From e9d20c8baebebb87f4655c01dcb3b5d39ece84c3 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 9 Sep 2021 15:03:30 +0200 Subject: [PATCH 01/44] Fix --- check_process | 15 +++------------ conf/wireguard_ui.service | 30 ++++++++++++++++++++++++++++++ scripts/restore | 2 -- 3 files changed, 33 insertions(+), 14 deletions(-) diff --git a/check_process b/check_process index 89c76a4..1e4f4ec 100644 --- a/check_process +++ b/check_process @@ -1,13 +1,8 @@ -# See here for more information -# https://github.com/YunoHost/package_check#syntax-check_process-file - -# Move this file from check_process.default to check_process when you have filled it. - ;; Test complet ; Manifest - domain="domain.tld" (DOMAIN) - path="/" (PATH) - admin="john" (USER) + domain="domain.tld" + path="/" + admin="john" ; Checks pkg_linter=1 setup_sub_dir=0 @@ -19,11 +14,7 @@ upgrade=1 from_commit=797a3e5990571629a8525764ce6e8d359277313f backup_restore=1 multi_instance=0 - port_already_use=0 change_url=0 -;;; Levels - # If the level 5 (Package linter) is forced to 1. Please add justifications here. - Level 5=auto ;;; Options Email= Notification=none diff --git a/conf/wireguard_ui.service b/conf/wireguard_ui.service index af3a207..98e8724 100644 --- a/conf/wireguard_ui.service +++ b/conf/wireguard_ui.service 
@@ -9,5 +9,35 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 ExecStart=__FINALPATH__/wireguard-ui --bind-address="127.0.0.1:__PORT__" --disable-login
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/restore b/scripts/restore
index 8b7a3f4..624d929 100644
--- a/scripts/restore
+++ b/scripts/restore
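Review bot: `ProtectSystem=full` makes /etc read-only for this unit, but the UI has to write the generated interface config under /etc/wireguard (the install script does `chown -R $app: /etc/wireguard` for exactly that purpose), so with this hunk alone every save from the web UI will fail on a read-only filesystem; add `ReadWritePaths=/etc/wireguard` directly under `ProtectSystem=full` and say why in a comment. The `ExecStart` context line passes `--disable-login`, which turns off the application's own authentication, so the loopback bind plus the reverse-proxy permission are the only access control, and that deserves a comment next to the sandbox block such as `# --disable-login: authentication is delegated to the SSO/nginx permission layer, so the bind must stay on 127.0.0.1`. Two baseline directives this template omits are `ProtectHome=yes` and `SystemCallArchitectures=native`; `RestrictAddressFamilies` without AF_NETLINK is presumably fine because the UI only writes config files rather than driving the interface itself, but that should be confirmed against the binary before relying on it.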
@@ -39,8 +39,6 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=1 -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " From b82ee6e2d119d39c5484c23cd987cff990c88636 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 9 Sep 2021 17:49:45 +0200 Subject: [PATCH 02/44] Fix --- scripts/remove | 8 +------- scripts/restore | 6 +++--- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/scripts/remove b/scripts/remove index e6aaf28..28162e9 100644 --- a/scripts/remove +++ b/scripts/remove @@ -78,7 +78,7 @@ ynh_secure_remove --file="/etc/wireguard" #================================================= # REMOVE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Removing nginx web server configuration..." --weight=1 +ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1 # Remove the dedicated nginx config ynh_remove_nginx_config @@ -101,12 +101,6 @@ then ynh_exec_warn_less yunohost firewall disallow UDP $port_wg fi -if yunohost firewall list | grep -q "\- $port$" -then - ynh_script_progression --message="Closing port $port..." --weight=1 - ynh_exec_warn_less yunohost firewall disallow TCP $port -fi - #================================================= # SPECIFIC REMOVE #================================================= diff --git a/scripts/restore b/scripts/restore index 624d929..51bd50a 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -94,10 +94,10 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=5 # Add buster-backports gpg key ynh_install_repo_gpg --key="https://ftp-master.debian.org/keys/archive-key-10.asc" --name="$app" -#Add buster-backports repo +# Add buster-backports repo ynh_add_repo --uri="http://deb.debian.org/debian" --suite="buster-backports" --component="main" --name="$app" -#Add pin-priority for wireguard packages +# Add pin-priority for wireguard packages ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debian buster-backports main" --priority=995 --name="$app" # Update the list of package with the new repo @@ -148,7 +148,7 @@ sleep 5 #================================================= # RELOAD NGINX AND PHP-FPM #================================================= -ynh_script_progression --message="Reloading nginx web server and php-fpm..." --weight=1 +ynh_script_progression --message="Reloading NGINX web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload From 7cf8f97840a198068cd1893f794216bc109d2d1f Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 9 Sep 2021 17:58:14 +0200 Subject: [PATCH 03/44] Update install --- scripts/install | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/scripts/install b/scripts/install index 3a5e43c..dd35201 100644 --- a/scripts/install +++ b/scripts/install @@ -55,7 +55,7 @@ ynh_app_setting_set --app=$app --key=admin --value=$admin #================================================= # FIND AND OPEN A PORT #================================================= -ynh_script_progression --message="Configuring firewall..." --weight=1 +ynh_script_progression --message="Finding an available port..." --weight=1 # Find an available port for WireGuard port_wg=$(ynh_find_port --port=8095) 
@@ -66,6 +66,7 @@ port=$(ynh_find_port --port=$(($port_wg+1))) ynh_app_setting_set --app=$app --key=port --value=$port # Open the WireGuard port +ynh_script_progression --message="Configuring firewall..." --weight=1 ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $port_wg #================================================= @@ -102,7 +103,7 @@ ynh_setup_source --dest_dir="$final_path" --source_id="$(ynh_detect_arch)" #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Configuring nginx web server..." --weight=1 +ynh_script_progression --message="Configuring NGINX web server..." --weight=1 # Create a dedicated nginx config ynh_add_nginx_config @@ -175,8 +176,8 @@ chown -R $app: /etc/wireguard #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description "WireGuard VPN" --needs_exposed_ports $port_wg --test_status "wg show | grep wg0" -yunohost service add wireguard_ui --description "WireGuard UI" +yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard_ui --description="WireGuard UI" #================================================= # START SYSTEMD SERVICE @@ -191,7 +192,7 @@ ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="ht #================================================= ynh_script_progression --message="Configuring permissions..." --weight=1 -ynh_permission_update --permission "main" --remove "all_users" --add "$admin" +ynh_permission_update --permission="main" --remove="all_users" --add="$admin" #================================================= # RELOAD NGINX From 9b2da99ab71aae096f7f56e17e056dd3df7d3406 Mon Sep 17 00:00:00 2001 
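Review bot: `--test_status="wg show | grep wg0"` reports the service healthy whenever any interface whose name contains `wg0` is up, and `wg show` with no interfaces at all exits 0, so the health check is only as strict as the grep; `wg show wg0` exits non-zero when that exact interface is absent, which is the check wanted here: `--test_status="wg show wg0"`. The same string is repeated in the restore and upgrade scripts, so change all three together.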
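Review bot: This `ynh_permission_update` call is the entire authentication in front of the web UI, because the systemd unit starts wireguard-ui with `--disable-login` and binds it to 127.0.0.1 behind the SSO-protected nginx location, and nothing in the script records that dependency for the next maintainer. I would add above it: `# wireguard-ui runs with --disable-login: this SSOwat permission is the only auth in front of it, keep it admin-only.` The argument-syntax change itself is fine.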
From: tituspijean Date: Thu, 9 Sep 2021 18:00:31 +0200 Subject: [PATCH 04/44] Exception to ProtectSystem for /etc/wireguard --- conf/wireguard_ui.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/wireguard_ui.service b/conf/wireguard_ui.service index 98e8724..2495c87 100644 --- a/conf/wireguard_ui.service +++ b/conf/wireguard_ui.service @@ -39,5 +39,8 @@ CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG +# Exception to ProtectSystem +ReadWritePaths=/etc/wireguard + [Install] WantedBy=multi-user.target From ce85ee0451ca3b26abcb5819552ec11f678df85e Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 9 Sep 2021 18:07:07 +0200 Subject: [PATCH 05/44] Proper backup/restore of config_file_path --- scripts/backup | 3 +++ scripts/restore | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/backup b/scripts/backup index 6c7b085..496e228 100644 --- a/scripts/backup +++ b/scripts/backup @@ -66,6 +66,9 @@ ynh_backup --src_path="/etc/sudoers.d/${app}_ynh" # Backup the wireguard interface config ynh_backup --src_path="/etc/wireguard" +# Backing up specific config file, in case of it is not in /etc/wireguard +ynh_backup --src_path="$(jq -r ".config_file_path" $final_path/db/server/global_settings.json)" --not_mandatory + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/restore b/scripts/restore index 51bd50a..3d53d5c 100644 --- a/scripts/restore +++ b/scripts/restore 
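Review bot: `ReadWritePaths=/etc/wireguard` opens the whole directory for writing rather than the single config file the UI manages, and the generated wg0.conf carries the interface `PrivateKey` (see conf/wg0.conf), so this is the one writable path that matters for key confidentiality and the comment should say so: `# ProtectSystem=full makes /etc read-only; the UI must write the generated wg0.conf (interface private key) here`. A narrower option is to point the UI's config_file_path at a file under the app data directory and keep /etc read-only, but whether the .path unit that restarts WireGuard watches that location is not visible in this hunk.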
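Review bot: `jq -r ".config_file_path"` prints the literal string `null` when the key is absent, so `--src_path="null"` is handed to ynh_backup and `--not_mandatory` then hides the miss, and `$final_path/db/server/global_settings.json` is an unquoted expansion. Read the value first and skip cleanly when it is empty: `config_file_path=$(jq -r '.config_file_path // empty' "$final_path/db/server/global_settings.json")` followed by `[[ -n "$config_file_path" ]] && ynh_backup --src_path="$config_file_path" --not_mandatory`. The file being backed up is the interface config including the private key, which the `/etc/wireguard` backup just above already covers in the default location, so the archive's sensitivity is unchanged by this addition.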
@@ -133,7 +133,7 @@ yunohost service add wireguard_ui --description "WireGuard UI" # RESTORE VARIOUS FILES #================================================= -ynh_restore_file --origin_path=$(jq -r ".config_file_path" $final_path/db/server/global_settings.json) +ynh_restore_file --origin_path=$(jq -r ".config_file_path" $final_path/db/server/global_settings.json) --not_mandatory #================================================= # START SYSTEMD SERVICE From 4298c965e92592d8cc57fff706dfd088e5407019 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 9 Sep 2021 18:30:07 +0200 Subject: [PATCH 06/44] Have WireGuard start on boot --- scripts/install | 1 + scripts/upgrade | 1 + 2 files changed, 2 insertions(+) diff --git a/scripts/install b/scripts/install index dd35201..55a9364 100644 --- a/scripts/install +++ b/scripts/install @@ -155,6 +155,7 @@ systemctl enable --quiet wireguard_ui_conf.path # Create a dedicated systemd config for restarting WireGuard when its configuration changes ynh_add_systemd_config --service=wireguard_ui_conf --template=wireguard_ui_conf.service +systemctl enable --quiet wireguard_ui_conf.service #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 57c79b3..3f06c46 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -181,6 +181,7 @@ systemctl enable --quiet wireguard_ui_conf.path # Create a dedicated systemd config for restarting WireGuard when its configuration changes ynh_add_systemd_config --service=wireguard_ui_conf --template=wireguard_ui_conf.service +systemctl enable --quiet wireguard_ui_conf.service #================================================= # CONFIGURING WIREGUARD From ac2ed5c292f2877edc439085286ba0469ff6754d Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 9 Sep 2021 20:39:53 +0200 Subject: [PATCH 07/44] Consistent commands for adding services --- scripts/restore | 4 ++-- scripts/upgrade | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
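Review bot: The `--origin_path=$(jq ...)` command substitution is unquoted, so a config path containing whitespace splits into several arguments, and the `null` that jq prints for a missing key becomes a restore of a file literally named `null` that `--not_mandatory` then silently ignores. Quote it and drop empty values: `ynh_restore_file --origin_path="$(jq -r '.config_file_path // empty' "$final_path/db/server/global_settings.json")" --not_mandatory`, or guard with a `[[ -n ... ]]` test as the backup script should. This path comes from the restored app database, i.e. from an archive that is trusted anyway, so the remaining risk is correctness rather than injection.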
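Review bot: The commit title says WireGuard should start on boot, but the added line enables `wireguard_ui_conf.service`, the unit that restarts WireGuard when its config changes, not `wg-quick@wg0` itself; unless that unit is what pulls wg-quick in at boot, the tunnel still will not come up after a reboot and `systemctl enable --quiet wg-quick@wg0` is needed in install and upgrade. If the YunoHost helper `ynh_add_systemd_config` already enables the unit it writes, as it does in the helper versions I know, the added line is also redundant; the upgrade hunk below has the same shape. The enclosing section continues outside this hunk.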
diff --git a/scripts/restore b/scripts/restore index 3d53d5c..c0a68d5 100644 --- a/scripts/restore +++ b/scripts/restore @@ -126,8 +126,8 @@ systemctl enable --quiet wireguard_ui_conf.service #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description "WireGuard VPN" --needs_exposed_ports "$port_wg" --test_status "wg show | grep wg0" -yunohost service add wireguard_ui --description "WireGuard UI" +yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard_ui --description="WireGuard UI" #================================================= # RESTORE VARIOUS FILES diff --git a/scripts/upgrade b/scripts/upgrade index 3f06c46..a026238 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -214,8 +214,8 @@ chown -R $app: /etc/wireguard #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description "WireGuard VPN" --needs_exposed_ports "$port_wg" --test_status "wg show | grep wg0" -yunohost service add wireguard_ui --description "WireGuard UI" +yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard_ui --description="WireGuard UI" #================================================= # START SYSTEMD SERVICE From c72beb9ab1b60999dfb040c7e58964d6cfb2c3ab Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 9 Sep 2021 21:15:09 +0200 Subject: [PATCH 08/44] 0.3.2 --- conf/386.src | 4 ++-- conf/amd64.src | 4 ++-- conf/arm.src | 4 ++-- conf/arm64.src | 4 ++-- manifest.json | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/conf/386.src b/conf/386.src index 129b396..38feee3 100644 --- a/conf/386.src +++ b/conf/386.src 
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-386.tar.gz
-SOURCE_SUM=16EA7A77E5BAC17C1B680ABF9CFF31E3F8313F8E00F9B88F8F6151D8F6A6EE12
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-386.tar.gz
+SOURCE_SUM=f76fc030d54e735977236d1984a906e749abb038208f410b406a2972498e3b9e
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/amd64.src b/conf/amd64.src
index 27e1b19..2e07f8b 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-amd64.tar.gz
-SOURCE_SUM=DC0FF54ABD2E08DB5ED722E07CEDA6E007CD5E6DFABD3A3B5A948CC8275D8100
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-amd64.tar.gz
+SOURCE_SUM=71972b81f2d2ade50484cc1501a5896c8a08cfd82297f81c1d6279d7e0ff1f35
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/arm.src b/conf/arm.src
index 38c70f3..cb12b18 100644
--- a/conf/arm.src
+++ b/conf/arm.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-arm.tar.gz
-SOURCE_SUM=07003BF178A81C3D699CB3977028DB728C5E4D44003A7972855C3488F416E467
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-arm.tar.gz
+SOURCE_SUM=4632fd96c7574321031907695fbbe6535884a8006b517c7f7d3ab289fb94be5f
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/arm64.src b/conf/arm64.src
index ea0e232..cbfc24a 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-arm64.tar.gz
-SOURCE_SUM=32331E591B0C3B9E4EC360B53B967A3CCEEEFE5B7FFEC3ADD61A9483B50B9F0D
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-arm64.tar.gz
+SOURCE_SUM=8d31fc39495f8a6480531859f225f0fee36788515532d75d9cfaaa866000f52f
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/manifest.json b/manifest.json
index ec6d434..7f20ff7 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuration",
 "fr": "Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa configuration"
 },
- "version": "0.2.7~ynh8",
+ "version": "0.3.2~ynh1",
 "url": "https://github.com/ngoduykhanh/wireguard-ui",
 "upstream": {
 "license": "MIT",
diff --git a/README.md b/README.md
index 710129a..7c0f20e 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuration
-**Shipped version:** 0.2.7~ynh8
+**Shipped version:** 0.3.2~ynh1
diff --git a/README_fr.md b/README_fr.md
index c193035..dda15a4 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa configuration
-**Version incluse :** 0.2.7~ynh8
+**Version incluse :** 0.3.2~ynh1
From 834a2b23711315c602ab5221341ce9fe3fb13448 Mon Sep 17 00:00:00 2001
From: ericgaspar Date: Thu, 9 Sep 2021 15:03:30 +0200 Subject: [PATCH 10/44] Fix --- check_process | 15 +++------------ conf/wireguard_ui.service | 30 ++++++++++++++++++++++++++++++ scripts/restore | 2 -- 3 files changed, 33 insertions(+), 14 deletions(-) diff --git a/check_process b/check_process index 89c76a4..1e4f4ec 100644 --- a/check_process +++ b/check_process @@ -1,13 +1,8 @@ -# See here for more information -# https://github.com/YunoHost/package_check#syntax-check_process-file - -# Move this file from check_process.default to check_process when you have filled it. - ;; Test complet ; Manifest - domain="domain.tld" (DOMAIN) - path="/" (PATH) - admin="john" (USER) + domain="domain.tld" + path="/" + admin="john" ; Checks pkg_linter=1 setup_sub_dir=0 @@ -19,11 +14,7 @@ upgrade=1 from_commit=797a3e5990571629a8525764ce6e8d359277313f backup_restore=1 multi_instance=0 - port_already_use=0 change_url=0 -;;; Levels - # If the level 5 (Package linter) is forced to 1. Please add justifications here. - Level 5=auto ;;; Options Email= Notification=none diff --git a/conf/wireguard_ui.service b/conf/wireguard_ui.service index af3a207..98e8724 100644 --- a/conf/wireguard_ui.service +++ b/conf/wireguard_ui.service 
@@ -9,5 +9,35 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 ExecStart=__FINALPATH__/wireguard-ui --bind-address="127.0.0.1:__PORT__" --disable-login
 
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
diff --git a/scripts/restore b/scripts/restore
index 8b7a3f4..624d929 100644
--- a/scripts/restore
+++ b/scripts/restore
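Review bot: `ProtectSystem=full` leaves this unit unable to write /etc/wireguard, the directory the package hands to the app user in the install script, so on its own this hunk breaks saving from the web UI; it needs `ReadWritePaths=/etc/wireguard` next to `ProtectSystem=full`, with a comment explaining the exception. Because the `ExecStart` context line carries `--disable-login`, the 127.0.0.1 bind and the proxy permission are the only access control, which is worth stating in the unit: `# --disable-login: auth is delegated to the SSO/nginx layer; the bind must stay on loopback`. This hunk is byte-identical to PATCH 01 in the same series, so the same `ProtectHome=yes` / `SystemCallArchitectures=native` additions apply, and whether AF_NETLINK is needed should be confirmed against the binary.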
@@ -39,8 +39,6 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=1 -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " From 003b48c3ffe5f786f5a00f7addfee142d79b08d3 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 9 Sep 2021 17:49:45 +0200 Subject: [PATCH 11/44] Fix --- scripts/remove | 8 +------- scripts/restore | 6 +++--- 2 files changed, 4 insertions(+), 10 deletions(-) diff --git a/scripts/remove b/scripts/remove index e6aaf28..28162e9 100644 --- a/scripts/remove +++ b/scripts/remove @@ -78,7 +78,7 @@ ynh_secure_remove --file="/etc/wireguard" #================================================= # REMOVE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Removing nginx web server configuration..." --weight=1 +ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1 # Remove the dedicated nginx config ynh_remove_nginx_config @@ -101,12 +101,6 @@ then ynh_exec_warn_less yunohost firewall disallow UDP $port_wg fi -if yunohost firewall list | grep -q "\- $port$" -then - ynh_script_progression --message="Closing port $port..." --weight=1 - ynh_exec_warn_less yunohost firewall disallow TCP $port -fi - #================================================= # SPECIFIC REMOVE #================================================= diff --git a/scripts/restore b/scripts/restore index 624d929..51bd50a 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -94,10 +94,10 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=5 # Add buster-backports gpg key ynh_install_repo_gpg --key="https://ftp-master.debian.org/keys/archive-key-10.asc" --name="$app" -#Add buster-backports repo +# Add buster-backports repo ynh_add_repo --uri="http://deb.debian.org/debian" --suite="buster-backports" --component="main" --name="$app" -#Add pin-priority for wireguard packages +# Add pin-priority for wireguard packages ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debian buster-backports main" --priority=995 --name="$app" # Update the list of package with the new repo @@ -148,7 +148,7 @@ sleep 5 #================================================= # RELOAD NGINX AND PHP-FPM #================================================= -ynh_script_progression --message="Reloading nginx web server and php-fpm..." --weight=1 +ynh_script_progression --message="Reloading NGINX web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload From 75cea9d0e0cbf6e1e5845e4f3e56d6e47abdfc3e Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 9 Sep 2021 17:58:14 +0200 Subject: [PATCH 12/44] Update install --- scripts/install | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/scripts/install b/scripts/install index 3a5e43c..dd35201 100644 --- a/scripts/install +++ b/scripts/install @@ -55,7 +55,7 @@ ynh_app_setting_set --app=$app --key=admin --value=$admin #================================================= # FIND AND OPEN A PORT #================================================= -ynh_script_progression --message="Configuring firewall..." --weight=1 +ynh_script_progression --message="Finding an available port..." --weight=1 # Find an available port for WireGuard port_wg=$(ynh_find_port --port=8095) 
@@ -66,6 +66,7 @@ port=$(ynh_find_port --port=$(($port_wg+1))) ynh_app_setting_set --app=$app --key=port --value=$port # Open the WireGuard port +ynh_script_progression --message="Configuring firewall..." --weight=1 ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $port_wg #================================================= @@ -102,7 +103,7 @@ ynh_setup_source --dest_dir="$final_path" --source_id="$(ynh_detect_arch)" #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Configuring nginx web server..." --weight=1 +ynh_script_progression --message="Configuring NGINX web server..." --weight=1 # Create a dedicated nginx config ynh_add_nginx_config @@ -175,8 +176,8 @@ chown -R $app: /etc/wireguard #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description "WireGuard VPN" --needs_exposed_ports $port_wg --test_status "wg show | grep wg0" -yunohost service add wireguard_ui --description "WireGuard UI" +yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard_ui --description="WireGuard UI" #================================================= # START SYSTEMD SERVICE @@ -191,7 +192,7 @@ ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="ht #================================================= ynh_script_progression --message="Configuring permissions..." --weight=1 -ynh_permission_update --permission "main" --remove "all_users" --add "$admin" +ynh_permission_update --permission="main" --remove="all_users" --add="$admin" #================================================= # RELOAD NGINX From afd102d54bbe6a92919c13f52ceccda0ef2fe36a Mon Sep 17 00:00:00 2001 
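Review bot: The `ynh_permission_update` call is the only authentication in front of a UI that the unit launches with `--disable-login`, and the hunk does not record that; add `# wireguard-ui runs with --disable-login: this SSOwat permission is the only auth in front of it, keep it admin-only.` above it. In the service-add hunk above, `--test_status="wg show | grep wg0"` passes as long as any interface name contains `wg0`; `--test_status="wg show wg0"` fails exactly when the interface is down. This is the same change as PATCH 03 earlier in the series, so both copies should end up identical.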
From: tituspijean Date: Thu, 9 Sep 2021 18:00:31 +0200 Subject: [PATCH 13/44] Exception to ProtectSystem for /etc/wireguard --- conf/wireguard_ui.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/wireguard_ui.service b/conf/wireguard_ui.service index 98e8724..2495c87 100644 --- a/conf/wireguard_ui.service +++ b/conf/wireguard_ui.service @@ -39,5 +39,8 @@ CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG +# Exception to ProtectSystem +ReadWritePaths=/etc/wireguard + [Install] WantedBy=multi-user.target From 0f1f1232b1953c1c3d681875eab9796350dc8984 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 9 Sep 2021 18:07:07 +0200 Subject: [PATCH 14/44] Proper backup/restore of config_file_path --- scripts/backup | 3 +++ scripts/restore | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/backup b/scripts/backup index 6c7b085..496e228 100644 --- a/scripts/backup +++ b/scripts/backup @@ -66,6 +66,9 @@ ynh_backup --src_path="/etc/sudoers.d/${app}_ynh" # Backup the wireguard interface config ynh_backup --src_path="/etc/wireguard" +# Backing up specific config file, in case of it is not in /etc/wireguard +ynh_backup --src_path="$(jq -r ".config_file_path" $final_path/db/server/global_settings.json)" --not_mandatory + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/restore b/scripts/restore index 51bd50a..3d53d5c 100644 --- a/scripts/restore +++ b/scripts/restore 
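Review bot: `jq -r ".config_file_path"` yields the literal `null` when the key is missing, which `--not_mandatory` then hides as a harmless no-op, and the JSON path expansion is unquoted. Prefer `config_file_path=$(jq -r '.config_file_path // empty' "$final_path/db/server/global_settings.json")` and `[[ -n "$config_file_path" ]] && ynh_backup --src_path="$config_file_path" --not_mandatory`. The companion `ReadWritePaths=/etc/wireguard` hunk above should carry a comment naming what is written there (the generated wg0.conf with the interface private key), since that is the sole writable system path the sandbox keeps.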
@@ -133,7 +133,7 @@ yunohost service add wireguard_ui --description "WireGuard UI" # RESTORE VARIOUS FILES #================================================= -ynh_restore_file --origin_path=$(jq -r ".config_file_path" $final_path/db/server/global_settings.json) +ynh_restore_file --origin_path=$(jq -r ".config_file_path" $final_path/db/server/global_settings.json) --not_mandatory #================================================= # START SYSTEMD SERVICE From e8e5d577fadc2020d3b79d8645a93164d7c88071 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 9 Sep 2021 18:30:07 +0200 Subject: [PATCH 15/44] Have WireGuard start on boot --- scripts/install | 1 + scripts/upgrade | 1 + 2 files changed, 2 insertions(+) diff --git a/scripts/install b/scripts/install index dd35201..55a9364 100644 --- a/scripts/install +++ b/scripts/install @@ -155,6 +155,7 @@ systemctl enable --quiet wireguard_ui_conf.path # Create a dedicated systemd config for restarting WireGuard when its configuration changes ynh_add_systemd_config --service=wireguard_ui_conf --template=wireguard_ui_conf.service +systemctl enable --quiet wireguard_ui_conf.service #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 57c79b3..3f06c46 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -181,6 +181,7 @@ systemctl enable --quiet wireguard_ui_conf.path # Create a dedicated systemd config for restarting WireGuard when its configuration changes ynh_add_systemd_config --service=wireguard_ui_conf --template=wireguard_ui_conf.service +systemctl enable --quiet wireguard_ui_conf.service #================================================= # CONFIGURING WIREGUARD From edaa31b77329d7fa03939b41f09651ba9d398796 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Thu, 9 Sep 2021 20:39:53 +0200 Subject: [PATCH 16/44] Consistent commands for adding services --- scripts/restore | 4 ++-- scripts/upgrade | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
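Review bot: `--origin_path=$(jq ...)` is an unquoted command substitution, so a path with whitespace word-splits and a missing key restores a file named `null` that `--not_mandatory` swallows; quote it and drop empties: `ynh_restore_file --origin_path="$(jq -r '.config_file_path // empty' "$final_path/db/server/global_settings.json")" --not_mandatory`. In the two PATCH 15 hunks below, `systemctl enable --quiet wireguard_ui_conf.service` enables the config-watch restart unit, not `wg-quick@wg0`, so unless that unit pulls wg-quick in, the title's boot-time start is not achieved and `wg-quick@wg0` still needs enabling; if `ynh_add_systemd_config` already enables what it writes, the line is redundant as well. These hunks repeat PATCH 05 and 06 earlier in the series.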
diff --git a/scripts/restore b/scripts/restore index 3d53d5c..c0a68d5 100644 --- a/scripts/restore +++ b/scripts/restore @@ -126,8 +126,8 @@ systemctl enable --quiet wireguard_ui_conf.service #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description "WireGuard VPN" --needs_exposed_ports "$port_wg" --test_status "wg show | grep wg0" -yunohost service add wireguard_ui --description "WireGuard UI" +yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard_ui --description="WireGuard UI" #================================================= # RESTORE VARIOUS FILES diff --git a/scripts/upgrade b/scripts/upgrade index 3f06c46..a026238 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -214,8 +214,8 @@ chown -R $app: /etc/wireguard #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description "WireGuard VPN" --needs_exposed_ports "$port_wg" --test_status "wg show | grep wg0" -yunohost service add wireguard_ui --description "WireGuard UI" +yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard_ui --description="WireGuard UI" #================================================= # START SYSTEMD SERVICE From 3e75d535f1af824205b1e98e6e6944f8b1232a36 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Thu, 9 Sep 2021 21:15:09 +0200 Subject: [PATCH 17/44] 0.3.2 --- conf/386.src | 4 ++-- conf/amd64.src | 4 ++-- conf/arm.src | 4 ++-- conf/arm64.src | 4 ++-- manifest.json | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/conf/386.src b/conf/386.src index 129b396..38feee3 100644 --- a/conf/386.src +++ b/conf/386.src 
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-386.tar.gz
-SOURCE_SUM=16EA7A77E5BAC17C1B680ABF9CFF31E3F8313F8E00F9B88F8F6151D8F6A6EE12
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-386.tar.gz
+SOURCE_SUM=f76fc030d54e735977236d1984a906e749abb038208f410b406a2972498e3b9e
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/amd64.src b/conf/amd64.src
index 27e1b19..2e07f8b 100644
--- a/conf/amd64.src
+++ b/conf/amd64.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-amd64.tar.gz
-SOURCE_SUM=DC0FF54ABD2E08DB5ED722E07CEDA6E007CD5E6DFABD3A3B5A948CC8275D8100
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-amd64.tar.gz
+SOURCE_SUM=71972b81f2d2ade50484cc1501a5896c8a08cfd82297f81c1d6279d7e0ff1f35
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/arm.src b/conf/arm.src
index 38c70f3..cb12b18 100644
--- a/conf/arm.src
+++ b/conf/arm.src
@@ -1,5 +1,5 @@
-SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-arm.tar.gz
-SOURCE_SUM=07003BF178A81C3D699CB3977028DB728C5E4D44003A7972855C3488F416E467
+SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-arm.tar.gz
+SOURCE_SUM=4632fd96c7574321031907695fbbe6535884a8006b517c7f7d3ab289fb94be5f
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=false
diff --git a/conf/arm64.src b/conf/arm64.src
index ea0e232..cbfc24a 100644
--- a/conf/arm64.src
+++ b/conf/arm64.src
@@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.2.7/wireguard-ui-v0.2.7-linux-arm64.tar.gz -SOURCE_SUM=32331E591B0C3B9E4EC360B53B967A3CCEEEFE5B7FFEC3ADD61A9483B50B9F0D +SOURCE_URL=https://github.com/ngoduykhanh/wireguard-ui/releases/download/v0.3.2/wireguard-ui-v0.3.2-linux-arm64.tar.gz +SOURCE_SUM=8d31fc39495f8a6480531859f225f0fee36788515532d75d9cfaaa866000f52f SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false diff --git a/manifest.json b/manifest.json index ec6d434..7f20ff7 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuration", "fr": "Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa configuration" }, - "version": "0.2.7~ynh8", + "version": "0.3.2~ynh1", "url": "https://github.com/ngoduykhanh/wireguard-ui", "upstream": { "license": "MIT", From 894498a413d69545556e9c99349bf75d78dcd7a0 Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Thu, 9 Sep 2021 19:15:16 +0000 Subject: [PATCH 18/44] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 710129a..7c0f20e 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuration -**Shipped version:** 0.2.7~ynh8 +**Shipped version:** 0.3.2~ynh1 diff --git a/README_fr.md b/README_fr.md index c193035..dda15a4 100644 --- a/README_fr.md +++ b/README_fr.md @@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa configuration -**Version incluse :** 0.2.7~ynh8 +**Version incluse :** 0.3.2~ynh1 From 60a4ae7372e4573c44268fe3363a29509f40de2b Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Tue, 2 Nov 2021 23:58:13 +0100 Subject: [PATCH 19/44] Set up IPv6 range --- conf/interfaces.json | 3 ++- conf/wg0.conf | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/conf/interfaces.json b/conf/interfaces.json index 05558d7..2d483e5 100644 --- a/conf/interfaces.json +++ b/conf/interfaces.json @@ -1,6 +1,7 @@ { "addresses": [ - "10.10.10.0/24" + "10.10.10.0/24", + "fd42::/112" ], "listen_port": "__PORT_WG__", "post_up": "", diff --git a/conf/wg0.conf b/conf/wg0.conf index ed9cfcc..8077375 100644 --- a/conf/wg0.conf +++ b/conf/wg0.conf @@ -4,7 +4,7 @@ # Address updated at: # Private Key updated at: [Interface] -Address = 10.10.10.0/24 +Address = 10.10.10.0/24,fd42::/112 ListenPort = __PORT_WG__ PrivateKey = __PRIVATE_KEY__ MTU = 1450 From 1876b4cb54703b037e3ab29582495096e93f29f1 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 3 Nov 2021 00:09:09 +0100 Subject: [PATCH 20/44] Set up Post Up and Down scripts with interface detection --- conf/interfaces.json | 4 ++-- conf/wg0.conf | 4 ++-- scripts/_common.sh | 2 ++ scripts/install | 10 +++++----- scripts/upgrade | 7 ------- 5 files changed, 11 insertions(+), 16 deletions(-) diff --git a/conf/interfaces.json b/conf/interfaces.json index 2d483e5..d4bdb12 100644 --- a/conf/interfaces.json +++ b/conf/interfaces.json 
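Review bot: `"fd42::/112"` added to `addresses` is a fixed ULA prefix that every installation of this package will share, whereas RFC 4193 expects the 40-bit global ID after `fd` to be generated randomly so that two such networks (this VPN and a client's own LAN, or two instances) do not overlap. I would generate it once at install time into a setting and substitute it through an `__IPV6_PREFIX__`-style placeholder, so that the value is random per deployment while still identical in both files. The `Address = 10.10.10.0/24,fd42::/112` line in the wg0.conf hunk below carries the same hard-coded prefix and needs the same treatment.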
@@ -4,6 +4,6 @@ "fd42::/112" ], "listen_port": "__PORT_WG__", - "post_up": "", - "post_down": "" + "post_up": "iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip link set multicast on dev %i", + "post_down": "iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE" } diff --git a/conf/wg0.conf b/conf/wg0.conf index 8077375..a0d5882 100644 --- a/conf/wg0.conf +++ b/conf/wg0.conf @@ -8,5 +8,5 @@ Address = 10.10.10.0/24,fd42::/112 ListenPort = __PORT_WG__ PrivateKey = __PRIVATE_KEY__ MTU = 1450 -PostUp = -PostDown = +PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip link set multicast on dev %i +PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE diff --git a/scripts/_common.sh b/scripts/_common.sh index cb7337e..26317a4 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -14,6 +14,8 @@ fi # dependencies used by the app pkg_dependencies="$pkg_headers wireguard-dkms wireguard" +interface=$(ip route | awk '/default/ { print $5 }') + #================================================= # PERSONAL HELPERS #================================================= 
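Review bot: `interface=$(ip route | awk '/default/ { print $5 }')` in _common.sh can expand to nothing (no default route yet) or to several words (several default routes or metrics), and that value is spliced verbatim into the `-o __INTERFACE__` arguments of the PostUp/PostDown lines in interfaces.json and wg0.conf above, so wg-quick would then run a malformed or wrong `iptables -t nat -A POSTROUTING` command as root. I would take a single match and fail early: `interface=$(ip route show default | awk 'NR==1 { print $5 }')` followed by `[ -n "$interface" ] || ynh_die --message="Could not detect the default network interface"`. It is also worth a comment in _common.sh that this value is captured at install time into the `interface` setting (next hunk) but recomputed on every run of the helpers, so the two can drift if the host's uplink changes.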
diff --git a/scripts/install b/scripts/install index 55a9364..e9c0f07 100644 --- a/scripts/install +++ b/scripts/install @@ -49,6 +49,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=1 ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=admin --value=$admin +ynh_app_setting_set --app=$app --key=interface --value=$interface #================================================= # STANDARD MODIFICATIONS @@ -130,16 +131,15 @@ ynh_replace_string "__USER__" "${app}" /etc/sudoers.d/${app}_ynh mkdir -p $final_path/db/server # Add interface configuration file for the Web UI -cp ../conf/interfaces.json $final_path/db/server/interfaces.json -ynh_replace_string --match_string="__PORT_WG__" --replace_string="$port_wg" --target_file="$final_path/db/server/interfaces.json" +ynh_add_config --template="../conf/interfaces.json" --destination="$final_path/db/server/interfaces.json" +ynh_delete_file_checksum --file="$final_path/db/server/interfaces.json" # Create WireGuard configuration directory mkdir -p /etc/wireguard # Add interface configuration file for WireGuard -cp ../conf/wg0.conf /etc/wireguard/wg0.conf -ynh_replace_string --match_string="__PORT_WG__" --replace_string="$port_wg" --target_file="/etc/wireguard/wg0.conf" -ynh_replace_string --match_string="__PRIVATE_KEY__" --replace_string="$(wg genkey)" --target_file="/etc/wireguard/wg0.conf" +ynh_add_config --template="../conf/wg0.conf" --destination="/etc/wireguard/wg0.conf" +ynh_delete_file_checksum --file="/etc/wireguard/wg0.conf" #================================================= # SETUP SYSTEMD diff --git a/scripts/upgrade b/scripts/upgrade index a026238..684ffae 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
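Review bot: the removed `ynh_replace_string --match_string="__PRIVATE_KEY__" --replace_string="$(wg genkey)"` line was the only place that filled the `__PRIVATE_KEY__` placeholder of wg0.conf, and `ynh_add_config` fills `__PRIVATE_KEY__` from a shell variable named `private_key`, which this hunk does not define; unless it is set earlier in install (outside the hunk), /etc/wireguard/wg0.conf ends up with a literal placeholder and wg-quick refuses the interface. Add `private_key=$(wg genkey)` right before the `ynh_add_config --template="../conf/wg0.conf"` call, with a comment that the key is generated once and must never be echoed into the log. As far as I recall ynh_add_config leaves the destination at mode 0400 owned by the app user, which suits a private key, but that is worth confirming for this helper version; the two `ynh_delete_file_checksum` calls are right since both files are rewritten by the UI at runtime.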
@@ -187,13 +187,6 @@ systemctl enable --quiet wireguard_ui_conf.service # CONFIGURING WIREGUARD #================================================= -# Create db directory for securing it later -mkdir -p $final_path/db/server - -# Add interface configuration file -cp ../conf/interfaces.json $final_path/db/server/interfaces.json -ynh_replace_string --match_string="__PORT_WG__" --replace_string="$port_wg" --target_file="$final_path/db/server/interfaces.json" - #================================================= # GENERIC FINALIZATION #================================================= From a0fef6524fbe6b8d8aff04411cc0a366be6fab98 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Sat, 6 Nov 2021 15:32:36 +0100 Subject: [PATCH 21/44] v0.3.2 --- conf/386.src | 1 - conf/amd64.src | 1 - conf/arm.src | 1 - conf/arm64.src | 1 - manifest.json | 12 +++--------- 5 files changed, 3 insertions(+), 13 deletions(-) diff --git a/conf/386.src b/conf/386.src index 38feee3..8fb5f9a 100644 --- a/conf/386.src +++ b/conf/386.src @@ -3,4 +3,3 @@ SOURCE_SUM=f76fc030d54e735977236d1984a906e749abb038208f410b406a2972498e3b9e SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false -SOURCE_FILENAME= diff --git a/conf/amd64.src b/conf/amd64.src index 2e07f8b..a720292 100644 --- a/conf/amd64.src +++ b/conf/amd64.src @@ -3,4 +3,3 @@ SOURCE_SUM=71972b81f2d2ade50484cc1501a5896c8a08cfd82297f81c1d6279d7e0ff1f35 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false -SOURCE_FILENAME= diff --git a/conf/arm.src b/conf/arm.src index cb12b18..2b32887 100644 --- a/conf/arm.src +++ b/conf/arm.src @@ -3,4 +3,3 @@ SOURCE_SUM=4632fd96c7574321031907695fbbe6535884a8006b517c7f7d3ab289fb94be5f SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false -SOURCE_FILENAME= diff --git a/conf/arm64.src b/conf/arm64.src index cbfc24a..97638b8 100644 --- a/conf/arm64.src +++ b/conf/arm64.src 
@@ -3,4 +3,3 @@ SOURCE_SUM=8d31fc39495f8a6480531859f225f0fee36788515532d75d9cfaaa866000f52f SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=false -SOURCE_FILENAME= diff --git a/manifest.json b/manifest.json index 7f20ff7..de06e57 100644 --- a/manifest.json +++ b/manifest.json @@ -19,7 +19,7 @@ "email": "tituspijean@outlook.com" }, "requirements": { - "yunohost": ">= 4.2" + "yunohost": ">= 4.2.8" }, "multi_instance": false, "services": [ @@ -37,17 +37,11 @@ }, { "name": "domain", - "type": "domain", - "example": "wg.example.com", - "help": { - "en": "The web UI requires its own dedicated domain.", - "fr": "L'interface web nécessite son propre domaine." - } + "type": "domain" }, { "name": "admin", - "type": "user", - "example": "johndoe" + "type": "user" } ] } From f3625daaf96ce33e0c69e96c453493458caa43b1 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sat, 6 Nov 2021 16:00:12 +0100 Subject: [PATCH 22/44] Do not require linux headers if kernel version >= 5.6 --- scripts/_common.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index cb7337e..cb121ff 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -4,11 +4,16 @@ # COMMON VARIABLES #================================================= -# dependencies used by the app -if grep "Raspberry Pi" /proc/device-tree/model; then - pkg_headers="raspberrypi-kernel-headers" +# WireGuard was integrated in Linux kernel 5.6 +# Before that, we need Linux Headers +if dpkg --compare-versions $(uname -r) lt 5.6; then + if grep "Raspberry Pi" /proc/device-tree/model; then + pkg_headers="raspberrypi-kernel-headers" + else + pkg_headers="linux-headers-$(uname -r)" + fi else - pkg_headers="linux-headers-$(uname -r)" + pkg_headers="" fi # dependencies used by the app From c01884cf2f4161bf52a34a542ff8701648598cbd Mon Sep 17 00:00:00 2001 
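Review bot: `grep "Raspberry Pi" /proc/device-tree/model` in the new inner `if` prints the matched model line to stdout and, on machines without a device tree, an error to stderr every time _common.sh is sourced; `if grep -qs "Raspberry Pi" /proc/device-tree/model; then` keeps the test silent and treats a missing file as "not a Pi". `$(uname -r)` in `dpkg --compare-versions $(uname -r) lt 5.6` should be quoted as well, even though kernel release strings do not normally contain whitespace.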
From: ericgaspar Date: Thu, 9 Dec 2021 12:31:02 +0100 Subject: [PATCH 23/44] 4.3 --- conf/{arm.src => armhf.src} | 0 conf/{386.src => i386.src} | 0 conf/nginx.conf | 5 ----- doc/DESCRIPTION.md | 1 + manifest.json | 6 +++--- scripts/_common.sh | 24 ------------------------ scripts/install | 5 +++-- scripts/restore | 3 +-- scripts/upgrade | 5 +++-- 9 files changed, 11 insertions(+), 38 deletions(-) rename conf/{arm.src => armhf.src} (100%) rename conf/{386.src => i386.src} (100%) create mode 100644 doc/DESCRIPTION.md diff --git a/conf/arm.src b/conf/armhf.src similarity index 100% rename from conf/arm.src rename to conf/armhf.src diff --git a/conf/386.src b/conf/i386.src similarity index 100% rename from conf/386.src rename to conf/i386.src diff --git a/conf/nginx.conf b/conf/nginx.conf index 265a4c2..ae67a33 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,11 +1,6 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - # Force usage of https - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } - proxy_pass http://127.0.0.1:__PORT__/; proxy_redirect off; proxy_set_header Host $host; diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..7799894 --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1 @@ +WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN. \ No newline at end of file diff --git a/manifest.json b/manifest.json index de06e57..a0c431a 100644 --- a/manifest.json +++ b/manifest.json 
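Review bot: dropping the `if ($scheme = http) { rewrite ^ https://... permanent; }` block leaves this `location __PATH__/` with no HTTP-to-HTTPS redirect of its own, and the UI behind it is protected only by the SSO layer in front of it. This is presumably relying on the platform's global NGINX configuration enforcing HTTPS (the same commit raises the YunoHost requirement to 4.3.0), but that is not visible here; I would confirm it and record it with a one-line comment in the template, `# HTTPS redirection is handled by the global nginx configuration`, so the next reader does not re-add the rewrite.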
@@ -3,8 +3,8 @@ "id": "wireguard", "packaging_format": 1, "description": { - "en": "Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuration", - "fr": "Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa configuration" + "en": "Web user interface to manage your WireGuard setup", + "fr": "Interface utilisateur Web pour gérer votre configuration WireGuard" }, "version": "0.3.2~ynh1", "url": "https://github.com/ngoduykhanh/wireguard-ui", @@ -19,7 +19,7 @@ "email": "tituspijean@outlook.com" }, "requirements": { - "yunohost": ">= 4.2.8" + "yunohost": ">= 4.3.0" }, "multi_instance": false, "services": [ diff --git a/scripts/_common.sh b/scripts/_common.sh index cb121ff..63549ca 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -68,30 +68,6 @@ ynh_install_repo_gpg () { # EXPERIMENTAL HELPERS #================================================= -# Check the architecture -# -# example: architecture=$(ynh_detect_arch) -# -# usage: ynh_detect_arch -# -# Requires YunoHost version 2.2.4 or higher. - -ynh_detect_arch(){ - local architecture - if [ -n "$(uname -m | grep arm64)" ] || [ -n "$(uname -m | grep aarch64)" ]; then - architecture="arm64" - elif [ -n "$(uname -m | grep 64)" ]; then - architecture="amd64" - elif [ -n "$(uname -m | grep 86)" ]; then - architecture="386" - elif [ -n "$(uname -m | grep arm)" ]; then - architecture="arm" - else - architecture="unknown" - fi - echo $architecture -} - # Send an email to inform the administrator # # usage: ynh_send_readme_to_admin --app_message=app_message [--recipients=recipients] [--type=type] diff --git a/scripts/install b/scripts/install index 55a9364..b0e7745 100644 --- a/scripts/install +++ b/scripts/install @@ -27,6 +27,7 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url="/" admin=$YNH_APP_ARG_ADMIN +architecture=$YNH_ARCH app=$YNH_APP_INSTANCE_NAME 
@@ -98,7 +99,7 @@ ynh_script_progression --message="Setting up source files..." --weight=1 ynh_app_setting_set --app=$app --key=final_path --value=$final_path # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir="$final_path" --source_id="$(ynh_detect_arch)" +ynh_setup_source --dest_dir="$final_path" --source_id="$architecture" #================================================= # NGINX CONFIGURATION @@ -198,7 +199,7 @@ ynh_permission_update --permission="main" --remove="all_users" --add="$admin" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." --weight=1 +ynh_script_progression --message="Reloading NGINX web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/restore b/scripts/restore index c0a68d5..1f1f20c 100644 --- a/scripts/restore +++ b/scripts/restore @@ -39,8 +39,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= ynh_script_progression --message="Validating restoration parameters..." --weight=1 -test ! -d $final_path \ - || ynh_die --message="There is already a directory: $final_path " +test ! -d $final_path || ynh_die --message="There is already a directory: $final_path " #================================================= # STANDARD RESTORATION STEPS diff --git a/scripts/upgrade b/scripts/upgrade index a026238..5c0a2e5 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -21,6 +21,7 @@ path_url=$(ynh_app_setting_get --app=$app --key=path) port=$(ynh_app_setting_get --app=$app --key=port) port_wg=$(ynh_app_setting_get --app=$app --key=port_wg) final_path=$(ynh_app_setting_get --app=$app --key=final_path) +architecture=$YNH_ARCH #================================================= # CHECK VERSION 
@@ -124,13 +125,13 @@ then ynh_script_progression --message="Upgrading source files..." --weight=1 # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir="$final_path" --source_id="$(ynh_detect_arch)" + ynh_setup_source --dest_dir="$final_path" --source_id="$architecture" fi #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=1 +ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=1 # Create a dedicated nginx config ynh_add_nginx_config From 31c4a2176cff204e6c432d63e27de977049138b2 Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Thu, 9 Dec 2021 11:31:08 +0000 Subject: [PATCH 24/44] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7c0f20e..9da5da8 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -Virtual Private Networks (VPN) via WireGuard, with a web UI to ease configuration +WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN. **Shipped version:** 0.3.2~ynh1 diff --git a/README_fr.md b/README_fr.md index dda15a4..a23e891 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -11,7 +11,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour ## Vue d'ensemble -Réseaux Privés Virtuels (VPN) via WireGuard, avec une web UI pour faciliter sa configuration +WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN. **Version incluse :** 0.3.2~ynh1 From 806e6d4b181a08284093a68763878a53c2141e8e Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sun, 12 Dec 2021 17:59:22 +0100 Subject: [PATCH 25/44] ynh_detect_arch is now deprecated --- scripts/upgrade | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 5c0a2e5..ff6d92e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -71,14 +71,13 @@ then fi # Downgrade linux-image-$arch if updated to the buster-backports version -arch=$(ynh_detect_arch) -linuximage_version=$(ynh_package_version --package=linux-image-$arch) +linuximage_version=$(ynh_package_version --package=linux-image-$architecture) if [[ $linuximage_version == *"bpo10"* ]] then # Downgrading using ynh_package_install apt command without "--no-remove" and with "--allow-downgrades" # It will remove wireguard-ynh-deps and wireguard but they will be reinstalled throught upgrade process ynh_apt --allow-downgrades --option Dpkg::Options::=--force-confdef \ - --option Dpkg::Options::=--force-confold install linux-image-$arch/stable + --option Dpkg::Options::=--force-confold install linux-image-$architecture/stable #Remove backports kernel if running on it and send a mail to the admin to ask him to reboot linuxkernel_version=$(uname -r) From 88f5edb0953f50b149475be80c9dc01093ab14b7 Mon Sep 17 00:00:00 2001 
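Review bot: `linux-image-$architecture` with `architecture=$YNH_ARCH` only names a real Debian meta-package on amd64 and arm64; as far as I know the armhf meta-package is `linux-image-armmp` and the i386 one is `linux-image-686`, so on those arches `ynh_package_version` returns nothing, the `*"bpo10"*` test is silently false and the backports downgrade never runs. The previous `ynh_detect_arch` values (`arm`, `386`) had the same gap, so this is not a regression, but a small mapping in front of the lookup would close it: `case "$architecture" in armhf) kernel_pkg=linux-image-armmp ;; i386) kernel_pkg=linux-image-686 ;; *) kernel_pkg=linux-image-$architecture ;; esac`, then use `$kernel_pkg` in both the `ynh_package_version` call and the `ynh_apt ... install` line. The enclosing `if` block continues past the end of the hunk.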
From: tituspijean Date: Tue, 21 Dec 2021 12:12:33 +0100 Subject: [PATCH 26/44] Simplify linux-headers dependency --- scripts/_common.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 63549ca..876639c 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -7,11 +7,7 @@ # WireGuard was integrated in Linux kernel 5.6 # Before that, we need Linux Headers if dpkg --compare-versions $(uname -r) lt 5.6; then - if grep "Raspberry Pi" /proc/device-tree/model; then - pkg_headers="raspberrypi-kernel-headers" - else - pkg_headers="linux-headers-$(uname -r)" - fi + pkg_headers="raspberrypi-kernel-headers|linux-headers-generic|linux-headers-virtual|linux-headers-$(uname -r)" else pkg_headers="" fi From 29f4015f46c239eb0b7b1437e9441bd34ca7026f Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 21 Dec 2021 17:48:41 +0100 Subject: [PATCH 27/44] Drop sudoers --- conf/sudoers.conf | 2 -- conf/wireguard_ui_conf.service | 5 ++--- scripts/install | 4 ---- scripts/upgrade | 5 ++--- 4 files changed, 4 insertions(+), 12 deletions(-) delete mode 100644 conf/sudoers.conf diff --git a/conf/sudoers.conf b/conf/sudoers.conf deleted file mode 100644 index 5942292..0000000 --- a/conf/sudoers.conf +++ /dev/null @@ -1,2 +0,0 @@ -Cmnd_Alias WIREGUARDSERVICE = /usr/bin/systemctl restart wg-quick@wg0.service -%__USER__ ALL = NOPASSWD: WIREGUARDSERVICE diff --git a/conf/wireguard_ui_conf.service b/conf/wireguard_ui_conf.service index d5bea50..91779ed 100644 --- a/conf/wireguard_ui_conf.service +++ b/conf/wireguard_ui_conf.service @@ -4,6 +4,5 @@ After=network.target [Service] Type=oneshot -User=__APP__ -Group=__APP__ -ExecStart=sudo /usr/bin/systemctl restart wg-quick@wg0.service +User=root +ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service diff --git a/scripts/install b/scripts/install index b0e7745..23df7d0 100644 --- a/scripts/install +++ b/scripts/install 
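Review bot: with `User=root` and `ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service`, this oneshot unit is fired by the path watcher on /etc/wireguard/wg0.conf, and the install script hands that directory to the app user (`chown -R $app: /etc/wireguard` appears as hunk context elsewhere in this series), so whatever the UI process writes into wg0.conf, including its PostUp/PostDown hooks, is executed by root. That is the same trust boundary the dropped sudoers rule already granted, so removing sudo is a simplification rather than a new exposure, but it should be written down where a reviewer will see it: a `# Runs as root: wg-quick applies the app-writable wg0.conf, whose PostUp/PostDown lines are executed verbatim` comment in this unit. Keeping the UI's own service sandboxed and the web endpoint behind the SSO permission remains the compensating control.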
@@ -117,10 +117,6 @@ ynh_script_progression --message="Configuring system user..." --weight=1 # Create a system user ynh_system_user_create --username=$app -# Ensure the system user has enough permissions -install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh -ynh_replace_string "__USER__" "${app}" /etc/sudoers.d/${app}_ynh - #================================================= # SPECIFIC SETUP #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index ff6d92e..396c6e4 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -92,10 +92,9 @@ Now wireguard_ynh use a DKMS module allowing itself to be used with the stable k fi fi -# Add sudoers file if missing +# Drop sudoers file if present if [ -f "/etc/sudoers.d/${app}_ynh" ]; then - install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh - ynh_replace_string "__USER__" "${app}" /etc/sudoers.d/${app}_ynh + ynh_secure_remove /etc/sudoers.d/${app}_ynh fi # Remove deprecated services From 33d7348d7e846a51baae4c3e86cacfa953d654fe Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 21 Dec 2021 17:57:39 +0100 Subject: [PATCH 28/44] Start and enable the VPN service --- scripts/install | 12 ++++++++++-- scripts/restore | 13 ++++++++++--- scripts/upgrade | 11 +++++++++-- 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/scripts/install b/scripts/install index 23df7d0..b2e656d 100644 --- a/scripts/install +++ b/scripts/install 
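Review bot: `ynh_secure_remove /etc/sudoers.d/${app}_ynh` uses the legacy positional form of the helper; the current signature is `ynh_secure_remove --file="/etc/sudoers.d/${app}_ynh"`, which also quotes the path. The file is removed before the new root-running `wireguard_ui_conf.service` is installed by this same commit, which is the right order, since the sudo rule is no longer referenced once the service drops `sudo` from its ExecStart.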
@@ -178,13 +178,21 @@ yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ yunohost service add wireguard_ui --description="WireGuard UI" #================================================= -# START SYSTEMD SERVICE +# START UI SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --weight=1 +ynh_script_progression --message="Starting the systemd service for the UI..." --weight=1 # Start a systemd service ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="http server started" --log_path="systemd" --timeout=30 +#================================================= +# START VPN SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 + +# Start and enable a systemd service +systemctl enable --now wg-quick@wg0 + #================================================= # SETUP SSOWAT #================================================= diff --git a/scripts/restore b/scripts/restore index 1f1f20c..10de44a 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -135,12 +135,19 @@ yunohost service add wireguard_ui --description="WireGuard UI" ynh_restore_file --origin_path=$(jq -r ".config_file_path" $final_path/db/server/global_settings.json) --not_mandatory #================================================= -# START SYSTEMD SERVICE +# START UI SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --weight=1 +ynh_script_progression --message="Starting the systemd service for the UI..." --weight=1 ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="http server started" --log_path="systemd" --timeout=30 -sleep 5 + +#================================================= +# START VPN SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 + +# Start and enable a systemd service +systemctl enable --now wg-quick@wg0 #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 396c6e4..0588d34 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -219,11 +219,18 @@ yunohost service add wireguard_ui --description="WireGuard UI" #================================================= # START SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --weight=1 +ynh_script_progression --message="Starting the systemd service for the UI..." --weight=1 # Start a systemd service ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="http server started" --log_path="systemd" --timeout=30 -sleep 5 + +#================================================= +# START VPN SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 + +# Start and enable a systemd service +systemctl enable --now wg-quick@wg0 #================================================= # RELOAD NGINX From 242e4b2c2f0b2ecaaf679370bc836fa6e76d6756 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 21 Dec 2021 17:58:18 +0100 Subject: [PATCH 29/44] Drop sudoers in backup and restore too --- scripts/backup | 1 - scripts/restore | 3 --- 2 files changed, 4 deletions(-) diff --git a/scripts/backup b/scripts/backup index 496e228..1d54546 100644 --- a/scripts/backup +++ b/scripts/backup @@ -57,7 +57,6 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_backup --src_path=/etc/systemd/system/wireguard_ui.service ynh_backup --src_path=/etc/systemd/system/wireguard_ui_conf.path ynh_backup --src_path=/etc/systemd/system/wireguard_ui_conf.service -ynh_backup --src_path="/etc/sudoers.d/${app}_ynh" #================================================= # BACKUP VARIOUS FILES diff --git a/scripts/restore b/scripts/restore index 10de44a..419fe5c 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -65,9 +65,6 @@ ynh_script_progression --message="Recreating the dedicated system user..." --wei # Create the dedicated user (if not existing) ynh_system_user_create --username=$app -# Restore sudoers file -ynh_restore_file --origin_path="/etc/sudoers.d/${app}_ynh" - #================================================= # RESTORE USER RIGHTS #================================================= From eb0608f1f2bcd330172a3650f108b8dd31ac880f Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 21 Dec 2021 18:18:50 +0100 Subject: [PATCH 30/44] Silence service enabling --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index b2e656d..f277d2e 100644 --- a/scripts/install +++ b/scripts/install @@ -191,7 +191,7 @@ ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="ht ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 # Start and enable a systemd service -systemctl enable --now wg-quick@wg0 +systemctl enable --now --quiet wg-quick@wg0 #================================================= # SETUP SSOWAT diff --git a/scripts/restore b/scripts/restore index 419fe5c..27e1204 100644 --- a/scripts/restore +++ b/scripts/restore @@ -144,7 +144,7 @@ ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="ht ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 # Start and enable a systemd service -systemctl enable --now wg-quick@wg0 +systemctl enable --now --quiet wg-quick@wg0 #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 0588d34..1e0fe4a 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -230,7 +230,7 @@ ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="ht ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 # Start and enable a systemd service -systemctl enable --now wg-quick@wg0 +systemctl enable --now --quiet wg-quick@wg0 #================================================= # RELOAD NGINX From 7bdf34ac71be0c9faf918df914ea7f608fade18c Mon Sep 17 00:00:00 2001 From: tituspijean Date: Tue, 21 Dec 2021 18:25:55 +0100 Subject: [PATCH 31/44] Simplify path to systemctl in service restart --- conf/wireguard_ui_conf.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/wireguard_ui_conf.service b/conf/wireguard_ui_conf.service index 91779ed..8e3481c 100644 --- a/conf/wireguard_ui_conf.service +++ b/conf/wireguard_ui_conf.service @@ -5,4 +5,4 @@ After=network.target [Service] Type=oneshot User=root -ExecStart=/usr/bin/systemctl restart wg-quick@wg0.service +ExecStart=systemctl restart wg-quick@wg0.service From b147c0c7cbb7237719c13b07dcaea6980760e9b9 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 22 Dec 2021 10:37:22 +0100 Subject: [PATCH 32/44] Simplify services --- conf/wireguard@.path | 8 ++++++++ conf/wireguard@.service | 13 +++++++++++++ conf/wireguard_ui_conf.path | 8 -------- conf/wireguard_ui_conf.service | 8 -------- scripts/backup | 4 ++-- scripts/install | 20 ++++++-------------- scripts/remove | 17 +++++++++-------- scripts/restore | 18 +++++------------- scripts/upgrade | 32 ++++++++++++++------------------ 9 files changed, 57 insertions(+), 71 deletions(-) create mode 100644 conf/wireguard@.path create mode 100644 conf/wireguard@.service delete mode 100644 conf/wireguard_ui_conf.path delete mode 100644 conf/wireguard_ui_conf.service diff --git a/conf/wireguard@.path b/conf/wireguard@.path new file mode 100644 index 0000000..018f3a0 --- /dev/null +++ b/conf/wireguard@.path 
@@ -0,0 +1,8 @@ +[Unit] +Description=Watch WireGuard %I.conf for changes + +[Path] +PathModified=/etc/wireguard/%I.conf + +[Install] +WantedBy=multi-user.target diff --git a/conf/wireguard@.service b/conf/wireguard@.service new file mode 100644 index 0000000..4dcb7f0 --- /dev/null +++ b/conf/wireguard@.service @@ -0,0 +1,13 @@ +[Unit] +Description=WireGuard on %I +After=network-online.target nss-lookup.target +Wants=network-online.target nss-lookup.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/systemctl restart wg-quick@%I.service +ExecStop=/bin/systemctl stop wg-quick@%I.service + +[Install] +WantedBy=multi-user.target diff --git a/conf/wireguard_ui_conf.path b/conf/wireguard_ui_conf.path deleted file mode 100644 index 8c89c4e..0000000 --- a/conf/wireguard_ui_conf.path +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=Watch WireGuard wg0.conf for changes - -[Path] -PathModified=/etc/wireguard/wg0.conf - -[Install] -WantedBy=multi-user.target diff --git a/conf/wireguard_ui_conf.service b/conf/wireguard_ui_conf.service deleted file mode 100644 index 8e3481c..0000000 --- a/conf/wireguard_ui_conf.service +++ /dev/null @@ -1,8 +0,0 @@ -[Unit] -Description=WireGuard restart -After=network.target - -[Service] -Type=oneshot -User=root -ExecStart=systemctl restart wg-quick@wg0.service diff --git a/scripts/backup b/scripts/backup index 1d54546..7549c0a 100644 --- a/scripts/backup +++ b/scripts/backup @@ -55,8 +55,8 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= ynh_backup --src_path=/etc/systemd/system/wireguard_ui.service -ynh_backup --src_path=/etc/systemd/system/wireguard_ui_conf.path -ynh_backup --src_path=/etc/systemd/system/wireguard_ui_conf.service +ynh_backup --src_path=/etc/systemd/system/wireguard@.path +ynh_backup --src_path=/etc/systemd/system/wireguard@.service #================================================= # BACKUP VARIOUS FILES 
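Review bot: The new `wireguard@.service` restarts `wg-quick@%I.service` as root every time `wireguard@.path` sees `/etc/wireguard/%I.conf` change, while the install hunk that follows hands that directory to the app account (`chown -R $app: /etc/wireguard`) and wg-quick executes the `PostUp=`/`PostDown=` lines found in that file, so write access to the config is root-equivalent and the sandboxing on `wireguard_ui.service` is what actually bounds the UI process. That trust boundary should be stated in the unit so nobody relaxes the UI hardening or widens the directory permissions without seeing the consequence, e.g. `# Runs as root and re-applies %I.conf, which the app user can write; keep wireguard_ui.service sandboxed`. `RemainAfterExit=yes` also means a later failure of `wg-quick@%I` is not reflected in this wrapper's state, so the YunoHost status check should keep using `wg show` rather than this unit's activity.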
diff --git a/scripts/install b/scripts/install index f277d2e..05f904e 100644 --- a/scripts/install +++ b/scripts/install @@ -147,12 +147,12 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 ynh_add_systemd_config --service=wireguard_ui --template=wireguard_ui.service # Create a dedicated systemd config for monitoring WireGuard's configuration -cp ../conf/wireguard_ui_conf.path /etc/systemd/system/wireguard_ui_conf.path -systemctl enable --quiet wireguard_ui_conf.path +cp ../conf/wireguard@.path /etc/systemd/system/wireguard@.path +systemctl enable --quiet wireguard@wg0.path -# Create a dedicated systemd config for restarting WireGuard when its configuration changes -ynh_add_systemd_config --service=wireguard_ui_conf --template=wireguard_ui_conf.service -systemctl enable --quiet wireguard_ui_conf.service +# Create a dedicated systemd config for WireGuard +cp ../conf/wireguard@.service /etc/systemd/system/wireguard@.service +systemctl enable --quiet wireguard@wg0.service #================================================= # GENERIC FINALIZATION @@ -174,7 +174,7 @@ chown -R $app: /etc/wireguard #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" yunohost service add wireguard_ui --description="WireGuard UI" #================================================= 
@@ -185,14 +185,6 @@ ynh_script_progression --message="Starting the systemd service for the UI..." -- # Start a systemd service ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="http server started" --log_path="systemd" --timeout=30 -#================================================= -# START VPN SYSTEMD SERVICE -#================================================= -ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 - -# Start and enable a systemd service -systemctl enable --now --quiet wg-quick@wg0 - #================================================= # SETUP SSOWAT #================================================= diff --git a/scripts/remove b/scripts/remove index 28162e9..d974789 100644 --- a/scripts/remove +++ b/scripts/remove @@ -35,10 +35,10 @@ then yunohost service remove wireguard_ui fi -if ynh_exec_warn_less yunohost service status wg-quick@wg0 >/dev/null +if ynh_exec_warn_less yunohost service status wireguard@wg0 >/dev/null then ynh_script_progression --message="Removing WireGuard service integration..." --weight=1 - yunohost service remove wg-quick@wg0 + yunohost service remove wireguard@wg0 fi #================================================= 
@@ -47,13 +47,14 @@ fi ynh_script_progression --message="Stopping and removing the systemd service..." --weight=1 # YunoHost does not handle services not ending with .service, let's remove it manually -systemctl stop wireguard_ui_conf.path -systemctl disable wireguard_ui_conf.path --quiet -ynh_secure_remove --file="/etc/systemd/system/wireguard_ui_conf.path" -systemctl daemon-reload +systemctl stop wireguard@wg0.path +systemctl disable wireguard@wg0.path --quiet +ynh_secure_remove --file="/etc/systemd/system/wireguard@.path" + +systemctl stop wireguard@wg0.service +systemctl disable wireguard@wg0.service --quiet +ynh_secure_remove --file="/etc/systemd/system/wireguard@.service" -# Remove the dedicated systemd configs -ynh_remove_systemd_config --service=wireguard_ui_conf ynh_remove_systemd_config --service=wireguard_ui #================================================= diff --git a/scripts/restore b/scripts/restore index 27e1204..e9787ad 100644 --- a/scripts/restore +++ b/scripts/restore 
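Review bot: The comment `# YunoHost does not handle services not ending with .service, let's remove it manually` no longer explains the block it heads, since the new lines also stop, disable and delete `wireguard@wg0.service` by hand; what both units have in common is that they are template instances, so `# Template units (wireguard@.path/.service) are not handled by ynh_remove_systemd_config: stop, disable and remove them manually` would describe the new code. The explicit `systemctl daemon-reload` that followed the unit-file removal on the old side is dropped; unless `ynh_remove_systemd_config` on the next line performs one, the deleted template units stay loaded until something else reloads, so put `systemctl daemon-reload` after the second `ynh_secure_remove`. The `wg-quick@wg0` instance that earlier versions enabled directly (the `systemctl enable --now` lines in patch 30) is only stopped here through `ExecStop=`, not disabled, so it may remain enabled after the app is removed if nothing else handles it.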
@@ -110,19 +110,19 @@ ynh_remove_extra_repo --name=$app ynh_script_progression --message="Restoring the systemd configuration..." --weight=1 ynh_restore_file --origin_path=/etc/systemd/system/wireguard_ui.service -ynh_restore_file --origin_path=/etc/systemd/system/wireguard_ui_conf.path -ynh_restore_file --origin_path=/etc/systemd/system/wireguard_ui_conf.service +ynh_restore_file --origin_path=/etc/systemd/system/wireguard@.path +ynh_restore_file --origin_path=/etc/systemd/system/wireguard@.service systemctl enable --quiet wireguard_ui.service -systemctl enable --quiet wireguard_ui_conf.path -systemctl enable --quiet wireguard_ui_conf.service +systemctl enable --quiet wireguard@wg0.path +systemctl enable --quiet wireguard@wg0.service #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" yunohost service add wireguard_ui --description="WireGuard UI" #================================================= 
@@ -138,14 +138,6 @@ ynh_script_progression --message="Starting the systemd service for the UI..." -- ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="http server started" --log_path="systemd" --timeout=30 -#================================================= -# START VPN SYSTEMD SERVICE -#================================================= -ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 - -# Start and enable a systemd service -systemctl enable --now --quiet wg-quick@wg0 - #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 1e0fe4a..9819b7d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -98,11 +98,15 @@ if [ -f "/etc/sudoers.d/${app}_ynh" ]; then fi # Remove deprecated services -if systemctl list-units --full -all | grep -Fq "wireguard.path"; then - systemctl disable --now --quiet wireguard.path - ynh_secure_remove --file="/etc/systemd/system/wireguard.path" +if systemctl list-units --full -all | grep -Fq "wireguard_ui_conf.path"; then + systemctl disable --now --quiet wireguard_ui_conf.path + ynh_secure_remove --file="/etc/systemd/system/wireguard_ui_conf.path" +fi +if systemctl list-units --full -all | grep -Fq "wireguard_ui_conf.service"; then + systemctl disable --now --quiet wireguard_ui_conf.service + ynh_secure_remove --file="/etc/systemd/system/wireguard_ui_conf.service" + yunohost service remove wireguard_ui_conf fi -ynh_remove_systemd_config --service="wireguard.service" #================================================= # STANDARD UPGRADE STEPS 
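Review bot: The two new `if systemctl list-units --full -all | grep -Fq ...` checks only match units that are currently loaded, so a disabled `wireguard_ui_conf.path`/`.service` left by an older version can be skipped and its file stays in `/etc/systemd/system`; a file test like the sudoers check just above, `if [ -f "/etc/systemd/system/wireguard_ui_conf.path" ]; then`, is more reliable and consistent with it. `-all` is the single-dash form and appears to work only because systemctl accepts `-a` and `-l` as short options; write `--all`. After the two `ynh_secure_remove` calls a `systemctl daemon-reload` is needed so the deleted units are forgotten before the new template units are installed later in this script.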
@@ -112,7 +116,7 @@ ynh_remove_systemd_config --service="wireguard.service" ynh_script_progression --message="Stopping a systemd service..." --weight=1 ynh_systemd_action --service_name=wireguard_ui --action="stop" --line_match="Stopped WireGuard UI" --log_path="systemd" --timeout=30 -ynh_systemd_action --service_name=wg-quick@wg0 --action="stop" --line_match="Stopped WireGuard via wg-quick(8) for wg0." --log_path="systemd" --timeout=30 +ynh_systemd_action --service_name=wireguard@wg0 --action="stop" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -175,12 +179,12 @@ ynh_script_progression --message="Upgrading systemd configuration..." --weight=1 ynh_add_systemd_config --service=wireguard_ui --template=wireguard_ui.service # Create a dedicated systemd config for monitoring WireGuard's configuration -cp ../conf/wireguard_ui_conf.path /etc/systemd/system/wireguard_ui_conf.path -systemctl enable --quiet wireguard_ui_conf.path +cp ../conf/wireguard@.path /etc/systemd/system/wireguard@.path +systemctl enable --quiet wireguard@wg0.path # Create a dedicated systemd config for restarting WireGuard when its configuration changes -ynh_add_systemd_config --service=wireguard_ui_conf --template=wireguard_ui_conf.service -systemctl enable --quiet wireguard_ui_conf.service +cp ../conf/wireguard@.service /etc/systemd/system/wireguard@.service +systemctl enable --quiet wireguard@wg0.service #================================================= # CONFIGURING WIREGUARD 
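Review bot: `ynh_systemd_action --service_name=wireguard@wg0 --action="stop"` runs at line 116, but `wireguard@.service` is only copied into `/etc/systemd/system` further down in this same script (the hunk at line 179), so on the first upgrade from a version that only had `wg-quick@wg0` the unit does not exist yet and `systemctl stop` fails; if the helper aborts on a failing `systemctl`, as it appears to, the upgrade dies here. Guard it, e.g. `if systemctl is-active --quiet wireguard@wg0.service; then ynh_systemd_action --service_name=wireguard@wg0 --action="stop"; fi`, and consider stopping `wg-quick@wg0` directly in the else branch since the previous version started it.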
@@ -213,7 +217,7 @@ chown -R $app: /etc/wireguard #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add wg-quick@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" +yunohost service add wireguard@wg0 --description="WireGuard VPN" --needs_exposed_ports="$port_wg" --test_status="wg show | grep wg0" yunohost service add wireguard_ui --description="WireGuard UI" #================================================= @@ -224,14 +228,6 @@ ynh_script_progression --message="Starting the systemd service for the UI..." -- # Start a systemd service ynh_systemd_action --service_name=wireguard_ui --action="start" --line_match="http server started" --log_path="systemd" --timeout=30 -#================================================= -# START VPN SYSTEMD SERVICE -#================================================= -ynh_script_progression --message="Starting the systemd service for the VPN..." --weight=1 - -# Start and enable a systemd service -systemctl enable --now --quiet wg-quick@wg0 - #================================================= # RELOAD NGINX #================================================= From 5e1dc05032cabad87400371c8ecbd71c1f65becd Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 22 Dec 2021 14:45:00 +0100 Subject: [PATCH 33/44] Appease linter with service User --- conf/wireguard@.service | 1 + 1 file changed, 1 insertion(+) diff --git a/conf/wireguard@.service b/conf/wireguard@.service index 4dcb7f0..17eb385 100644 --- a/conf/wireguard@.service +++ b/conf/wireguard@.service @@ -5,6 +5,7 @@ Wants=network-online.target nss-lookup.target [Service] Type=oneshot +User=root RemainAfterExit=yes ExecStart=/bin/systemctl restart wg-quick@%I.service ExecStop=/bin/systemctl stop wg-quick@%I.service From 41fe61cf21b00ad323d2f94aeaab5bba3a0d40b7 Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Wed, 22 Dec 2021 15:18:28 +0100 Subject: [PATCH 34/44] Appease linter about ynh_install_app_dependencies --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index 05f904e..ddbd95a 100644 --- a/scripts/install +++ b/scripts/install @@ -87,7 +87,7 @@ ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debi # Update the list of package with the new repo ynh_package_update -ynh_add_app_dependencies --package="$pkg_dependencies" +ynh_install_app_dependencies --package="$pkg_dependencies" # Remove buster-backports repo and pin-priority ynh_remove_extra_repo --name=$app diff --git a/scripts/restore b/scripts/restore index e9787ad..d14aa61 100644 --- a/scripts/restore +++ b/scripts/restore @@ -99,7 +99,7 @@ ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debi # Update the list of package with the new repo ynh_package_update -ynh_add_app_dependencies --package="$pkg_dependencies" +ynh_install_app_dependencies --package="$pkg_dependencies" #Remove buster-backports repo and pin-priority ynh_remove_extra_repo --name=$app diff --git a/scripts/upgrade b/scripts/upgrade index 9819b7d..3412c47 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -157,7 +157,7 @@ ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debi # Update the list of package with the new repo ynh_package_update -ynh_add_app_dependencies --package="$pkg_dependencies" +ynh_install_app_dependencies --package="$pkg_dependencies" # Remove buster-backports repo and pin-priority ynh_remove_extra_repo --name=$app From 20ecc320aa985ec3a9b84c13fbb8f5fcd3c00bcb Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Wed, 22 Dec 2021 17:24:56 +0100 Subject: [PATCH 35/44] Revert "Appease linter about ynh_install_app_dependencies" This reverts commit 41fe61cf21b00ad323d2f94aeaab5bba3a0d40b7. --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index c7c51fe..bf40673 100644 --- a/scripts/install +++ b/scripts/install @@ -88,7 +88,7 @@ ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debi # Update the list of package with the new repo ynh_package_update -ynh_install_app_dependencies --package="$pkg_dependencies" +ynh_add_app_dependencies --package="$pkg_dependencies" # Remove buster-backports repo and pin-priority ynh_remove_extra_repo --name=$app diff --git a/scripts/restore b/scripts/restore index d14aa61..e9787ad 100644 --- a/scripts/restore +++ b/scripts/restore @@ -99,7 +99,7 @@ ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debi # Update the list of package with the new repo ynh_package_update -ynh_install_app_dependencies --package="$pkg_dependencies" +ynh_add_app_dependencies --package="$pkg_dependencies" #Remove buster-backports repo and pin-priority ynh_remove_extra_repo --name=$app diff --git a/scripts/upgrade b/scripts/upgrade index dc40a67..2057243 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -157,7 +157,7 @@ ynh_pin_repo --package="wireguard*" --pin="origin deb http://deb.debian.org/debi # Update the list of package with the new repo ynh_package_update -ynh_install_app_dependencies --package="$pkg_dependencies" +ynh_add_app_dependencies --package="$pkg_dependencies" # Remove buster-backports repo and pin-priority ynh_remove_extra_repo --name=$app From 1929f4bba09c03c78c439d8eddbc6dbd13c93637 Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Wed, 22 Dec 2021 19:20:27 +0100 Subject: [PATCH 36/44] Drop wg0.conf autoinstall --- conf/wg0.conf | 12 ------------ conf/wireguard_ui.service | 6 ++++-- scripts/install | 4 ---- 3 files changed, 4 insertions(+), 18 deletions(-) delete mode 100644 conf/wg0.conf diff --git a/conf/wg0.conf b/conf/wg0.conf deleted file mode 100644 index a0d5882..0000000 --- a/conf/wg0.conf +++ /dev/null @@ -1,12 +0,0 @@ -# This file was generated using wireguard-ui (https://github.com/ngoduykhanh/wireguard-ui) -# Please don't modify it manually, otherwise your change might got replaced. - -# Address updated at: -# Private Key updated at: -[Interface] -Address = 10.10.10.0/24,fd42::/112 -ListenPort = __PORT_WG__ -PrivateKey = __PRIVATE_KEY__ -MTU = 1450 -PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -A FORWARD -o %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip link set multicast on dev %i -PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -D FORWARD -o %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o __INTERFACE__ -j MASQUERADE diff --git a/conf/wireguard_ui.service b/conf/wireguard_ui.service index 2495c87..a98c57f 100644 --- a/conf/wireguard_ui.service +++ b/conf/wireguard_ui.service @@ -16,7 +16,8 @@ ExecStart=__FINALPATH__/wireguard-ui --bind-address="127.0.0.1:__PORT__" --disab NoNewPrivileges=yes PrivateTmp=yes PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +# Disabling the following restriction since the UI needs to poll the interfaces +#RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictNamespaces=yes RestrictRealtime=yes DevicePolicy=closed 
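Review bot: Commenting out `RestrictAddressFamilies=` drops the whole socket-family allow-list when interface polling presumably only needs netlink; keep the list and add the family instead, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`. The same applies to the `CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW` line in the next hunk of this file: if polling needs CAP_NET_ADMIN, remove only that capability from the deny list and keep `CapabilityBoundingSet=~CAP_NET_BROADCAST CAP_NET_RAW`. If the service runs unprivileged under the app account and no `AmbientCapabilities=` is set (none is visible in these hunks), the bounding-set change alone does not grant CAP_NET_ADMIN, so it is worth confirming which of the two lines actually unblocked polling before re-enabling either.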
@@ -36,7 +37,8 @@ CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +# Disabling the following restriction since the UI needs to poll the interfaces +#CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG # Exception to ProtectSystem diff --git a/scripts/install b/scripts/install index bf40673..2e8032b 100644 --- a/scripts/install +++ b/scripts/install @@ -134,10 +134,6 @@ ynh_delete_file_checksum --file="$final_path/db/server/interfaces.json" # Create WireGuard configuration directory mkdir -p /etc/wireguard -# Add interface configuration file for WireGuard -ynh_add_config --template="../conf/wg0.conf" --destination="/etc/wireguard/wg0.conf" -ynh_delete_file_checksum --file="/etc/wireguard/wg0.conf" - #================================================= # SETUP SYSTEMD #================================================= From d1946f851b207d3aaa1b332ef2de61ba2cc42203 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Wed, 22 Dec 2021 19:27:37 +0100 Subject: [PATCH 37/44] Update DISCLAIMERs after auto Post Up and Down scripts --- doc/DISCLAIMER.md | 14 ++------------ doc/DISCLAIMER_fr.md | 14 ++------------ 2 files changed, 4 insertions(+), 24 deletions(-) diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md index 312b919..3ea978a 100644 --- a/doc/DISCLAIMER.md +++ b/doc/DISCLAIMER.md @@ -5,6 +5,8 @@ * Use YunoHost permissions panel to allow users to access the web UI. * Only one network interface, *wg0*, can be managed with this app at the moment. +After installation, you need to `Apply Config` once in the UI before the VPN service can be started. + ### Make your server share its Internet connection #### Enable port forwarding 
@@ -18,15 +20,3 @@ net.ipv6.conf.all.forwarding = 1 sudo sysctl -p ``` -Add the following commands in `WireGuard Server` menu, like in [this picture](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Replace `eth0` with the interface connected to the Internet: - -#### Post Up Script -``` -iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -``` - -#### Post Down Script -``` -iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -``` - diff --git a/doc/DISCLAIMER_fr.md b/doc/DISCLAIMER_fr.md index 11b0e5b..b6d5bf9 100644 --- a/doc/DISCLAIMER_fr.md +++ b/doc/DISCLAIMER_fr.md @@ -5,6 +5,8 @@ * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI. * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app. +Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré. + ### Partagez votre connexion Internet via WireGuard #### Activez le *port forwarding* @@ -18,15 +20,3 @@ net.ipv6.conf.all.forwarding = 1 sudo sysctl -p ``` -Ajoutez les commandes suivantes dans le menu `WireGuard Server`, tel que dans [cette image](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Remplacez `eth0` avec l'interface connectée à Internet : - -#### Post Up Script -``` -iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -``` - -#### Post Down Script -``` -iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -``` - From 721484eda10d1af3e356fdd3410e16dd180a2766 Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Sun, 26 Dec 2021 11:51:25 +0100 Subject: [PATCH 38/44] Enable and start .path service --- scripts/install | 9 ++++----- scripts/restore | 8 +++++--- scripts/upgrade | 9 ++++----- 3 files changed, 13 insertions(+), 13 deletions(-) diff --git a/scripts/install b/scripts/install index 2e8032b..f1c9abe 100644 --- a/scripts/install +++ b/scripts/install @@ -142,13 +142,12 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config for the web UI ynh_add_systemd_config --service=wireguard_ui --template=wireguard_ui.service -# Create a dedicated systemd config for monitoring WireGuard's configuration -cp ../conf/wireguard@.path /etc/systemd/system/wireguard@.path -systemctl enable --quiet wireguard@wg0.path - -# Create a dedicated systemd config for WireGuard +# Create dedicated systemd configs for starting and monitoring WireGuard's configuration cp ../conf/wireguard@.service /etc/systemd/system/wireguard@.service +cp ../conf/wireguard@.path /etc/systemd/system/wireguard@.path +systemctl daemon-reload systemctl enable --quiet wireguard@wg0.service +systemctl enable --quiet --now wireguard@wg0.path #================================================= # GENERIC FINALIZATION diff --git a/scripts/restore b/scripts/restore index e9787ad..27195bd 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -110,12 +110,14 @@ ynh_remove_extra_repo --name=$app ynh_script_progression --message="Restoring the systemd configuration..." --weight=1 ynh_restore_file --origin_path=/etc/systemd/system/wireguard_ui.service -ynh_restore_file --origin_path=/etc/systemd/system/wireguard@.path ynh_restore_file --origin_path=/etc/systemd/system/wireguard@.service +ynh_restore_file --origin_path=/etc/systemd/system/wireguard@.path + +systemctl daemon-reload systemctl enable --quiet wireguard_ui.service -systemctl enable --quiet wireguard@wg0.path -systemctl enable --quiet wireguard@wg0.service +systemctl enable --quiet --now wireguard@wg0.service +systemctl enable --quiet --now wireguard@wg0.path #================================================= # INTEGRATE SERVICE IN YUNOHOST diff --git a/scripts/upgrade b/scripts/upgrade index 2057243..1071be5 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -178,13 +178,12 @@ ynh_script_progression --message="Upgrading systemd configuration..." --weight=1 # Create a dedicated systemd config for the web UI ynh_add_systemd_config --service=wireguard_ui --template=wireguard_ui.service -# Create a dedicated systemd config for monitoring WireGuard's configuration -cp ../conf/wireguard@.path /etc/systemd/system/wireguard@.path -systemctl enable --quiet wireguard@wg0.path - -# Create a dedicated systemd config for restarting WireGuard when its configuration changes +# Create dedicated systemd configs for starting and monitoring WireGuard's configuration cp ../conf/wireguard@.service /etc/systemd/system/wireguard@.service +cp ../conf/wireguard@.path /etc/systemd/system/wireguard@.path +systemctl daemon-reload systemctl enable --quiet wireguard@wg0.service +systemctl enable --quiet --now wireguard@wg0.path #================================================= # CONFIGURING WIREGUARD From 39a0bed1a0d0d49878cdc7339317d4067ab6d29b Mon Sep 17 00:00:00 2001 
From: Yunohost-Bot <> Date: Sun, 26 Dec 2021 11:17:30 +0000 Subject: [PATCH 39/44] Auto-update README --- README.md | 14 ++------------ README_fr.md | 14 ++------------ 2 files changed, 4 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 9da5da8..97b69e5 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,8 @@ WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. * Use YunoHost permissions panel to allow users to access the web UI. * Only one network interface, *wg0*, can be managed with this app at the moment. +After installation, you need to `Apply Config` once in the UI before the VPN service can be started. + ### Make your server share its Internet connection #### Enable port forwarding @@ -48,18 +50,6 @@ net.ipv6.conf.all.forwarding = 1 sudo sysctl -p ``` -Add the following commands in `WireGuard Server` menu, like in [this picture](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Replace `eth0` with the interface connected to the Internet: - -#### Post Up Script -``` -iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -``` - -#### Post Down Script -``` -iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -``` - ## Documentation and resources diff --git a/README_fr.md b/README_fr.md index a23e891..d496f14 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -31,6 +31,8 @@ WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography. * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI. * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app. +Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré. + ### Partagez votre connexion Internet via WireGuard #### Activez le *port forwarding* @@ -44,18 +46,6 @@ net.ipv6.conf.all.forwarding = 1 sudo sysctl -p ``` -Ajoutez les commandes suivantes dans le menu `WireGuard Server`, tel que dans [cette image](https://user-images.githubusercontent.com/8769166/124400150-cf354980-dd20-11eb-87c6-9478938d9c82.png). Remplacez `eth0` avec l'interface connectée à Internet : - -#### Post Up Script -``` -iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -``` - -#### Post Down Script -``` -iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE -``` - ## Documentations et ressources From 126babe73c794b6a388a9d6b1be224dc19746035 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sun, 26 Dec 2021 17:05:42 +0100 Subject: [PATCH 40/44] Fix wg-quick@wg0 enabling --- scripts/restore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/restore b/scripts/restore index 27195bd..93d17fb 100644 --- a/scripts/restore +++ b/scripts/restore @@ -116,7 +116,7 @@ ynh_restore_file --origin_path=/etc/systemd/system/wireguard@.path systemctl daemon-reload systemctl enable --quiet wireguard_ui.service -systemctl enable --quiet --now wireguard@wg0.service +systemctl enable --quiet wireguard@wg0.service systemctl enable --quiet --now wireguard@wg0.path #================================================= From 7efb0966280c8f7ae84a0e42c45ee449ff1e4fe1 Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Thu, 30 Dec 2021 17:06:32 +0100 Subject: [PATCH 41/44] Automatically enable port forwarding --- conf/sysctl.conf | 2 ++ doc/DISCLAIMER.md | 16 +--------------- doc/DISCLAIMER_fr.md | 16 +--------------- scripts/backup | 3 +++ scripts/install | 8 ++++++++ scripts/remove | 3 +++ scripts/restore | 8 ++++++++ scripts/upgrade | 6 +++++- 8 files changed, 31 insertions(+), 31 deletions(-) create mode 100644 conf/sysctl.conf diff --git a/conf/sysctl.conf b/conf/sysctl.conf new file mode 100644 index 0000000..f501eb9 --- /dev/null +++ b/conf/sysctl.conf @@ -0,0 +1,2 @@ +net.ipv4.ip_forward = 1 +net.ipv6.conf.all.forwarding = 1 diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md index 3ea978a..fae5ecf 100644 --- a/doc/DISCLAIMER.md +++ b/doc/DISCLAIMER.md @@ -1,22 +1,8 @@ * WireGuard for YunoHost will add a DMKS module to your Linux kernel. * You may need to reboot your server for WireGuard to be able to start. * The package includes WireGuard and non-official web UI to configure it. - * Avoid altering the configuration files via the command line interface, though. + * Do not manually alter the configuration files. * Use YunoHost permissions panel to allow users to access the web UI. * Only one network interface, *wg0*, can be managed with this app at the moment. After installation, you need to `Apply Config` once in the UI before the VPN service can be started. - -### Make your server share its Internet connection - -#### Enable port forwarding - -```bash -sudo nano /etc/sysctl.conf -# Uncomment the following lines: -net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1 -# Save and quit (CTRL+O, CTRL+X) -sudo sysctl -p -``` - diff --git a/doc/DISCLAIMER_fr.md b/doc/DISCLAIMER_fr.md index b6d5bf9..e4667ce 100644 --- a/doc/DISCLAIMER_fr.md +++ b/doc/DISCLAIMER_fr.md 
@@ -1,22 +1,8 @@ * Cette application ajoutera un module DMKS à votre noyau Linux. * Vous devriez redémarrer votre serveur pour que WireGuard puisse se lancer. * Cette application inclut WireGuard et une interface web non-officielle pour le configurer. - * Évitez de modifier les fichiers de configuration via la ligne de commande. + * Ne modifiez pas les fichiers de configuration à la main. * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI. * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app. Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré. - -### Partagez votre connexion Internet via WireGuard - -#### Activez le *port forwarding* - -```bash -sudo nano /etc/sysctl.conf -# Décommentez les lignes suivantes : -net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1 -# Sauvegardez et quittez (CTRL+O, CTRL+X) -sudo sysctl -p -``` - diff --git a/scripts/backup b/scripts/backup index 7549c0a..0e9ebff 100644 --- a/scripts/backup +++ b/scripts/backup @@ -68,6 +68,9 @@ ynh_backup --src_path="/etc/wireguard" # Backing up specific config file, in case of it is not in /etc/wireguard ynh_backup --src_path="$(jq -r ".config_file_path" $final_path/db/server/global_settings.json)" --not_mandatory +# Backup the sysctl config file to enable port forwarding +ynh_backup --src_path="/etc/sysctl.d/$app.conf" + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/install b/scripts/install index f1c9abe..8aa2e1f 100644 --- a/scripts/install +++ b/scripts/install 
@@ -149,6 +149,14 @@ systemctl daemon-reload
 systemctl enable --quiet wireguard@wg0.service
 systemctl enable --quiet --now wireguard@wg0.path
+#=================================================
+# ENABLE PORT FORWARDING
+#=================================================
+ynh_script_progression --message="Enabling port forwarding..." --weight=1
+
+ynh_add_config --template="../conf/sysctl.conf" --destination="/etc/sysctl.d/$app.conf"
+sysctl -p /etc/sysctl.d/$app.conf
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index d974789..3c35861 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -111,6 +111,9 @@ fi
 # Remove sudoers file
 ynh_secure_remove --file="/etc/sudoers.d/${app}_ynh"
+# Remove sysctl file for port forwarding
+ynh_secure_remove --file="/etc/sysctl.d/$app.conf"
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 93d17fb..e66d9da 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -119,6 +119,14 @@ systemctl enable --quiet wireguard_ui.service
 systemctl enable --quiet wireguard@wg0.service
 systemctl enable --quiet --now wireguard@wg0.path
+#=================================================
+# ENABLE PORT FORWARDING
+#=================================================
+ynh_script_progression --message="Enabling port forwarding..." --weight=1
+
+ynh_restore_file --origin_path="/etc/sysctl.d/$app.conf"
+sysctl -p /etc/sysctl.d/$app.conf
+
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 1071be5..635c5bc 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
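Review bot: `sysctl -p /etc/sysctl.d/$app.conf` in scripts/install exits non-zero as soon as one key cannot be written, and `net.ipv6.conf.all.forwarding` does not exist on a kernel booted with IPv6 disabled, so on such hosts this line aborts the installation under the error trap YunoHost scripts normally enable, even though the IPv4 key was already applied; the identical line appears in the restore hunk below and in the upgrade hunk of this commit. If IPv6-less hosts are meant to be supported, either skip the IPv6 key when `/proc/sys/net/ipv6` is absent or treat a failed apply as a warning rather than a fatal error. As a style point, quote the expansion: `sysctl -p "/etc/sysctl.d/$app.conf"`.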
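Review bot: Removing `/etc/sysctl.d/$app.conf` in scripts/remove does not touch the running kernel, so `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` stay at 1 until the next reboot and the host keeps routing between its interfaces after the app is gone. The script cannot safely reset them to 0, since another package on the same host may depend on forwarding, but that gap should be stated where the file is removed so an admin knows to reboot or reset by hand, e.g. `# The running kernel keeps forwarding enabled until reboot; not reset here since other services may rely on it`.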
@@ -186,8 +186,12 @@ systemctl enable --quiet wireguard@wg0.service
 systemctl enable --quiet --now wireguard@wg0.path
 #=================================================
-# CONFIGURING WIREGUARD
+# ENABLE PORT FORWARDING
 #=================================================
+ynh_script_progression --message="Enabling port forwarding..." --weight=1
+
+ynh_add_config --template="../conf/sysctl.conf" --destination="/etc/sysctl.d/$app.conf"
+sysctl -p /etc/sysctl.d/$app.conf
 #=================================================
 # GENERIC FINALIZATION
From 3a520195e8e06dd1a63f15548a10a4e47e7e3faa Mon Sep 17 00:00:00 2001
From: Yunohost-Bot <>
Date: Thu, 30 Dec 2021 16:07:07 +0000
Subject: [PATCH 42/44] Auto-update README
---
 README.md | 16 +---------------
 README_fr.md | 16 +---------------
 2 files changed, 2 insertions(+), 30 deletions(-)
diff --git a/README.md b/README.md
index 97b69e5..1895d1d 100644
--- a/README.md
+++ b/README.md
@@ -31,26 +31,12 @@ WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography.
 * WireGuard for YunoHost will add a DMKS module to your Linux kernel.
 * You may need to reboot your server for WireGuard to be able to start.
 * The package includes WireGuard and non-official web UI to configure it.
- * Avoid altering the configuration files via the command line interface, though.
+ * Do not manually alter the configuration files.
 * Use YunoHost permissions panel to allow users to access the web UI.
 * Only one network interface, *wg0*, can be managed with this app at the moment.
 After installation, you need to `Apply Config` once in the UI before the VPN service can be started.
-### Make your server share its Internet connection
-
-#### Enable port forwarding
-
-```bash
-sudo nano /etc/sysctl.conf
-# Uncomment the following lines:
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
-# Save and quit (CTRL+O, CTRL+X)
-sudo sysctl -p
-```
-
-
 ## Documentation and resources
 * Official app website: https://www.wireguard.com/
diff --git a/README_fr.md b/README_fr.md
index d496f14..9d5c892 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -27,26 +27,12 @@ WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography.
 * Cette application ajoutera un module DMKS à votre noyau Linux.
 * Vous devriez redémarrer votre serveur pour que WireGuard puisse se lancer.
 * Cette application inclut WireGuard et une interface web non-officielle pour le configurer.
- * Évitez de modifier les fichiers de configuration via la ligne de commande.
+ * Ne modifiez pas les fichiers de configuration à la main.
 * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI.
 * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app.
 Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré.
-### Partagez votre connexion Internet via WireGuard
-
-#### Activez le *port forwarding*
-
-```bash
-sudo nano /etc/sysctl.conf
-# Décommentez les lignes suivantes :
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
-# Sauvegardez et quittez (CTRL+O, CTRL+X)
-sudo sysctl -p
-```
-
-
 ## Documentations et ressources
 * Site officiel de l'app : https://www.wireguard.com/
From ad533198421a7331fc9bb942aafe2a31d67f14c9 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Thu, 30 Dec 2021 17:09:00 +0100
Subject: [PATCH 43/44] Add disclaimer about non working Status page
---
 doc/DISCLAIMER.md | 1 +
 doc/DISCLAIMER_fr.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md
index fae5ecf..4a7395c 100644
--- a/doc/DISCLAIMER.md
+++ b/doc/DISCLAIMER.md
@@ -4,5 +4,6 @@
 * Do not manually alter the configuration files.
 * Use YunoHost permissions panel to allow users to access the web UI.
 * Only one network interface, *wg0*, can be managed with this app at the moment.
+* `Status` page is not working for the time being.
 After installation, you need to `Apply Config` once in the UI before the VPN service can be started.
diff --git a/doc/DISCLAIMER_fr.md b/doc/DISCLAIMER_fr.md
index e4667ce..3c563b0 100644
--- a/doc/DISCLAIMER_fr.md
+++ b/doc/DISCLAIMER_fr.md
@@ -4,5 +4,6 @@
 * Ne modifiez pas les fichiers de configuration à la main.
 * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI.
 * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app.
+* La page `Status` demeure non fonctionnelle pour l'instant.
 Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré.
From bd314c00e31233ec6046ea155c043dcfd74100a3 Mon Sep 17 00:00:00 2001
From: Yunohost-Bot <>
Date: Thu, 30 Dec 2021 16:09:19 +0000
Subject: [PATCH 44/44] Auto-update README
---
 README.md | 1 +
 README_fr.md | 1 +
 2 files changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 1895d1d..e840e2a 100644
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography.
 * Do not manually alter the configuration files.
 * Use YunoHost permissions panel to allow users to access the web UI.
 * Only one network interface, *wg0*, can be managed with this app at the moment.
+* `Status` page is not working for the time being.
 After installation, you need to `Apply Config` once in the UI before the VPN service can be started.
diff --git a/README_fr.md b/README_fr.md
index 9d5c892..b91489c 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -30,6 +30,7 @@ WireGuard® is fast and modern VPN that utilizes state-of-the-art cryptography.
 * Ne modifiez pas les fichiers de configuration à la main.
 * Utiliser le panneau de permissions de YunoHost pour autoriser des utilisateurs à accéder à WireGuard UI.
 * Une seule interface réseau, *wg0*, peut actuellement être gérée par cette app.
+* La page `Status` demeure non fonctionnelle pour l'instant.
 Après installation, vous devrez cliquer sur `Apply Config` une fois dans l'UI avant que le service VPN puisse être démarré.