
Primary language: Rust. License: Apache-2.0.

wg-iptables-manager

A small program designed to run within the wg-easy container to automatically detect the correct network interface based on a configured IP prefix (TARGET_IP_PREFIX). This eliminates the need for manual configuration of the WG_DEVICE environment variable in wg-easy.

Problem

wg-easy's default iptables rules use the WG_DEVICE environment variable as the interface through which WireGuard client traffic is NATed (MASQUERADE) out to the network. Identifying that interface by hand and hard-coding it is cumbersome and error-prone, especially where the interface name differs between hosts or changes between boots.

Solution

wg-iptables-manager scans the container's network interfaces and selects the one whose IPv4 address begins with the prefix given in the TARGET_IP_PREFIX environment variable, then uses that interface when it installs (on WG_POST_UP) and removes (on WG_POST_DOWN) the iptables rules. wg-easy therefore works without the user having to determine and set WG_DEVICE.

Features

  • Automatic detection of the network interface based on TARGET_IP_PREFIX.
  • Simplifies deployment of wg-easy by removing the need for manual WG_DEVICE configuration.
  • Designed to run seamlessly within the wg-easy Docker container environment.

Requirements

  • Docker (specifically for running the wg-easy container).
  • The wg-easy Docker image.

Usage

  1. Build or obtain the wg-iptables-manager executable.

  2. Mount the wg-iptables-manager executable into your wg-easy container.

  3. Set the TARGET_IP_PREFIX environment variable for the wg-easy container to the address prefix of the interface you want (e.g., 192.168.1., with the trailing dot so that 192.168.10.x addresses are not matched as well).

  4. Use the WG_POST_UP and WG_POST_DOWN environment variables provided by wg-easy to run wg-iptables-manager up and wg-iptables-manager down, which install and remove the iptables rules for the detected interface.

    For more details on WG_POST_UP and WG_POST_DOWN, refer to the wg-easy README.

    Example (using docker-compose.yml):

    version: '3.8'
    
    services:
      wg-easy:
        image: ghcr.io/wg-easy/wg-easy
        container_name: wg-easy
        environment:
          - WG_HOST=YOUR_SERVER_IP_OR_HOSTNAME
          - PASSWORD_HASH=YOUR_ADMIN_PASSWORD_HASH # See wg-easy README for how to generate this
          - TARGET_IP_PREFIX=192.168.1. # Replace with your target IP prefix
          - WG_POST_UP=/path/to/wg-iptables-manager up
          - WG_POST_DOWN=/path/to/wg-iptables-manager down
        volumes:
          - .:/etc/wireguard:rw # Mount the wg-iptables-manager executable here
        ports:
          - 51820:51820/udp
          - 51821:51821/tcp # Admin UI
        cap_add:
          - NET_ADMIN
          - SYS_MODULE # optional: only needed when the host has not already loaded the wireguard kernel module
        sysctls:
          net.ipv4.ip_forward: 1
          net.ipv4.conf.all.src_valid_mark: 1

    In this example:

    • We mount the wg-iptables-manager executable into the container.
    • WG_POST_UP is set to run wg-iptables-manager up when the WireGuard interface comes up.
    • WG_POST_DOWN is set to run wg-iptables-manager down when the WireGuard interface goes down.

    Replace YOUR_SERVER_IP_OR_HOSTNAME, YOUR_ADMIN_PASSWORD_HASH and 192.168.1. with your actual values, and set the path in WG_POST_UP / WG_POST_DOWN to where the executable appears inside the container. Adjust the volume mount (.:/etc/wireguard:rw) to the host directory that holds wg-iptables-manager. Note that /etc/wireguard is also where wg-easy writes its configuration and private keys, so mount a dedicated directory rather than a shared working directory.
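As an added example (not wg-iptables-manager's own code) of what the hook invoked from WG_POST_UP and WG_POST_DOWN has to do, the Rust program below reads the interface table, picks the device whose IPv4 address starts with TARGET_IP_PREFIX, and emits the iptables rules for that device. It assumes that the address table comes from `ip -o -4 addr show` (a constructed sample of that output is embedded so the program runs offline), that the rule set is modelled on wg-easy's default WG_POST_UP (MASQUERADE on the detected device plus INPUT and FORWARD accepts), and that wg0, 10.8.0.0/24 and UDP port 51820 are wg-easy's defaults. The type and function names are this example's own.

```rust
// Added example, not wg-iptables-manager's own code: the detect-then-rule logic a
// WG_POST_UP / WG_POST_DOWN hook performs. It parses `ip -o -4 addr show` output
// (constructed sample below) rather than using a netlink crate, so it runs offline.
use std::process::Command;

/// Constructed sample: lo, eth0 with two addresses in 192.168.1.0/24, and eth1 in
/// 192.168.10.0/24 (the near-miss that a prefix without a trailing dot would hit).
pub const SAMPLE_IP_ADDR_OUTPUT: &str = "\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.21/24 scope global secondary eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.10.5/24 brd 192.168.10.255 scope global eth1\\       valid_lft forever preferred_lft forever
";

#[derive(Debug, Clone, PartialEq)]
pub struct IfaceAddr {
    pub name: String,
    pub addr: String,
}

/// Parse `ip -o -4 addr show` lines ("2: eth0    inet 192.168.1.20/24 ...") into
/// (interface, address) pairs; lines that do not fit the shape are skipped.
pub fn parse_ip_addr_output(output: &str) -> Vec<IfaceAddr> {
    output
        .lines()
        .filter_map(|line| {
            let mut f = line.split_whitespace();
            f.next()?; // "2:"
            let name = f.next()?; // "eth0"
            if f.next()? != "inet" {
                return None;
            }
            let addr = f.next()?.split('/').next()?; // "192.168.1.20/24" -> "192.168.1.20"
            Some(IfaceAddr { name: name.to_string(), addr: addr.to_string() })
        })
        .collect()
}

/// Pick the interface whose IPv4 address starts with `prefix` (a plain string
/// prefix, as TARGET_IP_PREFIX is documented). Zero or several matching devices
/// are errors: a hook must never MASQUERADE out of a guessed interface.
pub fn select_interface(addrs: &[IfaceAddr], prefix: &str) -> Result<String, String> {
    // This example's own guard: "192.168.1" would also match 192.168.10.x.
    if !prefix.ends_with('.') {
        return Err(format!("TARGET_IP_PREFIX {prefix:?} must end with '.'"));
    }
    let mut matches: Vec<&str> = addrs
        .iter()
        .filter(|a| a.addr.starts_with(prefix))
        .map(|a| a.name.as_str())
        .collect();
    matches.sort();
    matches.dedup(); // several addresses on one device still count as one device
    match matches.as_slice() {
        [one] => Ok(one.to_string()),
        [] => Err(format!("no interface has an address starting with {prefix}")),
        many => Err(format!("prefix {prefix} is ambiguous: {}", many.join(", "))),
    }
}

/// iptables commands modelled on wg-easy's default WG_POST_UP rule set (assumed
/// here), with the detected device in place of WG_DEVICE. "up" appends (-A) and
/// "down" deletes (-D) the same rules, so the down hook leaves nothing behind.
pub fn iptables_rules(action: &str, device: &str, wg_subnet: &str, wg_port: u16) -> Result<Vec<String>, String> {
    let op = match action {
        "up" => "-A",
        "down" => "-D",
        other => return Err(format!("unknown action {other:?}, expected up|down")),
    };
    Ok(vec![
        format!("iptables -t nat {op} POSTROUTING -s {wg_subnet} -o {device} -j MASQUERADE"),
        format!("iptables {op} INPUT -p udp -m udp --dport {wg_port} -j ACCEPT"),
        format!("iptables {op} FORWARD -i wg0 -j ACCEPT"),
        format!("iptables {op} FORWARD -o wg0 -j ACCEPT"),
    ])
}

fn main() {
    let action = std::env::args().nth(1).unwrap_or_else(|| "up".to_string());
    let prefix = std::env::var("TARGET_IP_PREFIX").unwrap_or_else(|_| "192.168.1.".to_string());
    // Read the live address table; fall back to the sample when `ip` is unavailable.
    let table = Command::new("ip").args(["-o", "-4", "addr", "show"]).output().ok()
        .filter(|o| o.status.success())
        .map(|o| String::from_utf8_lossy(&o.stdout).into_owned())
        .unwrap_or_else(|| SAMPLE_IP_ADDR_OUTPUT.to_string());
    // wg0, 10.8.0.0/24 and 51820 are wg-easy's defaults (assumed here).
    let result = select_interface(&parse_ip_addr_output(&table), &prefix)
        .and_then(|dev| iptables_rules(&action, &dev, "10.8.0.0/24", 51820));
    match result {
        // A real hook would execute each command and abort on a non-zero exit status.
        Ok(rules) => rules.iter().for_each(|r| println!("{r}")),
        Err(e) => {
            eprintln!("wg-iptables-manager example: {e}");
            std::process::exit(1);
        }
    }
}
```

`up` appends and `down` deletes the identical rule list, and detection refuses to guess when the prefix matches no device, more than one device, or lacks its trailing dot. Those are the three failure modes that otherwise end with MASQUERADE on the wrong interface, or a rule left behind after wg0 goes down.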

Configuration

The primary configuration is done via the TARGET_IP_PREFIX environment variable.

Env                 Description
TARGET_IP_PREFIX    The IPv4 address prefix that identifies the correct network interface (e.g., 192.168.1.). Include the trailing dot so that the prefix does not also match addresses such as 192.168.10.x.

Contributing

Contributions are welcome! Please see the issue tracker for ways to contribute or open a pull request.

License

This project is dual-licensed under the Apache License, Version 2.0 and the MIT License. See the LICENSE-APACHE-2.0 and LICENSE-MIT files for details.