diff --git a/linux-amd64.Dockerfile b/linux-amd64.Dockerfile
index e1f2b3a8..f54e075a 100644
--- a/linux-amd64.Dockerfile
+++ b/linux-amd64.Dockerfile
@@ -22,7 +22,7 @@ ENV IMAGE_STATS=${IMAGE_STATS} BUILD_ARCHITECTURE=${BUILD_ARCHITECTURE} \
 XDG_CONFIG_HOME="${CONFIG_DIR}/.config" XDG_CACHE_HOME="${CONFIG_DIR}/.cache" XDG_DATA_HOME="${CONFIG_DIR}/.local/share" \
 LANG="en_US.UTF-8" LANGUAGE="en_US:en" LC_ALL="en_US.UTF-8" \
 S6_BEHAVIOUR_IF_STAGE2_FAILS=2 S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 S6_SERVICES_GRACETIME=180000 S6_STAGE2_HOOK="/init-hook" \
- VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
+ VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_LAN_LEAK_ENABLED="false" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" VPN_HEALTHCHECK_ENABLED="true" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
 VPN_PIA_USER="" VPN_PIA_PASS="" VPN_PIA_PREFERRED_REGION="" VPN_PIA_DIP_TOKEN="no" VPN_PIA_PORT_FORWARD_PERSIST="false"
 VOLUME ["${CONFIG_DIR}"]
diff --git a/linux-arm64.Dockerfile b/linux-arm64.Dockerfile
index 5e936560..9e63a1db 100644
--- a/linux-arm64.Dockerfile
+++ b/linux-arm64.Dockerfile
@@ -22,7 +22,7 @@ ENV IMAGE_STATS=${IMAGE_STATS} BUILD_ARCHITECTURE=${BUILD_ARCHITECTURE} \
 XDG_CONFIG_HOME="${CONFIG_DIR}/.config" XDG_CACHE_HOME="${CONFIG_DIR}/.cache" XDG_DATA_HOME="${CONFIG_DIR}/.local/share" \
 LANG="en_US.UTF-8" LANGUAGE="en_US:en" LC_ALL="en_US.UTF-8" \
 S6_BEHAVIOUR_IF_STAGE2_FAILS=2 S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0 S6_SERVICES_GRACETIME=180000 S6_STAGE2_HOOK="/init-hook" \
- VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
+ VPN_ENABLED="false" VPN_CONF="wg0" VPN_PROVIDER="generic" VPN_LAN_NETWORK="" VPN_LAN_LEAK_ENABLED="false" VPN_EXPOSE_PORTS_ON_LAN="" VPN_AUTO_PORT_FORWARD="true" VPN_AUTO_PORT_FORWARD_TO_PORTS="" VPN_KEEP_LOCAL_DNS="false" VPN_FIREWALL_TYPE="auto" VPN_HEALTHCHECK_ENABLED="true" PRIVOXY_ENABLED="false" UNBOUND_ENABLED="false" \
 VPN_PIA_USER="" VPN_PIA_PASS="" VPN_PIA_PREFERRED_REGION="" VPN_PIA_DIP_TOKEN="no" VPN_PIA_PORT_FORWARD_PERSIST="false"
 VOLUME ["${CONFIG_DIR}"]
diff --git a/root/etc/s6-overlay/s6-rc.d/init-setup/run b/root/etc/s6-overlay/s6-rc.d/init-setup/run
index be05a945..f057c116 100644
--- a/root/etc/s6-overlay/s6-rc.d/init-setup/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-setup/run
@@ -43,11 +43,13 @@ VPN_ENABLED=${VPN_ENABLED}"
 VPN_CONF=${VPN_CONF}
 VPN_PROVIDER=${VPN_PROVIDER}
 VPN_LAN_NETWORK=${VPN_LAN_NETWORK}
+VPN_LAN_LEAK_ENABLED=${VPN_LAN_LEAK_ENABLED}
 VPN_EXPOSE_PORTS_ON_LAN=${VPN_EXPOSE_PORTS_ON_LAN}
 VPN_AUTO_PORT_FORWARD=${VPN_AUTO_PORT_FORWARD}
 VPN_AUTO_PORT_FORWARD_TO_PORTS=${VPN_AUTO_PORT_FORWARD_TO_PORTS}
 VPN_KEEP_LOCAL_DNS=${VPN_KEEP_LOCAL_DNS}
 VPN_FIREWALL_TYPE=${VPN_FIREWALL_TYPE}
+VPN_HEALTHCHECK_ENABLED=${VPN_HEALTHCHECK_ENABLED}
 VPN_PIA_USER=$(mask "${VPN_PIA_USER}")
 VPN_PIA_PASS=$(mask "${VPN_PIA_PASS}")
 VPN_PIA_PREFERRED_REGION=${VPN_PIA_PREFERRED_REGION}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-wireguard/run.up b/root/etc/s6-overlay/s6-rc.d/init-wireguard/run.up
index ff81dab9..1244578f 100644
--- a/root/etc/s6-overlay/s6-rc.d/init-wireguard/run.up
+++ b/root/etc/s6-overlay/s6-rc.d/init-wireguard/run.up
@@ -257,6 +257,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
 for nw_cidr in $networks_cidr; do
 iptables -A INPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
 done
+ if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+ IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+ for lan_network in "${lan_networks[@]}"; do
+ iptables -A INPUT -i "${nw_interface}" -s "${lan_network}" -j ACCEPT
+ done
+ fi
 iptables -A INPUT -i "${VPN_CONF}" -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
@@ -272,6 +278,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
 for nw_cidr in $networks_cidr; do
 iptables -A OUTPUT -s "${nw_cidr}" -d "${nw_cidr}" -j ACCEPT
 done
+ if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+ IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+ for lan_network in "${lan_networks[@]}"; do
+ iptables -A OUTPUT -o "${nw_interface}" -d "${lan_network}" -j ACCEPT
+ done
+ fi
 iptables -A OUTPUT -o "${VPN_CONF}" -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
@@ -325,6 +337,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
 for nw_cidr in $networks_cidr; do
 nft add rule inet hotio input ip saddr "${nw_cidr}" ip daddr "${nw_cidr}" counter accept
 done
+ if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+ IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+ for lan_network in "${lan_networks[@]}"; do
+ nft add rule inet hotio input iifname "${nw_interface}" ip saddr "${lan_network}" counter accept
+ done
+ fi
 nft add rule inet hotio input iifname "${VPN_CONF}" counter accept
 nft add rule inet hotio input iifname "lo" counter accept
 nft add rule inet hotio input icmp type echo-reply counter accept
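Review bot: The added INPUT rule `iptables -A INPUT -i "${nw_interface}" -s "${lan_network}" -j ACCEPT` accepts every protocol and port from the listed LAN sources on the physical interface, so with VPN_LAN_LEAK_ENABLED every listener in the container becomes reachable from the LAN regardless of what VPN_EXPOSE_PORTS_ON_LAN allows. If the feature is meant to let the container reach LAN hosts outside the tunnel (the matching OUTPUT rule in the next hunk suggests that), replies are all INPUT needs: `iptables -A INPUT -i "${nw_interface}" -s "${lan_network}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. If a conntrack accept already sits above these lines it is outside the hunk, and the new INPUT rule could then be dropped rather than narrowed. A comment stating the intended direction would also help, e.g. `# LAN leak: let the container reach VPN_LAN_NETWORK hosts directly, bypassing the tunnel`. The enclosing if block starts before and ends after the hunk.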
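Review bot: `IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"` produces one empty element when VPN_LAN_NETWORK is unset or empty (the Dockerfile default), so turning the leak on without a network runs `iptables -A OUTPUT -o "${nw_interface}" -d "" -j ACCEPT`, which iptables rejects; whether that aborts the script or leaves a partially built ruleset depends on error handling outside the hunk. Elements with surrounding whitespace (`"a/24, b/24"`) fail the same way. Trim and skip inside the loop, `lan_network=${lan_network//[[:space:]]/}` followed by `[[ -n "${lan_network}" ]] || continue`, or fail early with a clear message when VPN_LAN_LEAK_ENABLED is true but VPN_LAN_NETWORK is empty.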
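Review bot: `ip saddr "${lan_network}"` in the new nft rule matches IPv4 only, so an IPv6 CIDR in VPN_LAN_NETWORK makes `nft add rule` fail at load time, and the iptables hunks above carry no ip6tables counterpart either. If IPv6 LAN ranges are not supported, skip them deliberately, `[[ ${lan_network} == *:* ]] && continue`, rather than letting rule loading fail; if they are meant to work, an `ip6 saddr` variant is needed. As with the iptables version, `iifname "${nw_interface}" ip saddr "${lan_network}" ct state established,related counter accept` would keep the leak outbound-only instead of opening every container port to the LAN.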
@@ -341,6 +359,12 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
 for nw_cidr in $networks_cidr; do
 nft add rule inet hotio output ip saddr "${nw_cidr}" ip daddr "${nw_cidr}" counter accept
 done
+ if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]; then
+ IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"
+ for lan_network in "${lan_networks[@]}"; do
+ nft add rule inet hotio output oifname "${nw_interface}" ip daddr "${lan_network}" counter accept
+ done
+ fi
 nft add rule inet hotio output oifname "${VPN_CONF}" counter accept
 nft add rule inet hotio output oifname "lo" counter accept
 nft add rule inet hotio output icmp type echo-request counter accept
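Review bot: This hunk is the fourth copy of `IFS=',' read -ra lan_networks <<< "${VPN_LAN_NETWORK%,}"` wrapped in its own `if [[ ${VPN_LAN_LEAK_ENABLED} == "true" ]]`, so any validation of the list has to be repeated four times. Split the variable once, presumably before the iptables/nft branch that the hunk headers imply, and let each rule loop only iterate `"${lan_networks[@]}"`, with a comment at the single split site such as `# VPN_LAN_NETWORK: comma-separated IPv4 CIDRs allowed to bypass the tunnel when VPN_LAN_LEAK_ENABLED=true`. Note that `${VPN_LAN_NETWORK%,}` only strips one trailing comma, so `a/24,,b/24` or `a/24,,` still yields an empty element that nft rejects.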
@@ -356,8 +380,8 @@ if [[ ${VPN_ENABLED} == "true" ]]; then
 [[ -f "${CONFIG_DIR}/wireguard/${VPN_CONF}-post.sh" ]] && bash "${CONFIG_DIR}/wireguard/${VPN_CONF}-post.sh"
 echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] Performing internet connectivity test..."
- echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV4] [PING: $(ping -c 1 1.1.1.1 2> /dev/null | grep 'time=' | awk -F '=' '{print $4}')] $(curl -fsL -4 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
+ echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV4] [PING: $(ping -c 5 1.1.1.1 2> /dev/null | tail -1 | awk -F ' = ' '{print $2}')] $(curl -fsL -4 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
 if [[ ${ipv6_wanted} == "true" ]]; then
- echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV6] [PING: $(ping6 -c 1 2606:4700:4700::1111 2> /dev/null | grep 'time=' | awk -F '=' '{print $4}')] $(curl -fsL -6 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
+ echo "[INF] [$(date '+%Y-%m-%d %H:%M:%S')] [VPN] [IPV6] [PING: $(ping6 -c 5 2606:4700:4700::1111 2> /dev/null | tail -1 | awk -F ' = ' '{print $2}')] $(curl -fsL -6 --retry 5 --retry-max-time 60 --max-time 10 wtfismyip.com/json | jq -re '"[\(.YourFuckingLocation)] [\(.YourFuckingISP)] [\(.YourFuckingIPAddress)]"')"
 fi
 fi
diff --git a/root/init-hook b/root/init-hook
index b9d2903c..7691dffa 100644
--- a/root/init-hook
+++ b/root/init-hook
@@ -23,5 +23,8 @@ fi
 if [[ "${VPN_ENABLED}" != true ]]; then
 rm -rf /etc/s6-overlay/s6-rc.d/user/contents.d/service-forwarder
+fi
+
+if [[ "${VPN_ENABLED}" != true ]] || [[ "${VPN_HEALTHCHECK_ENABLED}" != true ]]; then
 rm -rf /etc/s6-overlay/s6-rc.d/user/contents.d/service-healthcheck
 fi
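Review bot: Both rewritten connectivity-test lines still call `curl ... wtfismyip.com/json` with no scheme, and curl falls back to plain http:// in that case, so the location/ISP/address that gets logged is fetched unauthenticated and can be rewritten by anyone on the path, the VPN exit included. Since the lines are being touched anyway, use `https://wtfismyip.com/json` on both the IPv4 and IPv6 variants. The move to `ping -c 5` also adds roughly four to five seconds of startup wait per address family, and `tail -1 | awk -F ' = ' '{print $2}'` prints an empty PING field when all five probes are lost (the last ping line then has no ` = `), which is acceptable but worth a comment such as `# empty PING field means all probes were lost`.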
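Review bot: `[[ "${VPN_HEALTHCHECK_ENABLED}" != true ]]` is an exact, case-sensitive match, so a value such as `True` or `true ` silently removes the healthcheck service, and the healthcheck is presumably what reacts to a dead tunnel while the kill switch holds. Normalise before comparing, `[[ "${VPN_HEALTHCHECK_ENABLED,,}" != true ]]`, and because this is a security-relevant opt-out, log it when the branch is taken, e.g. `echo "[WRN] VPN healthcheck disabled by VPN_HEALTHCHECK_ENABLED"`. The existing VPN_ENABLED check follows the same exact-match convention, so the normalisation could be applied to both in one go.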