lukas.pupkalipinski/Aniworld
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c93ac3e7b89cbfd24f71c45fadac4d470c94416e
Aniworld/Docker/entrypoint.sh
Lukas 68c4335348 feat(vpn): add startup connectivity checks and PersistentKeepalive 
Add check_vpn_connectivity() that runs once after wg0 comes up:
- Waits for handshake (up to 15s) and prints public key if missing
- Measures RX bytes before/after curl to detect server-side routing issues
- Tests DNS resolution and dumps resolv.conf on failure
- On failure prints exact server-side commands to fix (sysctl, iptables, wg)

Add PersistentKeepalive=25 to wg0.conf to keep NAT mappings alive.
2026-05-17 18:40:24 +02:00

368 lines
16 KiB
Bash
Raw Blame History

#!/bin/bash
set -e
VERSION_FILE="/etc/wireguard/VERSION"
if [ -f "$VERSION_FILE" ]; then
VERSION=$(cat "$VERSION_FILE")
else
VERSION="unknown"
fi
echo "[init] VPN Container Entrypoint ${VERSION}"
INTERFACE="wg0"
MOUNT_CONFIG="/etc/wireguard/${INTERFACE}.conf"
CONFIG_DIR="/run/wireguard"
CONFIG_FILE="${CONFIG_DIR}/${INTERFACE}.conf"
CHECK_INTERVAL="${HEALTH_CHECK_INTERVAL:-10}"
CHECK_HOST="${HEALTH_CHECK_HOST:-1.1.1.1}"
# ──────────────────────────────────────────────
# Validate config exists, copy to writable location
# ──────────────────────────────────────────────
if [ ! -f "$MOUNT_CONFIG" ]; then
echo "[error] WireGuard config not found at ${MOUNT_CONFIG}"
echo "[error] Mount your config file: -v /path/to/your.conf:/etc/wireguard/wg0.conf:ro"
exit 1
fi
mkdir -p "$CONFIG_DIR"
cp "$MOUNT_CONFIG" "$CONFIG_FILE"
chmod 600 "$CONFIG_FILE"
# Extract endpoint IP and port from the config
VPN_ENDPOINT=$(grep -i '^Endpoint' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/:.*//;s/ //g')
VPN_PORT=$(grep -i '^Endpoint' "$CONFIG_FILE" | head -1 | sed 's/.*://;s/ //g')
# Extract address
VPN_ADDRESS=$(grep -i '^Address' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/ //g')
if [ -z "$VPN_ENDPOINT" ] || [ -z "$VPN_PORT" ]; then
echo "[error] Could not parse Endpoint from ${CONFIG_FILE}"
exit 1
fi
echo "[init] Config: ${CONFIG_FILE}"
echo "[init] Endpoint: ${VPN_ENDPOINT}:${VPN_PORT}"
echo "[init] Address: ${VPN_ADDRESS}"
# ──────────────────────────────────────────────
# Kill switch: only allow traffic through wg0
# ──────────────────────────────────────────────
setup_killswitch() {
echo "[killswitch] Setting up iptables kill switch..."
# Flush existing rules
iptables -F
iptables -X
iptables -t nat -F
# Default policy: DROP everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow traffic to/from VPN endpoint (needed to establish tunnel)
iptables -A OUTPUT -d "$VPN_ENDPOINT" -p udp --dport "$VPN_PORT" -j ACCEPT
iptables -A INPUT -s "$VPN_ENDPOINT" -p udp --sport "$VPN_PORT" -j ACCEPT
# Allow all traffic through the WireGuard interface
iptables -A INPUT -i "$INTERFACE" -j ACCEPT
iptables -A OUTPUT -o "$INTERFACE" -j ACCEPT
# Allow DNS (VPN DNS servers are routed through wg0; allow before routing decision)
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT
# Allow DHCP (for container networking)
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
iptables -A INPUT -p udp --sport 67:68 -j ACCEPT
# Allow established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ── Allow incoming connections to exposed service ports (e.g. app on 8000) ──
# LOCAL_PORTS can be set as env var, e.g. "8000,8080,3000"
if [ -n "${LOCAL_PORTS:-}" ]; then
for port in $(echo "$LOCAL_PORTS" | tr ',' ' '); do
echo "[killswitch] Allowing incoming traffic on port ${port}"
iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
iptables -A OUTPUT -p tcp --sport "$port" -j ACCEPT
done
fi
# ── FORWARDING (so other containers can use this VPN) ──
iptables -A FORWARD -i eth0 -o "$INTERFACE" -j ACCEPT
iptables -A FORWARD -i "$INTERFACE" -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT: masquerade traffic from other containers going out through wg0
iptables -t nat -A POSTROUTING -o "$INTERFACE" -j MASQUERADE
echo "[killswitch] Kill switch active. Traffic blocked if VPN drops."
