jostreff/wireguard-ui
1
0
Fork 0
mirror of https://github.com/ngoduykhanh/wireguard-ui.git synced 2025-04-19 19:59:13 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix for fwmark

Browse source 
Evidently, wireguard's (use of) fwmark is not well understood. In short,
it determines which routing table to use for a tunnel's packets.

Adding a fwmark to a roadwarrior client config won't do anything to the
actual packets sent to a peer: Packets do not get marked.

A QRCode with `FwMark = ...` in it is invalid.

FwMark is now excluded from client configs (but is written to the
server config /etc/wireguard/wgX.conf).

Potential breaking change of `WGUI_FORWARD_MARK` to `WGUI_FIREWALL_MARK`

But this has the effect of making users eventually notice that it
probably does not do what they want/think.

See:
https://ro-che.info/articles/2021-02-27-linux-routing

https://casavant.org/2020/10/10/wireguard-fwmark.html

https://www.blinkenlights.ch/ccms/posts/source-based-routing/
This commit is contained in:
Paul 2022-12-21 00:46:59 +00:00
parent aadf099f50
commit 101b5564c2
7 changed files with 17 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -58,7 +58,7 @@ Note:
| `WGUI_DNS` | The default DNS servers (comma-separated-list) used in the global settings | `1.1.1.1` |
| `WGUI_MTU` | The default MTU used in global settings | `1450` |
| `WGUI_PERSISTENT_KEEPALIVE` | The default persistent keepalive for WireGuard in global settings | `15` |
| `WGUI_FORWARD_MARK` | The default WireGuard forward mark | `0xca6c` |
| `WGUI_FIREWALL_MARK` | The default WireGuard firewall mark | `0xca6c` (51820) |
| `WGUI_CONFIG_FILE_PATH` | The default WireGuard config file path used in global settings | `/etc/wireguard/wg0.conf` |
| `WG_CONF_TEMPLATE` | The custom `wg.conf` config file template. Please refer to our [default template](https://github.com/ngoduykhanh/wireguard-ui/blob/master/templates/wg.conf) | N/A |
| `EMAIL_FROM_ADDRESS` | The sender email address | N/A |

2
model/setting.go
View file

@ -10,7 +10,7 @@ type GlobalSetting struct {
DNSServers []string `json:"dns_servers"`
MTU int `json:"mtu,string"`
PersistentKeepalive int `json:"persistent_keepalive,string"`
ForwardMark string `json:"forward_mark"`
FirewallMark string `json:"firewall_mark"`
ConfigFilePath string `json:"config_file_path"`
UpdatedAt time.Time `json:"updated_at"`
}

5
store/jsondb/jsondb.go
View file

@ -96,7 +96,7 @@ func (o *JsonDB) Init() error {
globalSetting.DNSServers = util.LookupEnvOrStrings(util.DNSEnvVar, []string{util.DefaultDNS})
globalSetting.MTU = util.LookupEnvOrInt(util.MTUEnvVar, util.DefaultMTU)
globalSetting.PersistentKeepalive = util.LookupEnvOrInt(util.PersistentKeepaliveEnvVar, util.DefaultPersistentKeepalive)
globalSetting.ForwardMark = util.LookupEnvOrString(util.ForwardMarkEnvVar, util.DefaultForwardMark)
globalSetting.FirewallMark = util.LookupEnvOrString(util.FirewallMarkEnvVar, util.DefaultFirewallMark)
globalSetting.ConfigFilePath = util.LookupEnvOrString(util.ConfigFilePathEnvVar, util.DefaultConfigFilePath)
globalSetting.UpdatedAt = time.Now().UTC()
o.conn.Write("server", "global_settings", globalSetting)
@ -219,9 +219,6 @@ func (o *JsonDB) GetClientByID(clientID string, qrCodeSettings model.QRCodeSetti
if !qrCodeSettings.IncludeMTU {
globalSettings.MTU = 0
}
if !qrCodeSettings.IncludeFwMark {
globalSettings.ForwardMark = ""
}
png, err := qrcode.Encode(util.BuildClientConfig(client, server, globalSettings), qrcode.Medium, 256)
if err == nil {

