
wg-easy does not delete iptables rules when stopped #1239

Open
krin-san opened this issue Dec 26, 2024 · 4 comments · May be fixed by #1240

Comments

@krin-san
Copy link

Steps to reproduce

  • Install wg-easy app
  • Stop wg-easy app
  • Run the `iptables-legacy -S` command – there's just one `--dport 51820` rule

```text
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
```

  • Start and stop wg-easy again
  • Run `iptables-legacy -S` again – now there are two `--dport 51820` rules

```text
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
```

Why does it happen?

Despite all the effort done in wg-easy/wg-easy#862 to ensure WG_PRE_DOWN and WG_POST_DOWN run on process termination, this line in /trains/stable/wg-easy/1.1.6/templates/docker-compose.yaml file

```jinja
{#
  https://github.com/wg-easy/wg-easy/pull/862
  WG_POST_DOWN, keep it empty in order to let the container
  handle the cleanup when the container is stopped.
  Also it will not allow users to set it to a value.
  Avoiding foot-shooting.
#}
{% do c1.environment.add_env("WG_POST_DOWN", none) %}
```

not only "avoids foot-shooting" but also overrides all the `iptables -D ...` rules set in wg-easy/src/config.js.

That's why every time the app starts it adds new iptables rules and doesn't remove them when stopped.

How to fix

Remove the WG_POST_DOWN setter. Yes, it'll allow users to override its value and "shoot themselves in the foot", but it will also let wg-easy run clean-up commands on installations with the default config.

@stavros-k
Copy link
Contributor

I see what the issue is.
We shouldn't set it to None, but to ''.
So this line https://github.com/wg-easy/wg-easy/blob/c6dce0f6fb2e28e7e40ddac1498bd67e9bb17cba/src/config.js#L34 will actually fall back to the correct value.
Now it sees the string "None" instead of a falsy value.
Thanks
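As an added example (not code from wg-easy or from the TrueNAS template), the snippet below mirrors the `process.env.WG_POST_DOWN || default` fallback shape assumed for the config.js line linked above, shows why a value rendered as the string "None" keeps the cleanup command from ever running, and adds a small check over `iptables -S` output that flags the duplicated rules reported in this issue. The default `-D` command list is constructed from the rules shown in the report.

```javascript
// Added example, not wg-easy's or the TrueNAS template's own code.
// Assumes the config.js fallback has the shape `process.env.WG_POST_DOWN || default`;
// the default below is constructed from the -D forms of the rules in this issue.
const DEFAULT_POST_DOWN = [
  'iptables -D INPUT -p udp -m udp --dport 51820 -j ACCEPT',
  'iptables -D FORWARD -i wg0 -j ACCEPT',
  'iptables -D FORWARD -o wg0 -j ACCEPT',
].join('; ');

// Command the container would run on shutdown for a given environment.
// Only '' and an unset variable are falsy; the string "None" is not, so it
// replaces the cleanup command and the ACCEPT rules are never deleted.
function resolvePostDown(env, fallback = DEFAULT_POST_DOWN) {
  return env.WG_POST_DOWN || fallback;
}

// Scans `iptables -S` output for rules (-A lines) listed more than once,
// the symptom left behind by a restart without cleanup. Policy lines are skipped.
function findDuplicateRules(iptablesText) {
  const counts = new Map();
  for (const raw of iptablesText.split('\n')) {
    const rule = raw.trim();
    if (!rule.startsWith('-A ')) continue;
    counts.set(rule, (counts.get(rule) || 0) + 1);
  }
  const duplicates = {};
  for (const [rule, n] of counts) if (n > 1) duplicates[rule] = n;
  return duplicates;
}

// Constructed sample: the second `iptables-legacy -S` listing from the issue.
const SAMPLE_AFTER_RESTART = `
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -o wg0 -j ACCEPT
`;

console.log(resolvePostDown({ WG_POST_DOWN: 'None' })); // "None": cleanup skipped
console.log(resolvePostDown({ WG_POST_DOWN: '' }));     // the default -D commands
console.log(findDuplicateRules(SAMPLE_AFTER_RESTART));  // three rules, each counted 2
```

Running the duplicate check after a stop/start cycle is a quick way to confirm on a host whether the post-down cleanup actually ran.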

@stavros-k stavros-k linked a pull request Dec 26, 2024 that will close this issue
@krin-san
Copy link
Author

Is solving it this way really necessary? How important is it to block WG_POST_DOWN from TrueNAS users?

I'm trying to migrate my per-client iptables rules, which allow certain clients to access only certain services, from wg-easy Chart and need both post_up and post_down scripts.

@stavros-k
Copy link
Contributor

The WG_POST_DOWN is for the wg server, not clients. Right?
Are you setting iptables rules in truenas?

@krin-san
Copy link
Author

Yes, it's for the server, but default iptables rules open up the whole network to remotely connecting family members while I wanted to open just a couple of services for them. https://gist.github.com/qdm12/4e0e4f9d1a34db9cf63ebb0997827d0d?permalink_comment_id=5090869#gistcomment-5090869 goes into the details on how it was working in the Chart.

iptables commands are executed from wg-easy, but when configured poorly it certainly affects the host system.
