From 577af9947d77232082d45a456e3df252c3e151dd Mon Sep 17 00:00:00 2001 From: Thomas Willems Date: Mon, 29 Jan 2024 12:51:44 +0100 Subject: [PATCH 01/16] introduce WG_DEFAULT_ADDRESS_RANGE (CIDR notation) This PR allows the use of Address Ranges using the CIDR notation. To make it backward compatible, i introduced a new env variable WG_DEFAULT_ADDRESS_RANGE (defaults to the previous default of 24). This allows the usage of smaller subnets (or possibly larger; but i didn't test that due to restrictions on my network). Client IPs will be calculated with correct IP addresses instead of making assumptions of the address space. --- README.md | 1 + docker-compose.yml | 1 + src/config.js | 10 +++++++++- src/lib/WireGuard.js | 21 ++++++++++++++------- src/package-lock.json | 6 ++++++ src/package.json | 1 + wg-easy.service | 1 + 7 files changed, 33 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 958104412..49fc42ffc 100644 --- a/README.md +++ b/README.md @@ -91,6 +91,7 @@ These options can be configured by setting environment variables using `-e KEY=" | `WG_MTU` | `null` | `1420` | The MTU the clients will use. Server uses default WG MTU. | | `WG_PERSISTENT_KEEPALIVE` | `0` | `25` | Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive. | | `WG_DEFAULT_ADDRESS` | `10.8.0.x` | `10.6.0.x` | Clients IP address range. | +| `WG_DEFAULT_ADDRESS_RANGE` | `24` | `28` | CIDR notation block of range. Default equals `10.8.0.1/24` | | `WG_DEFAULT_DNS` | `1.1.1.1` | `8.8.8.8, 8.8.4.4` | DNS server clients will use. If set to blank value, clients will not use any DNS. | | `WG_ALLOWED_IPS` | `0.0.0.0/0, ::/0` | `192.168.15.0/24, 10.0.1.0/24` | Allowed IPs clients will use. | | `WG_PRE_UP` | `...` | - | See [config.js](https://github.com/wg-easy/wg-easy/blob/master/src/config.js#L19) for the default value. | diff --git a/docker-compose.yml b/docker-compose.yml index a6738832a..22e73cdb4 100644 --- a/docker-compose.yml 
+++ b/docker-compose.yml @@ -16,6 +16,7 @@ services: # - PASSWORD=foobar123 # - WG_PORT=51820 # - WG_DEFAULT_ADDRESS=10.8.0.x + # - WG_DEFAULT_ADDRESS_RANGE=24 # - WG_DEFAULT_DNS=1.1.1.1 # - WG_MTU=1420 # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24 diff --git a/src/config.js b/src/config.js index 33ff7832b..5245a348f 100644 --- a/src/config.js +++ b/src/config.js @@ -1,5 +1,7 @@ 'use strict'; +const ip = require('ip'); + const { release } = require('./package.json'); module.exports.RELEASE = release; 
@@ -13,14 +15,20 @@ module.exports.WG_PORT = process.env.WG_PORT || 51820; module.exports.WG_MTU = process.env.WG_MTU || null; module.exports.WG_PERSISTENT_KEEPALIVE = process.env.WG_PERSISTENT_KEEPALIVE || 0; module.exports.WG_DEFAULT_ADDRESS = process.env.WG_DEFAULT_ADDRESS || '10.8.0.x'; +module.exports.WG_DEFAULT_ADDRESS_RANGE = process.env.WG_DEFAULT_ADDRESS_RANGE || 24; module.exports.WG_DEFAULT_DNS = typeof process.env.WG_DEFAULT_DNS === 'string' ? process.env.WG_DEFAULT_DNS : '1.1.1.1'; module.exports.WG_ALLOWED_IPS = process.env.WG_ALLOWED_IPS || '0.0.0.0/0, ::/0'; +module.exports.WG_SUBNET = ip.subnet(module.exports.WG_DEFAULT_ADDRESS.replace('x', '1'), `255.255.255.${256 - 2 ** (32 - module.exports.WG_DEFAULT_ADDRESS_RANGE)}`); +module.exports.WG_SERVER_ADDRESS = module.exports.WG_SUBNET.firstAddress; +module.exports.WG_CLIENT_FIRST_ADDRESS = ip.toLong(module.exports.WG_SERVER_ADDRESS) + 1; +module.exports.WG_CLIENT_LAST_ADDRESS = ip.toLong(module.exports.WG_SUBNET.lastAddress) - 1; // Exclude the broadcast address + module.exports.WG_PRE_UP = process.env.WG_PRE_UP || ''; module.exports.WG_POST_UP = process.env.WG_POST_UP || ` -iptables -t nat -A POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE; +iptables -t nat -A POSTROUTING -s ${module.exports.WG_SERVER_ADDRESS}/${module.exports.WG_DEFAULT_ADDRESS_RANGE} -o ${module.exports.WG_DEVICE} -j MASQUERADE; iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index 89246a735..a0beddeb1 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -4,6 +4,7 @@ const fs = require('fs').promises; const path = require('path'); const debug = require('debug')('WireGuard'); +const ip = require('ip'); const uuid = require('uuid'); const QRCode = require('qrcode'); 
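Review bot: `WG_CLIENT_LAST_ADDRESS` takes `ip.toLong(module.exports.WG_SUBNET.lastAddress) - 1`, but as far as I recall `ip.subnet()` already reports `lastAddress` as the last usable host (the address before the broadcast address) for prefixes shorter than /31, so the `- 1` gives away one client slot and the comment `// Exclude the broadcast address` describes the library's work rather than this line's; if that is confirmed the line should be `module.exports.WG_CLIENT_LAST_ADDRESS = ip.toLong(module.exports.WG_SUBNET.lastAddress);`. The mask `255.255.255.${256 - 2 ** (32 - …)}` is only a valid netmask for ranges 24–32 (a /16 yields a negative last octet; patch 13 in this series switches to `ip.cidrSubnet`), and nothing checks that `WG_DEFAULT_ADDRESS_RANGE` is an integer in that range before it is used in the mask and interpolated into the iptables command in `WG_POST_UP`. A startup guard such as `if (!Number.isInteger(Number(module.exports.WG_DEFAULT_ADDRESS_RANGE))) throw new Error('WG_DEFAULT_ADDRESS_RANGE must be a prefix length');` fails fast instead of silently producing a NaN-based subnet.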
@@ -16,9 +17,12 @@ const { WG_PORT, WG_MTU, WG_DEFAULT_DNS, - WG_DEFAULT_ADDRESS, + WG_DEFAULT_ADDRESS_RANGE, WG_PERSISTENT_KEEPALIVE, WG_ALLOWED_IPS, + WG_SERVER_ADDRESS, + WG_CLIENT_FIRST_ADDRESS, + WG_CLIENT_LAST_ADDRESS, WG_PRE_UP, WG_POST_UP, WG_PRE_DOWN, @@ -45,13 +49,15 @@ module.exports = class WireGuard { const publicKey = await Util.exec(`echo ${privateKey} | wg pubkey`, { log: 'echo ***hidden*** | wg pubkey', }); - const address = WG_DEFAULT_ADDRESS.replace('x', '1'); + const address = WG_SERVER_ADDRESS; + const cidrBlock = WG_DEFAULT_ADDRESS_RANGE; config = { server: { privateKey, publicKey, address, + cidrBlock, }, clients: {}, }; @@ -94,7 +100,7 @@ module.exports = class WireGuard { # Server [Interface] PrivateKey = ${config.server.privateKey} -Address = ${config.server.address}/24 +Address = ${config.server.address}/${config.server.cidrBlock} ListenPort = 51820 PreUp = ${WG_PRE_UP} PostUp = ${WG_POST_UP} @@ -229,15 +235,16 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; const publicKey = await Util.exec(`echo ${privateKey} | wg pubkey`); const preSharedKey = await Util.exec('wg genpsk'); - // Calculate next IP + // find next IP let address; - for (let i = 2; i < 255; i++) { + for (let i = WG_CLIENT_FIRST_ADDRESS; i <= WG_CLIENT_LAST_ADDRESS; i++) { + const currentIp = ip.fromLong(i); const client = Object.values(config.clients).find((client) => { - return client.address === WG_DEFAULT_ADDRESS.replace('x', i); + return client.address === currentIp; }); if (!client) { - address = WG_DEFAULT_ADDRESS.replace('x', i); + address = currentIp; break; } } diff --git a/src/package-lock.json b/src/package-lock.json index 532fa5bb4..85d8420b8 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -13,6 +13,7 @@ "debug": "^4.3.4", "express": "^4.18.3", "express-session": "^1.18.0", + "ip": "^1.1.8", "qrcode": "^1.5.3", "uuid": "^9.0.1" }, 
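Review bot: In the `@@ -94,7 +100,7` hunk, `Address = ${config.server.address}/${config.server.cidrBlock}` renders `/undefined` for any deployment whose wg0.json was written before this change, because `cidrBlock` is only stored on the fresh-config path (`config = { server: { …, cidrBlock } }` in the `@@ -45,13 +49,15` hunk), and a `/undefined` address would almost certainly be rejected by wg-quick. A fallback keeps upgrades working: `Address = ${config.server.address}/${config.server.cidrBlock || WG_DEFAULT_ADDRESS_RANGE}`. Patches 05 and 08 in this series have the same gap for `client.address`, where pre-existing clients never receive a `cidrBlock`. Persisting the prefix in the config also means a later change of `WG_DEFAULT_ADDRESS_RANGE` is silently ignored for the server interface, which deserves a comment at the `const cidrBlock = WG_DEFAULT_ADDRESS_RANGE;` line, e.g. `// Snapshot of the prefix at first start; stored in wg0.json and not re-read from the environment afterwards`.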
@@ -2793,6 +2794,11 @@ "node": ">= 0.4" } }, + "node_modules/ip": { + "version": "1.1.8", + "resolved": "https://registry.npmjs.org/ip/-/ip-1.1.8.tgz", + "integrity": "sha512-PuExPYUiu6qMBQb4l06ecm6T6ujzhmh+MeJcW9wa89PoAz5pvd4zPgN5WJV104mb6S2T1AwNIAaB70JNrLQWhg==" + }, "node_modules/ipaddr.js": { "version": "1.9.1", "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", diff --git a/src/package.json b/src/package.json index 14cf5183a..fe676ce31 100644 --- a/src/package.json +++ b/src/package.json @@ -17,6 +17,7 @@ "debug": "^4.3.4", "express": "^4.18.3", "express-session": "^1.18.0", + "ip": "^1.1.8", "qrcode": "^1.5.3", "uuid": "^9.0.1" }, diff --git a/wg-easy.service b/wg-easy.service index bcdf72fdf..9b842b39c 100644 --- a/wg-easy.service +++ b/wg-easy.service @@ -6,6 +6,7 @@ After=network-online.target nss-lookup.target Environment="WG_HOST=raspberrypi.local" # Change this to your host's public address or static public ip. Environment="PASSWORD=REPLACEME" # When set, requires a password when logging in to the Web UI, to disable add a hashtag #Environment="WG_DEFAULT_ADDRESS=10.0.8.x" #Clients IP address range. +#Environment="WG_DEFAULT_ADDRESS_RANGE=24" #Clients IP address range block. #Environment="WG_DEFAULT_DNS=10.0.8.1, 1.1.1.1" #DNS server clients will use. If set to blank value, clients will not use any DNS. #Environment="WG_ALLOWED_IPS=0.0.0.0/0,::/0" #Allowed IPs clients will use. #Environment="WG_DEVICE=ens1" #Ethernet device the wireguard traffic should be forwarded through. From 89415a2258e7167e44b06b2f436e24f141f5af77 Mon Sep 17 00:00:00 2001 From: Thomas Willems Date: Tue, 6 Feb 2024 09:25:23 +0100 Subject: [PATCH 02/16] refactor to support CIDR and legacy notation for WG_DEFAULT_ADDRESS --- README.md | 3 +-- docker-compose.yml | 3 +-- src/config.js | 26 +++++++++++++++++++++++--- src/lib/Util.js | 13 ------------- src/lib/WireGuard.js | 4 ++-- wg-easy.service | 3 +-- 6 files changed, 28 insertions(+), 24 deletions(-) 
diff --git a/README.md b/README.md index 49fc42ffc..5a6642038 100644 --- a/README.md +++ b/README.md @@ -90,8 +90,7 @@ These options can be configured by setting environment variables using `-e KEY=" | `WG_PORT` | `51820` | `12345` | The public UDP port of your VPN server. WireGuard will always listen on 51820 inside the Docker container. | | `WG_MTU` | `null` | `1420` | The MTU the clients will use. Server uses default WG MTU. | | `WG_PERSISTENT_KEEPALIVE` | `0` | `25` | Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive. | -| `WG_DEFAULT_ADDRESS` | `10.8.0.x` | `10.6.0.x` | Clients IP address range. | -| `WG_DEFAULT_ADDRESS_RANGE` | `24` | `28` | CIDR notation block of range. Default equals `10.8.0.1/24` | +| `WG_DEFAULT_ADDRESS` | `10.8.0.1/24` | `10.6.0.x` | Clients IP address range. (For Legacy reasons x in last place is supported (e.g. 10.8.0.x)) | | `WG_DEFAULT_DNS` | `1.1.1.1` | `8.8.8.8, 8.8.4.4` | DNS server clients will use. If set to blank value, clients will not use any DNS. | | `WG_ALLOWED_IPS` | `0.0.0.0/0, ::/0` | `192.168.15.0/24, 10.0.1.0/24` | Allowed IPs clients will use. | | `WG_PRE_UP` | `...` | - | See [config.js](https://github.com/wg-easy/wg-easy/blob/master/src/config.js#L19) for the default value. | diff --git a/docker-compose.yml b/docker-compose.yml index 22e73cdb4..9495b9b53 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,8 +15,7 @@ services: # Optional: # - PASSWORD=foobar123 # - WG_PORT=51820 - # - WG_DEFAULT_ADDRESS=10.8.0.x - # - WG_DEFAULT_ADDRESS_RANGE=24 + # - WG_DEFAULT_ADDRESS=10.8.0.1/24 # - WG_DEFAULT_DNS=1.1.1.1 # - WG_MTU=1420 # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24 diff --git a/src/config.js b/src/config.js index 5245a348f..f1779fe39 100644 --- a/src/config.js +++ b/src/config.js 
@@ -4,6 +4,26 @@ const ip = require('ip');
 
 const { release } = require('./package.json');
 
+function parseDefaultAddress(defaultAddress) {
+  // Set the default full address with subnet if it's not provided
+  const defaultFullAddress = defaultAddress || '10.8.0.1/24';
+
+  // Check if the address ends with '.x', if so, replace with '.1/24'
+  const addressWithSubnet = defaultFullAddress.endsWith('.x')
+    ? defaultFullAddress.replace('.x', '.1/24')
+    : defaultFullAddress;
+
+  const [ipAddress, subnetRange] = addressWithSubnet.split('/');
+
+  return {
+    ipAddress,
+    subnetRange: subnetRange || '24', // Default subnet range to 24 if not provided
+  };
+}
+
+// Use the function to parse the environment variable or default to '10.8.0.1/24'
+const { ipAddress, subnetRange } = parseDefaultAddress(process.env.WG_DEFAULT_ADDRESS);
+
 module.exports.RELEASE = release;
 module.exports.PORT = process.env.PORT || 51821;
 module.exports.WEBUI_HOST = process.env.WEBUI_HOST || '0.0.0.0';
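Review bot: `parseDefaultAddress` accepts any string: `'abc/999'.split('/')` yields `ipAddress = 'abc'` and `subnetRange = '999'`, which only surfaces later as a NaN subnet from `ip.subnet` on the lines below this hunk, with no error at startup. Since this is the single place the operator-supplied value is normalised, it is the right place to validate it, e.g. after the split: `const len = Number(subnetRange || '24');` and `if (!ip.isV4Format(ipAddress) || !Number.isInteger(len) || len > 32) throw new Error(`Invalid WG_DEFAULT_ADDRESS: ${defaultAddress}`);`. A JSDoc header stating that the input is `WG_DEFAULT_ADDRESS` in either `a.b.c.d/len` or legacy `a.b.c.x` form, and that `subnetRange` is returned as a string on which callers do arithmetic, would also help the next reader.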
@@ -14,14 +34,14 @@ module.exports.WG_HOST = process.env.WG_HOST; module.exports.WG_PORT = process.env.WG_PORT || 51820; module.exports.WG_MTU = process.env.WG_MTU || null; module.exports.WG_PERSISTENT_KEEPALIVE = process.env.WG_PERSISTENT_KEEPALIVE || 0; -module.exports.WG_DEFAULT_ADDRESS = process.env.WG_DEFAULT_ADDRESS || '10.8.0.x'; -module.exports.WG_DEFAULT_ADDRESS_RANGE = process.env.WG_DEFAULT_ADDRESS_RANGE || 24; +module.exports.WG_DEFAULT_ADDRESS = ipAddress; +module.exports.WG_DEFAULT_ADDRESS_RANGE = subnetRange; module.exports.WG_DEFAULT_DNS = typeof process.env.WG_DEFAULT_DNS === 'string' ? process.env.WG_DEFAULT_DNS : '1.1.1.1'; module.exports.WG_ALLOWED_IPS = process.env.WG_ALLOWED_IPS || '0.0.0.0/0, ::/0'; -module.exports.WG_SUBNET = ip.subnet(module.exports.WG_DEFAULT_ADDRESS.replace('x', '1'), `255.255.255.${256 - 2 ** (32 - module.exports.WG_DEFAULT_ADDRESS_RANGE)}`); +module.exports.WG_SUBNET = ip.subnet(module.exports.WG_DEFAULT_ADDRESS, `255.255.255.${256 - 2 ** (32 - module.exports.WG_DEFAULT_ADDRESS_RANGE)}`); module.exports.WG_SERVER_ADDRESS = module.exports.WG_SUBNET.firstAddress; module.exports.WG_CLIENT_FIRST_ADDRESS = ip.toLong(module.exports.WG_SERVER_ADDRESS) + 1; module.exports.WG_CLIENT_LAST_ADDRESS = ip.toLong(module.exports.WG_SUBNET.lastAddress) - 1; // Exclude the broadcast address diff --git a/src/lib/Util.js b/src/lib/Util.js index cc6e89c2d..829425996 100644 --- a/src/lib/Util.js +++ b/src/lib/Util.js @@ -4,19 +4,6 @@ const childProcess = require('child_process'); module.exports = class Util { - static isValidIPv4(str) { - const blocks = str.split('.'); - if (blocks.length !== 4) return false; - - for (let value of blocks) { - value = parseInt(value, 10); - if (Number.isNaN(value)) return false; - if (value < 0 || value > 255) return false; - } - - return true; - } - static promisify(fn) { // eslint-disable-next-line func-names return function(req, res) { 
diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index a0beddeb1..640741cd0 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -73,7 +73,7 @@ module.exports = class WireGuard { throw err; }); - // await Util.exec(`iptables -t nat -A POSTROUTING -s ${WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ' + WG_DEVICE + ' -j MASQUERADE`); + // await Util.exec(`iptables -t nat -A POSTROUTING -s ${WG_SERVER_ADDRESS/${WG_DEFAULT_ADDRESS_RANGE} -o ' + WG_DEVICE + ' -j MASQUERADE`); // await Util.exec('iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT'); // await Util.exec('iptables -A FORWARD -i wg0 -j ACCEPT'); // await Util.exec('iptables -A FORWARD -o wg0 -j ACCEPT'); @@ -315,7 +315,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; async updateClientAddress({ clientId, address }) { const client = await this.getClient({ clientId }); - if (!Util.isValidIPv4(address)) { + if (!ip.isV4Format(address)) { throw new ServerError(`Invalid Address: ${address}`, 400); } diff --git a/wg-easy.service b/wg-easy.service index 9b842b39c..91b35206d 100644 --- a/wg-easy.service +++ b/wg-easy.service @@ -5,8 +5,7 @@ After=network-online.target nss-lookup.target [Service] Environment="WG_HOST=raspberrypi.local" # Change this to your host's public address or static public ip. Environment="PASSWORD=REPLACEME" # When set, requires a password when logging in to the Web UI, to disable add a hashtag -#Environment="WG_DEFAULT_ADDRESS=10.0.8.x" #Clients IP address range. -#Environment="WG_DEFAULT_ADDRESS_RANGE=24" #Clients IP address range block. +#Environment="WG_DEFAULT_ADDRESS=10.0.8.1/24" #Clients IP address range. #Environment="WG_DEFAULT_DNS=10.0.8.1, 1.1.1.1" #DNS server clients will use. If set to blank value, clients will not use any DNS. #Environment="WG_ALLOWED_IPS=0.0.0.0/0,::/0" #Allowed IPs clients will use. #Environment="WG_DEVICE=ens1" #Ethernet device the wireguard traffic should be forwarded through. From c4d4da38e7ba9521657056ebcf3b714551354900 Mon Sep 17 00:00:00 2001 
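Review bot: In the `@@ -315,7 +315,7` hunk, replacing `Util.isValidIPv4` with `ip.isV4Format` weakens the check on a value that arrives from the web UI: the removed helper (Util.js hunk above) rejected octets outside 0–255, whereas `isV4Format` is, as far as I recall, a shape-only regex that accepts `999.999.999.999`. With a configurable subnet it would also make sense to reject addresses outside it, e.g. `if (!ip.isV4Format(address) || !WG_SUBNET.contains(address)) {`, with `WG_SUBNET` added to the config destructuring at the top of the file (outside this hunk). Whether the rest of `updateClientAddress` checks for a collision with another client's address is not visible here; the function continues past the hunk.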
From: Thomas Willems Date: Tue, 13 Feb 2024 13:55:00 +0100 Subject: [PATCH 03/16] correct CIDR notation --- README.md | 2 +- docker-compose.yml | 2 +- src/config.js | 8 ++++---- wg-easy.service | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 5a6642038..b2d2bc880 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ These options can be configured by setting environment variables using `-e KEY=" | `WG_PORT` | `51820` | `12345` | The public UDP port of your VPN server. WireGuard will always listen on 51820 inside the Docker container. | | `WG_MTU` | `null` | `1420` | The MTU the clients will use. Server uses default WG MTU. | | `WG_PERSISTENT_KEEPALIVE` | `0` | `25` | Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive. | -| `WG_DEFAULT_ADDRESS` | `10.8.0.1/24` | `10.6.0.x` | Clients IP address range. (For Legacy reasons x in last place is supported (e.g. 10.8.0.x)) | +| `WG_DEFAULT_ADDRESS` | `10.8.0.0/24` | `10.6.0.0/24` | Clients IP address range. (For Legacy reasons x in last place is supported and will be replaced with 0/24 (e.g. 10.8.0.x)) | | `WG_DEFAULT_DNS` | `1.1.1.1` | `8.8.8.8, 8.8.4.4` | DNS server clients will use. If set to blank value, clients will not use any DNS. | | `WG_ALLOWED_IPS` | `0.0.0.0/0, ::/0` | `192.168.15.0/24, 10.0.1.0/24` | Allowed IPs clients will use. | | `WG_PRE_UP` | `...` | - | See [config.js](https://github.com/wg-easy/wg-easy/blob/master/src/config.js#L19) for the default value. | diff --git a/docker-compose.yml b/docker-compose.yml index 9495b9b53..766ed697a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,7 +15,7 @@ services: # Optional: # - PASSWORD=foobar123 # - WG_PORT=51820 - # - WG_DEFAULT_ADDRESS=10.8.0.1/24 + # - WG_DEFAULT_ADDRESS=10.8.0.0/24 # - WG_DEFAULT_DNS=1.1.1.1 # - WG_MTU=1420 # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24 
diff --git a/src/config.js b/src/config.js index f1779fe39..21470be60 100644 --- a/src/config.js +++ b/src/config.js @@ -6,11 +6,11 @@ const { release } = require('./package.json'); function parseDefaultAddress(defaultAddress) { // Set the default full address with subnet if it's not provided - const defaultFullAddress = defaultAddress || '10.8.0.1/24'; + const defaultFullAddress = defaultAddress || '10.8.0.0/24'; - // Check if the address ends with '.x', if so, replace with '.1/24' + // Check if the address ends with '.x', if so, replace with '.0/24' const addressWithSubnet = defaultFullAddress.endsWith('.x') - ? defaultFullAddress.replace('.x', '.1/24') + ? defaultFullAddress.replace('.x', '.0/24') : defaultFullAddress; const [ipAddress, subnetRange] = addressWithSubnet.split('/'); @@ -21,7 +21,7 @@ function parseDefaultAddress(defaultAddress) { }; } -// Use the function to parse the environment variable or default to '10.8.0.1/24' +// Use the function to parse the environment variable or default to '10.8.0.0/24' const { ipAddress, subnetRange } = parseDefaultAddress(process.env.WG_DEFAULT_ADDRESS); module.exports.RELEASE = release; diff --git a/wg-easy.service b/wg-easy.service index 91b35206d..6adee95e3 100644 --- a/wg-easy.service +++ b/wg-easy.service 
@@ -5,7 +5,7 @@ After=network-online.target nss-lookup.target [Service] Environment="WG_HOST=raspberrypi.local" # Change this to your host's public address or static public ip. Environment="PASSWORD=REPLACEME" # When set, requires a password when logging in to the Web UI, to disable add a hashtag -#Environment="WG_DEFAULT_ADDRESS=10.0.8.1/24" #Clients IP address range. +#Environment="WG_DEFAULT_ADDRESS=10.0.8.0/24" # Clients IP address range. #Environment="WG_DEFAULT_DNS=10.0.8.1, 1.1.1.1" #DNS server clients will use. If set to blank value, clients will not use any DNS. #Environment="WG_ALLOWED_IPS=0.0.0.0/0,::/0" #Allowed IPs clients will use. #Environment="WG_DEVICE=ens1" #Ethernet device the wireguard traffic should be forwarded through. From cb45bc1c4317e8a1f5a0f096fb59737da2f46e2d Mon Sep 17 00:00:00 2001 From: Thomas Willems Date: Mon, 19 Feb 2024 11:02:38 +0100 Subject: [PATCH 04/16] update ip package to 2.0.1 --- src/package-lock.json | 8 ++++---- src/package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/package-lock.json b/src/package-lock.json index 85d8420b8..e527e473c 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -13,7 +13,7 @@ "debug": "^4.3.4", "express": "^4.18.3", "express-session": "^1.18.0", - "ip": "^1.1.8", + "ip": "^2.0.1", "qrcode": "^1.5.3", "uuid": "^9.0.1" }, @@ -2795,9 +2795,9 @@ } }, "node_modules/ip": { - "version": "1.1.8", - "resolved": "https://registry.npmjs.org/ip/-/ip-1.1.8.tgz", - "integrity": "sha512-PuExPYUiu6qMBQb4l06ecm6T6ujzhmh+MeJcW9wa89PoAz5pvd4zPgN5WJV104mb6S2T1AwNIAaB70JNrLQWhg==" + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz", + "integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==" }, "node_modules/ipaddr.js": { "version": "1.9.1", diff --git a/src/package.json b/src/package.json index fe676ce31..05964c9a3 100644 --- a/src/package.json +++ b/src/package.json 
@@ -17,7 +17,7 @@ "debug": "^4.3.4", "express": "^4.18.3", "express-session": "^1.18.0", - "ip": "^1.1.8", + "ip": "^2.0.1", "qrcode": "^1.5.3", "uuid": "^9.0.1" }, From 2f8976511278fab305ed351cda0571e8a4d63a22 Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Tue, 5 Mar 2024 17:55:10 +0100 Subject: [PATCH 05/16] WireGuard.js: fixup undefined CIDR --- src/lib/WireGuard.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index 640741cd0..6c7f0d59e 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -204,7 +204,7 @@ ${client.preSharedKey ? `PresharedKey = ${client.preSharedKey}\n` : '' return `[Interface] PrivateKey = ${client.privateKey} -Address = ${client.address}/24 +Address = ${client.address}/${config.server.cidrBlock} ${WG_DEFAULT_DNS ? `DNS = ${WG_DEFAULT_DNS}\n` : ''}\ ${WG_MTU ? `MTU = ${WG_MTU}\n` : ''}\ From bbc919608c581772eb6134cf3ea217439bc5c0ae Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Tue, 5 Mar 2024 17:57:49 +0100 Subject: [PATCH 06/16] Update docker-compose.yml --- docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 766ed697a..b5907bde1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -15,7 +15,8 @@ services: # Optional: # - PASSWORD=foobar123 # - WG_PORT=51820 - # - WG_DEFAULT_ADDRESS=10.8.0.0/24 + # - WG_DEFAULT_ADDRESS=10.8.0.0 + # - WG_DEFAULT_ADDRESS_RANGE=24 # - WG_DEFAULT_DNS=1.1.1.1 # - WG_MTU=1420 # - WG_ALLOWED_IPS=192.168.15.0/24, 10.0.1.0/24 From 76a3d7f81dfd3101acdc772045634267d49c9a67 Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Tue, 5 Mar 2024 18:15:42 +0100 Subject: [PATCH 07/16] fixing stuff and formating --- src/config.js | 30 +++++------------------------- 1 file changed, 5 insertions(+), 25 deletions(-) 
diff --git a/src/config.js b/src/config.js index 21470be60..46da2aa6f 100644 --- a/src/config.js +++ b/src/config.js 
@@ -4,38 +4,18 @@ const ip = require('ip'); const { release } = require('./package.json'); -function parseDefaultAddress(defaultAddress) { - // Set the default full address with subnet if it's not provided - const defaultFullAddress = defaultAddress || '10.8.0.0/24'; - - // Check if the address ends with '.x', if so, replace with '.0/24' - const addressWithSubnet = defaultFullAddress.endsWith('.x') - ? defaultFullAddress.replace('.x', '.0/24') - : defaultFullAddress; - - const [ipAddress, subnetRange] = addressWithSubnet.split('/'); - - return { - ipAddress, - subnetRange: subnetRange || '24', // Default subnet range to 24 if not provided - }; -} - -// Use the function to parse the environment variable or default to '10.8.0.0/24' -const { ipAddress, subnetRange } = parseDefaultAddress(process.env.WG_DEFAULT_ADDRESS); - module.exports.RELEASE = release; -module.exports.PORT = process.env.PORT || 51821; +module.exports.PORT = process.env.PORT || '51821'; module.exports.WEBUI_HOST = process.env.WEBUI_HOST || '0.0.0.0'; module.exports.PASSWORD = process.env.PASSWORD; module.exports.WG_PATH = process.env.WG_PATH || '/etc/wireguard/'; module.exports.WG_DEVICE = process.env.WG_DEVICE || 'eth0'; module.exports.WG_HOST = process.env.WG_HOST; -module.exports.WG_PORT = process.env.WG_PORT || 51820; +module.exports.WG_PORT = process.env.WG_PORT || '51820'; module.exports.WG_MTU = process.env.WG_MTU || null; -module.exports.WG_PERSISTENT_KEEPALIVE = process.env.WG_PERSISTENT_KEEPALIVE || 0; -module.exports.WG_DEFAULT_ADDRESS = ipAddress; -module.exports.WG_DEFAULT_ADDRESS_RANGE = subnetRange; +module.exports.WG_PERSISTENT_KEEPALIVE = process.env.WG_PERSISTENT_KEEPALIVE || '0'; +module.exports.WG_DEFAULT_ADDRESS = process.env.WG_DEFAULT_ADDRESS || '10.8.0.0'; +module.exports.WG_DEFAULT_ADDRESS_RANGE = process.env.WG_DEFAULT_ADDRESS_RANGE || '24'; module.exports.WG_DEFAULT_DNS = typeof process.env.WG_DEFAULT_DNS === 'string' ? process.env.WG_DEFAULT_DNS : '1.1.1.1'; 
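Review bot: Dropping `parseDefaultAddress` removes the only handling of the legacy `10.8.0.x` value, which was the documented default until patch 02 of this series and is likely still set in existing deployments; with this hunk that string reaches `ip.subnet(module.exports.WG_DEFAULT_ADDRESS, …)` unchanged (just below the hunk), and `ip.toLong` on a non-numeric octet yields NaN, so `WG_SERVER_ADDRESS` and the client range become garbage without any error at startup. The hunk's trailing context (the `? :` continuation of `WG_DEFAULT_DNS`) is cut off in this view. Neither environment value is validated before it is used in subnet arithmetic and interpolated into the iptables strings in `WG_POST_UP`/`WG_POST_DOWN`, and a prefix of 31 or 32 leaves no client address at all. The switch of `PORT`, `WG_PORT` and `WG_PERSISTENT_KEEPALIVE` defaults from numbers to strings is unrelated to the CIDR change and alters truthiness: `'0'` is truthy, so any `WG_PERSISTENT_KEEPALIVE ? … : ''` guard in WireGuard.js would now emit the line — worth a separate commit. I would normalise and validate both values once, as below.
```javascript
// … unchanged: RELEASE … WG_MTU, WG_PERSISTENT_KEEPALIVE …
// Accept the legacy "a.b.c.x" form so upgraded deployments keep working, and
// reject anything that is not a dotted quad / prefix length before it reaches
// ip.subnet() and the iptables command strings below.
const defaultAddress = (process.env.WG_DEFAULT_ADDRESS || '10.8.0.0').replace(/\.x$/, '.0');
if (!ip.isV4Format(defaultAddress) || !defaultAddress.split('.').every((octet) => Number(octet) <= 255)) {
  throw new Error(`Invalid WG_DEFAULT_ADDRESS: ${process.env.WG_DEFAULT_ADDRESS}`);
}
const defaultRange = Number(process.env.WG_DEFAULT_ADDRESS_RANGE || '24');
// /31 and /32 leave no address for clients once the server has taken one.
if (!Number.isInteger(defaultRange) || defaultRange < 0 || defaultRange > 30) {
  throw new Error(`Invalid WG_DEFAULT_ADDRESS_RANGE: ${process.env.WG_DEFAULT_ADDRESS_RANGE}`);
}
module.exports.WG_DEFAULT_ADDRESS = defaultAddress;
module.exports.WG_DEFAULT_ADDRESS_RANGE = String(defaultRange);
// … unchanged: WG_DEFAULT_DNS …
```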
From 63faf4c507a0238daef95230fda1246978785d28 Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Tue, 5 Mar 2024 18:24:42 +0100 Subject: [PATCH 08/16] fixup: WireGuard.js --- src/lib/WireGuard.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index 6c7f0d59e..5f7425749 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -204,7 +204,7 @@ ${client.preSharedKey ? `PresharedKey = ${client.preSharedKey}\n` : '' return `[Interface] PrivateKey = ${client.privateKey} -Address = ${client.address}/${config.server.cidrBlock} +Address = ${client.address}/${client.cidrBlock} ${WG_DEFAULT_DNS ? `DNS = ${WG_DEFAULT_DNS}\n` : ''}\ ${WG_MTU ? `MTU = ${WG_MTU}\n` : ''}\ From 754b5f29af19e329945f7cd4c37b8d5d86b6383f Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Tue, 5 Mar 2024 19:29:14 +0100 Subject: [PATCH 09/16] fixup: WireGuard.js well I was on the client side so I hope I get all stuff fixed now. --- src/lib/WireGuard.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index 5f7425749..ad5e79735 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -143,6 +143,7 @@ ${client.preSharedKey ? `PresharedKey = ${client.preSharedKey}\n` : '' name: client.name, enabled: client.enabled, address: client.address, + cidrBlock: client.cidrBlock, publicKey: client.publicKey, createdAt: new Date(client.createdAt), updatedAt: new Date(client.updatedAt), @@ -259,6 +260,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; id, name, address, + cidrBlock, privateKey, publicKey, preSharedKey, From 5ee284b973131aae37b48466188293dce986c7ee Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Tue, 5 Mar 2024 19:35:38 +0100 Subject: [PATCH 10/16] fixup: WireGuard.js --- src/lib/WireGuard.js | 1 + 1 file changed, 1 insertion(+) 
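Review bot: In patch 09's `@@ -259,6 +260,7` hunk, `cidrBlock` is used as a shorthand property of the new client object, but no binding of that name exists in `createClient` at this commit (patch 10 adds `const cidrBlock = WG_DEFAULT_ADDRESS_RANGE;` later), so this commit on its own throws a ReferenceError on client creation; squashing patches 09 and 10 keeps the series bisectable. Clients already present in wg0.json never get a `cidrBlock` either, so the `/${client.cidrBlock}` rendering in patch 08's hunk needs the same fallback raised on the server address in patch 01. The `createClient` body continues outside the hunk.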
diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index ad5e79735..9ff77464e 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -256,6 +256,7 @@ Endpoint = ${WG_HOST}:${WG_PORT}`; // Create Client const id = uuid.v4(); + const cidrBlock = WG_DEFAULT_ADDRESS_RANGE; const client = { id, name, From a36ab8891ed9594101cee258c42b9634e4990e29 Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Wed, 6 Mar 2024 16:43:07 +0100 Subject: [PATCH 11/16] fixup: WireGuard.js --- src/lib/WireGuard.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/WireGuard.js b/src/lib/WireGuard.js index 9ff77464e..b1dfe0af8 100644 --- a/src/lib/WireGuard.js +++ b/src/lib/WireGuard.js @@ -73,7 +73,7 @@ module.exports = class WireGuard { throw err; }); - // await Util.exec(`iptables -t nat -A POSTROUTING -s ${WG_SERVER_ADDRESS/${WG_DEFAULT_ADDRESS_RANGE} -o ' + WG_DEVICE + ' -j MASQUERADE`); + // await Util.exec(`iptables -t nat -A POSTROUTING -s ${WG_SERVER_ADDRESS}/${WG_DEFAULT_ADDRESS_RANGE} -o ' + WG_DEVICE + ' -j MASQUERADE`); // await Util.exec('iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT'); // await Util.exec('iptables -A FORWARD -i wg0 -j ACCEPT'); // await Util.exec('iptables -A FORWARD -o wg0 -j ACCEPT'); From fe7d77e48196634dab5ba25f96b920cea918a702 Mon Sep 17 00:00:00 2001 From: "Philip H." <47042125+pheiduck@users.noreply.github.com> Date: Sat, 23 Mar 2024 20:34:43 +0000 Subject: [PATCH 12/16] fixup: packages --- src/package-lock.json | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/package-lock.json b/src/package-lock.json index 69bf52c15..38278c678 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -12,8 +12,8 @@ "bcryptjs": "^2.4.3", "debug": "^4.3.4", "express-session": "^1.18.0", - "ip": "^2.0.1", "h3": "^1.11.1", + "ip": "^2.0.1", "qrcode": "^1.5.3", "uuid": "^9.0.1" }, 
@@ -2660,12 +2660,6 @@ "resolved": "https://registry.npmjs.org/ip/-/ip-2.0.1.tgz", "integrity": "sha512-lJUL9imLTNi1ZfXT+DU6rBBdbiKGBuay9B6xGSPVjUeQwaH1RIGqef8RZkUtHioLmSNpPR5M4HVKJGm1j8FWVQ==" }, - "node_modules/ipaddr.js": { - "version": "1.9.1", - "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", - "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", - "engines": { - "node": ">= 0.10" "node_modules/iron-webcrypto": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/iron-webcrypto/-/iron-webcrypto-1.1.0.tgz", From 5cdacd6cc3962da60e1683c9a3fe01d0a20fdc55 Mon Sep 17 00:00:00 2001 From: Utkarsh Goel Date: Mon, 25 Mar 2024 23:28:36 +0800 Subject: [PATCH 13/16] Fix CIDR block calculation issue, fix POST_DOWN config --- src/config.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/config.js b/src/config.js index 6ae34d15f..35cb266f6 100644 --- a/src/config.js +++ b/src/config.js @@ -21,7 +21,7 @@ module.exports.WG_DEFAULT_DNS = typeof process.env.WG_DEFAULT_DNS === 'string' : '1.1.1.1'; module.exports.WG_ALLOWED_IPS = process.env.WG_ALLOWED_IPS || '0.0.0.0/0, ::/0'; -module.exports.WG_SUBNET = ip.subnet(module.exports.WG_DEFAULT_ADDRESS, `255.255.255.${256 - 2 ** (32 - module.exports.WG_DEFAULT_ADDRESS_RANGE)}`); +module.exports.WG_SUBNET = ip.cidrSubnet(`${module.exports.WG_DEFAULT_ADDRESS}/${module.exports.WG_DEFAULT_ADDRESS_RANGE}`); module.exports.WG_SERVER_ADDRESS = module.exports.WG_SUBNET.firstAddress; module.exports.WG_CLIENT_FIRST_ADDRESS = ip.toLong(module.exports.WG_SERVER_ADDRESS) + 1; module.exports.WG_CLIENT_LAST_ADDRESS = ip.toLong(module.exports.WG_SUBNET.lastAddress) - 1; // Exclude the broadcast address 
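Review bot: `ip.cidrSubnet` fixes the mask for prefixes shorter than /24, but the prefix is still taken from the environment unchecked: a non-numeric `WG_DEFAULT_ADDRESS_RANGE` is, as far as I can tell, parsed to NaN inside the library without an error, and `32`, the example value this series documents in README (patch 15) and wg-easy.service (patch 16), leaves `WG_CLIENT_FIRST_ADDRESS` greater than `WG_CLIENT_LAST_ADDRESS`, so no client can ever be allocated. A guard right before this line, `const prefixLen = Number(module.exports.WG_DEFAULT_ADDRESS_RANGE);` followed by `if (!Number.isInteger(prefixLen) || prefixLen > 30) throw new Error(`Invalid WG_DEFAULT_ADDRESS_RANGE: ${module.exports.WG_DEFAULT_ADDRESS_RANGE}`);`, plus a documentation example such as `28` rather than `32`, would avoid the silent failure.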
@@ -36,7 +36,7 @@ iptables -A FORWARD -o wg0 -j ACCEPT; module.exports.WG_PRE_DOWN = process.env.WG_PRE_DOWN || ''; module.exports.WG_POST_DOWN = process.env.WG_POST_DOWN || ` -iptables -t nat -D POSTROUTING -s ${module.exports.WG_DEFAULT_ADDRESS.replace('x', '0')}/24 -o ${module.exports.WG_DEVICE} -j MASQUERADE; +iptables -t nat -D POSTROUTING -s ${module.exports.WG_SERVER_ADDRESS}/${module.exports.WG_DEFAULT_ADDRESS_RANGE} -o ${module.exports.WG_DEVICE} -j MASQUERADE; iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; From 196cb63c6ef0902732675e0764d050a30c579b6b Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Mon, 25 Mar 2024 17:15:30 +0100 Subject: [PATCH 14/16] README.md: add WG_DEFAULT_ADDRESS_RANGE --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 39d9b0f69..420378177 100644 --- a/README.md +++ b/README.md 
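Review bot: `-s ${module.exports.WG_SERVER_ADDRESS}/${module.exports.WG_DEFAULT_ADDRESS_RANGE}` passes the server's host address where a network is meant; iptables masks it so the rule is equivalent, but `WG_SUBNET.networkAddress` states the intent and matches the `10.8.0.0` form the README now uses for `WG_DEFAULT_ADDRESS`, and the same applies to the `WG_POST_UP` rule added in patch 01. Proposed: `iptables -t nat -D POSTROUTING -s ${module.exports.WG_SUBNET.networkAddress}/${module.exports.WG_DEFAULT_ADDRESS_RANGE} -o ${module.exports.WG_DEVICE} -j MASQUERADE;`.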
@@ -96,7 +96,8 @@ These options can be configured by setting environment variables using `-e KEY=" | `WG_PORT` | `51820` | `12345` | The public UDP port of your VPN server. WireGuard will always listen on 51820 inside the Docker container. | | `WG_MTU` | `null` | `1420` | The MTU the clients will use. Server uses default WG MTU. | | `WG_PERSISTENT_KEEPALIVE` | `0` | `25` | Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive. | -| `WG_DEFAULT_ADDRESS` | `10.8.0.0/24` | `10.6.0.0/24` | Clients IP address range. (For Legacy reasons x in last place is supported and will be replaced with 0/24 (e.g. 10.8.0.x)) | +| `WG_DEFAULT_ADDRESS` | `10.8.0.0` | `10.6.0.0` | Clients IP address range. | +| `WG_DEFAULT_ADDRESS_RANGE` | `/24` | `/32` | Value to define CIDR Range. If not defined fallback to `/24` | `WG_DEFAULT_DNS` | `1.1.1.1` | `8.8.8.8, 8.8.4.4` | DNS server clients will use. If set to blank value, clients will not use any DNS. | | `WG_ALLOWED_IPS` | `0.0.0.0/0, ::/0` | `192.168.15.0/24, 10.0.1.0/24` | Allowed IPs clients will use. | | `WG_PRE_UP` | `...` | - | See [config.js](https://github.com/wg-easy/wg-easy/blob/master/src/config.js#L19) for the default value. | From 479c51d741edd95719c191ec0c9c473217eb4615 Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Mon, 25 Mar 2024 17:18:14 +0100 Subject: [PATCH 15/16] WG_DEFAULT_ADDRESS_RANGE `/` is not needed --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 420378177..edd569bf5 100644 --- a/README.md +++ b/README.md 
@@ -97,7 +97,7 @@ These options can be configured by setting environment variables using `-e KEY=" | `WG_MTU` | `null` | `1420` | The MTU the clients will use. Server uses default WG MTU. | | `WG_PERSISTENT_KEEPALIVE` | `0` | `25` | Value in seconds to keep the "connection" open. If this value is 0, then connections won't be kept alive. | | `WG_DEFAULT_ADDRESS` | `10.8.0.0` | `10.6.0.0` | Clients IP address range. | -| `WG_DEFAULT_ADDRESS_RANGE` | `/24` | `/32` | Value to define CIDR Range. If not defined fallback to `/24` +| `WG_DEFAULT_ADDRESS_RANGE` | `24` | `32` | Value to define CIDR Range. If not defined fallback to `24` | `WG_DEFAULT_DNS` | `1.1.1.1` | `8.8.8.8, 8.8.4.4` | DNS server clients will use. If set to blank value, clients will not use any DNS. | | `WG_ALLOWED_IPS` | `0.0.0.0/0, ::/0` | `192.168.15.0/24, 10.0.1.0/24` | Allowed IPs clients will use. | | `WG_PRE_UP` | `...` | - | See [config.js](https://github.com/wg-easy/wg-easy/blob/master/src/config.js#L19) for the default value. | From 2f9364aa31f88bc924863b51ec635cbc5465f3a3 Mon Sep 17 00:00:00 2001 From: Philip H <47042125+pheiduck@users.noreply.github.com> Date: Mon, 25 Mar 2024 18:31:06 +0100 Subject: [PATCH 16/16] wg-easy.service: add missing WG_DEFAULT_ADDRESS_RANGE --- wg-easy.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wg-easy.service b/wg-easy.service index 6adee95e3..e1ea96ea4 100644 --- a/wg-easy.service +++ b/wg-easy.service 
@@ -5,7 +5,8 @@ After=network-online.target nss-lookup.target [Service] Environment="WG_HOST=raspberrypi.local" # Change this to your host's public address or static public ip. Environment="PASSWORD=REPLACEME" # When set, requires a password when logging in to the Web UI, to disable add a hashtag -#Environment="WG_DEFAULT_ADDRESS=10.0.8.0/24" # Clients IP address range. +#Environment="WG_DEFAULT_ADDRESS=10.0.8.0" # Clients IP addresses. +#Environment="WG_DEFAULT_ADDRESS_RANGE=32" # Client CIDR Range (if not set fallback to 24) #Environment="WG_DEFAULT_DNS=10.0.8.1, 1.1.1.1" #DNS server clients will use. If set to blank value, clients will not use any DNS. #Environment="WG_ALLOWED_IPS=0.0.0.0/0,::/0" #Allowed IPs clients will use. #Environment="WG_DEVICE=ens1" #Ethernet device the wireguard traffic should be forwarded through.