17
templates/clients.html
View file

@ -70,17 +70,8 @@ Wireguard Clients
</div>
<div class="modal-body">
<input type="hidden" id="qr_client_id" name="qr_client_id">
<a href="" download="" id="qr_code_a">
<img id="qr_code" class="w-100" style="image-rendering: pixelated;" src="" alt="QR code" />
</a>
<div class="form-group">
<div class="icheck-primary d-inline">
<input type="checkbox" id="qr_include_fwmark" onchange="regenerateQRCode()">
<label for="qr_include_fwmark">
Include FwMark
</label>
</div>
</div>
<img id="qr_code" class="w-100" style="image-rendering: pixelated;" src="" alt="QR code" />
<!-- do not include FwMark in any client configs: it is INVALID. -->
</div>
</div>
<!-- /.modal-content -->
@ -425,9 +416,7 @@ Wireguard Clients
cache: false,
method: 'GET',
url: '{{.basePath}}/api/client/' + client_id,
data: {
qrCodeIncludeFwMark: include_fwmark
},
data: JSON.stringify(data),
dataType: 'json',
contentType: "application/json",
success: function (resp) {

18
templates/global_settings.html
View file

@ -56,10 +56,10 @@ Global Settings
value="{{if .globalSettings.PersistentKeepalive }}{{ .globalSettings.PersistentKeepalive }}{{end}}">
</div>
<div class="form-group">
<label for="forward_mark">Forward Mark</label>
<input type="text" class="form-control" id="forward_mark"
name="forward_mark" placeholder="Forward Mark"
value="{{ .globalSettings.ForwardMark }}">
<label for="firewall_mark">Firewall Mark</label>
<input type="text" class="form-control" id="firewall_mark"
name="firewall_mark" placeholder="Firewall Mark"
value="{{ .globalSettings.FirewallMark }}">
</div>
<div class="form-group">
<label for="config_file_path">Wireguard Config File Path</label>
@ -100,8 +100,8 @@ Global Settings
until they reach out to other peers themselves. Adding <code>PersistentKeepalive</code>
can ensure that the connection remains open.</dd>
<dd>Leave blank to omit this setting in the Client config.</dd>
<dt>5. Forward Mark</dt>
<dd>Set an <code>fwmark</code> on all packets going out of WireGuard's UDP socket. Default value: <code>0xca6c</code></dd>
<dt>5. Firewall Mark</dt>
<dd>Add a matching <code>fwmark</code> on all packets going out of a WireGuard non-default-route tunnel. Default value: <code>0xca6c</code></dd>
<dt>6. Wireguard Config File Path</dt>
<dd>The path of your Wireguard server config file. Please make sure the parent directory
exists and is writable.</dd>
@ -149,9 +149,9 @@ Global Settings
const dns_servers = $("#dns_servers").val().split(",");
const mtu = $("#mtu").val();
const persistent_keepalive = $("#persistent_keepalive").val();
const forward_mark = $("#forward_mark").val();
const firewall_mark = $("#firewall_mark").val();
const config_file_path = $("#config_file_path").val();
const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "forward_mark": forward_mark, "config_file_path": config_file_path};
const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "firewall_mark": firewall_mark, "config_file_path": config_file_path};
$.ajax({
cache: false,
@ -222,7 +222,7 @@ Global Settings
config_file_path: {
required: true
},
forward_mark: {
firewall_mark: {
required: false
}
},

4
util/config.go
View file

@ -29,7 +29,7 @@ const (
DefaultDNS = "1.1.1.1"
DefaultMTU = 1450
DefaultPersistentKeepalive = 15
DefaultForwardMark = "0xca6c"
DefaultFirewallMark = "0xca6c" // i.e. 51820
DefaultConfigFilePath = "/etc/wireguard/wg0.conf"
UsernameEnvVar = "WGUI_USERNAME"
PasswordEnvVar = "WGUI_PASSWORD"
@ -39,7 +39,7 @@ const (
DNSEnvVar = "WGUI_DNS"
MTUEnvVar = "WGUI_MTU"
PersistentKeepaliveEnvVar = "WGUI_PERSISTENT_KEEPALIVE"
ForwardMarkEnvVar = "WGUI_FORWARD_MARK"
FirewallMarkEnvVar = "WGUI_FIREWALL_MARK"
ConfigFilePathEnvVar = "WGUI_CONFIG_FILE_PATH"
ServerAddressesEnvVar = "WGUI_SERVER_INTERFACE_ADDRESSES"
ServerListenPortEnvVar = "WGUI_SERVER_LISTEN_PORT"

6
util/util.go
View file

@ -60,18 +60,12 @@ func BuildClientConfig(client model.Client, server model.Server, setting model.G
peerPersistentKeepalive = fmt.Sprintf("PersistentKeepalive = %d\n", setting.PersistentKeepalive)
}
forwardMark := ""
if setting.ForwardMark != "" {
forwardMark = fmt.Sprintf("FwMark = %s\n", setting.ForwardMark)
}
// build the config as string
strConfig := "[Interface]\n" +
clientAddress +
clientPrivateKey +
clientDNS +
clientMTU +
forwardMark +
"\n[Peer]\n" +
peerPublicKey +
peerPresharedKey +