jostreff/wireguard-ui
1
0
Fork 0
mirror of https://github.com/ngoduykhanh/wireguard-ui.git synced 2025-04-19 19:59:13 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix for fwmark

Browse source 
Evidently, wireguard's (use of) fwmark is not well understood. In short,
it determines which routing table to use for a tunnel's packets.

Adding a fwmark to a roadwarrior client config won't do anything to the
actual packets sent to a peer: Packets do not get marked.

A QRCode with `FwMark = ...` in it is invalid.

FwMark is now excluded from client configs (but is written to the
server config /etc/wireguard/wgX.conf).

Potential breaking change of `WGUI_FORWARD_MARK` to `WGUI_FIREWALL_MARK`

But this has the effect of making users eventually notice that it
probably does not do what they want/think.

See:
https://ro-che.info/articles/2021-02-27-linux-routing

https://casavant.org/2020/10/10/wireguard-fwmark.html

https://www.blinkenlights.ch/ccms/posts/source-based-routing/
This commit is contained in:
Paul 2022-12-21 00:46:59 +00:00
parent aadf099f50
commit 101b5564c2
7 changed files with 17 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -58,7 +58,7 @@ Note:
| `WGUI_DNS` | The default DNS servers (comma-separated-list) used in the global settings | `1.1.1.1` | | `WGUI_DNS` | The default DNS servers (comma-separated-list) used in the global settings | `1.1.1.1` |
| `WGUI_MTU` | The default MTU used in global settings | `1450` | | `WGUI_MTU` | The default MTU used in global settings | `1450` |
| `WGUI_PERSISTENT_KEEPALIVE` | The default persistent keepalive for WireGuard in global settings | `15` | | `WGUI_PERSISTENT_KEEPALIVE` | The default persistent keepalive for WireGuard in global settings | `15` |
| `WGUI_FORWARD_MARK` | The default WireGuard forward mark | `0xca6c` | | `WGUI_FIREWALL_MARK` | The default WireGuard firewall mark | `0xca6c` (51820) |
| `WGUI_CONFIG_FILE_PATH` | The default WireGuard config file path used in global settings | `/etc/wireguard/wg0.conf` | | `WGUI_CONFIG_FILE_PATH` | The default WireGuard config file path used in global settings | `/etc/wireguard/wg0.conf` |
| `WG_CONF_TEMPLATE` | The custom `wg.conf` config file template. Please refer to our [default template](https://github.com/ngoduykhanh/wireguard-ui/blob/master/templates/wg.conf) | N/A | | `WG_CONF_TEMPLATE` | The custom `wg.conf` config file template. Please refer to our [default template](https://github.com/ngoduykhanh/wireguard-ui/blob/master/templates/wg.conf) | N/A |
| `EMAIL_FROM_ADDRESS` | The sender email address | N/A | | `EMAIL_FROM_ADDRESS` | The sender email address | N/A |

2
model/setting.go
View file

@ -10,7 +10,7 @@ type GlobalSetting struct {
DNSServers []string `json:"dns_servers"` DNSServers []string `json:"dns_servers"`
MTU int `json:"mtu,string"` MTU int `json:"mtu,string"`
PersistentKeepalive int `json:"persistent_keepalive,string"` PersistentKeepalive int `json:"persistent_keepalive,string"`
ForwardMark string `json:"forward_mark"` FirewallMark string `json:"firewall_mark"`
ConfigFilePath string `json:"config_file_path"` ConfigFilePath string `json:"config_file_path"`
UpdatedAt time.Time `json:"updated_at"` UpdatedAt time.Time `json:"updated_at"`
} }