}
# ──────────────────────────────────────────────
# Enable IP forwarding so other containers can route through us
# ──────────────────────────────────────────────
enable_forwarding() {
echo "[init] Enabling IP forwarding..."
if cat /proc/sys/net/ipv4/ip_forward 2>/dev/null | grep -q 1; then
echo "[init] IP forwarding already enabled."
elif echo 1 > /proc/sys/net/ipv4/ip_forward 2>/dev/null; then
echo "[init] IP forwarding enabled via /proc."
else
echo "[init] /proc read-only — relying on --sysctl net.ipv4.ip_forward=1"
fi
}
# ──────────────────────────────────────────────
# Start WireGuard manually (no wg-quick, avoids sysctl issues)
# ──────────────────────────────────────────────
start_vpn() {
echo "[vpn] Starting WireGuard interface ${INTERFACE}..."
# Create the interface
ip link add "$INTERFACE" type wireguard
# Apply the WireGuard config (keys, peer, endpoint)
# We filter out Address/DNS/MTU/PreUp/PostUp/PreDown/PostDown/SaveConfig
# AllowedIPs is kept because WireGuard needs it to know which traffic to tunnel.
# We remove the auto-created default route afterwards and set our own.
wg setconf "$INTERFACE" <(grep -v -i '^\(Address\|DNS\|MTU\|PreUp\|PostUp\|PreDown\|PostDown\|SaveConfig\)' "$CONFIG_FILE")
# Log public key so it can be verified against the server's peer list
local PUBKEY
PUBKEY=$(wg show "$INTERFACE" public-key 2>/dev/null || echo "unknown")
echo "[vpn] Public key: ${PUBKEY}"
# Assign the address
ip -4 address add "$VPN_ADDRESS" dev "$INTERFACE"
# Set MTU
ip link set mtu 1420 up dev "$INTERFACE"
# Remove the auto-created default route by wg setconf (if AllowedIPs = 0.0.0.0/0)
# We set our own routes manually to avoid breaking the endpoint connection
ip route del default dev "$INTERFACE" 2>/dev/null || true
# Find default gateway/interface for the endpoint route
DEFAULT_GW=$(ip route | grep '^default' | head -1 | awk '{print $3}')
DEFAULT_IF=$(ip route | grep '^default' | head -1 | awk '{print $5}')
# Route VPN endpoint through the container's default gateway
if [ -n "$DEFAULT_GW" ] && [ -n "$DEFAULT_IF" ]; then
ip route add "$VPN_ENDPOINT/32" via "$DEFAULT_GW" dev "$DEFAULT_IF" 2>/dev/null || true
fi
# Parse AllowedIPs from config and add routes dynamically
ALLOWED_IPS=$(grep -i '^AllowedIPs' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/ //g')
if [ -n "$ALLOWED_IPS" ]; then
for ip in $(echo "$ALLOWED_IPS" | tr ',' ' '); do
if [ "$ip" = "0.0.0.0/0" ]; then
# Use the split route trick to avoid overriding the default route
# (which would break the endpoint connection)
ip route add 0.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
ip route add 128.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
else
ip route add "$ip" dev "$INTERFACE" 2>/dev/null || true
fi
done
fi
# ── Policy routing: ensure responses to incoming LAN traffic go back via eth0 ──
if [ -n "$DEFAULT_GW" ] && [ -n "$DEFAULT_IF" ]; then
# Get the container's eth0 IP address (BusyBox-compatible, no grep -P)
ETH0_IP=$(ip -4 addr show "$DEFAULT_IF" | awk '/inet / {split($2, a, "/"); print a[1]}' | head -1)
