chore: release v1.1.2

fix(vpn): fix DNS iptables rules and add NET_RAW cap
DNS OUTPUT was restricted to -o wg0, but routing decision happens after iptables OUTPUT — so DNS to VPN-internal addresses (198.18.0.x) was blocked before the kernel selected the outgoing interface. Allow DNS unconditionally; routing still sends it through wg0. Add NET_RAW capability so ping works inside the container.
2026-05-17 18:31:59 +02:00 · 2026-05-17 18:31:38 +02:00 · 2026-05-16 21:47:05 +02:00 · 2026-05-16 21:46:19 +02:00
5 changed files with 18 additions and 6 deletions
--- a/Docker/Containerfile
+++ b/Docker/Containerfile
@@ -13,7 +13,8 @@ RUN apk add --no-cache \
 # Create wireguard config directory (config is mounted at runtime)
 RUN mkdir -p /etc/wireguard

-# Copy entrypoint
+# Copy version file and entrypoint
+COPY VERSION /etc/wireguard/VERSION
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

--- a/Docker/VERSION
+++ b/Docker/VERSION
@@ -1 +1 @@
-v0.1.0
+v1.1.2
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -1,6 +1,14 @@
 #!/bin/bash
 set -e

+VERSION_FILE="/etc/wireguard/VERSION"
+if [ -f "$VERSION_FILE" ]; then
+    VERSION=$(cat "$VERSION_FILE")
+else
+    VERSION="unknown"
+fi
+echo "[init] VPN Container Entrypoint ${VERSION}"
+
 INTERFACE="wg0"
 MOUNT_CONFIG="/etc/wireguard/${INTERFACE}.conf"
 CONFIG_DIR="/run/wireguard"
@@ -64,9 +72,11 @@ setup_killswitch() {
    iptables -A INPUT  -i "$INTERFACE" -j ACCEPT
    iptables -A OUTPUT -o "$INTERFACE" -j ACCEPT

-    # Allow DNS to the VPN DNS server (through wg0)
-    iptables -A OUTPUT -o "$INTERFACE" -p udp --dport 53 -j ACCEPT
-    iptables -A OUTPUT -o "$INTERFACE" -p tcp --dport 53 -j ACCEPT
+    # Allow DNS (VPN DNS servers are routed through wg0; allow before routing decision)
+    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+    iptables -A INPUT  -p udp --sport 53 -j ACCEPT
+    iptables -A INPUT  -p tcp --sport 53 -j ACCEPT

    # Allow DHCP (for container networking)
    iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
--- a/Docker/podman-compose.yml
+++ b/Docker/podman-compose.yml
@@ -7,6 +7,7 @@ services:
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
+      - NET_RAW
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "aniworld-web",
-  "version": "0.1.0",
+  "version": "1.1.2",
  "description": "Aniworld Anime Download Manager - Web Frontend",
  "type": "module",
  "scripts": {
Author	SHA1	Message	Date
Lukas	be87f2e230	chore: release v1.1.2	2026-05-17 18:31:59 +02:00
Lukas	c56e0f507d	fix(vpn): fix DNS iptables rules and add NET_RAW cap DNS OUTPUT was restricted to -o wg0, but routing decision happens after iptables OUTPUT — so DNS to VPN-internal addresses (198.18.0.x) was blocked before the kernel selected the outgoing interface. Allow DNS unconditionally; routing still sends it through wg0. Add NET_RAW capability so ping works inside the container.	2026-05-17 18:31:38 +02:00
Lukas	cb0a36ccc2	chore: release v1.1.1	2026-05-16 21:47:05 +02:00
Lukas	3644b16447	feat(vpn): add version logging from VERSION file - Read version from /etc/wireguard/VERSION instead of hardcoding - Copy VERSION file into container image during build - Update VERSION to v1.1.0	2026-05-16 21:46:19 +02:00