#!/bin/bash
## The below is modified from https://github.com/activeeos/wireguard-docker
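# Find the WireGuard configs to bring up.
# wg-quick only accepts config paths whose name ends in .conf (the interface
# name is taken from the basename), so other files under /etc/wireguard
# (keys, backups) are not offered to it. The result is kept as a
# newline-separated string because the rest of the script iterates it with
# `for interface in $interfaces`; wg-quick interface names cannot contain
# whitespace, so that unquoted expansion only splits on the newlines.
interfaces=$(find /etc/wireguard -type f -name '*.conf')
if [[ -z $interfaces ]]; then
  echo "$(date): ---FATAL--- Interface not found in /etc/wireguard" >&2
  exit 1
fi
# Word-splitting on newlines is intended here (see above).
# shellcheck disable=SC2086
for interface in $interfaces; do
  echo "$(date): ---INFO--- Starting Wireguard $interface"
  # A failed `up` is logged instead of being fatal: the endpoint check loop
  # later in this script notices a tunnel that never came up and exits then.
  wg-quick up "$interface" \
    || echo "$(date): ---WARNING--- wg-quick up $interface failed (exit $?)" >&2
done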
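## Verify that the WireGuard kernel module is available.
# NOTE(review): this check runs after the `wg-quick up` calls above, so a
# missing module has already made those calls fail, and the interfaces are not
# retried after an install here. Installing packages at container start also
# fetches unpinned packages over the network on every cold start; building the
# module into the image (or running a kernel that ships WireGuard in-tree,
# 5.6 and later) is the more reproducible choice. Inside a container
# `uname -r` reports the host kernel, so whether a module built here can be
# loaded at all depends on the host — confirm before relying on this path.
wg_module=$(find "/lib/modules/$(uname -r)" -type f \( -name '*.ko' -o -name '*.ko.xz' \) | grep -i wireguard)
echo "$(date): ---INFO--- Module output: $wg_module"
if [[ -z $wg_module ]]; then
  echo "$(date): ---INFO--- Wireguard module not installed.. Installing" >&2
  # `apt update` failure is not fatal on purpose: install may still succeed
  # from cached package lists. The install result is reported either way.
  apt update
  apt install -y linux-headers-amd64 wireguard-dkms \
    || echo "$(date): ---WARNING--- Package installation failed (exit $?)" >&2
else
  echo "$(date): ---INFO--- Wireguard module seems to be installed: $wg_module Moving on... "
fi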
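# Add masquerade rule for NAT'ing VPN traffic bound for the Internet.
# Enabled only by IPTABLES_MASQ=1; unset or empty counts as 0 (disabled).
# The egress interface is hard-coded to eth0, and the -D rule in finish
# (defined below) must stay identical for the cleanup to match — confirm
# eth0 is this container's external interface.
if [[ ${IPTABLES_MASQ:-0} -eq 1 ]]; then
  echo "$(date): ---INFO--- Adding iptables NAT rule"
  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE \
    || echo "$(date): ---WARNING--- Failed to add iptables NAT rule (exit $?)" >&2
else
  echo "$(date): ---INFO--- IPTABLES_MASQ not set; not adding iptables NAT rule"
fi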
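## DNS: run dnsmasq locally and point resolv.conf at it. Names under LOCAL_TLD
## and the names listed in SERVICE_NAMES are sent to Docker's embedded DNS
## (127.0.0.11); everything else goes to the DNS server named in the interface
## config, or to default_dns when no config names one.
# write /etc/dnsmasq.conf
cat > /etc/dnsmasq.conf <<'EOF'
# dont use hosts nameservers
no-resolv
# listen on 127.0.0.1
listen-address=127.0.0.1
EOF
if [[ -n $LOCAL_TLD ]]; then
  echo "$(date): ---INFO--- Writing \"server=/$LOCAL_TLD/127.0.0.11\" to /etc/dnsmasq.conf"
  {
    echo ""
    echo "# send queries for $LOCAL_TLD domain to docker DNS"
    printf 'server=/%s/127.0.0.11\n' "$LOCAL_TLD"
  } >> /etc/dnsmasq.conf
fi
# SERVICE_NAMES is a whitespace-separated list; word-splitting is intended.
# shellcheck disable=SC2086
for service_name in $SERVICE_NAMES; do
  echo "$(date): ---INFO--- Writing \"server=/$service_name/127.0.0.11\" to /etc/dnsmasq.conf"
  printf 'server=/%s/127.0.0.11\n' "$service_name" >> /etc/dnsmasq.conf
done
{
  echo ""
  echo "# send all other queries to interface DNS server"
} >> /etc/dnsmasq.conf
default_dns="1.1.1.1"
dns_found=""
# Look for "DNS = a.b.c.d" lines in each config. Only dotted IPv4 literals are
# matched: an IPv6 or hostname value is skipped, and a comma-separated list
# contributes only its first address.
# Word-splitting on newlines is intended ($interfaces is newline-separated).
# shellcheck disable=SC2086
for interface in $interfaces; do
  dns_address=$(grep -Po '^DNS\s?=\s?\K[0-9\.]{7,}' "$interface")
  if [[ -n $dns_address ]]; then
    dns_found="true"
    echo "$(date): ---INFO--- Writing \"server=$dns_address\" to /etc/dnsmasq.conf"
    # One server= line per matched address; a config with several DNS lines
    # used to be collapsed onto a single, invalid line.
    while IFS= read -r addr; do
      printf 'server=%s\n' "$addr"
    done <<< "$dns_address" >> /etc/dnsmasq.conf
  fi
  dns_address=""
done
# if no DNS addresses were found, write the default address
if [[ -z $dns_found ]]; then
  echo "$(date): ---INFO--- No DNS address found in interfaces. Writing default address \"server=$default_dns\""
  printf 'server=%s\n' "$default_dns" >> /etc/dnsmasq.conf
fi
# Restart dnsmasq so the new config takes effect. resolv.conf below names only
# 127.0.0.1, so if dnsmasq is not running, resolution fails rather than
# silently going to some other resolver; the failure is at least logged.
/etc/init.d/dnsmasq restart \
  || echo "$(date): ---WARNING--- dnsmasq restart failed (exit $?)" >&2
# write /etc/resolv.conf
cat > /etc/resolv.conf <<'EOF'
# set nameserver to 127.0.0.1 to use dnsmasq to resolve DNS
nameserver 127.0.0.1
EOF
if [[ -n $LOCAL_TLD ]]; then
  echo "search $LOCAL_TLD" >> /etc/resolv.conf
fi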
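# Fix route back to the local network: send traffic for LOCAL_NETWORK via the
# eth0 gateway instead of the default route.
if [[ -z $LOCAL_NETWORK ]]; then
  echo "$(date): ---INFO--- No network provided. Ignoring route back to local network"
else
  echo "$(date): ---INFO--- Adding route back to local network: $LOCAL_NETWORK"
  # Take the first default route only; with several, the old code produced a
  # multi-line gateway and a malformed `ip route add`.
  gw=$(ip route | awk '/^default/ {print $3; exit}')
  if [[ -z $gw ]]; then
    echo "$(date): ---WARNING--- No default gateway found; not adding route to $LOCAL_NETWORK" >&2
  else
    ip route add to "$LOCAL_NETWORK" via "$gw" dev eth0 \
      || echo "$(date): ---WARNING--- Failed to add route to $LOCAL_NETWORK via $gw (exit $?)" >&2
  fi
fi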
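#######################################
# Shutdown handler (installed by the trap below): bring every interface down,
# remove the NAT rule if this script added one, and exit.
# Globals:   interfaces, IPTABLES_MASQ (read)
# Returns:   does not return; exits 0
#######################################
finish() {
  local interface
  echo "$(date): ---INFO--- Shutting down Wireguard"
  # Word-splitting on newlines is intended ($interfaces is newline-separated).
  # shellcheck disable=SC2086
  for interface in $interfaces; do
    wg-quick down "$interface"
  done
  # Must mirror the -A rule added at startup (same table, chain and interface).
  if [[ ${IPTABLES_MASQ:-0} -eq 1 ]]; then
    iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
  fi
  exit 0
}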
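#######################################
# Collect the peer endpoint IPs declared in the configs and the ones the
# running `wg` state reports, for the watchdog loop to compare.
# Globals:   interfaces (read); expected_ips, actual_ips (written, as arrays)
# Limits:    only dotted IPv4 literals are recognised. An Endpoint given as a
#            hostname yields no expected entry, and an IPv6 endpoint is cut
#            at its first colon; either case reads as a mismatch in the loop.
#######################################
fill_ips() {
  local interface addr
  expected_ips=()
  # Word-splitting on newlines is intended ($interfaces is newline-separated).
  # shellcheck disable=SC2086
  for interface in $interfaces; do
    # One entry per Endpoint line, so configs with several peers are covered.
    while IFS= read -r addr; do
      expected_ips+=("$addr")
    done < <(grep -Po '^Endpoint\s?=\s?\K[0-9\.]{7,}' "$interface")
  done
  actual_ips=()
  while IFS= read -r addr; do
    actual_ips+=("$addr")
  done < <(wg | grep -Po 'endpoint:\s\K[^:]*')
}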
# Run finish (defined above) on the signals a `docker stop` or Ctrl-C sends.
trap finish TERM INT QUIT
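#######################################
# Write "<ip> <name>" lines for the containers on NETWORK_NAME into the hosts
# file, to fix docker service DNS resolution.
# Globals:   NETWORK_NAME (read; defaults to mediaserver-docker_default)
# Arguments: $1 - hosts file to append to (default: /etc/hosts)
# Outputs:   the added lines on stdout, or a warning when nothing was read
# Requires:  `docker network inspect` needs the Docker socket inside the
#            container. That socket grants full control of the daemon, so a
#            read-only socket proxy is the safer way to provide it.
#######################################
write_service_hosts() {
  local hosts_file=${1:-/etc/hosts}
  local inspect_json entries
  NETWORK_NAME=${NETWORK_NAME:-mediaserver-docker_default}
  # A failed inspect (no socket, unknown network) just leaves this empty.
  inspect_json=$(docker network inspect "$NETWORK_NAME") || true
  if [[ -n $inspect_json && $inspect_json != "[]" ]]; then
    echo "$(date): ---INFO--- Adding services to $hosts_file"
    entries=$(printf '%s' "$inspect_json" | jq -r '.[0].Containers[] | .IPv4Address + " " + .Name | gsub("/[0-9]{1,}"; "")')
    # Skip the append when jq produced nothing, so an empty line is not added.
    if [[ -n $entries ]]; then
      echo "$entries"
      echo "$entries" >> "$hosts_file"
    else
      echo "$(date): ---WARNING--- No container entries found on network $NETWORK_NAME"
    fi
  else
    echo "$(date): ---WARNING--- No response from docker network inspect. Did you mount docker.sock?"
  fi
}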
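# Initial endpoint report and service host entries.
fill_ips
echo "$(date): ---INFO--- Endpoint in config: ${expected_ips[*]}"
echo "$(date): ---INFO--- Active EndPoint : ${actual_ips[*]}"
write_service_hosts

#######################################
# Compare the endpoint lists filled by fill_ips, ignoring order.
# The old check compared only the first element of each array, so a drifted
# second tunnel or peer went unnoticed; this compares the whole lists.
# Globals:  expected_ips, actual_ips (read)
# Returns:  0 when both lists hold the same entries, 1 otherwise
#######################################
endpoints_match() {
  local want got
  want=$(printf '%s\n' "${expected_ips[@]}" | LC_ALL=C sort)
  got=$(printf '%s\n' "${actual_ips[@]}" | LC_ALL=C sort)
  [[ "$want" == "$got" ]]
}

# Check the endpoint every 10 seconds. A mismatch gets one restart attempt;
# a second mismatch ends the loop, and with it the script (the "killswitch").
retry=true
while $retry; do
  # Sleep in the background and wait on it: bash runs a trap handler only
  # after the current foreground command returns, so a plain `sleep 10` could
  # hold SIGTERM past `docker stop`'s grace period and finish would never run.
  sleep 10 &
  wait "$!"
  fill_ips
  if ! endpoints_match; then
    # Make one attempt to restart the wireguard interface if the IP is incorrect
    echo "$(date): ---WARNING--- Expected IP to be ${expected_ips[*]} but found ${actual_ips[*]}. Attempting to restart wireguard."
    # Word-splitting on newlines is intended ($interfaces is newline-separated).
    # shellcheck disable=SC2086
    for interface in $interfaces; do
      wg-quick down "$interface"
      wg-quick up "$interface"
    done
    fill_ips
    if ! endpoints_match; then
      # Exit the container if the IP is still incorrect after wireguard restart
      echo "$(date): ---WARNING--- Expected IP to be ${expected_ips[*]} but found ${actual_ips[*]}. Activating killswitch."
      retry=false
    fi
  fi
done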