fix(docker): add missing Python deps, fix VPN routing and healthcheck

- Add missing packages to requirements.txt: requests, beautifulsoup4, fake-useragent, yt-dlp, urllib3 - Fix entrypoint.sh: replace grep -oP (GNU) with awk (BusyBox compat) - Fix entrypoint.sh: add policy routing so LAN clients get responses via eth0 instead of through the WireGuard tunnel - Change healthcheck from ping to curl (VPN provider blocks ICMP) - Add start_period and increase retries for healthcheck - Change external port mapping to 2000:8000 - Add podman-compose.prod.yml and push.sh to version control
2026-02-24 19:21:53 +01:00
parent d8248be67d
commit fc8cdc538d
5 changed files with 178 additions and 5 deletions
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -101,7 +101,9 @@ setup_killswitch() {
 # ──────────────────────────────────────────────
 enable_forwarding() {
    echo "[init] Enabling IP forwarding..."
-    if echo 1 > /proc/sys/net/ipv4/ip_forward 2>/dev/null; then
+    if cat /proc/sys/net/ipv4/ip_forward 2>/dev/null | grep -q 1; then
+        echo "[init] IP forwarding already enabled."
+    elif echo 1 > /proc/sys/net/ipv4/ip_forward 2>/dev/null; then
        echo "[init] IP forwarding enabled via /proc."
    else
        echo "[init] /proc read-only — relying on --sysctl net.ipv4.ip_forward=1"
@@ -139,6 +141,20 @@ start_vpn() {
    ip route add 0.0.0.0/1 dev "$INTERFACE"
    ip route add 128.0.0.0/1 dev "$INTERFACE"

+    # ── Policy routing: ensure responses to incoming LAN traffic go back via eth0 ──
+    if [ -n "$DEFAULT_GW" ] && [ -n "$DEFAULT_IF" ]; then
+        # Get the container's eth0 IP address (BusyBox-compatible, no grep -P)
+        ETH0_IP=$(ip -4 addr show "$DEFAULT_IF" | awk '/inet / {split($2, a, "/"); print a[1]}' | head -1)
+        ETH0_SUBNET=$(ip -4 route show dev "$DEFAULT_IF" | grep -v default | head -1 | awk '{print $1}')
+        if [ -n "$ETH0_IP" ] && [ -n "$ETH0_SUBNET" ]; then
+            echo "[vpn] Setting up policy routing for incoming traffic (${ETH0_IP} on ${DEFAULT_IF})"
+            ip route add default via "$DEFAULT_GW" dev "$DEFAULT_IF" table 100 2>/dev/null || true
+            ip route add "$ETH0_SUBNET" dev "$DEFAULT_IF" table 100 2>/dev/null || true
+            ip rule add from "$ETH0_IP" table 100 priority 100 2>/dev/null || true
+            echo "[vpn] Policy routing active — incoming connections will be routed back via ${DEFAULT_IF}"
+        fi
+    fi
+
    # Set up DNS
    VPN_DNS=$(grep -i '^DNS' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/ //g')
    if [ -n "$VPN_DNS" ]; then
@@ -169,7 +185,7 @@ health_loop() {
    while true; do
        sleep "$CHECK_INTERVAL"

-        if ping -c 1 -W 5 "$CHECK_HOST" > /dev/null 2>&1; then
+        if curl -sf --max-time 5 "http://$CHECK_HOST" > /dev/null 2>&1; then
            if [ "$failures" -gt 0 ]; then
                echo "[health] VPN recovered."
                failures=0