5
store/jsondb/jsondb.go
View file

@ -96,7 +96,7 @@ func (o *JsonDB) Init() error {
globalSetting.DNSServers = util.LookupEnvOrStrings(util.DNSEnvVar, []string{util.DefaultDNS}) globalSetting.DNSServers = util.LookupEnvOrStrings(util.DNSEnvVar, []string{util.DefaultDNS})
globalSetting.MTU = util.LookupEnvOrInt(util.MTUEnvVar, util.DefaultMTU) globalSetting.MTU = util.LookupEnvOrInt(util.MTUEnvVar, util.DefaultMTU)
globalSetting.PersistentKeepalive = util.LookupEnvOrInt(util.PersistentKeepaliveEnvVar, util.DefaultPersistentKeepalive) globalSetting.PersistentKeepalive = util.LookupEnvOrInt(util.PersistentKeepaliveEnvVar, util.DefaultPersistentKeepalive)
globalSetting.ForwardMark = util.LookupEnvOrString(util.ForwardMarkEnvVar, util.DefaultForwardMark) globalSetting.FirewallMark = util.LookupEnvOrString(util.FirewallMarkEnvVar, util.DefaultFirewallMark)
globalSetting.ConfigFilePath = util.LookupEnvOrString(util.ConfigFilePathEnvVar, util.DefaultConfigFilePath) globalSetting.ConfigFilePath = util.LookupEnvOrString(util.ConfigFilePathEnvVar, util.DefaultConfigFilePath)
globalSetting.UpdatedAt = time.Now().UTC() globalSetting.UpdatedAt = time.Now().UTC()
o.conn.Write("server", "global_settings", globalSetting) o.conn.Write("server", "global_settings", globalSetting)
@ -219,9 +219,6 @@ func (o *JsonDB) GetClientByID(clientID string, qrCodeSettings model.QRCodeSetti
if !qrCodeSettings.IncludeMTU { if !qrCodeSettings.IncludeMTU {
globalSettings.MTU = 0 globalSettings.MTU = 0
} }
if !qrCodeSettings.IncludeFwMark {
globalSettings.ForwardMark = ""
}
png, err := qrcode.Encode(util.BuildClientConfig(client, server, globalSettings), qrcode.Medium, 256) png, err := qrcode.Encode(util.BuildClientConfig(client, server, globalSettings), qrcode.Medium, 256)
if err == nil { if err == nil {

15
templates/clients.html
View file

@ -70,17 +70,8 @@ Wireguard Clients
</div> </div>
<div class="modal-body"> <div class="modal-body">
<input type="hidden" id="qr_client_id" name="qr_client_id"> <input type="hidden" id="qr_client_id" name="qr_client_id">
<a href="" download="" id="qr_code_a">
<img id="qr_code" class="w-100" style="image-rendering: pixelated;" src="" alt="QR code" /> <img id="qr_code" class="w-100" style="image-rendering: pixelated;" src="" alt="QR code" />
</a> <!-- do not include FwMark in any client configs: it is INVALID. -->
<div class="form-group">
<div class="icheck-primary d-inline">
<input type="checkbox" id="qr_include_fwmark" onchange="regenerateQRCode()">
<label for="qr_include_fwmark">
Include FwMark
</label>
</div>
</div>
</div> </div>
</div> </div>
<!-- /.modal-content --> <!-- /.modal-content -->
@ -425,9 +416,7 @@ Wireguard Clients
cache: false, cache: false,
method: 'GET', method: 'GET',
url: '{{.basePath}}/api/client/' + client_id, url: '{{.basePath}}/api/client/' + client_id,
data: { data: JSON.stringify(data),
qrCodeIncludeFwMark: include_fwmark
},
dataType: 'json', dataType: 'json',
contentType: "application/json", contentType: "application/json",
success: function (resp) { success: function (resp) {

