From 29349fd17e61b6ccb48ca796d3e0e851697c5a6a Mon Sep 17 00:00:00 2001
From: bergware
Date: Tue, 19 Apr 2022 23:05:20 +0200
Subject: [PATCH 1/8] Wireguard: fix initial network creation
---
 plugins/dynamix/include/update.wireguard.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index e25703be7..ecb4bf655 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
@@ -382,7 +382,10 @@ case 'toggle':
 case 'start':
 $index = substr($vtun,2)+200;
 $network = "$dockernet.$index.0/24";
- if (noNet($network)) exec("ip -4 rule add from $network table $index");
+ if (noNet($network)) {
+ exec("ip -4 rule add from $network table $index");
+ exec("ip -4 route add unreachable default table $index");
+ }
 wgState($vtun,'up',$_POST['#type']);
 echo status($vtun) ? 0 : 1;
 break;
From c463a4c0f34eda38e909db547d7204d6f7aece13 Mon Sep 17 00:00:00 2001
From: bergware
Date: Wed, 20 Apr 2022 00:43:51 +0200
Subject: [PATCH 2/8] Wireguard: make routing independent from docker state
---
 plugins/dynamix/include/update.wireguard.php | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index ecb4bf655..09a08389f 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
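Review bot: The exit status of both `exec()` calls added under `if (noNet($network))` is discarded, so a failed `ip -4 rule add` still lets `wgState()` bring the tunnel up while traffic from $network silently falls back to the main routing table; capture it and fail closed, e.g. `exec("ip -4 rule add from $network table $index", $out, $rc);` followed by `if ($rc !== 0) { echo 1; break; }` before the route is added. The same unchecked calls appear in the addDocker hunk of patch 2 and in the rewritten `start` case of patch 5. The order also leaves a short window: the rule is installed before `route add unreachable default`, so until the second command runs the rule points at an empty table and lookups fall through; adding the route first (which creates the table) and the rule last closes it. The enclosing `switch` starts and ends outside the hunk.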
@@ -99,12 +99,12 @@ function addDocker($vtun) {
 $network = "$dockernet.$index.0/24";
 exec("docker network create $vtun --subnet=$network 2>/dev/null");
 $error = dockerNet($vtun);
- if (!$error && noNet($network)) {
- [$thisnet,$gateway] = thisnet();
- exec("ip -4 rule add from $network table $index");
- exec("ip -4 route add unreachable default table $index");
- exec("ip -4 route add $thisnet via $gateway table $index");
- }
+ }
+ if (!$error && noNet($network)) {
+ [$thisnet,$gateway] = thisnet();
+ exec("ip -4 rule add from $network table $index");
+ exec("ip -4 route add unreachable default table $index");
+ exec("ip -4 route add $thisnet via $gateway table $index");
 }
 return $error;
 }
@@ -116,10 +116,10 @@ function delDocker($vtun) {
 $network = "$dockernet.$index.0/24";
 exec("docker network rm $vtun 2>/dev/null");
 $error = !dockerNet($vtun);
- if (!$error && exec("ip rule|grep -Pom1 'from $network'")) {
- exec("ip -4 route flush table $index");
- exec("ip -4 rule del from $network table $index");
- }
+ }
+ if (!$error && exec("ip rule|grep -Pom1 'from $network'")) {
+ exec("ip -4 route flush table $index");
+ exec("ip -4 rule del from $network table $index");
 }
 return $error;
 }
From 191e8683a79515c4f98981e456404cfc1905a25b Mon Sep 17 00:00:00 2001
From: bergware
Date: Wed, 20 Apr 2022 00:47:57 +0200
Subject: [PATCH 3/8] Wireguard: make routing independent from docker state
---
 plugins/dynamix/include/update.wireguard.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index 09a08389f..693201d63 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
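Review bot: After the block move, addDocker performs two independent steps whose relationship is no longer obvious from the code, and the return value only reflects the first of them; a short header comment would keep the next reader from re-coupling them. Something like `// 1) create the docker network (only when docker runs); 2) install the policy route for $network regardless of docker state. Returns true only when the docker step fails.` above the function would do. Note that a failure of the `ip` commands in step 2 is not reflected in `$error`, which the caller presumably relies on. The function signature and the top of the body are outside the hunk.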
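Review bot: In the delDocker hunk the teardown order is `ip -4 route flush table $index` first and `ip -4 rule del` second, so between the two commands the rule still points at an empty table and packets from $network fall through to the main table; this is the same leak window as during setup, just on the way down. Swap the two calls: `exec("ip -4 rule del from $network table $index");` then `exec("ip -4 route flush table $index");`, so the policy stops matching before its routes disappear. The delDocker hunks in patches 4 and 5 keep the same order and should be changed alongside. The function signature is outside the hunk.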
@@ -94,9 +94,9 @@ function dockerNet($vtun) {
 function addDocker($vtun) {
 global $dockerd,$dockernet;
 $error = false;
+ $index = substr($vtun,2)+200;
+ $network = "$dockernet.$index.0/24";
 if ($dockerd && dockerNet($vtun)) {
- $index = substr($vtun,2)+200;
- $network = "$dockernet.$index.0/24";
 exec("docker network create $vtun --subnet=$network 2>/dev/null");
 $error = dockerNet($vtun);
 }
@@ -111,9 +111,9 @@ function addDocker($vtun) {
 function delDocker($vtun) {
 global $dockerd,$dockernet;
 $error = false;
+ $index = substr($vtun,2)+200;
+ $network = "$dockernet.$index.0/24";
 if ($dockerd && !dockerNet($vtun)) {
- $index = substr($vtun,2)+200;
- $network = "$dockernet.$index.0/24";
 exec("docker network rm $vtun 2>/dev/null");
 $error = !dockerNet($vtun);
 }
From 241f9a7c8c06e866308fccd3ffaa5dcf8120173d Mon Sep 17 00:00:00 2001
From: bergware
Date: Wed, 20 Apr 2022 00:52:35 +0200
Subject: [PATCH 4/8] Wireguard: make routing independent from docker state
---
 plugins/dynamix/include/update.wireguard.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index 693201d63..89a35ef79 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
@@ -117,7 +117,7 @@ function delDocker($vtun) {
 exec("docker network rm $vtun 2>/dev/null");
 $error = !dockerNet($vtun);
 }
- if (!$error && exec("ip rule|grep -Pom1 'from $network'")) {
+ if (!$error && !noNet($network)) {
 exec("ip -4 route flush table $index");
 exec("ip -4 rule del from $network table $index");
 }
From 9f6aeb8d18c25063ddda7b54b0bd513ed1e856ce Mon Sep 17 00:00:00 2001
From: bergware
Date: Wed, 20 Apr 2022 12:03:39 +0200
Subject: [PATCH 5/8] Wireguard: minor code optimizations
---
 plugins/dynamix/include/update.wireguard.php | 33 ++++++++++----------
 1 file changed, 17 insertions(+), 16 deletions(-)
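Review bot: The hoisted `$index = substr($vtun,2)+200;` now runs on every call, and it silently assumes `$vtun` has the form `wgN`: on PHP 8 a non-numeric suffix throws a TypeError inside the request handler, and a leading-numeric one such as `1x` yields 201 with only a warning, after which `$network` is interpolated straight into `exec()` strings. Where `$vtun` is taken from is outside these hunks; if it can originate from the request, validate the shape once before it reaches any shell command, e.g. `if (!preg_match('/^wg\d+$/', $vtun)) return true;` at the top of addDocker (and the mirror in delDocker). The same assumption is centralised into the `newNet()` helper in patch 5, which would be the natural place for the check. Both function bodies continue past the hunk.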
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index 89a35ef79..f378e9b37 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
@@ -58,8 +58,13 @@ function ipfilter(&$list) {
 function host($ip) {
 return strpos($ip,'/')!==false ? $ip : (ipv4($ip) ? "$ip/32" : "$ip/128");
 }
-function noNet($network) {
- return empty(exec("ip rule|grep -Pom1 'from $network'"));
+function isNet($network) {
+ return !empty(exec("ip rule|grep -Pom1 'from $network'"));
+}
+function newNet($vtun) {
+ global $dockernet;
+ $i = substr($vtun,2)+200;
+ return [$i,"$dockernet.$i.0/24"];
 }
 function wgState($vtun,$state,$type=0) {
 global $t1,$etc;
@@ -92,15 +97,14 @@ function dockerNet($vtun) {
 return empty(exec("docker network ls --filter name='$vtun' --format='{{.Name}}'"));
 }
 function addDocker($vtun) {
- global $dockerd,$dockernet;
+ global $dockerd;
 $error = false;
- $index = substr($vtun,2)+200;
- $network = "$dockernet.$index.0/24";
+ [$index,$network] = newNet($vtun);
 if ($dockerd && dockerNet($vtun)) {
 exec("docker network create $vtun --subnet=$network 2>/dev/null");
 $error = dockerNet($vtun);
 }
- if (!$error && noNet($network)) {
+ if (!$error && !isNet($network)) {
 [$thisnet,$gateway] = thisnet();
 exec("ip -4 rule add from $network table $index");
 exec("ip -4 route add unreachable default table $index");
@@ -109,15 +113,14 @@ function addDocker($vtun) {
 return $error;
 }
 function delDocker($vtun) {
- global $dockerd,$dockernet;
+ global $dockerd;
 $error = false;
- $index = substr($vtun,2)+200;
- $network = "$dockernet.$index.0/24";
+ [$index,$network] = newNet($vtun);
 if ($dockerd && !dockerNet($vtun)) {
 exec("docker network rm $vtun 2>/dev/null");
 $error = !dockerNet($vtun);
 }
- if (!$error && !noNet($network)) {
+ if (!$error && isNet($network)) {
 exec("ip -4 route flush table $index");
 exec("ip -4 rule del from $network table $index");
 }
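Review bot: `noNet()` is renamed to `isNet()` with its sense inverted, and the three callers visible in this series are updated, but any other caller of `noNet` elsewhere in the file would now fail with an undefined function at runtime rather than at load time, so a whole-file search is worth doing before merge. Both new helpers lack a comment; suggested: `// true when an "ip rule" entry for $network already exists` on isNet and `// "wgN" -> [routing table id N+200, docker subnet "$dockernet.<N+200>.0/24"]` on newNet, since the `+200` offset and the coupling between table id and subnet are not otherwise explained. The `grep -Pom1 'from $network'` test treats $network as a Perl regex although it is a literal address (each `.` matches any character); `grep -Fom1` makes the match literal without changing the result format.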
@@ -210,7 +213,7 @@ function createIPs($list) {
 return implode(', ',array_map('host',array_filter(array_map('trim',explode(',',$list)))));
 }
 function parseInput($vtun,&$input,&$x) {
- global $conf,$user,$var,$default,$default6,$vpn,$dockernet;
+ global $conf,$user,$var,$default,$default6,$vpn;
 $section = 0; $addPeer = false;
 foreach ($input as $key => $value) {
 if ($key[0]=='#') continue;
@@ -218,8 +221,7 @@ function parseInput($vtun,&$input,&$x) {
 if ($i != $section) {
 if ($section==0) {
 // add WG routing for docker containers. Only IPv4 supported
- $index = substr($vtun,2)+200;
- $network = "$dockernet.$index.0/24";
+ [$index,$network] = newNet($vtun);
 [$thisnet,$gateway] = thisnet();
 $conf[] = "PostUp=ip -4 route flush table $index";
 $conf[] = "PostUp=ip -4 route add default via $tunip table $index";
@@ -380,9 +382,8 @@ case 'toggle':
 echo status($vtun) ? 1 : 0;
 break;
 case 'start':
- $index = substr($vtun,2)+200;
- $network = "$dockernet.$index.0/24";
- if (noNet($network)) {
+ [$index,$network] = newNet($vtun);
+ if (!isNet($network)) {
 exec("ip -4 rule add from $network table $index");
 exec("ip -4 route add unreachable default table $index");
 }
From 2f4e8691aad52cc5d17d57f196e876a62efd3674 Mon Sep 17 00:00:00 2001
From: bergware
Date: Wed, 20 Apr 2022 12:34:47 +0200
Subject: [PATCH 6/8] Wireguard: minor code optimizations
---
 plugins/dynamix/include/update.wireguard.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index f378e9b37..44ea306be 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
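Review bot: In the parseInput hunk the generated `PostUp=ip -4 route flush table $index` followed by `PostUp=ip -4 route add default via $tunip table $index` replaces the `unreachable default` that the `start` case installs, so the fail-closed default for table $index only exists until the tunnel comes up. When the interface later goes down the kernel drops the via-$tunip route on its own; unless a `PostDown` line re-adds the unreachable default (none is visible in this hunk), the rule is left pointing at a table with no default and container traffic falls through to the main table. If that counterpart is indeed missing, emit `$conf[] = "PostDown=ip -4 route flush table $index";` and `$conf[] = "PostDown=ip -4 route add unreachable default table $index";` next to the PostUp lines. Where `$tunip` is assigned is also outside the hunk; patches 7 and 8 of this series add and then revert a `global` for it, which suggests it is a local set earlier in the loop. parseInput's body starts and ends outside the hunk.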
@@ -34,7 +34,7 @@ function mask2cidr($mask) {
 $base = ip2long('255.255.255.255');
 return 32-log(($long ^ $base)+1,2);
 }
-function thisnet($ethX='eth0') {
+function thisNet($ethX='eth0') {
 extract(parse_ini_file('state/network.ini',true));
 $net = long2ip(ip2long($$ethX['IPADDR:0']) & ip2long($$ethX['NETMASK:0'])).'/'.mask2cidr($$ethX['NETMASK:0']);
 return [$net,$$ethX['GATEWAY:0']];
@@ -105,7 +105,7 @@ function addDocker($vtun) {
 $error = dockerNet($vtun);
 }
 if (!$error && !isNet($network)) {
- [$thisnet,$gateway] = thisnet();
+ [$thisnet,$gateway] = thisNet();
 exec("ip -4 rule add from $network table $index");
 exec("ip -4 route add unreachable default table $index");
 exec("ip -4 route add $thisnet via $gateway table $index");
@@ -222,7 +222,7 @@ function parseInput($vtun,&$input,&$x) {
 if ($section==0) {
 // add WG routing for docker containers. Only IPv4 supported
 [$index,$network] = newNet($vtun);
- [$thisnet,$gateway] = thisnet();
+ [$thisnet,$gateway] = thisNet();
 $conf[] = "PostUp=ip -4 route flush table $index";
 $conf[] = "PostUp=ip -4 route add default via $tunip table $index";
 $conf[] = "PostUp=ip -4 route add $thisnet via $gateway table $index";
From 4b5154bdad9dc4bdeafa803a3cf868df363b9ad1 Mon Sep 17 00:00:00 2001
From: bergware
Date: Wed, 20 Apr 2022 17:33:20 +0200
Subject: [PATCH 7/8] Wireguard: fix regression error
---
 plugins/dynamix/include/update.wireguard.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index 44ea306be..31643a34a 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
@@ -213,7 +213,7 @@ function createIPs($list) {
 return implode(', ',array_map('host',array_filter(array_map('trim',explode(',',$list)))));
 }
 function parseInput($vtun,&$input,&$x) {
- global $conf,$user,$var,$default,$default6,$vpn;
+ global $conf,$user,$var,$default,$default6,$vpn,$tunip;
 $section = 0; $addPeer = false;
 foreach ($input as $key => $value) {
 if ($key[0]=='#') continue;
From dcaf500effdbebaf229a38e8d9e94a490969723a Mon Sep 17 00:00:00 2001
From: bergware
Date: Wed, 20 Apr 2022 17:38:04 +0200
Subject: [PATCH 8/8] Revert "Wireguard: fix regression error"
This reverts commit 4b5154bdad9dc4bdeafa803a3cf868df363b9ad1.
---
 plugins/dynamix/include/update.wireguard.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/dynamix/include/update.wireguard.php b/plugins/dynamix/include/update.wireguard.php
index 31643a34a..44ea306be 100644
--- a/plugins/dynamix/include/update.wireguard.php
+++ b/plugins/dynamix/include/update.wireguard.php
@@ -213,7 +213,7 @@ function createIPs($list) {
 return implode(', ',array_map('host',array_filter(array_map('trim',explode(',',$list)))));
 }
 function parseInput($vtun,&$input,&$x) {
- global $conf,$user,$var,$default,$default6,$vpn,$tunip;
+ global $conf,$user,$var,$default,$default6,$vpn;
 $section = 0; $addPeer = false;
 foreach ($input as $key => $value) {
 if ($key[0]=='#') continue;