ETH0_SUBNET=$(ip -4 route show dev "$DEFAULT_IF" | grep -v default | head -1 | awk '{print $1}')
if [ -n "$ETH0_IP" ] && [ -n "$ETH0_SUBNET" ]; then
echo "[vpn] Setting up policy routing for incoming traffic (${ETH0_IP} on ${DEFAULT_IF})"
ip route add default via "$DEFAULT_GW" dev "$DEFAULT_IF" table 100 2>/dev/null || true
ip route add "$ETH0_SUBNET" dev "$DEFAULT_IF" table 100 2>/dev/null || true
ip rule add from "$ETH0_IP" table 100 priority 100 2>/dev/null || true
echo "[vpn] Policy routing active — incoming connections will be routed back via ${DEFAULT_IF}"
fi
fi
# Set up DNS (handle comma-separated DNS servers)
VPN_DNS=$(grep -i '^DNS' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/ //g')
if [ -n "$VPN_DNS" ]; then
# Clear resolv.conf and add each DNS server on its own line
> /etc/resolv.conf
for dns in $(echo "$VPN_DNS" | tr ',' ' '); do
echo "nameserver $dns" >> /etc/resolv.conf
done
echo "[vpn] DNS set to: ${VPN_DNS}"
fi
echo "[vpn] WireGuard interface ${INTERFACE} is up."
echo "[vpn] Routes:"
ip route show | sed 's/^/[vpn] /'
echo "[vpn] WireGuard status:"
wg show "$INTERFACE" 2>/dev/null | sed 's/^/[vpn] /'
}
# ──────────────────────────────────────────────
# Stop WireGuard manually
# ──────────────────────────────────────────────
stop_vpn() {
echo "[vpn] Stopping WireGuard interface ${INTERFACE}..."
# Remove routes added for AllowedIPs
ALLOWED_IPS=$(grep -i '^AllowedIPs' "$CONFIG_FILE" | head -1 | sed 's/.*= *//;s/ //g')
if [ -n "$ALLOWED_IPS" ]; then
for ip in $(echo "$ALLOWED_IPS" | tr ',' ' '); do
if [ "$ip" = "0.0.0.0/0" ]; then
ip route del 0.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
ip route del 128.0.0.0/1 dev "$INTERFACE" 2>/dev/null || true
else
ip route del "$ip" dev "$INTERFACE" 2>/dev/null || true
fi
done
fi
# Remove endpoint route
if [ -n "$VPN_ENDPOINT" ]; then
ip route del "$VPN_ENDPOINT/32" 2>/dev/null || true
fi
ip link del "$INTERFACE" 2>/dev/null || true
}
# ──────────────────────────────────────────────
# Health check loop — restarts VPN if tunnel dies
# ──────────────────────────────────────────────
health_loop() {
local failures=0
local max_failures=3
echo "[health] Starting health check (every ${CHECK_INTERVAL}s, target ${CHECK_HOST})..."
while true; do
sleep "$CHECK_INTERVAL"
if curl -sf --max-time 5 "http://$CHECK_HOST" > /dev/null 2>&1; then
if [ "$failures" -gt 0 ]; then
echo "[health] VPN recovered."
failures=0
fi
else
failures=$((failures + 1))
echo "[health] Check failed ($failures/$max_failures) — curl http://${CHECK_HOST} timed out"
# Dump WireGuard stats to show if handshake is stale and how much data flows
echo "[health] wg stats:"
wg show "$INTERFACE" 2>/dev/null | grep -E 'latest handshake|transfer|endpoint' | sed 's/^/[health] /' || echo "[health] wg0 not found"
echo "[health] routes:"
ip route show | grep -E 'wg0|default' | sed 's/^/[health] /'
if [ "$failures" -ge "$max_failures" ]; then
echo "[health] VPN appears down. Restarting WireGuard..."