18
templates/global_settings.html
View file

@ -56,10 +56,10 @@ Global Settings
value="{{if .globalSettings.PersistentKeepalive }}{{ .globalSettings.PersistentKeepalive }}{{end}}"> value="{{if .globalSettings.PersistentKeepalive }}{{ .globalSettings.PersistentKeepalive }}{{end}}">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="forward_mark">Forward Mark</label> <label for="firewall_mark">Firewall Mark</label>
<input type="text" class="form-control" id="forward_mark" <input type="text" class="form-control" id="firewall_mark"
name="forward_mark" placeholder="Forward Mark" name="firewall_mark" placeholder="Firewall Mark"
value="{{ .globalSettings.ForwardMark }}"> value="{{ .globalSettings.FirewallMark }}">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="config_file_path">Wireguard Config File Path</label> <label for="config_file_path">Wireguard Config File Path</label>
@ -100,8 +100,8 @@ Global Settings
until they reach out to other peers themselves. Adding <code>PersistentKeepalive</code> until they reach out to other peers themselves. Adding <code>PersistentKeepalive</code>
can ensure that the connection remains open.</dd> can ensure that the connection remains open.</dd>
<dd>Leave blank to omit this setting in the Client config.</dd> <dd>Leave blank to omit this setting in the Client config.</dd>
<dt>5. Forward Mark</dt> <dt>5. Firewall Mark</dt>
<dd>Set an <code>fwmark</code> on all packets going out of WireGuard's UDP socket. Default value: <code>0xca6c</code></dd> <dd>Add a matching <code>fwmark</code> on all packets going out of a WireGuard non-default-route tunnel. Default value: <code>0xca6c</code></dd>
<dt>6. Wireguard Config File Path</dt> <dt>6. Wireguard Config File Path</dt>
<dd>The path of your Wireguard server config file. Please make sure the parent directory <dd>The path of your Wireguard server config file. Please make sure the parent directory
exists and is writable.</dd> exists and is writable.</dd>
@ -149,9 +149,9 @@ Global Settings
const dns_servers = $("#dns_servers").val().split(","); const dns_servers = $("#dns_servers").val().split(",");
const mtu = $("#mtu").val(); const mtu = $("#mtu").val();
const persistent_keepalive = $("#persistent_keepalive").val(); const persistent_keepalive = $("#persistent_keepalive").val();
const forward_mark = $("#forward_mark").val(); const firewall_mark = $("#firewall_mark").val();
const config_file_path = $("#config_file_path").val(); const config_file_path = $("#config_file_path").val();
const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "forward_mark": forward_mark, "config_file_path": config_file_path}; const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "firewall_mark": firewall_mark, "config_file_path": config_file_path};
$.ajax({ $.ajax({
cache: false, cache: false,
@ -222,7 +222,7 @@ Global Settings
config_file_path: { config_file_path: {
required: true required: true
}, },
forward_mark: { firewall_mark: {
required: false required: false
} }
}, },

4
util/config.go
View file

@ -29,7 +29,7 @@ const (
DefaultDNS = "1.1.1.1" DefaultDNS = "1.1.1.1"
DefaultMTU = 1450 DefaultMTU = 1450
DefaultPersistentKeepalive = 15 DefaultPersistentKeepalive = 15
DefaultForwardMark = "0xca6c" DefaultFirewallMark = "0xca6c" // i.e. 51820
DefaultConfigFilePath = "/etc/wireguard/wg0.conf" DefaultConfigFilePath = "/etc/wireguard/wg0.conf"
UsernameEnvVar = "WGUI_USERNAME" UsernameEnvVar = "WGUI_USERNAME"
PasswordEnvVar = "WGUI_PASSWORD" PasswordEnvVar = "WGUI_PASSWORD"
@ -39,7 +39,7 @@ const (
DNSEnvVar = "WGUI_DNS" DNSEnvVar = "WGUI_DNS"
MTUEnvVar = "WGUI_MTU" MTUEnvVar = "WGUI_MTU"
PersistentKeepaliveEnvVar = "WGUI_PERSISTENT_KEEPALIVE" PersistentKeepaliveEnvVar = "WGUI_PERSISTENT_KEEPALIVE"
ForwardMarkEnvVar = "WGUI_FORWARD_MARK" FirewallMarkEnvVar = "WGUI_FIREWALL_MARK"
ConfigFilePathEnvVar = "WGUI_CONFIG_FILE_PATH" ConfigFilePathEnvVar = "WGUI_CONFIG_FILE_PATH"
ServerAddressesEnvVar = "WGUI_SERVER_INTERFACE_ADDRESSES" ServerAddressesEnvVar = "WGUI_SERVER_INTERFACE_ADDRESSES"
ServerListenPortEnvVar = "WGUI_SERVER_LISTEN_PORT" ServerListenPortEnvVar = "WGUI_SERVER_LISTEN_PORT"

6
util/util.go
View file

@ -60,18 +60,12 @@ func BuildClientConfig(client model.Client, server model.Server, setting model.G
peerPersistentKeepalive = fmt.Sprintf("PersistentKeepalive = %d\n", setting.PersistentKeepalive) peerPersistentKeepalive = fmt.Sprintf("PersistentKeepalive = %d\n", setting.PersistentKeepalive)
} }
forwardMark := ""
if setting.ForwardMark != "" {
forwardMark = fmt.Sprintf("FwMark = %s\n", setting.ForwardMark)
}
// build the config as string // build the config as string
strConfig := "[Interface]\n" + strConfig := "[Interface]\n" +
clientAddress + clientAddress +
clientPrivateKey + clientPrivateKey +
clientDNS + clientDNS +
clientMTU + clientMTU +
forwardMark +
"\n[Peer]\n" + "\n[Peer]\n" +
peerPublicKey + peerPublicKey +
peerPresharedKey + peerPresharedKey +