_LOCAL=${NETWORK6}
if [ -n "$NET6_LOCAL" ]; then
+ iface=${INTERFACE:-eth0}
gw="$(ip -6 route | awk '/default/{print $3}')"
for net in ${NET6_LOCAL//[;,]/ }; do
echo "[$(date -Iseconds)] Enabling connection to network ${net}"
- ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev eth0
- ip6tables -A INPUT -i eth0 -s "$net" -j ACCEPT
- ip6tables -A OUTPUT -o eth0 -d "$net" -j ACCEPT
- ip6tables -A FORWARD -i eth0 -d "$net" -j ACCEPT
- ip6tables -A FORWARD -i eth0 -s "$net" -j ACCEPT
+ ip -6 route | grep -q "$net" || ip route add "$net" via "$gw" dev "$iface"
+ ip6tables -A INPUT -i "$iface" -s "$net" -j ACCEPT
+ ip6tables -A OUTPUT -o "$iface" -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -i "$iface" -d "$net" -j ACCEPT
+ ip6tables -A FORWARD -i "$iface" -s "$net" -j ACCEPT
done
fi
\ No newline at end of file
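Review bot: the rewritten route line keeps `ip route add` while the check beside it uses `ip -6 route`; `ip` infers the family from the prefix so it works in practice, but `ip -6 route add "$net" via "$gw" dev "$iface"` makes the pair consistent and fails loudly on a malformed value instead of guessing. Also `gw` is still taken from the first default route regardless of `INTERFACE`, so when the default route lives on another device the new `dev "$iface"` route points at a gateway that is not reachable on that interface; `gw="$(ip -6 route show default dev "$iface" | awk '{print $3}')"` would tie the lookup to the selected device. The 30-route hunk has the same gateway issue with `ip route show default dev "$iface"`.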
From 1303f5b1b2072bd60a6a7075d7af7d27869639e0 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 9 Oct 2022 00:17:11 -0500
Subject: [PATCH 69/84] Update alpine 3.16, prevent dns leak using group base
iptable filter
---
Dockerfile | 9 +++++----
root/etc/cont-init.d/10-validate | 4 +++-
root/etc/cont-init.d/20-inet | 10 +++++++---
root/etc/cont-init.d/20-inet6 | 10 +++++++---
root/etc/services.d/wireguard/run | 4 ++--
5 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 001e5a32..6c35347f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,11 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.15
+FROM ghcr.io/linuxserver/baseimage-alpine:3.16
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
HEALTHCHECK CMD [ $(( $(date -u +%s) - $(wg show wg0 latest-handshakes | awk '{print $2}') )) -le 120 ] || exit 1
COPY /root /
-RUN apk add --no-cache -U wireguard-tools curl jq patch && \
+RUN apk add --no-cache -U wireguard-tools curl jq patch shadow-login && \
patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
- apk del --purge patch && \
- rm -rf /tmp/* /patch
\ No newline at end of file
+ addgroup -S vpn && \
+ apk del --purge patch && \
+ rm -rf /tmp/* /patch
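Review bot: `addgroup -S vpn` takes whatever system GID is free at build time, so the GID that the new `--gid-owner vpn` rules in 20-inet key on can change between image builds; `addgroup -S -g <fixed-gid placeholder> vpn` makes the rule set reproducible and leaves the runtime `groupmod` in 10-validate as the only variable. The newly added `shadow-login` joins the other apk packages unpinned, which hadolint flags (DL3018); pinning at least the package this commit introduces would be a small step toward a reproducible image.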
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
index 2da42fec..f11705cd 100644
--- a/root/etc/cont-init.d/10-validate
+++ b/root/etc/cont-init.d/10-validate
@@ -16,4 +16,6 @@ fi
if [[ -z ${PRIVATE_KEY} ]] && [[ -z ${PRIVATE_KEY_FILE} ]] ; then
echo "[$(date -Iseconds)] Missing PRIVATE_KEY, and, PRIVATE_KEY_FILE, try \`docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key\` or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
sleep infinity
-fi
\ No newline at end of file
+fi
+
+[[ "${VPN_ID:-}" =~ ^[0-9]+$ ]] && groupmod -g $VPN_ID -o vpn
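Review bot: `groupmod -g $VPN_ID -o vpn` accepts any numeric GID, including one already used by another group; because of `-o`, `VPN_ID=0` makes `vpn` share GID 0, so the `--gid-owner vpn` rules added in 20-inet would match every root-owned process and the leak protection this commit introduces would silently become an allow-all. Reject zero and collisions before remapping, e.g. `[[ "${VPN_ID:-}" =~ ^[1-9][0-9]*$ ]] && ! getent group "$VPN_ID" >/dev/null && groupmod -g "$VPN_ID" -o vpn` (assuming `getent` is present in the base image), and log the outcome with the script's `[$(date -Iseconds)]` format so an ignored `VPN_ID` is visible.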
diff --git a/root/etc/cont-init.d/20-inet b/root/etc/cont-init.d/20-inet
index 1c1ec711..b04ba269 100644
--- a/root/etc/cont-init.d/20-inet
+++ b/root/etc/cont-init.d/20-inet
@@ -41,6 +41,10 @@ iptables -A FORWARD -i lo -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
-iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+iptables -A OUTPUT -p tcp -m owner --gid-owner vpn -j ACCEPT &&
+iptables -A OUTPUT -p udp -m owner --gid-owner vpn -j ACCEPT || {
+ echo "[$(date -Iseconds)] Possible dns leak..."
+ iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+ iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+ iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+}
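Review bot: the fallback branch runs when either owner rule fails, so if the tcp rule succeeded and only the udp one did not, the interface-wide rules are added alongside a half-applied owner rule, and the `Possible dns leak...` message does not say which rule failed or why (presumably a missing `xt_owner` match). Capturing the iptables error instead of letting it scroll past, e.g. `echo "[$(date -Iseconds)] owner match unavailable, falling back to interface rules: $err"` with `err=$(iptables ... 2>&1)`, would tell the operator when they are not getting the protection this commit is about. 20-inet6 has the same shape.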
diff --git a/root/etc/cont-init.d/20-inet6 b/root/etc/cont-init.d/20-inet6
index c2667e1c..a1089b36 100644
--- a/root/etc/cont-init.d/20-inet6
+++ b/root/etc/cont-init.d/20-inet6
@@ -41,6 +41,10 @@ ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A OUTPUT -o wg+ -j ACCEPT
ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
-ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
-ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+ip6tables -A OUTPUT -p tcp -m owner --gid-owner vpn -j ACCEPT &&
+ip6tables -A OUTPUT -p udp -m owner --gid-owner vpn -j ACCEPT || {
+ echo "[$(date -Iseconds)] Possible dns leak..."
+ ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+ ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+ ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+}
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 141af1de..c4fa2166 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -2,7 +2,7 @@
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
echo "[$(date -Iseconds)] Finding the best server..."
- recommendations=$(curl --retry 3 -LsS "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
+ recommendations=$(sg vpn -c "curl --retry 3 -LsS \"https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}\"")
server=$(jq -r '.[0] | del(.services, .technologies)' <<< "${recommendations}")
if [[ -z ${server} ]]; then
echo "[$(date -Iseconds)] Unable to select a server ¯\_(⊙︿⊙)_/¯"
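Review bot: wrapping the curl in `sg vpn -c "..."` re-parses the command through a second shell, so `${QUERY}` is expanded into a string that shell then evaluates again; a value containing quotes or `$(...)` breaks the command, and the doubled escaping has become hard to read. Passing the URL through the environment keeps it out of the re-parsed text: `export url="https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}"` followed by `recommendations=$(sg vpn -c 'curl --retry 3 -LsS "$url"')`. The enclosing `if` block continues outside the hunk.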
@@ -40,7 +40,7 @@ EOF
} && sync )
echo "[$(date -Iseconds)] Connecting..."
-wg-quick up wg0
+sg vpn -c "wg-quick up wg0"
echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
if [[ -n ${RECONNECT} ]]; then
From b45aa94278af6596e58851677a0744c8b47ce264 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Sun, 9 Oct 2022 01:24:08 -0500
Subject: [PATCH 70/84] Revert "Update alpine 3.16, prevent dns leak using
group base iptable filter"
This reverts commit 1303f5b1b2072bd60a6a7075d7af7d27869639e0.
---
Dockerfile | 9 ++++-----
root/etc/cont-init.d/10-validate | 4 +---
root/etc/cont-init.d/20-inet | 10 +++-------
root/etc/cont-init.d/20-inet6 | 10 +++-------
root/etc/services.d/wireguard/run | 4 ++--
5 files changed, 13 insertions(+), 24 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6c35347f..001e5a32 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,11 +1,10 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.16
+FROM ghcr.io/linuxserver/baseimage-alpine:3.15
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
HEALTHCHECK CMD [ $(( $(date -u +%s) - $(wg show wg0 latest-handshakes | awk '{print $2}') )) -le 120 ] || exit 1
COPY /root /
-RUN apk add --no-cache -U wireguard-tools curl jq patch shadow-login && \
+RUN apk add --no-cache -U wireguard-tools curl jq patch && \
patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
- addgroup -S vpn && \
- apk del --purge patch && \
- rm -rf /tmp/* /patch
+ apk del --purge patch && \
+ rm -rf /tmp/* /patch
\ No newline at end of file
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
index f11705cd..2da42fec 100644
--- a/root/etc/cont-init.d/10-validate
+++ b/root/etc/cont-init.d/10-validate
@@ -16,6 +16,4 @@ fi
if [[ -z ${PRIVATE_KEY} ]] && [[ -z ${PRIVATE_KEY_FILE} ]] ; then
echo "[$(date -Iseconds)] Missing PRIVATE_KEY, and, PRIVATE_KEY_FILE, try \`docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key\` or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
sleep infinity
-fi
-
-[[ "${VPN_ID:-}" =~ ^[0-9]+$ ]] && groupmod -g $VPN_ID -o vpn
+fi
\ No newline at end of file
diff --git a/root/etc/cont-init.d/20-inet b/root/etc/cont-init.d/20-inet
index b04ba269..1c1ec711 100644
--- a/root/etc/cont-init.d/20-inet
+++ b/root/etc/cont-init.d/20-inet
@@ -41,10 +41,6 @@ iptables -A FORWARD -i lo -j ACCEPT
iptables -A OUTPUT -o wg+ -j ACCEPT
iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-iptables -A OUTPUT -p tcp -m owner --gid-owner vpn -j ACCEPT &&
-iptables -A OUTPUT -p udp -m owner --gid-owner vpn -j ACCEPT || {
- echo "[$(date -Iseconds)] Possible dns leak..."
- iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
- iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
- iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
-}
+iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
diff --git a/root/etc/cont-init.d/20-inet6 b/root/etc/cont-init.d/20-inet6
index a1089b36..c2667e1c 100644
--- a/root/etc/cont-init.d/20-inet6
+++ b/root/etc/cont-init.d/20-inet6
@@ -41,10 +41,6 @@ ip6tables -A FORWARD -i lo -j ACCEPT
ip6tables -A OUTPUT -o wg+ -j ACCEPT
ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
-ip6tables -A OUTPUT -p tcp -m owner --gid-owner vpn -j ACCEPT &&
-ip6tables -A OUTPUT -p udp -m owner --gid-owner vpn -j ACCEPT || {
- echo "[$(date -Iseconds)] Possible dns leak..."
- ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
- ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
- ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
-}
+ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
+ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
+ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index c4fa2166..141af1de 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -2,7 +2,7 @@
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
echo "[$(date -Iseconds)] Finding the best server..."
- recommendations=$(sg vpn -c "curl --retry 3 -LsS \"https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}\"")
+ recommendations=$(curl --retry 3 -LsS "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
server=$(jq -r '.[0] | del(.services, .technologies)' <<< "${recommendations}")
if [[ -z ${server} ]]; then
echo "[$(date -Iseconds)] Unable to select a server ¯\_(⊙︿⊙)_/¯"
@@ -40,7 +40,7 @@ EOF
} && sync )
echo "[$(date -Iseconds)] Connecting..."
-sg vpn -c "wg-quick up wg0"
+wg-quick up wg0
echo "[$(date -Iseconds)] Connected! \(ᵔᵕᵔ)/"
if [[ -n ${RECONNECT} ]]; then
From 05c4d2007da2c174bb847efcb991628d3071737b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Szymon=20=C5=81=C4=85giewka?=
Date: Sat, 8 Apr 2023 15:00:31 +0200
Subject: [PATCH 71/84] docs: update references to nordvpn:get_private_key
With https://github.com/bubuntux/nordvpn/pull/388 the user+pass
option will be replaced by token input.
However, the image from that change has not been built successfully.
This change can't be merged until the image is ready to use.
---
README.md | 2 +-
root/etc/cont-init.d/10-validate | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 69bb3f1b..6fe72140 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| Variable | Default | Description |
|:----------------------------------------:|:--------------:| --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX bubuntux/nordvpn:get_private_key` with access token or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `INTERFACE` | eth0 | The network interface to use inside the container.
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
index 2da42fec..15c07d3e 100644
--- a/root/etc/cont-init.d/10-validate
+++ b/root/etc/cont-init.d/10-validate
@@ -14,6 +14,6 @@ if ! iptables -L > /dev/null 2>&1; then
fi
if [[ -z ${PRIVATE_KEY} ]] && [[ -z ${PRIVATE_KEY_FILE} ]] ; then
- echo "[$(date -Iseconds)] Missing PRIVATE_KEY, and, PRIVATE_KEY_FILE, try \`docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key\` or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
+ echo "[$(date -Iseconds)] Missing PRIVATE_KEY, and, PRIVATE_KEY_FILE, try \`docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX bubuntux/nordvpn:get_private_key\` with access token or follow this instructions https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976 to obtain the private key."
sleep infinity
fi
\ No newline at end of file
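Review bot: the rewritten message still reads `follow this instructions` and `Missing PRIVATE_KEY, and, PRIVATE_KEY_FILE`; since the string is being edited anyway, `Missing PRIVATE_KEY and PRIVATE_KEY_FILE, try ... or follow these instructions ...` would fix both. The message also goes to stdout before `sleep infinity`, so it is easy to miss in container logs that are filtered on stderr; `>&2` on the echo is a one-token change, though that behaviour predates this commit.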
From 0b11bce77ebc35635c803e20f66b8d687b3619b7 Mon Sep 17 00:00:00 2001
From: Julio Gutierrez
Date: Mon, 10 Apr 2023 00:10:44 -0500
Subject: [PATCH 72/84] udate to alpine 3.17
---
Dockerfile | 2 +-
README.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 001e5a32..67bf83c2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.15
+FROM ghcr.io/linuxserver/baseimage-alpine:3.17
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
HEALTHCHECK CMD [ $(( $(date -u +%s) - $(wg show wg0 latest-handshakes | awk '{print $2}') )) -le 120 ] || exit 1
diff --git a/README.md b/README.md
index 69bb3f1b..a066ad2c 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| Variable | Default | Description |
|:----------------------------------------:|:--------------:| --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX ghcr.io/bubuntux/nordvpn:get_private_key` or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `INTERFACE` | eth0 | The network interface to use inside the container.
From fb68e309729b9e21d2f5e49e4e9b5e1dda90fc89 Mon Sep 17 00:00:00 2001
From: Davide <22103897+dvdblg@users.noreply.github.com>
Date: Wed, 10 May 2023 14:27:57 +0200
Subject: [PATCH 73/84] Add environment variable to filter by country code
---
README.md | 1 +
root/etc/services.d/wireguard/run | 19 +++++++++++++++++--
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index a9c41d96..f7ad280a 100644
--- a/README.md
+++ b/README.md
@@ -117,6 +117,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
+| `COUNTRY_CODE` | | Country code to filter server list.
| `QUERY` | | Query for the api nordvpn
| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
index 141af1de..31c56411 100644
--- a/root/etc/services.d/wireguard/run
+++ b/root/etc/services.d/wireguard/run
@@ -2,13 +2,28 @@
if [[ -z ${PUBLIC_KEY} || -z ${END_POINT} ]]; then
echo "[$(date -Iseconds)] Finding the best server..."
- recommendations=$(curl --retry 3 -LsS "https://api.nordvpn.com/v1/servers/recommendations?&filters\[servers_technologies\]\[identifier\]=wireguard_udp&limit=1&${QUERY}")
+ api_url="https://api.nordvpn.com/v1/servers/recommendations?filters"
+ technology_filter="\[servers_technologies\]\[identifier\]=wireguard_udp"
+
+ # Get the country code from the country name (if provided) and add it to the API URL as a filter
+ if [[ -n ${COUNTRY_CODE} ]]; then
+ country_id=$(curl --silent "https://api.nordvpn.com/v1/servers/countries" | jq --raw-output ".[] | select(.code == \"${COUNTRY_CODE}\") | [.name, .id] | \"\(.[1])\"")
+ echo "[$(date -Iseconds)] Country ID: ${country_id}"
+ country_filter="\[country_id\]=${country_id}"
+ api_url="${api_url}${country_filter}&${technology_filter}"
+ echo "[$(date -Iseconds)] API URL: ${api_url}"
+ else
+ api_url="${api_url}${technology_filter}"
+ fi
+
+ recommendations=$(curl --retry 3 -LsS "${api_url}&${QUERY}&limit=1")
server=$(jq -r '.[0] | del(.services, .technologies)' <<< "${recommendations}")
+ echo "[$(date -Iseconds)] Server: ${server}"
if [[ -z ${server} ]]; then
echo "[$(date -Iseconds)] Unable to select a server ¯\_(⊙︿⊙)_/¯"
sleep infinity
fi
- echo "[$(date -Iseconds)] Using server: ${server}"
+# echo "[$(date -Iseconds)] Using server: ${server}"
if [[ -z ${PUBLIC_KEY} ]]; then
PUBLIC_KEY=$(jq -r '.[0].technologies[] | select( .identifier == "wireguard_udp" ) | .metadata[] | select( .name == "public_key" ) | .value' <<< "${recommendations}")
fi
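Review bot: the new country lookup never checks its result, so an unknown or lowercase `COUNTRY_CODE`, or a failed request (`curl --silent` without `-f`/`--retry`, unlike the recommendation call below), yields an empty `country_id`, the filter becomes `[country_id]=` and the script quietly connects to an unfiltered server while logging a misleading `Country ID:` line. `COUNTRY_CODE` is also spliced into the jq program text, where a value with a double quote breaks the filter; `jq --arg` passes it as data and removes the `[.name, .id] | "\(.[1])"` detour. The commented-out `Using server` echo should be deleted rather than left behind. Rewritten lines below; the recommendation request and server selection are unchanged.

```shell
    # Look up the numeric id for COUNTRY_CODE and add it to the API URL as a filter
    if [[ -n ${COUNTRY_CODE} ]]; then
        country_id=$(curl -fsSL --retry 3 "https://api.nordvpn.com/v1/servers/countries" \
            | jq --raw-output --arg code "${COUNTRY_CODE}" '.[] | select(.code == $code) | .id')
        if [[ -z ${country_id} ]]; then
            echo "[$(date -Iseconds)] Unknown COUNTRY_CODE: ${COUNTRY_CODE}"
            sleep infinity
        fi
        echo "[$(date -Iseconds)] Country ID: ${country_id}"
        country_filter="\[country_id\]=${country_id}"
        api_url="${api_url}${country_filter}&${technology_filter}"
    else
        api_url="${api_url}${technology_filter}"
    fi
    # … unchanged: recommendations request and server selection …
```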
From 2cf1cbd461f868bee657b25346c1469f2f282cb2 Mon Sep 17 00:00:00 2001
From: buntel
Date: Sun, 28 May 2023 00:17:24 +0200
Subject: [PATCH 74/84] Retry bootstrapping the container until we got a
connection, if we have no connection on startup.
---
root/etc/cont-init.d/20-inet | 11 ++++++++++-
root/etc/cont-init.d/20-inet6 | 11 ++++++++++-
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/root/etc/cont-init.d/20-inet b/root/etc/cont-init.d/20-inet
index 1c1ec711..05c6074e 100644
--- a/root/etc/cont-init.d/20-inet
+++ b/root/etc/cont-init.d/20-inet
@@ -3,6 +3,7 @@
network_found=false
iface=${INTERFACE:-eth0}
interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
+no_connenction_retry=${NO_CONNECTION_RETRY:-5}
if [[ ! " ${interfaces[*]} " =~ " $iface " ]]; then
interfaces+=("$iface")
fi
@@ -43,4 +44,12 @@ iptables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
-iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+while true; do
+ iptables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT\
+ || {
+ echo "Seems like we have no internet connection. Retrying in $no_connenction_retry seconds..."
+ sleep ${no_connenction_retry}
+ continue
+ }
+ break
+done
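Review bot: the retry loop has no upper bound and no check that `NO_CONNECTION_RETRY` is numeric, so a non-numeric value makes `sleep` fail immediately and the loop spins re-running iptables without pause; `[[ ${no_connenction_retry} =~ ^[0-9]+$ ]] || no_connenction_retry=5` next to the assignment in the first hunk would cover that. The message attributes any iptables failure to a missing connection (presumably it is the resolution of `-d api.nordvpn.com` that fails offline, but a bad `INTERFACE` fails the same way) and is the only line in the script without the `[$(date -Iseconds)]` prefix; `echo "[$(date -Iseconds)] Unable to add api.nordvpn.com rule (no DNS yet?), retrying in ${no_connenction_retry} seconds..."` says what was observed. The variable name carries a typo (`no_connenction_retry`). 20-inet6 repeats all three.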
diff --git a/root/etc/cont-init.d/20-inet6 b/root/etc/cont-init.d/20-inet6
index c2667e1c..b9a032d5 100644
--- a/root/etc/cont-init.d/20-inet6
+++ b/root/etc/cont-init.d/20-inet6
@@ -3,6 +3,7 @@
network_found=false
iface=${INTERFACE:-eth0}
interfaces=($(ip link | awk -F': ' '$0 !~ "lo|wg|tun|tap|^[^0-9]"{print $2;getline}' | cut -d@ -f1))
+no_connenction_retry=${NO_CONNECTION_RETRY:-5}
if [[ ! " ${interfaces[*]} " =~ " $iface " ]]; then
interfaces+=("$iface")
fi
@@ -43,4 +44,12 @@ ip6tables -t nat -A POSTROUTING -o wg+ -j MASQUERADE
ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -o "$iface" -p udp -m udp --dport 51820 -j ACCEPT
-ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT
+while true; do
+ ip6tables -A OUTPUT -o "$iface" -d api.nordvpn.com -p tcp --dport 443 -j ACCEPT\
+ || {
+ echo "Seems like we have no internet connection. Retrying in $no_connenction_retry seconds..."
+ sleep ${no_connenction_retry}
+ continue
+ }
+ break
+done
From 1da7246be6e746803d0b7782c32a4acfd085c03d Mon Sep 17 00:00:00 2001
From: buntel
Date: Sun, 28 May 2023 00:29:18 +0200
Subject: [PATCH 75/84] update README.md
---
README.md | 41 +++++++++++++++++++++--------------------
1 file changed, 21 insertions(+), 20 deletions(-)
diff --git a/README.md b/README.md
index a9c41d96..2437a4f1 100644
--- a/README.md
+++ b/README.md
@@ -105,26 +105,27 @@ Wireguard module is required, please install it [manually](https://www.wireguard
## Environment
-| Variable | Default | Description |
-|:----------------------------------------:|:--------------:| --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX ghcr.io/bubuntux/nordvpn:get_private_key` with access token or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
-| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
-| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
-| `INTERFACE` | eth0 | The network interface to use inside the container.
-| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
-| `DNS` | [103.86.96.100
103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
-| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (suggested for most users) adds routes to the default table and enables special handling of default routes.
-| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
-| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
-| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
-| `QUERY` | | Query for the api nordvpn
-| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
-| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
-| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
-| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
-| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
-| `RECONNECT` | | Time in seconds to re-establish the connection.
-| `TZ` | UTC | Specify a timezone to use EG Europe/London.
+| Variable | Default | Description |
+|:-------------------------------------------------------:|:-----------------------------------------------------------------------------------------------------------------------------:| --- |
+| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX ghcr.io/bubuntux/nordvpn:get_private_key` with access token or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
+| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
+| `INTERFACE` | eth0 | The network interface to use inside the container.
+| `ADDRESS` | 10.5.0.2/32 | A comma-separated list of IP (v4 or v6) addresses (optionally with CIDR masks) to be assigned to the interface.
+| `DNS` | [103.86.96.100
103.86.99.100](https://support.nordvpn.com/General-info/1047409702/What-are-your-DNS-server-addresses.htm) | A comma-separated list of IP (v4 or v6) addresses to be set as the interface's DNS servers, or non-IP hostnames to be set as the interface's DNS search domains.
+| `TABLE` | | Controls the routing table to which routes are added. There are two special values: `off` disables the creation of routes altogether, and `auto` (suggested for most users) adds routes to the default table and enables special handling of default routes.
+| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
+| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
+| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
+| `QUERY` | | Query for the api nordvpn
+| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
+| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
+| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
+| `NET_LOCAL` | | CIDR networks (IE 192.168.1.0/24), add a route to allows replies once the VPN is up.
+| `NET6_LOCAL` | | CIDR IPv6 networks (IE fe00:d34d:b33f::/64), add a route to allows replies once the VPN is up.
+| `RECONNECT` | | Time in seconds to re-establish the connection.
+| `TZ` | UTC | Specify a timezone to use EG Europe/London.
+| `NO_CONNECTION_RETRY` | 5 | Set the retry interval if the container has no connection on startup.
## Sysctl
From 17580158a68afd2bff2a3778bd59e922299b3e53 Mon Sep 17 00:00:00 2001
From: IMTheNachoMan
Date: Wed, 31 May 2023 18:51:58 +0000
Subject: [PATCH 76/84] Added help on how to get your `PRIVATE_KEY` and some
examples.
---
README.md | 132 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 129 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index a9c41d96..4facbb09 100644
--- a/README.md
+++ b/README.md
@@ -117,7 +117,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `ALLOWED_IPS` | 0.0.0.0/0 | A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
| `PERSISTENT_KEEP_ALIVE` | 25 | A second interval, between 1 and 65535 inclusive, of how often to send an authenticated empty packet to the peer for the purpose of keeping a stateful firewall or NAT mapping valid persistently.
| `PRE_UP`/`POST_UP`
`PRE_DOWN`/`POST_DOWN` | | Script snippets which will be executed by bash before/after setting up/tearing down the interface, most commonly used to configure custom DNS options or firewall rules. The special string `%i` is expanded to INTERFACE. For Synology, read [this](https://github.com/bubuntux/nordlynx/wiki/Synology).
-| `QUERY` | | Query for the api nordvpn
+| `QUERY` | | Query for the api nordvpn (see https://sleeplessbeastie.eu/2019/02/18/how-to-use-public-nordvpn-api/)
| `PUBLIC_KEY` | | Public key of the server to connect (auto select base on recommendation api).
| `END_POINT` | | Ip address of the server to connect (auto select base on recommendation api).
| `ALLOW_LIST` | | List of domains that are going to be accessible _outside_ vpn (IE rarbg.to,yts.mx).
@@ -126,7 +126,133 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `RECONNECT` | | Time in seconds to re-establish the connection.
| `TZ` | UTC | Specify a timezone to use EG Europe/London.
+### `PRIVATE_KEY`
+
+To get your `PRIVATE_KEY` you will need to get an access token from the NordVPN website and then use the https://github.com/bubuntux/nordvpn container.
+
+1. Log in to https://nordvpn.com/
+2. On the left side, click on **NordVPN**
+3. In the middle, under **Manual setup**, click on **Set up NordVPN manually** and go through the verification process
+4. On the new page, in the middle, in the **Access token** box, click on **Generate new token**
+5. In the **Generate new token?** pop-up box, select **Set to expire in 30 days** and click **Generate token**
+6. In the **Copy access token** pop-up box, click the **Copy** linnk to copy your token
+7. From your computer where Docker is installed, run the below command and replace `{{{TOKEN}}}` with what you copied from step 6 above:
+
+ ```
+ docker run --rm --cap-add=NET_ADMIN -e TOKEN={{{TOKEN}}} ghcr.io/bubuntux/nordvpn:get_private_key
+ ```
+
+8. Docker will do it's thing and spit out your `PRIVATE_KEY`:
+
+ ```
+ user@hostname:~/docker> docker run --rm --cap-add=NET_ADMIN -e TOKEN=[redacted] ghcr.io/bubuntux/nordvpn:get_private_key
+ Unable to find image 'ghcr.io/bubuntux/nordvpn:get_private_key' locally
+ get_private_key: Pulling from bubuntux/nordvpn
+ 06d39c85623a: Pull complete
+ 3e1c241a05c8: Pull complete
+ 0077b26e8dce: Pull complete
+ Digest: sha256:0d91aabb4511d400b01e930654950729a4e859d3c250f61664662b0ed7027c56
+ Status: Downloaded newer image for ghcr.io/bubuntux/nordvpn:get_private_key
+ Waiting for daemon to start up...
+ A new version of NordVPN is available! Please update the application.
+ Welcome to NordVPN! You can now connect to VPN by using 'nordvpn connect'.
+ A new version of NordVPN is available! Please update the application.
+ Technology is already set to 'NORDLYNX'.
+ A new version of NordVPN is available! Please update the application.
+ Connecting to United States #5831 (us5831.nordvpn.com)
+ You are connected to United States #5831 (us5831.nordvpn.com)!
+ ############################################################
+ IP: 10.5.0.2/32
+ Private Key: [!!! THIS IS YOUR PRIVATE_KEY YOU NEED !!!]
+ \(^O^)/############################################################
+ nacho@desk:~/docker>
+ ```
+
+9. Copy everything after `Privatey Key: ` (note the space after `:`) to the end of the line -- this is your `PRIVATE_KEY`
+
## Sysctl
-* `net.ipv4.conf.all.src_valid_mark=1` May be required. (depends on multiple factors)
-* `net.ipv6.conf.all.disable_ipv6=1` Recommended when only using ipv4.
+| Option | Details |
+|:-------------------------------------|:----------------------------------------------|
+| `net.ipv4.conf.all.src_valid_mark=1` | May be required; depends on multiple factors. |
+| `net.ipv6.conf.all.disable_ipv6=1` | Recommended when only using ipv4. |
+
+## Example
+
+### Stand-Alone
+
+This example will start a nordlynx VPN container on a `legacy_p2p` VPN server.
+
+``` yaml
+services:
+ nordlynx:
+ image: ghcr.io/bubuntux/nordlynx
+ hostname: nordlynx
+ container_name: nordlynx
+ cap_add:
+ - NET_ADMIN # required
+ - SYS_MODULE # maybe
+ environment:
+ - PRIVATE_KEY=[redacted] # required
+ - QUERY=filters\[servers_groups\]\[identifier\]=legacy_p2p
+ - NET_LOCAL=192.168.0.0/16
+ - TZ=America/New_York
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1 # maybe
+ - net.ipv4.conf.all.rp_filter=2 # maybe; set reverse path filter to loose mode
+ - net.ipv6.conf.all.disable_ipv6=1 # disable ipv6; recommended if using ipv4 only
+```
+
+### Passing Another Container Through The nordlynx VPN Container
+
+This example will create a [Firefox container](https://github.com/linuxserver/docker-firefox) that routes traffic through the nordlynx VPN container.
+
+Typically, when you do port forwarding for a container (for example, to access it from your computer's browser), you do it on the container.
+
+When you pass a container's traffic through another container (the nordlynx VPN container in this case), both/all containers are in the same network. As such, you no longer do port forwarding on the container you want to access and, instead, do it on the nordlynx VPN container.
+
+Additionally, you need to ensure the second container starts **AFTER** the nordlynx VPN container.
+
+``` yaml
+services:
+ nordlynx:
+ image: ghcr.io/bubuntux/nordlynx
+ hostname: nordlynx
+ container_name: nordlynx
+ ports:
+ - "3000:3000" # port I want forwarded for the firefox container
+ - "3001:3001" # port I want forwarded for the firefox container
+ cap_add:
+ - NET_ADMIN # required
+ - SYS_MODULE # maybe
+ environment:
+ - PRIVATE_KEY=[redacted] # required
+ - QUERY=filters\[servers_groups\]\[identifier\]=legacy_p2p
+ - NET_LOCAL=192.168.0.0/16
+ - TZ=America/New_York
+ sysctls:
+ - net.ipv4.conf.all.src_valid_mark=1 # maybe
+ - net.ipv4.conf.all.rp_filter=2 # maybe; set reverse path filter to loose mode
+ - net.ipv6.conf.all.disable_ipv6=1 # disable ipv6; recommended if using ipv4 only
+
+ firefox:
+ image: lscr.io/linuxserver/firefox:latest
+ # hostname: firefox # won't work when you do network_mode
+ container_name: firefox
+ restart: unless-stopped
+ depends_on:
+ - nordlynx
+ network_mode: service:nordlynx
+ # ports: # won't work; you need to do this in the nordlynx VPN container
+ # - "3000:3000" # won't work; you need to do this in the nordlynx VPN container
+ # - "3001:3001" # won't work; you need to do this in the nordlynx VPN container
+ volumes:
+ - /path/to/config:/config
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=America/New_York
+ security_opt:
+ - seccomp:unconfined
+ shm_size: "1gb"
+```
\ No newline at end of file
From 3635d9dbd2488accca83ee347da99b9686b42d67 Mon Sep 17 00:00:00 2001
From: IMTheNachoMan
Date: Wed, 31 May 2023 18:55:01 +0000
Subject: [PATCH 77/84] link to private key
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 4facbb09..22a08e13 100644
--- a/README.md
+++ b/README.md
@@ -106,7 +106,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
## Environment
| Variable | Default | Description |
-|:----------------------------------------:|:--------------:| --- |
+|:-----------------------------------------|:--------------:| --- |
| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX ghcr.io/bubuntux/nordvpn:get_private_key` with access token or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
@@ -126,7 +126,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| `RECONNECT` | | Time in seconds to re-establish the connection.
| `TZ` | UTC | Specify a timezone to use EG Europe/London.
-### `PRIVATE_KEY`
+### How To Get Your `PRIVATE_KEY`
To get your `PRIVATE_KEY` you will need to get an access token from the NordVPN website and then use the https://github.com/bubuntux/nordvpn container.
From d2752ff88da7cbe4e919d30137d599e403982be0 Mon Sep 17 00:00:00 2001
From: IMTheNachoMan
Date: Wed, 31 May 2023 18:56:12 +0000
Subject: [PATCH 78/84] fixes
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 22a08e13..ff6001d6 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,7 @@ Wireguard module is required, please install it [manually](https://www.wireguard
| Variable | Default | Description |
|:-----------------------------------------|:--------------:| --- |
-| `PRIVATE_KEY` | **[Required]** | The private key can be obtained using `docker run --rm --cap-add=NET_ADMIN -e TOKEN=XXX ghcr.io/bubuntux/nordvpn:get_private_key` with access token or following these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
+| `PRIVATE_KEY` | **[Required]** | See [How To Get Your `PRIVATE_KEY`](#how-to-get-your-private_key) or these [instructions](https://forum.openwrt.org/t/instruction-config-nordvpn-wireguard-nordlynx-on-openwrt/89976).
| `PRIVATE_KEY_FILE` | | File from which to get PASS, if using docker secrets this should be set to /run/secrets/. This file should contain just the account password on the first line.
| `LISTEN_PORT` | 51820 | A 16-bit port for listening.
| `INTERFACE` | eth0 | The network interface to use inside the container.
From 9622cd361a65a197aca175853d3f57519c80e617 Mon Sep 17 00:00:00 2001
From: IMTheNachoMan
Date: Wed, 31 May 2023 18:56:49 +0000
Subject: [PATCH 79/84] fixes
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ff6001d6..267ce288 100644
--- a/README.md
+++ b/README.md
@@ -177,9 +177,9 @@ To get your `PRIVATE_KEY` you will need to get an access token from the NordVPN
| `net.ipv4.conf.all.src_valid_mark=1` | May be required; depends on multiple factors. |
| `net.ipv6.conf.all.disable_ipv6=1` | Recommended when only using ipv4. |
-## Example
+## Examples
-### Stand-Alone
+### nordlynx VPN container
This example will start a nordlynx VPN container on a `legacy_p2p` VPN server.
From e0a7e152fb337711473a5b8265bf0be87e688522 Mon Sep 17 00:00:00 2001
From: IMTheNachoMan
Date: Wed, 31 May 2023 14:57:59 -0400
Subject: [PATCH 80/84] Update README.md
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 267ce288..81c591f3 100644
--- a/README.md
+++ b/README.md
@@ -177,7 +177,7 @@ To get your `PRIVATE_KEY` you will need to get an access token from the NordVPN
| `net.ipv4.conf.all.src_valid_mark=1` | May be required; depends on multiple factors. |
| `net.ipv6.conf.all.disable_ipv6=1` | Recommended when only using ipv4. |
-## Examples
+## Docker Compose Examples
### nordlynx VPN container
@@ -255,4 +255,4 @@ services:
security_opt:
- seccomp:unconfined
shm_size: "1gb"
-```
\ No newline at end of file
+```
From 7fd468163a8981f3070e995af99b57e22a88204a Mon Sep 17 00:00:00 2001
From: IMTheNachoMan
Date: Mon, 26 Jun 2023 09:26:27 -0400
Subject: [PATCH 81/84] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 81c591f3..82e2bc6c 100644
--- a/README.md
+++ b/README.md
@@ -165,7 +165,7 @@ To get your `PRIVATE_KEY` you will need to get an access token from the NordVPN
IP: 10.5.0.2/32
Private Key: [!!! THIS IS YOUR PRIVATE_KEY YOU NEED !!!]
\(^O^)/############################################################
- nacho@desk:~/docker>
+ user@hostname:~/docker>
```
9. Copy everything after `Privatey Key: ` (note the space after `:`) to the end of the line -- this is your `PRIVATE_KEY`
From f58a46a4e29d353407d593b8966f4e8374ed075a Mon Sep 17 00:00:00 2001
From: Jacques Doucet
Date: Thu, 7 Nov 2024 20:12:33 -0400
Subject: [PATCH 82/84] Update base image
---
Dockerfile | 6 +++---
root/etc/cont-init.d/00-firewall | 0
root/etc/cont-init.d/10-validate | 0
root/etc/cont-init.d/20-inet | 0
root/etc/cont-init.d/20-inet6 | 0
root/etc/cont-init.d/30-route | 0
root/etc/cont-init.d/30-route6 | 0
root/etc/cont-init.d/40-allowlist | 0
root/etc/services.d/wireguard/finish | 0
root/etc/services.d/wireguard/run | 0
root/etc/services.d/wireguard/type | 0
11 files changed, 3 insertions(+), 3 deletions(-)
mode change 100644 => 100755 root/etc/cont-init.d/00-firewall
mode change 100644 => 100755 root/etc/cont-init.d/10-validate
mode change 100644 => 100755 root/etc/cont-init.d/20-inet
mode change 100644 => 100755 root/etc/cont-init.d/20-inet6
mode change 100644 => 100755 root/etc/cont-init.d/30-route
mode change 100644 => 100755 root/etc/cont-init.d/30-route6
mode change 100644 => 100755 root/etc/cont-init.d/40-allowlist
mode change 100644 => 100755 root/etc/services.d/wireguard/finish
mode change 100644 => 100755 root/etc/services.d/wireguard/run
mode change 100644 => 100755 root/etc/services.d/wireguard/type
diff --git a/Dockerfile b/Dockerfile
index 67bf83c2..865e0efe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
-FROM ghcr.io/linuxserver/baseimage-alpine:3.17
+FROM ghcr.io/linuxserver/baseimage-alpine:3.20
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
HEALTHCHECK CMD [ $(( $(date -u +%s) - $(wg show wg0 latest-handshakes | awk '{print $2}') )) -le 120 ] || exit 1
COPY /root /
-RUN apk add --no-cache -U wireguard-tools curl jq patch && \
+RUN apk add --no-cache -U iptables wireguard-tools curl jq patch && \
patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
apk del --purge patch && \
- rm -rf /tmp/* /patch
\ No newline at end of file
+ rm -rf /tmp/* /patch
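Review bot: The changed `apk add` line installs `iptables` and the other packages unpinned, so two builds of the same Dockerfile can produce different package versions (hadolint DL3018); pinning as `iptables=<version from the 3.20 repository>` keeps the image reproducible. The same applies to the new base image, which tracks a moving `3.20` tag — `FROM ghcr.io/linuxserver/baseimage-alpine:3.20@sha256:<digest>` would make each rebuild, and therefore its vulnerability surface, auditable. A short comment on why `iptables` is now installed explicitly (the cont-init scripts call it directly) would also help the next maintainer, since the diffstat shows nothing else explaining the addition.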
diff --git a/root/etc/cont-init.d/00-firewall b/root/etc/cont-init.d/00-firewall
old mode 100644
new mode 100755
diff --git a/root/etc/cont-init.d/10-validate b/root/etc/cont-init.d/10-validate
old mode 100644
new mode 100755
diff --git a/root/etc/cont-init.d/20-inet b/root/etc/cont-init.d/20-inet
old mode 100644
new mode 100755
diff --git a/root/etc/cont-init.d/20-inet6 b/root/etc/cont-init.d/20-inet6
old mode 100644
new mode 100755
diff --git a/root/etc/cont-init.d/30-route b/root/etc/cont-init.d/30-route
old mode 100644
new mode 100755
diff --git a/root/etc/cont-init.d/30-route6 b/root/etc/cont-init.d/30-route6
old mode 100644
new mode 100755
diff --git a/root/etc/cont-init.d/40-allowlist b/root/etc/cont-init.d/40-allowlist
old mode 100644
new mode 100755
diff --git a/root/etc/services.d/wireguard/finish b/root/etc/services.d/wireguard/finish
old mode 100644
new mode 100755
diff --git a/root/etc/services.d/wireguard/run b/root/etc/services.d/wireguard/run
old mode 100644
new mode 100755
diff --git a/root/etc/services.d/wireguard/type b/root/etc/services.d/wireguard/type
old mode 100644
new mode 100755
From b74782bdf52f7555de05d120971f4892ff482150 Mon Sep 17 00:00:00 2001
From: jaycuse
Date: Sat, 23 Nov 2024 11:17:17 -0400
Subject: [PATCH 83/84] Removes arm32v7 platform. No longer supported by
linuxservers.
---
.github/workflows/docker-image-ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-image-ci.yml b/.github/workflows/docker-image-ci.yml
index f5194d2e..b0e8b56d 100644
--- a/.github/workflows/docker-image-ci.yml
+++ b/.github/workflows/docker-image-ci.yml
@@ -48,4 +48,4 @@ jobs:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
- platforms: linux/amd64,linux/arm64,linux/arm/v7
\ No newline at end of file
+ platforms: linux/amd64,linux/arm64
From 22ea518696305ad4b92bb333dac7591cf4bb9218 Mon Sep 17 00:00:00 2001
From: archietownsend
Date: Sat, 21 Dec 2024 21:27:22 +0000
Subject: [PATCH 84/84] move to iptables legacy
---
Dockerfile | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 865e0efe..cd62dc73 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,20 @@
FROM ghcr.io/linuxserver/baseimage-alpine:3.20
+
LABEL maintainer="Julio Gutierrez julio.guti+nordlynx@pm.me"
HEALTHCHECK CMD [ $(( $(date -u +%s) - $(wg show wg0 latest-handshakes | awk '{print $2}') )) -le 120 ] || exit 1
COPY /root /
+
RUN apk add --no-cache -U iptables wireguard-tools curl jq patch && \
- patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
+ patch --verbose -d / -p 0 -i /patch/wg-quick.patch && \
apk del --purge patch && \
- rm -rf /tmp/* /patch
+ rm -rf /tmp/* /patch
+
+# Update iptables and ip6tables symbolic links for compatibility with iptables-legacy
+RUN for suffix in "" "-save" "-restore"; do \
+ rm -rf "iptables${suffix}" && \
+ rm -rf "ip6tables${suffix}" && \
+ ln -s "iptables-legacy${suffix}" "iptables${suffix}" && \
+ ln -s "ip6tables-legacy${suffix}" "ip6tables${suffix}"; \
+ done
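Review bot: The symlink loop uses relative paths (`rm -rf "iptables${suffix}"`, `ln -s … "iptables${suffix}"`) but this Dockerfile sets no `WORKDIR`, so the links are created in whatever working directory the base image leaves (likely `/`), not next to the binaries the `iptables` package installed; the shipped `iptables` would keep its default backend while the comment above the loop claims otherwise. I would resolve the install directory from the binary itself, verify the legacy binaries exist so the build fails loudly if the package layout changes, and link with `ln -sf`, which also removes the `rm -rf` calls on what are plain files. The comment should also say why legacy is wanted here (presumably host kernels where the nft backend cannot be used) rather than restating the command.

```dockerfile
# Point iptables/ip6tables (and their -save/-restore helpers) at the legacy
# backend. The directory is resolved from the installed binary so the links
# land next to it regardless of the working directory.
RUN sbin_dir="$(dirname "$(command -v iptables)")" && \
    test -x "${sbin_dir}/iptables-legacy" && \
    test -x "${sbin_dir}/ip6tables-legacy" && \
    for suffix in "" "-save" "-restore"; do \
      ln -sf "iptables-legacy${suffix}" "${sbin_dir}/iptables${suffix}" && \
      ln -sf "ip6tables-legacy${suffix}" "${sbin_dir}/ip6tables${suffix}"; \
    done
```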