stop_vpn
sleep 2
start_vpn
failures=0
echo "[health] WireGuard restarted."
fi
fi
done
}
# ──────────────────────────────────────────────
# Graceful shutdown
# ──────────────────────────────────────────────
cleanup() {
echo "[shutdown] Stopping WireGuard..."
stop_vpn
echo "[shutdown] Flushing iptables..."
iptables -F
iptables -t nat -F
echo "[shutdown] Done."
exit 0
}
trap cleanup SIGTERM SIGINT
# ──────────────────────────────────────────────
# Startup connectivity checks — diagnose issues early
# ──────────────────────────────────────────────
check_vpn_connectivity() {
echo "[check] ── Startup connectivity checks ──"
# 1. Wait for WireGuard handshake (up to 15s)
local elapsed=0
local handshake_ts=0
echo "[check] Waiting for WireGuard handshake (up to 15s)..."
while [ "$elapsed" -lt 15 ]; do
handshake_ts=$(wg show "$INTERFACE" latest-handshakes 2>/dev/null | awk '{print $2}' | head -1)
if [ -n "$handshake_ts" ] && [ "$handshake_ts" != "0" ]; then
local age=$(( $(date +%s) - handshake_ts ))
echo "[check] OK Handshake established ${age}s ago"
break
fi
sleep 1
elapsed=$((elapsed + 1))
done
if [ "$elapsed" -ge 15 ]; then
echo "[check] FAIL No WireGuard handshake after 15s — tunnel is not up"
echo "[check] This container's public key (must be on the server):"
echo "[check] PublicKey = $(wg show "$INTERFACE" public-key 2>/dev/null || echo 'unknown')"
echo "[check] AllowedIPs = ${VPN_ADDRESS}"
echo "[check] Verify on server: wg show"
fi
# 2. Check whether traffic actually flows through the tunnel
echo "[check] Testing traffic through tunnel (http://${CHECK_HOST})..."
local rx_before
rx_before=$(wg show "$INTERFACE" transfer 2>/dev/null | awk '{print $2}' | head -1)
if curl -sf --max-time 8 "http://${CHECK_HOST}" > /dev/null 2>&1; then
echo "[check] OK Traffic flows — tunnel is fully working"
else
local rx_after
rx_after=$(wg show "$INTERFACE" transfer 2>/dev/null | awk '{print $2}' | head -1)
echo "[check] FAIL http://${CHECK_HOST} unreachable through tunnel"
if [ -n "$rx_before" ] && [ -n "$rx_after" ]; then
if [ "$rx_after" -le "$rx_before" ]; then
echo "[check] RX bytes unchanged (${rx_before}${rx_after})"
echo "[check] Server receives packets but does NOT route them back"
echo "[check] Fix on VPN server (${VPN_ENDPOINT}):"
echo "[check] sysctl net.ipv4.ip_forward # must output 1"
echo "[check] iptables -t nat -L POSTROUTING -v -n # must have MASQUERADE"
echo "[check] wg show # check peer + AllowedIPs"
else
echo "[check] RX increased (${rx_before}${rx_after}) — tunnel passes data"
echo "[check] Issue may be specific to ${CHECK_HOST} or DNS"
fi
fi
local transfer
transfer=$(wg show "$INTERFACE" transfer 2>/dev/null | awk '{printf "rx=%s tx=%s", $2, $3}')
echo "[check] wg transfer: ${transfer}"
fi
# 3. DNS check
echo "[check] Testing DNS resolution..."
if nslookup 1.1.1.1 > /dev/null 2>&1 || nslookup google.com > /dev/null 2>&1; then
echo "[check] OK DNS resolves"
else
echo "[check] FAIL DNS resolution failed"
echo "[check] resolv.conf: $(tr '\n' ' ' < /etc/resolv.conf)"
echo "[check] Check that DNS servers are reachable through wg0"
fi
echo "[check] ── End of checks ──"
}
# ── Main ──
enable_forwarding
setup_killswitch
start_vpn
check_vpn_connectivity
health_loop
Reference in New Issue View Git Blame Copy Permalink