WG: apply advertised routes on server immediately; relax rp_filter for routed clients

This commit is contained in:
Ruslan
2026-04-14 13:01:30 +03:00
parent 02ccad1805
commit 530e93c1df
2 changed files with 74 additions and 0 deletions


@@ -347,6 +347,8 @@ build_lan_nat_hooks_if_needed() {
local fwd="/etc/sysctl.d/99-wireguard-client-forwarding.conf"
cat > "$fwd" <<EOF_FWD
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=2
net.ipv4.conf.default.rp_filter=2
EOF_FWD
sysctl --system >/dev/null || true
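Review bot: The `net.ipv4.conf.all.rp_filter=2` and `net.ipv4.conf.default.rp_filter=2` lines (inferred to be the two additions this hunk reports) switch every interface on the host to loose reverse-path validation, not just the tunnel, so spoofed-source packets arriving on other interfaces are no longer dropped by the kernel. The kernel validates an interface with the maximum of `conf/all/rp_filter` and `conf/<ifname>/rp_filter`, so leaving `all` at its current value and setting only the tunnel's key (`net.ipv4.conf.<wg-interface>.rp_filter=2`, using whatever variable this script holds the interface name in — not visible in the hunk) keeps strict checking elsewhere while still accepting routed client traffic on the tunnel; since that interface may not exist when `sysctl --system` runs, a `PostUp` hook is the more reliable place for the per-interface key. Whatever scope is kept, a comment above the heredoc stating why loose mode is needed (`# loose rp_filter: routed client prefixes arrive on the tunnel without a matching return route`) would keep a later reader from reverting it to 1. build_lan_nat_hooks_if_needed starts before and continues after this hunk.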


@@ -207,6 +207,71 @@ extract_peer_address_by_pubkey() {
' "$WG_CONF" | awk -F',' '{print $1}' | xargs
}
extract_peer_allowed_ips_by_pubkey() {
local pubkey="$1"
awk -v pk="$pubkey" '
$0 ~ /^\[Peer\]/ {in_peer=1; key=""; allowed=""}
in_peer && $0 ~ /^PublicKey[[:space:]]*=/ {
sub(/^[^=]*=[[:space:]]*/, "", $0); key=$0
}
in_peer && $0 ~ /^AllowedIPs[[:space:]]*=/ {
sub(/^[^=]*=[[:space:]]*/, "", $0); allowed=$0
}
in_peer && key==pk && allowed!="" {print allowed; exit}
' "$WG_CONF" | xargs
}
routes_without_primary_address() {
local allowed_ips="$1"
local primary_addr="$2"
local out=""
local item
local norm_primary
norm_primary="$(echo "$primary_addr" | xargs)"
IFS=',' read -ra items <<< "$allowed_ips"
for item in "${items[@]}"; do
item="$(echo "$item" | xargs)"
[[ -z "$item" ]] && continue
if [[ -n "$norm_primary" && "$item" == "$norm_primary" ]]; then
continue
fi
if [[ -z "$out" ]]; then
out="$item"
else
out="${out},${item}"
fi
done
echo "$out"
}
apply_client_routes_now() {
local routes="${1:-}"
[[ -n "$routes" ]] || return 0
local cidr
IFS=',' read -ra cidrs <<< "$routes"
for cidr in "${cidrs[@]}"; do
cidr="$(echo "$cidr" | xargs)"
[[ -n "$cidr" ]] || continue
ip route replace "$cidr" dev "$WG_INTERFACE" proto static >/dev/null 2>&1 || true
done
}
remove_client_routes_now() {
local routes="${1:-}"
[[ -n "$routes" ]] || return 0
local cidr
IFS=',' read -ra cidrs <<< "$routes"
for cidr in "${cidrs[@]}"; do
cidr="$(echo "$cidr" | xargs)"
[[ -n "$cidr" ]] || continue
ip route del "$cidr" dev "$WG_INTERFACE" >/dev/null 2>&1 || true
done
}
apply_config() {
if systemctl is-active --quiet "wg-quick@${WG_INTERFACE}"; then
wg syncconf "$WG_INTERFACE" <(wg-quick strip "$WG_CONF")
@@ -262,6 +327,7 @@ cmd_add() {
existing_allowed="${existing_addr:-}"
if [[ -n "$client_routes" ]]; then
existing_allowed="${existing_allowed},${client_routes}"
apply_client_routes_now "$client_routes"
fi
sync_gui_db_upsert_peer "$client_name" "$client_pubkey" "${existing_addr:-}" "$client_routes" "$client_psk" "${existing_allowed}" 1
cat <<EOF_OUT
@@ -303,6 +369,7 @@ EOF_OUT
} >> "$WG_CONF"
apply_config
apply_client_routes_now "$client_routes"
sync_gui_db_upsert_peer "$client_name" "$client_pubkey" "$client_address" "$client_routes" "$client_psk" "$peer_allowed_ips" 1
cat <<EOF_OUT
@@ -332,6 +399,10 @@ cmd_remove() {
load_meta
[[ -f "$WG_CONF" ]] || die "Не найден конфиг WireGuard: $WG_CONF"
local existing_allowed existing_addr existing_routes
existing_allowed="$(extract_peer_allowed_ips_by_pubkey "$client_pubkey")"
existing_addr="$(extract_peer_address_by_pubkey "$client_pubkey")"
existing_routes="$(routes_without_primary_address "$existing_allowed" "$existing_addr")"
backup_file "$WG_CONF"
local tmp
@@ -362,6 +433,7 @@ cmd_remove() {
safe_chmod_600 "$WG_CONF"
apply_config
remove_client_routes_now "$existing_routes"
sync_gui_db_set_enabled "$client_pubkey" 0
cat <<EOF_OUT
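Review bot: `apply_client_routes_now` (first hunk of this section) passes each comma-separated entry of the client's advertised routes to `ip route replace` without validation, so an entry such as `0.0.0.0/0`, `::/0`, `default`, or a prefix the server already routes elsewhere (its LAN, for instance) quietly becomes a route through the tunnel, and the `>/dev/null 2>&1 || true` discards whatever `ip` reports; `cmd_add` reaches this from the hunks at lines 90 and 97 as well. The loop should accept only address/prefix strings, refuse a zero-length prefix, and use `ip route add` so an existing route is never displaced, writing failures to stderr instead of dropping them; the same input check, minus the add/replace point, applies to `remove_client_routes_now`. The arrays filled by `read -ra` (`items` in `routes_without_primary_address`, `cidrs` in both route helpers) are not declared `local` and so leak into the caller's scope. The three helper bodies are complete within the hunk; `apply_config` and the `cmd_*` functions continue outside it.
```shell
apply_client_routes_now() {
  local routes="${1:-}"
  [[ -n "$routes" ]] || return 0
  local cidr cidrs
  IFS=',' read -ra cidrs <<< "$routes"
  for cidr in "${cidrs[@]}"; do
    cidr="$(echo "$cidr" | xargs)"
    [[ -n "$cidr" ]] || continue
    # Accept only an IPv4/IPv6 address with an optional prefix length, and never a
    # zero-length prefix: "default", 0.0.0.0/0 and ::/0 would otherwise become the
    # server's default route through the tunnel.
    if [[ ! "$cidr" =~ ^[0-9A-Fa-f]*[.:][0-9A-Fa-f.:]*(/[0-9]{1,3})?$ || "$cidr" == */0 ]]; then
      printf 'ignoring invalid client route: %s\n' "$cidr" >&2
      continue
    fi
    # add, not replace: a prefix that already has a route on this host keeps it.
    ip route add "$cidr" dev "$WG_INTERFACE" proto static 2>/dev/null \
      || printf 'route %s via %s not added (already present or rejected by ip)\n' "$cidr" "$WG_INTERFACE" >&2
  done
}
```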