subspacecommunity / subspace

A fork of the simple WireGuard VPN server GUI community maintained

Custom ENV options not working correctly

soakes opened this issue · comments

Describe the bug
A custom network configuration is not created as expected.

To Reproduce
Steps to reproduce the behavior:
Use the following docker-compose.yml file

version: "3.3"
services:
  subspace:
   image: subspacecommunity/subspace:latest
   container_name: subspace
   volumes:
    - /volumes/wireguard/apps/subspace/data:/data
    - /volumes/wireguard/apps/subspace/dnsmasq:/etc/dnsmasq.d
   restart: always
   environment:
    - SUBSPACE_HTTP_HOST=ra01.example.io
    - SUBSPACE_LETSENCRYPT=false
    - SUBSPACE_HTTP_INSECURE=true
    - SUBSPACE_HTTP_ADDR=":80"
    - SUBSPACE_NAMESERVERS=1.1.1.1,1.0.0.1
    - SUBSPACE_LISTENPORT=51821
    - SUBSPACE_IPV4_POOL=10.27.253.0/24
    - SUBSPACE_IPV6_POOL=fd64:cf6f:9d42:c35d::/64
    - SUBSPACE_IPV4_GW=10.27.253.1
    - SUBSPACE_IPV6_GW=fd64:cf6f:9d42:c35d::1
    - SUBSPACE_IPV6_NAT_ENABLED=1
    - SUBSPACE_DISABLE_DNS=0
   cap_add:
    - NET_ADMIN
   network_mode: "host"

You will find the configuration is incorrect and contains some defaults rather than what you have asked for. If you download the config from the UI and look at the file data you will see it's incorrect (pasted below).

[Interface]
PrivateKey = iDL7hfrVhZAmIQutI********************=
DNS = 10.27.253.1, fd64:cf6f:9d42:c35d::1
Address = 10.99.97.2/24,fd00::10:97:2/64

[Peer]
PublicKey = VXpJIVlONZaItW**********************=

Endpoint = ra01.example.io:51821
AllowedIPs = 0.0.0.0/0, ::/0

You will notice it's taken the custom port from the docker-compose file as well as the DNS, but the Address is totally incorrect and is the default.

You will also notice that the iptables rules are set correctly on start up. It's only the WireGuard configuration which is totally incorrect, which then makes for a broken deployment.

Creating subspace ... done
Attaching to subspace
subspace    | + '[' -z ra01.example.io ]
subspace    | + '[' -z  ]
subspace    | + export 'SUBSPACE_BACKLINK=/'
subspace    | + '[' -z 10.27.253.0/24 ]
subspace    | + '[' -z fd64:cf6f:9d42:c35d::/64 ]
subspace    | + '[' -z  ]
subspace    | + export 'SUBSPACE_NAMESERVER=1.1.1.1'
subspace    | + '[' -z false ]
subspace    | + '[' -z '":80"' ]
subspace    | + '[' -z 51821 ]
subspace    | + '[' -z true ]
subspace    | + '[' -z  ]
subspace    | + export 'SUBSPACE_THEME=green'
subspace    | + export 'DEBIAN_FRONTEND=noninteractive'
subspace    | + '[' -z 10.27.253.1 ]
subspace    | + '[' -z fd64:cf6f:9d42:c35d::1 ]
subspace    | + '[' -z 1 ]
subspace    | + echo 'nameserver 1.1.1.1'
subspace    | + '[' -z  ]
subspace    | + /sbin/iptables -t nat --check POSTROUTING -s 10.27.253.0/24 -j MASQUERADE
subspace    | + /sbin/iptables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
subspace    | + /sbin/iptables --check FORWARD -s 10.27.253.0/24 -j ACCEPT
subspace    | + '[[' 1 -gt 0 ]]
subspace    | + /sbin/ip6tables -t nat --check POSTROUTING -s fd64:cf6f:9d42:c35d::/64 -j MASQUERADE
subspace    | + /sbin/ip6tables --check FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
subspace    | + /sbin/ip6tables --check FORWARD -s fd64:cf6f:9d42:c35d::/64 -j ACCEPT
subspace    | + /sbin/iptables -t nat --check OUTPUT -s 10.27.253.0/24 -p udp --dport 53 -j DNAT --to 10.27.253.1:53
subspace    | + /sbin/iptables -t nat --check OUTPUT -s 10.27.253.0/24 -p tcp --dport 53 -j DNAT --to 10.27.253.1:53
subspace    | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd64:cf6f:9d42:c35d::/64 -p udp --dport 53 -j DNAT --to fd64:cf6f:9d42:c35d::1
subspace    | + /sbin/ip6tables --wait -t nat --check OUTPUT -s fd64:cf6f:9d42:c35d::/64 -p tcp --dport 53 -j DNAT --to fd64:cf6f:9d42:c35d::1
subspace    | + test -d /data/wireguard
subspace    | + mkdir /data/wireguard
subspace    | + cd /data/wireguard
subspace    | + mkdir clients
subspace    | + touch clients/null.conf
subspace    | + mkdir peers
subspace    | + touch peers/null.conf
subspace    | + tee server.private
subspace    | + wg genkey
subspace    | + wg pubkey
subspace    | + cat
subspace    | + cat /data/wireguard/server.private
subspace    | + cat /data/wireguard/peers/null.conf
subspace    | + ip link show wg0
subspace    | 9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
subspace    |     link/none
subspace    | + ip link del wg0
subspace    | + ip link add wg0 type wireguard
subspace    | + echo 10.27.253.0/24
subspace    | + cut -d / -f2
subspace    | + export 'SUBSPACE_IPV4_CIDR=24'
subspace    | + ip addr add 10.27.253.1/24 dev wg0
subspace    | + echo fd64:cf6f:9d42:c35d::/64
subspace    | + cut -d / -f2
subspace    | + export 'SUBSPACE_IPV6_CIDR=64'
subspace    | + ip addr add fd64:cf6f:9d42:c35d::1/64 dev wg0
subspace    | + wg setconf wg0 /data/wireguard/server.conf
subspace    | + ip link set wg0 up
subspace    | + test -d /etc/service/dnsmasq
subspace    | + cat
subspace    | + mkdir -p /etc/service/dnsmasq
subspace    | + cat
subspace    | + chmod +x /etc/service/dnsmasq/run
subspace    | + mkdir -p /etc/service/dnsmasq/log/main
subspace    | + cat
subspace    | + chmod +x /etc/service/dnsmasq/log/run
subspace    | + test -d /etc/service/subspace
subspace    | + mkdir /etc/service/subspace
subspace    | + cat
subspace    | + chmod +x /etc/service/subspace/run
subspace    | + mkdir /etc/service/subspace/log
subspace    | + mkdir /etc/service/subspace/log/main
subspace    | + cat
subspace    | + chmod +x /etc/service/subspace/log/run
subspace    | + exec /sbin/my_init
subspace    | Started runsvdir, PID is 61
subspace    | wait for processes to start....
subspace    | dnsmasq: started, version 2.80 cachesize 150
subspace    | dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
subspace    | dnsmasq: reading /etc/resolv.conf
subspace    | dnsmasq: using nameserver 1.1.1.1#53
subspace    | dnsmasq: read /etc/hosts - 5 addresses
subspace    | run: dnsmasq: (pid 68) 4s; run: log: (pid 66) 4s
subspace    | run: subspace: (pid 67) 4s; run: log: (pid 65) 4s

Expected behavior
I would expect that the config reflects what's actually being served and produces a working config. I have confirmed by looking at the server.conf which is generated that it's incorrect, and that is where the issue lies.

[Interface]
PrivateKey = 2JLKuO0rut5yZW*************************
ListenPort = 51821

[Peer]
PublicKey = NqCmt3DCRTrf**************************
AllowedIPs = 10.99.97.2/32,fd00::10:97:2/128

The AllowedIPs should be what's been specified in the docker-compose file.

Additional context
Easy to reproduce with the above config.
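The mismatch described in this report (iptables and the wg0 interface use the configured pool, while the client Address and the server-side peer AllowedIPs still use defaults) is easy to miss until a client cannot route. The following script is an added example, not part of subspace or of this issue; it parses the two configs quoted above (with the redacted keys replaced by placeholders) and reports every address that falls outside the pools given by SUBSPACE_IPV4_POOL / SUBSPACE_IPV6_POOL, so a deployment check can fail before the config is handed to a user.

```python
import ipaddress
import re
from typing import Dict, List

# Client config as quoted in the report above; key material replaced by placeholders.
CLIENT_CONF = """\
[Interface]
PrivateKey = REDACTED_PRIVATE_KEY=
DNS = 10.27.253.1, fd64:cf6f:9d42:c35d::1
Address = 10.99.97.2/24,fd00::10:97:2/64

[Peer]
PublicKey = REDACTED_PUBLIC_KEY=
Endpoint = ra01.example.io:51821
AllowedIPs = 0.0.0.0/0, ::/0
"""

# server.conf as quoted in the report above; key material replaced by placeholders.
SERVER_CONF = """\
[Interface]
PrivateKey = REDACTED_PRIVATE_KEY=
ListenPort = 51821

[Peer]
PublicKey = REDACTED_PUBLIC_KEY=
AllowedIPs = 10.99.97.2/32,fd00::10:97:2/128
"""


def parse_wg_conf(text: str) -> List[Dict[str, str]]:
    """Parse a WireGuard INI-style config into a list of sections.

    Each section is a dict with '_section' holding the name; a list is used
    because [Peer] may legitimately appear several times in server.conf.
    """
    sections: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg(8) allows '#' comments
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = {"_section": m.group(1)}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return sections


def split_addrs(value: str) -> List[ipaddress._BaseAddress]:
    """Turn 'a/24, b/64' into ip_interface objects (host bits allowed)."""
    return [ipaddress.ip_interface(a.strip()) for a in value.split(",") if a.strip()]


def pools_from_env(env: Dict[str, str]) -> List[str]:
    """Collect the pool CIDRs from the env var names used in the compose file."""
    return [env[k] for k in ("SUBSPACE_IPV4_POOL", "SUBSPACE_IPV6_POOL") if env.get(k)]


def check_pools(conf_text: str, pools: List[str], role: str) -> List[str]:
    """Return a finding per address that is outside the configured pools.

    role='client' checks [Interface] Address (what the downloaded config uses);
    role='server' checks each [Peer] AllowedIPs (what wg0 will route to that peer).
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in pools]
    findings: List[str] = []
    for sec in parse_wg_conf(conf_text):
        if role == "client" and sec["_section"] == "Interface":
            addrs, where = split_addrs(sec.get("Address", "")), "Interface.Address"
        elif role == "server" and sec["_section"] == "Peer":
            addrs = split_addrs(sec.get("AllowedIPs", ""))
            where = f"Peer[{sec.get('PublicKey', '?')[:8]}].AllowedIPs"
        else:
            continue
        for a in addrs:
            same_family = [n for n in nets if n.version == a.version]
            if not any(a.ip in n for n in same_family):
                findings.append(
                    f"{where}: {a} is outside configured pool(s) {[str(n) for n in same_family]}"
                )
    return findings


if __name__ == "__main__":
    # Pools as set in the compose file from the report.
    pools = pools_from_env({"SUBSPACE_IPV4_POOL": "10.27.253.0/24",
                            "SUBSPACE_IPV6_POOL": "fd64:cf6f:9d42:c35d::/64"})
    for role, conf in (("client", CLIENT_CONF), ("server", SERVER_CONF)):
        for f in check_pools(conf, pools, role):
            print(f"{role}: {f}")
```

Run against the two quoted configs this reports four findings (the v4 and v6 address in the client config and the two peer AllowedIPs in server.conf), which is exactly the defect the report describes; run against a config whose addresses were allocated from the pool it reports nothing.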

The docker is extremely outdated (from 3 years ago). Try building from source.

Some environment variables aren't documented.

This worked for me:

export SUBSPACE_IPV4_PREF=172.20.10.
export SUBSPACE_IPV4_GW=172.20.10.1
export SUBSPACE_ALLOWED_IPS=172.20.10.0/24
export SUBSPACE_IPV6_NAT_ENABLED="0"

Thank you @acheong08, that's why I couldn't find it.