feat(vpn): dynamic AllowedIPs routing and improved test coverage

- Parse AllowedIPs from WireGuard config in entrypoint.sh - Add/remove routes dynamically instead of hardcoded 0.0.0.0/1 split - Handle both 0.0.0.0/0 and custom AllowedIPs - Add route cleanup on VPN stop (endpoint + AllowedIPs) - Update test_vpn.py with AllowedIPs route verification - Allow non-root build-only tests with automatic runtime skip
2026-05-16 21:21:56 +02:00
parent bc8059b453
commit 98d4edad14
2 changed files with 83 additions and 6 deletions
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -137,9 +137,21 @@ start_vpn() {
        ip route add "$VPN_ENDPOINT/32" via "$DEFAULT_GW" dev "$DEFAULT_IF" 2>/dev/null || true
    fi

-    # Route all traffic through the WireGuard tunnel
-    ip route add 0.0.0.0/1 dev "$INTERFACE"
-    ip route add 128.0.0.0/1 dev "$INTERFACE"
+    # Parse AllowedIPs from config and add routes dynamically
+    ALLOWED_IPS=$(grep -i '^AllowedIPs' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/ //g')
+
+    if [ -n "$ALLOWED_IPS" ]; then
+        for ip in $(echo "$ALLOWED_IPS" | tr ',' ' '); do
+            if [ "$ip" = "0.0.0.0/0" ]; then
+                # Use the split route trick to avoid overriding the default route
+                # (which would break the endpoint connection)
+                ip route add 0.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
+                ip route add 128.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
+            else
+                ip route add "$ip" dev "$INTERFACE" 2>/dev/null || true
+            fi
+        done
+    fi

    # ── Policy routing: ensure responses to incoming LAN traffic go back via eth0 ──
    if [ -n "$DEFAULT_GW" ] && [ -n "$DEFAULT_IF" ]; then
@@ -170,6 +182,25 @@ start_vpn() {
 # ──────────────────────────────────────────────
 stop_vpn() {
    echo "[vpn] Stopping WireGuard interface ${INTERFACE}..."
+
+    # Remove routes added for AllowedIPs
+    ALLOWED_IPS=$(grep -i '^AllowedIPs' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/ //g')
+    if [ -n "$ALLOWED_IPS" ]; then
+        for ip in $(echo "$ALLOWED_IPS" | tr ',' ' '); do
+            if [ "$ip" = "0.0.0.0/0" ]; then
+                ip route del 0.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
+                ip route del 128.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
+            else
+                ip route del "$ip" dev "$INTERFACE" 2>/dev/null || true
+            fi
+        done
+    fi
+
+    # Remove endpoint route
+    if [ -n "$VPN_ENDPOINT" ]; then
+        ip route del "$VPN_ENDPOINT/32" 2>/dev/null || true
+    fi
+
    ip link del "$INTERFACE" 2>/dev/null || true
 }