setup-wireguard-docker-bridge.sh aktualisiert

2025-03-10 15:58:17 +00:00 · 2025-03-10 15:58:17 +00:00 · 18cc3e3862
commit 18cc3e3862
parent 85c3bc0041
1 changed files with 79 additions and 9 deletions
--- a/setup-wireguard-docker-bridge.sh
+++ b/setup-wireguard-docker-bridge.sh
@ -116,6 +116,10 @@ iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -I FORWARD -i ${WG_INTERFACE} -o ${BRIDGE_NAME} -j ACCEPT
 iptables -I FORWARD -i ${BRIDGE_NAME} -o ${WG_INTERFACE} -j ACCEPT

+# Add rules to Docker's user chain - this is the key improvement!
+iptables -I DOCKER-USER -i ${WG_INTERFACE} -o ${BRIDGE_NAME} -j ACCEPT
+iptables -I DOCKER-USER -i ${BRIDGE_NAME} -o ${WG_INTERFACE} -j ACCEPT
+
 # Add masquerading (NAT) for outgoing connections
 iptables -t nat -A POSTROUTING -o ${BRIDGE_NAME} -j MASQUERADE
 iptables -t nat -A POSTROUTING -o ${EXTERNAL_INTERFACE} -j MASQUERADE
@ -134,6 +138,10 @@ iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/
 iptables -D FORWARD -i ${WG_INTERFACE} -o ${BRIDGE_NAME} -j ACCEPT 2>/dev/null || true
 iptables -D FORWARD -i ${BRIDGE_NAME} -o ${WG_INTERFACE} -j ACCEPT 2>/dev/null || true

+# Remove Docker-User chain rules
+iptables -D DOCKER-USER -i ${WG_INTERFACE} -o ${BRIDGE_NAME} -j ACCEPT 2>/dev/null || true
+iptables -D DOCKER-USER -i ${BRIDGE_NAME} -o ${WG_INTERFACE} -j ACCEPT 2>/dev/null || true
+
 # Remove NAT rules
 iptables -t nat -D POSTROUTING -o ${BRIDGE_NAME} -j MASQUERADE 2>/dev/null || true
 iptables -t nat -D POSTROUTING -o ${EXTERNAL_INTERFACE} -j MASQUERADE 2>/dev/null || true
@ -198,29 +206,91 @@ systemctl enable wireguard-docker-rules.service

 status "Systemd service created and enabled"

-# Step 9: Make Docker wait for the bridge to be ready
-status "Configuring Docker to wait for bridge..."
+# Step 9: Fix any existing Docker daemon.json configuration
+status "Ensuring Docker has proper iptables management..."

-mkdir -p /etc/systemd/system/docker.service.d/
-cat > /etc/systemd/system/docker.service.d/wait-for-bridge.conf <<EOF
-[Unit]
-After=netplan-apply.service
-Requires=netplan-apply.service
-EOF
+# Create or update Docker daemon config file
+DOCKER_CONFIG="/etc/docker/daemon.json"
+if [ -f "$DOCKER_CONFIG" ]; then
+    # Check if we need to remove any previous workaround settings
+    if grep -q '"iptables":\s*false' "$DOCKER_CONFIG" || grep -q '"bridge":\s*"none"' "$DOCKER_CONFIG"; then
+        status "Updating Docker configuration to restore iptables management..."
+        # Use jq if available for proper JSON manipulation
+        if command -v jq >/dev/null 2>&1; then
+            TMP_CONFIG=$(mktemp)
+            jq 'del(.iptables) | del(.bridge)' "$DOCKER_CONFIG" > "$TMP_CONFIG"
+            mv "$TMP_CONFIG" "$DOCKER_CONFIG"
+        else
+            # Simple sed-based approach (less robust but works for basic cases)
+            sed -i 's/"iptables":\s*false,\?//g' "$DOCKER_CONFIG"
+            sed -i 's/"bridge":\s*"none",\?//g' "$DOCKER_CONFIG"
+            # Clean up any syntax issues this might create
+            sed -i 's/,\s*}/}/g' "$DOCKER_CONFIG"
+            sed -i 's/{,\s*/{/g' "$DOCKER_CONFIG"
+            sed -i 's/,,/,/g' "$DOCKER_CONFIG"
+        fi
+    fi
+else
+    # Create default config file
+    mkdir -p $(dirname "$DOCKER_CONFIG")
+    echo '{}' > "$DOCKER_CONFIG"
+fi

-systemctl daemon-reload
+status "Docker iptables management properly configured"

 # Step 10: Enable IP forwarding permanently
 status "Enabling IP forwarding permanently..."
 echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-ip-forward.conf
 sysctl -p /etc/sysctl.d/99-ip-forward.conf

+# Step 11: Create a Docker restart hook to reapply rules
+status "Creating Docker restart hook..."
+
+cat > /usr/local/bin/docker-post-start.sh <<EOF
+#!/bin/bash
+
+# Wait for Docker to fully start
+sleep 5
+
+# Re-apply Wireguard rules
+/etc/wireguard/${WG_INTERFACE}-up.sh
+
+# Log that we ran
+logger -t docker-vpn-fix "Re-applied Wireguard rules after Docker restart"
+EOF
+
+chmod +x /usr/local/bin/docker-post-start.sh
+
+cat > /etc/systemd/system/docker-vpn-fix.service <<EOF
+[Unit]
+Description=Fix VPN rules after Docker starts
+After=docker.service
+Wants=docker.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/docker-post-start.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable docker-vpn-fix.service
+
+status "Docker restart hook configured"
+
 # Final status
 status "Setup complete!"
 status "Bridge name: ${BRIDGE_NAME}"
 status "Docker network name: ${DOCKER_NETWORK_NAME}"
 status "IP subnet: ${BRIDGE_SUBNET}"

+# Restart Docker to apply changes
+status "Restarting Docker to apply changes..."
+systemctl restart docker
+
 # Provide instructions for next steps
 if systemctl is-active --quiet "wg-quick@${WG_INTERFACE}"; then
    status "Wireguard is running. Restarting to apply new configuration..."