From 101b5564c267e673afdea97e24a6bd778939abd8 Mon Sep 17 00:00:00 2001
From: Paul
Date: Wed, 21 Dec 2022 00:46:59 +0000
Subject: [PATCH] Fix for fwmark
Evidently, wireguard's (use of) fwmark is not well understood. In short, it determines which routing table to use for a tunnel's packets. Adding a fwmark to a roadwarrior client config won't do anything to the actual packets sent to a peer: Packets do not get marked. A QRCode with `FwMark = ...` in it is invalid. FwMark is now excluded from client configs (but is written to the server config /etc/wireguard/wgX.conf). Potential breaking change of `WGUI_FORWARD_MARK` to `WGUI_FIREWALL_MARK` But this has the effect of making users eventually notice that it probably does not do what they want/think. See: https://ro-che.info/articles/2021-02-27-linux-routing https://casavant.org/2020/10/10/wireguard-fwmark.html https://www.blinkenlights.ch/ccms/posts/source-based-routing/
---
 README.md | 2 +-
 model/setting.go | 2 +-
 store/jsondb/jsondb.go | 5 +----
 templates/clients.html | 17 +++-------------
 templates/global_settings.html | 18 +++++++++---------
 util/config.go | 4 ++--
 util/util.go | 6 ------
 7 files changed, 17 insertions(+), 37 deletions(-)
diff --git a/README.md b/README.md
index 489314c..a9926f2 100644
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ Note:
 | `WGUI_DNS` | The default DNS servers (comma-separated-list) used in the global settings | `1.1.1.1` |
 | `WGUI_MTU` | The default MTU used in global settings | `1450` |
 | `WGUI_PERSISTENT_KEEPALIVE` | The default persistent keepalive for WireGuard in global settings | `15` |
-| `WGUI_FORWARD_MARK` | The default WireGuard forward mark | `0xca6c` |
+| `WGUI_FIREWALL_MARK` | The default WireGuard firewall mark | `0xca6c` (51820) |
 | `WGUI_CONFIG_FILE_PATH` | The default WireGuard config file path used in global settings | `/etc/wireguard/wg0.conf` |
 | `WG_CONF_TEMPLATE` | The custom `wg.conf` config file template. Please refer to our [default template](https://github.com/ngoduykhanh/wireguard-ui/blob/master/templates/wg.conf) | N/A |
 | `EMAIL_FROM_ADDRESS` | The sender email address | N/A |
diff --git a/model/setting.go b/model/setting.go
index e871591..a702293 100644
--- a/model/setting.go
+++ b/model/setting.go
@@ -10,7 +10,7 @@ type GlobalSetting struct {
 DNSServers []string `json:"dns_servers"`
 MTU int `json:"mtu,string"`
 PersistentKeepalive int `json:"persistent_keepalive,string"`
- ForwardMark string `json:"forward_mark"`
+ FirewallMark string `json:"firewall_mark"`
 ConfigFilePath string `json:"config_file_path"`
 UpdatedAt time.Time `json:"updated_at"`
 }
diff --git a/store/jsondb/jsondb.go b/store/jsondb/jsondb.go
index f39a452..2f80f26 100644
--- a/store/jsondb/jsondb.go
+++ b/store/jsondb/jsondb.go
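Review bot: Changing the JSON tag on the GlobalSetting field from `forward_mark` to `firewall_mark` changes the key the jsondb store persists, so a `global_settings` record written by an earlier version still carries `forward_mark`, matches no field on decode, and FirewallMark comes back as the empty string — the operator's configured mark is dropped silently rather than migrated. The commit message calls out the `WGUI_FORWARD_MARK` environment-variable rename but not this one, and Init's seeding of defaults is outside the hunk, so whether an existing record is ever rewritten with the new key is not visible here. If the persisted key is meant to change, keep a deprecated ForwardMark field with the old `forward_mark` tag next to the new one and copy it into FirewallMark when FirewallMark is empty at load time, or at least document the one-time loss alongside the env-var note in the README.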
@@ -96,7 +96,7 @@ func (o *JsonDB) Init() error {
 globalSetting.DNSServers = util.LookupEnvOrStrings(util.DNSEnvVar, []string{util.DefaultDNS})
 globalSetting.MTU = util.LookupEnvOrInt(util.MTUEnvVar, util.DefaultMTU)
 globalSetting.PersistentKeepalive = util.LookupEnvOrInt(util.PersistentKeepaliveEnvVar, util.DefaultPersistentKeepalive)
- globalSetting.ForwardMark = util.LookupEnvOrString(util.ForwardMarkEnvVar, util.DefaultForwardMark)
+ globalSetting.FirewallMark = util.LookupEnvOrString(util.FirewallMarkEnvVar, util.DefaultFirewallMark)
 globalSetting.ConfigFilePath = util.LookupEnvOrString(util.ConfigFilePathEnvVar, util.DefaultConfigFilePath)
 globalSetting.UpdatedAt = time.Now().UTC()
 o.conn.Write("server", "global_settings", globalSetting)
@@ -219,9 +219,6 @@ func (o *JsonDB) GetClientByID(clientID string, qrCodeSettings model.QRCodeSetti
 if !qrCodeSettings.IncludeMTU {
 globalSettings.MTU = 0
 }
- if !qrCodeSettings.IncludeFwMark {
- globalSettings.ForwardMark = ""
- }
 png, err := qrcode.Encode(util.BuildClientConfig(client, server, globalSettings), qrcode.Medium, 256)
 if err == nil {
diff --git a/templates/clients.html b/templates/clients.html
index 239e54e..3ba5fd5 100644
--- a/templates/clients.html
+++ b/templates/clients.html
@@ -70,17 +70,8 @@ Wireguard Clients
@@ -425,9 +416,7 @@ Wireguard Clients
 cache: false,
 method: 'GET',
 url: '{{.basePath}}/api/client/' + client_id,
- data: {
- qrCodeIncludeFwMark: include_fwmark
- },
+ data: JSON.stringify(data),
 dataType: 'json',
 contentType: "application/json",
 success: function (resp) {
diff --git a/templates/global_settings.html b/templates/global_settings.html
index 8a41d1f..15d7b4b 100644
--- a/templates/global_settings.html
+++ b/templates/global_settings.html
@@ -56,10 +56,10 @@ Global Settings
 value="{{if .globalSettings.PersistentKeepalive }}{{ .globalSettings.PersistentKeepalive }}{{end}}">
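Review bot: Removing the `IncludeFwMark` branch in GetClientByID leaves `qrCodeSettings.IncludeFwMark`, and the `qrCodeIncludeFwMark` request parameter it was populated from, with no remaining reader: the model/setting.go hunk in this patch only touches GlobalSetting and no handler file is in the diffstat, so the field and its parsing appear to survive as dead code (inferred — the QRCodeSettings declaration is not in the diff). Either drop the field in the same change, or mark it with `// Deprecated: FwMark is never emitted into client configs; this flag is ignored.` so the next maintainer does not expect it to have an effect. GetClientByID continues past the end of the hunk.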
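Review bot: `data: JSON.stringify(data)` on a request whose `method` is still `'GET'` makes jQuery append the raw JSON text to the URL as the query string, so the server receives `?{"...":...}` instead of the named `key=value` parameters the removed object form produced; the `contentType: "application/json"` header does not change that, because the GET carries no body. Unless the handler behind `/api/client/` was changed to parse that form (it is not among the files in this diff), whatever `data` carries will silently fall back to server-side defaults. Pass the object itself, `data: data,`, so jQuery URL-encodes it, or switch to a method that carries a body. The place where `data` is built lies in the preceding hunk, whose lines are not legible in this copy.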
- - + +
@@ -100,8 +100,8 @@ Global Settings until they reach out to other peers themselves. Adding PersistentKeepalive can ensure that the connection remains open.
Leave blank to omit this setting in the Client config.
-
5. Forward Mark
-
Set an fwmark on all packets going out of WireGuard's UDP socket. Default value: 0xca6c
+
5. Firewall Mark
+
Add a matching fwmark on all packets going out of a WireGuard non-default-route tunnel. Default value: 0xca6c
6. Wireguard Config File Path
The path of your Wireguard server config file. Please make sure the parent directory exists and is writable.
@@ -149,9 +149,9 @@ Global Settings
 const dns_servers = $("#dns_servers").val().split(",");
 const mtu = $("#mtu").val();
 const persistent_keepalive = $("#persistent_keepalive").val();
- const forward_mark = $("#forward_mark").val();
+ const firewall_mark = $("#firewall_mark").val();
 const config_file_path = $("#config_file_path").val();
- const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "forward_mark": forward_mark, "config_file_path": config_file_path};
+ const data = {"endpoint_address": endpoint_address, "dns_servers": dns_servers, "mtu": mtu, "persistent_keepalive": persistent_keepalive, "firewall_mark": firewall_mark, "config_file_path": config_file_path};
 $.ajax({
 cache: false,
@@ -222,7 +222,7 @@ Global Settings
 config_file_path: {
 required: true
 },
- forward_mark: {
+ firewall_mark: {
 required: false
 }
 },
diff --git a/util/config.go b/util/config.go
index 7f5d221..99cd609 100644
--- a/util/config.go
+++ b/util/config.go
@@ -29,7 +29,7 @@ const (
 DefaultDNS = "1.1.1.1"
 DefaultMTU = 1450
 DefaultPersistentKeepalive = 15
- DefaultForwardMark = "0xca6c"
+ DefaultFirewallMark = "0xca6c" // i.e. 51820
 DefaultConfigFilePath = "/etc/wireguard/wg0.conf"
 UsernameEnvVar = "WGUI_USERNAME"
 PasswordEnvVar = "WGUI_PASSWORD"
@@ -39,7 +39,7 @@ const (
 DNSEnvVar = "WGUI_DNS"
 MTUEnvVar = "WGUI_MTU"
 PersistentKeepaliveEnvVar = "WGUI_PERSISTENT_KEEPALIVE"
- ForwardMarkEnvVar = "WGUI_FORWARD_MARK"
+ FirewallMarkEnvVar = "WGUI_FIREWALL_MARK"
 ConfigFilePathEnvVar = "WGUI_CONFIG_FILE_PATH"
 ServerAddressesEnvVar = "WGUI_SERVER_INTERFACE_ADDRESSES"
 ServerListenPortEnvVar = "WGUI_SERVER_LISTEN_PORT"
diff --git a/util/util.go b/util/util.go
index 40eb357..c957b30 100644
--- a/util/util.go
+++ b/util/util.go
@@ -60,18 +60,12 @@ func BuildClientConfig(client model.Client, server model.Server, setting model.G
 peerPersistentKeepalive = fmt.Sprintf("PersistentKeepalive = %d\n", setting.PersistentKeepalive)
 }
- forwardMark := ""
- if setting.ForwardMark != "" {
- forwardMark = fmt.Sprintf("FwMark = %s\n", setting.ForwardMark)
- }
-
 // build the config as string
 strConfig := "[Interface]\n" +
 clientAddress +
 clientPrivateKey +
 clientDNS +
 clientMTU +
- forwardMark +
 "\n[Peer]\n" +
 peerPublicKey +
 peerPresharedKey +