Wireguard: "Patching" AllowedIps and interface PostUp
-
Dear all,
I've just set up a wireguard VPN server on my Cloudron instance and love the simplicity and instant success! Great stuff!
However, I have one little question:
One of my VPN peers is a MikroTik LTE router with a private subnet
192.168.99.0/24behind it.
After the VPN app is started I currently run the following two commands in the app's web terminal to make the nodes in the subnet behind the router reachable to all VPN peers:wg set wg0 peer <key> allowed-ips 172.26.99.3/32,192.168.99.0/24 ip route add 192.168.99.0/24 via 172.26.99.3These two commands add the subnet
192.168.99.0/24to theAllowedIpsof the routers wireguard peer entry and add a respective route.
This works great and everything functions exactly as it should.However, these changes get lost when the VPN app is restarted.
In order to make them persist across app restarted I tried patching the/app/data/wg/wg0.conffile, but apparently this file gets regenerated on every app restart.Does anyone have an idea of how to best make these two tweaks permanent?
Cheers
Mathias -
Thank you, robi, I've seen
/app/code/start.shand it'd be a great place to put the needed changes, but this file is not in the/app/data/folder and -- as such -- isn't writeable.
It seems to me I have to somehow sneak something into/app/data/as that's the only place I have influence over.One thought: Could I simply patch
/app/data/wg/wg0.confandchmod -rit to prevent it being rewritten on app restart? -
Thank you, robi, I've seen
/app/code/start.shand it'd be a great place to put the needed changes, but this file is not in the/app/data/folder and -- as such -- isn't writeable.
It seems to me I have to somehow sneak something into/app/data/as that's the only place I have influence over.One thought: Could I simply patch
/app/data/wg/wg0.confandchmod -rit to prevent it being rewritten on app restart? -
Ah, of course I meant
-wto prevent the rewrite.I don't think there is a lot of TLC required.
One additional line instart.shwould suffice, which simply checks for the existence of a custom script like/app/data/poststart.shand calls it if it exists.
So, a hook for custom logic to run after the app has started and the tunnel is up.
Where can I best propose/submit this little feature request? -
@girish Yes, of course, it'd be great it the VPN App had native support for routed networks behind a device.
This would make it easier for users who are less experienced with networking setups to quickly set this up.I'd be happy to test-drive an update if you'd like to make one available.
Nevertheless I agree with @robi in that providing a simple hook for a custom script in the
/app/data/directory would also work and be even more flexible.
It wouldn't even have to become part of the UI and thus be somewhat less intrusive to the clean nature of the app.Cheers
Mathias -
We prefer a UI-based and use case driven configuration approach to our software. You can even say flexibility is not a goal for this app. There is no way we can support complicated VPN setups that would arise from all the various configurations. Part of the reason this app exists is that the OpenVPN without the UI is really complicated to use for normal people. Of course, people are free to change the source to match their philosophy of how software should be :).
@sirthias I pushed a change with minimal testing, please check.
-
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login